shishi-commit

[SCM] GNU shishi branch, master, updated. shishi-1-0-2-50-g4370162


From: Mats Erik Andersson
Subject: [SCM] GNU shishi branch, master, updated. shishi-1-0-2-50-g4370162
Date: Tue, 02 Sep 2014 15:41:41 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU shishi".

http://git.savannah.gnu.org/cgit/shishi.git/commit/?id=43701625b25369bcd34241fed622364ea11e2f29

The branch, master has been updated
       via  43701625b25369bcd34241fed622364ea11e2f29 (commit)
      from  fb1c9d5a3a33fb8c4ce26e4da29ff44d02e01636 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 43701625b25369bcd34241fed622364ea11e2f29
Author: Mats Erik Andersson <address@hidden>
Date:   Tue Sep 2 16:33:35 2014 +0200

    Examine every use of syslog().
    
    Redirect many messages using an explicit LOG_DAEMON,
    messages that clearly are of no security concern.
    Also change some priorities for better transparency
    and easier suppression of debugging traces.

-----------------------------------------------------------------------

Summary of changes:
 lib/error.c    |    9 ++++++---
 src/kdc.c      |   15 ++++++++++-----
 src/server.c   |   48 +++++++++++++++++++++++++++++-------------------
 src/shishid.c  |    7 ++++---
 src/starttls.c |   55 ++++++++++++++++++++++++++++++++-----------------------
 5 files changed, 81 insertions(+), 53 deletions(-)

diff --git a/lib/error.c b/lib/error.c
index 8f4d1c5..e2746bc 100644
--- a/lib/error.c
+++ b/lib/error.c
@@ -331,7 +331,8 @@ shishi_info (Shishi * handle, const char *format, ...)
     case SHISHI_OUTPUTTYPE_SYSLOG:
       /* If we don't have syslog, log to stderr... */
 #ifdef HAVE_SYSLOG
-      syslog (LOG_ERR, _("libshishi: info: %s"), out);
+      /* Which facility is optimal?  */
+      syslog (LOG_INFO, _("libshishi: info: %s"), out);
       break;
 #endif
     case SHISHI_OUTPUTTYPE_STDERR:
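Review bot: The comment added above the syslog() call, `/* Which facility is optimal?  */`, records an open question rather than the decision taken, and the same comment is repeated in the shishi_warn and shishi_verbose hunks below. Since no facility is passed here, the message goes to whatever openlog() established in the calling process, and a comment that states that fact is more useful to the next reader, e.g. `/* No explicit facility: inherit the caller's openlog() setting; only the priority is chosen here.  */`. The enclosing function shishi_info starts and ends outside the hunk.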
@@ -370,7 +371,8 @@ shishi_warn (Shishi * handle, const char *format, ...)
     case SHISHI_OUTPUTTYPE_SYSLOG:
       /* If we don't have syslog, log to stderr... */
 #ifdef HAVE_SYSLOG
-      syslog (LOG_ERR, _("libshishi: warning: %s"), out);
+      /* Which facility is optimal?  */
+      syslog (LOG_WARNING, _("libshishi: warning: %s"), out);
       break;
 #endif
     case SHISHI_OUTPUTTYPE_STDERR:
@@ -414,7 +416,8 @@ shishi_verbose (Shishi * handle, const char *format, ...)
     case SHISHI_OUTPUTTYPE_SYSLOG:
       /* If we don't have syslog, log to stderr... */
 #ifdef HAVE_SYSLOG
-      syslog (LOG_DEBUG, "%s", out);
+      /* Which facility is optimal?  */
+      syslog (LOG_INFO, "%s", out);
       break;
 #endif
     case SHISHI_OUTPUTTYPE_STDERR:
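Review bot: shishi_verbose now logs at LOG_INFO instead of LOG_DEBUG, which works against the commit's stated aim of easier suppression of debugging traces: if verbose output is the trace-level output its name suggests, LOG_DEBUG is the priority a syslog filter drops first, whereas LOG_INFO places it alongside the daemon's ordinary operational messages. Consider keeping `syslog (LOG_DEBUG, "%s", out);` here, or documenting in the comment why verbose output is meant to be visible at the default level. The enclosing function starts and ends outside the hunk.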
diff --git a/src/kdc.c b/src/kdc.c
index 2c23c51..16bd968 100644
--- a/src/kdc.c
+++ b/src/kdc.c
@@ -20,7 +20,12 @@
  *
  */
 
-/* Note: only use syslog to report errors in this file. */
+/* Note: only use syslog to report errors in this file.
+ *
+ * XXX: Examine in detail the made choices of syslog facility.
+ *      Messages should not exessively use 'auth', be it as default
+ *      by openlog(), or explicitly.
+ */
 
 /* Get Shishid stuff. */
 #include "kdc.h"
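Review bot: The new block comment misspells "excessively" as `exessively` on its third line; `*      Messages should not excessively use 'auth', be it as default`. Its first line also still says syslog is only used to report errors in this file, while the asreq1 hunks below in this same commit log at LOG_DEBUG for key matching, which is not an error; widening it to `/* Note: only use syslog for reporting in this file.` would match what the code does, though the rest of the file is not visible here to confirm.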
@@ -116,8 +121,8 @@ asreq1 (Shishi_as * as)
   if (rc == SHISA_NO_PRINCIPAL)
     {
       syslog (LOG_NOTICE,
-             "AS-REQ from address@hidden for address@hidden failed: no such 
server", username,
-             realm, servername, realm);
+             "AS-REQ from address@hidden for address@hidden failed: no such 
server",
+             username, realm, servername, realm);
       rc =
        shishi_krberror_errorcode_set (handle, shishi_as_krberror (as),
                                       SHISHI_KDC_ERR_S_PRINCIPAL_UNKNOWN);
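Review bot: The AS-REQ failure message interpolates `username`, `realm` and `servername`, which presumably are decoded straight from the client's request, so a principal name containing a newline or other control characters is written into the log verbatim; syslog() does not sanitize its %s arguments, and whether the receiving syslogd escapes them is deployment-dependent. Filtering non-printable bytes, or logging a bounded escaped form, keeps the audit trail parseable by whatever consumes it. The same applies to the 'No matching client keys' message in a later hunk of this file. asreq1 starts and ends outside the hunk.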
@@ -184,7 +189,7 @@ asreq1 (Shishi_as * as)
       if (userdbkey == NULL)
        for (j = 0; j < nuserkeys; j++)
          {
-           /* Keep facility coordinated with 'AS-REQ as ...'.  */
+           /* Keep facility coordinated with 'AS-REQ from ...'.  */
            syslog (LOG_DEBUG,
                    "Matching client etype %d against user key etype %d",
                    etype, userkeys[j]->etype);
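Review bot: The comment `/* Keep facility coordinated with 'AS-REQ from ...'.  */` speaks of a facility, but neither this `syslog (LOG_DEBUG, ...)` nor the AS-REQ message it refers to passes one; both fall back to the openlog() default, so what is actually coordinated is the absence of an explicit facility. Saying so spares the reader a hunt for a LOG_* facility that is not there, e.g. `/* No explicit facility, as for the 'AS-REQ from ...' messages: both rely on the openlog() default.  */`. The same wording recurs in the next hunk ('Again keeping facility coordinated ...').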
@@ -195,7 +200,7 @@ asreq1 (Shishi_as * as)
 
   if (userdbkey == NULL)
     {
-      /* Again keeping facility coordinated with 'AS-REQ as ...'.  */
+      /* Again keeping facility coordinated with 'AS-REQ from ...'.  */
       syslog (LOG_NOTICE, "No matching client keys for address@hidden",
              username, realm);
       rc = shishi_krberror_errorcode_set (handle, shishi_as_krberror (as),
diff --git a/src/server.c b/src/server.c
index b7461e8..b5914ec 100644
--- a/src/server.c
+++ b/src/server.c
@@ -64,7 +64,8 @@ kdc_close (struct listenspec *ls)
   struct listenspec *tmp;
   int rc;
 
-  syslog (LOG_INFO, "Closing %s socket %d", ls->str, ls->sockfd);
+  syslog (LOG_DEBUG | LOG_DAEMON,
+         "Closing %s socket %d", ls->str, ls->sockfd);
 
 #ifdef USE_STARTTLS
   if (ls->usetls)
@@ -74,7 +75,8 @@ kdc_close (struct listenspec *ls)
       while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED);
 
       if (rc != GNUTLS_E_SUCCESS)
-       syslog (LOG_ERR, "TLS terminate failed to %s on socket %d (%d): %s",
+       syslog (LOG_ERR | LOG_DAEMON,
+               "TLS terminate failed to %s on socket %d (%d): %s",
                ls->str, ls->sockfd, rc, gnutls_strerror (rc));
 
       gnutls_deinit (ls->session);
@@ -85,7 +87,8 @@ kdc_close (struct listenspec *ls)
     {
       rc = close (ls->sockfd);
       if (rc != 0)
-       syslog (LOG_ERR, "Close failed to %s on socket %d (%d): %s",
+       syslog (LOG_ERR | LOG_DAEMON,
+               "Close failed to %s on socket %d (%d): %s",
                ls->str, ls->sockfd, rc, strerror (rc));
     }
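Review bot: The rewritten syslog() call in kdc_close still passes `strerror (rc)`, but `rc` is the return value of close(), which is -1 on failure, so the message text describes the wrong error; the cause is in errno. Change the argument line to `ls->str, ls->sockfd, errno, strerror (errno));` — the equivalent message in kdc_unlisten (src/shishid.c in this same commit) already reports errno that way. kdc_close's body continues outside the hunk.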
 
@@ -122,13 +125,16 @@ kdc_send1 (struct listenspec *ls)
   while (sent_bytes == -1 && errno == EAGAIN);
 
   if (sent_bytes < 0)
-    syslog (LOG_ERR, "Error writing %zu bytes to %s on socket %d: %s",
+    syslog (LOG_ERR | LOG_DAEMON,
+           "Error writing %zu bytes to %s on socket %d: %s",
            ls->bufpos, ls->str, ls->sockfd, strerror (errno));
   else if ((size_t) sent_bytes > ls->bufpos)
-    syslog (LOG_ERR, "Overlong write (%zu > %zu) to %s on socket %d",
+    syslog (LOG_ERR | LOG_DAEMON,
+           "Overlong write (%zu > %zu) to %s on socket %d",
            sent_bytes, ls->bufpos, ls->str, ls->sockfd);
   else if ((size_t) sent_bytes < ls->bufpos)
-    syslog (LOG_ERR, "Short write (%zu < %zu) to %s on socket %d",
+    syslog (LOG_ERR | LOG_DAEMON,
+           "Short write (%zu < %zu) to %s on socket %d",
            sent_bytes, ls->bufpos, ls->str, ls->sockfd);
 }
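Review bot: In the 'Overlong write' and 'Short write' messages `sent_bytes` is printed with %zu, yet the surrounding comparisons cast it via `(size_t) sent_bytes` and the loop condition tests `sent_bytes == -1`, which suggests it is a signed ssize_t; passing a signed value for %zu is a format/argument mismatch. Either print it with `%zd` or pass `(size_t) sent_bytes` to match the conversion, as the comparisons already do. The declaration of sent_bytes is in the part of kdc_send1 outside the hunk, so confirm its type there.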
 
@@ -171,8 +177,8 @@ kdc_extension_reject (struct listenspec *ls)
   size_t derlen;
   int rc;
 
-  syslog (LOG_INFO, "Reject extension from %s on socket %d",
-         ls->str, ls->sockfd);
+  syslog (LOG_NOTICE | LOG_AUTH,
+         "Reject extension from %s on socket %d", ls->str, ls->sockfd);
 
   krberr = shishi_krberror (handle);
   if (!krberr)
@@ -183,7 +189,7 @@ kdc_extension_reject (struct listenspec *ls)
   if (rc != SHISHI_OK)
     return rc;
 
-  rc = shishi_krberror_set_etext (handle, krberr, "Extension not support");
+  rc = shishi_krberror_set_etext (handle, krberr, "Extension not supported");
   if (rc != SHISHI_OK)
     return rc;
 
@@ -245,12 +251,14 @@ kdc_read (struct listenspec *ls)
     {
 #ifdef USE_STARTTLS
       if (ls->usetls)
-       syslog (LOG_ERR, "Corrupt TLS data from %s on socket %d (%zd): %s",
+       syslog (LOG_ERR | LOG_DAEMON,
+               "Corrupt TLS data from %s on socket %d (%zd): %s",
                ls->str, ls->sockfd, read_bytes,
                gnutls_strerror (read_bytes));
       else
 #endif
-       syslog (LOG_ERR, "Error reading from %s on socket %d (%zd): %s",
+       syslog (LOG_ERR | LOG_DAEMON,
+               "Error reading from %s on socket %d (%zd): %s",
                ls->str, ls->sockfd, read_bytes, strerror (read_bytes));
       return -1;
     }
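Review bot: The non-TLS branch passes `strerror (read_bytes)`, but on a plain socket `read_bytes` is the count returned by the read (presumably -1 on this error path), not an errno value, so the message names the wrong error; only the TLS branch's `gnutls_strerror (read_bytes)` is right, because GnuTLS returns its error codes in-band. Use `ls->str, ls->sockfd, read_bytes, strerror (errno));` for the plain-socket case, reading errno before any other call can overwrite it. The assignment to read_bytes is outside the hunk, so verify the -1 convention there.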
@@ -328,7 +336,8 @@ kdc_process (struct listenspec *ls)
 
   if (plen <= 0)
     {
-      syslog (LOG_ERR, "Processing request failed on socket %d", ls->sockfd);
+      syslog (LOG_ERR | LOG_DAEMON,
+             "Processing request failed on socket %d", ls->sockfd);
       memcpy (ls->buf, fatal_krberror, fatal_krberror_len);
       ls->bufpos = fatal_krberror_len;
     }
@@ -354,9 +363,9 @@ ctrlc (int signum)
 
 #define MAX(a,b) ((a) > (b) ? (a) : (b))
 
-/* Main KDC logic, loop around select and call kdc_accept, kdc_read,
-   kdc_extension, kdc_process and kdc_send.  This return when the
-   SIGINT or SIGTERM signals are received. */
+/* Main KDC logic, loops around select and calls kdc_accept, kdc_read,
+   kdc_extension, kdc_process and kdc_send.  This returns when either
+   of the signals SIGINT or SIGTERM is received. */
 void
 kdc_loop (void)
 {
@@ -369,10 +378,10 @@ kdc_loop (void)
   signal (SIGTERM, ctrlc);
 
 #ifdef USE_STARTTLS
-  syslog (LOG_DEBUG | LOG_DAEMON, "Starting (GNUTLS `%s')",
+  syslog (LOG_INFO | LOG_DAEMON, "Starting (GNUTLS `%s')",
          gnutls_check_version (NULL));
 #else
-  syslog (LOG_DEBUG | LOG_DAEMON, "Starting (no TLS)");
+  syslog (LOG_INFO | LOG_DAEMON, "Starting (no TLS)");
 #endif
 
   while (!quit)
@@ -399,7 +408,8 @@ kdc_loop (void)
       if (rc < 0)
        {
          if (errno != EINTR)
-           syslog (LOG_ERR, "Error listening on sockets (%d): %s",
+           syslog (LOG_ERR | LOG_DAEMON,
+                   "Error listening on sockets (%d): %s",
                    rc, strerror (errno));
          continue;
        }
@@ -421,5 +431,5 @@ kdc_loop (void)
          }
     }
 
-  syslog (LOG_DEBUG | LOG_DAEMON, "Shutting down");
+  syslog (LOG_INFO | LOG_DAEMON, "Shutting down");
 }
diff --git a/src/shishid.c b/src/shishid.c
index b909e31..7d03dc5 100644
--- a/src/shishid.c
+++ b/src/shishid.c
@@ -139,7 +139,7 @@ kdc_unlisten (void)
       tmp = ls->next;
 
       if (!ls->listening)
-       syslog (LOG_NOTICE,
+       syslog (LOG_NOTICE | LOG_DAEMON,
                "Closing outstanding connection to %s on socket %d",
                ls->str, ls->sockfd);
 
@@ -149,7 +149,8 @@ kdc_unlisten (void)
            printf ("Closing %s (%s)...\n", ls->str, ls->addrname);
          rc = close (ls->sockfd);
          if (rc != 0)
-           syslog (LOG_ERR, "Could not close %s on socket %d: %s (%d)",
+           syslog (LOG_ERR | LOG_DAEMON,
+                   "Could not close %s on socket %d: %s (%d)",
                    ls->str, ls->sockfd, strerror (errno), errno);
        }
 
@@ -520,7 +521,7 @@ main (int argc, char *argv[])
 
   if (arg.version_given)
     {
-      version_etc (stdout, "shishid", PACKAGE_NAME, VERSION,
+      version_etc (stdout, "shishid", PACKAGE_NAME, PACKAGE_VERSION,
                   "Simon Josefsson", (char *) NULL);
       return EXIT_SUCCESS;
     }
diff --git a/src/starttls.c b/src/starttls.c
index 2436e1c..3033394 100644
--- a/src/starttls.c
+++ b/src/starttls.c
@@ -44,7 +44,8 @@ logcertinfo (gnutls_session_t session)
   rc = gnutls_x509_crt_init (&cert);
   if (rc < 0)
     {
-      syslog (LOG_ERR, "TLS xci failed (%d): %s", rc, gnutls_strerror (rc));
+      syslog (LOG_ERR | LOG_DAEMON, "TLS xci failed (%d): %s",
+             rc, gnutls_strerror (rc));
       return;
     }
 
@@ -66,7 +67,7 @@ logcertinfo (gnutls_session_t session)
                                     GNUTLS_X509_FMT_DER);
        if (rc < 0)
          {
-           syslog (LOG_ERR, "TLS xci[%zu] failed (%d): %s",
+           syslog (LOG_ERR | LOG_DAEMON, "TLS xci[%zu] failed (%d): %s",
                    i, rc, gnutls_strerror (rc));
            goto cleanup;
          }
@@ -76,7 +77,7 @@ logcertinfo (gnutls_session_t session)
                                 md5fingerprint, &md5fingerprintlen);
        if (rc != GNUTLS_E_SUCCESS)
          {
-           syslog (LOG_ERR, "TLS f[%zu] failed (%d): %s",
+           syslog (LOG_ERR | LOG_DAEMON, "TLS f[%zu] failed (%d): %s",
                    i, rc, gnutls_strerror (rc));
            goto cleanup;
          }
@@ -88,7 +89,7 @@ logcertinfo (gnutls_session_t session)
        expiration_time = gnutls_x509_crt_get_expiration_time (cert);
        if (expiration_time == (time_t) - 1)
          {
-           syslog (LOG_ERR, "TLS xcget[%zu] failed (%d): %s",
+           syslog (LOG_ERR | LOG_DAEMON, "TLS xcget[%zu] failed (%d): %s",
                    i, rc, gnutls_strerror (rc));
            goto cleanup;
          }
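Review bot: On the expiration-time failure path the message prints `rc` and `gnutls_strerror (rc)`, but gnutls_x509_crt_get_expiration_time() returns a time_t and does not set rc, so what is logged is the leftover from the preceding fingerprint call, which is GNUTLS_E_SUCCESS on this path. Log the failure without a code instead, e.g. `syslog (LOG_ERR | LOG_DAEMON, "TLS xcget[%zu] failed", i);`. The activation-time hunk that follows has the same stale-rc report. logcertinfo continues outside the hunk.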
@@ -96,7 +97,7 @@ logcertinfo (gnutls_session_t session)
        activation_time = gnutls_x509_crt_get_activation_time (cert);
        if (expiration_time == (time_t) - 1)
          {
-           syslog (LOG_ERR, "TLS xcgat[%zu] failed (%d): %s",
+           syslog (LOG_ERR | LOG_DAEMON, "TLS xcgat[%zu] failed (%d): %s",
                    i, rc, gnutls_strerror (rc));
            goto cleanup;
          }
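Review bot: The guard after `activation_time = gnutls_x509_crt_get_activation_time (cert);` tests `expiration_time` instead of `activation_time`, so a failed activation-time lookup is never detected and a -1 activation time flows on into the certificate report; change the condition to `if (activation_time == (time_t) - 1)`. As in the previous hunk, the `rc` printed here is stale because the time getter does not set it.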
@@ -112,7 +113,7 @@ logcertinfo (gnutls_session_t session)
        rc = gnutls_x509_crt_get_dn (cert, NULL, &subjectlen);
        if (rc != GNUTLS_E_SUCCESS && rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
          {
-           syslog (LOG_ERR, "TLS xcgd[%zu] failed (%d): %s",
+           syslog (LOG_ERR | LOG_DAEMON, "TLS xcgd[%zu] failed (%d): %s",
                    i, rc, gnutls_strerror (rc));
            goto cleanup;
          }
@@ -120,7 +121,7 @@ logcertinfo (gnutls_session_t session)
        rc = gnutls_x509_crt_get_dn (cert, subject, &subjectlen);
        if (rc != GNUTLS_E_SUCCESS)
          {
-           syslog (LOG_ERR, "TLS xcgd2[%zu] failed (%d): %s",
+           syslog (LOG_ERR | LOG_DAEMON, "TLS xcgd2[%zu] failed (%d): %s",
                    i, rc, gnutls_strerror (rc));
            goto cleanup;
          }
@@ -128,7 +129,7 @@ logcertinfo (gnutls_session_t session)
        rc = gnutls_x509_crt_get_issuer_dn (cert, NULL, &issuerlen);
        if (rc != GNUTLS_E_SUCCESS && rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
          {
-           syslog (LOG_ERR, "TLS xcgid[%zu] failed (%d): %s",
+           syslog (LOG_ERR | LOG_DAEMON, "TLS xcgid[%zu] failed (%d): %s",
                    i, rc, gnutls_strerror (rc));
            goto cleanup;
          }
@@ -136,7 +137,7 @@ logcertinfo (gnutls_session_t session)
        rc = gnutls_x509_crt_get_issuer_dn (cert, issuer, &issuerlen);
        if (rc != GNUTLS_E_SUCCESS)
          {
-           syslog (LOG_ERR, "TLS xcgid2[%zu] failed (%d): %s",
+           syslog (LOG_ERR | LOG_DAEMON, "TLS xcgid2[%zu] failed (%d): %s",
                    i, rc, gnutls_strerror (rc));
            goto cleanup;
          }
@@ -145,7 +146,7 @@ logcertinfo (gnutls_session_t session)
        rc = gnutls_x509_crt_get_serial (cert, NULL, &seriallen);
        if (rc != GNUTLS_E_SUCCESS && rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
          {
-           syslog (LOG_ERR, "TLS xcgs[%zu] failed (%d): %s",
+           syslog (LOG_ERR | LOG_DAEMON, "TLS xcgs[%zu] failed (%d): %s",
                    i, rc, gnutls_strerror (rc));
            goto cleanup;
          }
@@ -153,7 +154,7 @@ logcertinfo (gnutls_session_t session)
        rc = gnutls_x509_crt_get_serial (cert, serial, &seriallen);
        if (rc != GNUTLS_E_SUCCESS)
          {
-           syslog (LOG_ERR, "TLS xcgs2[%zu] failed (%d): %s",
+           syslog (LOG_ERR | LOG_DAEMON, "TLS xcgs2[%zu] failed (%d): %s",
                    i, rc, gnutls_strerror (rc));
            goto cleanup;
          }
@@ -177,6 +178,7 @@ logcertinfo (gnutls_session_t session)
        else
          validity = "valid";
 
+       /* This message can arguably belong to LOG_AUTH.  */
        syslog (LOG_INFO, "TLS client certificate `%s', issued by `%s', "
                "serial number `%s', MD5 fingerprint `%s', activated `%s', "
                "expires `%s', version #%d, key %s %d bits, currently %s",
@@ -197,6 +199,9 @@ logcertinfo (gnutls_session_t session)
 
   {
     unsigned int status;
+
+    /* Accept default syslog facility for these errors.
+     * They are clearly relevant as audit traces.  */
     rc = gnutls_certificate_verify_peers2 (session, &status);
     if (rc != GNUTLS_E_SUCCESS)
       syslog (LOG_ERR, "TLS client certificate failed (%d): %s",
@@ -224,6 +229,7 @@ logtlsinfo (gnutls_session_t session)
     gnutls_compression_get_name (gnutls_compression_get (session));
   int resumedp = gnutls_session_is_resumed (session);
 
+  /* This message can arguably belong to LOG_AUTH.  */
   syslog (LOG_INFO, "TLS handshake negotiated protocol `%s', "
          "key exchange `%s', certficate type `%s', cipher `%s', "
          "mac `%s', compression `%s', %s",
@@ -238,14 +244,15 @@ logtlsinfo (gnutls_session_t session)
   switch (cred)
     {
     case GNUTLS_CRD_ANON:
-      syslog (LOG_INFO,
+      syslog (LOG_INFO | LOG_DAEMON,
              "TLS anonymous authentication with %d bit Diffie-Hellman",
              gnutls_dh_get_prime_bits (session));
       break;
 
     case GNUTLS_CRD_CERTIFICATE:
       if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS)
-       syslog (LOG_INFO, "TLS certificate authentication with %d bit "
+       syslog (LOG_INFO | LOG_DAEMON,
+               "TLS certificate authentication with %d bits "
                "ephemeral Diffie-Hellman",
                gnutls_dh_get_prime_bits (session));
       logcertinfo (session);
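Review bot: The rewritten certificate-authentication message now reads `%d bits ephemeral Diffie-Hellman`, while the anonymous-authentication message three lines above in the same hunk keeps `%d bit Diffie-Hellman`; the two now disagree, and as a compound modifier before a noun the singular form is the conventional one. Revert the new line to `"TLS certificate authentication with %d bit "` so both messages match. logtlsinfo continues outside the hunk.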
@@ -255,7 +262,7 @@ logtlsinfo (gnutls_session_t session)
     case GNUTLS_CRD_PSK:
     case GNUTLS_CRD_IA:
     default:
-      syslog (LOG_ERR, "Unknown TLS authentication (%d)", cred);
+      syslog (LOG_ERR | LOG_DAEMON, "Unknown TLS authentication (%d)", cred);
       break;
     }
 }
@@ -279,6 +286,8 @@ kdc_extension (struct listenspec *ls)
                                  STARTTLS_LEN) != 0)
     return kdc_extension_reject (ls);
 
+  /* This message can arguably belong to LOG_AUTH,
+   * but leave it at the default facility.  */
   syslog (LOG_INFO, "Trying STARTTLS");
 
   memcpy (ls->buf, STARTTLS_SERVER_ACCEPT, STARTTLS_LEN);
@@ -289,32 +298,32 @@ kdc_extension (struct listenspec *ls)
   rc = gnutls_init (&ls->session, GNUTLS_SERVER);
   if (rc != GNUTLS_E_SUCCESS)
     {
-      syslog (LOG_ERR, "TLS initialization failed (%d): %s", rc,
-             gnutls_strerror (rc));
+      syslog (LOG_ERR | LOG_DAEMON, "TLS initialization failed (%d): %s",
+             rc, gnutls_strerror (rc));
       return -1;
     }
 
   rc = gnutls_priority_set_direct (ls->session, "NORMAL:+ANON-DH", NULL);
   if (rc != GNUTLS_E_SUCCESS)
     {
-      syslog (LOG_ERR, "TLS failed, gnutls_psd %d: %s", rc,
-             gnutls_strerror (rc));
+      syslog (LOG_ERR | LOG_DAEMON, "TLS failed, gnutls_psd %d: %s",
+             rc, gnutls_strerror (rc));
       return -1;
     }
 
   rc = gnutls_credentials_set (ls->session, GNUTLS_CRD_ANON, anoncred);
   if (rc != GNUTLS_E_SUCCESS)
     {
-      syslog (LOG_ERR, "TLS failed, gnutls_cs %d: %s", rc,
-             gnutls_strerror (rc));
+      syslog (LOG_ERR | LOG_DAEMON, "TLS failed, gnutls_cs %d: %s",
+             rc, gnutls_strerror (rc));
       return -1;
     }
 
   rc = gnutls_credentials_set (ls->session, GNUTLS_CRD_CERTIFICATE, x509cred);
   if (rc != GNUTLS_E_SUCCESS)
     {
-      syslog (LOG_ERR, "TLS failed, gnutls_cs X.509 %d: %s", rc,
-             gnutls_strerror (rc));
+      syslog (LOG_ERR | LOG_DAEMON, "TLS failed, gnutls_cs X.509 %d: %s",
+             rc, gnutls_strerror (rc));
       return -1;
     }
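Review bot: After gnutls_init() succeeds, the three failure paths that follow (priority string, anonymous credentials, X.509 credentials) `return -1` without releasing `ls->session`; unless the caller deinitializes it on this path, the session is leaked on every failed STARTTLS setup, and kdc_close() only calls gnutls_deinit when `ls->usetls` is set, which does not appear to happen within the visible lines. Add `gnutls_deinit (ls->session);` before each of those three returns, or route them through a common cleanup label. kdc_extension continues outside the hunk, and the handshake-failure hunk below has the same gap.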
 
@@ -331,7 +340,7 @@ kdc_extension (struct listenspec *ls)
   rc = gnutls_handshake (ls->session);
   if (rc < 0)
     {
-      syslog (LOG_ERR, "TLS handshake failed (%d): %s\n",
+      syslog (LOG_ERR | LOG_DAEMON, "TLS handshake failed (%d): %s\n",
              rc, gnutls_strerror (rc));
       return -1;
     }
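Review bot: The handshake-failure message keeps a trailing `\n` (`"TLS handshake failed (%d): %s\n"`) that no other syslog() message in this commit carries; syslog supplies its own record framing, so the newline yields an empty record or a literal escape depending on the backend. Drop it: `syslog (LOG_ERR | LOG_DAEMON, "TLS handshake failed (%d): %s",`. This path also returns -1 without a gnutls_deinit() of the session initialized earlier in kdc_extension, which starts outside the hunk.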


hooks/post-receive
-- 
GNU shishi


