<feed xmlns='http://www.w3.org/2005/Atom'>
<title>krb5.git/src/lib/krb5/ccache, branch gss_cs</title>
<subtitle>MIT Kerberos patches</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/'/>
<entry>
<title>Avoid keyctl purge in keyring ccache tests</title>
<updated>2013-12-21T04:10:03+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2013-12-20T20:19:06+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=94da4584645475272abec6259d1666e34bd59594'/>
<id>94da4584645475272abec6259d1666e34bd59594</id>
<content type='text'>
keyctl purge was added in keyutils 1.5 (released in March 2011).  Use
keyctl unlink to clean up keys instead, as it is more universal.

ticket: 7810
target_version: 1.12.1
tags: pullup
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
keyctl purge was added in keyutils 1.5 (released in March 2011).  Use
keyctl unlink to clean up keys instead, as it is more universal.

ticket: 7810
target_version: 1.12.1
tags: pullup
</pre>
</div>
</content>
</entry>
<entry>
<title>Set an error message when keyring get_princ fails</title>
<updated>2013-12-21T04:10:03+00:00</updated>
<author>
<name>Nalin Dahyabhai</name>
<email>nalin@dahyabhai.net</email>
</author>
<published>2013-12-05T18:54:09+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=c25fc42e8eac7350209df61e4a7b9960d17755ca'/>
<id>c25fc42e8eac7350209df61e4a7b9960d17755ca</id>
<content type='text'>
When attempting to use a keyring cache that doesn't exist, set an error
message when we fail to read a principal name, as we do when we return
the same error code when using a file ccache.

[ghudson: removed unnecessary check for d-&gt;name nullity.]

ticket: 7809
target_version: 1.12.1
tags: pullup
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When attempting to use a keyring cache that doesn't exist, set an error
message when we fail to read a principal name, as we do when we return
the same error code when using a file ccache.

[ghudson: removed unnecessary check for d-&gt;name nullity.]

ticket: 7809
target_version: 1.12.1
tags: pullup
</pre>
</div>
</content>
</entry>
<entry>
<title>make depend</title>
<updated>2013-12-11T03:24:03+00:00</updated>
<author>
<name>Tom Yu</name>
<email>tlyu@mit.edu</email>
</author>
<published>2013-12-11T03:24:03+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=88bc9cfb9bcbdb0daffe02db5bdb8e22d14b6853'/>
<id>88bc9cfb9bcbdb0daffe02db5bdb8e22d14b6853</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Set expiration time on keys and keyrings</title>
<updated>2013-11-15T23:17:59+00:00</updated>
<author>
<name>Simo Sorce</name>
<email>simo@redhat.com</email>
</author>
<published>2013-11-15T21:36:05+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=29e60c5b7ac0980606971afc6fd6028bcf0c7f0f'/>
<id>29e60c5b7ac0980606971afc6fd6028bcf0c7f0f</id>
<content type='text'>
By setting the timeout based on the credential's timeout we let the
system automatically clean up expired credentials.

[ghudson@mit.edu: simplified code slightly]

ticket: 7769 (new)
target_version: 1.12
tags: pullup
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
By setting the timeout based on the credential's timeout we let the
system automatically clean up expired credentials.

[ghudson@mit.edu: simplified code slightly]

ticket: 7769 (new)
target_version: 1.12
tags: pullup
</pre>
</div>
</content>
</entry>
<entry>
<title>Add support to store time offsets in cc_keyring</title>
<updated>2013-11-15T23:17:59+00:00</updated>
<author>
<name>Simo Sorce</name>
<email>simo@redhat.com</email>
</author>
<published>2013-11-14T22:23:59+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=fb4817a32d0c369049e0868468dd2eb75487630d'/>
<id>fb4817a32d0c369049e0868468dd2eb75487630d</id>
<content type='text'>
The code follows the same model used for the memory ccache type.  Time
offsets are stored in each credential cache in a special key just like
the principal name.  Legacy session caches do not store timestamps as
legacy code would fail when iterating over the new offset key.

[ghudson@mit.edu: minor formatting changes; note legacy session
exception in commit message]

ticket: 7768 (new)
target_version: 1.12
tags: pullup
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The code follows the same model used for the memory ccache type.  Time
offsets are stored in each credential cache in a special key just like
the principal name.  Legacy session caches do not store timestamps as
legacy code would fail when iterating over the new offset key.

[ghudson@mit.edu: minor formatting changes; note legacy session
exception in commit message]

ticket: 7768 (new)
target_version: 1.12
tags: pullup
</pre>
</div>
</content>
</entry>
<entry>
<title>Catch more strtol() failures when using KEYRINGs</title>
<updated>2013-11-12T16:13:51+00:00</updated>
<author>
<name>Nalin Dahyabhai</name>
<email>nalin@dahyabhai.net</email>
</author>
<published>2013-11-11T18:10:08+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=5ac159e220297a8f62dd5edcec6f9b988b0627ea'/>
<id>5ac159e220297a8f62dd5edcec6f9b988b0627ea</id>
<content type='text'>
When parsing what should be a UID while resolving a KEYRING ccache
name, don't just depend on strtol() to set errno when the residual
that we pass to it can't be parsed as a number.  In addition to
checking errno, pass in and check the value of an "endptr".

[ghudson@mit.edu: simplified slightly]

ticket: 7764 (new)
target_version: 1.12
tags: pullup
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When parsing what should be a UID while resolving a KEYRING ccache
name, don't just depend on strtol() to set errno when the residual
that we pass to it can't be parsed as a number.  In addition to
checking errno, pass in and check the value of an "endptr".

[ghudson@mit.edu: simplified slightly]

ticket: 7764 (new)
target_version: 1.12
tags: pullup
</pre>
</div>
</content>
</entry>
<entry>
<title>Conditionally test KEYRING ccache type</title>
<updated>2013-10-02T14:41:40+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2013-09-28T20:29:36+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=5d03cb6b235f0ee0e30b34630f95f208d6acd3d0'/>
<id>5d03cb6b235f0ee0e30b34630f95f208d6acd3d0</id>
<content type='text'>
If the keyctl command is found and klist recognizes the KEYRING
credential cache type, then run several tests against keyring ccaches:
the collection test program in lib/krb5/ccache, the command-line
collection tests in tests/t_ccache.py, and some new tests to verify
legacy session cache behavior.  Much of the Python code in t_ccache.py
is moved into a new function named "collection_test" so we can run it
once against a DIR collection and once against a KEYRING collection.

Also: fix a memory leak in the collection test program; add a test for
iteration when the default cache name is a subsidiary name; use a
process keyring ccache in t_cc.c to avoid leaving behind empty
collections in the session keyring after each test run.

Adapted from a patch by simo@redhat.com.

ticket: 7711
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If the keyctl command is found and klist recognizes the KEYRING
credential cache type, then run several tests against keyring ccaches:
the collection test program in lib/krb5/ccache, the command-line
collection tests in tests/t_ccache.py, and some new tests to verify
legacy session cache behavior.  Much of the Python code in t_ccache.py
is moved into a new function named "collection_test" so we can run it
once against a DIR collection and once against a KEYRING collection.

Also: fix a memory leak in the collection test program; add a test for
iteration when the default cache name is a subsidiary name; use a
process keyring ccache in t_cc.c to avoid leaving behind empty
collections in the session keyring after each test run.

Adapted from a patch by simo@redhat.com.

ticket: 7711
</pre>
</div>
</content>
</entry>
<entry>
<title>Support new KEYRING anchor names and big_key keys</title>
<updated>2013-10-02T14:41:34+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2013-09-28T18:12:58+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=7c69a0372db5b7ed670ef3099a97942ede7a4739'/>
<id>7c69a0372db5b7ed670ef3099a97942ede7a4739</id>
<content type='text'>
Add support for the new anchor names persistent, user, and session.
The persistent anchor attempts to use a persistent keyring for a
specified uid, and falls back to the user keyring if it cannot; the
collection is stored at a fixed name within the persistent or user
keyring.  The session anchor uses the session keyring without legacy
semantics.

For all keyring types except legacy, attempt to use the "big_key" key
type on systems which have keyctl_get_persistent.  (They are
essentially unrelated features, but were added at the same time.)
This key type is stored in a kernel tmpfs and can store larger
tickets.

Since kernel commit 96b5c8fea6c0861621051290d705ec2e971963f1, new keys
created by add_key() only have VIEW permission for the user, and the
rest of the permissions require "possession," which means there is a
path from the thread, process, or session keyring to the key.  For the
user and persistent anchor types, we link the collection into the
process keyring to ensure that we have possession rights on the
collection.

Adapted from a patch by simo@redhat.com.

ticket: 7711
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add support for the new anchor names persistent, user, and session.
The persistent anchor attempts to use a persistent keyring for a
specified uid, and falls back to the user keyring if it cannot; the
collection is stored at a fixed name within the persistent or user
keyring.  The session anchor uses the session keyring without legacy
semantics.

For all keyring types except legacy, attempt to use the "big_key" key
type on systems which have keyctl_get_persistent.  (They are
essentially unrelated features, but were added at the same time.)
This key type is stored in a kernel tmpfs and can store larger
tickets.

Since kernel commit 96b5c8fea6c0861621051290d705ec2e971963f1, new keys
created by add_key() only have VIEW permission for the user, and the
rest of the permissions require "possession," which means there is a
path from the thread, process, or session keyring to the key.  For the
user and persistent anchor types, we link the collection into the
process keyring to ensure that we have possession rights on the
collection.

Adapted from a patch by simo@redhat.com.

ticket: 7711
</pre>
</div>
</content>
</entry>
<entry>
<title>Add collection support for KEYRING ccache type</title>
<updated>2013-10-02T14:41:09+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2013-09-27T22:45:29+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=c1e8d03a6254e3ce86a71eed31e4c127e3324f9b'/>
<id>c1e8d03a6254e3ce86a71eed31e4c127e3324f9b</id>
<content type='text'>
Augment the KEYRING ccache type to support collection semantics
similar to those of the DIR type.  For keyrings with no anchor prefix,
maintain compatibility with old code by linking the initial primary
cache directly from the session keyring and naming it after the
collection.

See http://k5wiki.kerberos.org/wiki/Projects/Keyring_collection_cache
for more information.  Adapted from a patch by simo@redhat.com.

ticket: 7711 (new)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Augment the KEYRING ccache type to support collection semantics
similar to those of the DIR type.  For keyrings with no anchor prefix,
maintain compatibility with old code by linking the initial primary
cache directly from the session keyring and naming it after the
collection.

See http://k5wiki.kerberos.org/wiki/Projects/Keyring_collection_cache
for more information.  Adapted from a patch by simo@redhat.com.

ticket: 7711 (new)
</pre>
</div>
</content>
</entry>
<entry>
<title>Clarify variable names in cc_keyring.c</title>
<updated>2013-09-28T19:25:27+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2013-09-26T16:23:23+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=253155e1db678546358b69ab953f8fdd9b7fb23a'/>
<id>253155e1db678546358b69ab953f8fdd9b7fb23a</id>
<content type='text'>
Consistently use "cache_name" and "cache_id" to talk about the name
and ID of the keyring containing the cache.  In krb5_krcc_resolve, use
"residual" for the residual string as we are no longer using it for
the cache keyring name, and use "anchor_id" for the keyring identified
by the prefix to make it clear that it is not the cache keyring.

Adapted from a patch by simo@redhat.com.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Consistently use "cache_name" and "cache_id" to talk about the name
and ID of the keyring containing the cache.  In krb5_krcc_resolve, use
"residual" for the residual string as we are no longer using it for
the cache keyring name, and use "anchor_id" for the keyring identified
by the prefix to make it clear that it is not the cache keyring.

Adapted from a patch by simo@redhat.com.
</pre>
</div>
</content>
</entry>
</feed>
