krb5.git/src/lib/krb5/krb, branch keyring MIT Kerberos patches Avoid deprecated krb5_get_in_tkt_with_keytab 2013-11-04T18:51:14+00:00 Ben Kaduk kaduk@mit.edu 2012-07-10T14:14:52+00:00 29dee7d2cece615bec4616fa9b727e77210051db The kprop code has been pretty unloved, and uses some routines that are marked as deprecated (which show up as warnings in the build log). Use the documented replacement for krb5_get_in_tkt_with_keytab, krb5_get_init_creds_keytab, instead. As a bonus, there is no longer a side effect of a credentials cache that needs to be destroyed. The also-deprecated function krb5_get_in_tkt_with_skey was backending to it when no keyblock was passed in; we can unroll the call to krb5_get_init_creds_keytab ourselves as the documented workaround. While here, improve style compliance with regards to cleanup. The setkey test just wants to know whether it can use the key it just put into a keytab to get credentials; as such the recommended krb5_get_init_creds_keytab is quite sufficient. While here, use that interface to request the particular enctype as well, reducing the scope of an XXX comment. ticket: 6366 
The kprop code has been pretty unloved, and uses some routines that
are marked as deprecated (which show up as warnings in the build log).
Use the documented replacement for krb5_get_in_tkt_with_keytab,
krb5_get_init_creds_keytab, instead.  As a bonus, there is no longer
a side effect of a credentials cache that needs to be destroyed.

The also-deprecated function krb5_get_in_tkt_with_skey was backending
to it when no keyblock was passed in; we can unroll the call to
krb5_get_init_creds_keytab ourselves as the documented workaround.
While here, improve style compliance with regards to cleanup.

The setkey test just wants to know whether it can use the key it
just put into a keytab to get credentials; as such the recommended
krb5_get_init_creds_keytab is quite sufficient.
While here, use that interface to request the particular enctype
as well, reducing the scope of an XXX comment.

ticket: 6366
KDC Audit infrastructure and plugin implementation 2013-10-05T00:25:49+00:00 Zhanna Tsitkov tsitkova@mit.edu 2013-07-20T19:47:42+00:00 1003f0173f266a6428ccf2c89976f0029d3ee831 Per project http://k5wiki.kerberos.org/wiki/Projects/Audit The purpose of this project is to create an Audit infrastructure to monitor security related events on the KDC. The following events are targeted in the initial version: - startup and shutdown of the KDC; - AS_REQ and TGS_REQ exchanges. This includes client address and port, KDC request and request ID, KDC reply, primary and derived ticket and their ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and validated, local policy violation and protocol constraints, and KDC status message. Ticket ID is introduced to allow to link tickets to their initial TGT at any stage of the Kerberos exchange. For the purpose of this project it is a private to KDC ticket ID: each successfully created ticket is hashed and recorded into audit log. The administrators can correlate the primary and derived ticket IDs after the fact. Request ID is a randomly generated alpha-numeric string. Using this ID an administrator can easily correlate multiple audit events related to a single request. It should be informative both in cases when the request is sent to multiple KDCs, or to the same KDC multiple times. For the purpose of testing and demo of the Audit, the JSON based modules are implemented: "test" and "simple" audit modules respectively. The file plugins/audit/j_dict.h is a dictionary used in this implememtations. The new Audit system is build-time enabled and run-time pluggable. [kaduk@mit.edu: remove potential KDC crashes, minor reordering] ticket: 7712 target_version: 1.12 
Per project http://k5wiki.kerberos.org/wiki/Projects/Audit

The purpose of this project is to create an Audit infrastructure to monitor
security related events on the KDC.

The following events are targeted in the initial version:
- startup and shutdown of the KDC;
- AS_REQ and TGS_REQ exchanges.  This includes client address and port, KDC
  request and request ID, KDC reply, primary and derived ticket and their
  ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and
  validated, local policy violation and protocol constraints, and KDC status
  message.

Ticket ID is introduced to allow to link tickets to their initial TGT at any
stage of the Kerberos exchange. For the purpose of this project it is a private
to KDC ticket ID: each successfully created ticket is hashed and recorded
into audit log. The administrators can correlate the primary and derived
ticket IDs after the fact.

Request ID is a randomly generated alpha-numeric string. Using this ID an
administrator can easily correlate multiple audit events related to a single
request. It should be informative both in cases when the request is sent to
multiple KDCs, or to the same KDC multiple times.

For the purpose of testing and demo of the Audit, the JSON based modules are
implemented: "test" and "simple" audit modules respectively.
The file plugins/audit/j_dict.h is a dictionary used in this implememtations.

The new Audit system is build-time enabled and run-time pluggable.

[kaduk@mit.edu: remove potential KDC crashes, minor reordering]

ticket: 7712
target_version: 1.12
Factor out krb5int_random_string() routine 2013-09-24T17:02:57+00:00 Zhanna Tsitkov tsitkova@mit.edu 2013-09-24T14:13:26+00:00 ee61e4adf18c6f032b7ab2fa790fb261cfc4105c Make krb5int_random_string() function available outside ccache code. Move it into a separate file under lib/krb5/krb hierarchy. 
Make krb5int_random_string() function available outside ccache code.
Move it into a separate file under lib/krb5/krb hierarchy.
Add a flag to prevent all host canonicalization 2013-09-06T05:02:28+00:00 Greg Hudson ghudson@mit.edu 2013-09-05T22:30:02+00:00 60edb321af64081e3eb597da0256faf117c9c441 If dns_canonicalize_hostname is set to false in [libdefaults], krb5_sname_to_principal will not canonicalize the hostname using either forward or reverse lookups. ticket: 7703 (new) 
If dns_canonicalize_hostname is set to false in [libdefaults],
krb5_sname_to_principal will not canonicalize the hostname using
either forward or reverse lookups.

ticket: 7703 (new)
Use hostrealm interface for realm mapping 2013-08-15T16:39:57+00:00 Greg Hudson ghudson@mit.edu 2013-08-05T19:57:29+00:00 db21244a069e581a392dff5b320e758e06a28e4d Reimplement krb5_get_host_realm, krb5_get_fallback_host_realm, and krb5_get_default_realm in terms of the hostrealm interface. Three built-in modules (dns, domain, and profile) implement the current behavior. ticket: 7687 
Reimplement krb5_get_host_realm, krb5_get_fallback_host_realm, and
krb5_get_default_realm in terms of the hostrealm interface.  Three
built-in modules (dns, domain, and profile) implement the current
behavior.

ticket: 7687
Add hostrealm pluggable interface definition 2013-08-15T16:27:39+00:00 Greg Hudson ghudson@mit.edu 2013-08-05T18:43:24+00:00 d61fbd85467c71c9bfb185e0e675e1619972bd0b ticket: 7687 (new) 
ticket: 7687 (new)
Fix localauth memory leak 2013-08-12T19:26:21+00:00 Greg Hudson ghudson@mit.edu 2013-08-12T19:17:20+00:00 37eb601a1294244b179cb0e6e6cfb4a16709ccfa localauth modules were not freed by krb5_free_context(), causing a memory leak. 
localauth modules were not freed by krb5_free_context(), causing a
memory leak.
Add non-JSON APIs for PKINIT responder items 2013-07-17T18:57:12+00:00 Nalin Dahyabhai nalin@redhat.com 2013-07-15T17:37:00+00:00 ce02b69e27bcfa21bcab2ed195dfdbaa8040d773 Add wrappers for the JSON-oriented APIs for PKINIT responder items, modeled after the API we provide for OTP items: * krb5_responder_pkinit_get_challenge() returns the list of identities for which we need PINs * krb5_responder_pkinit_challenge_free() frees the structure that was returned by krb5_responder_pkinit_get_challenge() * krb5_responder_pkinit_set_answer() sets the answer to the PIN for one of the identities [ghudson@mit.edu: style cleanup; added comment pointing to main body of PKINIT module] ticket: 7680 
Add wrappers for the JSON-oriented APIs for PKINIT responder items,
modeled after the API we provide for OTP items:

* krb5_responder_pkinit_get_challenge() returns the list of
  identities for which we need PINs
* krb5_responder_pkinit_challenge_free() frees the structure that
  was returned by krb5_responder_pkinit_get_challenge()
* krb5_responder_pkinit_set_answer() sets the answer to the PIN for
  one of the identities

[ghudson@mit.edu: style cleanup; added comment pointing to main body
of PKINIT module]

ticket: 7680
Use k5calloc instead of k5alloc where appropriate 2013-07-12T00:39:51+00:00 Greg Hudson ghudson@mit.edu 2013-07-12T00:39:51+00:00 443ce5fef316e3dc324fe84557a06b069dbe33f9 Wherever we use k5alloc with a multiplication in the size parameter,, use the new k5calloc helper function instead. 
Wherever we use k5alloc with a multiplication in the size parameter,,
use the new k5calloc helper function instead.
Fix uninitialized variable bugs 2013-06-28T02:37:21+00:00 Greg Hudson ghudson@mit.edu 2013-06-27T22:41:04+00:00 ed515a396ee78361ca514be464978da38305f0fb The previous few commits introduced a couple of bugs where variables could be used without being initialized. Fix them. 
The previous few commits introduced a couple of bugs where variables
could be used without being initialized.  Fix them.