krb5 commit: Make KDC "status" statements more homogeneous

Zhanna A Tsitkova tsitkova at MIT.EDU
Wed Feb 19 14:39:37 EST 2014


https://github.com/krb5/krb5/commit/daa80b9f4a478ce57be08f9dc3b7d5e65c6e7e66
commit daa80b9f4a478ce57be08f9dc3b7d5e65c6e7e66
Author: Zhanna Tsitkov <tsitkova at mit.edu>
Date:   Mon Dec 23 09:23:54 2013 -0500

    Make KDC "status" statements more homogeneous
    
    Generally we want KDC status strings to be concise, informative and follow
    some common rules:
    
    - All letters in the status string should be capitalized;
    - the words in the status phrase are separated by underscores;
    - abbreviations should be avoided.  Some acceptable "standard" acronyms
      are AS_REQ, TGS_REP etc.
    - since in almost all cases KDC status is set on error, no need
      to state this fact as part of the status string;
    - KDC status string should be an imperative phrase.
    
    For example, "DECRYPT_SERVER_KEY".
    
    This commit is to modify some KDC status messages to follow this format.
    
    Even though KDC status messages are not standardized, it is possible that some
    administrators use them in the Kerberos log file processing. Hence, the vast
    majority of them are left unchanged pending further investigation (mostly,
    feedback from the administrators).

 src/kdc/do_as_req.c  |   26 +++++++++++++-------------
 src/kdc/do_tgs_req.c |   16 ++++++++--------
 src/kdc/kdc_log.c    |   14 ++++++++++++++
 3 files changed, 35 insertions(+), 21 deletions(-)

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 95c3e23..5057067 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -279,7 +279,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
     errcode = krb5_encrypt_tkt_part(kdc_context, &state->server_keyblock,
                                     &state->ticket_reply);
     if (errcode) {
-        state->status = "ENCRYPTING_TICKET";
+        state->status = "ENCRYPT_TICKET";
         goto egress;
     }
 
@@ -296,7 +296,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
                                               &state->reply,
                                               state->client_keyblock.enctype);
     if (errcode) {
-        state->status = "fast response handling";
+        state->status = "MAKE_FAST_RESPONSE";
         goto egress;
     }
 
@@ -307,7 +307,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
     errcode = kdc_fast_handle_reply_key(state->rstate, &state->client_keyblock,
                                         &as_encrypting_key);
     if (errcode) {
-        state->status = "generating reply key";
+        state->status = "MAKE_FAST_REPLY_KEY";
         goto egress;
     }
     errcode = return_enc_padata(kdc_context, state->req_pkt, state->request,
@@ -508,7 +508,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     state->au_state = au_state;
 
     if (state->request->msg_type != KRB5_AS_REQ) {
-        state->status = "msg_type mismatch";
+        state->status = "VALIDATE_MESSAGE_TYPE";
         errcode = KRB5_BADMSGTYPE;
         goto errout;
     }
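Review bot: The reason for this rejection, which the old string "msg_type mismatch" carried, is no longer recorded anywhere once the status becomes `VALIDATE_MESSAGE_TYPE`. The anonymous-principal hunk further down keeps the old wording as a comment, and the same should be done here, e.g. `/* Request msg_type is not KRB5_AS_REQ. */` above the assignment. The same applies to `VALIDATE_TRANSIT_TYPE` in do_tgs_req.c, where `BAD_TRTYPE` said what was wrong. With the imperative form, a reader of the KDC log presumably has to pair the status with the error code to tell a rejected request from an internal failure such as `MAKE_RANDOM_KEY`. process_as_req starts and ends outside this hunk.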
@@ -519,13 +519,13 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     if (fetch_asn1_field((unsigned char *) req_pkt->data,
                          1, 4, &encoded_req_body) != 0) {
         errcode = ASN1_BAD_ID;
-        state->status = "Finding req_body";
+        state->status = "FETCH_REQ_BODY";
         goto errout;
     }
     errcode = kdc_find_fast(&state->request, &encoded_req_body, NULL, NULL,
                             state->rstate, &state->inner_body);
     if (errcode) {
-        state->status = "error decoding FAST";
+        state->status = "FIND_FAST";
         goto errout;
     }
     if (state->inner_body == NULL) {
@@ -533,7 +533,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
         errcode = krb5_copy_data(kdc_context, &encoded_req_body,
                                  &state->inner_body);
         if (errcode) {
-            state->status = "storing req body";
+            state->status = "COPY_REQ_BODY";
             goto errout;
         }
     }
@@ -550,7 +550,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     if ((errcode = krb5_unparse_name(kdc_context,
                                      state->request->client,
                                      &state->cname))) {
-        state->status = "UNPARSING_CLIENT";
+        state->status = "UNPARSE_CLIENT";
         goto errout;
     }
     limit_string(state->cname);
@@ -563,7 +563,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     if ((errcode = krb5_unparse_name(kdc_context,
                                      state->request->server,
                                      &state->sname))) {
-        state->status = "UNPARSING_SERVER";
+        state->status = "UNPARSE_SERVER";
         goto errout;
     }
     limit_string(state->sname);
@@ -669,7 +669,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 
     if ((errcode = krb5_c_make_random_key(kdc_context, useenctype,
                                           &state->session_key))) {
-        state->status = "RANDOM_KEY_FAILED";
+        state->status = "MAKE_RANDOM_KEY";
         goto errout;
     }
 
@@ -753,8 +753,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
                                               state->request->client,
                                               krb5_anonymous_principal())) {
             errcode = KRB5KDC_ERR_BADOPTION;
-            state->status = "Anonymous requested but anonymous "
-                "principal not used.";
+            /* Anonymous requested but anonymous principal not used.*/
+            state->status = "VALIDATE_ANONYMOUS_PRINCIPAL";
             goto errout;
         }
         setflag(state->enc_tkt_reply.flags, TKT_FLG_ANONYMOUS);
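Review bot: The comment added above `state->status = "VALIDATE_ANONYMOUS_PRINCIPAL";` lacks the space before its closing delimiter; write `/* Anonymous requested but anonymous principal not used. */`. It would also read better placed above `errcode = KRB5KDC_ERR_BADOPTION;`, so that it describes the whole rejection rather than only the status assignment. The enclosing condition and process_as_req begin outside the hunk.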
@@ -763,7 +763,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
         errcode = krb5_copy_principal(kdc_context, krb5_anonymous_principal(),
                                       &state->request->client);
         if (errcode) {
-            state->status = "Copying anonymous principal";
+            state->status = "COPY_ANONYMOUS_PRINCIPAL";
             goto errout;
         }
         state->enc_tkt_reply.client = state->request->client;
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 6bc4f15..ef1aeed 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -209,7 +209,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     /* Reset sprinc because kdc_find_fast() can replace request. */
     sprinc = request->server;
     if (errcode !=0) {
-        status = "kdc_find_fast";
+        status = "FIND_FAST";
         goto cleanup;
     }
 
@@ -639,7 +639,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
         /* assemble new transited field into allocated storage */
         if (header_enc_tkt->transited.tr_type !=
             KRB5_DOMAIN_X500_COMPRESS) {
-            status = "BAD_TRTYPE";
+            status = "VALIDATE_TRANSIT_TYPE";
             errcode = KRB5KDC_ERR_TRTYPE_NOSUPP;
             goto cleanup;
         }
@@ -651,7 +651,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
                               header_ticket->server,
                               enc_tkt_reply.client,
                               request->server))) {
-            status = "ADD_TR_FAIL";
+            status = "ADD_TO_TRANSITED_LIST";
             goto cleanup;
         }
         newtransited = 1;
@@ -722,7 +722,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
         krb5_free_keyblock_contents(kdc_context, &encrypting_key);
     if (errcode) {
-        status = "TKT_ENCRYPT";
+        status = "ENCRYPT_TICKET";
         goto cleanup;
     }
     ticket_reply.enc_part.kvno = ticket_kvno;
@@ -739,7 +739,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
                                         &reply,
                                         &reply_encpart);
         if (errcode) {
-            status = "KDC_RETURN_S4U2SELF_PADATA";
+            status = "MAKE_S4U2SELF_PADATA";
             au_state->status = status;
         }
         kau_s4u2self(kdc_context, errcode ? FALSE : TRUE, au_state);
@@ -779,13 +779,13 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     errcode  = kdc_fast_response_handle_padata(state, request, &reply,
                                                subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype);
     if (errcode !=0 ) {
-        status = "Preparing FAST padata";
+        status = "MAKE_FAST_RESPONSE";
         goto cleanup;
     }
     errcode =kdc_fast_handle_reply_key(state,
                                        subkey?subkey:header_ticket->enc_part2->session, &reply_key);
     if (errcode) {
-        status  = "generating reply key";
+        status  = "MAKE_FAST_REPLY_KEY";
         goto cleanup;
     }
     errcode = return_enc_padata(kdc_context, pkt, request,
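Review bot: The rewritten line `status  = "MAKE_FAST_REPLY_KEY";` keeps the stray double space before `=`; since the line is touched anyway, it should be `status = "MAKE_FAST_REPLY_KEY";`. The neighbouring context lines (`if (errcode !=0 ) {`, `errcode =kdc_fast_handle_reply_key(`) have similar spacing irregularities that could go into a separate whitespace cleanup. process_tgs_req extends beyond the hunk on both sides.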
@@ -1066,7 +1066,7 @@ gen_session_key(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
     retval = krb5_c_make_random_key(kdc_context, useenctype, skey);
     if (retval != 0) {
         /* random key failed */
-        *status = "RANDOM_KEY_FAILED";
+        *status = "MAKE_RANDOM_KEY";
         goto cleanup;
     }
 cleanup:
diff --git a/src/kdc/kdc_log.c b/src/kdc/kdc_log.c
index b1555b1..94a2a1c 100644
--- a/src/kdc/kdc_log.c
+++ b/src/kdc/kdc_log.c
@@ -29,6 +29,20 @@
 #include <syslog.h>
 #include "adm_proto.h"
 
+/*
+ * A note on KDC-status string format.
+ *
+ * - All letters in the status string should be capitalized;
+ * - the words in the status phrase are separated by underscores;
+ * - abbreviations should be avoided.  Some acceptable "standard" acronyms
+ *   are AS_REQ, TGS_REP etc.
+ * - since in almost all cases KDC status string is set on error, no need
+ *   to state this fact as part of the status string;
+ * - KDC status string should be an imperative phrase.
+ *
+ * Example: "MAKE_RANDOM_KEY"
+ */
+
 /* Main logging routines for ticket requests.
 
    There are a few simple cases -- unparseable requests mainly --
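Review bot: The format note added to kdc_log.c lists the naming rules but omits the one constraint the commit message itself raises: administrators may match these strings when processing the KDC log. I would add a bullet such as ` * - status strings may be matched by log-processing tools, so renaming an existing one is a visible change and should be announced;`. This commit renames tokens that were already upper-case identifiers (`ENCRYPTING_TICKET`, `RANDOM_KEY_FAILED`, `BAD_TRTYPE`, `ADD_TR_FAIL`, `TKT_ENCRYPT`). A monitoring or alerting rule keyed to any of them would simply stop matching, with no error to flag it. The block comment that follows the note continues outside the hunk.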

