/tmp/3
authorKen Raeburn <raeburn@mit.edu>
Tue, 13 Jan 2009 21:54:45 +0000 (21:54 +0000)
committerKen Raeburn <raeburn@mit.edu>
Tue, 13 Jan 2009 21:54:45 +0000 (21:54 +0000)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21741 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/do_as_req.c
src/kdc/kdc_util.c
src/kdc/kdc_util.h

index 12d645980aaa4737d75b7d98746bcc9ff087399b..9571fb21224f9e8ca3b3417b3b06dd3fe93233bb 100644 (file)
@@ -2,7 +2,7 @@
  * kdc/do_as_req.c
  *
  * Portions Copyright (C) 2007 Apple Inc.
- * Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2007,2008,2009 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -99,7 +99,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     krb5_error_code errcode;
     int c_nprincs = 0, s_nprincs = 0;
     krb5_boolean more;
-    krb5_timestamp kdc_time, authtime;
+    krb5_timestamp kdc_time, authtime = 0;
     krb5_keyblock session_key;
     const char *status;
     krb5_key_data *server_key, *client_key;
@@ -550,9 +550,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length);
     free(reply.enc_part.ciphertext.data);
 
-    log_as_req(from, request, &reply, cname, sname, authtime, 0, 0, 0);
-    did_log = 1;
-
 #ifdef KRBCONF_KDC_MODIFIES_KDB
     /*
      * If we get this far, we successfully did the AS_REQ.
@@ -562,6 +559,10 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 #endif /* KRBCONF_KDC_MODIFIES_KDB */
     update_client = 1;
 
+    log_as_req(from, request, &reply, &client, cname, &server, sname,
+              authtime, 0, 0, 0);
+    did_log = 1;
+
     goto egress;
 
 errout:
@@ -569,10 +570,6 @@ errout:
     /* fall through */
 
 egress:
-    if (update_client) {
-       audit_as_request(request, &client, &server, authtime, errcode);
-    }
-
     if (pa_context)
        free_padata_context(kdc_context, &pa_context);
 
@@ -580,7 +577,7 @@ egress:
        emsg = krb5_get_error_message(kdc_context, errcode);
 
     if (status) {
-       log_as_req(from, request, &reply, cname, sname, 0,
+       log_as_req(from, request, &reply, &client, cname, &server, sname, 0,
                   status, errcode, emsg);
        did_log = 1;
     }
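Review bot: On this error path `&client` and `&server` are now passed unconditionally to log_as_req, which forwards them to the KDB audit method, but process_as_req can presumably reach `errout` before either principal lookup has succeeded (`c_nprincs` and `s_nprincs` start at 0). The declarations and lookups are outside this hunk, so this is inferred, but an audit backend that dereferences an unpopulated `krb5_db_entry` would read indeterminate data inside the KDC. Consider passing NULL for an entry that was not found, e.g. `c_nprincs ? &client : NULL`, and stating in a comment on log_as_req that either entry may be NULL. The success-path call added before `goto egress` should not be affected, since it runs after both lookups.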
index 419bcf7cecc04cd7eff54b92b73cb7877f19450c..cd7f839588416b5568d8b61ef01e8074097296e1 100644 (file)
@@ -1,7 +1,7 @@
 /*
  * kdc/kdc_util.c
  *
- * Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2007,2008,2009 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -2116,84 +2116,6 @@ kdc_check_transited_list(krb5_context context,
     return code;
 }
 
-krb5_error_code
-audit_as_request(krb5_kdc_req *request,
-                krb5_db_entry *client,
-                krb5_db_entry *server,
-                krb5_timestamp authtime,
-                krb5_error_code errcode)
-{
-    krb5_error_code            code;
-    kdb_audit_as_req           req;
-    krb5_data                  req_data;
-    krb5_data                  rep_data;
-
-    memset(&req, 0, sizeof(req));
-
-    req.request                        = request;
-    req.client                 = client;
-    req.server                 = server;
-    req.authtime               = authtime;
-    req.error_code             = errcode;
-
-    req_data.data = (void *)&req;
-    req_data.length = sizeof(req);
-
-    rep_data.data = NULL;
-    rep_data.length = 0;
-
-    code = krb5_db_invoke(kdc_context,
-                         KRB5_KDB_METHOD_AUDIT_AS,
-                         &req_data,
-                         &rep_data);
-    if (code == KRB5_KDB_DBTYPE_NOSUP) {
-       return 0;
-    }
-
-    assert(rep_data.length == 0);
-
-    return code;
-}
-
-krb5_error_code
-audit_tgs_request(krb5_kdc_req *request,
-                 krb5_const_principal client,
-                 krb5_db_entry *server,
-                 krb5_timestamp authtime,
-                 krb5_error_code errcode)
-{
-    krb5_error_code            code;
-    kdb_audit_tgs_req          req;
-    krb5_data                  req_data;
-    krb5_data                  rep_data;
-
-    memset(&req, 0, sizeof(req));
-
-    req.request                        = request;
-    req.client                 = client;
-    req.server                 = server;
-    req.authtime               = authtime;
-    req.error_code             = errcode;
-
-    req_data.data = (void *)&req;
-    req_data.length = sizeof(req);
-
-    rep_data.data = NULL;
-    rep_data.length = 0;
-
-    code = krb5_db_invoke(kdc_context,
-                         KRB5_KDB_METHOD_AUDIT_TGS,
-                         &req_data,
-                         &rep_data);
-    if (code == KRB5_KDB_DBTYPE_NOSUP) {
-       return 0;
-    }
-
-    assert(rep_data.length == 0);
-
-    return code;
-}
-
 krb5_error_code
 validate_transit_path(krb5_context context,
                      krb5_const_principal client,
@@ -2228,7 +2150,8 @@ validate_transit_path(krb5_context context,
 void
 log_as_req(const krb5_fulladdr *from,
           krb5_kdc_req *request, krb5_kdc_rep *reply,
-          const char *cname, const char *sname,
+          krb5_db_entry *client, const char *cname,
+          krb5_db_entry *server, const char *sname,
           krb5_timestamp authtime,
           const char *status, krb5_error_code errcode, const char *emsg)
 {
@@ -2268,6 +2191,33 @@ log_as_req(const krb5_fulladdr *from,
     audit_krb5kdc_as_req(some in_addr *, (in_port_t)from->port, 0,
                         cname, sname, errcode);
 #endif
+#if 1
+    {
+       kdb_audit_as_req        req;
+       krb5_data               req_data;
+       krb5_data               rep_data;
+
+       memset(&req, 0, sizeof(req));
+
+       req.request             = request;
+       req.client              = client;
+       req.server              = server;
+       req.authtime            = authtime;
+       req.error_code          = errcode;
+
+       req_data.data = (void *)&req;
+       req_data.length = sizeof(req);
+
+       rep_data.data = NULL;
+       rep_data.length = 0;
+
+       (void) krb5_db_invoke(kdc_context,
+                             KRB5_KDB_METHOD_AUDIT_AS,
+                             &req_data,
+                             &rep_data);
+       assert(rep_data.length == 0);
+    }
+#endif
 }
 
 /* Here "status" must be non-null.  Error code
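Review bot: The audit block added at the end of log_as_req (whose body starts outside this hunk) discards the result of `krb5_db_invoke` and then runs `assert(rep_data.length == 0)`, so a failed audit write goes unnoticed while a backend that returns any reply data aborts the KDC, and under NDEBUG the check disappears entirely. For an audit trail, keep the return code and report anything other than success or "not supported", e.g. `code = krb5_db_invoke(...);` followed by `if (code != 0 && code != KRB5_KDB_DBTYPE_NOSUP)` and a log call, and handle unexpected reply data as a logged error instead of an assertion. The `#if 1` / `#endif` wrapper looks like leftover scaffolding and should be removed or replaced by a named configuration macro. The removed `audit_tgs_request` has no replacement visible in this commit, so it is worth confirming that TGS requests are still audited.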
index d17b0b7f8dce79ecbba60a72e9f3bb17cdf59c03..f0c5563efe42ea93907cb1361b13302316b58ba6 100644 (file)
@@ -284,7 +284,8 @@ validate_transit_path(krb5_context context,
 void
 log_as_req(const krb5_fulladdr *from,
           krb5_kdc_req *request, krb5_kdc_rep *reply,
-          const char *cname, const char *sname,
+          krb5_db_entry *client, const char *cname,
+          krb5_db_entry *server, const char *sname,
           krb5_timestamp authtime,
           const char *status, krb5_error_code errcode, const char *emsg);
 void