krb5 commit: Pass client address to DAL audit_as_req
Greg Hudson
ghudson at mit.edu
Thu May 18 15:40:46 EDT 2017
https://github.com/krb5/krb5/commit/20991d55efbe1f987c1dbc1065f2d58c8f34031b
commit 20991d55efbe1f987c1dbc1065f2d58c8f34031b
Author: Andreas Schneider <asn at samba.org>
Date: Thu May 18 15:32:45 2017 +0200
Pass client address to DAL audit_as_req
As this is an incompatible change to the API, also increment the DAL
and KDB versions.
ticket: 8583 (new)
src/include/kdb.h | 14 ++++++++------
src/kdc/kdc_log.c | 4 ++--
src/lib/kdb/Makefile.in | 2 +-
src/lib/kdb/kdb5.c | 15 ++++++---------
src/plugins/kdb/db2/db2_exp.c | 4 ++--
src/plugins/kdb/db2/kdb_db2.c | 5 +++--
src/plugins/kdb/db2/kdb_db2.h | 5 +++--
src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c | 5 +++--
src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h | 5 +++--
src/tests/kdbtest.c | 4 ++--
10 files changed, 33 insertions(+), 30 deletions(-)
diff --git a/src/include/kdb.h b/src/include/kdb.h
index da04724..cadd392 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -69,7 +69,7 @@
/* This version will be incremented when incompatible changes are made to the
* KDB API, and will be kept in sync with the libkdb major version. */
-#define KRB5_KDB_API_VERSION 8
+#define KRB5_KDB_API_VERSION 9
/* Salt types */
#define KRB5_KDB_SALTTYPE_NORMAL 0
@@ -695,8 +695,9 @@ krb5_error_code krb5_db_check_policy_tgs(krb5_context kcontext,
krb5_pa_data ***e_data);
void krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_timestamp authtime, krb5_error_code error_code);
+ krb5_address *from, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_timestamp authtime,
+ krb5_error_code error_code);
void krb5_db_refresh_config(krb5_context kcontext);
@@ -865,7 +866,7 @@ krb5_error_code krb5_db_register_keytab(krb5_context context);
* This number indicates the date of the last incompatible change to the DAL.
* The maj_ver field of the module's vtable structure must match this version.
*/
-#define KRB5_KDB_DAL_MAJOR_VERSION 6
+#define KRB5_KDB_DAL_MAJOR_VERSION 7
/*
* A krb5_context can hold one database object. Modules should use
@@ -1356,8 +1357,9 @@ typedef struct _kdb_vftabl {
* AS request.
*/
void (*audit_as_req)(krb5_context kcontext, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_timestamp authtime, krb5_error_code error_code);
+ krb5_address *from, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_timestamp authtime,
+ krb5_error_code error_code);
/* Note: there is currently no method for auditing TGS requests. */
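Review bot: The new `from` parameter of the audit_as_req vtable entry is not described in the comment block that precedes it, and the same gap applies to the public krb5_db_audit_as_req prototype in the earlier kdb.h hunk. kdbtest.c passes NULL for this argument, so the contract should state that NULL is legal, and since the KDC hands in the address straight from the request it is presumably only valid for the duration of the call. A suggested addition to the comment above the entry: ` * from is the address the AS request was received from, or NULL if unknown; the pointer is only valid for the duration of the call.` Since this commit already bumps the DAL major version, it would also be the moment to declare the parameter `const krb5_address *from`, as neither bundled back end writes through it.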
diff --git a/src/kdc/kdc_log.c b/src/kdc/kdc_log.c
index c044a35..925fc3f 100644
--- a/src/kdc/kdc_log.c
+++ b/src/kdc/kdc_log.c
@@ -89,8 +89,8 @@ log_as_req(krb5_context context, const krb5_fulladdr *from,
ktypestr, fromstring, status,
cname2, sname2, emsg ? ", " : "", emsg ? emsg : "");
}
- krb5_db_audit_as_req(context, request, client, server, authtime,
- errcode);
+ krb5_db_audit_as_req(context, request, from->address, client, server,
+ authtime, errcode);
#if 0
/* Sun (OpenSolaris) version would probably something like this.
The client and server names passed can be null, unlike in the
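Review bot: `from->address` is dereferenced unconditionally in the new call, and nothing in the hunk establishes that `from` is non-NULL here; kdbtest.c treats NULL as legal for the address argument, but that says nothing about the krb5_fulladdr wrapper. If `fromstring` on the preceding lines is already derived from `from`, the dereference adds no new risk; otherwise the call should pass `from != NULL ? from->address : NULL`. log_as_req starts and ends outside this hunk.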
diff --git a/src/lib/kdb/Makefile.in b/src/lib/kdb/Makefile.in
index 5da22df..b77bf49 100644
--- a/src/lib/kdb/Makefile.in
+++ b/src/lib/kdb/Makefile.in
@@ -5,7 +5,7 @@ LOCALINCLUDES= -I.
# Keep LIBMAJOR in sync with KRB5_KDB_API_VERSION in include/kdb.h.
LIBBASE=kdb5
-LIBMAJOR=8
+LIBMAJOR=9
LIBMINOR=0
LIBINITFUNC=kdb_init_lock_list
LIBFINIFUNC=kdb_fini_lock_list
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index 7f33c7e..b233e99 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
@@ -322,12 +322,7 @@ copy_vtable(const kdb_vftabl *in, kdb_vftabl *out)
out->audit_as_req = in->audit_as_req;
out->refresh_config = in->refresh_config;
out->check_allowed_to_delegate = in->check_allowed_to_delegate;
-
- /* Copy fields for minor version 1 (major version 6). */
- assert(KRB5_KDB_DAL_MAJOR_VERSION == 6);
- out->free_principal_e_data = NULL;
- if (in->min_ver >= 1)
- out->free_principal_e_data = in->free_principal_e_data;
+ out->free_principal_e_data = in->free_principal_e_data;
/* Set defaults for optional fields. */
if (out->fetch_master_key == NULL)
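Review bot: Dropping the minor-version shim also removes the `assert(KRB5_KDB_DAL_MAJOR_VERSION == 6)` that forced the next major bump to revisit this code, leaving no marker that free_principal_e_data is now mandatory for version 7 modules. A one-line comment in its place would preserve that intent: `/* As of DAL major version 7 all fields above are mandatory; add min_ver checks here when a new optional field is introduced. */`. Whether the "optional fields" defaults that follow cover free_principal_e_data is not visible in the hunk. copy_vtable starts and ends outside this hunk.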
@@ -2677,8 +2672,9 @@ krb5_db_check_policy_tgs(krb5_context kcontext, krb5_kdc_req *request,
void
krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_timestamp authtime, krb5_error_code error_code)
+ krb5_address *from, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_timestamp authtime,
+ krb5_error_code error_code)
{
krb5_error_code status;
kdb_vftabl *v;
@@ -2686,7 +2682,8 @@ krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
status = get_vftabl(kcontext, &v);
if (status || v->audit_as_req == NULL)
return;
- v->audit_as_req(kcontext, request, client, server, authtime, error_code);
+ v->audit_as_req(kcontext, request, from, client, server, authtime,
+ error_code);
}
void
diff --git a/src/plugins/kdb/db2/db2_exp.c b/src/plugins/kdb/db2/db2_exp.c
index 1a41481..5367d05 100644
--- a/src/plugins/kdb/db2/db2_exp.c
+++ b/src/plugins/kdb/db2/db2_exp.c
@@ -166,10 +166,10 @@ WRAP_K (krb5_db2_check_policy_as,
(kcontext, request, client, server, kdc_time, status, e_data));
WRAP_VOID (krb5_db2_audit_as_req,
- (krb5_context kcontext, krb5_kdc_req *request,
+ (krb5_context kcontext, krb5_kdc_req *request, krb5_address *from,
krb5_db_entry *client, krb5_db_entry *server,
krb5_timestamp authtime, krb5_error_code error_code),
- (kcontext, request, client, server, authtime, error_code));
+ (kcontext, request, from, client, server, authtime, error_code));
static krb5_error_code
hack_init (void)
diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
index e3dccd9..5c0a83c 100644
--- a/src/plugins/kdb/db2/kdb_db2.c
+++ b/src/plugins/kdb/db2/kdb_db2.c
@@ -1551,8 +1551,9 @@ krb5_db2_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
void
krb5_db2_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_timestamp authtime, krb5_error_code error_code)
+ krb5_address *from, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_timestamp authtime,
+ krb5_error_code error_code)
{
(void) krb5_db2_lockout_audit(kcontext, client, authtime, error_code);
}
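Review bot: krb5_db2_audit_as_req accepts the new `from` parameter but never uses it; only the lockout audit is forwarded, so the client address the commit sets out to pass is dropped by this back end. The same holds for krb5_ldap_audit_as_req in the kdb_ldap.c hunk. A short comment makes that deliberate rather than an omission: `/* from is not recorded; only lockout bookkeeping is audited here. */`, optionally with `(void)from;` to keep -Wunused-parameter quiet.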
diff --git a/src/plugins/kdb/db2/kdb_db2.h b/src/plugins/kdb/db2/kdb_db2.h
index b1b50c8..bc85ba3 100644
--- a/src/plugins/kdb/db2/kdb_db2.h
+++ b/src/plugins/kdb/db2/kdb_db2.h
@@ -134,7 +134,8 @@ krb5_db2_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
void
krb5_db2_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_timestamp authtime, krb5_error_code error_code);
+ krb5_address *from, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_timestamp authtime,
+ krb5_error_code error_code);
#endif /* KRB5_KDB_DB2_H */
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
index 7ba8075..d13637c 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
@@ -277,8 +277,9 @@ krb5_ldap_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
void
krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_timestamp authtime, krb5_error_code error_code)
+ krb5_address *from, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_timestamp authtime,
+ krb5_error_code error_code)
{
(void) krb5_ldap_lockout_audit(kcontext, client, authtime, error_code);
}
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
index 2e9bcda..80d0650 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
@@ -282,8 +282,9 @@ krb5_ldap_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
void
krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_timestamp authtime, krb5_error_code error_code);
+ krb5_address *from, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_timestamp authtime,
+ krb5_error_code error_code);
krb5_error_code
krb5_ldap_check_allowed_to_delegate(krb5_context context,
diff --git a/src/tests/kdbtest.c b/src/tests/kdbtest.c
index 3f63cfb..6e2d439 100644
--- a/src/tests/kdbtest.c
+++ b/src/tests/kdbtest.c
@@ -243,8 +243,8 @@ check_entry(krb5_db_entry *ent)
static void
sim_preauth(krb5_timestamp authtime, krb5_boolean ok, krb5_db_entry **entp)
{
- /* Both back ends ignore the request parameter for now. */
- krb5_db_audit_as_req(ctx, NULL, *entp, *entp, authtime,
+ /* Both back ends ignore the request and from parameters for now. */
+ krb5_db_audit_as_req(ctx, NULL, NULL, *entp, *entp, authtime,
ok ? 0 : KRB5KDC_ERR_PREAUTH_FAILED);
krb5_db_free_principal(ctx, *entp);
CHECK(krb5_db_get_principal(ctx, &sample_princ, 0, entp));