krb5/krb5-1.6-CVE-2007-0957-prelim.patch

1275 lines
40 KiB
Diff
Raw Normal View History

2007-04-03 18:41:26 +00:00
*** src/kadmin/server/kadm_rpc_svc.c (revision 19480)
--- src/kadmin/server/kadm_rpc_svc.c (local)
***************
*** 250,255 ****
--- 250,257 ----
krb5_data *c1, *c2, *realm;
gss_buffer_desc gss_str;
kadm5_server_handle_t handle;
+ size_t slen;
+ char *sdots;
success = 0;
handle = (kadm5_server_handle_t)global_server_handle;
***************
*** 274,279 ****
--- 276,283 ----
if (ret == 0)
goto fail_name;
+ slen = gss_str.length;
+ trunc_name(&slen, &sdots);
/*
* Since we accept with GSS_C_NO_NAME, the client can authenticate
* against the entire kdb. Therefore, ensure that the service
***************
*** 296,303 ****
fail_princ:
if (!success) {
! krb5_klog_syslog(LOG_ERR, "bad service principal %.*s",
! gss_str.length, gss_str.value);
}
gss_release_buffer(&min_stat, &gss_str);
krb5_free_principal(kctx, princ);
--- 300,307 ----
fail_princ:
if (!success) {
! krb5_klog_syslog(LOG_ERR, "bad service principal %.*s%s",
! slen, gss_str.value, sdots);
}
gss_release_buffer(&min_stat, &gss_str);
krb5_free_principal(kctx, princ);
*** src/kadmin/server/misc.c (revision 19480)
--- src/kadmin/server/misc.c (local)
***************
*** 171,173 ****
--- 171,182 ----
return kadm5_free_principal_ent(handle->lhandle, &princ);
}
+
+ #define MAXPRINCLEN 125
+
+ void
+ trunc_name(size_t *len, char **dots)
+ {
+ *dots = *len > MAXPRINCLEN ? "..." : "";
+ *len = *len > MAXPRINCLEN ? MAXPRINCLEN : *len;
+ }
*** src/kadmin/server/misc.h (revision 19480)
--- src/kadmin/server/misc.h (local)
***************
*** 45,47 ****
--- 45,49 ----
#ifdef SVC_GETARGS
void kadm_1(struct svc_req *, SVCXPRT *);
#endif
+
+ void trunc_name(size_t *len, char **dots);
*** src/kadmin/server/ovsec_kadmd.c (revision 19480)
--- src/kadmin/server/ovsec_kadmd.c (local)
***************
*** 992,997 ****
--- 992,999 ----
rpcproc_t proc;
int i;
const char *procname;
+ size_t clen, slen;
+ char *cdots, *sdots;
client.length = 0;
client.value = NULL;
***************
*** 1000,1009 ****
(void) gss_display_name(&minor, client_name, &client, &gss_type);
(void) gss_display_name(&minor, server_name, &server, &gss_type);
! if (client.value == NULL)
client.value = "(null)";
! if (server.value == NULL)
server.value = "(null)";
a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr);
proc = msg->rm_call.cb_proc;
--- 1002,1021 ----
(void) gss_display_name(&minor, client_name, &client, &gss_type);
(void) gss_display_name(&minor, server_name, &server, &gss_type);
! if (client.value == NULL) {
client.value = "(null)";
! clen = sizeof("(null)") -1;
! } else {
! clen = client.length;
! }
! trunc_name(&clen, &cdots);
! if (server.value == NULL) {
server.value = "(null)";
+ slen = sizeof("(null)") - 1;
+ } else {
+ slen = server.length;
+ }
+ trunc_name(&slen, &sdots);
a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr);
proc = msg->rm_call.cb_proc;
***************
*** 1016,1029 ****
}
if (procname != NULL)
krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, "
! "claimed client = %s, server = %s, addr = %s",
! procname, client.value,
! server.value, a);
else
krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, "
! "claimed client = %s, server = %s, addr = %s",
! proc, client.value,
! server.value, a);
(void) gss_release_buffer(&minor, &client);
(void) gss_release_buffer(&minor, &server);
--- 1028,1041 ----
}
if (procname != NULL)
krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, "
! "claimed client = %.*s%s, server = %.*s%s, addr = %s",
! procname, clen, client.value, cdots,
! slen, server.value, sdots, a);
else
krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, "
! "claimed client = %.*s%s, server = %.*s%s, addr = %s",
! proc, clen, client.value, cdots,
! slen, server.value, sdots, a);
(void) gss_release_buffer(&minor, &client);
(void) gss_release_buffer(&minor, &server);
*** src/kadmin/server/schpw.c (revision 19480)
--- src/kadmin/server/schpw.c (local)
***************
*** 40,45 ****
--- 40,47 ----
int numresult;
char strresult[1024];
char *clientstr;
+ size_t clen;
+ char *cdots;
ret = 0;
rep->length = 0;
***************
*** 258,266 ****
free(ptr);
clear.length = 0;
! krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %s: %s",
inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr),
! clientstr, ret ? krb5_get_error_message (context, ret) : "success");
krb5_free_unparsed_name(context, clientstr);
if (ret) {
--- 260,271 ----
free(ptr);
clear.length = 0;
! clen = strlen(clientstr);
! trunc_name(&clen, &cdots);
! krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s",
inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr),
! clen, clientstr, cdots,
! ret ? krb5_get_error_message (context, ret) : "success");
krb5_free_unparsed_name(context, clientstr);
if (ret) {
*** src/kadmin/server/server_stubs.c (revision 19480)
--- src/kadmin/server/server_stubs.c (local)
***************
*** 14,19 ****
--- 14,20 ----
#include <arpa/inet.h> /* inet_ntoa */
#include <adm_proto.h> /* krb5_klog_syslog */
#include "misc.h"
+ #include <string.h>
#define LOG_UNAUTH "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s"
#define LOG_DONE "Request: %s, %s, %s, client=%s, service=%s, addr=%s"
***************
*** 237,242 ****
--- 238,298 ----
return 0;
}
+ static int
+ log_unauth(
+ char *op,
+ char *target,
+ gss_buffer_t client,
+ gss_buffer_t server,
+ struct svc_req *rqstp)
+ {
+ size_t tlen, clen, slen;
+ char *tdots, *cdots, *sdots;
+
+ tlen = strlen(target);
+ trunc_name(&tlen, &tdots);
+ clen = client->length;
+ trunc_name(&clen, &cdots);
+ slen = server->length;
+ trunc_name(&slen, &sdots);
+
+ return krb5_klog_syslog(LOG_NOTICE,
+ "Unauthorized request: %s, %.*s%s, "
+ "client=%.*s%s, service=%.*s%s, addr=%s",
+ op, tlen, target, tdots,
+ clen, client->value, cdots,
+ slen, server->value, sdots,
+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ }
+
+ static int
+ log_done(
+ char *op,
+ char *target,
+ char *errmsg,
+ gss_buffer_t client,
+ gss_buffer_t server,
+ struct svc_req *rqstp)
+ {
+ size_t tlen, clen, slen;
+ char *tdots, *cdots, *sdots;
+
+ tlen = strlen(target);
+ trunc_name(&tlen, &tdots);
+ clen = client->length;
+ trunc_name(&clen, &cdots);
+ slen = server->length;
+ trunc_name(&slen, &sdots);
+
+ return krb5_klog_syslog(LOG_NOTICE,
+ "Request: %s, %.*s%s, %s, "
+ "client=%.*s%s, service=%.*s%s, addr=%s",
+ op, tlen, target, tdots, errmsg,
+ clen, client->value, cdots,
+ slen, server->value, sdots,
+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ }
+
generic_ret *
create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
{
***************
*** 275,283 ****
|| kadm5int_acl_impose_restrictions(handle->context,
&arg->rec, &arg->mask, rp)) {
ret.code = KADM5_AUTH_ADD;
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
! prime_arg, client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
} else {
ret.code = kadm5_create_principal((void *)handle,
&arg->rec, arg->mask,
--- 331,338 ----
|| kadm5int_acl_impose_restrictions(handle->context,
&arg->rec, &arg->mask, rp)) {
ret.code = KADM5_AUTH_ADD;
! log_unauth("kadm5_create_principal", prime_arg,
! &client_name, &service_name, rqstp);
} else {
ret.code = kadm5_create_principal((void *)handle,
&arg->rec, arg->mask,
***************
*** 287,296 ****
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
! prime_arg, errmsg,
! client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
/* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
}
--- 342,349 ----
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! log_done("kadm5_create_principal", prime_arg, errmsg,
! &client_name, &service_name, rqstp);
/* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
}
***************
*** 341,349 ****
|| kadm5int_acl_impose_restrictions(handle->context,
&arg->rec, &arg->mask, rp)) {
ret.code = KADM5_AUTH_ADD;
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
! prime_arg, client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
} else {
ret.code = kadm5_create_principal_3((void *)handle,
&arg->rec, arg->mask,
--- 394,401 ----
|| kadm5int_acl_impose_restrictions(handle->context,
&arg->rec, &arg->mask, rp)) {
ret.code = KADM5_AUTH_ADD;
! log_unauth("kadm5_create_principal", prime_arg,
! &client_name, &service_name, rqstp);
} else {
ret.code = kadm5_create_principal_3((void *)handle,
&arg->rec, arg->mask,
***************
*** 355,364 ****
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
! prime_arg, errmsg,
! client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
/* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
}
--- 407,414 ----
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! log_done("kadm5_create_principal", prime_arg, errmsg,
! &client_name, &service_name, rqstp);
/* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
}
***************
*** 406,414 ****
|| !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE,
arg->princ, NULL)) {
ret.code = KADM5_AUTH_DELETE;
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_principal",
! prime_arg, client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
} else {
ret.code = kadm5_delete_principal((void *)handle, arg->princ);
if( ret.code == 0 )
--- 456,463 ----
|| !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE,
arg->princ, NULL)) {
ret.code = KADM5_AUTH_DELETE;
! log_unauth("kadm5_delete_principal", prime_arg,
! &client_name, &service_name, rqstp);
} else {
ret.code = kadm5_delete_principal((void *)handle, arg->princ);
if( ret.code == 0 )
***************
*** 416,425 ****
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_principal",
! prime_arg, errmsg,
! client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
/* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
}
--- 465,472 ----
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! log_done("kadm5_delete_principal", prime_arg, errmsg,
! &client_name, &service_name, rqstp);
/* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
}
***************
*** 469,477 ****
|| kadm5int_acl_impose_restrictions(handle->context,
&arg->rec, &arg->mask, rp)) {
ret.code = KADM5_AUTH_MODIFY;
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_principal",
! prime_arg, client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
} else {
ret.code = kadm5_modify_principal((void *)handle, &arg->rec,
arg->mask);
--- 516,523 ----
|| kadm5int_acl_impose_restrictions(handle->context,
&arg->rec, &arg->mask, rp)) {
ret.code = KADM5_AUTH_MODIFY;
! log_unauth("kadm5_modify_principal", prime_arg,
! &client_name, &service_name, rqstp);
} else {
ret.code = kadm5_modify_principal((void *)handle, &arg->rec,
arg->mask);
***************
*** 480,489 ****
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_principal",
! prime_arg, errmsg,
! client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
/* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
}
--- 526,533 ----
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! log_done("kadm5_modify_principal", prime_arg, errmsg,
! &client_name, &service_name, rqstp);
/* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
}
***************
*** 546,554 ****
} else
ret.code = KADM5_AUTH_INSUFFICIENT;
if (ret.code != KADM5_OK) {
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_rename_principal",
! prime_arg, client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
} else {
ret.code = kadm5_rename_principal((void *)handle, arg->src,
arg->dest);
--- 590,597 ----
} else
ret.code = KADM5_AUTH_INSUFFICIENT;
if (ret.code != KADM5_OK) {
! log_unauth("kadm5_rename_principal", prime_arg,
! &client_name, &service_name, rqstp);
} else {
ret.code = kadm5_rename_principal((void *)handle, arg->src,
arg->dest);
***************
*** 557,566 ****
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_rename_principal",
! prime_arg, errmsg,
! client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
}
free_server_handle(handle);
free(prime_arg1);
--- 600,607 ----
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! log_done("kadm5_rename_principal", prime_arg, errmsg,
! &client_name, &service_name, rqstp);
}
free_server_handle(handle);
free(prime_arg1);
***************
*** 614,622 ****
arg->princ,
NULL))) {
ret.code = KADM5_AUTH_GET;
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
! prime_arg, client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
} else {
if (handle->api_version == KADM5_API_VERSION_1) {
ret.code = kadm5_get_principal_v1((void *)handle,
--- 655,662 ----
arg->princ,
NULL))) {
ret.code = KADM5_AUTH_GET;
! log_unauth(funcname, prime_arg,
! &client_name, &service_name, rqstp);
} else {
if (handle->api_version == KADM5_API_VERSION_1) {
ret.code = kadm5_get_principal_v1((void *)handle,
***************
*** 636,646 ****
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
! prime_arg,
! errmsg,
! client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
}
free_server_handle(handle);
--- 676,683 ----
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! log_done(funcname, prime_arg, errmsg,
! &client_name, &service_name, rqstp);
}
free_server_handle(handle);
***************
*** 688,696 ****
NULL,
NULL)) {
ret.code = KADM5_AUTH_LIST;
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_principals",
! prime_arg, client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
} else {
ret.code = kadm5_get_principals((void *)handle,
arg->exp, &ret.princs,
--- 725,732 ----
NULL,
NULL)) {
ret.code = KADM5_AUTH_LIST;
! log_unauth("kadm5_get_principals", prime_arg,
! &client_name, &service_name, rqstp);
} else {
ret.code = kadm5_get_principals((void *)handle,
arg->exp, &ret.princs,
***************
*** 700,710 ****
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_principals",
! prime_arg,
! errmsg,
! client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
}
free_server_handle(handle);
--- 736,743 ----
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! log_done("kadm5_get_principals", prime_arg, errmsg,
! &client_name, &service_name, rqstp);
}
free_server_handle(handle);
***************
*** 755,763 ****
ret.code = kadm5_chpass_principal((void *)handle, arg->princ,
arg->pass);
} else {
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
! prime_arg, client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
ret.code = KADM5_AUTH_CHANGEPW;
}
--- 788,795 ----
ret.code = kadm5_chpass_principal((void *)handle, arg->princ,
arg->pass);
} else {
! log_unauth("kadm5_chpass_principal", prime_arg,
! &client_name, &service_name, rqstp);
ret.code = KADM5_AUTH_CHANGEPW;
}
***************
*** 767,776 ****
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",
! prime_arg, errmsg,
! client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
}
free_server_handle(handle);
--- 799,806 ----
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! log_done("kadm5_chpass_principal", prime_arg, errmsg,
! &client_name, &service_name, rqstp);
}
free_server_handle(handle);
***************
*** 828,836 ****
arg->ks_tuple,
arg->pass);
} else {
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
! prime_arg, client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
ret.code = KADM5_AUTH_CHANGEPW;
}
--- 858,865 ----
arg->ks_tuple,
arg->pass);
} else {
! log_unauth("kadm5_chpass_principal", prime_arg,
! &client_name, &service_name, rqstp);
ret.code = KADM5_AUTH_CHANGEPW;
}
***************
*** 840,849 ****
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",
! prime_arg, errmsg,
! client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
}
free_server_handle(handle);
--- 869,876 ----
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! log_done("kadm5_chpass_principal", prime_arg, errmsg,
! &client_name, &service_name, rqstp);
}
free_server_handle(handle);
***************
*** 892,900 ****
ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
arg->keyblock);
} else {
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setv4key_principal",
! prime_arg, client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
ret.code = KADM5_AUTH_SETKEY;
}
--- 919,926 ----
ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
arg->keyblock);
} else {
! log_unauth("kadm5_setv4key_principal", prime_arg,
! &client_name, &service_name, rqstp);
ret.code = KADM5_AUTH_SETKEY;
}
***************
*** 904,913 ****
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setv4key_principal",
! prime_arg, errmsg,
! client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
}
free_server_handle(handle);
--- 930,937 ----
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! log_done("kadm5_setv4key_principal", prime_arg, errmsg,
! &client_name, &service_name, rqstp);
}
free_server_handle(handle);
***************
*** 956,964 ****
ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
arg->keyblocks, arg->n_keys);
} else {
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal",
! prime_arg, client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
ret.code = KADM5_AUTH_SETKEY;
}
--- 980,987 ----
ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
arg->keyblocks, arg->n_keys);
} else {
! log_unauth("kadm5_setkey_principal", prime_arg,
! &client_name, &service_name, rqstp);
ret.code = KADM5_AUTH_SETKEY;
}
***************
*** 968,977 ****
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal",
! prime_arg, errmsg,
! client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
}
free_server_handle(handle);
--- 991,998 ----
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! log_done("kadm5_setkey_principal", prime_arg, errmsg,
! &client_name, &service_name, rqstp);
}
free_server_handle(handle);
***************
*** 1023,1031 ****
arg->ks_tuple,
arg->keyblocks, arg->n_keys);
} else {
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal",
! prime_arg, client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
ret.code = KADM5_AUTH_SETKEY;
}
--- 1044,1051 ----
arg->ks_tuple,
arg->keyblocks, arg->n_keys);
} else {
! log_unauth("kadm5_setkey_principal", prime_arg,
! &client_name, &service_name, rqstp);
ret.code = KADM5_AUTH_SETKEY;
}
***************
*** 1035,1044 ****
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal",
! prime_arg, errmsg,
! client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
}
free_server_handle(handle);
--- 1055,1062 ----
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! log_done("kadm5_setkey_principal", prime_arg, errmsg,
! &client_name, &service_name, rqstp);
}
free_server_handle(handle);
***************
*** 1097,1105 ****
ret.code = kadm5_randkey_principal((void *)handle, arg->princ,
&k, &nkeys);
} else {
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
! prime_arg, client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
ret.code = KADM5_AUTH_CHANGEPW;
}
--- 1115,1122 ----
ret.code = kadm5_randkey_principal((void *)handle, arg->princ,
&k, &nkeys);
} else {
! log_unauth(funcname, prime_arg,
! &client_name, &service_name, rqstp);
ret.code = KADM5_AUTH_CHANGEPW;
}
***************
*** 1119,1128 ****
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
! prime_arg, errmsg,
! client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
}
free_server_handle(handle);
free(prime_arg);
--- 1136,1143 ----
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! log_done(funcname, prime_arg, errmsg,
! &client_name, &service_name, rqstp);
}
free_server_handle(handle);
free(prime_arg);
***************
*** 1185,1193 ****
arg->ks_tuple,
&k, &nkeys);
} else {
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
! prime_arg, client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
ret.code = KADM5_AUTH_CHANGEPW;
}
--- 1200,1207 ----
arg->ks_tuple,
&k, &nkeys);
} else {
! log_unauth(funcname, prime_arg,
! &client_name, &service_name, rqstp);
ret.code = KADM5_AUTH_CHANGEPW;
}
***************
*** 1207,1216 ****
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
! prime_arg, errmsg,
! client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
}
free_server_handle(handle);
free(prime_arg);
--- 1221,1228 ----
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! log_done(funcname, prime_arg, errmsg,
! &client_name, &service_name, rqstp);
}
free_server_handle(handle);
free(prime_arg);
***************
*** 1253,1262 ****
rqst2name(rqstp),
ACL_ADD, NULL, NULL)) {
ret.code = KADM5_AUTH_ADD;
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_policy",
! prime_arg, client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
!
} else {
ret.code = kadm5_create_policy((void *)handle, &arg->rec,
arg->mask);
--- 1265,1273 ----
rqst2name(rqstp),
ACL_ADD, NULL, NULL)) {
ret.code = KADM5_AUTH_ADD;
! log_unauth("kadm5_create_policy", prime_arg,
! &client_name, &service_name, rqstp);
!
} else {
ret.code = kadm5_create_policy((void *)handle, &arg->rec,
arg->mask);
***************
*** 1265,1275 ****
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_policy",
! ((prime_arg == NULL) ? "(null)" : prime_arg),
! errmsg,
! client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
}
free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
--- 1276,1284 ----
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! log_done("kadm5_create_policy",
! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
! &client_name, &service_name, rqstp);
}
free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
***************
*** 1310,1318 ****
if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
rqst2name(rqstp),
ACL_DELETE, NULL, NULL)) {
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_policy",
! prime_arg, client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
ret.code = KADM5_AUTH_DELETE;
} else {
ret.code = kadm5_delete_policy((void *)handle, arg->name);
--- 1319,1326 ----
if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
rqst2name(rqstp),
ACL_DELETE, NULL, NULL)) {
! log_unauth("kadm5_delete_policy", prime_arg,
! &client_name, &service_name, rqstp);
ret.code = KADM5_AUTH_DELETE;
} else {
ret.code = kadm5_delete_policy((void *)handle, arg->name);
***************
*** 1321,1331 ****
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_policy",
! ((prime_arg == NULL) ? "(null)" : prime_arg),
! errmsg,
! client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
}
free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
--- 1329,1337 ----
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! log_done("kadm5_delete_policy",
! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
! &client_name, &service_name, rqstp);
}
free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
***************
*** 1366,1374 ****
if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
rqst2name(rqstp),
ACL_MODIFY, NULL, NULL)) {
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_policy",
! prime_arg, client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
ret.code = KADM5_AUTH_MODIFY;
} else {
ret.code = kadm5_modify_policy((void *)handle, &arg->rec,
--- 1372,1379 ----
if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
rqst2name(rqstp),
ACL_MODIFY, NULL, NULL)) {
! log_unauth("kadm5_modify_policy", prime_arg,
! &client_name, &service_name, rqstp);
ret.code = KADM5_AUTH_MODIFY;
} else {
ret.code = kadm5_modify_policy((void *)handle, &arg->rec,
***************
*** 1378,1388 ****
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_policy",
! ((prime_arg == NULL) ? "(null)" : prime_arg),
! errmsg,
! client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
}
free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
--- 1383,1391 ----
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! log_done("kadm5_modify_policy",
! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
! &client_name, &service_name, rqstp);
}
free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
***************
*** 1464,1478 ****
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
! ((prime_arg == NULL) ? "(null)" : prime_arg),
! errmsg,
! client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
} else {
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
! prime_arg, client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
}
free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
--- 1467,1478 ----
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! log_done(funcname,
! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
! &client_name, &service_name, rqstp);
} else {
! log_unauth(funcname, prime_arg,
! &client_name, &service_name, rqstp);
}
free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
***************
*** 1517,1525 ****
rqst2name(rqstp),
ACL_LIST, NULL, NULL)) {
ret.code = KADM5_AUTH_LIST;
! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_policies",
! prime_arg, client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
} else {
ret.code = kadm5_get_policies((void *)handle,
arg->exp, &ret.pols,
--- 1517,1524 ----
rqst2name(rqstp),
ACL_LIST, NULL, NULL)) {
ret.code = KADM5_AUTH_LIST;
! log_unauth("kadm5_get_policies", prime_arg,
! &client_name, &service_name, rqstp);
} else {
ret.code = kadm5_get_policies((void *)handle,
arg->exp, &ret.pols,
***************
*** 1529,1539 ****
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_policies",
! prime_arg,
! errmsg,
! client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
}
free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
--- 1528,1535 ----
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! log_done("kadm5_get_policies", prime_arg, errmsg,
! &client_name, &service_name, rqstp);
}
free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
***************
*** 1573,1583 ****
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_privs",
! client_name.value,
! errmsg,
! client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
--- 1569,1576 ----
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! log_done("kadm5_get_privs", client_name.value, errmsg,
! &client_name, &service_name, rqstp);
free_server_handle(handle);
gss_release_buffer(&minor_stat, &client_name);
***************
*** 1594,1599 ****
--- 1587,1594 ----
kadm5_server_handle_t handle;
OM_uint32 minor_stat;
char *errmsg = 0;
+ size_t clen, slen;
+ char *cdots, *sdots;
xdr_free(xdr_generic_ret, &ret);
***************
*** 1612,1625 ****
if (ret.code != 0)
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! krb5_klog_syslog(LOG_NOTICE, LOG_DONE ", flavor=%d",
! (ret.api_version == KADM5_API_VERSION_1 ?
! "kadm5_init (V1)" : "kadm5_init"),
! client_name.value,
! (ret.code == 0) ? "success" : errmsg,
! client_name.value, service_name.value,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
! rqstp->rq_cred.oa_flavor);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
--- 1607,1628 ----
if (ret.code != 0)
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
! else
! errmsg = "success";
!
! clen = client_name.length;
! trunc_name(&clen, &cdots);
! slen = service_name.length;
! trunc_name(&slen, &sdots);
! krb5_klog_syslog(LOG_NOTICE, "Request: %s, %.*s%s, %s, "
! "client=%.*s%s, service=%.*s%s, addr=%s, flavor=%d",
! (ret.api_version == KADM5_API_VERSION_1 ?
! "kadm5_init (V1)" : "kadm5_init"),
! clen, client_name.value, cdots, errmsg,
! clen, client_name.value, cdots,
! slen, service_name.value, sdots,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
! rqstp->rq_cred.oa_flavor);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
*** src/kdc/do_tgs_req.c (revision 19480)
--- src/kdc/do_tgs_req.c (local)
***************
*** 489,516 ****
newtransited = 1;
}
if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
errcode = krb5_check_transited_list (kdc_context,
&enc_tkt_reply.transited.tr_contents,
krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
krb5_princ_realm (kdc_context, request->server));
if (errcode == 0) {
setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
} else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
krb5_klog_syslog (LOG_INFO,
! "bad realm transit path from '%s' to '%s' via '%.*s'",
cname ? cname : "<unknown client>",
sname ? sname : "<unknown server>",
! enc_tkt_reply.transited.tr_contents.length,
! enc_tkt_reply.transited.tr_contents.data);
else {
const char *emsg = krb5_get_error_message(kdc_context, errcode);
krb5_klog_syslog (LOG_ERR,
! "unexpected error checking transit from '%s' to '%s' via '%.*s': %s",
cname ? cname : "<unknown client>",
sname ? sname : "<unknown server>",
! enc_tkt_reply.transited.tr_contents.length,
enc_tkt_reply.transited.tr_contents.data,
! emsg);
krb5_free_error_message(kdc_context, emsg);
}
} else
--- 489,526 ----
newtransited = 1;
}
if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
+ unsigned int tlen;
+ char *tdots;
+
errcode = krb5_check_transited_list (kdc_context,
&enc_tkt_reply.transited.tr_contents,
krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
krb5_princ_realm (kdc_context, request->server));
+ tlen = enc_tkt_reply.transited.tr_contents.length;
+ tdots = tlen > 125 ? "..." : "";
+ tlen = tlen > 125 ? 125 : tlen;
+
if (errcode == 0) {
setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
} else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
krb5_klog_syslog (LOG_INFO,
! "bad realm transit path from '%s' to '%s' "
! "via '%.*s%s'",
cname ? cname : "<unknown client>",
sname ? sname : "<unknown server>",
! tlen,
! enc_tkt_reply.transited.tr_contents.data,
! tdots);
else {
const char *emsg = krb5_get_error_message(kdc_context, errcode);
krb5_klog_syslog (LOG_ERR,
! "unexpected error checking transit from "
! "'%s' to '%s' via '%.*s%s': %s",
cname ? cname : "<unknown client>",
sname ? sname : "<unknown server>",
! tlen,
enc_tkt_reply.transited.tr_contents.data,
! tdots, emsg);
krb5_free_error_message(kdc_context, emsg);
}
} else
***************
*** 542,547 ****
--- 552,560 ----
if (!krb5_principal_compare(kdc_context, request->server, client2)) {
if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
tmp = 0;
+ if (tmp != NULL)
+ limit_string(tmp);
+
krb5_klog_syslog(LOG_INFO,
"TGS_REQ %s: 2ND_TKT_MISMATCH: "
"authtime %d, %s for %s, 2nd tkt client %s",
***************
*** 816,821 ****
--- 829,835 ----
krb5_klog_syslog(LOG_INFO,
"TGS_REQ: issuing alternate <un-unparseable> TGT");
} else {
+ limit_string(sname);
krb5_klog_syslog(LOG_INFO,
"TGS_REQ: issuing TGT %s", sname);
free(sname);
*** src/kdc/kdc_util.c (revision 19480)
--- src/kdc/kdc_util.c (local)
***************
*** 404,409 ****
--- 404,410 ----
krb5_db_free_principal(kdc_context, &server, nprincs);
if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {
+ limit_string(sname);
krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",
sname);
free(sname);
*** src/lib/kadm5/logger.c (revision 19480)
--- src/lib/kadm5/logger.c (local)
***************
*** 45,51 ****
#include <varargs.h>
#endif /* HAVE_STDARG_H */
! #define KRB5_KLOG_MAX_ERRMSG_SIZE 1024
#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 256
#endif /* MAXHOSTNAMELEN */
--- 45,51 ----
#include <varargs.h>
#endif /* HAVE_STDARG_H */
! #define KRB5_KLOG_MAX_ERRMSG_SIZE 2048
#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 256
#endif /* MAXHOSTNAMELEN */
***************
*** 261,267 ****
#endif /* HAVE_SYSLOG */
/* Now format the actual message */
! #if HAVE_VSPRINTF
vsprintf(cp, actual_format, ap);
#else /* HAVE_VSPRINTF */
sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1],
--- 261,269 ----
#endif /* HAVE_SYSLOG */
/* Now format the actual message */
! #if HAVE_VSNPRINTF
! vsnprintf(cp, sizeof(outbuf) - (cp - outbuf), actual_format, ap);
! #elif HAVE_VSPRINTF
vsprintf(cp, actual_format, ap);
#else /* HAVE_VSPRINTF */
sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1],
***************
*** 850,856 ****
syslogp = &outbuf[strlen(outbuf)];
/* Now format the actual message */
! #ifdef HAVE_VSPRINTF
vsprintf(syslogp, format, arglist);
#else /* HAVE_VSPRINTF */
sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1],
--- 852,860 ----
syslogp = &outbuf[strlen(outbuf)];
/* Now format the actual message */
! #ifdef HAVE_VSNPRINTF
! vsnprintf(syslogp, sizeof(outbuf) - (syslogp - outbuf), format, arglist);
! #elif HAVE_VSPRINTF
vsprintf(syslogp, format, arglist);
#else /* HAVE_VSPRINTF */
sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1],