From: Andreas Schneider Date: Fri, 19 May 2017 09:00:52 +0000 (+0200) Subject: Pass local address to DAL audit_as_req X-Git-Tag: krb5-1.16-beta1~52 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=03d33d42f7302fb7e2804d4206009208ad5d509f;p=thirdparty%2Fkrb5.git Pass local address to DAL audit_as_req In the KDC, pass the local address from dispatch() to process_as_req(), then to log_as_req(), then to krb5_db_audit_as_req(), and finally to the KDB modules. [ghudson@mit.edu: squashed commits and rewrote commit message] ticket: 8583 --- diff --git a/src/include/kdb.h b/src/include/kdb.h index 808e2830f5..5615329c0b 100644 --- a/src/include/kdb.h +++ b/src/include/kdb.h @@ -695,6 +695,7 @@ krb5_error_code krb5_db_check_policy_tgs(krb5_context kcontext, krb5_pa_data ***e_data); void krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request, + const krb5_address *local_addr, const krb5_address *remote_addr, krb5_db_entry *client, krb5_db_entry *server, krb5_timestamp authtime, krb5_error_code error_code); @@ -1357,6 +1358,7 @@ typedef struct _kdb_vftabl { * AS request. */ void (*audit_as_req)(krb5_context kcontext, krb5_kdc_req *request, + const krb5_address *local_addr, const krb5_address *remote_addr, krb5_db_entry *client, krb5_db_entry *server, krb5_timestamp authtime, krb5_error_code error_code); diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c index 57f0865ac8..3867ff952e 100644 --- a/src/kdc/dispatch.c +++ b/src/kdc/dispatch.c @@ -187,8 +187,9 @@ dispatch(void *cb, const krb5_fulladdr *local_addr, */ state->active_realm = setup_server_realm(handle, as_req->server); if (state->active_realm != NULL) { - process_as_req(as_req, pkt, remote_addr, state->active_realm, - vctx, finish_dispatch_cache, state); + process_as_req(as_req, pkt, local_addr, remote_addr, + state->active_realm, vctx, + finish_dispatch_cache, state); return; } else { retval = KRB5KDC_ERR_WRONG_REALM; 
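Review bot: The new `local_addr` slot parameter in the `kdb_vftabl` hunk carries no nullability contract, yet this same commit's kdbtest.c change calls `krb5_db_audit_as_req` with NULL for both addresses, so every KDB module must already tolerate a NULL address; the vtable comment above `audit_as_req` should state that explicitly, e.g. `/* local_addr and remote_addr may be NULL if the KDC could not determine them. */`. Inserting a parameter into an existing vtable slot also changes the DAL ABI for out-of-tree KDB modules: a module built against the old layout would receive `local_addr` where it expects `remote_addr` and `remote_addr` where it expects `client`, a type confusion on a pointer it may dereference, so this should coincide with a `KRB5_KDB_DAL_MAJOR_VERSION` bump unless one has already been made earlier in this release cycle (not visible here). The `_kdb_vftabl` struct definition begins and ends outside this hunk.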
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index acaa651757..2d3ad134d0 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -160,6 +160,7 @@ struct as_req_state { struct kdc_request_state *rstate; char *sname, *cname; void *pa_context; + const krb5_fulladdr *local_addr; const krb5_fulladdr *remote_addr; krb5_data **auth_indicators; @@ -359,9 +360,9 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) state->reply.enc_part.ciphertext.length); free(state->reply.enc_part.ciphertext.data); - log_as_req(kdc_context, state->remote_addr, state->request, &state->reply, - state->client, state->cname, state->server, - state->sname, state->authtime, 0, 0, 0); + log_as_req(kdc_context, state->local_addr, state->remote_addr, + state->request, &state->reply, state->client, state->cname, + state->server, state->sname, state->authtime, 0, 0, 0); did_log = 1; egress: @@ -381,10 +382,10 @@ egress: emsg = krb5_get_error_message(kdc_context, errcode); if (state->status) { - log_as_req(kdc_context, state->remote_addr, state->request, - &state->reply, state->client, state->cname, state->server, - state->sname, state->authtime, state->status, errcode, - emsg); + log_as_req(kdc_context, state->local_addr, state->remote_addr, + state->request, &state->reply, state->client, + state->cname, state->server, state->sname, state->authtime, + state->status, errcode, emsg); did_log = 1; } if (errcode) { @@ -492,6 +493,7 @@ finish_preauth(void *arg, krb5_error_code code) /*ARGSUSED*/ void process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, + const krb5_fulladdr *local_addr, const krb5_fulladdr *remote_addr, kdc_realm_t *kdc_active_realm, verto_ctx *vctx, loop_respond_fn respond, void *arg) { @@ -511,6 +513,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, state->arg = arg; state->request = request; state->req_pkt = req_pkt; + state->local_addr = local_addr; state->remote_addr = remote_addr; state->active_realm = kdc_active_realm; 
diff --git a/src/kdc/kdc_log.c b/src/kdc/kdc_log.c index 13fcfa7ed7..7e8733980a 100644 --- a/src/kdc/kdc_log.c +++ b/src/kdc/kdc_log.c @@ -54,7 +54,9 @@ /* Someday, pass local address/port as well. */ /* Currently no info about name canonicalization is logged. */ void -log_as_req(krb5_context context, const krb5_fulladdr *remote_addr, +log_as_req(krb5_context context, + const krb5_fulladdr *local_addr, + const krb5_fulladdr *remote_addr, krb5_kdc_req *request, krb5_kdc_rep *reply, krb5_db_entry *client, const char *cname, krb5_db_entry *server, const char *sname, @@ -89,8 +91,9 @@ log_as_req(krb5_context context, const krb5_fulladdr *remote_addr, ktypestr, fromstring, status, cname2, sname2, emsg ? ", " : "", emsg ? emsg : ""); } - krb5_db_audit_as_req(context, request, remote_addr->address, client, - server, authtime, errcode); + krb5_db_audit_as_req(context, request, + local_addr->address, remote_addr->address, + client, server, authtime, errcode); #if 0 /* Sun (OpenSolaris) version would probably something like this. The client and server names passed can be null, unlike in the diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h index 1c183de85c..3d87f36213 100644 --- a/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h @@ -140,7 +140,7 @@ cammac_check_kdcver(krb5_context context, krb5_cammac *cammac, /* do_as_req.c */ void process_as_req (krb5_kdc_req *, krb5_data *, - const krb5_fulladdr *, kdc_realm_t *, + const krb5_fulladdr *, const krb5_fulladdr *, kdc_realm_t *, verto_ctx *, loop_respond_fn, void *); /* do_tgs_req.c */ @@ -346,7 +346,9 @@ kdc_get_ticket_renewtime(kdc_realm_t *realm, krb5_kdc_req *request, krb5_db_entry *server, krb5_enc_tkt_part *tkt); void -log_as_req(krb5_context context, const krb5_fulladdr *remote_addr, +log_as_req(krb5_context context, + const krb5_fulladdr *local_addr, + const krb5_fulladdr *remote_addr, krb5_kdc_req *request, krb5_kdc_rep *reply, krb5_db_entry *client, const char *cname, krb5_db_entry *server, const char *sname, 
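Review bot: `log_as_req` now dereferences `local_addr->address` unconditionally in the `krb5_db_audit_as_req` call, but nothing in this change shows that dispatch() always supplies a non-NULL local address (the old code never touched it, and the kdbtest.c hunk in this same commit passes NULL for it), so a NULL here would crash the KDC on a path that runs for every AS request, including rejected ones. I'd pass it defensively, `krb5_db_audit_as_req(context, request, local_addr != NULL ? local_addr->address : NULL, remote_addr->address, client, server, authtime, errcode);`, or assert the non-NULL invariant at the top of the function if the KDC network layer guarantees it. The comment `/* Someday, pass local address/port as well. */` above the signature is now stale: the address reaches the DAL audit hook, but the local port is still not passed and the KDC's own log line (`fromstring`) still records only the remote side, so reword it to `/* The local address is passed to the DAL audit hook; the local port and the log line itself do not yet report it. */`. log_as_req's body continues past the end of this hunk.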
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c index 02e0a2de6c..ad637b6d43 100644 --- a/src/lib/kdb/kdb5.c +++ b/src/lib/kdb/kdb5.c @@ -2672,6 +2672,7 @@ krb5_db_check_policy_tgs(krb5_context kcontext, krb5_kdc_req *request, void krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request, + const krb5_address *local_addr, const krb5_address *remote_addr, krb5_db_entry *client, krb5_db_entry *server, krb5_timestamp authtime, krb5_error_code error_code) @@ -2682,8 +2683,8 @@ krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request, status = get_vftabl(kcontext, &v); if (status || v->audit_as_req == NULL) return; - v->audit_as_req(kcontext, request, remote_addr, client, server, authtime, - error_code); + v->audit_as_req(kcontext, request, local_addr, remote_addr, + client, server, authtime, error_code); } void diff --git a/src/plugins/kdb/db2/db2_exp.c b/src/plugins/kdb/db2/db2_exp.c index 3b42b0aef3..4d905db774 100644 --- a/src/plugins/kdb/db2/db2_exp.c +++ b/src/plugins/kdb/db2/db2_exp.c @@ -167,10 +167,11 @@ WRAP_K (krb5_db2_check_policy_as, WRAP_VOID (krb5_db2_audit_as_req, (krb5_context kcontext, krb5_kdc_req *request, + const krb5_address *local_addr, const krb5_address *remote_addr, krb5_db_entry *client, krb5_db_entry *server, krb5_timestamp authtime, krb5_error_code error_code), - (kcontext, request, remote_addr, client, server, + (kcontext, request, local_addr, remote_addr, client, server, authtime, error_code)); static krb5_error_code diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c index 3ee6fdd605..d23587a597 100644 --- a/src/plugins/kdb/db2/kdb_db2.c +++ b/src/plugins/kdb/db2/kdb_db2.c 
@@ -1551,6 +1551,7 @@ krb5_db2_check_policy_as(krb5_context kcontext, krb5_kdc_req *request, void krb5_db2_audit_as_req(krb5_context kcontext, krb5_kdc_req *request, + const krb5_address *local_addr, const krb5_address *remote_addr, krb5_db_entry *client, krb5_db_entry *server, krb5_timestamp authtime, krb5_error_code error_code) diff --git a/src/plugins/kdb/db2/kdb_db2.h b/src/plugins/kdb/db2/kdb_db2.h index 52bc508b58..349244dd92 100644 --- a/src/plugins/kdb/db2/kdb_db2.h +++ b/src/plugins/kdb/db2/kdb_db2.h @@ -134,6 +134,7 @@ krb5_db2_check_policy_as(krb5_context kcontext, krb5_kdc_req *request, void krb5_db2_audit_as_req(krb5_context kcontext, krb5_kdc_req *request, + const krb5_address *local_addr, const krb5_address *remote_addr, krb5_db_entry *client, krb5_db_entry *server, krb5_timestamp authtime, diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c index b77989d455..4fbf898965 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c @@ -277,6 +277,7 @@ krb5_ldap_check_policy_as(krb5_context kcontext, krb5_kdc_req *request, void krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request, + const krb5_address *local_addr, const krb5_address *remote_addr, krb5_db_entry *client, krb5_db_entry *server, krb5_timestamp authtime, krb5_error_code error_code) diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h index cf1192bf9c..5c8539a6cc 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h @@ -282,6 +282,7 @@ krb5_ldap_check_policy_as(krb5_context kcontext, krb5_kdc_req *request, void krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request, + const krb5_address *local_addr, const krb5_address *remote_addr, krb5_db_entry *client, krb5_db_entry *server, krb5_timestamp authtime, krb5_error_code error_code); 
diff --git a/src/tests/kdbtest.c b/src/tests/kdbtest.c index 6e2d439c4f..3f61f3e83b 100644 --- a/src/tests/kdbtest.c +++ b/src/tests/kdbtest.c @@ -243,8 +243,9 @@ check_entry(krb5_db_entry *ent) static void sim_preauth(krb5_timestamp authtime, krb5_boolean ok, krb5_db_entry **entp) { - /* Both back ends ignore the request and from parameters for now. */ - krb5_db_audit_as_req(ctx, NULL, NULL, *entp, *entp, authtime, + /* Both back ends ignore the request, local_addr, and remote_addr + * parameters for now. */ + krb5_db_audit_as_req(ctx, NULL, NULL, NULL, *entp, *entp, authtime, ok ? 0 : KRB5KDC_ERR_PREAUTH_FAILED); krb5_db_free_principal(ctx, *entp); CHECK(krb5_db_get_principal(ctx, &sample_princ, 0, entp));