Gentoo Attachment #114844 for bug #171889

View | Details | Raw Unified
Collapse All | Expand All

(-) krb5-1.5.2.orig/src/kadmin/server/kadm_rpc_svc.c (-2 / +7 lines)

Lines 250-255	Link Here

     krb5_data *c1, *c2, *realm;

     krb5_data *c1, *c2, *realm;

     gss_buffer_desc gss_str;

     gss_buffer_desc gss_str;

     kadm5_server_handle_t handle;

     kadm5_server_handle_t handle;

	 size_t slen;

	 char *sdots;

     success = 0;

     success = 0;

     handle = (kadm5_server_handle_t)global_server_handle;

     handle = (kadm5_server_handle_t)global_server_handle;

Lines 274-279	Link Here

     if (ret == 0)

     if (ret == 0)

	  goto fail_name;

	  goto fail_name;

	 slen = gss_str.length;

	 trunc_name(&slen, &sdots);

/*

/*

      * Since we accept with GSS_C_NO_NAME, the client can authenticate

      * Since we accept with GSS_C_NO_NAME, the client can authenticate

      * against the entire kdb.  Therefore, ensure that the service

      * against the entire kdb.  Therefore, ensure that the service

Lines 296-303	Link Here

fail_princ:

fail_princ:

     if (!success) {

     if (!success) {

	 krb5_klog_syslog(LOG_ERR, "bad service principal %.*s",

	 krb5_klog_syslog(LOG_ERR, "bad service principal %.*s%s",

			  gss_str.length, gss_str.value);

			  slen, gss_str.value, sdots);

     gss_release_buffer(&min_stat, &gss_str);

     gss_release_buffer(&min_stat, &gss_str);

     krb5_free_principal(kctx, princ);

     krb5_free_principal(kctx, princ);

(-) krb5-1.5.2.orig/src/kadmin/server/misc.c (+9 lines)

Lines 171-173	Link Here

    return kadm5_free_principal_ent(handle->lhandle, &princ);

    return kadm5_free_principal_ent(handle->lhandle, &princ);

#define MAXPRINCLEN 125

void

trunc_name(size_t *len, char **dots)

	*dots = *len > MAXPRINCLEN ? "..." : "";

	*len = *len > MAXPRINCLEN ? MAXPRINCLEN : *len;

(-) krb5-1.5.2.orig/src/kadmin/server/misc.h (+2 lines)

Lines 45-47	Link Here

#ifdef SVC_GETARGS

#ifdef SVC_GETARGS

void  kadm_1(struct svc_req *, SVCXPRT *);

void  kadm_1(struct svc_req *, SVCXPRT *);

#endif

#endif

void trunc_name(size_t *len, char **dots);

(-) krb5-1.5.2.orig/src/kadmin/server/ovsec_kadmd.c (-10 / +22 lines)

Lines 989-994	Link Here

     rpcproc_t proc;

     rpcproc_t proc;

     int i;

     int i;

     const char *procname;

     const char *procname;

	 size_t clen, slen;

	 char *cdots, *sdots;

     client.length = 0;

     client.length = 0;

     client.value = NULL;

     client.value = NULL;

Lines 997-1006	Link Here

     (void) gss_display_name(&minor, client_name, &client, &gss_type);

     (void) gss_display_name(&minor, client_name, &client, &gss_type);

     (void) gss_display_name(&minor, server_name, &server, &gss_type);

     (void) gss_display_name(&minor, server_name, &server, &gss_type);

     if (client.value == NULL)

     if (client.value == NULL) {

	 client.value = "(null)";

	 	 client.value = "(null)";

     if (server.value == NULL)

		 clen = sizeof("(null)") - 1;

	 server.value = "(null)";

	 } else {

	 	 clen = client.length;

	 trunc_name(&clen, &cdots);

     if (server.value == NULL) {

	 	 server.value = "(null)";

		 slen = sizeof("(null)") - 1;

	 } else {

	 	 slen = server.length;

	 trunc_name(&slen, &sdots);

     a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr);

     a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr);

     proc = msg->rm_call.cb_proc;

     proc = msg->rm_call.cb_proc;

Lines 1013-1026	Link Here

     if (procname != NULL)

     if (procname != NULL)

	  krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, "

	  krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, "

			   "claimed client = %s, server = %s, addr = %s",

			   "claimed client = %.*s%s, server = %.*s%s, addr = %s",

			   procname, client.value,

			   procname, clen, client.value, cdots,

			   server.value, a);

			   slen, server.value, sdots, a);

     else

     else

	  krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, "

	  krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, "

			   "claimed client = %s, server = %s, addr = %s",

			   "claimed client = %.*s%s, server = %.*s%s, addr = %s",

			   proc, client.value,

			   proc, clen, client.value, cdots,

			   server.value, a);

			   slen, server.value, sdots, a);

     (void) gss_release_buffer(&minor, &client);

     (void) gss_release_buffer(&minor, &client);

     (void) gss_release_buffer(&minor, &server);

     (void) gss_release_buffer(&minor, &server);

(-) krb5-1.5.2.orig/src/kadmin/server/schpw.c (-2 / +7 lines)

Lines 40-45	Link Here

    int numresult;

    int numresult;

    char strresult[1024];

    char strresult[1024];

    char *clientstr;

    char *clientstr;

	size_t clen;

	char *cdots;

    ret = 0;

    ret = 0;

    rep->length = 0;

    rep->length = 0;

Lines 258-266	Link Here

    free(ptr);

    free(ptr);

    clear.length = 0;

    clear.length = 0;

    krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %s: %s",

	clen = strlen(clientstr);

	trunc_name(&clen, &cdots);

    krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s",

		     inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr),

		     inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr),

		     clientstr, ret ? krb5_get_error_message (context, ret) : "success");

		     clen, clientstr, cdots,

			 ret ? krb5_get_error_message (context, ret) : "success");

    krb5_free_unparsed_name(context, clientstr);

    krb5_free_unparsed_name(context, clientstr);

    if (ret) {

    if (ret) {

(-) krb5-1.5.2.orig/src/kadmin/server/server_stubs.c (-150 / +142 lines)

Lines 14-19	Link Here

#include <arpa/inet.h>  /* inet_ntoa */

#include <arpa/inet.h>  /* inet_ntoa */

#include <adm_proto.h>  /* krb5_klog_syslog */

#include <adm_proto.h>  /* krb5_klog_syslog */

#include "misc.h"

#include "misc.h"

#include <string.h>

#define LOG_UNAUTH  "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s"

#define LOG_UNAUTH  "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s"

#define	LOG_DONE    "Request: %s, %s, %s, client=%s, service=%s, addr=%s"

#define	LOG_DONE    "Request: %s, %s, %s, client=%s, service=%s, addr=%s"

Lines 237-242	Link Here

     return 0;

     return 0;

static int

log_unauth(char *op, char *target, gss_buffer_t client, gss_buffer_t server, struct svc_req *rqstp)

	size_t tlen, clen, slen;

	char *tdots, *cdots, *sdots;

	tlen = strlen(target);

	trunc_name(&tlen, &tdots);

	clen = client->length;

	trunc_name(&clen, &cdots);

	slen = server->length;

	trunc_name(&slen, &sdots);

	return krb5_klog_syslog(LOG_NOTICE,

			"Unauthorized request: %s, %.*s%s, "

			"client=%.*s%s, service=%.*s%s, addr=%s",

			op, tlen, target, tdots,

			clen, client->value, cdots,

			slen, server->value, sdots,

			inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

static int

log_done(char *op, char *target, char *errmsg, gss_buffer_t client, gss_buffer_t server, struct svc_req *rqstp)

	size_t tlen, clen, slen;

	char *tdots, *cdots, *sdots;

	tlen = strlen(target);

	trunc_name(&tlen, &tdots);

	clen = client->length;

	trunc_name(&clen, &cdots);

	slen = server->length;

	trunc_name(&slen, &sdots);

	return krb5_klog_syslog(LOG_NOTICE,

			"Request: %s, %.*s%s, %s, "

			"client=%.*s%s, service=%.*s%s, addr=%s",

			op, tlen, target, tdots, errmsg,

			clen, client->value, cdots,

			slen, server->value, sdots,

			inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

generic_ret *

generic_ret *

create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)

create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)

Lines 275-283	Link Here

	|| kadm5int_acl_impose_restrictions(handle->context,

	|| kadm5int_acl_impose_restrictions(handle->context,

				   &arg->rec, &arg->mask, rp)) {

				   &arg->rec, &arg->mask, rp)) {

	 ret.code = KADM5_AUTH_ADD;

	 ret.code = KADM5_AUTH_ADD;

	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",

	 log_unauth("kadm5_create_principal", prime_arg,

		prime_arg, client_name.value, service_name.value,

		&client_name, &service_name, rqstp);

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    } else {

    } else {

	 ret.code = kadm5_create_principal((void *)handle,

	 ret.code = kadm5_create_principal((void *)handle,

						&arg->rec, arg->mask,

						&arg->rec, arg->mask,

Lines 287-296	Link Here

	 else

	 else

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",

	 log_done("kadm5_create_principal", prime_arg, errmsg,

		prime_arg, errmsg,

			&client_name, &service_name, rqstp);

		client_name.value, service_name.value,

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

	 /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */

	 /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */

Lines 341-349	Link Here

	|| kadm5int_acl_impose_restrictions(handle->context,

	|| kadm5int_acl_impose_restrictions(handle->context,

				   &arg->rec, &arg->mask, rp)) {

				   &arg->rec, &arg->mask, rp)) {

	 ret.code = KADM5_AUTH_ADD;

	 ret.code = KADM5_AUTH_ADD;

	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",

	 log_unauth("kadm5_create_principal", prime_arg,

		prime_arg, client_name.value, service_name.value,

	 		 &client_name, &service_name, rqstp);

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    } else {

    } else {

	 ret.code = kadm5_create_principal_3((void *)handle,

	 ret.code = kadm5_create_principal_3((void *)handle,

					     &arg->rec, arg->mask,

					     &arg->rec, arg->mask,

Lines 355-364	Link Here

	 else

	 else

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",

	 log_done("kadm5_create_principal", prime_arg, errmsg,

		prime_arg, errmsg,

		&client_name, &service_name, rqstp);

		client_name.value, service_name.value,

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

	 /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */

	 /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */

Lines 406-414	Link Here

	|| !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE,

	|| !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE,

		      arg->princ, NULL)) {

		      arg->princ, NULL)) {

	 ret.code = KADM5_AUTH_DELETE;

	 ret.code = KADM5_AUTH_DELETE;

	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_principal",

	 log_unauth("kadm5_delete_principal", prime_arg,

		prime_arg, client_name.value, service_name.value,

	 		 &client_name, &service_name, rqstp);

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    } else {

    } else {

	 ret.code = kadm5_delete_principal((void *)handle, arg->princ);

	 ret.code = kadm5_delete_principal((void *)handle, arg->princ);

	 if( ret.code == 0 )

	 if( ret.code == 0 )

Lines 416-425	Link Here

	 else

	 else

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_principal",

	 log_done("kadm5_delete_principal", prime_arg, errmsg,

			  prime_arg, errmsg,

			  &client_name, &service_name, rqstp);

			  client_name.value, service_name.value,

			  inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

	 /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */

	 /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */

Lines 469-477	Link Here

	|| kadm5int_acl_impose_restrictions(handle->context,

	|| kadm5int_acl_impose_restrictions(handle->context,

				   &arg->rec, &arg->mask, rp)) {

				   &arg->rec, &arg->mask, rp)) {

	 ret.code = KADM5_AUTH_MODIFY;

	 ret.code = KADM5_AUTH_MODIFY;

	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_principal",

	 log_unauth("kadm5_modify_principal", prime_arg,

		prime_arg, client_name.value, service_name.value,

	 		 &client_name, &service_name, rqstp);

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    } else {

    } else {

	 ret.code = kadm5_modify_principal((void *)handle, &arg->rec,

	 ret.code = kadm5_modify_principal((void *)handle, &arg->rec,

						arg->mask);

						arg->mask);

Lines 480-489	Link Here

	 else

	 else

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_principal",

	 log_done("kadm5_modify_principal", prime_arg, errmsg,

			  prime_arg, errmsg,

			  &client_name, &service_name, rqstp);

			  client_name.value, service_name.value,

			  inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

	 /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */

	 /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */

Lines 546-554	Link Here

    } else

    } else

	 ret.code = KADM5_AUTH_INSUFFICIENT;

	 ret.code = KADM5_AUTH_INSUFFICIENT;

    if (ret.code != KADM5_OK) {

    if (ret.code != KADM5_OK) {

	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_rename_principal",

	 log_unauth("kadm5_rename_principal", prime_arg,

		prime_arg, client_name.value, service_name.value,

	 		 &client_name, &service_name, rqstp);

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    } else {

    } else {

	 ret.code = kadm5_rename_principal((void *)handle, arg->src,

	 ret.code = kadm5_rename_principal((void *)handle, arg->src,

						arg->dest);

						arg->dest);

Lines 557-566	Link Here

	 else

	 else

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_rename_principal",

	 log_done("kadm5_rename_principal", prime_arg, errmsg,

		prime_arg, errmsg,

		&client_name, &service_name, rqstp);

		client_name.value, service_name.value,

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    free_server_handle(handle);

    free_server_handle(handle);

    free(prime_arg1);

    free(prime_arg1);

Lines 614-622	Link Here

					       arg->princ,

					       arg->princ,

					       NULL))) {

					       NULL))) {

	 ret.code = KADM5_AUTH_GET;

	 ret.code = KADM5_AUTH_GET;

	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,

	 log_unauth(funcname, prime_arg,

		prime_arg, client_name.value, service_name.value,

	 		 &client_name, &service_name, rqstp);

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    } else {

    } else {

	 if (handle->api_version == KADM5_API_VERSION_1) {

	 if (handle->api_version == KADM5_API_VERSION_1) {

	      ret.code  = kadm5_get_principal_v1((void *)handle,

	      ret.code  = kadm5_get_principal_v1((void *)handle,

Lines 636-646	Link Here

	 else

	 else

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,

	 log_done(funcname, prime_arg,  errmsg,

		prime_arg,

		&client_name, &service_name, rqstp);

		errmsg,

		client_name.value, service_name.value,

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    free_server_handle(handle);

    free_server_handle(handle);

Lines 688-696	Link Here

					      NULL,

					      NULL,

					      NULL)) {

					      NULL)) {

	 ret.code = KADM5_AUTH_LIST;

	 ret.code = KADM5_AUTH_LIST;

	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_principals",

	 log_unauth("kadm5_get_principals", prime_arg,

		prime_arg, client_name.value, service_name.value,

	 		 &client_name, &service_name, rqstp);

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    } else {

    } else {

	 ret.code  = kadm5_get_principals((void *)handle,

	 ret.code  = kadm5_get_principals((void *)handle,

					       arg->exp, &ret.princs,

					       arg->exp, &ret.princs,

Lines 700-710	Link Here

	 else

	 else

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_principals",

	 log_done("kadm5_get_principals", prime_arg, errmsg,

		prime_arg,

		&client_name, &service_name, rqstp);

		errmsg,

		client_name.value, service_name.value,

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    free_server_handle(handle);

    free_server_handle(handle);

Lines 755-763	Link Here

	 ret.code = kadm5_chpass_principal((void *)handle, arg->princ,

	 ret.code = kadm5_chpass_principal((void *)handle, arg->princ,

						arg->pass);

						arg->pass);

    } else {

    } else {

	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",

	 log_unauth("kadm5_chpass_principal", prime_arg,

		prime_arg, client_name.value, service_name.value,

	 		 &client_name, &service_name, rqstp);

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

	 ret.code = KADM5_AUTH_CHANGEPW;

	 ret.code = KADM5_AUTH_CHANGEPW;

Lines 767-776	Link Here

	 else

	 else

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",

	log_done("kadm5_chpass_principal", prime_arg, errmsg,

	       prime_arg, errmsg,

	       &client_name, &service_name, rqstp);

	       client_name.value, service_name.value,

	       inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    free_server_handle(handle);

    free_server_handle(handle);

Lines 828-836	Link Here

					     arg->ks_tuple,

					     arg->ks_tuple,

					     arg->pass);

					     arg->pass);

    } else {

    } else {

	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",

	 log_unauth("kadm5_chpass_principal", prime_arg,

		prime_arg, client_name.value, service_name.value,

	 		 &client_name, &service_name, rqstp);

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

	 ret.code = KADM5_AUTH_CHANGEPW;

	 ret.code = KADM5_AUTH_CHANGEPW;

Lines 840-849	Link Here

	else

	else

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",

	log_done("kadm5_chpass_principal", prime_arg, errmsg,

	       prime_arg, errmsg,

	       &client_name, &service_name, rqstp);

	       client_name.value, service_name.value,

	       inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    free_server_handle(handle);

    free_server_handle(handle);

Lines 892-900	Link Here

	 ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,

	 ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,

					     arg->keyblock);

					     arg->keyblock);

    } else {

    } else {

	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setv4key_principal",

	 log_unauth("kadm5_setv4key_principal", prime_arg,

		prime_arg, client_name.value, service_name.value,

	 		 &client_name, &service_name, rqstp);

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

	 ret.code = KADM5_AUTH_SETKEY;

	 ret.code = KADM5_AUTH_SETKEY;

Lines 904-913	Link Here

	else

	else

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setv4key_principal",

	log_done("kadm5_setv4key_principal", prime_arg, errmsg,

	       prime_arg, errmsg,

	       &client_name, &service_name, rqstp);

	       client_name.value, service_name.value,

	       inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    free_server_handle(handle);

    free_server_handle(handle);

Lines 956-964	Link Here

	 ret.code = kadm5_setkey_principal((void *)handle, arg->princ,

	 ret.code = kadm5_setkey_principal((void *)handle, arg->princ,

					   arg->keyblocks, arg->n_keys);

					   arg->keyblocks, arg->n_keys);

    } else {

    } else {

	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal",

	 log_unauth("kadm5_setkey_principal", prime_arg,

		prime_arg, client_name.value, service_name.value,

	 		 &client_name, &service_name, rqstp);

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

	 ret.code = KADM5_AUTH_SETKEY;

	 ret.code = KADM5_AUTH_SETKEY;

Lines 968-977	Link Here

	else

	else

	    errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	    errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal",

	log_done("kadm5_setkey_principal", prime_arg, errmsg,

	       prime_arg, errmsg,

	       &client_name, &service_name, rqstp);

	       client_name.value, service_name.value,

	       inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    free_server_handle(handle);

    free_server_handle(handle);

Lines 1023-1031	Link Here

					     arg->ks_tuple,

					     arg->ks_tuple,

					     arg->keyblocks, arg->n_keys);

					     arg->keyblocks, arg->n_keys);

    } else {

    } else {

	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal",

	 log_unauth("kadm5_setkey_principal", prime_arg,

		prime_arg, client_name.value, service_name.value,

	 		 &client_name, &service_name, rqstp);

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

	 ret.code = KADM5_AUTH_SETKEY;

	 ret.code = KADM5_AUTH_SETKEY;

Lines 1035-1044	Link Here

	else

	else

	    errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	    errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal",

	log_done("kadm5_setkey_principal", prime_arg, errmsg,

	       prime_arg, errmsg,

	 		 &client_name, &service_name, rqstp);

	       client_name.value, service_name.value,

	       inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    free_server_handle(handle);

    free_server_handle(handle);

Lines 1097-1105	Link Here

	 ret.code = kadm5_randkey_principal((void *)handle, arg->princ,

	 ret.code = kadm5_randkey_principal((void *)handle, arg->princ,

					    &k, &nkeys);

					    &k, &nkeys);

    } else {

    } else {

	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,

	 log_unauth(funcname, prime_arg,

		prime_arg, client_name.value, service_name.value,

	 		 &client_name, &service_name, rqstp);

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

	 ret.code = KADM5_AUTH_CHANGEPW;

	 ret.code = KADM5_AUTH_CHANGEPW;

Lines 1119-1128	Link Here

	else

	else

	    errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	    errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,

	log_done(funcname, prime_arg, errmsg,

	       prime_arg, errmsg,

	 		 &client_name, &service_name, rqstp);

	       client_name.value, service_name.value,

	       inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    free_server_handle(handle);

    free_server_handle(handle);

    free(prime_arg);

    free(prime_arg);

Lines 1185-1193	Link Here

					      arg->ks_tuple,

					      arg->ks_tuple,

					      &k, &nkeys);

					      &k, &nkeys);

    } else {

    } else {

	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,

	 log_unauth(funcname, prime_arg,

		prime_arg, client_name.value, service_name.value,

	 		 &client_name, &service_name, rqstp);

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

	 ret.code = KADM5_AUTH_CHANGEPW;

	 ret.code = KADM5_AUTH_CHANGEPW;

Lines 1207-1216	Link Here

	else

	else

	    errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	    errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,

	log_done(funcname, prime_arg, errmsg,

	       prime_arg, errmsg,

	 		 &client_name, &service_name, rqstp);

	       client_name.value, service_name.value,

	       inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    free_server_handle(handle);

    free_server_handle(handle);

    free(prime_arg);

    free(prime_arg);

Lines 1253-1261	Link Here

					      rqst2name(rqstp),

					      rqst2name(rqstp),

					      ACL_ADD, NULL, NULL)) {

					      ACL_ADD, NULL, NULL)) {

	 ret.code = KADM5_AUTH_ADD;

	 ret.code = KADM5_AUTH_ADD;

	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_policy",

	 log_unauth("kadm5_create_policy", prime_arg,

		prime_arg, client_name.value, service_name.value,

	 		 &client_name, &service_name, rqstp);

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    } else {

    } else {

	 ret.code = kadm5_create_policy((void *)handle, &arg->rec,

	 ret.code = kadm5_create_policy((void *)handle, &arg->rec,

Lines 1265-1275	Link Here

	 else

	 else

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_policy",

	 log_done("kadm5_create_policy",

		((prime_arg == NULL) ? "(null)" : prime_arg),

		((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,

		errmsg,

	 	&client_name, &service_name, rqstp);

		client_name.value, service_name.value,

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    free_server_handle(handle);

    free_server_handle(handle);

    gss_release_buffer(&minor_stat, &client_name);

    gss_release_buffer(&minor_stat, &client_name);

Lines 1310-1318	Link Here

    if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,

    if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,

					      rqst2name(rqstp),

					      rqst2name(rqstp),

					      ACL_DELETE, NULL, NULL)) {

					      ACL_DELETE, NULL, NULL)) {

	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_policy",

	 log_unauth("kadm5_delete_policy", prime_arg,

		prime_arg, client_name.value, service_name.value,

	 		 &client_name, &service_name, rqstp);

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

	 ret.code = KADM5_AUTH_DELETE;

	 ret.code = KADM5_AUTH_DELETE;

    } else {

    } else {

	 ret.code = kadm5_delete_policy((void *)handle, arg->name);

	 ret.code = kadm5_delete_policy((void *)handle, arg->name);

Lines 1321-1331	Link Here

	 else

	 else

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_policy",

	 log_done("kadm5_delete_policy",

		((prime_arg == NULL) ? "(null)" : prime_arg),

		((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,

		errmsg,

		&client_name, &service_name, rqstp);

		client_name.value, service_name.value,

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    free_server_handle(handle);

    free_server_handle(handle);

    gss_release_buffer(&minor_stat, &client_name);

    gss_release_buffer(&minor_stat, &client_name);

Lines 1366-1374	Link Here

    if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,

    if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,

					      rqst2name(rqstp),

					      rqst2name(rqstp),

					      ACL_MODIFY, NULL, NULL)) {

					      ACL_MODIFY, NULL, NULL)) {

	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_policy",

	 log_unauth("kadm5_modify_policy", prime_arg,

		prime_arg, client_name.value, service_name.value,

		&client_name, &service_name, rqstp);

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

	 ret.code = KADM5_AUTH_MODIFY;

	 ret.code = KADM5_AUTH_MODIFY;

    } else {

    } else {

	 ret.code = kadm5_modify_policy((void *)handle, &arg->rec,

	 ret.code = kadm5_modify_policy((void *)handle, &arg->rec,

Lines 1378-1388	Link Here

	 else

	 else

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_policy",

	 log_done("kadm5_modify_policy",

		((prime_arg == NULL) ? "(null)" : prime_arg),

		((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,

		errmsg,

		&client_name, &service_name, rqstp);

		client_name.value, service_name.value,

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    free_server_handle(handle);

    free_server_handle(handle);

    gss_release_buffer(&minor_stat, &client_name);

    gss_release_buffer(&minor_stat, &client_name);

Lines 1464-1478	Link Here

	 else

	 else

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,

	 log_done(funcname,

		((prime_arg == NULL) ? "(null)" : prime_arg),

		((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,

		errmsg,

		&client_name, &service_name, rqstp);

		client_name.value, service_name.value,

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    } else {

    } else {

	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,

	 log_unauth(funcname, prime_arg,

		prime_arg, client_name.value, service_name.value,

		&client_name, &service_name, rqstp);

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    free_server_handle(handle);

    free_server_handle(handle);

    gss_release_buffer(&minor_stat, &client_name);

    gss_release_buffer(&minor_stat, &client_name);

Lines 1517-1525	Link Here

					      rqst2name(rqstp),

					      rqst2name(rqstp),

					      ACL_LIST, NULL, NULL)) {

					      ACL_LIST, NULL, NULL)) {

	 ret.code = KADM5_AUTH_LIST;

	 ret.code = KADM5_AUTH_LIST;

	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_policies",

	 log_unauth("kadm5_get_policies", prime_arg,

		prime_arg, client_name.value, service_name.value,

		&client_name, &service_name, rqstp);

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    } else {

    } else {

	 ret.code  = kadm5_get_policies((void *)handle,

	 ret.code  = kadm5_get_policies((void *)handle,

					       arg->exp, &ret.pols,

					       arg->exp, &ret.pols,

Lines 1529-1539	Link Here

	 else

	 else

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_policies",

	 log_done("kadm5_get_policies", prime_arg, errmsg,

		prime_arg,

		&client_name, &service_name, rqstp);

		errmsg,

		client_name.value, service_name.value,

		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    free_server_handle(handle);

    free_server_handle(handle);

    gss_release_buffer(&minor_stat, &client_name);

    gss_release_buffer(&minor_stat, &client_name);

Lines 1573-1583	Link Here

     else

     else

	 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

     krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_privs",

     log_done("kadm5_get_privs", client_name.value, errmsg,

	    client_name.value,

	    &client_name, &service_name, rqstp);

	    errmsg,

	    client_name.value, service_name.value,

	    inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

     free_server_handle(handle);

     free_server_handle(handle);

     gss_release_buffer(&minor_stat, &client_name);

     gss_release_buffer(&minor_stat, &client_name);

Lines 1594-1599	Link Here

     kadm5_server_handle_t	handle;

     kadm5_server_handle_t	handle;

     OM_uint32			minor_stat;

     OM_uint32			minor_stat;

     char                       *errmsg = 0;

     char                       *errmsg = 0;

	 size_t clen, slen;

	 char *cdots, *sdots;

     xdr_free(xdr_generic_ret, &ret);

     xdr_free(xdr_generic_ret, &ret);

Lines 1611-1623	Link Here

     if (ret.code != 0)

     if (ret.code != 0)

	 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

 	 	 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

     krb5_klog_syslog(LOG_NOTICE, LOG_DONE ", flavor=%d",

	 else

	 	 errmsg = "success";

	 clen = client_name.length;

	 trunc_name(&clen, &cdots);

	 slen = service_name.length;

	 trunc_name(&slen, &sdots);

     krb5_klog_syslog(LOG_NOTICE, "Request: %s, %.*s%s, %s, "

	 	"client=%.*s%s, service=%.*s%s, addr=%s, flavor=%d",

	    (ret.api_version == KADM5_API_VERSION_1 ?

	    (ret.api_version == KADM5_API_VERSION_1 ?

	     "kadm5_init (V1)" : "kadm5_init"),

	     "kadm5_init (V1)" : "kadm5_init"),

	    client_name.value,

	    clen, client_name.value, cdots, errmsg,

	    (ret.code == 0) ? "success" : errmsg,

	    clen, client_name.value, cdots,

	    client_name.value, service_name.value,

		slen, service_name.value, sdots,

	    inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),

	    inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),

	    rqstp->rq_cred.oa_flavor);

	    rqstp->rq_cred.oa_flavor);

     gss_release_buffer(&minor_stat, &client_name);

     gss_release_buffer(&minor_stat, &client_name);

(-) krb5-1.5.2.orig/src/kdc/do_tgs_req.c (-15 / +29 lines)

Lines 491-520	Link Here

	newtransited = 1;

	newtransited = 1;

    if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {

    if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {

	errcode = krb5_check_transited_list (kdc_context,

		unsigned int tlen;

		char *tdots;

		errcode = krb5_check_transited_list (kdc_context,

					     &enc_tkt_reply.transited.tr_contents,

					     &enc_tkt_reply.transited.tr_contents,

					     krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),

					     krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),

					     krb5_princ_realm (kdc_context, request->server));

					     krb5_princ_realm (kdc_context, request->server));

	if (errcode == 0) {

		tlen = enc_tkt_reply.transited.tr_contents.length;

	    setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);

		tdots = tlen > 125 ? "..." : "";

	} else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)

		tlen = tlen > 125 ? 125 : tlen;

	    krb5_klog_syslog (LOG_INFO,

			      "bad realm transit path from '%s' to '%s' via '%.*s'",

		if (errcode == 0) {

	    	setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);

		} else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)

	    	krb5_klog_syslog (LOG_INFO,

			      "bad realm transit path from '%s' to '%s' "

				  "via '%.*s%s'",

			      cname ? cname : "<unknown client>",

			      cname ? cname : "<unknown client>",

			      sname ? sname : "<unknown server>",

			      sname ? sname : "<unknown server>",

			      enc_tkt_reply.transited.tr_contents.length,

				  tlen,

			      enc_tkt_reply.transited.tr_contents.data);

			      enc_tkt_reply.transited.tr_contents.data,

	else {

				  tdots);

	    char *emsg = krb5_get_error_message(kdc_context, errcode);

		else {

	    krb5_klog_syslog (LOG_ERR,

	    	const char *emsg = krb5_get_error_message(kdc_context, errcode);

			      "unexpected error checking transit from '%s' to '%s' via '%.*s': %s",

	    	krb5_klog_syslog (LOG_ERR,

			      "unexpected error checking transit from "

				  "'%s' to '%s' via '%.*s%s': %s",

			      cname ? cname : "<unknown client>",

			      cname ? cname : "<unknown client>",

			      sname ? sname : "<unknown server>",

			      sname ? sname : "<unknown server>",

			      enc_tkt_reply.transited.tr_contents.length,

				  tlen,

			      enc_tkt_reply.transited.tr_contents.data,

			      enc_tkt_reply.transited.tr_contents.data,

			      emsg);

			      tdots, emsg);

	    krb5_free_error_message(kdc_context, emsg);

	    krb5_free_error_message(kdc_context, emsg);

    } else

    } else

	krb5_klog_syslog (LOG_INFO, "not checking transit path");

	krb5_klog_syslog (LOG_INFO, "not checking transit path");

    if (reject_bad_transit

    if (reject_bad_transit

Lines 542-547	Link Here

	if (!krb5_principal_compare(kdc_context, request->server, client2)) {

	if (!krb5_principal_compare(kdc_context, request->server, client2)) {

		if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))

		if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))

			tmp = 0;

			tmp = 0;

		if (tmp != NULL)

			limit_string(tmp);

		krb5_klog_syslog(LOG_INFO,

		krb5_klog_syslog(LOG_INFO,

				 "TGS_REQ %s: 2ND_TKT_MISMATCH: "

				 "TGS_REQ %s: 2ND_TKT_MISMATCH: "

				 "authtime %d, %s for %s, 2nd tkt client %s",

				 "authtime %d, %s for %s, 2nd tkt client %s",

Lines 816-821	Link Here

		krb5_klog_syslog(LOG_INFO,

		krb5_klog_syslog(LOG_INFO,

		       "TGS_REQ: issuing alternate <un-unparseable> TGT");

		       "TGS_REQ: issuing alternate <un-unparseable> TGT");

	    } else {

	    } else {

			limit_string(sname);

		krb5_klog_syslog(LOG_INFO,

		krb5_klog_syslog(LOG_INFO,

		       "TGS_REQ: issuing TGT %s", sname);

		       "TGS_REQ: issuing TGT %s", sname);

		free(sname);

		free(sname);

(-) krb5-1.5.2.orig/src/kdc/kdc_util.c (+1 lines)

Lines 404-409	Link Here

	krb5_db_free_principal(kdc_context, &server, nprincs);

	krb5_db_free_principal(kdc_context, &server, nprincs);

	if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {

	if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {

		limit_string(sname);

	    krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",

	    krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",

			     sname);

			     sname);

	    free(sname);

	    free(sname);

(-) krb5-1.5.2.orig/src/lib/kadm5/logger.c (-3 / +7 lines)

Lines 45-51	Link Here

#include <varargs.h>

#include <varargs.h>

#endif	/* HAVE_STDARG_H */

#endif	/* HAVE_STDARG_H */

#define	KRB5_KLOG_MAX_ERRMSG_SIZE	1024

#define	KRB5_KLOG_MAX_ERRMSG_SIZE	2048

#ifndef	MAXHOSTNAMELEN

#ifndef	MAXHOSTNAMELEN

#define	MAXHOSTNAMELEN	256

#define	MAXHOSTNAMELEN	256

#endif	/* MAXHOSTNAMELEN */

#endif	/* MAXHOSTNAMELEN */

Lines 261-267	Link Here

#endif	/* HAVE_SYSLOG */

#endif	/* HAVE_SYSLOG */

    /* Now format the actual message */

    /* Now format the actual message */

#if	HAVE_VSPRINTF

#if	HAVE_VSNPRINTF

    vsnprintf(cp, sizeof(outbuf) - (cp - outbuf), actual_format, ap);

#elif	HAVE_VSPRINTF

    vsprintf(cp, actual_format, ap);

    vsprintf(cp, actual_format, ap);

#else	/* HAVE_VSPRINTF */

#else	/* HAVE_VSPRINTF */

    sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1],

    sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1],

Lines 850-856	Link Here

    syslogp = &outbuf[strlen(outbuf)];

    syslogp = &outbuf[strlen(outbuf)];

    /* Now format the actual message */

    /* Now format the actual message */

#ifdef	HAVE_VSPRINTF

#ifdef	HAVE_VSNPRINTF

    vsnprintf(syslogp, sizeof(outbuf) - (syslogp - outbuf), format, arglist);

#elif	HAVE_VSPRINTF

    vsprintf(syslogp, format, arglist);

    vsprintf(syslogp, format, arglist);

#else	/* HAVE_VSPRINTF */

#else	/* HAVE_VSPRINTF */

    sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1],

    sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1],

Attachment #114844: The second patch to fix syslogging for bug #171889