kdc: separate PKINIT/GSS authorization failure

Create a new audit event for PKINIT/GSS authorization (impersonation) failure
2022-01-01 23:44:05 +11:00
parent a9c6bc2bf2
commit d683780b1d
2 changed files with 15 additions and 11 deletions
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -501,7 +501,7 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa)
 	_kdc_set_e_text(r, "PKINIT certificate not allowed to "
 			"impersonate principal");
 	_kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
-				HDB_AUTH_EVENT_PKINIT_FAILED);
+				HDB_AUTH_EVENT_PKINIT_NOT_AUTHORIZED);
 	goto out;
    }

@@ -554,7 +554,7 @@ pa_gss_validate(astgs_request_t r, const PA_DATA *pa)
 	    _kdc_set_e_text(r, "GSS-API client not allowed to "
 			    "impersonate principal");
 	    _kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
-				    HDB_AUTH_EVENT_GSS_PA_FAILED);
+				    HDB_AUTH_EVENT_GSS_PA_NOT_AUTHORIZED);
 	    goto out;
 	}

@@ -562,6 +562,8 @@ pa_gss_validate(astgs_request_t r, const PA_DATA *pa)

 	_kdc_r_log(r, 4, "GSS pre-authentication succeeded -- %s using %s",
 		   r->cname, client_name);
+	_kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
+				HDB_AUTH_EVENT_GSS_PA_SUCCEEDED);

 	ret = _kdc_gss_mk_composite_name_ad(r, gcp);
 	if (ret) {
@@ -572,15 +574,15 @@ pa_gss_validate(astgs_request_t r, const PA_DATA *pa)

    ret = _kdc_gss_mk_pa_reply(r, gcp);
    if (ret) {
-	if (ret != KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED)
+	if (ret != KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED) {
 	    _kdc_set_e_text(r, "Failed to build GSS pre-authentication reply");
+	    _kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
+				    HDB_AUTH_EVENT_GSS_PA_FAILED);
+	}

 	goto out;
    }

-    _kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
-			    HDB_AUTH_EVENT_GSS_PA_SUCCEEDED);
-
    heim_assert(r->pa_state == NULL, "already have PA state, should be NULL");
    r->pa_state = (struct as_request_pa_state *)gcp;
    gcp = NULL;
--- a/lib/hdb/hdb.h
+++ b/lib/hdb/hdb.h
@@ -94,11 +94,13 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_AUTH_EVENT_LTK_PREAUTH_FAILED	5   /* long term key preauth failed */
 #define HDB_AUTH_EVENT_LTK_PREAUTH_SUCCEEDED	6   /* long term key preauth succeeded */
 #define HDB_AUTH_EVENT_PKINIT_SUCCEEDED	        7   /* PKINIT preauth succeeded */
-#define HDB_AUTH_EVENT_PKINIT_FAILED	        8   /* PKINIT preauth succeeded */
-#define HDB_AUTH_EVENT_GSS_PA_SUCCEEDED		9   /* GSS preauth succeeded */
-#define HDB_AUTH_EVENT_GSS_PA_FAILED		10  /* GSS preauth failed */
-#define HDB_AUTH_EVENT_OTHER_PREAUTH_FAILED   	11  /* unknown preauth failed */
-#define HDB_AUTH_EVENT_OTHER_PREAUTH_SUCCEEDED	12  /* unknown preauth succeeded */
+#define HDB_AUTH_EVENT_PKINIT_NOT_AUTHORIZED	8   /* PKINIT cert not authorized */
+#define HDB_AUTH_EVENT_PKINIT_FAILED	        9   /* PKINIT preauth succeeded */
+#define HDB_AUTH_EVENT_GSS_PA_SUCCEEDED		10  /* GSS preauth succeeded */
+#define HDB_AUTH_EVENT_GSS_PA_NOT_AUTHORIZED	11  /* GSS preauth mapping failed */
+#define HDB_AUTH_EVENT_GSS_PA_FAILED		12  /* GSS preauth failed */
+#define HDB_AUTH_EVENT_OTHER_PREAUTH_FAILED   	13  /* unknown preauth failed */
+#define HDB_AUTH_EVENT_OTHER_PREAUTH_SUCCEEDED	14  /* unknown preauth succeeded */

 /*
 * Audit keys to be queried using heim_audit_getkv(). There are other keys