Attachment #114844 for bug #171889

Lines 250-255 Link Here

(-)krb5-1.5.2.orig/src/kadmin/server/kadm_rpc_svc.c (-2 / +7 lines)
250	krb5_data c1, c2, *realm;	250	krb5_data c1, c2, *realm;
251	gss_buffer_desc gss_str;	251	gss_buffer_desc gss_str;
252	kadm5_server_handle_t handle;	252	kadm5_server_handle_t handle;
		253	size_t slen;
		254	char *sdots;
253		255
254	success = 0;	256	success = 0;
255	handle = (kadm5_server_handle_t)global_server_handle;	257	handle = (kadm5_server_handle_t)global_server_handle;
Lines 274-279 Link Here
274	if (ret == 0)	276	if (ret == 0)
275	goto fail_name;	277	goto fail_name;
276		278
		279	slen = gss_str.length;
		280	trunc_name(&slen, &sdots);
		281
277	/*	282	/*
278	* Since we accept with GSS_C_NO_NAME, the client can authenticate	283	* Since we accept with GSS_C_NO_NAME, the client can authenticate
279	* against the entire kdb. Therefore, ensure that the service	284	* against the entire kdb. Therefore, ensure that the service
Lines 296-303 Link Here
296		301
297	fail_princ:	302	fail_princ:
298	if (!success) {	303	if (!success) {
299	krb5_klog_syslog(LOG_ERR, "bad service principal %.*s",	304	krb5_klog_syslog(LOG_ERR, "bad service principal %.*s%s",
300	gss_str.length, gss_str.value);	305	slen, gss_str.value, sdots);
301	}	306	}
302	gss_release_buffer(&min_stat, &gss_str);	307	gss_release_buffer(&min_stat, &gss_str);
303	krb5_free_principal(kctx, princ);	308	krb5_free_principal(kctx, princ);





    return kadm5_free_principal_ent(handle->lhandle, &princ);
}

#define MAXPRINCLEN 125

void
trunc_name(size_t *len, char **dots)
{
	*dots = *len > MAXPRINCLEN ? "..." : "";
	*len = *len > MAXPRINCLEN ? MAXPRINCLEN : *len;
}

Lines 45-47 Link Here

(-)krb5-1.5.2.orig/src/kadmin/server/misc.h (+2 lines)
45	#ifdef SVC_GETARGS	45	#ifdef SVC_GETARGS
46	void kadm_1(struct svc_req , SVCXPRT );	46	void kadm_1(struct svc_req , SVCXPRT );
47	#endif	47	#endif
		48
		49	void trunc_name(size_t len, char *dots);

Lines 989-994 Link Here

(-)krb5-1.5.2.orig/src/kadmin/server/ovsec_kadmd.c (-10 / +22 lines)
989	rpcproc_t proc;	989	rpcproc_t proc;
990	int i;	990	int i;
991	const char *procname;	991	const char *procname;
		992	size_t clen, slen;
		993	char cdots, sdots;
992		994
993	client.length = 0;	995	client.length = 0;
994	client.value = NULL;	996	client.value = NULL;
Lines 997-1006 Link Here
997		999
998	(void) gss_display_name(&minor, client_name, &client, &gss_type);	1000	(void) gss_display_name(&minor, client_name, &client, &gss_type);
999	(void) gss_display_name(&minor, server_name, &server, &gss_type);	1001	(void) gss_display_name(&minor, server_name, &server, &gss_type);
1000	if (client.value == NULL)	1002	if (client.value == NULL) {
1001	client.value = "(null)";	1003	client.value = "(null)";
1002	if (server.value == NULL)	1004	clen = sizeof("(null)") - 1;
1003	server.value = "(null)";	1005	} else {
		1006	clen = client.length;
		1007	}
		1008	trunc_name(&clen, &cdots);
		1009	if (server.value == NULL) {
		1010	server.value = "(null)";
		1011	slen = sizeof("(null)") - 1;
		1012	} else {
		1013	slen = server.length;
		1014	}
		1015	trunc_name(&slen, &sdots);
1004	a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr);	1016	a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr);
1005		1017
1006	proc = msg->rm_call.cb_proc;	1018	proc = msg->rm_call.cb_proc;
Lines 1013-1026 Link Here
1013	}	1025	}
1014	if (procname != NULL)	1026	if (procname != NULL)
1015	krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, "	1027	krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, "
1016	"claimed client = %s, server = %s, addr = %s",	1028	"claimed client = %.s%s, server = %.s%s, addr = %s",
1017	procname, client.value,	1029	procname, clen, client.value, cdots,
1018	server.value, a);	1030	slen, server.value, sdots, a);
1019	else	1031	else
1020	krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, "	1032	krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, "
1021	"claimed client = %s, server = %s, addr = %s",	1033	"claimed client = %.s%s, server = %.s%s, addr = %s",
1022	proc, client.value,	1034	proc, clen, client.value, cdots,
1023	server.value, a);	1035	slen, server.value, sdots, a);
1024		1036
1025	(void) gss_release_buffer(&minor, &client);	1037	(void) gss_release_buffer(&minor, &client);
1026	(void) gss_release_buffer(&minor, &server);	1038	(void) gss_release_buffer(&minor, &server);

Lines 40-45 Link Here

(-)krb5-1.5.2.orig/src/kadmin/server/schpw.c (-2 / +7 lines)
40	int numresult;	40	int numresult;
41	char strresult[1024];	41	char strresult[1024];
42	char *clientstr;	42	char *clientstr;
		43	size_t clen;
		44	char *cdots;
43		45
44	ret = 0;	46	ret = 0;
45	rep->length = 0;	47	rep->length = 0;
Lines 258-266 Link Here
258	free(ptr);	260	free(ptr);
259	clear.length = 0;	261	clear.length = 0;
260		262
261	krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %s: %s",	263	clen = strlen(clientstr);
		264	trunc_name(&clen, &cdots);
		265	krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s",
262	inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr),	266	inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr),
263	clientstr, ret ? krb5_get_error_message (context, ret) : "success");	267	clen, clientstr, cdots,
		268	ret ? krb5_get_error_message (context, ret) : "success");
264	krb5_free_unparsed_name(context, clientstr);	269	krb5_free_unparsed_name(context, clientstr);
265		270
266	if (ret) {	271	if (ret) {




#include <arpa/inet.h>  /* inet_ntoa */
#include <adm_proto.h>  /* krb5_klog_syslog */
#include "misc.h"
#include <string.h>

#define LOG_UNAUTH  "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s"
#define	LOG_DONE    "Request: %s, %s, %s, client=%s, service=%s, addr=%s"

     return 0;
}

static int
log_unauth(char *op, char *target, gss_buffer_t client, gss_buffer_t server, struct svc_req *rqstp)
{
	size_t tlen, clen, slen;
	char *tdots, *cdots, *sdots;

	tlen = strlen(target);
	trunc_name(&tlen, &tdots);
	clen = client->length;
	trunc_name(&clen, &cdots);
	slen = server->length;
	trunc_name(&slen, &sdots);

	return krb5_klog_syslog(LOG_NOTICE,
			"Unauthorized request: %s, %.*s%s, "
			"client=%.*s%s, service=%.*s%s, addr=%s",
			op, tlen, target, tdots,
			clen, client->value, cdots,
			slen, server->value, sdots,
			inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
}

static int
log_done(char *op, char *target, char *errmsg, gss_buffer_t client, gss_buffer_t server, struct svc_req *rqstp)
{
	size_t tlen, clen, slen;
	char *tdots, *cdots, *sdots;

	tlen = strlen(target);
	trunc_name(&tlen, &tdots);
	clen = client->length;
	trunc_name(&clen, &cdots);
	slen = server->length;
	trunc_name(&slen, &sdots);

	return krb5_klog_syslog(LOG_NOTICE,
			"Request: %s, %.*s%s, %s, "
			"client=%.*s%s, service=%.*s%s, addr=%s",
			op, tlen, target, tdots, errmsg,
			clen, client->value, cdots,
			slen, server->value, sdots,
			inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
}

generic_ret *
create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
{

	|| kadm5int_acl_impose_restrictions(handle->context,
				   &arg->rec, &arg->mask, rp)) {
	 ret.code = KADM5_AUTH_ADD;
	 log_unauth("kadm5_create_principal", prime_arg,
		&client_name, &service_name, rqstp);
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    } else {
	 ret.code = kadm5_create_principal((void *)handle,
						&arg->rec, arg->mask,

	 else
	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 log_done("kadm5_create_principal", prime_arg, errmsg,
			&client_name, &service_name, rqstp);
		client_name.value, service_name.value,
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

	 /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
    }

	|| kadm5int_acl_impose_restrictions(handle->context,
				   &arg->rec, &arg->mask, rp)) {
	 ret.code = KADM5_AUTH_ADD;
	 log_unauth("kadm5_create_principal", prime_arg,
	 		 &client_name, &service_name, rqstp);
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    } else {
	 ret.code = kadm5_create_principal_3((void *)handle,
					     &arg->rec, arg->mask,

	 else
	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 log_done("kadm5_create_principal", prime_arg, errmsg,
		&client_name, &service_name, rqstp);
		client_name.value, service_name.value,
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

	 /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
    }

	|| !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE,
		      arg->princ, NULL)) {
	 ret.code = KADM5_AUTH_DELETE;
	 log_unauth("kadm5_delete_principal", prime_arg,
	 		 &client_name, &service_name, rqstp);
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    } else {
	 ret.code = kadm5_delete_principal((void *)handle, arg->princ);
	 if( ret.code == 0 )

	 else
	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 log_done("kadm5_delete_principal", prime_arg, errmsg,
			  &client_name, &service_name, rqstp);
			  client_name.value, service_name.value,
			  inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

	 /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
    }

	|| kadm5int_acl_impose_restrictions(handle->context,
				   &arg->rec, &arg->mask, rp)) {
	 ret.code = KADM5_AUTH_MODIFY;
	 log_unauth("kadm5_modify_principal", prime_arg,
	 		 &client_name, &service_name, rqstp);
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    } else {
	 ret.code = kadm5_modify_principal((void *)handle, &arg->rec,
						arg->mask);

	 else
	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 log_done("kadm5_modify_principal", prime_arg, errmsg,
			  &client_name, &service_name, rqstp);
			  client_name.value, service_name.value,
			  inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

	 /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
    }

    } else
	 ret.code = KADM5_AUTH_INSUFFICIENT;
    if (ret.code != KADM5_OK) {
	 log_unauth("kadm5_rename_principal", prime_arg,
	 		 &client_name, &service_name, rqstp);
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    } else {
	 ret.code = kadm5_rename_principal((void *)handle, arg->src,
						arg->dest);

	 else
	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 log_done("kadm5_rename_principal", prime_arg, errmsg,
		&client_name, &service_name, rqstp);
		client_name.value, service_name.value,
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    }
    free_server_handle(handle);
    free(prime_arg1);

					       arg->princ,
					       NULL))) {
	 ret.code = KADM5_AUTH_GET;
	 log_unauth(funcname, prime_arg,
	 		 &client_name, &service_name, rqstp);
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    } else {
	 if (handle->api_version == KADM5_API_VERSION_1) {
	      ret.code  = kadm5_get_principal_v1((void *)handle,

	 else
	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 log_done(funcname, prime_arg,  errmsg,
		&client_name, &service_name, rqstp);
		errmsg,
		client_name.value, service_name.value,
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    }
    free_server_handle(handle);

					      NULL,
					      NULL)) {
	 ret.code = KADM5_AUTH_LIST;
	 log_unauth("kadm5_get_principals", prime_arg,
	 		 &client_name, &service_name, rqstp);
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    } else {
	 ret.code  = kadm5_get_principals((void *)handle,
					       arg->exp, &ret.princs,

	 else
	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 log_done("kadm5_get_principals", prime_arg, errmsg,
		&client_name, &service_name, rqstp);
		errmsg,
		client_name.value, service_name.value,
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

    }
    free_server_handle(handle);

	 ret.code = kadm5_chpass_principal((void *)handle, arg->princ,
						arg->pass);
    } else {
	 log_unauth("kadm5_chpass_principal", prime_arg,
	 		 &client_name, &service_name, rqstp);
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
	 ret.code = KADM5_AUTH_CHANGEPW;
    }


	 else
	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	log_done("kadm5_chpass_principal", prime_arg, errmsg,
	       &client_name, &service_name, rqstp);
	       client_name.value, service_name.value,
	       inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    }

    free_server_handle(handle);

					     arg->ks_tuple,
					     arg->pass);
    } else {
	 log_unauth("kadm5_chpass_principal", prime_arg,
	 		 &client_name, &service_name, rqstp);
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
	 ret.code = KADM5_AUTH_CHANGEPW;
    }


	else
	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	log_done("kadm5_chpass_principal", prime_arg, errmsg, 
	       &client_name, &service_name, rqstp);
	       client_name.value, service_name.value,
	       inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    }

    free_server_handle(handle);

	 ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
					     arg->keyblock);
    } else {
	 log_unauth("kadm5_setv4key_principal", prime_arg,
	 		 &client_name, &service_name, rqstp);
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
	 ret.code = KADM5_AUTH_SETKEY;
    }


	else
	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	log_done("kadm5_setv4key_principal", prime_arg, errmsg, 
	       &client_name, &service_name, rqstp);
	       client_name.value, service_name.value,
	       inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    }

    free_server_handle(handle);

	 ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
					   arg->keyblocks, arg->n_keys);
    } else {
	 log_unauth("kadm5_setkey_principal", prime_arg,
	 		 &client_name, &service_name, rqstp);
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
	 ret.code = KADM5_AUTH_SETKEY;
    }


	else
	    errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	log_done("kadm5_setkey_principal", prime_arg, errmsg, 
	       &client_name, &service_name, rqstp);
	       client_name.value, service_name.value,
	       inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    }

    free_server_handle(handle);

					     arg->ks_tuple,
					     arg->keyblocks, arg->n_keys);
    } else {
	 log_unauth("kadm5_setkey_principal", prime_arg,
	 		 &client_name, &service_name, rqstp);
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
	 ret.code = KADM5_AUTH_SETKEY;
    }


	else
	    errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	log_done("kadm5_setkey_principal", prime_arg, errmsg, 
	 		 &client_name, &service_name, rqstp);
	       client_name.value, service_name.value,
	       inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    }

    free_server_handle(handle);

	 ret.code = kadm5_randkey_principal((void *)handle, arg->princ,
					    &k, &nkeys);
    } else {
	 log_unauth(funcname, prime_arg,
	 		 &client_name, &service_name, rqstp);
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
	 ret.code = KADM5_AUTH_CHANGEPW;
    }


	else
	    errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	log_done(funcname, prime_arg, errmsg, 
	 		 &client_name, &service_name, rqstp);
	       client_name.value, service_name.value,
	       inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    }
    free_server_handle(handle);
    free(prime_arg);

					      arg->ks_tuple,
					      &k, &nkeys);
    } else {
	 log_unauth(funcname, prime_arg,
	 		 &client_name, &service_name, rqstp);
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
	 ret.code = KADM5_AUTH_CHANGEPW;
    }


	else
	    errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	log_done(funcname, prime_arg, errmsg, 
	 		 &client_name, &service_name, rqstp);
	       client_name.value, service_name.value,
	       inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    }
    free_server_handle(handle);
    free(prime_arg);

					      rqst2name(rqstp),
					      ACL_ADD, NULL, NULL)) {
	 ret.code = KADM5_AUTH_ADD;
	 log_unauth("kadm5_create_policy", prime_arg,
	 		 &client_name, &service_name, rqstp);
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
	 
    } else {
	 ret.code = kadm5_create_policy((void *)handle, &arg->rec,

	 else
	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 log_done("kadm5_create_policy",
		((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, 
	 	&client_name, &service_name, rqstp);
		client_name.value, service_name.value,
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));	 
    }
    free_server_handle(handle);
    gss_release_buffer(&minor_stat, &client_name);

    if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
					      rqst2name(rqstp),
					      ACL_DELETE, NULL, NULL)) {
	 log_unauth("kadm5_delete_policy", prime_arg,
	 		 &client_name, &service_name, rqstp);
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
	 ret.code = KADM5_AUTH_DELETE;
    } else {
	 ret.code = kadm5_delete_policy((void *)handle, arg->name);

	 else
	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 log_done("kadm5_delete_policy",
		((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, 
		&client_name, &service_name, rqstp);
		client_name.value, service_name.value,
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));	 
    }
    free_server_handle(handle);
    gss_release_buffer(&minor_stat, &client_name);

    if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
					      rqst2name(rqstp),
					      ACL_MODIFY, NULL, NULL)) {
	 log_unauth("kadm5_modify_policy", prime_arg,
		&client_name, &service_name, rqstp);
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
	 ret.code = KADM5_AUTH_MODIFY;
    } else {
	 ret.code = kadm5_modify_policy((void *)handle, &arg->rec,

	 else
	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 log_done("kadm5_modify_policy",
		((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, 
		&client_name, &service_name, rqstp);
		client_name.value, service_name.value,
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));	
    }
    free_server_handle(handle);
    gss_release_buffer(&minor_stat, &client_name);

	 else
	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 log_done(funcname,
		((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, 
		&client_name, &service_name, rqstp);
		client_name.value, service_name.value,
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));	 
    } else {
	 log_unauth(funcname, prime_arg,
		&client_name, &service_name, rqstp);
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    }
    free_server_handle(handle);
    gss_release_buffer(&minor_stat, &client_name);

					      rqst2name(rqstp),
					      ACL_LIST, NULL, NULL)) {
	 ret.code = KADM5_AUTH_LIST;
	 log_unauth("kadm5_get_policies", prime_arg,
		&client_name, &service_name, rqstp);
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    } else {
	 ret.code  = kadm5_get_policies((void *)handle,
					       arg->exp, &ret.pols,

	 else
	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

	 log_done("kadm5_get_policies", prime_arg, errmsg, 
		&client_name, &service_name, rqstp);
		errmsg, 
		client_name.value, service_name.value,
		inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
    }
    free_server_handle(handle);
    gss_release_buffer(&minor_stat, &client_name);

     else
	 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

     log_done("kadm5_get_privs", client_name.value, errmsg, 
	    &client_name, &service_name, rqstp);
	    errmsg, 
	    client_name.value, service_name.value,
	    inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));

     free_server_handle(handle);
     gss_release_buffer(&minor_stat, &client_name);

     kadm5_server_handle_t	handle;
     OM_uint32			minor_stat;
     char                       *errmsg = 0;
	 size_t clen, slen;
	 char *cdots, *sdots;

     xdr_free(xdr_generic_ret, &ret);


     }

     if (ret.code != 0)
 	 	 errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
	 else
	 	 errmsg = "success";

	 clen = client_name.length;
	 trunc_name(&clen, &cdots);
	 slen = service_name.length;
	 trunc_name(&slen, &sdots);
     krb5_klog_syslog(LOG_NOTICE, "Request: %s, %.*s%s, %s, "
	 	"client=%.*s%s, service=%.*s%s, addr=%s, flavor=%d",
	    (ret.api_version == KADM5_API_VERSION_1 ?
	     "kadm5_init (V1)" : "kadm5_init"),
	    clen, client_name.value, cdots, errmsg,
	    clen, client_name.value, cdots,
		slen, service_name.value, sdots,
	    inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
	    rqstp->rq_cred.oa_flavor);
     gss_release_buffer(&minor_stat, &client_name);




	newtransited = 1;
    }
    if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
		unsigned int tlen;
		char *tdots;

		errcode = krb5_check_transited_list (kdc_context,
					     &enc_tkt_reply.transited.tr_contents,
					     krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
					     krb5_princ_realm (kdc_context, request->server));
		tlen = enc_tkt_reply.transited.tr_contents.length;
		tdots = tlen > 125 ? "..." : "";
		tlen = tlen > 125 ? 125 : tlen;

		if (errcode == 0) {
	    	setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
		} else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
	    	krb5_klog_syslog (LOG_INFO,
			      "bad realm transit path from '%s' to '%s' "
				  "via '%.*s%s'",
			      cname ? cname : "<unknown client>",
			      sname ? sname : "<unknown server>",
				  tlen,
			      enc_tkt_reply.transited.tr_contents.data,
				  tdots);
		else {
	    	const char *emsg = krb5_get_error_message(kdc_context, errcode);
	    	krb5_klog_syslog (LOG_ERR,
			      "unexpected error checking transit from "
				  "'%s' to '%s' via '%.*s%s': %s",
			      cname ? cname : "<unknown client>",
			      sname ? sname : "<unknown server>",
				  tlen,
			      enc_tkt_reply.transited.tr_contents.data,
			      tdots, emsg);
	    krb5_free_error_message(kdc_context, emsg);
		}
    } else
	krb5_klog_syslog (LOG_INFO, "not checking transit path");
    if (reject_bad_transit

	if (!krb5_principal_compare(kdc_context, request->server, client2)) {
		if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
			tmp = 0;
		if (tmp != NULL)
			limit_string(tmp);

		krb5_klog_syslog(LOG_INFO,
				 "TGS_REQ %s: 2ND_TKT_MISMATCH: "
				 "authtime %d, %s for %s, 2nd tkt client %s",

		krb5_klog_syslog(LOG_INFO,
		       "TGS_REQ: issuing alternate <un-unparseable> TGT");
	    } else {
			limit_string(sname);
		krb5_klog_syslog(LOG_INFO,
		       "TGS_REQ: issuing TGT %s", sname);
		free(sname);

Lines 404-409 Link Here

(-)krb5-1.5.2.orig/src/kdc/kdc_util.c (+1 lines)
404		404
405	krb5_db_free_principal(kdc_context, &server, nprincs);	405	krb5_db_free_principal(kdc_context, &server, nprincs);
406	if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {	406	if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {
		407	limit_string(sname);
407	krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",	408	krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",
408	sname);	409	sname);
409	free(sname);	410	free(sname);

Lines 45-51 Link Here

(-)krb5-1.5.2.orig/src/lib/kadm5/logger.c (-3 / +7 lines)
45	#include <varargs.h>	45	#include <varargs.h>
46	#endif /* HAVE_STDARG_H */	46	#endif /* HAVE_STDARG_H */
47		47
48	#define KRB5_KLOG_MAX_ERRMSG_SIZE 1024	48	#define KRB5_KLOG_MAX_ERRMSG_SIZE 2048
49	#ifndef MAXHOSTNAMELEN	49	#ifndef MAXHOSTNAMELEN
50	#define MAXHOSTNAMELEN 256	50	#define MAXHOSTNAMELEN 256
51	#endif /* MAXHOSTNAMELEN */	51	#endif /* MAXHOSTNAMELEN */
Lines 261-267 Link Here
261	#endif /* HAVE_SYSLOG */	261	#endif /* HAVE_SYSLOG */
262		262
263	/* Now format the actual message */	263	/* Now format the actual message */
264	#if HAVE_VSPRINTF	264	#if HAVE_VSNPRINTF
		265	vsnprintf(cp, sizeof(outbuf) - (cp - outbuf), actual_format, ap);
		266	#elif HAVE_VSPRINTF
265	vsprintf(cp, actual_format, ap);	267	vsprintf(cp, actual_format, ap);
266	#else /* HAVE_VSPRINTF */	268	#else /* HAVE_VSPRINTF */
267	sprintf(cp, actual_format, ((int ) ap)[0], ((int ) ap)[1],	269	sprintf(cp, actual_format, ((int ) ap)[0], ((int ) ap)[1],
Lines 850-856 Link Here
850	syslogp = &outbuf[strlen(outbuf)];	852	syslogp = &outbuf[strlen(outbuf)];
851		853
852	/* Now format the actual message */	854	/* Now format the actual message */
853	#ifdef HAVE_VSPRINTF	855	#ifdef HAVE_VSNPRINTF
		856	vsnprintf(syslogp, sizeof(outbuf) - (syslogp - outbuf), format, arglist);
		857	#elif HAVE_VSPRINTF
854	vsprintf(syslogp, format, arglist);	858	vsprintf(syslogp, format, arglist);
855	#else /* HAVE_VSPRINTF */	859	#else /* HAVE_VSPRINTF */
856	sprintf(syslogp, format, ((int ) arglist)[0], ((int ) arglist)[1],	860	sprintf(syslogp, format, ((int ) arglist)[0], ((int ) arglist)[1],

Return to bug 171889

Lines 171-173 Link Here

(-)krb5-1.5.2.orig/src/kadmin/server/misc.c (+9 lines)
171		171
172	return kadm5_free_principal_ent(handle->lhandle, &princ);	172	return kadm5_free_principal_ent(handle->lhandle, &princ);
173	}	173	}
		174
		175	#define MAXPRINCLEN 125
		176
		177	void
		178	trunc_name(size_t len, char *dots)
		179	{
		180	dots = len > MAXPRINCLEN ? "..." : "";
		181	len = len > MAXPRINCLEN ? MAXPRINCLEN : *len;
		182	}

Lines 491-520 Link Here

(-)krb5-1.5.2.orig/src/kdc/do_tgs_req.c (-15 / +29 lines)
491	newtransited = 1;	491	newtransited = 1;
492	}	492	}
493	if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {	493	if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
494	errcode = krb5_check_transited_list (kdc_context,	494	unsigned int tlen;
		495	char *tdots;
		496
		497	errcode = krb5_check_transited_list (kdc_context,
495	&enc_tkt_reply.transited.tr_contents,	498	&enc_tkt_reply.transited.tr_contents,
496	krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),	499	krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
497	krb5_princ_realm (kdc_context, request->server));	500	krb5_princ_realm (kdc_context, request->server));
498	if (errcode == 0) {	501	tlen = enc_tkt_reply.transited.tr_contents.length;
499	setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);	502	tdots = tlen > 125 ? "..." : "";
500	} else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)	503	tlen = tlen > 125 ? 125 : tlen;
501	krb5_klog_syslog (LOG_INFO,	504
502	"bad realm transit path from '%s' to '%s' via '%.*s'",	505	if (errcode == 0) {
		506	setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
		507	} else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
		508	krb5_klog_syslog (LOG_INFO,
		509	"bad realm transit path from '%s' to '%s' "
		510	"via '%.*s%s'",
503	cname ? cname : "<unknown client>",	511	cname ? cname : "<unknown client>",
504	sname ? sname : "<unknown server>",	512	sname ? sname : "<unknown server>",
505	enc_tkt_reply.transited.tr_contents.length,	513	tlen,
506	enc_tkt_reply.transited.tr_contents.data);	514	enc_tkt_reply.transited.tr_contents.data,
507	else {	515	tdots);
508	char *emsg = krb5_get_error_message(kdc_context, errcode);	516	else {
509	krb5_klog_syslog (LOG_ERR,	517	const char *emsg = krb5_get_error_message(kdc_context, errcode);
510	"unexpected error checking transit from '%s' to '%s' via '%.*s': %s",	518	krb5_klog_syslog (LOG_ERR,
		519	"unexpected error checking transit from "
		520	"'%s' to '%s' via '%.*s%s': %s",
511	cname ? cname : "<unknown client>",	521	cname ? cname : "<unknown client>",
512	sname ? sname : "<unknown server>",	522	sname ? sname : "<unknown server>",
513	enc_tkt_reply.transited.tr_contents.length,	523	tlen,
514	enc_tkt_reply.transited.tr_contents.data,	524	enc_tkt_reply.transited.tr_contents.data,
515	emsg);	525	tdots, emsg);
516	krb5_free_error_message(kdc_context, emsg);	526	krb5_free_error_message(kdc_context, emsg);
517	}	527	}
518	} else	528	} else
519	krb5_klog_syslog (LOG_INFO, "not checking transit path");	529	krb5_klog_syslog (LOG_INFO, "not checking transit path");
520	if (reject_bad_transit	530	if (reject_bad_transit
Lines 542-547 Link Here
542	if (!krb5_principal_compare(kdc_context, request->server, client2)) {	552	if (!krb5_principal_compare(kdc_context, request->server, client2)) {
543	if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))	553	if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
544	tmp = 0;	554	tmp = 0;
		555	if (tmp != NULL)
		556	limit_string(tmp);
		557
545	krb5_klog_syslog(LOG_INFO,	558	krb5_klog_syslog(LOG_INFO,
546	"TGS_REQ %s: 2ND_TKT_MISMATCH: "	559	"TGS_REQ %s: 2ND_TKT_MISMATCH: "
547	"authtime %d, %s for %s, 2nd tkt client %s",	560	"authtime %d, %s for %s, 2nd tkt client %s",
Lines 816-821 Link Here
816	krb5_klog_syslog(LOG_INFO,	829	krb5_klog_syslog(LOG_INFO,
817	"TGS_REQ: issuing alternate <un-unparseable> TGT");	830	"TGS_REQ: issuing alternate <un-unparseable> TGT");
818	} else {	831	} else {
		832	limit_string(sname);
819	krb5_klog_syslog(LOG_INFO,	833	krb5_klog_syslog(LOG_INFO,
820	"TGS_REQ: issuing TGT %s", sname);	834	"TGS_REQ: issuing TGT %s", sname);
821	free(sname);	835	free(sname);