From: rbasch Date: Mon, 16 Dec 2013 15:54:41 +0000 (-0500) Subject: Log service princ in KDC more reliably X-Git-Tag: krb5-1.13-alpha1~268 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f37067776f9431879769f3874fdab6120ba3f155;p=thirdparty%2Fkrb5.git Log service princ in KDC more reliably Under some error conditions, the KDC would log "" for the service principal because service principal information is not yet available to the logging functions. Set the appropriate variables earlier. do_as_req.c: After unparsing the client, immediately unparse the server before searching for the client principal in the KDB. do_tgs_req.c: Save a pointer to the client-requested service principal, to make sure it gets logged if an error happens before search_sprinc() successfully completes. [tlyu@mit.edu: commit message; fix TGS to catch more error cases] ticket: 7802 target_version: 1.12.1 tags: pullup
---
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 268d4f452b..95c3e23620 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -555,6 +555,19 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 }
 limit_string(state->cname);
+ if (!state->request->server) {
+ state->status = "NULL_SERVER";
+ errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+ goto errout;
+ }
+ if ((errcode = krb5_unparse_name(kdc_context,
+ state->request->server,
+ &state->sname))) {
+ state->status = "UNPARSING_SERVER";
+ goto errout;
+ }
+ limit_string(state->sname);
+
 /*
 * We set KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY as a hint
 * to the backend to return naming information in lieu
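Review bot: The relocated NULL_SERVER and UNPARSING_SERVER exits in process_as_req now run before `au_state->stage = SRVC_PRINC;`, which the following hunk leaves in place further down. Any audit record produced at errout (not visible here) would therefore presumably report these server-principal failures under the preceding stage. If that attribution matters to audit consumers, it should be a deliberate decision rather than a side effect of the move. A short comment above the moved block would also record why the order matters, e.g. `/* Unparse the server name before the client lookup so errout can log it. */`. The function body starts and ends outside the hunk.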
@@ -604,18 +617,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 au_state->stage = SRVC_PRINC;
- if (!state->request->server) {
- state->status = "NULL_SERVER";
- errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
- goto errout;
- }
- if ((errcode = krb5_unparse_name(kdc_context,
- state->request->server,
- &state->sname))) {
- state->status = "UNPARSING_SERVER";
- goto errout;
- }
- limit_string(state->sname);
 s_flags = 0;
 setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
 if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE)) {
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index c12de2b3e6..5cfe0b64b1 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -145,6 +145,9 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 session_key.contents = NULL;
 retval = decode_krb5_tgs_req(pkt, &request);
+ /* Save pointer to client-requested service principal, in case of errors
+ * before a successful call to search_sprinc(). */
+ sprinc = request->server;
 if (retval) return retval;
 if (request->msg_type != KRB5_TGS_REQ) {
@@ -202,6 +205,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 scratch.data = (char *) pa_tgs_req->contents;
 errcode = kdc_find_fast(&request, &scratch, subkey, header_ticket->enc_part2->session, state, NULL);
+ /* Reset sprinc because kdc_find_fast() can replace request. */
+ sprinc = request->server;
 if (errcode !=0) {
 status = "kdc_find_fast";
 goto cleanup;
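Review bot: In the first do_tgs_req.c hunk (`@@ -145,6 +145,9 @@`), the added `sprinc = request->server;` dereferences `request` before the `if (retval) return retval;` check on decode_krb5_tgs_req(), so a request that fails to decode reaches the dereference first. If the decoder leaves `request` NULL or unset on failure (its initialisation is outside the hunk), a malformed TGS-REQ would terminate the KDC process instead of producing an error return. Moving the assignment below the check keeps the logging benefit: `if (retval) return retval;` followed by `sprinc = request->server;`. The hunk at `@@ -202,6 +205,8 @@` has the same shape, with `sprinc = request->server;` ahead of `if (errcode !=0)`. It is safe only if kdc_find_fast() never leaves `request` NULL or freed on failure, which is worth stating in that comment. process_tgs_req's body starts and ends outside both hunks.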