kdc: preserve value types in auditing

Preserve integer/boolean audit values as their native types; convert to strings
when logging only. This commit goes some way towards unifying the two auditing
APIs.

kdc/bx509d.c

@@ -485,8 +485,8 @@ bad_reqv(struct bx509_request_desc *r,
     char *formatted = NULL;
     char *msg = NULL;
 
-    heim_audit_addkv((heim_svc_req_desc)r, 0, "http-status-code", "%d",
-                     http_status_code);
+    heim_audit_addkv_number((heim_svc_req_desc)r, "http-status-code",
+			    http_status_code);
     (void) gettimeofday(&r->tv_end, NULL);
     if (code == ENOMEM) {
         if (r->context)
@@ -669,13 +669,13 @@ bx509_param_cb(void *d,
                                                   &oid);
         der_free_oid(&oid);
     } else if (strcmp(key, "csr") == 0 && val) {
-        heim_audit_addkv((heim_svc_req_desc)r, 0, "requested_csr", "true");
+        heim_audit_addkv_bool((heim_svc_req_desc)r, "requested_csr", TRUE);
         r->ret = 0; /* Handled upstairs */
     } else if (strcmp(key, "lifetime") == 0 && val) {
         r->req_life = parse_time(val, "day");
     } else {
         /* Produce error for unknown params */
-        heim_audit_addkv((heim_svc_req_desc)r, 0, "requested_unknown", "true");
+        heim_audit_addkv_bool((heim_svc_req_desc)r, "requested_unknown", TRUE);
         krb5_set_error_message(r->context, r->ret = ENOTSUP,
                                "Query parameter %s not supported", key);
     }
@@ -1738,7 +1738,7 @@ get_tgt_param_cb(void *d,
         r->req_life = parse_time(val, "day");
     } else {
         /* Produce error for unknown params */
-        heim_audit_addkv((heim_svc_req_desc)r, 0, "requested_unknown", "true");
+        heim_audit_addkv_bool((heim_svc_req_desc)r, "requested_unknown", TRUE);
         krb5_set_error_message(r->context, r->ret = ENOTSUP,
                                "Query parameter %s not supported", key);
     }

kdc/httpkadmind.c

@@ -700,8 +700,8 @@ bad_reqv(kadmin_request_desc r,
     if (r && r->context)
         context = r->context;
     if (r && r->hcontext && r->kv)
-        heim_audit_addkv((heim_svc_req_desc)r, 0, "http-status-code", "%d",
-                         http_status_code);
+        heim_audit_addkv_number((heim_svc_req_desc)r, "http-status-code",
+				http_status_code);
     (void) gettimeofday(&r->tv_end, NULL);
     if (code == ENOMEM) {
         if (context)
@@ -1046,7 +1046,7 @@ param_cb(void *d,
 #endif
     } else {
         /* Produce error for unknown params */
-        heim_audit_addkv((heim_svc_req_desc)r, 0, "requested_unknown", "true");
+        heim_audit_addkv_bool((heim_svc_req_desc)r, "requested_unknown", TRUE);
         krb5_set_error_message(r->context, ret = ENOTSUP,
                                "Query parameter %s not supported", key);
     }

kdc/kerberos5.c

@@ -498,15 +498,13 @@ _kdc_log_timestamp(astgs_request_t r, const char *type,
 	endtime_str[100], renewtime_str[100];
 
     if (authtime)
-	_kdc_audit_addkv((kdc_request_t)r, 0, "auth", "%ld", (long)authtime);
+	_kdc_audit_addkv_number((kdc_request_t)r, "auth", authtime);
     if (starttime && *starttime)
-	_kdc_audit_addkv((kdc_request_t)r, 0, "start", "%ld",
-			 (long)*starttime);
+	_kdc_audit_addkv_number((kdc_request_t)r, "start", *starttime);
     if (endtime)
-	_kdc_audit_addkv((kdc_request_t)r, 0, "end", "%ld", (long)endtime);
+	_kdc_audit_addkv_number((kdc_request_t)r, "end", endtime);
     if (renew_till && *renew_till)
-	_kdc_audit_addkv((kdc_request_t)r, 0, "renew", "%ld",
-			 (long)*renew_till);
+	_kdc_audit_addkv_number((kdc_request_t)r, "renew", *renew_till);
 
     krb5_format_time(r->context, authtime,
 		     authtime_str, sizeof(authtime_str), TRUE);
@@ -984,8 +982,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
 	str = NULL;
     _kdc_r_log(r, 4, "ENC-TS Pre-authentication succeeded -- %s using %s",
 	       r->cname, str ? str : "unknown enctype");
-    _kdc_audit_addkv((kdc_request_t)r, 0, "pa-etype", "%d",
-		     (int)pa_key->key.keytype);
+    _kdc_audit_addkv_number((kdc_request_t)r, "pa-etype", (int64_t)pa_key->key.keytype);
     audit_auth_event(r, HDB_AUTH_EVENT_LTK_PREAUTH_SUCCEEDED,
 		     str ? str : "unknown enctype");
 
@@ -1888,8 +1885,8 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
     krb5_const_principal canon_princ = NULL;
 
     r->pac_attributes = get_pac_attributes(r->context, &r->req);
-    _kdc_audit_addkv((kdc_request_t)r, 0, "pac_attributes", "%lx",
-		     (long)r->pac_attributes);
+    _kdc_audit_addkv_number((kdc_request_t)r, "pac_attributes",
+			    r->pac_attributes);
 
     if (!_kdc_include_pac_p(r))
 	return 0;

kdc/krb5tgs.c

@@ -807,8 +807,8 @@ tgs_make_reply(astgs_request_t r,
      * is implementation dependent.
      */
     if (r->pac && !et->flags.anonymous) {
-	_kdc_audit_addkv((kdc_request_t)r, 0, "pac_attributes", "%lx",
-			 (long)r->pac_attributes);
+	_kdc_audit_addkv_number((kdc_request_t)r, "pac_attributes",
+			        r->pac_attributes);
 
 	/*
 	 * PACs are included when issuing TGTs, if there is no PAC_ATTRIBUTES

kdc/kx509.c

@@ -668,7 +668,7 @@ check_authz(krb5_context context,
     ret = kdc_authorize_csr(context, reqctx->config->app, reqctx->csr,
                             cprincipal);
     if (ret == 0) {
-        _kdc_audit_addkv((kdc_request_t)reqctx, 0, "authorized", "true");
+        _kdc_audit_addkv_bool((kdc_request_t)reqctx, "authorized", TRUE);
 
         ret = hx509_request_get_san(reqctx->csr, 0, &san_type, &s);
         if (ret == 0) {
@@ -785,7 +785,7 @@ check_authz(krb5_context context,
     if (KeyUsage2int(ku) != (KeyUsage2int(ku) & KeyUsage2int(ku_allowed)))
         goto eacces;
 
-    _kdc_audit_addkv((kdc_request_t)reqctx, 0, "authorized", "true");
+    _kdc_audit_addkv_bool((kdc_request_t)reqctx, "authorized", TRUE);
     return 0;
 
 eacces:
@@ -1046,9 +1046,9 @@ _kdc_do_kx509(kx509_req_context r)
 out:
     hx509_certs_free(&certs);
     if (ret == 0 && !is_probe)
-        _kdc_audit_addkv((kdc_request_t)r, 0, "cert_issued", "true");
+        _kdc_audit_addkv_bool((kdc_request_t)r, "cert_issued", TRUE);
     else
-        _kdc_audit_addkv((kdc_request_t)r, 0, "cert_issued", "false");
+        _kdc_audit_addkv_bool((kdc_request_t)r, "cert_issued", FALSE);
     if (r->ac)
         krb5_auth_con_free(r->context, r->ac);
     if (ticket)

kdc/libkdc-exports.def

@@ -17,6 +17,8 @@ EXPORTS
 	krb5_kdc_update_time
 	krb5_kdc_pk_initialize
 	_kdc_audit_addkv
+	_kdc_audit_addkv_bool
+	_kdc_audit_addkv_number
 	_kdc_audit_addkv_object
 	_kdc_audit_delkv
 	_kdc_audit_getkv

kdc/process.c

@@ -94,6 +94,18 @@ _kdc_audit_addkv_timediff(kdc_request_t r, const char *k,
     heim_audit_addkv_timediff((heim_svc_req_desc)r,k, start, end);
 }
 
+void
+_kdc_audit_addkv_bool(kdc_request_t r, const char *k, krb5_boolean v)
+{
+    heim_audit_addkv_number((heim_svc_req_desc)r, k, (int)v);
+}
+
+void
+_kdc_audit_addkv_number(kdc_request_t r, const char *k, int64_t v)
+{
+    heim_audit_addkv_number((heim_svc_req_desc)r, k, v);
+}
+
 void
 _kdc_audit_addkv_object(kdc_request_t r, const char *k, heim_object_t obj)
 {

kdc/version-script.map

@@ -21,6 +21,8 @@ HEIMDAL_KDC_1.0 {
 		krb5_kdc_update_time;
 		krb5_kdc_pk_initialize;
 		_kdc_audit_addkv;
+		_kdc_audit_addkv_bool;
+		_kdc_audit_addkv_number;
 		_kdc_audit_addkv_object;
 		_kdc_audit_delkv;
 		_kdc_audit_getkv;