diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index 70fa1b6d0..8a6cc527f 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c @@ -2738,7 +2738,7 @@ _kdc_as_rep(astgs_request_t r) out: r->ret = ret; - _kdc_hdb_audit(r); + _kdc_audit_request(r); /* * In case of a non proxy error, build an error message. diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c index 887c9a05b..55f851bf2 100644 --- a/kdc/krb5tgs.c +++ b/kdc/krb5tgs.c @@ -2578,7 +2578,7 @@ _kdc_tgs_rep(astgs_request_t r) out: r->ret = ret; - _kdc_hdb_audit(r); + _kdc_audit_request(r); if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){ METHOD_DATA error_method = { 0, NULL }; diff --git a/kdc/misc.c b/kdc/misc.c index 1d7467261..296557300 100644 --- a/kdc/misc.c +++ b/kdc/misc.c @@ -343,18 +343,20 @@ _kdc_include_pac_p(astgs_request_t r) } /* - * Notify the HDB backend of the audited event. + * Notify the HDB backend and windc plugin of the audited event. */ krb5_error_code -_kdc_hdb_audit(astgs_request_t r) +_kdc_audit_request(astgs_request_t r) { + krb5_error_code ret; struct HDB *hdb; - hdb = r->clientdb ? r->clientdb : r->config->db[0]; + ret = _kdc_windc_audit(r); + if (ret == 0 && + (hdb = r->clientdb ? r->clientdb : r->config->db[0]) && + hdb->hdb_audit) + ret = hdb->hdb_audit(r->context, hdb, r->client, (hdb_request_t)r); - if (hdb && hdb->hdb_audit) - return hdb->hdb_audit(r->context, hdb, r->client, (hdb_request_t)r); - - return 0; + return ret; } diff --git a/kdc/windc.c b/kdc/windc.c index e7e2b9d4d..e9ee99636 100644 --- a/kdc/windc.c +++ b/kdc/windc.c 
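Review bot: The result of the new `_kdc_audit_request(r)` call at `out:` is still discarded, and unlike the HDB-only call it replaces, this one can now fail because of a windc plugin (see the misc.c hunk in this commit), so a plugin refusing to audit has no visible effect on the AS path. Either log the failure or make the drop explicit, e.g. `(void)_kdc_audit_request(r); /* audit failure is not surfaced to the client; see _kdc_audit_request */`. The same applies to the identical call in `_kdc_tgs_rep` in krb5tgs.c. `_kdc_as_rep` begins before and continues after this hunk.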
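Review bot: In `_kdc_audit_request` a non-zero return from `_kdc_windc_audit` short-circuits the `if (ret == 0 && ...)` condition, so the backend's `hdb_audit` is never invoked for that request; since both callers ignore the return value, a failing or misbehaving plugin silently loses the HDB audit record instead of failing anything. For an audit path it is safer to invoke both hooks and report the first error. If the plugin is genuinely meant to veto the HDB audit, that is not visible here and should be stated in the function comment rather than implied by the `&&`.
```c
krb5_error_code
_kdc_audit_request(astgs_request_t r)
{
    krb5_error_code ret, hdb_ret;
    struct HDB *hdb;

    /* Run both hooks; the plugin result does not suppress the HDB audit. */
    ret = _kdc_windc_audit(r);

    hdb = r->clientdb ? r->clientdb : r->config->db[0];
    if (hdb && hdb->hdb_audit) {
        hdb_ret = hdb->hdb_audit(r->context, hdb, r->client, (hdb_request_t)r);
        if (ret == 0)
            ret = hdb_ret;
    }

    return ret;
}
```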
@@ -210,30 +210,6 @@ _kdc_check_access(astgs_request_t r) return ret; } -static krb5_error_code KRB5_LIB_CALL -finalize(krb5_context context, const void *plug, void *plugctx, void *userctx) -{ - krb5plugin_windc_ftable *ft = (krb5plugin_windc_ftable *)plug; - - if (ft->finalize_reply == NULL) - return KRB5_PLUGIN_NO_HANDLE; - return ft->finalize_reply((void *)plug, userctx); -} - -krb5_error_code -_kdc_finalize_reply(astgs_request_t r) -{ - krb5_error_code ret = KRB5_PLUGIN_NO_HANDLE; - - if (have_plugin) - ret = _krb5_plugin_run_f(r->context, &windc_plugin_data, 0, r, finalize); - - if (ret == KRB5_PLUGIN_NO_HANDLE) - ret = 0; - - return ret; -} - static krb5_error_code KRB5_LIB_CALL referral_policy(krb5_context context, const void *plug, void *plugctx, void *userctx) { 
@@ -255,6 +231,54 @@ _kdc_referral_policy(astgs_request_t r) return ret; } +static krb5_error_code KRB5_LIB_CALL +finalize_reply(krb5_context context, const void *plug, void *plugctx, void *userctx) +{ + krb5plugin_windc_ftable *ft = (krb5plugin_windc_ftable *)plug; + + if (ft->finalize_reply == NULL) + return KRB5_PLUGIN_NO_HANDLE; + return ft->finalize_reply((void *)plug, userctx); +} + +krb5_error_code +_kdc_finalize_reply(astgs_request_t r) +{ + krb5_error_code ret = KRB5_PLUGIN_NO_HANDLE; + + if (have_plugin) + ret = _krb5_plugin_run_f(r->context, &windc_plugin_data, 0, r, finalize_reply); + + if (ret == KRB5_PLUGIN_NO_HANDLE) + ret = 0; + + return ret; +} + +static krb5_error_code KRB5_LIB_CALL +audit(krb5_context context, const void *plug, void *plugctx, void *userctx) +{ + krb5plugin_windc_ftable *ft = (krb5plugin_windc_ftable *)plug; + + if (ft->audit == NULL) + return KRB5_PLUGIN_NO_HANDLE; + return ft->audit((void *)plug, userctx); +} + +krb5_error_code +_kdc_windc_audit(astgs_request_t r) +{ + krb5_error_code ret = KRB5_PLUGIN_NO_HANDLE; + + if (have_plugin) + ret = _krb5_plugin_run_f(r->context, &windc_plugin_data, 0, r, audit); + + if (ret == KRB5_PLUGIN_NO_HANDLE) + ret = 0; + + return ret; +} + uintptr_t KRB5_CALLCONV kdc_get_instance(const char *libname) { diff --git a/kdc/windc_plugin.h b/kdc/windc_plugin.h index 2ecfe70fc..433344e15 100644 --- a/kdc/windc_plugin.h +++ b/kdc/windc_plugin.h @@ -77,13 +77,6 @@ typedef krb5_error_code typedef krb5_error_code (KRB5_CALLCONV *krb5plugin_windc_client_access)(void *, astgs_request_t); -/* - * Update the AS or TGS reply immediately prior to encoding. - */ - -typedef krb5_error_code -(KRB5_CALLCONV *krb5plugin_windc_finalize_reply)(void *, astgs_request_t r); - /* * A referral policy plugin can either rewrite the server principal * by resetting priv->server_princ, or it can disable referral 
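Review bot: `_kdc_windc_audit` reuses the `_krb5_plugin_run_f(..., 0, r, audit)` pattern of `_kdc_finalize_reply`, where a callback returning `KRB5_PLUGIN_NO_HANDLE` is how a plugin declines; if that runner stops at the first plugin returning anything else (which the pattern suggests but this hunk does not show), only one windc plugin will ever see the audit call, which is rarely what an audit hook wants. Please confirm and record it in a comment above `_kdc_windc_audit`, e.g. `/* Dispatches to the first windc plugin implementing audit; a non-KRB5_PLUGIN_NO_HANDLE return ends the loop. */`. Separately, `audit()` reads `ft->audit` unconditionally, which is only safe if every loaded plugin's ftable actually contains the new slot; the `NULL` check does not protect against a shorter struct from a plugin built against the previous header.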
@@ -98,6 +91,24 @@ typedef krb5_error_code typedef krb5_error_code (KRB5_CALLCONV *krb5plugin_windc_referral_policy)(void *, astgs_request_t r); +/* + * Update the AS or TGS reply immediately prior to encoding. + */ + +typedef krb5_error_code +(KRB5_CALLCONV *krb5plugin_windc_finalize_reply)(void *, astgs_request_t r); + +/* + * Audit an AS or TGS request. This function is called after encoding the + * reply (on success), or before encoding the error message. If a HDB audit + * function is also present, it is called after this one. + * + * The request should not be modified by the plugin. + */ + +typedef krb5_error_code +(KRB5_CALLCONV *krb5plugin_windc_audit)(void *, astgs_request_t r); + #define KRB5_WINDC_PLUGIN_MINOR 8 #define KRB5_WINDC_PLUGING_MINOR KRB5_WINDC_PLUGIN_MINOR @@ -110,6 +121,7 @@ typedef struct krb5plugin_windc_ftable { krb5plugin_windc_client_access client_access; krb5plugin_windc_referral_policy referral_policy; krb5plugin_windc_finalize_reply finalize_reply; + krb5plugin_windc_audit audit; } krb5plugin_windc_ftable; #endif /* HEIMDAL_KDC_WINDC_PLUGIN_H */ diff --git a/tests/plugin/windc.c b/tests/plugin/windc.c index 3168291ce..6d275f9a9 100644 --- a/tests/plugin/windc.c +++ b/tests/plugin/windc.c @@ -116,6 +116,13 @@ finalize_reply(void *ctx, astgs_request_t r) return 0; } +static krb5_error_code KRB5_CALLCONV +audit(void *ctx, astgs_request_t r) +{ + logit("audit", r); + return 0; +} + static krb5plugin_windc_ftable windc = { KRB5_WINDC_PLUGING_MINOR, windc_init, @@ -124,7 +131,8 @@ static krb5plugin_windc_ftable windc = { pac_verify, client_access, NULL, /* referral_policy */ - finalize_reply + finalize_reply, + audit }; static const krb5plugin_windc_ftable *const windc_plugins[] = {
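Review bot: The comment on `krb5plugin_windc_audit` states that the HDB audit function "is called after this one", but `_kdc_audit_request` in misc.c (same commit) only calls it when the plugin returns 0, and the KDC callers discard the result, so the documented contract does not match the code. Spell out the return-value semantics so plugin authors are not surprised, e.g. replace that sentence with `If a HDB audit function is also present it is called after this one, but only if this hook returns 0; a non-zero return suppresses the HDB audit and does not fail the request.` (or change the caller to run both). Note also that `KRB5_WINDC_PLUGIN_MINOR` stays at 8 in the context here although the ftable gains a member in the next hunk.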
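Review bot: Appending `audit` to `krb5plugin_windc_ftable` without bumping `KRB5_WINDC_PLUGIN_MINOR` (still 8 in the previous hunk) means a plugin compiled against the old header hands the KDC a struct one pointer shorter, and `ft->audit` in kdc/windc.c then reads past the end of that object; the `ft->audit == NULL` check cannot detect this, and whatever the stale bytes hold becomes an indirect call inside the KDC. The minor is carried as the first ftable member (the test plugin initialises it with `KRB5_WINDC_PLUGING_MINOR`), so unless the loader already rejects older minors, which is not visible here, bump it with `#define KRB5_WINDC_PLUGIN_MINOR 9` and have the audit dispatcher skip plugins advertising a lower value. Keep the misspelled `KRB5_WINDC_PLUGING_MINOR` alias, since the test plugin still relies on it.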