diff options
| author | Greg Hudson <ghudson@mit.edu> | 2013-11-25 11:46:47 -0500 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2013-11-25 17:03:09 -0500 |
| commit | 5384f45e728957da20ecf82d8cf567945a2bbf6e (patch) | |
| tree | 263f24b16799eb1391b95879317fd21ef4e2e1f3 /src/kadmin | |
| parent | 4c57a429760a3b3aa89938a13708742675f9548b (diff) | |
| download | krb5-5384f45e728957da20ecf82d8cf567945a2bbf6e.tar.gz krb5-5384f45e728957da20ecf82d8cf567945a2bbf6e.tar.xz krb5-5384f45e728957da20ecf82d8cf567945a2bbf6e.zip | |
Correctly log IPv6 addresses in kadmind
Define client_addr() in server_stubs.c and use it consistently in that
file and ipropd_svc.c to get the client address from a transport
handle. In it, call getpeername() on the client socket and use
inet_ntop() on the result, instead of using inet_ntoa() on the IPv4
socket address. Provide a log_badauth2 callback to GSSRPC, so that we
get a transport handle instead of an IPv4 socket address, and use
client_addr() within it instead of inet_ntoa().
ticket: 7770
target_version: 1.12
tags: pullup
Diffstat (limited to 'src/kadmin')
| -rw-r--r-- | src/kadmin/server/ipropd_svc.c | 22 | ||||
| -rw-r--r-- | src/kadmin/server/kadm_rpc_svc.c | 18 | ||||
| -rw-r--r-- | src/kadmin/server/misc.h | 9 | ||||
| -rw-r--r-- | src/kadmin/server/ovsec_kadmd.c | 29 | ||||
| -rw-r--r-- | src/kadmin/server/server_stubs.c | 30 |
5 files changed, 50 insertions, 58 deletions
diff --git a/src/kadmin/server/ipropd_svc.c b/src/kadmin/server/ipropd_svc.c index 4a25998f45..6d5ba3c032 100644 --- a/src/kadmin/server/ipropd_svc.c +++ b/src/kadmin/server/ipropd_svc.c @@ -38,13 +38,6 @@ extern short l_port; extern char *kdb5_util; extern char *kprop; extern char *dump_file; -static char abuf[33]; - -/* Result is stored in a static buffer and is invalidated by the next call. */ -static const char *client_addr(struct svc_req *svc) { - strlcpy(abuf, inet_ntoa(svc->rq_xprt->xp_raddr.sin_addr), sizeof(abuf)); - return abuf; -} static char *reply_ok_str = "UPDATE_OK"; static char *reply_err_str = "UPDATE_ERROR"; @@ -193,7 +186,7 @@ iprop_get_updates_1_svc(kdb_last_t *arg, struct svc_req *rqstp) krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, whoami, client_name, service_name, - client_addr(rqstp)); + client_addr(rqstp->rq_xprt)); goto out; } @@ -223,7 +216,7 @@ iprop_get_updates_1_svc(kdb_last_t *arg, struct svc_req *rqstp) obuf, ((kret == 0) ? "success" : error_message(kret)), client_name, service_name, - client_addr(rqstp)); + client_addr(rqstp->rq_xprt)); out: if (nofork) @@ -320,7 +313,7 @@ ipropx_resync(uint32_t vers, struct svc_req *rqstp) DPRINT("%s: Permission denied\n", whoami); krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, whoami, client_name, service_name, - client_addr(rqstp)); + client_addr(rqstp->rq_xprt)); goto out; } @@ -425,12 +418,12 @@ ipropx_resync(uint32_t vers, struct svc_req *rqstp) DPRINT("%s: spawned resync process %d, client=%s, " "service=%s, addr=%s\n", whoami, fret, client_name, - service_name, client_addr(rqstp)); + service_name, client_addr(rqstp->rq_xprt)); krb5_klog_syslog(LOG_NOTICE, _("Request: %s, spawned resync process %d, client=%s, service=%s, addr=%s"), whoami, fret, client_name, service_name, - client_addr(rqstp)); + client_addr(rqstp->rq_xprt)); goto out; } @@ -493,8 +486,7 @@ check_iprop_rpcsec_auth(struct svc_req *rqstp) krb5_klog_syslog(LOG_ERR, _("check_rpcsec_auth: failed inquire_context, " "stat=%u"), maj_stat); - log_badauth(maj_stat, min_stat, - &rqstp->rq_xprt->xp_raddr, NULL); + log_badauth(maj_stat, min_stat, rqstp->rq_xprt, NULL); goto fail_name; } @@ -547,7 +539,7 @@ krb5_iprop_prog_1(struct svc_req *rqstp, if (!check_iprop_rpcsec_auth(rqstp)) { krb5_klog_syslog(LOG_ERR, _("authentication attempt failed: %s, RPC " "authentication flavor %d"), - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr), + client_addr(rqstp->rq_xprt), rqstp->rq_cred.oa_flavor); svcerr_weakauth(transp); return; diff --git a/src/kadmin/server/kadm_rpc_svc.c b/src/kadmin/server/kadm_rpc_svc.c index a75bdb89d3..3837931b6f 100644 --- a/src/kadmin/server/kadm_rpc_svc.c +++ b/src/kadmin/server/kadm_rpc_svc.c @@ -12,9 +12,6 @@ #include <krb5.h> #include <kadm5/admin.h> #include <adm_proto.h> -#ifdef HAVE_ARPA_INET_H -#include <arpa/inet.h> -#endif #include "misc.h" #include "kadm5/server_internal.h" @@ -69,9 +66,9 @@ void kadm_1(rqstp, transp) if (rqstp->rq_cred.oa_flavor != AUTH_GSSAPI && !check_rpcsec_auth(rqstp)) { krb5_klog_syslog(LOG_ERR, "Authentication attempt failed: %s, " - "RPC authentication flavor %d", - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr), - rqstp->rq_cred.oa_flavor); + "RPC authentication flavor %d", + client_addr(rqstp->rq_xprt), + rqstp->rq_cred.oa_flavor); svcerr_weakauth(transp); return; } @@ -227,8 +224,7 @@ void kadm_1(rqstp, transp) default: krb5_klog_syslog(LOG_ERR, "Invalid KADM5 procedure number: %s, %d", - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr), - rqstp->rq_proc); + client_addr(rqstp->rq_xprt), rqstp->rq_proc); svcerr_noproc(transp); return; } @@ -278,8 +274,7 @@ check_rpcsec_auth(struct svc_req *rqstp) if (maj_stat != GSS_S_COMPLETE) { krb5_klog_syslog(LOG_ERR, _("check_rpcsec_auth: failed " "inquire_context, stat=%u"), maj_stat); - log_badauth(maj_stat, min_stat, - &rqstp->rq_xprt->xp_raddr, NULL); + log_badauth(maj_stat, min_stat, rqstp->rq_xprt, NULL); goto fail_name; } @@ -335,8 +330,7 @@ gss_to_krb5_name_1(struct svc_req *rqstp, krb5_context ctx, gss_name_t gss_name, if ((status != GSS_S_COMPLETE) || (gss_type != gss_nt_krb5_name)) { krb5_klog_syslog(LOG_ERR, _("gss_to_krb5_name: failed display_name " "status %d"), status); - log_badauth(status, minor_stat, - &rqstp->rq_xprt->xp_raddr, NULL); + log_badauth(status, minor_stat, rqstp->rq_xprt, NULL); return 0; } str = malloc(gss_str->length +1); diff --git a/src/kadmin/server/misc.h b/src/kadmin/server/misc.h index 3d2eda1043..ea0fc7d221 100644 --- a/src/kadmin/server/misc.h +++ b/src/kadmin/server/misc.h @@ -9,10 +9,6 @@ #include "net-server.h" /* for krb5_fulladdr */ -void -log_badauth(OM_uint32 major, OM_uint32 minor, - struct sockaddr_in *addr, char *data); - int setup_gss_names(struct svc_req *, gss_buffer_desc *, gss_buffer_desc *); @@ -55,8 +51,9 @@ gss_to_krb5_name_1(struct svc_req *rqstp, krb5_context ctx, gss_name_t gss_name, void reset_db(void); -void log_badauth(OM_uint32 major, OM_uint32 minor, - struct sockaddr_in *addr, char *data); +void log_badauth(OM_uint32 major, OM_uint32 minor, SVCXPRT *xprt, char *data); + +const char *client_addr(SVCXPRT *xprt); /* network.c */ #include "net-server.h" diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c index 1273b07119..87aa47a804 100644 --- a/src/kadmin/server/ovsec_kadmd.c +++ b/src/kadmin/server/ovsec_kadmd.c @@ -43,7 +43,6 @@ #include <sys/socket.h> #include <unistd.h> #include <netinet/in.h> -#include <arpa/inet.h> /* inet_ntoa */ #include <netdb.h> #include <gssrpc/rpc.h> #include <gssapi/gssapi.h> @@ -71,8 +70,7 @@ gss_name_t gss_kadmin_name = NULL; void *global_server_handle; char *build_princ_name(char *name, char *realm); -void log_badauth(OM_uint32 major, OM_uint32 minor, - struct sockaddr_in *addr, char *data); +void log_badauth(OM_uint32 major, OM_uint32 minor, SVCXPRT *xprt, char *data); void log_badverf(gss_name_t client_name, gss_name_t server_name, struct svc_req *rqst, struct rpc_msg *msg, char *data); @@ -489,11 +487,11 @@ kterr: (void) gss_import_name(&OMret, &in_buf, nt_krb5_name_oid, &gss_changepw_name); - svcauth_gssapi_set_log_badauth_func(log_badauth, NULL); + svcauth_gssapi_set_log_badauth2_func(log_badauth, NULL); svcauth_gssapi_set_log_badverf_func(log_badverf, NULL); svcauth_gssapi_set_log_miscerr_func(log_miscerr, NULL); - svcauth_gss_set_log_badauth_func(log_badauth, NULL); + svcauth_gss_set_log_badauth2_func(log_badauth, NULL); svcauth_gss_set_log_badverf_func(log_badverf, NULL); svcauth_gss_set_log_miscerr_func(log_miscerr, NULL); @@ -770,7 +768,7 @@ void log_badverf(gss_name_t client_name, gss_name_t server_name, OM_uint32 minor; gss_buffer_desc client, server; gss_OID gss_type; - char *a; + const char *a; rpcproc_t proc; unsigned int i; const char *procname; @@ -798,7 +796,7 @@ void log_badverf(gss_name_t client_name, gss_name_t server_name, slen = server.length; } trunc_name(&slen, &sdots); - a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr); + a = client_addr(rqst->rq_xprt); proc = msg->rm_call.cb_proc; procname = NULL; @@ -844,11 +842,8 @@ void log_badverf(gss_name_t client_name, gss_name_t server_name, void log_miscerr(struct svc_req *rqst, struct rpc_msg *msg, char *error, char *data) { - char *a; - - a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr); - krb5_klog_syslog(LOG_NOTICE, _("Miscellaneous RPC error: %s, %s"), a, - error); + krb5_klog_syslog(LOG_NOTICE, _("Miscellaneous RPC error: %s, %s"), + client_addr(rqst->rq_xprt), error); } @@ -870,18 +865,14 @@ void log_miscerr(struct svc_req *rqst, struct rpc_msg *msg, * Logs the GSS-API error via krb5_klog_syslog(); see functional spec for * format. */ -void log_badauth(OM_uint32 major, OM_uint32 minor, - struct sockaddr_in *addr, char *data) +void log_badauth(OM_uint32 major, OM_uint32 minor, SVCXPRT *xprt, char *data) { - char *a; - /* Authentication attempt failed: <IP address>, <GSS-API error */ /* strings> */ - a = inet_ntoa(addr->sin_addr); - krb5_klog_syslog(LOG_NOTICE, _("Authentication attempt failed: %s, " - "GSS-API error strings are:"), a); + "GSS-API error strings are:"), + client_addr(xprt)); log_badauth_display_status(" ", major, minor); krb5_klog_syslog(LOG_NOTICE, _(" GSS-API error strings complete.")); } diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c index 446eaca595..5312792a2a 100644 --- a/src/kadmin/server/server_stubs.c +++ b/src/kadmin/server/server_stubs.c @@ -5,6 +5,7 @@ */ #include <k5-platform.h> +#include <socket-utils.h> #include <gssapi/gssapi.h> #include <gssapi/gssapi_krb5.h> /* for gss_nt_krb5_name */ #include <krb5.h> @@ -13,7 +14,6 @@ #include <kadm5/server_internal.h> #include <kadm5/server_acl.h> #include <syslog.h> -#include <arpa/inet.h> /* inet_ntoa */ #include <adm_proto.h> /* krb5_klog_syslog */ #include "misc.h" @@ -143,6 +143,24 @@ static void free_server_handle(kadm5_server_handle_t handle) free(handle); } +/* Result is stored in a static buffer and is invalidated by the next call. */ +const char * +client_addr(SVCXPRT *xprt) +{ + static char abuf[128]; + struct sockaddr_storage ss; + socklen_t len = sizeof(ss); + const char *p = NULL; + + if (getpeername(xprt->xp_sock, ss2sa(&ss), &len) != 0) + return "(unknown)"; + if (ss2sa(&ss)->sa_family == AF_INET) + p = inet_ntop(AF_INET, &ss2sin(&ss)->sin_addr, abuf, sizeof(abuf)); + else if (ss2sa(&ss)->sa_family == AF_INET6) + p = inet_ntop(AF_INET6, &ss2sin6(&ss)->sin6_addr, abuf, sizeof(abuf)); + return (p == NULL) ? "(unknown)" : p; +} + /* * Function: setup_gss_names * @@ -277,7 +295,7 @@ log_unauth( op, (int)tlen, target, tdots, (int)clen, (char *)client->value, cdots, (int)slen, (char *)server->value, sdots, - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + client_addr(rqstp->rq_xprt)); } static int @@ -308,7 +326,7 @@ log_done( op, (int)tlen, target, tdots, errmsg, (int)clen, (char *)client->value, cdots, (int)slen, (char *)server->value, sdots, - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + client_addr(rqstp->rq_xprt)); } generic_ret * @@ -614,7 +632,7 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp) (int)tlen2, prime_arg2, tdots2, (int)clen, (char *)client_name.value, cdots, (int)slen, (char *)service_name.value, sdots, - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + client_addr(rqstp->rq_xprt)); } else { ret.code = kadm5_rename_principal((void *)handle, arg->src, arg->dest); @@ -631,7 +649,7 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp) errmsg ? errmsg : _("success"), (int)clen, (char *)client_name.value, cdots, (int)slen, (char *)service_name.value, sdots, - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + client_addr(rqstp->rq_xprt)); if (errmsg != NULL) krb5_free_error_message(handle->context, errmsg); @@ -1774,7 +1792,7 @@ generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) errmsg ? errmsg : _("success"), (int)clen, (char *)client_name.value, cdots, (int)slen, (char *)service_name.value, sdots, - inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr), + client_addr(rqstp->rq_xprt), ret.api_version & ~(KADM5_API_VERSION_MASK), rqstp->rq_cred.oa_flavor); if (errmsg != NULL) |