diff options
Diffstat (limited to 'src/kdc/do_as_req.c')
-rw-r--r-- | src/kdc/do_as_req.c | 49 |
1 files changed, 47 insertions, 2 deletions
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 036840739c..268d4f452b 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -2,8 +2,8 @@ /* kdc/do_as_req.c */ /* * Portions Copyright (C) 2007 Apple Inc. - * Copyright 1990,1991,2007,2008,2009 by the Massachusetts Institute of Technology. - * All Rights Reserved. + * Copyright 1990, 1991, 2007, 2008, 2009, 2013 by the Massachusetts Institute + * of Technology. All Rights Reserved. * * Export of this software from the United States of America may * require a specific license from the United States Government. @@ -68,6 +68,7 @@ #endif /* HAVE_NETINET_IN_H */ #include "kdc_util.h" +#include "kdc_audit.h" #include "policy.h" #include <kadm5/admin.h> #include "adm_proto.h" @@ -121,6 +122,7 @@ struct as_req_state { krb5_error_code preauth_err; kdc_realm_t *active_realm; + krb5_audit_state *au_state; }; static void @@ -137,6 +139,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) loop_respond_fn oldrespond; void *oldarg; kdc_realm_t *kdc_active_realm = state->active_realm; + krb5_audit_state *au_state = state->au_state; assert(state); oldrespond = state->respond; @@ -145,6 +148,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) if (errcode) goto egress; + au_state->stage = ENCR_REP; + if ((errcode = validate_forwardable(state->request, *state->client, *state->server, state->kdc_time, &state->status))) { @@ -277,6 +282,14 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) state->status = "ENCRYPTING_TICKET"; goto egress; } + + errcode = kau_make_tkt_id(kdc_context, &state->ticket_reply, + &au_state->tkt_out_id); + if (errcode) { + state->status = "GENERATE_TICKET_ID"; + goto egress; + } + state->ticket_reply.enc_part.kvno = server_key->key_data_kvno; errcode = kdc_fast_response_handle_padata(state->rstate, state->request, @@ -332,6 +345,13 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) egress: if (errcode != 0) assert (state->status != 0); + + au_state->status = state->status; + au_state->reply = &state->reply; + kau_as_req(kdc_context, + (errcode || state->preauth_err) ? FALSE : TRUE, au_state); + kau_free_kdc_req(au_state); + free_padata_context(kdc_context, state->pa_context); if (as_encrypting_key) krb5_free_keyblock(kdc_context, as_encrypting_key); @@ -456,6 +476,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, krb5_data encoded_req_body; krb5_enctype useenctype; struct as_req_state *state; + krb5_audit_state *au_state = NULL; state = k5alloc(sizeof(*state), &errcode); if (state == NULL) { @@ -472,13 +493,29 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, errcode = kdc_make_rstate(kdc_active_realm, &state->rstate); if (errcode != 0) { (*respond)(arg, errcode, NULL); + free(state); return; } + + /* Initialize audit state. */ + errcode = kau_init_kdc_req(kdc_context, state->request, from, &au_state); + if (errcode) { + (*respond)(arg, errcode, NULL); + kdc_free_rstate(state->rstate); + free(state); + return; + } + state->au_state = au_state; + if (state->request->msg_type != KRB5_AS_REQ) { state->status = "msg_type mismatch"; errcode = KRB5_BADMSGTYPE; goto errout; } + + /* Seed the audit trail with the request ID and basic information. */ + kau_as_req(kdc_context, TRUE, au_state); + if (fetch_asn1_field((unsigned char *) req_pkt->data, 1, 4, &encoded_req_body) != 0) { errcode = ASN1_BAD_ID; @@ -500,6 +537,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, goto errout; } } + au_state->request = state->request; state->rock.request = state->request; state->rock.inner_body = state->inner_body; state->rock.rstate = state->rstate; @@ -559,10 +597,13 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, if (!is_local_principal(kdc_active_realm, state->client->princ)) { /* Entry is a referral to another realm */ state->status = "REFERRAL"; + au_state->cl_realm = &state->client->princ->realm; errcode = KRB5KDC_ERR_WRONG_REALM; goto errout; } + au_state->stage = SRVC_PRINC; + if (!state->request->server) { state->status = "NULL_SERVER"; errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; @@ -593,6 +634,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, goto errout; } + au_state->stage = VALIDATE_POL; + if ((errcode = krb5_timeofday(kdc_context, &state->kdc_time))) { state->status = "TIMEOFDAY"; goto errout; @@ -609,6 +652,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, goto errout; } + au_state->stage = ISSUE_TKT; + /* * Select the keytype for the ticket session key. */ |