From: Ken Raeburn Date: Tue, 13 Jan 2009 21:54:45 +0000 (+0000) Subject: /tmp/3 X-Git-Tag: krb5-1.7-alpha1~79 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=671ceced3b5fec90cd2ad894a083d1b8b3d89997;p=krb5.git /tmp/3 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21741 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 12d645980..9571fb212 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -2,7 +2,7 @@
 * kdc/do_as_req.c
 *
 * Portions Copyright (C) 2007 Apple Inc.
- * Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2007,2008,2009 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
 *
 * Export of this software from the United States of America may
@@ -99,7 +99,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 krb5_error_code errcode;
 int c_nprincs = 0, s_nprincs = 0;
 krb5_boolean more;
- krb5_timestamp kdc_time, authtime;
+ krb5_timestamp kdc_time, authtime = 0;
 krb5_keyblock session_key;
 const char *status;
 krb5_key_data *server_key, *client_key;
@@ -550,9 +550,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 memset(reply.enc_part.ciphertext.data, 0,
 reply.enc_part.ciphertext.length);
 free(reply.enc_part.ciphertext.data);
- log_as_req(from, request, &reply, cname, sname, authtime, 0, 0, 0);
- did_log = 1;
-
 #ifdef KRBCONF_KDC_MODIFIES_KDB
 /*
 * If we get this far, we successfully did the AS_REQ.
@@ -562,6 +559,10 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 #endif /* KRBCONF_KDC_MODIFIES_KDB */
 update_client = 1;
+ log_as_req(from, request, &reply, &client, cname, &server, sname,
+ authtime, 0, 0, 0);
+ did_log = 1;
+
 goto egress;
 errout:
@@ -569,10 +570,6 @@ errout:
 /* fall through */
 egress:
- if (update_client) {
- audit_as_request(request, &client, &server, authtime, errcode);
- }
-
 if (pa_context)
 free_padata_context(kdc_context, &pa_context);
@@ -580,7 +577,7 @@ egress:
 emsg = krb5_get_error_message(kdc_context, errcode);
 if (status) {
- log_as_req(from, request, &reply, cname, sname, 0,
+ log_as_req(from, request, &reply, &client, cname, &server, sname, 0,
 status, errcode, emsg);
 did_log = 1;
 }
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 419bcf7ce..cd7f83958 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1,7 +1,7 @@
 /*
 * kdc/kdc_util.c
 *
- * Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2007,2008,2009 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
 *
 * Export of this software from the United States of America may
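Review bot: On the error path under `egress:` in src/kdc/do_as_req.c, `&client` and `&server` are now passed to `log_as_req` unconditionally, and from there on to the KDB audit method, even when the request failed before either entry was looked up. The `c_nprincs`/`s_nprincs` counters initialised to 0 at the top of `process_as_req` suggest the entries are only meaningful once those are non-zero, so an audit backend may be handed unpopulated `krb5_db_entry` storage. Passing `c_nprincs ? &client : NULL` and `s_nprincs ? &server : NULL` would make the "not yet looked up" case explicit, provided the audit method is documented to accept NULL. The lookup code lies outside the visible hunks, so this needs checking against the full function.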
@@ -2116,84 +2116,6 @@ kdc_check_transited_list(krb5_context context,
 return code;
 }
-krb5_error_code
-audit_as_request(krb5_kdc_req *request,
- krb5_db_entry *client,
- krb5_db_entry *server,
- krb5_timestamp authtime,
- krb5_error_code errcode)
-{
- krb5_error_code code;
- kdb_audit_as_req req;
- krb5_data req_data;
- krb5_data rep_data;
-
- memset(&req, 0, sizeof(req));
-
- req.request = request;
- req.client = client;
- req.server = server;
- req.authtime = authtime;
- req.error_code = errcode;
-
- req_data.data = (void *)&req;
- req_data.length = sizeof(req);
-
- rep_data.data = NULL;
- rep_data.length = 0;
-
- code = krb5_db_invoke(kdc_context,
- KRB5_KDB_METHOD_AUDIT_AS,
- &req_data,
- &rep_data);
- if (code == KRB5_KDB_DBTYPE_NOSUP) {
- return 0;
- }
-
- assert(rep_data.length == 0);
-
- return code;
-}
-
-krb5_error_code
-audit_tgs_request(krb5_kdc_req *request,
- krb5_const_principal client,
- krb5_db_entry *server,
- krb5_timestamp authtime,
- krb5_error_code errcode)
-{
- krb5_error_code code;
- kdb_audit_tgs_req req;
- krb5_data req_data;
- krb5_data rep_data;
-
- memset(&req, 0, sizeof(req));
-
- req.request = request;
- req.client = client;
- req.server = server;
- req.authtime = authtime;
- req.error_code = errcode;
-
- req_data.data = (void *)&req;
- req_data.length = sizeof(req);
-
- rep_data.data = NULL;
- rep_data.length = 0;
-
- code = krb5_db_invoke(kdc_context,
- KRB5_KDB_METHOD_AUDIT_TGS,
- &req_data,
- &rep_data);
- if (code == KRB5_KDB_DBTYPE_NOSUP) {
- return 0;
- }
-
- assert(rep_data.length == 0);
-
- return code;
-}
-
 krb5_error_code
 validate_transit_path(krb5_context context,
 krb5_const_principal client,
@@ -2228,7 +2150,8 @@ validate_transit_path(krb5_context context,
 void
 log_as_req(const krb5_fulladdr *from,
 krb5_kdc_req *request, krb5_kdc_rep *reply,
- const char *cname, const char *sname,
+ krb5_db_entry *client, const char *cname,
+ krb5_db_entry *server, const char *sname,
 krb5_timestamp authtime,
 const char *status, krb5_error_code errcode, const char *emsg)
 {
@@ -2268,6 +2191,33 @@ log_as_req(const krb5_fulladdr *from,
 audit_krb5kdc_as_req(some in_addr *, (in_port_t)from->port, 0,
 cname, sname, errcode);
 #endif
+#if 1
+ {
+ kdb_audit_as_req req;
+ krb5_data req_data;
+ krb5_data rep_data;
+
+ memset(&req, 0, sizeof(req));
+
+ req.request = request;
+ req.client = client;
+ req.server = server;
+ req.authtime = authtime;
+ req.error_code = errcode;
+
+ req_data.data = (void *)&req;
+ req_data.length = sizeof(req);
+
+ rep_data.data = NULL;
+ rep_data.length = 0;
+
+ (void) krb5_db_invoke(kdc_context,
+ KRB5_KDB_METHOD_AUDIT_AS,
+ &req_data,
+ &rep_data);
+ assert(rep_data.length == 0);
+ }
+#endif
 }
 /* Here "status" must be non-null. Error code
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index d17b0b7f8..f0c5563ef 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -284,7 +284,8 @@ validate_transit_path(krb5_context context,
 void
 log_as_req(const krb5_fulladdr *from,
 krb5_kdc_req *request, krb5_kdc_rep *reply,
- const char *cname, const char *sname,
+ krb5_db_entry *client, const char *cname,
+ krb5_db_entry *server, const char *sname,
 krb5_timestamp authtime,
 const char *status, krb5_error_code errcode, const char *emsg);
 void
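Review bot: The audit block added to `log_as_req` in src/kdc/kdc_util.c (the `#if 1` section) throws away the result of `krb5_db_invoke` with a `(void)` cast, so a backend that fails to write an audit record now fails silently; the removed `audit_as_request` at least returned the code and treated only `KRB5_KDB_DBTYPE_NOSUP` as success. For an audit trail the failure should be visible: keep the return value in a local and log when `if (code != 0 && code != KRB5_KDB_DBTYPE_NOSUP)` holds. The `assert(rep_data.length == 0)` is also evaluated when the call failed, and it lets a value filled in by the database plugin abort the KDC, or go unchecked under NDEBUG, so a non-fatal check that logs is safer. The `#if 1` wrapper reads as scaffolding and deserves either removal or a comment saying what condition it stands in for. This commit also deletes `audit_tgs_request` with no replacement visible in these hunks, which is worth confirming as intentional.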