diff --git a/krb5-1.6-CVE-2007-0957-prelim.patch b/krb5-1.6-CVE-2007-0957-prelim.patch new file mode 100644 index 0000000..a87f91c --- /dev/null +++ b/krb5-1.6-CVE-2007-0957-prelim.patch @@ -0,0 +1,1274 @@ +*** src/kadmin/server/kadm_rpc_svc.c (revision 19480) +--- src/kadmin/server/kadm_rpc_svc.c (local) +*************** +*** 250,255 **** +--- 250,257 ---- + krb5_data *c1, *c2, *realm; + gss_buffer_desc gss_str; + kadm5_server_handle_t handle; ++ size_t slen; ++ char *sdots; + + success = 0; + handle = (kadm5_server_handle_t)global_server_handle; +*************** +*** 274,279 **** +--- 276,283 ---- + if (ret == 0) + goto fail_name; + ++ slen = gss_str.length; ++ trunc_name(&slen, &sdots); + /* + * Since we accept with GSS_C_NO_NAME, the client can authenticate + * against the entire kdb. Therefore, ensure that the service +*************** +*** 296,303 **** + + fail_princ: + if (!success) { +! krb5_klog_syslog(LOG_ERR, "bad service principal %.*s", +! gss_str.length, gss_str.value); + } + gss_release_buffer(&min_stat, &gss_str); + krb5_free_principal(kctx, princ); +--- 300,307 ---- + + fail_princ: + if (!success) { +! krb5_klog_syslog(LOG_ERR, "bad service principal %.*s%s", +! slen, gss_str.value, sdots); + } + gss_release_buffer(&min_stat, &gss_str); + krb5_free_principal(kctx, princ); +*** src/kadmin/server/misc.c (revision 19480) +--- src/kadmin/server/misc.c (local) +*************** +*** 171,173 **** +--- 171,182 ---- + + return kadm5_free_principal_ent(handle->lhandle, &princ); + } ++ ++ #define MAXPRINCLEN 125 ++ ++ void ++ trunc_name(size_t *len, char **dots) ++ { ++ *dots = *len > MAXPRINCLEN ? "..." : ""; ++ *len = *len > MAXPRINCLEN ? MAXPRINCLEN : *len; ++ } +*** src/kadmin/server/misc.h (revision 19480) +--- src/kadmin/server/misc.h (local) +*************** +*** 45,47 **** +--- 45,49 ---- + #ifdef SVC_GETARGS + void kadm_1(struct svc_req *, SVCXPRT *); + #endif ++ ++ void trunc_name(size_t *len, char **dots); +*** src/kadmin/server/ovsec_kadmd.c (revision 19480) +--- src/kadmin/server/ovsec_kadmd.c (local) +*************** +*** 992,997 **** +--- 992,999 ---- + rpcproc_t proc; + int i; + const char *procname; ++ size_t clen, slen; ++ char *cdots, *sdots; + + client.length = 0; + client.value = NULL; +*************** +*** 1000,1009 **** + + (void) gss_display_name(&minor, client_name, &client, &gss_type); + (void) gss_display_name(&minor, server_name, &server, &gss_type); +! if (client.value == NULL) + client.value = "(null)"; +! if (server.value == NULL) + server.value = "(null)"; + a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr); + + proc = msg->rm_call.cb_proc; +--- 1002,1021 ---- + + (void) gss_display_name(&minor, client_name, &client, &gss_type); + (void) gss_display_name(&minor, server_name, &server, &gss_type); +! if (client.value == NULL) { + client.value = "(null)"; +! clen = sizeof("(null)") -1; +! } else { +! clen = client.length; +! } +! trunc_name(&clen, &cdots); +! if (server.value == NULL) { + server.value = "(null)"; ++ slen = sizeof("(null)") - 1; ++ } else { ++ slen = server.length; ++ } ++ trunc_name(&slen, &sdots); + a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr); + + proc = msg->rm_call.cb_proc; +*************** +*** 1016,1029 **** + } + if (procname != NULL) + krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, " +! "claimed client = %s, server = %s, addr = %s", +! procname, client.value, +! server.value, a); + else + krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, " +! "claimed client = %s, server = %s, addr = %s", +! proc, client.value, +! server.value, a); + + (void) gss_release_buffer(&minor, &client); + (void) gss_release_buffer(&minor, &server); +--- 1028,1041 ---- + } + if (procname != NULL) + krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, " +! "claimed client = %.*s%s, server = %.*s%s, addr = %s", +! procname, clen, client.value, cdots, +! slen, server.value, sdots, a); + else + krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, " +! "claimed client = %.*s%s, server = %.*s%s, addr = %s", +! proc, clen, client.value, cdots, +! slen, server.value, sdots, a); + + (void) gss_release_buffer(&minor, &client); + (void) gss_release_buffer(&minor, &server); +*** src/kadmin/server/schpw.c (revision 19480) +--- src/kadmin/server/schpw.c (local) +*************** +*** 40,45 **** +--- 40,47 ---- + int numresult; + char strresult[1024]; + char *clientstr; ++ size_t clen; ++ char *cdots; + + ret = 0; + rep->length = 0; +*************** +*** 258,266 **** + free(ptr); + clear.length = 0; + +! krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %s: %s", + inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr), +! clientstr, ret ? krb5_get_error_message (context, ret) : "success"); + krb5_free_unparsed_name(context, clientstr); + + if (ret) { +--- 260,271 ---- + free(ptr); + clear.length = 0; + +! clen = strlen(clientstr); +! trunc_name(&clen, &cdots); +! krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s", + inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr), +! clen, clientstr, cdots, +! ret ? krb5_get_error_message (context, ret) : "success"); + krb5_free_unparsed_name(context, clientstr); + + if (ret) { +*** src/kadmin/server/server_stubs.c (revision 19480) +--- src/kadmin/server/server_stubs.c (local) +*************** +*** 14,19 **** +--- 14,20 ---- + #include /* inet_ntoa */ + #include /* krb5_klog_syslog */ + #include "misc.h" ++ #include + + #define LOG_UNAUTH "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s" + #define LOG_DONE "Request: %s, %s, %s, client=%s, service=%s, addr=%s" +*************** +*** 237,242 **** +--- 238,298 ---- + return 0; + } + ++ static int ++ log_unauth( ++ char *op, ++ char *target, ++ gss_buffer_t client, ++ gss_buffer_t server, ++ struct svc_req *rqstp) ++ { ++ size_t tlen, clen, slen; ++ char *tdots, *cdots, *sdots; ++ ++ tlen = strlen(target); ++ trunc_name(&tlen, &tdots); ++ clen = client->length; ++ trunc_name(&clen, &cdots); ++ slen = server->length; ++ trunc_name(&slen, &sdots); ++ ++ return krb5_klog_syslog(LOG_NOTICE, ++ "Unauthorized request: %s, %.*s%s, " ++ "client=%.*s%s, service=%.*s%s, addr=%s", ++ op, tlen, target, tdots, ++ clen, client->value, cdots, ++ slen, server->value, sdots, ++ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ } ++ ++ static int ++ log_done( ++ char *op, ++ char *target, ++ char *errmsg, ++ gss_buffer_t client, ++ gss_buffer_t server, ++ struct svc_req *rqstp) ++ { ++ size_t tlen, clen, slen; ++ char *tdots, *cdots, *sdots; ++ ++ tlen = strlen(target); ++ trunc_name(&tlen, &tdots); ++ clen = client->length; ++ trunc_name(&clen, &cdots); ++ slen = server->length; ++ trunc_name(&slen, &sdots); ++ ++ return krb5_klog_syslog(LOG_NOTICE, ++ "Request: %s, %.*s%s, %s, " ++ "client=%.*s%s, service=%.*s%s, addr=%s", ++ op, tlen, target, tdots, errmsg, ++ clen, client->value, cdots, ++ slen, server->value, sdots, ++ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ } ++ + generic_ret * + create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp) + { +*************** +*** 275,283 **** + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { + ret.code = KADM5_AUTH_ADD; +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } else { + ret.code = kadm5_create_principal((void *)handle, + &arg->rec, arg->mask, +--- 331,338 ---- + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { + ret.code = KADM5_AUTH_ADD; +! log_unauth("kadm5_create_principal", prime_arg, +! &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_create_principal((void *)handle, + &arg->rec, arg->mask, +*************** +*** 287,296 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal", +! prime_arg, errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + + /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ + } +--- 342,349 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_create_principal", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + + /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ + } +*************** +*** 341,349 **** + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { + ret.code = KADM5_AUTH_ADD; +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } else { + ret.code = kadm5_create_principal_3((void *)handle, + &arg->rec, arg->mask, +--- 394,401 ---- + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { + ret.code = KADM5_AUTH_ADD; +! log_unauth("kadm5_create_principal", prime_arg, +! &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_create_principal_3((void *)handle, + &arg->rec, arg->mask, +*************** +*** 355,364 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal", +! prime_arg, errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + + /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ + } +--- 407,414 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_create_principal", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + + /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ + } +*************** +*** 406,414 **** + || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE, + arg->princ, NULL)) { + ret.code = KADM5_AUTH_DELETE; +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_principal", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } else { + ret.code = kadm5_delete_principal((void *)handle, arg->princ); + if( ret.code == 0 ) +--- 456,463 ---- + || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE, + arg->princ, NULL)) { + ret.code = KADM5_AUTH_DELETE; +! log_unauth("kadm5_delete_principal", prime_arg, +! &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_delete_principal((void *)handle, arg->princ); + if( ret.code == 0 ) +*************** +*** 416,425 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_principal", +! prime_arg, errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + + /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ + } +--- 465,472 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_delete_principal", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + + /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ + } +*************** +*** 469,477 **** + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { + ret.code = KADM5_AUTH_MODIFY; +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_principal", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } else { + ret.code = kadm5_modify_principal((void *)handle, &arg->rec, + arg->mask); +--- 516,523 ---- + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { + ret.code = KADM5_AUTH_MODIFY; +! log_unauth("kadm5_modify_principal", prime_arg, +! &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_modify_principal((void *)handle, &arg->rec, + arg->mask); +*************** +*** 480,489 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_principal", +! prime_arg, errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + + /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ + } +--- 526,533 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_modify_principal", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + + /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ + } +*************** +*** 546,554 **** + } else + ret.code = KADM5_AUTH_INSUFFICIENT; + if (ret.code != KADM5_OK) { +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_rename_principal", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } else { + ret.code = kadm5_rename_principal((void *)handle, arg->src, + arg->dest); +--- 590,597 ---- + } else + ret.code = KADM5_AUTH_INSUFFICIENT; + if (ret.code != KADM5_OK) { +! log_unauth("kadm5_rename_principal", prime_arg, +! &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_rename_principal((void *)handle, arg->src, + arg->dest); +*************** +*** 557,566 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_rename_principal", +! prime_arg, errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + free_server_handle(handle); + free(prime_arg1); +--- 600,607 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_rename_principal", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + } + free_server_handle(handle); + free(prime_arg1); +*************** +*** 614,622 **** + arg->princ, + NULL))) { + ret.code = KADM5_AUTH_GET; +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname, +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } else { + if (handle->api_version == KADM5_API_VERSION_1) { + ret.code = kadm5_get_principal_v1((void *)handle, +--- 655,662 ---- + arg->princ, + NULL))) { + ret.code = KADM5_AUTH_GET; +! log_unauth(funcname, prime_arg, +! &client_name, &service_name, rqstp); + } else { + if (handle->api_version == KADM5_API_VERSION_1) { + ret.code = kadm5_get_principal_v1((void *)handle, +*************** +*** 636,646 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, +! prime_arg, +! errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + + } + free_server_handle(handle); +--- 676,683 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done(funcname, prime_arg, errmsg, +! &client_name, &service_name, rqstp); + + } + free_server_handle(handle); +*************** +*** 688,696 **** + NULL, + NULL)) { + ret.code = KADM5_AUTH_LIST; +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_principals", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } else { + ret.code = kadm5_get_principals((void *)handle, + arg->exp, &ret.princs, +--- 725,732 ---- + NULL, + NULL)) { + ret.code = KADM5_AUTH_LIST; +! log_unauth("kadm5_get_principals", prime_arg, +! &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_get_principals((void *)handle, + arg->exp, &ret.princs, +*************** +*** 700,710 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_principals", +! prime_arg, +! errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + + } + free_server_handle(handle); +--- 736,743 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_get_principals", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + + } + free_server_handle(handle); +*************** +*** 755,763 **** + ret.code = kadm5_chpass_principal((void *)handle, arg->princ, + arg->pass); + } else { +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + ret.code = KADM5_AUTH_CHANGEPW; + } + +--- 788,795 ---- + ret.code = kadm5_chpass_principal((void *)handle, arg->princ, + arg->pass); + } else { +! log_unauth("kadm5_chpass_principal", prime_arg, +! &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_CHANGEPW; + } + +*************** +*** 767,776 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal", +! prime_arg, errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + + free_server_handle(handle); +--- 799,806 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_chpass_principal", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + } + + free_server_handle(handle); +*************** +*** 828,836 **** + arg->ks_tuple, + arg->pass); + } else { +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + ret.code = KADM5_AUTH_CHANGEPW; + } + +--- 858,865 ---- + arg->ks_tuple, + arg->pass); + } else { +! log_unauth("kadm5_chpass_principal", prime_arg, +! &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_CHANGEPW; + } + +*************** +*** 840,849 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal", +! prime_arg, errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + + free_server_handle(handle); +--- 869,876 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_chpass_principal", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + } + + free_server_handle(handle); +*************** +*** 892,900 **** + ret.code = kadm5_setv4key_principal((void *)handle, arg->princ, + arg->keyblock); + } else { +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setv4key_principal", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + ret.code = KADM5_AUTH_SETKEY; + } + +--- 919,926 ---- + ret.code = kadm5_setv4key_principal((void *)handle, arg->princ, + arg->keyblock); + } else { +! log_unauth("kadm5_setv4key_principal", prime_arg, +! &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_SETKEY; + } + +*************** +*** 904,913 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setv4key_principal", +! prime_arg, errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + + free_server_handle(handle); +--- 930,937 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_setv4key_principal", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + } + + free_server_handle(handle); +*************** +*** 956,964 **** + ret.code = kadm5_setkey_principal((void *)handle, arg->princ, + arg->keyblocks, arg->n_keys); + } else { +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + ret.code = KADM5_AUTH_SETKEY; + } + +--- 980,987 ---- + ret.code = kadm5_setkey_principal((void *)handle, arg->princ, + arg->keyblocks, arg->n_keys); + } else { +! log_unauth("kadm5_setkey_principal", prime_arg, +! &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_SETKEY; + } + +*************** +*** 968,977 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal", +! prime_arg, errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + + free_server_handle(handle); +--- 991,998 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_setkey_principal", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + } + + free_server_handle(handle); +*************** +*** 1023,1031 **** + arg->ks_tuple, + arg->keyblocks, arg->n_keys); + } else { +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + ret.code = KADM5_AUTH_SETKEY; + } + +--- 1044,1051 ---- + arg->ks_tuple, + arg->keyblocks, arg->n_keys); + } else { +! log_unauth("kadm5_setkey_principal", prime_arg, +! &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_SETKEY; + } + +*************** +*** 1035,1044 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal", +! prime_arg, errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + + free_server_handle(handle); +--- 1055,1062 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_setkey_principal", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + } + + free_server_handle(handle); +*************** +*** 1097,1105 **** + ret.code = kadm5_randkey_principal((void *)handle, arg->princ, + &k, &nkeys); + } else { +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname, +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + ret.code = KADM5_AUTH_CHANGEPW; + } + +--- 1115,1122 ---- + ret.code = kadm5_randkey_principal((void *)handle, arg->princ, + &k, &nkeys); + } else { +! log_unauth(funcname, prime_arg, +! &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_CHANGEPW; + } + +*************** +*** 1119,1128 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, +! prime_arg, errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + free_server_handle(handle); + free(prime_arg); +--- 1136,1143 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done(funcname, prime_arg, errmsg, +! &client_name, &service_name, rqstp); + } + free_server_handle(handle); + free(prime_arg); +*************** +*** 1185,1193 **** + arg->ks_tuple, + &k, &nkeys); + } else { +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname, +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + ret.code = KADM5_AUTH_CHANGEPW; + } + +--- 1200,1207 ---- + arg->ks_tuple, + &k, &nkeys); + } else { +! log_unauth(funcname, prime_arg, +! &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_CHANGEPW; + } + +*************** +*** 1207,1216 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, +! prime_arg, errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + free_server_handle(handle); + free(prime_arg); +--- 1221,1228 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done(funcname, prime_arg, errmsg, +! &client_name, &service_name, rqstp); + } + free_server_handle(handle); + free(prime_arg); +*************** +*** 1253,1262 **** + rqst2name(rqstp), + ACL_ADD, NULL, NULL)) { + ret.code = KADM5_AUTH_ADD; +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_policy", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); +! + } else { + ret.code = kadm5_create_policy((void *)handle, &arg->rec, + arg->mask); +--- 1265,1273 ---- + rqst2name(rqstp), + ACL_ADD, NULL, NULL)) { + ret.code = KADM5_AUTH_ADD; +! log_unauth("kadm5_create_policy", prime_arg, +! &client_name, &service_name, rqstp); +! + } else { + ret.code = kadm5_create_policy((void *)handle, &arg->rec, + arg->mask); +*************** +*** 1265,1275 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_policy", +! ((prime_arg == NULL) ? "(null)" : prime_arg), +! errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +--- 1276,1284 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_create_policy", +! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, +! &client_name, &service_name, rqstp); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +*************** +*** 1310,1318 **** + if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, + rqst2name(rqstp), + ACL_DELETE, NULL, NULL)) { +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_policy", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + ret.code = KADM5_AUTH_DELETE; + } else { + ret.code = kadm5_delete_policy((void *)handle, arg->name); +--- 1319,1326 ---- + if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, + rqst2name(rqstp), + ACL_DELETE, NULL, NULL)) { +! log_unauth("kadm5_delete_policy", prime_arg, +! &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_DELETE; + } else { + ret.code = kadm5_delete_policy((void *)handle, arg->name); +*************** +*** 1321,1331 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_policy", +! ((prime_arg == NULL) ? "(null)" : prime_arg), +! errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +--- 1329,1337 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_delete_policy", +! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, +! &client_name, &service_name, rqstp); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +*************** +*** 1366,1374 **** + if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, + rqst2name(rqstp), + ACL_MODIFY, NULL, NULL)) { +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_policy", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + ret.code = KADM5_AUTH_MODIFY; + } else { + ret.code = kadm5_modify_policy((void *)handle, &arg->rec, +--- 1372,1379 ---- + if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, + rqst2name(rqstp), + ACL_MODIFY, NULL, NULL)) { +! log_unauth("kadm5_modify_policy", prime_arg, +! &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_MODIFY; + } else { + ret.code = kadm5_modify_policy((void *)handle, &arg->rec, +*************** +*** 1378,1388 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_policy", +! ((prime_arg == NULL) ? "(null)" : prime_arg), +! errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +--- 1383,1391 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_modify_policy", +! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, +! &client_name, &service_name, rqstp); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +*************** +*** 1464,1478 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, +! ((prime_arg == NULL) ? "(null)" : prime_arg), +! errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } else { +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname, +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +--- 1467,1478 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done(funcname, +! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, +! &client_name, &service_name, rqstp); + } else { +! log_unauth(funcname, prime_arg, +! &client_name, &service_name, rqstp); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +*************** +*** 1517,1525 **** + rqst2name(rqstp), + ACL_LIST, NULL, NULL)) { + ret.code = KADM5_AUTH_LIST; +! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_policies", +! prime_arg, client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } else { + ret.code = kadm5_get_policies((void *)handle, + arg->exp, &ret.pols, +--- 1517,1524 ---- + rqst2name(rqstp), + ACL_LIST, NULL, NULL)) { + ret.code = KADM5_AUTH_LIST; +! log_unauth("kadm5_get_policies", prime_arg, +! &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_get_policies((void *)handle, + arg->exp, &ret.pols, +*************** +*** 1529,1539 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_policies", +! prime_arg, +! errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +--- 1528,1535 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_get_policies", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +*************** +*** 1573,1583 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_privs", +! client_name.value, +! errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +--- 1569,1576 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_get_privs", client_name.value, errmsg, +! &client_name, &service_name, rqstp); + + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +*************** +*** 1594,1599 **** +--- 1587,1594 ---- + kadm5_server_handle_t handle; + OM_uint32 minor_stat; + char *errmsg = 0; ++ size_t clen, slen; ++ char *cdots, *sdots; + + xdr_free(xdr_generic_ret, &ret); + +*************** +*** 1612,1625 **** + + if (ret.code != 0) + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); +! krb5_klog_syslog(LOG_NOTICE, LOG_DONE ", flavor=%d", +! (ret.api_version == KADM5_API_VERSION_1 ? +! "kadm5_init (V1)" : "kadm5_init"), +! client_name.value, +! (ret.code == 0) ? "success" : errmsg, +! client_name.value, service_name.value, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr), +! rqstp->rq_cred.oa_flavor); + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); + +--- 1607,1628 ---- + + if (ret.code != 0) + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); +! else +! errmsg = "success"; +! +! clen = client_name.length; +! trunc_name(&clen, &cdots); +! slen = service_name.length; +! trunc_name(&slen, &sdots); +! krb5_klog_syslog(LOG_NOTICE, "Request: %s, %.*s%s, %s, " +! "client=%.*s%s, service=%.*s%s, addr=%s, flavor=%d", +! (ret.api_version == KADM5_API_VERSION_1 ? +! "kadm5_init (V1)" : "kadm5_init"), +! clen, client_name.value, cdots, errmsg, +! clen, client_name.value, cdots, +! slen, service_name.value, sdots, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr), +! rqstp->rq_cred.oa_flavor); + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); + +*** src/kdc/do_tgs_req.c (revision 19480) +--- src/kdc/do_tgs_req.c (local) +*************** +*** 489,516 **** + newtransited = 1; + } + if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) { + errcode = krb5_check_transited_list (kdc_context, + &enc_tkt_reply.transited.tr_contents, + krb5_princ_realm (kdc_context, header_ticket->enc_part2->client), + krb5_princ_realm (kdc_context, request->server)); + if (errcode == 0) { + setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED); + } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT) + krb5_klog_syslog (LOG_INFO, +! "bad realm transit path from '%s' to '%s' via '%.*s'", + cname ? cname : "", + sname ? sname : "", +! enc_tkt_reply.transited.tr_contents.length, +! enc_tkt_reply.transited.tr_contents.data); + else { + const char *emsg = krb5_get_error_message(kdc_context, errcode); + krb5_klog_syslog (LOG_ERR, +! "unexpected error checking transit from '%s' to '%s' via '%.*s': %s", + cname ? cname : "", + sname ? sname : "", +! enc_tkt_reply.transited.tr_contents.length, + enc_tkt_reply.transited.tr_contents.data, +! emsg); + krb5_free_error_message(kdc_context, emsg); + } + } else +--- 489,526 ---- + newtransited = 1; + } + if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) { ++ unsigned int tlen; ++ char *tdots; ++ + errcode = krb5_check_transited_list (kdc_context, + &enc_tkt_reply.transited.tr_contents, + krb5_princ_realm (kdc_context, header_ticket->enc_part2->client), + krb5_princ_realm (kdc_context, request->server)); ++ tlen = enc_tkt_reply.transited.tr_contents.length; ++ tdots = tlen > 125 ? "..." : ""; ++ tlen = tlen > 125 ? 125 : tlen; ++ + if (errcode == 0) { + setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED); + } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT) + krb5_klog_syslog (LOG_INFO, +! "bad realm transit path from '%s' to '%s' " +! "via '%.*s%s'", + cname ? cname : "", + sname ? sname : "", +! tlen, +! enc_tkt_reply.transited.tr_contents.data, +! tdots); + else { + const char *emsg = krb5_get_error_message(kdc_context, errcode); + krb5_klog_syslog (LOG_ERR, +! "unexpected error checking transit from " +! "'%s' to '%s' via '%.*s%s': %s", + cname ? cname : "", + sname ? sname : "", +! tlen, + enc_tkt_reply.transited.tr_contents.data, +! tdots, emsg); + krb5_free_error_message(kdc_context, emsg); + } + } else +*************** +*** 542,547 **** +--- 552,560 ---- + if (!krb5_principal_compare(kdc_context, request->server, client2)) { + if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp))) + tmp = 0; ++ if (tmp != NULL) ++ limit_string(tmp); ++ + krb5_klog_syslog(LOG_INFO, + "TGS_REQ %s: 2ND_TKT_MISMATCH: " + "authtime %d, %s for %s, 2nd tkt client %s", +*************** +*** 816,821 **** +--- 829,835 ---- + krb5_klog_syslog(LOG_INFO, + "TGS_REQ: issuing alternate TGT"); + } else { ++ limit_string(sname); + krb5_klog_syslog(LOG_INFO, + "TGS_REQ: issuing TGT %s", sname); + free(sname); +*** src/kdc/kdc_util.c (revision 19480) +--- src/kdc/kdc_util.c (local) +*************** +*** 404,409 **** +--- 404,410 ---- + + krb5_db_free_principal(kdc_context, &server, nprincs); + if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) { ++ limit_string(sname); + krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'", + sname); + free(sname); +*** src/lib/kadm5/logger.c (revision 19480) +--- src/lib/kadm5/logger.c (local) +*************** +*** 45,51 **** + #include + #endif /* HAVE_STDARG_H */ + +! #define KRB5_KLOG_MAX_ERRMSG_SIZE 1024 + #ifndef MAXHOSTNAMELEN + #define MAXHOSTNAMELEN 256 + #endif /* MAXHOSTNAMELEN */ +--- 45,51 ---- + #include + #endif /* HAVE_STDARG_H */ + +! #define KRB5_KLOG_MAX_ERRMSG_SIZE 2048 + #ifndef MAXHOSTNAMELEN + #define MAXHOSTNAMELEN 256 + #endif /* MAXHOSTNAMELEN */ +*************** +*** 261,267 **** + #endif /* HAVE_SYSLOG */ + + /* Now format the actual message */ +! #if HAVE_VSPRINTF + vsprintf(cp, actual_format, ap); + #else /* HAVE_VSPRINTF */ + sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1], +--- 261,269 ---- + #endif /* HAVE_SYSLOG */ + + /* Now format the actual message */ +! #if HAVE_VSNPRINTF +! vsnprintf(cp, sizeof(outbuf) - (cp - outbuf), actual_format, ap); +! #elif HAVE_VSPRINTF + vsprintf(cp, actual_format, ap); + #else /* HAVE_VSPRINTF */ + sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1], +*************** +*** 850,856 **** + syslogp = &outbuf[strlen(outbuf)]; + + /* Now format the actual message */ +! #ifdef HAVE_VSPRINTF + vsprintf(syslogp, format, arglist); + #else /* HAVE_VSPRINTF */ + sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1], +--- 852,860 ---- + syslogp = &outbuf[strlen(outbuf)]; + + /* Now format the actual message */ +! #ifdef HAVE_VSNPRINTF +! vsnprintf(syslogp, sizeof(outbuf) - (syslogp - outbuf), format, arglist); +! #elif HAVE_VSPRINTF + vsprintf(syslogp, format, arglist); + #else /* HAVE_VSPRINTF */ + sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1], +