/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* kdc/kdc_log.c - Logging functions for KDC requests */
/*
* Copyright 2008,2009 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*/
#include "k5-int.h"
#include "kdc_util.h"
#include <syslog.h>
#include "adm_proto.h"
/*
* A note on KDC-status string format.
*
* - All letters in the status string should be capitalized;
* - the words in the status phrase are separated by underscores;
* - abbreviations should be avoided. Some acceptable "standard" acronyms
* are AS_REQ, TGS_REP etc.
* - since in almost all cases KDC status string is set on error, no need
* to state this fact as part of the status string;
* - KDC status string should be an imperative phrase.
*
* Example: "MAKE_RANDOM_KEY"
*/
/* Main logging routines for ticket requests.
There are a few simple cases -- unparseable requests mainly --
where messages are logged otherwise, but once a ticket request can
be decoded in some basic way, these routines are used for logging
the details. */
/* "status" is null to indicate success. */
|
|
Packit |
fd8b60 |
/* Someday, pass local address/port as well. */
|
|
Packit |
fd8b60 |
/* Currently no info about name canonicalization is logged. */
|
|
Packit |
fd8b60 |
void
|
|
Packit |
fd8b60 |
log_as_req(krb5_context context,
|
|
Packit |
fd8b60 |
const krb5_fulladdr *local_addr,
|
|
Packit |
fd8b60 |
const krb5_fulladdr *remote_addr,
|
|
Packit |
fd8b60 |
krb5_kdc_req *request, krb5_kdc_rep *reply,
|
|
Packit |
fd8b60 |
krb5_db_entry *client, const char *cname,
|
|
Packit |
fd8b60 |
krb5_db_entry *server, const char *sname,
|
|
Packit |
fd8b60 |
krb5_timestamp authtime,
|
|
Packit |
fd8b60 |
const char *status, krb5_error_code errcode, const char *emsg)
|
|
Packit |
fd8b60 |
{
|
|
Packit |
fd8b60 |
const char *fromstring = 0;
|
|
Packit |
fd8b60 |
char fromstringbuf[70];
|
|
Packit |
fd8b60 |
char *ktypestr = NULL;
|
|
Packit |
fd8b60 |
const char *cname2 = cname ? cname : "<unknown client>";
|
|
Packit |
fd8b60 |
const char *sname2 = sname ? sname : "<unknown server>";
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
fromstring = inet_ntop(ADDRTYPE2FAMILY(remote_addr->address->addrtype),
|
|
Packit |
fd8b60 |
remote_addr->address->contents,
|
|
Packit |
fd8b60 |
fromstringbuf, sizeof(fromstringbuf));
|
|
Packit |
fd8b60 |
if (!fromstring)
|
|
Packit |
fd8b60 |
fromstring = "<unknown>";
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
ktypestr = ktypes2str(request->ktype, request->nktypes);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if (status == NULL) {
|
|
Packit |
fd8b60 |
/* success */
|
|
Packit |
fd8b60 |
char *rep_etypestr = rep_etypes2str(reply);
|
|
Packit |
fd8b60 |
krb5_klog_syslog(LOG_INFO, _("AS_REQ (%s) %s: ISSUE: authtime %u, %s, "
|
|
Packit |
fd8b60 |
"%s for %s"),
|
|
Packit |
fd8b60 |
ktypestr ? ktypestr : "", fromstring,
|
|
Packit |
fd8b60 |
(unsigned int)authtime,
|
|
Packit |
fd8b60 |
rep_etypestr ? rep_etypestr : "", cname2, sname2);
|
|
Packit |
fd8b60 |
free(rep_etypestr);
|
|
Packit |
fd8b60 |
} else {
|
|
Packit |
fd8b60 |
/* fail */
|
|
Packit |
fd8b60 |
krb5_klog_syslog(LOG_INFO, _("AS_REQ (%s) %s: %s: %s for %s%s%s"),
|
|
Packit |
fd8b60 |
ktypestr ? ktypestr : "", fromstring, status, cname2,
|
|
Packit |
fd8b60 |
sname2, emsg ? ", " : "", emsg ? emsg : "");
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
krb5_db_audit_as_req(context, request,
|
|
Packit |
fd8b60 |
local_addr->address, remote_addr->address,
|
|
Packit |
fd8b60 |
client, server, authtime, errcode);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
free(ktypestr);
|
|
Packit |
fd8b60 |
}
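/*
 * Unparse a principal for logging purposes and limit the string length.
 *
 * ctx:   library context used for the unparse.
 * princ: principal to render.
 * str:   out; on success receives an allocated string that the caller
 *        releases with krb5_free_unparsed_name().  Callers pass it in
 *        initialized to NULL and treat a NULL result as "unknown".
 *
 * Errors are ignored because the most likely error is memory exhaustion, and
 * many other things will fail in the logging functions in that case.  The
 * length limit is only applied when the unparse succeeded, so a failed call
 * never touches *str (assumes a failed unparse leaves *str NULL, which is
 * what the callers' NULL checks rely on).
 */
static void
unparse_and_limit(krb5_context ctx, krb5_principal princ, char **str)
{
    /* Ignore errors; only limit a string we actually obtained. */
    if (krb5_unparse_name(ctx, princ, str) != 0)
        return;
    limit_string(*str);
}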
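/*
 * Log the outcome of a TGS-REQ.
 *
 * Here "status" must be non-null; an errcode of zero means the ticket was
 * issued.  Error code KRB5KDC_ERR_SERVER_NOMATCH is handled specially: its
 * message logs the 2nd ticket's client name (useful) and doesn't log the
 * requested enctypes (probably not important).
 *
 * cprinc/sprinc/altcprinc are rendered with unparse_and_limit(); any that
 * cannot be rendered are logged as placeholders.  "emsg" may be NULL; it is
 * appended only when errcode is set and a message is actually available, so
 * a NULL is never handed to "%s".  When c_flags marks an S4U request, a
 * second line records the S4U client name.
 *
 * Currently no info about name canonicalization is logged.
 */
void
log_tgs_req(krb5_context ctx, const krb5_fulladdr *from,
            krb5_kdc_req *request, krb5_kdc_rep *reply,
            krb5_principal cprinc, krb5_principal sprinc,
            krb5_principal altcprinc,
            krb5_timestamp authtime,
            unsigned int c_flags,
            const char *status, krb5_error_code errcode, const char *emsg)
{
    char *ktypestr = NULL, *rep_etypestr = NULL;
    const char *fromstring;
    char fromstringbuf[70];
    char *cname = NULL, *sname = NULL, *altcname = NULL;
    const char *logcname, *logsname, *logaltcname;
    /* Only append emsg when there is an error and a message to show. */
    int have_emsg = (errcode != 0 && emsg != NULL);

    fromstring = inet_ntop(ADDRTYPE2FAMILY(from->address->addrtype),
                           from->address->contents,
                           fromstringbuf, sizeof(fromstringbuf));
    if (fromstring == NULL)
        fromstring = "<unknown>";

    unparse_and_limit(ctx, cprinc, &cname);
    logcname = (cname != NULL) ? cname : "<unknown client>";
    unparse_and_limit(ctx, sprinc, &sname);
    logsname = (sname != NULL) ? sname : "<unknown server>";
    unparse_and_limit(ctx, altcprinc, &altcname);
    logaltcname = (altcname != NULL) ? altcname : "<unknown>";

    if (errcode != KRB5KDC_ERR_SERVER_NOMATCH) {
        ktypestr = ktypes2str(request->ktype, request->nktypes);
        rep_etypestr = rep_etypes2str(reply);
        krb5_klog_syslog(LOG_INFO, _("TGS_REQ (%s) %s: %s: authtime %u, %s%s "
                                     "%s for %s%s%s"),
                         ktypestr ? ktypestr : "", fromstring, status,
                         (unsigned int)authtime,
                         rep_etypestr ? rep_etypestr : "",
                         !errcode ? "," : "", logcname, logsname,
                         have_emsg ? ", " : "", have_emsg ? emsg : "");
        if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
            krb5_klog_syslog(LOG_INFO,
                             _("... PROTOCOL-TRANSITION s4u-client=%s"),
                             logaltcname);
        } else if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) {
            krb5_klog_syslog(LOG_INFO,
                             _("... CONSTRAINED-DELEGATION s4u-client=%s"),
                             logaltcname);
        }
    } else {
        krb5_klog_syslog(LOG_INFO, _("TGS_REQ %s: %s: authtime %u, %s for %s, "
                                     "2nd tkt client %s"),
                         fromstring, status, (unsigned int)authtime,
                         logcname, logsname, logaltcname);
    }

    free(rep_etypestr);
    free(ktypestr);
    krb5_free_unparsed_name(ctx, cname);
    krb5_free_unparsed_name(ctx, sname);
    krb5_free_unparsed_name(ctx, altcname);
}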
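/*
 * Log a failed realm-transit check for a TGS-REQ from cprinc to sprinc.
 *
 * trcont:  the transit path that was checked.  It is logged verbatim,
 *          truncated to TRANSIT_LOG_MAX bytes with "..." appended when cut
 *          short; it need not be NUL-terminated, hence "%.*s".
 * errcode: KRB5KRB_AP_ERR_ILL_CR_TKT is the expected "bad path" outcome and
 *          is logged at LOG_INFO; anything else is unexpected and is logged
 *          at LOG_ERR together with its error message.
 *
 * NOTE(review): apart from truncation the transit bytes are not sanitized
 * before logging (principal names go through limit_string(); this does not).
 * Confirm the caller validates them if they can originate outside this KDC.
 */
void
log_tgs_badtrans(krb5_context ctx, krb5_principal cprinc,
                 krb5_principal sprinc, krb5_data *trcont,
                 krb5_error_code errcode)
{
    enum { TRANSIT_LOG_MAX = 125 };
    int tlen;
    const char *tdots, *tdata;
    const char *emsg;
    char *cname = NULL, *sname = NULL;
    const char *logcname, *logsname;

    unparse_and_limit(ctx, cprinc, &cname);
    logcname = (cname != NULL) ? cname : "<unknown client>";
    unparse_and_limit(ctx, sprinc, &sname);
    logsname = (sname != NULL) ? sname : "<unknown server>";

    /*
     * "%.*s" takes an int precision, so clamp to the limit before converting
     * from the unsigned krb5_data length.  A NULL data pointer is logged as
     * empty rather than handed to "%s".
     */
    if (trcont->data == NULL) {
        tdata = "";
        tlen = 0;
        tdots = "";
    } else if (trcont->length > TRANSIT_LOG_MAX) {
        tdata = trcont->data;
        tlen = TRANSIT_LOG_MAX;
        tdots = "...";
    } else {
        tdata = trcont->data;
        tlen = (int)trcont->length;
        tdots = "";
    }

    if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT) {
        krb5_klog_syslog(LOG_INFO, _("bad realm transit path from '%s' "
                                     "to '%s' via '%.*s%s'"),
                         logcname, logsname, tlen, tdata, tdots);
    } else {
        /* Not the error the transit check is expected to produce. */
        emsg = krb5_get_error_message(ctx, errcode);
        krb5_klog_syslog(LOG_ERR, _("unexpected error checking transit "
                                    "from '%s' to '%s' via '%.*s%s': %s"),
                         logcname, logsname, tlen, tdata, tdots, emsg);
        krb5_free_error_message(ctx, emsg);
    }

    krb5_free_unparsed_name(ctx, cname);
    krb5_free_unparsed_name(ctx, sname);
}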
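/*
 * Log that an alternate TGT for principal p is being issued in response to a
 * TGS-REQ.  If the principal cannot be unparsed the event is still logged,
 * with a placeholder in place of the name, so the issuance is never left
 * unrecorded.
 */
void
log_tgs_alt_tgt(krb5_context context, krb5_principal p)
{
    char *sname = NULL;

    if (krb5_unparse_name(context, p, &sname) != 0) {
        krb5_klog_syslog(LOG_INFO,
                         _("TGS_REQ: issuing alternate <un-unparseable> TGT"));
    } else {
        limit_string(sname);
        krb5_klog_syslog(LOG_INFO, _("TGS_REQ: issuing TGT %s"), sname);
        /* Release with the library's matching routine, as the other loggers do. */
        krb5_free_unparsed_name(context, sname);
    }
    /* OpenSolaris: audit_krb5kdc_tgs_req_alt_tgt(...) */
}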