From daa80b9f4a478ce57be08f9dc3b7d5e65c6e7e66 Mon Sep 17 00:00:00 2001 From: Zhanna Tsitkov Date: Mon, 23 Dec 2013 09:23:54 -0500 Subject: Make KDC "status" statements more homogeneous Generally we want KDC status strings to be concise, informative and follow some common rules: - All letters in the status string should be capitalized; - the words in the status phrase are separated by underscore; - abbreviations should be avoided. Some acceptable "standard" acronyms are AS_REQ, TGS_REP etc. - since in almost all cases KDC status is set on error, no need to state this fact as part of the status string; - KDC status string should be an imperative phrase. For example, "DECRYPT_SERVER_KEY". This commit is to modify some KDC status messages to follow this format. Even though KDC status messages are not standardized, it is possible that some administrators use them in the Kerberos log file processing. Hence, the vast majority of them are left unchanged pending further investigation (mostly, feedback from the administrators). --- src/kdc/do_as_req.c | 26 +++++++++++++------------- src/kdc/do_tgs_req.c | 16 ++++++++-------- src/kdc/kdc_log.c | 14 ++++++++++++++ 3 files changed, 35 insertions(+), 21 deletions(-) diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 95c3e23620..5057067bd5 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -279,7 +279,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) errcode = krb5_encrypt_tkt_part(kdc_context, &state->server_keyblock, &state->ticket_reply); if (errcode) { - state->status = "ENCRYPTING_TICKET"; + state->status = "ENCRYPT_TICKET"; goto egress; } @@ -296,7 +296,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) &state->reply, state->client_keyblock.enctype); if (errcode) { - state->status = "fast response handling"; + state->status = "MAKE_FAST_RESPONSE"; goto egress; } @@ -307,7 +307,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) errcode = kdc_fast_handle_reply_key(state->rstate, &state->client_keyblock, &as_encrypting_key); if (errcode) { - state->status = "generating reply key"; + state->status = "MAKE_FAST_REPLY_KEY"; goto egress; } errcode = return_enc_padata(kdc_context, state->req_pkt, state->request, @@ -508,7 +508,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, state->au_state = au_state; if (state->request->msg_type != KRB5_AS_REQ) { - state->status = "msg_type mismatch"; + state->status = "VALIDATE_MESSAGE_TYPE"; errcode = KRB5_BADMSGTYPE; goto errout; } @@ -519,13 +519,13 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, if (fetch_asn1_field((unsigned char *) req_pkt->data, 1, 4, &encoded_req_body) != 0) { errcode = ASN1_BAD_ID; - state->status = "Finding req_body"; + state->status = "FETCH_REQ_BODY"; goto errout; } errcode = kdc_find_fast(&state->request, &encoded_req_body, NULL, NULL, state->rstate, &state->inner_body); if (errcode) { - state->status = "error decoding FAST"; + state->status = "FIND_FAST"; goto errout; } if (state->inner_body == NULL) { @@ -533,7 +533,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, errcode = krb5_copy_data(kdc_context, &encoded_req_body, &state->inner_body); if (errcode) { - state->status = "storing req body"; + state->status = "COPY_REQ_BODY"; goto errout; } } @@ -550,7 +550,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, if ((errcode = krb5_unparse_name(kdc_context, state->request->client, &state->cname))) { - state->status = "UNPARSING_CLIENT"; + state->status = "UNPARSE_CLIENT"; goto errout; } limit_string(state->cname); @@ -563,7 +563,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, if ((errcode = krb5_unparse_name(kdc_context, state->request->server, &state->sname))) { - state->status = "UNPARSING_SERVER"; + state->status = "UNPARSE_SERVER"; goto errout; } limit_string(state->sname); @@ -669,7 +669,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, if ((errcode = krb5_c_make_random_key(kdc_context, useenctype, &state->session_key))) { - state->status = "RANDOM_KEY_FAILED"; + state->status = "MAKE_RANDOM_KEY"; goto errout; } @@ -753,8 +753,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, state->request->client, krb5_anonymous_principal())) { errcode = KRB5KDC_ERR_BADOPTION; - state->status = "Anonymous requested but anonymous " - "principal not used."; + /* Anonymous requested but anonymous principal not used.*/ + state->status = "VALIDATE_ANONYMOUS_PRINCIPAL"; goto errout; } setflag(state->enc_tkt_reply.flags, TKT_FLG_ANONYMOUS); @@ -763,7 +763,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, errcode = krb5_copy_principal(kdc_context, krb5_anonymous_principal(), &state->request->client); if (errcode) { - state->status = "Copying anonymous principal"; + state->status = "COPY_ANONYMOUS_PRINCIPAL"; goto errout; } state->enc_tkt_reply.client = state->request->client; diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 6bc4f15c0e..ef1aeed87a 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -209,7 +209,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, /* Reset sprinc because kdc_find_fast() can replace request. */ sprinc = request->server; if (errcode !=0) { - status = "kdc_find_fast"; + status = "FIND_FAST"; goto cleanup; } @@ -639,7 +639,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, /* assemble new transited field into allocated storage */ if (header_enc_tkt->transited.tr_type != KRB5_DOMAIN_X500_COMPRESS) { - status = "BAD_TRTYPE"; + status = "VALIDATE_TRANSIT_TYPE"; errcode = KRB5KDC_ERR_TRTYPE_NOSUPP; goto cleanup; } @@ -651,7 +651,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, header_ticket->server, enc_tkt_reply.client, request->server))) { - status = "ADD_TR_FAIL"; + status = "ADD_TO_TRANSITED_LIST"; goto cleanup; } newtransited = 1; @@ -722,7 +722,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) krb5_free_keyblock_contents(kdc_context, &encrypting_key); if (errcode) { - status = "TKT_ENCRYPT"; + status = "ENCRYPT_TICKET"; goto cleanup; } ticket_reply.enc_part.kvno = ticket_kvno; @@ -739,7 +739,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, &reply, &reply_encpart); if (errcode) { - status = "KDC_RETURN_S4U2SELF_PADATA"; + status = "MAKE_S4U2SELF_PADATA"; au_state->status = status; } kau_s4u2self(kdc_context, errcode ? FALSE : TRUE, au_state); @@ -779,13 +779,13 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, errcode = kdc_fast_response_handle_padata(state, request, &reply, subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype); if (errcode !=0 ) { - status = "Preparing FAST padata"; + status = "MAKE_FAST_RESPONSE"; goto cleanup; } errcode =kdc_fast_handle_reply_key(state, subkey?subkey:header_ticket->enc_part2->session, &reply_key); if (errcode) { - status = "generating reply key"; + status = "MAKE_FAST_REPLY_KEY"; goto cleanup; } errcode = return_enc_padata(kdc_context, pkt, request, @@ -1066,7 +1066,7 @@ gen_session_key(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, retval = krb5_c_make_random_key(kdc_context, useenctype, skey); if (retval != 0) { /* random key failed */ - *status = "RANDOM_KEY_FAILED"; + *status = "MAKE_RANDOM_KEY"; goto cleanup; } cleanup: diff --git a/src/kdc/kdc_log.c b/src/kdc/kdc_log.c index b1555b1e95..94a2a1c87c 100644 --- a/src/kdc/kdc_log.c +++ b/src/kdc/kdc_log.c @@ -29,6 +29,20 @@ #include #include "adm_proto.h" +/* + * A note on KDC-status string format. + * + * - All letters in the status string should be capitalized; + * - the words in the status phrase are separated by underscores; + * - abbreviations should be avoided. Some acceptable "standard" acronyms + * are AS_REQ, TGS_REP etc. + * - since in almost all cases KDC status string is set on error, no need + * to state this fact as part of the status string; + * - KDC status string should be an imperative phrase. + * + * Example: "MAKE_RANDOM_KEY" + */ + /* Main logging routines for ticket requests. There are a few simple cases -- unparseable requests mainly -- -- cgit