kdc: remember kvno numbers for longterm key pre-auth
authorStefan Metzmacher <metze@samba.org>
Fri, 4 Mar 2022 23:39:14 +0000 (00:39 +0100)
committerJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 8 Nov 2023 21:19:16 +0000 (10:19 +1300)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
MR: https://github.com/heimdal/heimdal/pull/970

kdc/kdc-audit.h
kdc/kerberos5.c

index 1e58c258ae748a7fb0ca29b1d3b87d0d2385271f..df5362031f5ae72128eb35c963e8af2dc1d73821 100644 (file)
 #define KDC_REQUEST_KV_AUTH_EVENT              "#auth_event"           /* heim_number_t */
 #define KDC_REQUEST_KV_PA_NAME                 "pa"                    /* heim_string_t */
 #define KDC_REQUEST_KV_PA_ETYPE                        "pa-etype"              /* heim_number_t */
+#define KDC_REQUEST_KV_PA_SUCCEEDED_KVNO       "pa-succeeded-kvno"     /* heim_number_t */
+#define KDC_REQUEST_KV_PA_FAILED_KVNO          "pa-failed-kvno"        /* heim_number_t */
 #define KDC_REQUEST_KV_GSS_INITIATOR           "gss_initiator"         /* heim_string_t */
 #define KDC_REQUEST_KV_PKINIT_CLIENT_CERT      "pkinit_client_cert"    /* heim_string_t */
+#define KDC_REQUEST_KV_PA_HISTORIC_KVNO                "pa-historic-kvno"      /* heim_number_t */
 
 #endif /* HEIMDAL_KDC_KDC_AUDIT_H */
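Review bot: The three new kvno keys are not kept together: `KDC_REQUEST_KV_PA_SUCCEEDED_KVNO` and `KDC_REQUEST_KV_PA_FAILED_KVNO` are inserted after `KDC_REQUEST_KV_PA_ETYPE`, while `KDC_REQUEST_KV_PA_HISTORIC_KVNO` is added on its own after `KDC_REQUEST_KV_PKINIT_CLIENT_CERT` with a different column alignment. Moving the historic key up next to the other two keeps the pa-* keys in one place and lets a single comment describe the trio. As written each key carries only its value-type comment, so a reader of the audit output has to find the call sites in kerberos5.c to learn what the numbers mean; I would put a short comment above the group such as `/* kvno of the long-term key tried by enc-challenge / enc-timestamp pre-auth: the kvno that validated, the kvno that failed, and the older kvno that still decrypted when the current one did not */`.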
index bde3585e16207aafd1ac73797a5ee2b9c23419dc..49d7ea40d49653155d3972ee1b9161328e1bc511 100644 (file)
@@ -828,6 +828,9 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
                       estr, r->cname);
        free(estr);
        free_EncryptedData(&enc_data);
+       kdc_audit_setkv_number((kdc_request_t)r,
+                              KDC_REQUEST_KV_PA_FAILED_KVNO,
+                              kvno);
        return ret;
     }
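Review bot: The same three-line `kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_PA_FAILED_KVNO, kvno);` block is repeated verbatim here and in the hunks at @@ -858, @@ -1070 and @@ -1078, and the success-path counterpart at @@ -943 and @@ -1180 differs only in the key; a small static helper wrapping the cast and the call, e.g. `pa_audit_kvno(r, KDC_REQUEST_KV_PA_FAILED_KVNO, kvno);`, would turn eight copies into one line each and make a later change to the audit call a single edit. Independently of that, this early-return path runs before the PREAUTH_FAILED branch that follows, so the value recorded here depends on `kvno` already holding the kvno used for the first decrypt attempt rather than something assigned only on success; pa_enc_chal_validate starts outside the hunk, so I could not confirm where `kvno` is assigned, and it is worth checking that no `return ret` on this path can record an uninitialized or stale kvno. Both pa_enc_chal_validate and pa_enc_ts_validate begin and end outside their hunks.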
     if (ret == KRB5KRB_AP_ERR_SKEW) {
@@ -858,6 +861,10 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
         * via pa_enc_chal_decrypt_kvno()
         */
 
+       kdc_audit_setkv_number((kdc_request_t)r,
+                              KDC_REQUEST_KV_PA_FAILED_KVNO,
+                              kvno);
+
        /*
         * Check if old and older keys are
         * able to decrypt.
@@ -879,6 +886,9 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
                                            NULL, /* KDCchallengekey */
                                            NULL); /* used_key */
            if (hret == 0) {
+               kdc_audit_setkv_number((kdc_request_t)r,
+                                      KDC_REQUEST_KV_PA_HISTORIC_KVNO,
+                                      hkvno);
                break;
            }
            if (hret == KRB5KDC_ERR_ETYPE_NOSUPP) {
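Review bot: The audit value written on `hret == 0` is immediately followed by `break`, so `pa-historic-kvno` records only the first older kvno in the loop's order that decrypts and is absent when none does, and that meaning is not obvious at the call site. A one-line comment above the call, `/* first historic kvno (in loop order) that still decrypts; see KDC_REQUEST_KV_PA_HISTORIC_KVNO */`, would make it explicit, and the same applies to the twin at @@ -1096 in pa_enc_ts_validate. Operationally this key is likely the signal that a client presented credentials from before a key change, so the kdc-audit.h comment for it could also say that it is expected to appear together with `pa-failed-kvno` rather than `pa-succeeded-kvno`, which is what a log consumer needs to alert on it correctly. The loop and pa_enc_chal_validate continue outside the hunk.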
@@ -943,6 +953,9 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
                   kstr ? kstr : "unknown enctype");
        kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
                               KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY);
+       kdc_audit_setkv_number((kdc_request_t)r,
+                              KDC_REQUEST_KV_PA_SUCCEEDED_KVNO,
+                              kvno);
        return 0;
     }
 
@@ -1070,6 +1083,9 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
                       estr, r->cname);
        free(estr);
        free_EncryptedData(&enc_data);
+       kdc_audit_setkv_number((kdc_request_t)r,
+                              KDC_REQUEST_KV_PA_FAILED_KVNO,
+                              kvno);
        goto out;
     }
     if (ret == KRB5KDC_ERR_PREAUTH_FAILED) {
@@ -1078,6 +1094,10 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
        krb5_error_code hret = ret;
        int hi;
 
+       kdc_audit_setkv_number((kdc_request_t)r,
+                              KDC_REQUEST_KV_PA_FAILED_KVNO,
+                              kvno);
+
        /*
         * Check if old and older keys are
         * able to decrypt.
@@ -1096,6 +1116,9 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
                                          NULL); /* pa_key */
            if (hret == 0) {
                krb5_data_free(&ts_data);
+               kdc_audit_setkv_number((kdc_request_t)r,
+                                      KDC_REQUEST_KV_PA_HISTORIC_KVNO,
+                                      hkvno);
                break;
            }
            if (hret == KRB5KDC_ERR_ETYPE_NOSUPP) {
@@ -1180,6 +1203,9 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
                           pa_key->key.keytype);
     kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
                           KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY);
+    kdc_audit_setkv_number((kdc_request_t)r,
+                          KDC_REQUEST_KV_PA_SUCCEEDED_KVNO,
+                          kvno);
 
     ret = 0;