krb5 commit: Pass local address to DAL audit_as_req
Greg Hudson
ghudson at mit.edu
Mon Jun 5 12:32:18 EDT 2017
https://github.com/krb5/krb5/commit/03d33d42f7302fb7e2804d4206009208ad5d509f
commit 03d33d42f7302fb7e2804d4206009208ad5d509f
Author: Andreas Schneider <asn at samba.org>
Date: Fri May 19 11:00:52 2017 +0200
Pass local address to DAL audit_as_req
In the KDC, pass the local address from dispatch() to
process_as_req(), then to log_as_req(), then to
krb5_db_audit_as_req(), and finally to the KDB modules.
[ghudson at mit.edu: squashed commits and rewrote commit message]
ticket: 8583
src/include/kdb.h | 2 ++
src/kdc/dispatch.c | 5 +++--
src/kdc/do_as_req.c | 17 ++++++++++-------
src/kdc/kdc_log.c | 9 ++++++---
src/kdc/kdc_util.h | 6 ++++--
src/lib/kdb/kdb5.c | 5 +++--
src/plugins/kdb/db2/db2_exp.c | 3 ++-
src/plugins/kdb/db2/kdb_db2.c | 1 +
src/plugins/kdb/db2/kdb_db2.h | 1 +
src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c | 1 +
src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h | 1 +
src/tests/kdbtest.c | 5 +++--
12 files changed, 37 insertions(+), 19 deletions(-)
diff --git a/src/include/kdb.h b/src/include/kdb.h
index 808e283..5615329 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -695,6 +695,7 @@ krb5_error_code krb5_db_check_policy_tgs(krb5_context kcontext,
krb5_pa_data ***e_data);
void krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
+ const krb5_address *local_addr,
const krb5_address *remote_addr,
krb5_db_entry *client, krb5_db_entry *server,
krb5_timestamp authtime, krb5_error_code error_code);
@@ -1357,6 +1358,7 @@ typedef struct _kdb_vftabl {
* AS request.
*/
void (*audit_as_req)(krb5_context kcontext, krb5_kdc_req *request,
+ const krb5_address *local_addr,
const krb5_address *remote_addr,
krb5_db_entry *client, krb5_db_entry *server,
krb5_timestamp authtime, krb5_error_code error_code);
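Review bot: The audit_as_req member comment (its opening lies above this hunk) does not say whether the new local_addr may be NULL, yet the kdbtest hunk later in this commit passes NULL for both address arguments while the KDC side in kdc_log.c dereferences local_addr without a check, so the DAL contract is currently ambiguous in both directions. Suggested addition to the comment: `* local_addr and remote_addr are borrowed from the caller and either may be NULL; modules must tolerate NULL.` Changing the signature of a _kdb_vftabl function pointer also changes the DAL ABI for out-of-tree KDB modules — a module built against the old table would see the arguments shifted by one position — so unless KRB5_KDB_DAL_MAJOR_VERSION is bumped elsewhere in this series (not visible here), that bump should accompany this change.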
diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
index 57f0865..3867ff9 100644
--- a/src/kdc/dispatch.c
+++ b/src/kdc/dispatch.c
@@ -187,8 +187,9 @@ dispatch(void *cb, const krb5_fulladdr *local_addr,
*/
state->active_realm = setup_server_realm(handle, as_req->server);
if (state->active_realm != NULL) {
- process_as_req(as_req, pkt, remote_addr, state->active_realm,
- vctx, finish_dispatch_cache, state);
+ process_as_req(as_req, pkt, local_addr, remote_addr,
+ state->active_realm, vctx,
+ finish_dispatch_cache, state);
return;
} else {
retval = KRB5KDC_ERR_WRONG_REALM;
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index acaa651..2d3ad13 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -160,6 +160,7 @@ struct as_req_state {
struct kdc_request_state *rstate;
char *sname, *cname;
void *pa_context;
+ const krb5_fulladdr *local_addr;
const krb5_fulladdr *remote_addr;
krb5_data **auth_indicators;
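Review bot: The new local_addr field is a borrowed pointer that is read later from finish_process_as_req() via log_as_req(), apparently after asynchronous preauth completes (finish_preauth in a later hunk looks like a callback), so it inherits remote_addr's requirement that the caller's address object outlive the request; nothing in the hunk records that, nor whether the field may be NULL. Suggest `const krb5_fulladdr *local_addr;   /* Borrowed from dispatch(); not guaranteed non-NULL */`. struct as_req_state starts above and ends below this hunk.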
@@ -359,9 +360,9 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
state->reply.enc_part.ciphertext.length);
free(state->reply.enc_part.ciphertext.data);
- log_as_req(kdc_context, state->remote_addr, state->request, &state->reply,
- state->client, state->cname, state->server,
- state->sname, state->authtime, 0, 0, 0);
+ log_as_req(kdc_context, state->local_addr, state->remote_addr,
+ state->request, &state->reply, state->client, state->cname,
+ state->server, state->sname, state->authtime, 0, 0, 0);
did_log = 1;
egress:
@@ -381,10 +382,10 @@ egress:
emsg = krb5_get_error_message(kdc_context, errcode);
if (state->status) {
- log_as_req(kdc_context, state->remote_addr, state->request,
- &state->reply, state->client, state->cname, state->server,
- state->sname, state->authtime, state->status, errcode,
- emsg);
+ log_as_req(kdc_context, state->local_addr, state->remote_addr,
+ state->request, &state->reply, state->client,
+ state->cname, state->server, state->sname, state->authtime,
+ state->status, errcode, emsg);
did_log = 1;
}
if (errcode) {
@@ -492,6 +493,7 @@ finish_preauth(void *arg, krb5_error_code code)
/*ARGSUSED*/
void
process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
+ const krb5_fulladdr *local_addr,
const krb5_fulladdr *remote_addr, kdc_realm_t *kdc_active_realm,
verto_ctx *vctx, loop_respond_fn respond, void *arg)
{
@@ -511,6 +513,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
state->arg = arg;
state->request = request;
state->req_pkt = req_pkt;
+ state->local_addr = local_addr;
state->remote_addr = remote_addr;
state->active_realm = kdc_active_realm;
diff --git a/src/kdc/kdc_log.c b/src/kdc/kdc_log.c
index 13fcfa7..7e87339 100644
--- a/src/kdc/kdc_log.c
+++ b/src/kdc/kdc_log.c
@@ -54,7 +54,9 @@
/* Someday, pass local address/port as well. */
/* Currently no info about name canonicalization is logged. */
void
-log_as_req(krb5_context context, const krb5_fulladdr *remote_addr,
+log_as_req(krb5_context context,
+ const krb5_fulladdr *local_addr,
+ const krb5_fulladdr *remote_addr,
krb5_kdc_req *request, krb5_kdc_rep *reply,
krb5_db_entry *client, const char *cname,
krb5_db_entry *server, const char *sname,
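Review bot: The comment `/* Someday, pass local address/port as well. */` immediately above the new signature is now partly stale — local_addr is passed into log_as_req(), but the log line in the next hunk (built from fromstring) still reports only the remote address. Reword it so a reader does not assume the log output changed, e.g. `/* The local address is forwarded to the KDB audit hook but is not yet included in the log line. */`. log_as_req's body continues past this hunk.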
@@ -89,8 +91,9 @@ log_as_req(krb5_context context, const krb5_fulladdr *remote_addr,
ktypestr, fromstring, status,
cname2, sname2, emsg ? ", " : "", emsg ? emsg : "");
}
- krb5_db_audit_as_req(context, request, remote_addr->address, client,
- server, authtime, errcode);
+ krb5_db_audit_as_req(context, request,
+ local_addr->address, remote_addr->address,
+ client, server, authtime, errcode);
#if 0
/* Sun (OpenSolaris) version would probably something like this.
The client and server names passed can be null, unlike in the
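Review bot: `local_addr->address` is dereferenced unconditionally in the new krb5_db_audit_as_req() call, but nothing in this commit establishes that log_as_req() always receives a non-NULL local address — the value originates in dispatch()'s caller (not shown), and the kdbtest hunk in this same commit treats NULL as a valid value for that argument at the KDB layer. If any listener path cannot determine its local address and hands dispatch() a NULL, every AS request on that path would crash the KDC, a remotely triggerable denial of service in support of an audit value the shipped back ends currently ignore. Guard it, `local_addr != NULL ? local_addr->address : NULL`, and state the NULL contract in the kdb.h vftabl comment. The remote_addr dereference on the same call predates this change.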
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 1c183de..3d87f36 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -140,7 +140,7 @@ cammac_check_kdcver(krb5_context context, krb5_cammac *cammac,
/* do_as_req.c */
void
process_as_req (krb5_kdc_req *, krb5_data *,
- const krb5_fulladdr *, kdc_realm_t *,
+ const krb5_fulladdr *, const krb5_fulladdr *, kdc_realm_t *,
verto_ctx *, loop_respond_fn, void *);
/* do_tgs_req.c */
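Review bot: The process_as_req() prototype now has two adjacent unnamed `const krb5_fulladdr *` parameters, so a caller that swaps the local and remote addresses still compiles and the mistake would surface only as wrong data in audit records. Keep the parameter names in the prototype, as the log_as_req() prototype in the second hunk of this file does: `const krb5_fulladdr *local_addr, const krb5_fulladdr *remote_addr, kdc_realm_t *,`.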
@@ -346,7 +346,9 @@ kdc_get_ticket_renewtime(kdc_realm_t *realm, krb5_kdc_req *request,
krb5_db_entry *server, krb5_enc_tkt_part *tkt);
void
-log_as_req(krb5_context context, const krb5_fulladdr *remote_addr,
+log_as_req(krb5_context context,
+ const krb5_fulladdr *local_addr,
+ const krb5_fulladdr *remote_addr,
krb5_kdc_req *request, krb5_kdc_rep *reply,
krb5_db_entry *client, const char *cname,
krb5_db_entry *server, const char *sname,
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index 02e0a2d..ad637b6 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
@@ -2672,6 +2672,7 @@ krb5_db_check_policy_tgs(krb5_context kcontext, krb5_kdc_req *request,
void
krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
+ const krb5_address *local_addr,
const krb5_address *remote_addr, krb5_db_entry *client,
krb5_db_entry *server, krb5_timestamp authtime,
krb5_error_code error_code)
@@ -2682,8 +2683,8 @@ krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
status = get_vftabl(kcontext, &v);
if (status || v->audit_as_req == NULL)
return;
- v->audit_as_req(kcontext, request, remote_addr, client, server, authtime,
- error_code);
+ v->audit_as_req(kcontext, request, local_addr, remote_addr,
+ client, server, authtime, error_code);
}
void
diff --git a/src/plugins/kdb/db2/db2_exp.c b/src/plugins/kdb/db2/db2_exp.c
index 3b42b0a..4d905db 100644
--- a/src/plugins/kdb/db2/db2_exp.c
+++ b/src/plugins/kdb/db2/db2_exp.c
@@ -167,10 +167,11 @@ WRAP_K (krb5_db2_check_policy_as,
WRAP_VOID (krb5_db2_audit_as_req,
(krb5_context kcontext, krb5_kdc_req *request,
+ const krb5_address *local_addr,
const krb5_address *remote_addr,
krb5_db_entry *client, krb5_db_entry *server,
krb5_timestamp authtime, krb5_error_code error_code),
- (kcontext, request, remote_addr, client, server,
+ (kcontext, request, local_addr, remote_addr, client, server,
authtime, error_code));
static krb5_error_code
diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
index 3ee6fdd..d23587a 100644
--- a/src/plugins/kdb/db2/kdb_db2.c
+++ b/src/plugins/kdb/db2/kdb_db2.c
@@ -1551,6 +1551,7 @@ krb5_db2_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
void
krb5_db2_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
+ const krb5_address *local_addr,
const krb5_address *remote_addr, krb5_db_entry *client,
krb5_db_entry *server, krb5_timestamp authtime,
krb5_error_code error_code)
diff --git a/src/plugins/kdb/db2/kdb_db2.h b/src/plugins/kdb/db2/kdb_db2.h
index 52bc508..349244d 100644
--- a/src/plugins/kdb/db2/kdb_db2.h
+++ b/src/plugins/kdb/db2/kdb_db2.h
@@ -134,6 +134,7 @@ krb5_db2_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
void
krb5_db2_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
+ const krb5_address *local_addr,
const krb5_address *remote_addr,
krb5_db_entry *client, krb5_db_entry *server,
krb5_timestamp authtime,
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
index b77989d..4fbf898 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
@@ -277,6 +277,7 @@ krb5_ldap_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
void
krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
+ const krb5_address *local_addr,
const krb5_address *remote_addr, krb5_db_entry *client,
krb5_db_entry *server, krb5_timestamp authtime,
krb5_error_code error_code)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
index cf1192b..5c8539a 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
@@ -282,6 +282,7 @@ krb5_ldap_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
void
krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
+ const krb5_address *local_addr,
const krb5_address *remote_addr, krb5_db_entry *client,
krb5_db_entry *server, krb5_timestamp authtime,
krb5_error_code error_code);
diff --git a/src/tests/kdbtest.c b/src/tests/kdbtest.c
index 6e2d439..3f61f3e 100644
--- a/src/tests/kdbtest.c
+++ b/src/tests/kdbtest.c
@@ -243,8 +243,9 @@ check_entry(krb5_db_entry *ent)
static void
sim_preauth(krb5_timestamp authtime, krb5_boolean ok, krb5_db_entry **entp)
{
- /* Both back ends ignore the request and from parameters for now. */
- krb5_db_audit_as_req(ctx, NULL, NULL, *entp, *entp, authtime,
+ /* Both back ends ignore the request, local_addr, and remote_addr
+ * parameters for now. */
+ krb5_db_audit_as_req(ctx, NULL, NULL, NULL, *entp, *entp, authtime,
ok ? 0 : KRB5KDC_ERR_PREAUTH_FAILED);
krb5_db_free_principal(ctx, *entp);
CHECK(krb5_db_get_principal(ctx, &sample_princ, 0, entp));