Define log levels in docs and change default to 0-3.

We define the meaning of the various log levels in the man page
for krb5_openlog(3).  If logging is configured and levels are not
specified, we change the default levels to 0-3 which should exclude
debugging messages which are generally only desired in exceptional
circumstances.

We also go through the KDC and adjust the levels to be appropriate.
This commit is contained in:
Roland C. Dowdeswell
2019-10-15 16:55:56 +01:00
committed by Roland C. Dowdeswell
parent aa5c525e71
commit c7d4682aed
11 changed files with 266 additions and 244 deletions


@@ -333,7 +333,7 @@ init_sockets(krb5_context context,
krb5_print_address (&addresses.val[j], a_str,
sizeof(a_str), &len);
kdc_log(context, config, 5, "listening on %s port %u/%s",
kdc_log(context, config, 3, "listening on %s port %u/%s",
a_str,
ntohs(ports[i].port),
(ports[i].type == SOCK_STREAM) ? "tcp" : "udp");
@@ -392,7 +392,7 @@ send_reply(krb5_context context,
struct descr *d,
krb5_data *reply)
{
kdc_log(context, config, 5,
kdc_log(context, config, 4,
"sending %lu bytes to %s", (unsigned long)reply->length,
d->addr_string);
if(prependlength){
@@ -403,13 +403,13 @@ send_reply(krb5_context context,
l[3] = reply->length & 0xff;
if(rk_IS_SOCKET_ERROR(sendto(d->s, l, sizeof(l), 0, d->sa, d->sock_len))) {
kdc_log (context, config,
0, "sendto(%s): %s", d->addr_string,
1, "sendto(%s): %s", d->addr_string,
strerror(rk_SOCK_ERRNO));
return;
}
}
if(rk_IS_SOCKET_ERROR(sendto(d->s, reply->data, reply->length, 0, d->sa, d->sock_len))) {
kdc_log (context, config, 0, "sendto(%s): %s", d->addr_string,
kdc_log (context, config, 1, "sendto(%s): %s", d->addr_string,
strerror(rk_SOCK_ERRNO));
return;
}
@@ -443,7 +443,7 @@ do_request(krb5_context context,
krb5_data_free(&reply);
}
if(ret)
kdc_log(context, config, 0,
kdc_log(context, config, 1,
"Failed processing %lu byte request from %s",
(unsigned long)len, d->addr_string);
}
@@ -462,7 +462,7 @@ handle_udp(krb5_context context,
buf = malloc(max_request_udp);
if (buf == NULL){
kdc_log(context, config, 0, "Failed to allocate %lu bytes",
kdc_log(context, config, 1, "Failed to allocate %lu bytes",
(unsigned long)max_request_udp);
return;
}
@@ -591,14 +591,14 @@ grow_descr (krb5_context context,
grow = max(1024, d->len + n);
if (d->size + grow > max_request_tcp) {
kdc_log(context, config, 0, "Request exceeds max request size (%lu bytes).",
kdc_log(context, config, 2, "Request exceeds max request size (%lu bytes).",
(unsigned long)d->size + grow);
clear_descr(d);
return -1;
}
tmp = realloc (d->buf, d->size + grow);
if (tmp == NULL) {
kdc_log(context, config, 0, "Failed to re-allocate %lu bytes.",
kdc_log(context, config, 1, "Failed to re-allocate %lu bytes.",
(unsigned long)d->size + grow);
clear_descr(d);
return -1;
@@ -624,7 +624,7 @@ handle_vanilla_tcp (krb5_context context,
sp = krb5_storage_from_mem(d->buf, d->len);
if (sp == NULL) {
kdc_log (context, config, 0, "krb5_storage_from_mem failed");
kdc_log (context, config, 1, "krb5_storage_from_mem failed");
return -1;
}
krb5_ret_uint32(sp, &len);
@@ -662,35 +662,35 @@ handle_http_tcp (krb5_context context,
p = NULL;
t = strtok_r(s, " \t", &p);
if (t == NULL) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Missing HTTP operand (GET) request from %s", d->addr_string);
return -1;
}
t = strtok_r(NULL, " \t", &p);
if(t == NULL) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Missing HTTP GET data in request from %s", d->addr_string);
return -1;
}
data = malloc(strlen(t));
if (data == NULL) {
kdc_log(context, config, 0, "Failed to allocate %lu bytes",
kdc_log(context, config, 1, "Failed to allocate %lu bytes",
(unsigned long)strlen(t));
return -1;
}
if(*t == '/')
t++;
if(de_http(t) != 0) {
kdc_log(context, config, 0, "Malformed HTTP request from %s", d->addr_string);
kdc_log(context, config, 5, "HTTP request: %s", t);
kdc_log(context, config, 2, "Malformed HTTP request from %s", d->addr_string);
kdc_log(context, config, 4, "HTTP request: %s", t);
free(data);
return -1;
}
proto = strtok_r(NULL, " \t", &p);
if (proto == NULL) {
kdc_log(context, config, 0, "Malformed HTTP request from %s", d->addr_string);
kdc_log(context, config, 2, "Malformed HTTP request from %s", d->addr_string);
free(data);
return -1;
}
@@ -707,16 +707,16 @@ handle_http_tcp (krb5_context context,
"<H1>404 Not found</H1>\r\n"
"That page doesn't exist, maybe you are looking for "
"<A HREF=\"http://www.h5l.org/\">Heimdal</A>?\r\n";
kdc_log(context, config, 0, "HTTP request from %s is non KDC request", d->addr_string);
kdc_log(context, config, 5, "HTTP request: %s", t);
kdc_log(context, config, 2, "HTTP request from %s is non KDC request", d->addr_string);
kdc_log(context, config, 4, "HTTP request: %s", t);
free(data);
if (rk_IS_SOCKET_ERROR(send(d->s, proto, strlen(proto), 0))) {
kdc_log(context, config, 0, "HTTP write failed: %s: %s",
kdc_log(context, config, 1, "HTTP write failed: %s: %s",
d->addr_string, strerror(rk_SOCK_ERRNO));
return -1;
}
if (rk_IS_SOCKET_ERROR(send(d->s, msg, strlen(msg), 0))) {
kdc_log(context, config, 0, "HTTP write failed: %s: %s",
kdc_log(context, config, 1, "HTTP write failed: %s: %s",
d->addr_string, strerror(rk_SOCK_ERRNO));
return -1;
}
@@ -732,13 +732,13 @@ handle_http_tcp (krb5_context context,
"Content-transfer-encoding: binary\r\n\r\n";
if (rk_IS_SOCKET_ERROR(send(d->s, proto, strlen(proto), 0))) {
free(data);
kdc_log(context, config, 0, "HTTP write failed: %s: %s",
kdc_log(context, config, 1, "HTTP write failed: %s: %s",
d->addr_string, strerror(rk_SOCK_ERRNO));
return -1;
}
if (rk_IS_SOCKET_ERROR(send(d->s, msg, strlen(msg), 0))) {
free(data);
kdc_log(context, config, 0, "HTTP write failed: %s: %s",
kdc_log(context, config, 1, "HTTP write failed: %s: %s",
d->addr_string, strerror(rk_SOCK_ERRNO));
return -1;
}
@@ -831,13 +831,13 @@ handle_tcp(krb5_context context,
}
} else if (d[idx].len > 4) {
kdc_log (context, config,
0, "TCP data of strange type from %s to %s/%d",
2, "TCP data of strange type from %s to %s/%d",
d[idx].addr_string, descr_type(d + idx),
ntohs(d[idx].port));
if (d[idx].buf[0] & 0x80) {
krb5_data reply;
kdc_log (context, config, 0, "TCP extension not supported");
kdc_log (context, config, 2, "TCP extension not supported");
ret = krb5_mk_error(context,
KRB5KRB_ERR_FIELD_TOOLONG,
@@ -952,7 +952,7 @@ loop(krb5_context context, krb5_kdc_configuration *config,
if (!rk_IS_BAD_SOCKET(d[i].s)) {
if (d[i].type == SOCK_STREAM &&
d[i].timeout && d[i].timeout < time(NULL)) {
kdc_log(context, config, 1,
kdc_log(context, config, 2,
"TCP-connection from %s expired after %lu bytes",
d[i].addr_string, (unsigned long)d[i].len);
clear_descr(&d[i]);
@@ -1067,8 +1067,8 @@ reap_kid(krb5_context context, krb5_kdc_configuration *config,
int status;
int i = 0; /* quiet warnings */
int ret = 0;
int level = 0;
const char *sev = "";
int level = 3;
const char *sev = "info: ";
pid = waitpid(-1, &status, options);
if (pid <= 0)
@@ -1091,7 +1091,7 @@ reap_kid(krb5_context context, krb5_kdc_configuration *config,
/* should not happen */
what = "untracked";
sev = "warning: ";
level = 1;
level = 2;
}
}
@@ -1194,9 +1194,9 @@ start_kdc(krb5_context context,
bonjour_kid(context, config, argv0, islive);
# endif
kdc_log(context, config, 0, "KDC started master process pid=%d", getpid());
kdc_log(context, config, 3, "KDC started master process pid=%d", getpid());
#else
kdc_log(context, config, 0, "KDC started pid=%d", getpid());
kdc_log(context, config, 3, "KDC started pid=%d", getpid());
#endif
roken_detach_finish(NULL, daemon_child);
@@ -1222,7 +1222,7 @@ start_kdc(krb5_context context,
exit(0);
case -1:
/* XXXrcd: hmmm, do something useful?? */
kdc_log(context, config, 0,
kdc_log(context, config, 1,
"KDC master process could not fork worker process");
sleep(10);
break;
@@ -1239,7 +1239,7 @@ start_kdc(krb5_context context,
"warning: forked untracked child process: %d",
(int)pid);
}
kdc_log(context, config, 0, "KDC worker process started: %d",
kdc_log(context, config, 3, "KDC worker process started: %d",
pid);
num_kdcs++;
/* Slow down the creation of KDCs... */
@@ -1296,15 +1296,15 @@ start_kdc(krb5_context context,
}
end:
kdc_log(context, config, 0, "KDC master process exiting");
kdc_log(context, config, 3, "KDC master process exiting");
} else {
loop(context, config, &d, &ndescr, -1);
kdc_log(context, config, 0, "KDC exiting");
kdc_log(context, config, 3, "KDC exiting");
}
free(pids);
#else
loop(context, config, &d, &ndescr, -1);
kdc_log(context, config, 0, "KDC exiting");
kdc_log(context, config, 3, "KDC exiting");
#endif
free(d);
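Review bot: The two `"HTTP request: %s"` lines in the handle_http_tcp hunks, now at level 4, write the client-supplied request token `t` into the log verbatim; with the new default range of 0-3 that stays out of default logs, but an operator who enables level 4 gets unfiltered bytes from the network in the log unless kdc_log strips non-printable characters, which this page does not show. Consider leaving those two lines at 5 or stating in the krb5_openlog(3) text that levels 4 and 5 may contain verbatim client data. Separately, `"Request exceeds max request size (%lu bytes)."`, `"Missing HTTP operand (GET) request from %s"` and `"Malformed HTTP request from %s"` (all now 2) are triggerable by any unauthenticated peer and now land in the default range, so junk connections translate directly into default-level log volume; a one-line comment in handle_http_tcp such as `/* client-triggerable; kept at warning level so scanners are visible by default */` would record that this is deliberate. handle_http_tcp and grow_descr both start outside their hunks.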


@@ -67,7 +67,7 @@ ntlm_service(void *ctx, const heim_idata *req,
int ret;
const char *domain;
kdc_log(context, config, 1, "digest-request: uid=%d",
kdc_log(context, config, 4, "digest-request: uid=%d",
(int)heim_ipc_cred_get_uid(cred));
if (heim_ipc_cred_get_uid(cred) != 0) {
@@ -93,7 +93,7 @@ ntlm_service(void *ctx, const heim_idata *req,
goto failed;
}
kdc_log(context, config, 1, "digest-request: user=%s/%s",
kdc_log(context, config, 4, "digest-request: user=%s/%s",
ntq.loginUserName, domain);
if (ntq.lmchallenge.length != 8)
@@ -126,7 +126,7 @@ ntlm_service(void *ctx, const heim_idata *req,
}
}
kdc_log(context, config, 2,
kdc_log(context, config, 5,
"digest-request: found user, processing ntlm request");
if (ntq.ntChallengeResponce.length != 24) {
@@ -205,7 +205,7 @@ ntlm_service(void *ctx, const heim_idata *req,
abort();
failed:
kdc_log(context, config, 1, "digest-request: %d", ret);
kdc_log(context, config, 4, "digest-request: %d", ret);
(*complete)(cctx, ret, &rep);
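Review bot: The `failed:` path at the end of ntlm_service now logs `"digest-request: %d"` at level 4, so a failed NTLM/digest authentication is invisible at the new default levels 0-3, whereas the equivalent mismatches in _kdc_do_digest on this page (`"CHAP reply mismatch for %s"`, `"MS-CHAP-V2 hash mismatch for %s"`) are at 2. Since `(*complete)(cctx, ret, &rep)` is issued from that same label, the success path apparently reaches it too, so the level should follow ret: `kdc_log(context, config, ret ? 2 : 3, "digest-request: %d", ret);`. The user name is only logged at level 4 (`"digest-request: user=%s/%s"`), so a default-level failure record would not identify the account; as `ntq.loginUserName` is not necessarily populated at `failed:`, raising that earlier line to 3 is the safer way to get the name into default logs. ntlm_service starts before the first hunk and ends after the last.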


@@ -223,7 +223,7 @@ _kdc_do_digest(krb5_context context,
krb5_data serverNonce;
if(!config->enable_digest) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Rejected digest request (disabled) from %s", from);
return KRB5KDC_ERR_POLICY;
}
@@ -236,7 +236,7 @@ _kdc_do_digest(krb5_context context,
memset(&rep, 0, sizeof(rep));
memset(&res, 0, sizeof(res));
kdc_log(context, config, 0, "Digest request from %s", from);
kdc_log(context, config, 3, "Digest request from %s", from);
ret = krb5_kt_resolve(context, "HDBGET:", &id);
if (ret) {
@@ -320,7 +320,7 @@ _kdc_do_digest(krb5_context context,
goto out;
if (client->entry.flags.allow_digest == 0) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Client %s tried to use digest "
"but is not allowed to",
client_name);
@@ -364,7 +364,7 @@ _kdc_do_digest(krb5_context context,
goto out;
}
kdc_log(context, config, 0, "Valid digest request from %s (%s)",
kdc_log(context, config, 3, "Valid digest request from %s (%s)",
client_name, from);
/*
@@ -498,7 +498,7 @@ _kdc_do_digest(krb5_context context,
goto out;
}
kdc_log(context, config, 0, "Digest %s init request successful from %s",
kdc_log(context, config, 3, "Digest %s init request successful from %s",
ireq.u.init.type, from);
break;
@@ -622,7 +622,7 @@ _kdc_do_digest(krb5_context context,
char idx;
if ((config->digests_allowed & CHAP_MD5) == 0) {
kdc_log(context, config, 0, "Digest CHAP MD5 not allowed");
kdc_log(context, config, 2, "Digest CHAP MD5 not allowed");
goto out;
}
@@ -669,7 +669,7 @@ _kdc_do_digest(krb5_context context,
if (ret == 0) {
r.u.response.success = TRUE;
} else {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"CHAP reply mismatch for %s",
ireq.u.digestRequest.username);
r.u.response.success = FALSE;
@@ -682,7 +682,7 @@ _kdc_do_digest(krb5_context context,
char *A1, *A2;
if ((config->digests_allowed & DIGEST_MD5) == 0) {
kdc_log(context, config, 0, "Digest SASL MD5 not allowed");
kdc_log(context, config, 2, "Digest SASL MD5 not allowed");
goto out;
}
@@ -794,7 +794,7 @@ _kdc_do_digest(krb5_context context,
if (ret == 0) {
r.u.response.success = TRUE;
} else {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"DIGEST-MD5 reply mismatch for %s",
ireq.u.digestRequest.username);
r.u.response.success = FALSE;
@@ -810,7 +810,7 @@ _kdc_do_digest(krb5_context context,
EVP_MD_CTX *ctp;
if ((config->digests_allowed & MS_CHAP_V2) == 0) {
kdc_log(context, config, 0, "MS-CHAP-V2 not allowed");
kdc_log(context, config, 2, "MS-CHAP-V2 not allowed");
goto failed;
}
@@ -917,7 +917,7 @@ _kdc_do_digest(krb5_context context,
if (ret == 0) {
r.u.response.success = TRUE;
} else {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"MS-CHAP-V2 hash mismatch for %s",
ireq.u.digestRequest.username);
r.u.response.success = FALSE;
@@ -1013,7 +1013,7 @@ _kdc_do_digest(krb5_context context,
r.u.error.code = EINVAL;
}
kdc_log(context, config, 0, "Digest %s request successful %s",
kdc_log(context, config, 3, "Digest %s request successful %s",
ireq.u.digestRequest.type, ireq.u.digestRequest.username);
break;
@@ -1021,7 +1021,7 @@ _kdc_do_digest(krb5_context context,
case choice_DigestReqInner_ntlmInit:
if ((config->digests_allowed & (NTLM_V1|NTLM_V1_SESSION|NTLM_V2)) == 0) {
kdc_log(context, config, 0, "NTLM not allowed");
kdc_log(context, config, 2, "NTLM not allowed");
goto failed;
}
@@ -1030,14 +1030,14 @@ _kdc_do_digest(krb5_context context,
r.u.ntlmInitReply.flags = NTLM_NEG_UNICODE;
if ((ireq.u.ntlmInit.flags & NTLM_NEG_UNICODE) == 0) {
kdc_log(context, config, 0, "NTLM client have no unicode");
kdc_log(context, config, 2, "NTLM client have no unicode");
goto failed;
}
if (ireq.u.ntlmInit.flags & NTLM_NEG_NTLM)
r.u.ntlmInitReply.flags |= NTLM_NEG_NTLM;
else {
kdc_log(context, config, 0, "NTLM client doesn't support NTLM");
kdc_log(context, config, 2, "NTLM client doesn't support NTLM");
goto failed;
}
@@ -1137,7 +1137,7 @@ _kdc_do_digest(krb5_context context,
if (ret)
goto out;
kdc_log(context, config, 0, "NTLM init from %s", from);
kdc_log(context, config, 3, "NTLM init from %s", from);
break;
@@ -1181,7 +1181,7 @@ _kdc_do_digest(krb5_context context,
krb5_crypto_destroy(context, crypto);
crypto = NULL;
if (ret) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Failed to decrypt nonce from %s", from);
goto failed;
}
@@ -1227,7 +1227,7 @@ _kdc_do_digest(krb5_context context,
char *targetname;
if ((config->digests_allowed & NTLM_V2) == 0) {
kdc_log(context, config, 0, "NTLM v2 not allowed");
kdc_log(context, config, 2, "NTLM v2 not allowed");
goto out;
}
@@ -1273,7 +1273,7 @@ _kdc_do_digest(krb5_context context,
EVP_MD_CTX *ctx;
if ((config->digests_allowed & NTLM_V1_SESSION) == 0) {
kdc_log(context, config, 0, "NTLM v1-session not allowed");
kdc_log(context, config, 2, "NTLM v1-session not allowed");
ret = EINVAL;
goto failed;
}
@@ -1298,7 +1298,7 @@ _kdc_do_digest(krb5_context context,
} else {
if ((config->digests_allowed & NTLM_V1) == 0) {
kdc_log(context, config, 0, "NTLM v1 not allowed");
kdc_log(context, config, 2, "NTLM v1 not allowed");
goto failed;
}
}
@@ -1389,7 +1389,7 @@ _kdc_do_digest(krb5_context context,
}
case choice_DigestReqInner_supportedMechs:
kdc_log(context, config, 0, "digest supportedMechs from %s", from);
kdc_log(context, config, 4, "digest supportedMechs from %s", from);
r.element = choice_DigestRepInner_supportedMechs;
memset(&r.u.supportedMechs, 0, sizeof(r.u.supportedMechs));
@@ -1421,7 +1421,7 @@ _kdc_do_digest(krb5_context context,
goto out;
}
kdc_log(context, config, 0, "Digest failed with: %s", s);
kdc_log(context, config, 2, "Digest failed with: %s", s);
r.element = choice_DigestRepInner_error;
r.u.error.reason = strdup("unknown error");
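Review bot: The level-2 policy rejections in _kdc_do_digest that name no peer — `"Digest CHAP MD5 not allowed"`, `"Digest SASL MD5 not allowed"`, `"MS-CHAP-V2 not allowed"`, `"NTLM not allowed"`, `"NTLM client have no unicode"`, `"NTLM client doesn't support NTLM"`, `"NTLM v2 not allowed"`, `"NTLM v1-session not allowed"`, `"NTLM v1 not allowed"` — are now in the default log range but, unlike `"Rejected digest request (disabled) from %s"` in the first hunk, do not say which client triggered them, which is what an operator filtering at warning level needs for detection. `from` is in scope for all of them (it is used in the same function at `"NTLM init from %s"`), so e.g. `kdc_log(context, config, 2, "Digest CHAP MD5 not allowed from %s", from);` and the same suffix for the others. _kdc_do_digest starts before the first hunk and continues after the last.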


@@ -115,7 +115,7 @@ fast_parse_cookie(kdc_request_t r, const PA_DATA *pa)
goto out;
if (r->fast.expiration < kdc_time) {
kdc_log(r->context, r->config, 0, "fast cookie expired");
kdc_log(r->context, r->config, 2, "fast cookie expired");
ret = KRB5KDC_ERR_POLICY;
goto out;
}
@@ -298,7 +298,7 @@ _kdc_fast_mk_error(krb5_context context,
KRB5_PADATA_FX_COOKIE,
NULL, 0);
if (ret) {
kdc_log(r->context, r->config, 0, "failed to add fast cookie with: %d", ret);
kdc_log(r->context, r->config, 1, "failed to add fast cookie with: %d", ret);
free_METHOD_DATA(error_method);
return ret;
}
@@ -388,7 +388,7 @@ _kdc_fast_unwrap_request(kdc_request_t r)
}
if (fxreq.element != choice_PA_FX_FAST_REQUEST_armored_data) {
kdc_log(r->context, r->config, 0,
kdc_log(r->context, r->config, 2,
"AS-REQ FAST contain unknown type: %d", (int)fxreq.element);
ret = KRB5KDC_ERR_PREAUTH_FAILED;
goto out;
@@ -396,14 +396,14 @@ _kdc_fast_unwrap_request(kdc_request_t r)
/* pull out armor key */
if (fxreq.u.armored_data.armor == NULL) {
kdc_log(r->context, r->config, 0,
kdc_log(r->context, r->config, 2,
"AS-REQ armor missing");
ret = KRB5KDC_ERR_PREAUTH_FAILED;
goto out;
}
if (fxreq.u.armored_data.armor->armor_type != 1) {
kdc_log(r->context, r->config, 0,
kdc_log(r->context, r->config, 2,
"AS-REQ armor type not ap-req");
ret = KRB5KDC_ERR_PREAUTH_FAILED;
goto out;
@@ -413,7 +413,7 @@ _kdc_fast_unwrap_request(kdc_request_t r)
&fxreq.u.armored_data.armor->armor_value,
&ap_req);
if(ret) {
kdc_log(r->context, r->config, 0, "AP-REQ decode failed");
kdc_log(r->context, r->config, 2, "AP-REQ decode failed");
goto out;
}
@@ -462,7 +462,7 @@ _kdc_fast_unwrap_request(kdc_request_t r)
if (ac->remote_subkey == NULL) {
krb5_auth_con_free(r->context, ac);
kdc_log(r->context, r->config, 0,
kdc_log(r->context, r->config, 2,
"FAST AP-REQ remote subkey missing");
ret = KRB5KDC_ERR_PREAUTH_FAILED;
goto out;
@@ -495,7 +495,7 @@ _kdc_fast_unwrap_request(kdc_request_t r)
buf, len,
&fxreq.u.armored_data.req_checksum);
if (ret) {
kdc_log(r->context, r->config, 0,
kdc_log(r->context, r->config, 2,
"FAST request have a bad checksum");
goto out;
}
@@ -505,7 +505,7 @@ _kdc_fast_unwrap_request(kdc_request_t r)
&fxreq.u.armored_data.enc_fast_req,
&data);
if (ret) {
kdc_log(r->context, r->config, 0,
kdc_log(r->context, r->config, 2,
"Failed to decrypt FAST request");
goto out;
}
@@ -529,7 +529,7 @@ _kdc_fast_unwrap_request(kdc_request_t r)
/* check for unsupported mandatory options */
if (FastOptions2int(fastreq.fast_options) & 0xfffc) {
kdc_log(r->context, r->config, 0,
kdc_log(r->context, r->config, 2,
"FAST unsupported mandatory option set");
ret = KRB5KDC_ERR_PREAUTH_FAILED;
goto out;
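Review bot: Every rejection in _kdc_fast_unwrap_request is now level 2, but its caller further down this page, _kdc_as_rep, re-logs the same failure at level 1 (`"FAST unwrap request from %s failed: %d"`), so a peer sending malformed or badly-checksummed FAST armor still produces an error-level line in default logs regardless of the levels chosen here. If 1 is meant for server-side faults — as `"failed to add fast cookie with: %d"` in this file and `"out of memory"` / `"krb5_crypto_init failed"` elsewhere suggest — the caller's line should be 2 too, and it is the only one of the pair that carries the peer address; whether `r` exposes that address for the messages here is not visible on this page. `"fast cookie expired"` at 2 is also a routine client condition rather than a fault and may be noisy at the default level; 3 or 4 seems closer to the intent stated in the commit message. _kdc_fast_unwrap_request starts before its first hunk and continues past the last.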


@@ -337,7 +337,7 @@ _kdc_log_timestamp(krb5_context context,
else
strlcpy(renewtime_str, "unset", sizeof(renewtime_str));
kdc_log(context, config, 5,
kdc_log(context, config, 3,
"%s authtime: %s starttime: %s endtime: %s renew till: %s",
type, authtime_str, starttime_str, endtime_str, renewtime_str);
}
@@ -358,7 +358,7 @@ pa_pkinit_validate(kdc_request_t r, const PA_DATA *pa)
ret = _kdc_pk_rd_padata(r->context, r->config, &r->req, pa, r->client, &pkp);
if (ret || pkp == NULL) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
_kdc_r_log(r, 5, "Failed to decode PKINIT PA-DATA -- %s",
_kdc_r_log(r, 2, "Failed to decode PKINIT PA-DATA -- %s",
r->client_name);
goto out;
}
@@ -375,7 +375,7 @@ pa_pkinit_validate(kdc_request_t r, const PA_DATA *pa)
goto out;
}
_kdc_r_log(r, 0, "PKINIT pre-authentication succeeded -- %s using %s",
_kdc_r_log(r, 3, "PKINIT pre-authentication succeeded -- %s using %s",
r->client_name, client_cert);
free(client_cert);
@@ -466,7 +466,7 @@ pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa)
if (_kdc_is_anon_request(&r->req)) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log(r->context, r->config, 0, "ENC-CHALL doesn't support anon");
kdc_log(r->context, r->config, 2, "ENC-CHALL doesn't support anon");
return ret;
}
@@ -476,7 +476,7 @@ pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa)
&size);
if (ret) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
_kdc_r_log(r, 5, "Failed to decode PA-DATA -- %s",
_kdc_r_log(r, 2, "Failed to decode PA-DATA -- %s",
r->client_name);
return ret;
}
@@ -525,7 +525,7 @@ pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa)
ret2 = krb5_enctype_to_string(r->context, k->key.keytype, &str);
if (ret2)
str = NULL;
_kdc_r_log(r, 5, "Failed to decrypt ENC-CHAL -- %s "
_kdc_r_log(r, 2, "Failed to decrypt ENC-CHAL -- %s "
"(enctype %s) error %s",
r->client_name, str ? str : "unknown enctype", msg);
krb5_free_error_message(r->context, msg);
@@ -542,7 +542,7 @@ pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa)
if(ret){
krb5_crypto_destroy(r->context, challangecrypto);
ret = KRB5KDC_ERR_PREAUTH_FAILED;
_kdc_r_log(r, 5, "Failed to decode PA-ENC-TS_ENC -- %s",
_kdc_r_log(r, 2, "Failed to decode PA-ENC-TS_ENC -- %s",
r->client_name);
continue;
}
@@ -556,7 +556,7 @@ pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa)
client_time, sizeof(client_time), TRUE);
ret = KRB5KRB_AP_ERR_SKEW;
_kdc_r_log(r, 0, "Too large time skew, "
_kdc_r_log(r, 2, "Too large time skew, "
"client time %s is out by %u > %u seconds -- %s",
client_time,
(unsigned)labs(kdc_time - p.patimestamp),
@@ -619,7 +619,7 @@ pa_enc_ts_validate(kdc_request_t r, const PA_DATA *pa)
&len);
if (ret) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
_kdc_r_log(r, 5, "Failed to decode PA-DATA -- %s",
_kdc_r_log(r, 2, "Failed to decode PA-DATA -- %s",
r->client_name);
goto out;
}
@@ -633,11 +633,11 @@ pa_enc_ts_validate(kdc_request_t r, const PA_DATA *pa)
if(krb5_enctype_to_string(r->context, enc_data.etype, &estr))
estr = NULL;
if(estr == NULL)
_kdc_r_log(r, 5,
_kdc_r_log(r, 2,
"No client key matching pa-data (%d) -- %s",
enc_data.etype, r->client_name);
else
_kdc_r_log(r, 5,
_kdc_r_log(r, 2,
"No client key matching pa-data (%s) -- %s",
estr, r->client_name);
free(estr);
@@ -649,7 +649,7 @@ pa_enc_ts_validate(kdc_request_t r, const PA_DATA *pa)
ret = krb5_crypto_init(r->context, &pa_key->key, 0, &crypto);
if (ret) {
const char *msg = krb5_get_error_message(r->context, ret);
_kdc_r_log(r, 0, "krb5_crypto_init failed: %s", msg);
_kdc_r_log(r, 1, "krb5_crypto_init failed: %s", msg);
krb5_free_error_message(r->context, msg);
free_EncryptedData(&enc_data);
goto out;
@@ -674,7 +674,7 @@ pa_enc_ts_validate(kdc_request_t r, const PA_DATA *pa)
pa_key->key.keytype, &str);
if (ret2)
str = NULL;
_kdc_r_log(r, 5, "Failed to decrypt PA-DATA -- %s "
_kdc_r_log(r, 2, "Failed to decrypt PA-DATA -- %s "
"(enctype %s) error %s",
r->client_name, str ? str : "unknown enctype", msg);
krb5_free_error_message(r->context, msg);
@@ -701,7 +701,7 @@ pa_enc_ts_validate(kdc_request_t r, const PA_DATA *pa)
krb5_data_free(&ts_data);
if(ret){
ret = KRB5KDC_ERR_PREAUTH_FAILED;
_kdc_r_log(r, 5, "Failed to decode PA-ENC-TS_ENC -- %s",
_kdc_r_log(r, 2, "Failed to decode PA-ENC-TS_ENC -- %s",
r->client_name);
goto out;
}
@@ -712,7 +712,7 @@ pa_enc_ts_validate(kdc_request_t r, const PA_DATA *pa)
client_time, sizeof(client_time), TRUE);
ret = KRB5KRB_AP_ERR_SKEW;
_kdc_r_log(r, 0, "Too large time skew, "
_kdc_r_log(r, 2, "Too large time skew, "
"client time %s is out by %u > %u seconds -- %s",
client_time,
(unsigned)labs(kdc_time - p.patimestamp),
@@ -739,7 +739,7 @@ pa_enc_ts_validate(kdc_request_t r, const PA_DATA *pa)
ret = krb5_enctype_to_string(r->context, pa_key->key.keytype, &str);
if (ret)
str = NULL;
_kdc_r_log(r, 2, "ENC-TS Pre-authentication succeeded -- %s using %s",
_kdc_r_log(r, 3, "ENC-TS Pre-authentication succeeded -- %s using %s",
r->client_name, str ? str : "unknown enctype");
free(str);
@@ -816,7 +816,7 @@ log_patypes(krb5_context context,
if (p && n + 1 < padata->len)
p = rk_strpoolprintf(p, ", ");
if (p == NULL) {
kdc_log(context, config, 0, "out of memory");
kdc_log(context, config, 1, "out of memory");
return;
}
}
@@ -824,7 +824,7 @@ log_patypes(krb5_context context,
p = rk_strpoolprintf(p, "none");
str = rk_strpoolcollect(p);
kdc_log(context, config, 0, "Client sent patypes: %s", str);
kdc_log(context, config, 4, "Client sent patypes: %s", str);
free(str);
}
@@ -853,7 +853,7 @@ _kdc_encode_reply(krb5_context context,
ASN1_MALLOC_ENCODE(EncTicketPart, buf, buf_size, et, &len, ret);
if(ret) {
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0, "Failed to encode ticket: %s", msg);
kdc_log(context, config, 1, "Failed to encode ticket: %s", msg);
krb5_free_error_message(context, msg);
return ret;
}
@@ -863,7 +863,7 @@ _kdc_encode_reply(krb5_context context,
ret = krb5_crypto_init(context, skey, etype, &crypto);
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
kdc_log(context, config, 1, "krb5_crypto_init failed: %s", msg);
krb5_free_error_message(context, msg);
free(buf);
return ret;
@@ -880,7 +880,7 @@ _kdc_encode_reply(krb5_context context,
krb5_crypto_destroy(context, crypto);
if(ret) {
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0, "Failed to encrypt data: %s", msg);
kdc_log(context, config, 1, "Failed to encrypt data: %s", msg);
krb5_free_error_message(context, msg);
return ret;
}
@@ -890,7 +890,7 @@ _kdc_encode_reply(krb5_context context,
krb5_keyblock *strengthen_key = NULL;
KrbFastFinished finished;
kdc_log(context, config, 0, "FAST armor protection");
kdc_log(context, config, 4, "FAST armor protection");
memset(&finished, 0, sizeof(finished));
krb5_data_zero(&data);
@@ -954,13 +954,13 @@ _kdc_encode_reply(krb5_context context,
ASN1_MALLOC_ENCODE(EncTGSRepPart, buf, buf_size, ek, &len, ret);
if(ret) {
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0, "Failed to encode KDC-REP: %s", msg);
kdc_log(context, config, 1, "Failed to encode KDC-REP: %s", msg);
krb5_free_error_message(context, msg);
return ret;
}
if(buf_size != len) {
free(buf);
kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
kdc_log(context, config, 1, "Internal error in ASN.1 encoder");
*e_text = "KDC internal error";
return KRB5KRB_ERR_GENERIC;
}
@@ -968,7 +968,7 @@ _kdc_encode_reply(krb5_context context,
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
free(buf);
kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
kdc_log(context, config, 1, "krb5_crypto_init failed: %s", msg);
krb5_free_error_message(context, msg);
return ret;
}
@@ -996,13 +996,13 @@ _kdc_encode_reply(krb5_context context,
krb5_crypto_destroy(context, crypto);
if(ret) {
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0, "Failed to encode KDC-REP: %s", msg);
kdc_log(context, config, 1, "Failed to encode KDC-REP: %s", msg);
krb5_free_error_message(context, msg);
return ret;
}
if(buf_size != len) {
free(buf);
kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
kdc_log(context, config, 1, "Internal error in ASN.1 encoder");
*e_text = "KDC internal error";
return KRB5KRB_ERR_GENERIC;
}
@@ -1059,7 +1059,7 @@ make_etype_info_entry(krb5_context context,
else if(key->salt->type == hdb_afs3_salt)
*ent->salttype = 2;
else {
kdc_log(context, config, 0, "unknown salt-type: %d",
kdc_log(context, config, 2, "unknown salt-type: %d",
key->salt->type);
return KRB5KRB_ERR_GENERIC;
}
@@ -1333,7 +1333,7 @@ log_as_req(krb5_context context,
if (p && i + 1 < b->etype.len)
p = rk_strpoolprintf(p, ", ");
if (p == NULL) {
kdc_log(context, config, 0, "out of memory");
kdc_log(context, config, 1, "out of memory");
return;
}
}
@@ -1359,7 +1359,7 @@ log_as_req(krb5_context context,
}
str = rk_strpoolcollect(p);
kdc_log(context, config, 0, "%s", str);
kdc_log(context, config, 3, "%s", str);
free(str);
{
@@ -1367,7 +1367,7 @@ log_as_req(krb5_context context,
unparse_flags(KDCOptions2int(b->kdc_options), asn1_KDCOptions_units(),
fixedstr, sizeof(fixedstr));
if(*fixedstr)
kdc_log(context, config, 0, "Requested flags: %s", fixedstr);
kdc_log(context, config, 3, "Requested flags: %s", fixedstr);
}
}
@@ -1389,19 +1389,19 @@ kdc_check_flags(krb5_context context,
/* check client */
if (client->flags.locked_out) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Client (%s) is locked out", client_name);
return KRB5KDC_ERR_POLICY;
}
if (client->flags.invalid) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Client (%s) has invalid bit set", client_name);
return KRB5KDC_ERR_POLICY;
}
if(!client->flags.client){
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Principal may not act as client -- %s", client_name);
return KRB5KDC_ERR_POLICY;
}
@@ -1410,7 +1410,7 @@ kdc_check_flags(krb5_context context,
char starttime_str[100];
krb5_format_time(context, *client->valid_start,
starttime_str, sizeof(starttime_str), TRUE);
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Client not yet valid until %s -- %s",
starttime_str, client_name);
return KRB5KDC_ERR_CLIENT_NOTYET;
@@ -1420,7 +1420,7 @@ kdc_check_flags(krb5_context context,
char endtime_str[100];
krb5_format_time(context, *client->valid_end,
endtime_str, sizeof(endtime_str), TRUE);
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Client expired at %s -- %s",
endtime_str, client_name);
return KRB5KDC_ERR_NAME_EXP;
@@ -1428,7 +1428,7 @@ kdc_check_flags(krb5_context context,
if (client->flags.require_pwchange &&
(server_ex == NULL || !server_ex->entry.flags.change_pw)) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Client's key must be changed -- %s", client_name);
return KRB5KDC_ERR_KEY_EXPIRED;
}
@@ -1438,7 +1438,7 @@ kdc_check_flags(krb5_context context,
char pwend_str[100];
krb5_format_time(context, *client->pw_end,
pwend_str, sizeof(pwend_str), TRUE);
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Client's key has expired at %s -- %s",
pwend_str, client_name);
return KRB5KDC_ERR_KEY_EXPIRED;
@@ -1451,24 +1451,24 @@ kdc_check_flags(krb5_context context,
hdb_entry *server = &server_ex->entry;
if (server->flags.locked_out) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Server locked out -- %s", server_name);
return KRB5KDC_ERR_POLICY;
}
if (server->flags.invalid) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Server has invalid flag set -- %s", server_name);
return KRB5KDC_ERR_POLICY;
}
if(!server->flags.server){
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Principal may not act as server -- %s", server_name);
return KRB5KDC_ERR_POLICY;
}
if(!is_as_req && server->flags.initial) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"AS-REQ is required for server -- %s", server_name);
return KRB5KDC_ERR_POLICY;
}
@@ -1477,7 +1477,7 @@ kdc_check_flags(krb5_context context,
char starttime_str[100];
krb5_format_time(context, *server->valid_start,
starttime_str, sizeof(starttime_str), TRUE);
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Server not yet valid until %s -- %s",
starttime_str, server_name);
return KRB5KDC_ERR_SERVICE_NOTYET;
@@ -1487,7 +1487,7 @@ kdc_check_flags(krb5_context context,
char endtime_str[100];
krb5_format_time(context, *server->valid_end,
endtime_str, sizeof(endtime_str), TRUE);
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Server expired at %s -- %s",
endtime_str, server_name);
return KRB5KDC_ERR_SERVICE_EXP;
@@ -1497,7 +1497,7 @@ kdc_check_flags(krb5_context context,
char pwend_str[100];
krb5_format_time(context, *server->pw_end,
pwend_str, sizeof(pwend_str), TRUE);
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Server's key has expired at %s -- %s",
pwend_str, server_name);
return KRB5KDC_ERR_KEY_EXPIRED;
@@ -1563,7 +1563,7 @@ _kdc_check_anon_policy (krb5_context context,
hdb_entry_ex *server)
{
if (!config->allow_anonymous){
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Request for anonymous ticket denied by local policy");
return KRB5KDC_ERR_POLICY;
}
@@ -1613,7 +1613,7 @@ generate_pac(kdc_request_t r, Key *skey)
ret = _kdc_pac_generate(r->context, r->client, &p);
if (ret) {
_kdc_r_log(r, 0, "PAC generation failed for -- %s",
_kdc_r_log(r, 1, "PAC generation failed for -- %s",
r->client_name);
return ret;
}
@@ -1627,7 +1627,7 @@ generate_pac(kdc_request_t r, Key *skey)
&data);
krb5_pac_free(r->context, p);
if (ret) {
_kdc_r_log(r, 0, "PAC signing failed for -- %s",
_kdc_r_log(r, 1, "PAC signing failed for -- %s",
r->client_name);
return ret;
}
@@ -1740,7 +1740,7 @@ _kdc_as_rep(kdc_request_t r,
*/
ret = _kdc_fast_unwrap_request(r);
if (ret) {
_kdc_r_log(r, 0, "FAST unwrap request from %s failed: %d", from, ret);
_kdc_r_log(r, 1, "FAST unwrap request from %s failed: %d", from, ret);
goto out;
}
@@ -1762,7 +1762,7 @@ _kdc_as_rep(kdc_request_t r,
ret = krb5_unparse_name(context, r->server_princ, &r->server_name);
}
if (ret) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"AS-REQ malformed server name from %s", from);
goto out;
}
@@ -1780,12 +1780,12 @@ _kdc_as_rep(kdc_request_t r,
ret = krb5_unparse_name(context, r->client_princ, &r->client_name);
}
if (ret) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"AS-REQ malformed client name from %s", from);
goto out;
}
kdc_log(context, config, 0, "AS-REQ %s from %s for %s",
kdc_log(context, config, 3, "AS-REQ %s from %s for %s",
r->client_name, from, r->server_name);
is_tgs = krb5_principal_is_krbtgt(context, r->server_princ);
@@ -1796,7 +1796,7 @@ _kdc_as_rep(kdc_request_t r,
if (_kdc_is_anonymous(context, r->client_princ) &&
!_kdc_is_anon_request(&r->req)) {
kdc_log(context, config, 0, "Anonymous client w/o anonymous flag");
kdc_log(context, config, 2, "Anonymous client w/o anonymous flag");
ret = KRB5KDC_ERR_BADOPTION;
goto out;
}
@@ -1821,7 +1821,7 @@ _kdc_as_rep(kdc_request_t r,
goto out;
}
kdc_log(context, config, 0, "WRONG_REALM - %s -> %s",
kdc_log(context, config, 2, "WRONG_REALM - %s -> %s",
r->client_name, fixed_client_name);
free(fixed_client_name);
@@ -1839,7 +1839,7 @@ _kdc_as_rep(kdc_request_t r,
goto out;
} else if(ret){
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0, "UNKNOWN -- %s: %s", r->client_name, msg);
kdc_log(context, config, 2, "UNKNOWN -- %s: %s", r->client_name, msg);
krb5_free_error_message(context, msg);
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto out;
@@ -1853,7 +1853,7 @@ _kdc_as_rep(kdc_request_t r,
goto out;
} else if(ret){
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0, "UNKNOWN -- %s: %s", r->server_name, msg);
kdc_log(context, config, 2, "UNKNOWN -- %s: %s", r->server_name, msg);
krb5_free_error_message(context, msg);
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto out;
@@ -1877,7 +1877,7 @@ _kdc_as_rep(kdc_request_t r,
b->etype.val, b->etype.len,
&r->sessionetype, NULL, NULL);
if (ret) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Client (%s) from %s has no common enctypes with KDC "
"to use for the session key",
r->client_name, from);
@@ -1927,7 +1927,7 @@ _kdc_as_rep(kdc_request_t r,
}
goto out;
}
kdc_log(context, config, 0,
kdc_log(context, config, 3,
"%s pre-authentication succeeded -- %s",
pat[n].name, r->client_name);
found_pa = 1;
@@ -2318,7 +2318,7 @@ _kdc_as_rep(kdc_request_t r,
ret = add_enc_pa_rep(r);
if (ret) {
const char *msg = krb5_get_error_message(r->context, ret);
_kdc_r_log(r, 0, "add_enc_pa_rep failed: %s: %d", msg, ret);
_kdc_r_log(r, 1, "add_enc_pa_rep failed: %s: %d", msg, ret);
krb5_free_error_message(r->context, msg);
goto out;
}


@@ -243,7 +243,7 @@ check_KRB5SignedPath(krb5_context context,
free(data.data);
if (ret) {
free_KRB5SignedPath(&sp);
kdc_log(context, config, 5,
kdc_log(context, config, 2,
"KRB5SignedPath not signed correctly, not marking as signed");
return 0;
}
@@ -400,26 +400,26 @@ check_tgs_flags(krb5_context context,
if(f.validate){
if(!tgt->flags.invalid || tgt->starttime == NULL){
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Bad request to validate ticket");
return KRB5KDC_ERR_BADOPTION;
}
if(*tgt->starttime > kdc_time){
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Early request to validate ticket");
return KRB5KRB_AP_ERR_TKT_NYV;
}
/* XXX tkt = tgt */
et->flags.invalid = 0;
}else if(tgt->flags.invalid){
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Ticket-granting ticket has INVALID flag set");
return KRB5KRB_AP_ERR_TKT_INVALID;
}
if(f.forwardable){
if(!tgt->flags.forwardable){
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Bad request for forwardable ticket");
return KRB5KDC_ERR_BADOPTION;
}
@@ -427,7 +427,7 @@ check_tgs_flags(krb5_context context,
}
if(f.forwarded){
if(!tgt->flags.forwardable){
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Request to forward non-forwardable ticket");
return KRB5KDC_ERR_BADOPTION;
}
@@ -439,7 +439,7 @@ check_tgs_flags(krb5_context context,
if(f.proxiable){
if(!tgt->flags.proxiable){
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Bad request for proxiable ticket");
return KRB5KDC_ERR_BADOPTION;
}
@@ -447,7 +447,7 @@ check_tgs_flags(krb5_context context,
}
if(f.proxy){
if(!tgt->flags.proxiable){
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Request to proxy non-proxiable ticket");
return KRB5KDC_ERR_BADOPTION;
}
@@ -459,7 +459,7 @@ check_tgs_flags(krb5_context context,
if(f.allow_postdate){
if(!tgt->flags.may_postdate){
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Bad request for post-datable ticket");
return KRB5KDC_ERR_BADOPTION;
}
@@ -467,7 +467,7 @@ check_tgs_flags(krb5_context context,
}
if(f.postdated){
if(!tgt->flags.may_postdate){
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Bad request for postdated ticket");
return KRB5KDC_ERR_BADOPTION;
}
@@ -482,7 +482,7 @@ check_tgs_flags(krb5_context context,
if(f.renewable){
if(!tgt->flags.renewable || tgt->renew_till == NULL){
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Bad request for renewable ticket");
return KRB5KDC_ERR_BADOPTION;
}
@@ -494,7 +494,7 @@ check_tgs_flags(krb5_context context,
if(f.renew){
time_t old_life;
if(!tgt->flags.renewable || tgt->renew_till == NULL){
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Request to renew non-renewable ticket");
return KRB5KDC_ERR_BADOPTION;
}
@@ -514,7 +514,7 @@ check_tgs_flags(krb5_context context,
*/
if (tgt->flags.anonymous &&
!_kdc_is_anonymous(context, tgt_name)) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Anonymous ticket flag set without anonymous principal");
return KRB5KDC_ERR_BADOPTION;
}
@@ -554,7 +554,7 @@ check_constrained_delegation(krb5_context context,
*/
if(!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) {
ret = KRB5KDC_ERR_BADOPTION;
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Bad request for constrained delegation");
return ret;
}
@@ -582,7 +582,7 @@ check_constrained_delegation(krb5_context context,
}
ret = KRB5KDC_ERR_BADOPTION;
}
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Bad request for constrained delegation");
return ret;
}
@@ -628,11 +628,11 @@ verify_flags (krb5_context context,
const char *pstr)
{
if(et->endtime < kdc_time){
kdc_log(context, config, 0, "Ticket expired (%s)", pstr);
kdc_log(context, config, 2, "Ticket expired (%s)", pstr);
return KRB5KRB_AP_ERR_TKT_EXPIRED;
}
if(et->flags.invalid){
kdc_log(context, config, 0, "Ticket not valid (%s)", pstr);
kdc_log(context, config, 2, "Ticket not valid (%s)", pstr);
return KRB5KRB_AP_ERR_TKT_NYV;
}
return 0;
@@ -667,11 +667,11 @@ fix_transited_encoding(krb5_context context,
*/
if (tr->contents.length == 0)
break;
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Transited type 0 with non empty content");
return KRB5KDC_ERR_TRTYPE_NOSUPP;
default:
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Unknown transited type: %u", tr->tr_type);
return KRB5KDC_ERR_TRTYPE_NOSUPP;
}
@@ -712,7 +712,7 @@ fix_transited_encoding(krb5_context context,
}
if(num_realms == 0) {
if(strcmp(client_realm, server_realm))
kdc_log(context, config, 0,
kdc_log(context, config, 4,
"cross-realm %s -> %s", client_realm, server_realm);
} else {
size_t l = 0;
@@ -727,7 +727,7 @@ fix_transited_encoding(krb5_context context,
strlcat(rs, ", ", l);
strlcat(rs, realms[i], l);
}
kdc_log(context, config, 0,
kdc_log(context, config, 4,
"cross-realm %s -> %s via [%s]",
client_realm, server_realm, rs);
free(rs);
@@ -1080,7 +1080,7 @@ tgs_check_authenticator(krb5_context context,
krb5_auth_con_getauthenticator(context, ac, &auth);
if(auth->cksum == NULL){
kdc_log(context, config, 0, "No authenticator in request");
kdc_log(context, config, 2, "No authenticator in request");
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
goto out;
}
@@ -1094,7 +1094,7 @@ tgs_check_authenticator(krb5_context context,
||
#endif
!krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
kdc_log(context, config, 2, "Bad checksum type in authenticator: %d",
auth->cksum->cksumtype);
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
goto out;
@@ -1104,13 +1104,13 @@ tgs_check_authenticator(krb5_context context,
ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
if(ret){
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg);
kdc_log(context, config, 1, "Failed to encode KDC-REQ-BODY: %s", msg);
krb5_free_error_message(context, msg);
goto out;
}
if(buf_size != len) {
free(buf);
kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
kdc_log(context, config, 1, "Internal error in ASN.1 encoder");
*e_text = "KDC internal error";
ret = KRB5KRB_ERR_GENERIC;
goto out;
@@ -1119,7 +1119,7 @@ tgs_check_authenticator(krb5_context context,
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
free(buf);
kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
kdc_log(context, config, 1, "krb5_crypto_init failed: %s", msg);
krb5_free_error_message(context, msg);
goto out;
}
@@ -1133,7 +1133,7 @@ tgs_check_authenticator(krb5_context context,
krb5_crypto_destroy(context, crypto);
if(ret){
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Failed to verify authenticator checksum: %s", msg);
krb5_free_error_message(context, msg);
}
@@ -1162,7 +1162,7 @@ need_referral(krb5_context context, krb5_kdc_configuration *config,
SPN form, which is used for inter-domain communication in AD
*/
name = server->name.name_string.val[2];
kdc_log(context, config, 0, "Giving 3 part referral for %s", name);
kdc_log(context, config, 4, "Giving 3 part referral for %s", name);
*realms = malloc(sizeof(char *)*2);
if (*realms == NULL) {
krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
@@ -1176,7 +1176,7 @@ need_referral(krb5_context context, krb5_kdc_configuration *config,
else
return FALSE;
kdc_log(context, config, 0, "Searching referral for %s", name);
kdc_log(context, config, 5, "Searching referral for %s", name);
return _krb5_get_host_realm_int(context, name, FALSE, realms) == 0;
}
@@ -1223,14 +1223,14 @@ tgs_parse_request(krb5_context context,
ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
if(ret){
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", msg);
kdc_log(context, config, 2, "Failed to decode AP-REQ: %s", msg);
krb5_free_error_message(context, msg);
goto out;
}
if(!get_krbtgt_realm(&ap_req.ticket.sname)){
/* XXX check for ticket.sname == req.sname */
kdc_log(context, config, 0, "PA-DATA is not a ticket-granting ticket");
kdc_log(context, config, 2, "PA-DATA is not a ticket-granting ticket");
ret = KRB5KDC_ERR_POLICY; /* ? */
goto out;
}
@@ -1290,7 +1290,7 @@ tgs_parse_request(krb5_context context,
ret = krb5_unparse_name(context, princ, &p);
if (ret != 0)
p = failed;
kdc_log(context, config, 0,
kdc_log(context, config, 1,
"Ticket-granting ticket %s not found in database: %s", p, msg);
krb5_free_principal(context, princ);
krb5_free_error_message(context, msg);
@@ -1316,7 +1316,7 @@ next_kvno:
krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
krb5_unparse_name(context, princ, &p);
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"No server key with enctype %s found for %s",
str ? str : "<unknown enctype>",
p ? p : "<unparse_name failed>");
@@ -1349,7 +1349,7 @@ next_kvno:
krb5_free_principal(context, princ);
if(ret) {
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", msg);
kdc_log(context, config, 2, "Failed to verify AP-REQ: %s", msg);
krb5_free_error_message(context, msg);
goto out;
}
@@ -1362,14 +1362,14 @@ next_kvno:
*csec = malloc(sizeof(**csec));
if (*csec == NULL) {
krb5_free_authenticator(context, &auth);
kdc_log(context, config, 0, "malloc failed");
kdc_log(context, config, 1, "malloc failed");
goto out;
}
**csec = auth->ctime;
*cusec = malloc(sizeof(**cusec));
if (*cusec == NULL) {
krb5_free_authenticator(context, &auth);
kdc_log(context, config, 0, "malloc failed");
kdc_log(context, config, 1, "malloc failed");
goto out;
}
**cusec = auth->cusec;
@@ -1391,7 +1391,7 @@ next_kvno:
if(ret){
const char *msg = krb5_get_error_message(context, ret);
krb5_auth_con_free(context, ac);
kdc_log(context, config, 0, "Failed to get remote subkey: %s", msg);
kdc_log(context, config, 1, "Failed to get remote subkey: %s", msg);
krb5_free_error_message(context, msg);
goto out;
}
@@ -1403,14 +1403,14 @@ next_kvno:
if(ret) {
const char *msg = krb5_get_error_message(context, ret);
krb5_auth_con_free(context, ac);
kdc_log(context, config, 0, "Failed to get session key: %s", msg);
kdc_log(context, config, 1, "Failed to get session key: %s", msg);
krb5_free_error_message(context, msg);
goto out;
}
}
if(subkey == NULL){
krb5_auth_con_free(context, ac);
kdc_log(context, config, 0,
kdc_log(context, config, 1,
"Failed to get key for enc-authorization-data");
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
goto out;
@@ -1425,7 +1425,7 @@ next_kvno:
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
krb5_auth_con_free(context, ac);
kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
kdc_log(context, config, 1, "krb5_crypto_init failed: %s", msg);
krb5_free_error_message(context, msg);
goto out;
}
@@ -1437,7 +1437,7 @@ next_kvno:
krb5_crypto_destroy(context, crypto);
if(ret){
krb5_auth_con_free(context, ac);
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Failed to decrypt enc-authorization-data");
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
goto out;
@@ -1453,7 +1453,7 @@ next_kvno:
krb5_auth_con_free(context, ac);
free(*auth_data);
*auth_data = NULL;
kdc_log(context, config, 0, "Failed to decode authorization data");
kdc_log(context, config, 2, "Failed to decode authorization data");
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
goto out;
}
@@ -1621,13 +1621,13 @@ tgs_build_reply(krb5_context context,
if(b->additional_tickets == NULL ||
b->additional_tickets->len == 0){
ret = KRB5KDC_ERR_BADOPTION; /* ? */
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"No second ticket present in request");
goto out;
}
t = &b->additional_tickets->val[0];
if(!get_krbtgt_realm(&t->sname)){
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Additional ticket is not a ticket-granting ticket");
ret = KRB5KDC_ERR_POLICY;
goto out;
@@ -1678,11 +1678,11 @@ tgs_build_reply(krb5_context context,
asn1_KDCOptions_units(),
opt_str, sizeof(opt_str));
if(*opt_str)
kdc_log(context, config, 0,
kdc_log(context, config, 3,
"TGS-REQ %s from %s for %s [%s]",
cpn, from, spn, opt_str);
else
kdc_log(context, config, 0,
kdc_log(context, config, 3,
"TGS-REQ %s from %s for %s", cpn, from, spn);
/*
@@ -1704,7 +1704,7 @@ server_lookup:
goto out;
}
kdc_log(context, config, 5,
kdc_log(context, config, 4,
"Returning a referral to realm %s for "
"server %s.",
ref_realm, spn);
@@ -1762,7 +1762,7 @@ server_lookup:
}
} else if (need_referral(context, config, &b->kdc_options, sp, &realms)) {
if (strcmp(realms[0], sp->realm) != 0) {
kdc_log(context, config, 5,
kdc_log(context, config, 4,
"Returning a referral to realm %s for "
"server %s that was not found",
realms[0], spn);
@@ -1787,7 +1787,7 @@ server_lookup:
krb5_free_host_realm(context, realms);
}
msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Server not found in database: %s: %s", spn, msg);
krb5_free_error_message(context, msg);
if (ret == HDB_ERR_NOENTRY)
@@ -1821,7 +1821,7 @@ server_lookup:
if (b->etype.val[i] == adtkt.key.keytype)
break;
if(i == b->etype.len) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Addition ticket have not matching etypes");
krb5_clear_error_message(context);
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
@@ -1841,14 +1841,14 @@ server_lookup:
NULL,
NULL);
if(ret) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Server (%s) has no support for etypes", spn);
goto out;
}
ret = _kdc_get_preferred_key(context, config, server, spn,
NULL, &skey);
if(ret) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Server (%s) has no supported etypes", spn);
goto out;
}
@@ -1874,7 +1874,7 @@ server_lookup:
ret = hdb_enctype2key(context, &krbtgt->entry, NULL, /* XXX use the right kvno! */
krbtgt_etype, &tkey_check);
if(ret) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Failed to find key for krbtgt PAC check");
goto out;
}
@@ -1892,14 +1892,14 @@ server_lookup:
our_realm,
NULL);
if (ret) {
kdc_log(context, config, 0,
kdc_log(context, config, 1,
"Failed to make krbtgt principal name object for "
"authz-data signatures");
goto out;
}
ret = krb5_unparse_name(context, krbtgt_out_principal, &krbtgt_out_n);
if (ret) {
kdc_log(context, config, 0,
kdc_log(context, config, 1,
"Failed to make krbtgt principal name object for "
"authz-data signatures");
goto out;
@@ -1910,7 +1910,7 @@ server_lookup:
if (ret) {
char *ktpn = NULL;
ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"No such principal %s (needed for authz-data signature keys) "
"while processing TGS-REQ for service %s with krbtg %s",
krbtgt_out_n, spn, (ret == 0) ? ktpn : "<unknown>");
@@ -1930,7 +1930,7 @@ server_lookup:
krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) {
char *ktpn;
ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &ktpn);
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Request with wrong krbtgt: %s",
(ret == 0) ? ktpn : "<unknown>");
if(ret == 0)
@@ -1942,14 +1942,14 @@ server_lookup:
ret = _kdc_get_preferred_key(context, config, krbtgt_out, krbtgt_out_n,
NULL, &tkey_sign);
if (ret) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Failed to find key for krbtgt PAC signature");
goto out;
}
ret = hdb_enctype2key(context, &krbtgt_out->entry, NULL,
tkey_sign->key.keytype, &tkey_sign);
if(ret) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Failed to find key for krbtgt PAC signature");
goto out;
}
@@ -1974,13 +1974,13 @@ server_lookup:
if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
if (ret == HDB_ERR_NOENTRY)
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
kdc_log(context, config, 1, "Client no longer in database: %s",
kdc_log(context, config, 2, "Client no longer in database: %s",
cpn);
goto out;
}
msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 1, "Client not found in database: %s", msg);
kdc_log(context, config, 2, "Client not found in database: %s", msg);
krb5_free_error_message(context, msg);
}
@@ -1991,7 +1991,7 @@ server_lookup:
tgt, &rspac, &signedpath);
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Verify PAC failed for %s (%s) from %s with %s",
spn, cpn, from, msg);
krb5_free_error_message(context, msg);
@@ -2008,7 +2008,7 @@ server_lookup:
&signedpath);
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"KRB5SignedPath check failed for %s (%s) from %s with %s",
spn, cpn, from, msg);
krb5_free_error_message(context, msg);
@@ -2038,13 +2038,13 @@ server_lookup:
sdata->padata_value.length,
&self, NULL);
if (ret) {
kdc_log(context, config, 0, "Failed to decode PA-S4U2Self");
kdc_log(context, config, 2, "Failed to decode PA-S4U2Self");
goto out;
}
if (!krb5_checksum_is_keyed(context, self.cksum.cksumtype)) {
free_PA_S4U2Self(&self);
kdc_log(context, config, 0, "Reject PA-S4U2Self with unkeyed checksum");
kdc_log(context, config, 2, "Reject PA-S4U2Self with unkeyed checksum");
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
goto out;
}
@@ -2058,7 +2058,7 @@ server_lookup:
const char *msg = krb5_get_error_message(context, ret);
free_PA_S4U2Self(&self);
krb5_data_free(&datack);
kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
kdc_log(context, config, 2, "krb5_crypto_init failed: %s", msg);
krb5_free_error_message(context, msg);
goto out;
}
@@ -2096,7 +2096,7 @@ server_lookup:
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
free_PA_S4U2Self(&self);
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"krb5_verify_checksum failed for S4U2Self: %s", msg);
krb5_free_error_message(context, msg);
goto out;
@@ -2132,7 +2132,7 @@ server_lookup:
if (ret == HDB_ERR_NOENTRY)
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 1,
kdc_log(context, config, 2,
"S4U2Self principal to impersonate %s not found in database: %s",
tpn, msg);
krb5_free_error_message(context, msg);
@@ -2140,7 +2140,7 @@ server_lookup:
}
ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
if (ret) {
kdc_log(context, config, 0, "PAC generation failed for -- %s",
kdc_log(context, config, 2, "PAC generation failed for -- %s",
tpn);
goto out;
}
@@ -2151,7 +2151,7 @@ server_lookup:
&rspac);
krb5_pac_free(context, p);
if (ret) {
kdc_log(context, config, 0, "PAC signing failed for -- %s",
kdc_log(context, config, 2, "PAC signing failed for -- %s",
tpn);
goto out;
}
@@ -2164,7 +2164,7 @@ server_lookup:
*/
ret = check_s4u2self(context, config, clientdb, client, sp);
if (ret) {
kdc_log(context, config, 0, "S4U2Self: %s is not allowed "
kdc_log(context, config, 2, "S4U2Self: %s is not allowed "
"to impersonate to service "
"(tried for user %s to service %s)",
cpn, tpn, spn);
@@ -2182,7 +2182,7 @@ server_lookup:
b->kdc_options.forwardable = 0;
str = "";
}
kdc_log(context, config, 0, "s4u2self %s impersonating %s to "
kdc_log(context, config, 3, "s4u2self %s impersonating %s to "
"service %s %s", cpn, tpn, spn, str);
}
}
@@ -2207,7 +2207,7 @@ server_lookup:
*/
if (!signedpath) {
ret = KRB5KDC_ERR_BADOPTION;
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Constrained delegation done on service ticket %s/%s",
cpn, spn);
goto out;
@@ -2226,7 +2226,7 @@ server_lookup:
ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0);
if (ret) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"failed to decrypt ticket for "
"constrained delegation from %s to %s ", cpn, spn);
goto out;
@@ -2256,7 +2256,7 @@ server_lookup:
/* check that ticket is valid */
if (adtkt.flags.forwardable == 0) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Missing forwardable flag on ticket for "
"constrained delegation from %s (%s) as %s to %s ",
cpn, dpn, tpn, spn);
@@ -2267,7 +2267,7 @@ server_lookup:
ret = check_constrained_delegation(context, config, clientdb,
client, server, sp);
if (ret) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"constrained delegation from %s (%s) as %s to %s not allowed",
cpn, dpn, tpn, spn);
goto out;
@@ -2293,7 +2293,7 @@ server_lookup:
&adtkt, &rspac, &ad_signedpath);
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Verify delegated PAC failed to %s for client"
"%s (%s) as %s from %s with %s",
spn, cpn, dpn, tpn, from, msg);
@@ -2313,7 +2313,7 @@ server_lookup:
&ad_signedpath);
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"KRB5SignedPath check from service %s failed "
"for delegation to %s for client %s (%s)"
"from %s failed with %s",
@@ -2324,7 +2324,7 @@ server_lookup:
if (!ad_signedpath) {
ret = KRB5KDC_ERR_BADOPTION;
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Ticket not signed with PAC nor SignedPath service %s failed "
"for delegation to %s for client %s (%s)"
"from %s",
@@ -2332,7 +2332,7 @@ server_lookup:
goto out;
}
kdc_log(context, config, 0, "constrained delegation for %s "
kdc_log(context, config, 3, "constrained delegation for %s "
"from %s (%s) to %s", tpn, cpn, dpn, spn);
}
@@ -2351,7 +2351,7 @@ server_lookup:
!krb5_principal_compare(context,
krbtgt->entry.principal,
server->entry.principal)){
kdc_log(context, config, 0, "Inconsistent request.");
kdc_log(context, config, 2, "Inconsistent request.");
ret = KRB5KDC_ERR_SERVER_NOMATCH;
goto out;
}
@@ -2359,7 +2359,7 @@ server_lookup:
/* check for valid set of addresses */
if(!_kdc_check_addresses(context, config, tgt->caddr, from_addr)) {
ret = KRB5KRB_AP_ERR_BADADDR;
kdc_log(context, config, 0, "Request from wrong address");
kdc_log(context, config, 2, "Request from wrong address");
goto out;
}
@@ -2378,7 +2378,7 @@ server_lookup:
PA_DATA pa;
krb5_crypto crypto;
kdc_log(context, config, 0,
kdc_log(context, config, 4,
"Adding server referral to %s", ref_realm);
ret = krb5_crypto_init(context, &sessionkey, 0, &crypto);
@@ -2389,7 +2389,7 @@ server_lookup:
NULL, s, &pa.padata_value);
krb5_crypto_destroy(context, crypto);
if (ret) {
kdc_log(context, config, 0,
kdc_log(context, config, 1,
"Failed building server referral");
goto out;
}
@@ -2398,7 +2398,7 @@ server_lookup:
ret = add_METHOD_DATA(&enc_pa_data, &pa);
krb5_data_free(&pa.padata_value);
if (ret) {
kdc_log(context, config, 0,
kdc_log(context, config, 4,
"Add server referral METHOD-DATA failed");
goto out;
}
@@ -2497,7 +2497,7 @@ _kdc_tgs_rep(krb5_context context,
if(req->padata == NULL){
ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"TGS-REQ from %s without PA-DATA", from);
goto out;
}
@@ -2507,7 +2507,7 @@ _kdc_tgs_rep(krb5_context context,
if(tgs_req == NULL){
ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"TGS-REQ from %s without PA-TGS-REQ", from);
goto out;
}
@@ -2527,7 +2527,7 @@ _kdc_tgs_rep(krb5_context context,
goto out;
}
if (ret) {
kdc_log(context, config, 0,
kdc_log(context, config, 2,
"Failed parsing TGS-REQ from %s", from);
goto out;
}
@@ -2535,7 +2535,7 @@ _kdc_tgs_rep(krb5_context context,
{
const PA_DATA *pa = _kdc_find_padata(req, &i, KRB5_PADATA_FX_FAST);
if (pa)
kdc_log(context, config, 10, "Got TGS FAST request");
kdc_log(context, config, 5, "Got TGS FAST request");
}
@@ -2554,7 +2554,7 @@ _kdc_tgs_rep(krb5_context context,
&auth_data,
from_addr);
if (ret) {
kdc_log(context, config, 0,
kdc_log(context, config, 1,
"Failed building TGS-REP to %s", from);
goto out;
}
@@ -2575,7 +2575,7 @@ out:
METHOD_DATA error_method = { 0, NULL };
kdc_log(context, config, 10, "tgs-req: sending error: %d to client", ret);
kdc_log(context, config, 5, "tgs-req: sending error: %d to client", ret);
ret = _kdc_fast_mk_error(context, NULL,
&error_method,
NULL,
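Review bot: The `add_METHOD_DATA` failure at the `@@ -2398` hunk is now logged at level 4 even though it does `goto out` and fails the TGS-REQ, so under the new default range of 0-3 this error disappears from the log entirely, while the sibling failure two lines earlier ("Failed building server referral") is level 1. By the definitions this commit adds to the man page an error in normal request processing is level 1; suggest `kdc_log(context, config, 1, "Add server referral METHOD-DATA failed");`. The same inconsistency appears in the S4U2Self path, where `krb5_crypto_init failed` and the PAC generation/signing failures are set to 2 although identical failures elsewhere in this file and in the AS-REQ path are 1; these are KDC-internal errors, not out-of-policy requests, and should probably be 1 so that they are not mistaken for client misbehaviour by anyone filtering on level. The enclosing `tgs_build_reply` starts and ends outside these hunks.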


@@ -413,13 +413,13 @@ get_template(krb5_context context,
"kx509_templates",
config_label, comp0, NULL);
if (kx509_template == NULL) {
kdc_log(context, reqctx->config, 0, "kx509 template not found for %s",
kdc_log(context, reqctx->config, 2, "kx509 template not found for %s",
princ);
ret = KRB5KDC_ERR_POLICY;
goto out;
}
} else {
kdc_log(context, reqctx->config, 0, "kx509 client %s has too many components!",
kdc_log(context, reqctx->config, 2, "kx509 client %s has too many components!",
princ);
ret = KRB5KDC_ERR_POLICY;
}
@@ -538,7 +538,7 @@ build_certificate(krb5_context context,
goto out;
}
kdc_log(context, reqctx->config, 0, "Issuing kx509 certificate to %s "
kdc_log(context, reqctx->config, 3, "Issuing kx509 certificate to %s "
"using template %s", princ, kx509_template);
/*
@@ -747,7 +747,7 @@ kdc_kx509_verify_service_principal(krb5_context context,
KRB5_TGS_NAME) == 0) {
const char *r = krb5_principal_get_comp_string(context, sprincipal, 1);
if ((ret = is_local_realm(context, reqctx, r)))
kx509_log(context, reqctx, 0, "client used wrong krbtgt for kx509");
kx509_log(context, reqctx, 2, "client used wrong krbtgt for kx509");
goto out;
}
@@ -775,7 +775,7 @@ err:
goto out;
ret = KRB5KDC_ERR_SERVER_NOMATCH;
kx509_log(context, reqctx, 0, "client used wrong kx509 service principal "
kx509_log(context, reqctx, 2, "client used wrong kx509 service principal "
"(expected %s)", expected);
out:
@@ -798,7 +798,7 @@ encode_reply(krb5_context context,
reqctx->reply->length = 0;
ASN1_MALLOC_ENCODE(Kx509Response, data.data, data.length, r, &size, ret);
if (ret) {
kdc_log(context, reqctx->config, 0, "Failed to encode kx509 reply");
kdc_log(context, reqctx->config, 1, "Failed to encode kx509 reply");
return ret;
}
if (size != data.length)
@@ -860,7 +860,7 @@ mk_error_response(krb5_context context,
msg = freeme1;
}
kdc_log(context, reqctx->config, 0, "%s", msg);
kdc_log(context, reqctx->config, 1, "%s", msg);
rep.hash = NULL;
rep.certificate = NULL;
@@ -969,7 +969,7 @@ update_csr(krb5_context context, kx509_req_context reqctx, Extensions *exts)
}
}
if (ret)
kx509_log(context, reqctx, 0,
kx509_log(context, reqctx, 2,
"request has bad desired certificate extensions");
return ret;
}
@@ -998,7 +998,7 @@ get_csr(krb5_context context, kx509_req_context reqctx)
ret = hx509_request_parse_der(context->hx509ctx, &reqctx->csr_plus.csr,
&reqctx->csr);
if (ret)
kx509_log(context, reqctx, 0, "invalid CSR");
kx509_log(context, reqctx, 2, "invalid CSR");
/*
* Handle any additional Certificate Extensions requested out of band
@@ -1025,7 +1025,7 @@ get_csr(krb5_context context, kx509_req_context reqctx)
/* Not an RSAPublicKey or garbage follows it */
if (ret == 0)
kx509_log(context, reqctx, 0, "request has garbage after key");
kx509_log(context, reqctx, 2, "request has garbage after key");
return mk_error_response(context, reqctx, KRB5KDC_ERR_NULL_KEY,
"Could not decode CSR or RSA subject public key");
}
@@ -1094,7 +1094,7 @@ _kdc_do_kx509(krb5_context context,
* possibly change the error code and message.
*/
is_probe = 1;
kx509_log(context, &reqctx, 0, "unauthenticated probe request");
kx509_log(context, &reqctx, 4, "unauthenticated probe request");
ret = mk_error_response(context, &reqctx, KRB5KDC_ERR_NULL_KEY,
"kx509 service is available");
goto out;
@@ -1229,13 +1229,13 @@ _kdc_do_kx509(krb5_context context,
ret = encode_reply(context, &reqctx, &rep);
if (ret)
/* Can't send an error message either in this case, surely */
kx509_log(context, &reqctx, 0, "Could not encode response");
kx509_log(context, &reqctx, 1, "Could not encode response");
out:
if (ret == 0 && !is_probe)
kx509_log(context, &reqctx, 0, "Issued certificate");
kx509_log(context, &reqctx, 3, "Issued certificate");
else
kx509_log(context, &reqctx, 0, "Did not issue certificate");
kx509_log(context, &reqctx, 2, "Did not issue certificate");
if (reqctx.ac)
krb5_auth_con_free(context, reqctx.ac);
if (ticket)
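Review bot: `mk_error_response` in the `@@ -860` hunk logs whatever error text it is given at level 1, so the unauthenticated probe in `_kdc_do_kx509`, which this commit deliberately demotes to level 4, still emits a level-1 "kx509 service is available" entry (plus the level-2 "Did not issue certificate" at the `out:` label) for every probe; an unauthenticated client can therefore generate error-level log volume at will. The messages passed to `mk_error_response` visible here describe malformed client input, which the new man page classifies as level 2, so at minimum this should read `kdc_log(context, reqctx->config, 2, "%s", msg);`. Better, since the function's signature is outside the hunk I can only suggest it, give `mk_error_response` a level parameter (or record `is_probe` in `reqctx`) so the probe path logs at 4 and the final "Did not issue certificate" is skipped for probes. The enclosing functions start outside these hunks.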


@@ -58,7 +58,7 @@ log_princ(krb5_context context, krb5_kdc_configuration *config, int lvl,
ret = krb5_unparse_name(context, princ, &princstr);
if (ret) {
kdc_log(context, config, 0, "log_princ: ENOMEM");
kdc_log(context, config, 1, "log_princ: ENOMEM");
return;
}
kdc_log(context, config, lvl, fmt, princstr);
@@ -121,7 +121,7 @@ _derive_the_keys(krb5_context context, krb5_kdc_configuration *config,
bail:
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0, "%s: %s", errmsg, msg);
kdc_log(context, config, 1, "%s: %s", errmsg, msg);
krb5_free_error_message(context, msg);
}
if (crypto)
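Review bot: When `krb5_unparse_name` fails in `log_princ`, the caller's message and level are discarded and replaced by a level-1 "log_princ: ENOMEM", so the event the caller wanted recorded (possibly a policy or key-derivation problem about a specific principal) is lost from the log; as far as I can tell `krb5_unparse_name` can also fail for reasons other than memory exhaustion, so the fixed text may mislead. Suggest still emitting the caller's message with a placeholder before returning: `kdc_log(context, config, 1, "log_princ: krb5_unparse_name failed: %d", ret);` followed by `kdc_log(context, config, lvl, fmt, "<unparse failed>");`. `log_princ` begins outside the hunk.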


@@ -85,13 +85,13 @@ krb5_kdc_set_dbinfo(krb5_context context, struct krb5_kdc_configuration *c)
if (ret)
goto out;
kdc_log(context, c, 0, "label: %s",
kdc_log(context, c, 3, "label: %s",
hdb_dbinfo_get_label(context, d));
kdc_log(context, c, 0, "\tdbname: %s",
kdc_log(context, c, 3, "\tdbname: %s",
hdb_dbinfo_get_dbname(context, d));
kdc_log(context, c, 0, "\tmkey_file: %s",
kdc_log(context, c, 3, "\tmkey_file: %s",
hdb_dbinfo_get_mkey_file(context, d));
kdc_log(context, c, 0, "\tacl_file: %s",
kdc_log(context, c, 3, "\tacl_file: %s",
hdb_dbinfo_get_acl_file(context, d));
}
hdb_free_dbinfo(context, &info);


@@ -203,9 +203,29 @@ parameter to
.Fn krb5_log
is within this range (inclusive) the message gets logged to this
destination, otherwise not. Either of the min and max valued may be
omitted, in this case min is assumed to be zero, and max is assumed to be
infinity. If you don't include a dash, both min and max gets set to the
specified value. If no range is specified, all messages gets logged.
omitted, in this case min is assumed to be 0, and max is assumed to
be 3.
If you don't include a dash, both min and max get set to the
specified value.
.Ss Levels
Each log message has a level as follows:
.Bl -tag -width "xxx" -offset indent
.It 0
Critical conditions.
This is a condition that should be corrected immediately, such as a
corrupted Kerberos database.
.It 1
Errors.
These are errors that occur in the normal processing of requests.
.It 2
Warning messages.
On the KDC, this includes malformed requests and requests that
are out of policy.
.It 3
Informational messages.
.It 4-9
Debugging messages with increasing obscurity as the level rises.
.El
.Sh EXAMPLES
.Bd -literal -offset indent
[logging]


@@ -268,7 +268,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig)
{
krb5_error_code ret = 0;
int min = 0, max = -1, n;
int min = 0, max = 3, n;
char c;
const char *p = orig;
#ifdef _WIN32
@@ -285,6 +285,8 @@ krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig)
max = min;
}
}
if (c == '-')
max = -1;
}
if(n){
#ifdef _WIN32
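Review bot: The new `if (c == '-') max = -1;` makes a spec such as `3-` mean "3 to infinity", but the man page text in this same commit says an omitted max "is assumed to be 3", so documentation and code disagree on exactly the form operators will use to recover the old behaviour; the man page should say that a trailing dash removes the upper bound and that `0-` restores the previous catch-all default. Changing `max` from -1 to 3 also means every existing `[logging]` destination without an explicit range silently stops receiving level 4 and above, so any `kdc_log`/`krb5_log` caller not re-levelled by this commit (other KDC files, kadmind, kpasswdd, plugins) that still records operationally relevant events at 4 or higher goes dark without any error; this deserves a prominent release note and a quick sweep of remaining call sites. Rendering has lost the indentation, so I assume the closing brace after the added lines ends the `n == 2` block; the check must stay inside it, because `c` is uninitialised when `sscanf` matched fewer than two conversions. `krb5_addlog_dest` continues past the end of this hunk.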