krb5.git/src/lib/krb5/ccache, branch master Unnamed repository; edit this file 'description' to name the repository. Get time offsets for all keyring ccaches 2014-01-17T16:27:29+00:00 Greg Hudson ghudson@mit.edu 2014-01-16T22:48:54+00:00 e99c688913a7761c6adea9488ea9355f43539883 Move the time offset lookup from krb5_krcc_resolve to make_cache, so that we fetch time offsets for caches created by krb5_krcc_ptcursor_next. ticket: 7820 target_version: 1.12.2 tags: pullup 
Move the time offset lookup from krb5_krcc_resolve to make_cache, so
that we fetch time offsets for caches created by
krb5_krcc_ptcursor_next.

ticket: 7820
target_version: 1.12.2
tags: pullup
Work around Linux session keyring write behavior 2014-01-10T05:56:24+00:00 Greg Hudson ghudson@mit.edu 2014-01-09T05:18:44+00:00 0642afa544b00054048775d0b9796923bf018e22 If the session keyring matches the user session keyring, write explicitly to the user session keyring. Otherwise the kernel might create a new session keyring for the process, making the resulting cache collection invisible to other processes. ticket: 7814 target_version: 1.12.1 tags: pullup 
If the session keyring matches the user session keyring, write
explicitly to the user session keyring.  Otherwise the kernel might
create a new session keyring for the process, making the resulting
cache collection invisible to other processes.

ticket: 7814
target_version: 1.12.1
tags: pullup
Avoid keyctl purge in keyring ccache tests 2013-12-21T04:10:03+00:00 Greg Hudson ghudson@mit.edu 2013-12-20T20:19:06+00:00 94da4584645475272abec6259d1666e34bd59594 keyctl purge was added in keyutils 1.5 (released in March 2011). Use keyctl unlink to clean up keys instead, as it is more universal. ticket: 7810 target_version: 1.12.1 tags: pullup 
keyctl purge was added in keyutils 1.5 (released in March 2011).  Use
keyctl unlink to clean up keys instead, as it is more universal.

ticket: 7810
target_version: 1.12.1
tags: pullup
Set an error message when keyring get_princ fails 2013-12-21T04:10:03+00:00 Nalin Dahyabhai nalin@dahyabhai.net 2013-12-05T18:54:09+00:00 c25fc42e8eac7350209df61e4a7b9960d17755ca When attempting to use a keyring cache that doesn't exist, set an error message when we fail to read a principal name, as we do when we return the same error code when using a file ccache. [ghudson: removed unnecessary check for d->name nullity.] ticket: 7809 target_version: 1.12.1 tags: pullup 
When attempting to use a keyring cache that doesn't exist, set an error
message when we fail to read a principal name, as we do when we return
the same error code when using a file ccache.

[ghudson: removed unnecessary check for d->name nullity.]

ticket: 7809
target_version: 1.12.1
tags: pullup
make depend 2013-12-11T03:24:03+00:00 Tom Yu tlyu@mit.edu 2013-12-11T03:24:03+00:00 88bc9cfb9bcbdb0daffe02db5bdb8e22d14b6853 






Set expiration time on keys and keyrings
2013-11-15T23:17:59+00:00

Simo Sorce
simo@redhat.com

2013-11-15T21:36:05+00:00

29e60c5b7ac0980606971afc6fd6028bcf0c7f0f

By setting the timeout based on the credetial's timeout we let the
system automatically cleanup expired credentials.

[ghudson@mit.edu: simplified code slightly]

ticket: 7769 (new)
target_version: 1.12
tags: pullup





By setting the timeout based on the credetial's timeout we let the
system automatically cleanup expired credentials.

[ghudson@mit.edu: simplified code slightly]

ticket: 7769 (new)
target_version: 1.12
tags: pullup







Add support to store time offsets in cc_keyring
2013-11-15T23:17:59+00:00

Simo Sorce
simo@redhat.com

2013-11-14T22:23:59+00:00

fb4817a32d0c369049e0868468dd2eb75487630d

The code follows the same model used for the memory ccache type.  Time
offsets are stored in each credential cache in a special key just like
the principal name.  Legacy session caches do not store timestamps as
legacy code would fail when iterating over the new offset key.

[ghudson@mit.edu: minor formatting changes; note legacy session
exception in commit message]

ticket: 7768 (new)
target_version: 1.12
tags: pullup





The code follows the same model used for the memory ccache type.  Time
offsets are stored in each credential cache in a special key just like
the principal name.  Legacy session caches do not store timestamps as
legacy code would fail when iterating over the new offset key.

[ghudson@mit.edu: minor formatting changes; note legacy session
exception in commit message]

ticket: 7768 (new)
target_version: 1.12
tags: pullup







Catch more strtol() failures when using KEYRINGs
2013-11-12T16:13:51+00:00

Nalin Dahyabhai
nalin@dahyabhai.net

2013-11-11T18:10:08+00:00

5ac159e220297a8f62dd5edcec6f9b988b0627ea

When parsing what should be a UID while resolving a KEYRING ccache
name, don't just depend on strtol() to set errno when the residual
that we pass to it can't be parsed as a number.  In addition to
checking errno, pass in and check the value of an "endptr".

[ghudson@mit.edu: simplified slightly]

ticket: 7764 (new)
target_version: 1.12
tags: pullup





When parsing what should be a UID while resolving a KEYRING ccache
name, don't just depend on strtol() to set errno when the residual
that we pass to it can't be parsed as a number.  In addition to
checking errno, pass in and check the value of an "endptr".

[ghudson@mit.edu: simplified slightly]

ticket: 7764 (new)
target_version: 1.12
tags: pullup







Conditionally test KEYRING ccache type
2013-10-02T14:41:40+00:00

Greg Hudson
ghudson@mit.edu

2013-09-28T20:29:36+00:00

5d03cb6b235f0ee0e30b34630f95f208d6acd3d0

If the keyctl command is found and klist recognizes the KEYRING
credential cache type, then run several tests against keyring ccaches:
the collection test program in lib/krb5/ccache, the command-line
collection tests in tests/t_ccache.py, and some new tests to verify
legacy session cache behavior.  Much of the Python code in t_ccache.py
is moved into a new function named "collection_test" so we can run it
once against a DIR collection and once against a KEYRING collection.

Also: fix a memory leak in the collection test program; add a test for
iteration when the default cache name is a subsidiary name; use a
process keyring ccache in t_cc.c to avoid leaving behind empty
collections in the session keyring after each test run.

Adapted from a patch by simo@redhat.com.

ticket: 7711





If the keyctl command is found and klist recognizes the KEYRING
credential cache type, then run several tests against keyring ccaches:
the collection test program in lib/krb5/ccache, the command-line
collection tests in tests/t_ccache.py, and some new tests to verify
legacy session cache behavior.  Much of the Python code in t_ccache.py
is moved into a new function named "collection_test" so we can run it
once against a DIR collection and once against a KEYRING collection.

Also: fix a memory leak in the collection test program; add a test for
iteration when the default cache name is a subsidiary name; use a
process keyring ccache in t_cc.c to avoid leaving behind empty
collections in the session keyring after each test run.

Adapted from a patch by simo@redhat.com.

ticket: 7711







Support new KEYRING anchor names and big_key keys
2013-10-02T14:41:34+00:00

Greg Hudson
ghudson@mit.edu

2013-09-28T18:12:58+00:00

7c69a0372db5b7ed670ef3099a97942ede7a4739

Add support for the new anchor names persistent, user, and session.
The persistent anchor attempts to use a persistent keyring for a
specified uid, and falls back to the user keyring if it cannot; the
collection is stored at a fixed name within the persistent or user
keyring.  The session anchor uses the session keyring without legacy
semantics.

For all keyring types except legacy, attempt to use the "big_key" key
type on systems which have keyctl_get_persistent.  (They are
essentially unrelated features, but were added at the same time.)
This key type is stored in a kernel tmpfs and can store larger
tickets.

Since kernel commit 96b5c8fea6c0861621051290d705ec2e971963f1, new keys
created by add_key() only have VIEW permission for the user, and the
rest of the permissions require "possession," which means there is a
path from the thread, process, or session keyring to the key.  For the
user and persistent anchor types, we link the collection into the
process keyring to ensure that we have a possession rights on the
collection.

Adapted from a patch by simo@redhat.com.

ticket: 7711





Add support for the new anchor names persistent, user, and session.
The persistent anchor attempts to use a persistent keyring for a
specified uid, and falls back to the user keyring if it cannot; the
collection is stored at a fixed name within the persistent or user
keyring.  The session anchor uses the session keyring without legacy
semantics.

For all keyring types except legacy, attempt to use the "big_key" key
type on systems which have keyctl_get_persistent.  (They are
essentially unrelated features, but were added at the same time.)
This key type is stored in a kernel tmpfs and can store larger
tickets.

Since kernel commit 96b5c8fea6c0861621051290d705ec2e971963f1, new keys
created by add_key() only have VIEW permission for the user, and the
rest of the permissions require "possession," which means there is a
path from the thread, process, or session keyring to the key.  For the
user and persistent anchor types, we link the collection into the
process keyring to ensure that we have a possession rights on the
collection.

Adapted from a patch by simo@redhat.com.

ticket: 7711