krb5.git/src/lib/krb5, branch keyring MIT Kerberos patches Set expiration time on keys and keyrings 2013-11-15T21:40:44+00:00 Simo Sorce simo@redhat.com 2013-11-15T21:36:05+00:00 64bf5e01cee2317d59084b6c134cdd11b21f7552 By setting the timeout based on the credetial's timeout we let the system automatically cleanup expired credentials. [ghudson@mit.edu: simplified code slightly] ticket: 7769 (new) target_version: 1.12 tags: pullup 
By setting the timeout based on the credetial's timeout we let the
system automatically cleanup expired credentials.

[ghudson@mit.edu: simplified code slightly]

ticket: 7769 (new)
target_version: 1.12
tags: pullup
Add support to store time offsets in cc_keyring 2013-11-15T19:50:04+00:00 Simo Sorce simo@redhat.com 2013-11-14T22:23:59+00:00 568fc6d12c231d00d3b4d75826da93b772e7c075 The code follows the same model used for the memory ccache type. Time offsets are stored in each credential cache in a special key just like the principal name. Legacy session caches do not store timestamps as legacy code would fail when iterating over the new offset key. [ghudson@mit.edu: minor formatting changes; note legacy session exception in commit message] ticket: 7768 (new) target_version: 1.12 tags: pullup 
The code follows the same model used for the memory ccache type.  Time
offsets are stored in each credential cache in a special key just like
the principal name.  Legacy session caches do not store timestamps as
legacy code would fail when iterating over the new offset key.

[ghudson@mit.edu: minor formatting changes; note legacy session
exception in commit message]

ticket: 7768 (new)
target_version: 1.12
tags: pullup
Catch more strtol() failures when using KEYRINGs 2013-11-12T16:13:51+00:00 Nalin Dahyabhai nalin@dahyabhai.net 2013-11-11T18:10:08+00:00 5ac159e220297a8f62dd5edcec6f9b988b0627ea When parsing what should be a UID while resolving a KEYRING ccache name, don't just depend on strtol() to set errno when the residual that we pass to it can't be parsed as a number. In addition to checking errno, pass in and check the value of an "endptr". [ghudson@mit.edu: simplified slightly] ticket: 7764 (new) target_version: 1.12 tags: pullup 
When parsing what should be a UID while resolving a KEYRING ccache
name, don't just depend on strtol() to set errno when the residual
that we pass to it can't be parsed as a number.  In addition to
checking errno, pass in and check the value of an "endptr".

[ghudson@mit.edu: simplified slightly]

ticket: 7764 (new)
target_version: 1.12
tags: pullup
Clean up the code to eliminate some clang warnings 2013-11-04T18:51:17+00:00 Ben Kaduk kaduk@mit.edu 2013-10-30T18:51:12+00:00 3a8eaa43045fb242739ad9729bb66f915be209b9 In ure.c, though k is a short, the literal 1 is of type 'int', and so the operation 'k + 1' is performed at the (32-bit) width of int, and therefore the "%d" format string is correct. In accept_sec_context.c, the 'length' field of krb5_data is an unsigned type, so checking for a negative value has no effect. In net-server.c, the helper routine rtm_type_name() is only used in code that is disabled with #if 0 conditionals; make the definition also disabled in the same way to avoid warnings of an unused function. In kdc_authdata.c, equality checks in double parentheses elicit a warning from clang. The double-parentheses idiom is normally used to indicate that an assignment is being performed, but the value of the assignment is also to be used as the value for the conditional. Since assignment and equality checking differ only by a single character, clang considers this worthy of a warning. Since the extra set of parentheses is redundant and against style, it is correct to remove them. In several places (sim_server.c, dump.c, kdb5_destroy.c, ovsec_kadmd.c), there are declarations of extern variables relating to getopt() functionality that are now unused in the code. Remove these unused variables. 
In ure.c, though k is a short, the literal 1 is of type 'int', and
so the operation 'k + 1' is performed at the (32-bit) width of int,
and therefore the "%d" format string is correct.

In accept_sec_context.c, the 'length' field of krb5_data is an
unsigned type, so checking for a negative value has no effect.

In net-server.c, the helper routine rtm_type_name() is only used
in code that is disabled with #if 0 conditionals; make the
definition also disabled in the same way to avoid warnings of an
unused function.

In kdc_authdata.c, equality checks in double parentheses elicit
a warning from clang.  The double-parentheses idiom is normally used
to indicate that an assignment is being performed, but the value of
the assignment is also to be used as the value for the conditional.
Since assignment and equality checking differ only by a single
character, clang considers this worthy of a warning.  Since the extra
set of parentheses is redundant and against style, it is correct to
remove them.

In several places (sim_server.c, dump.c, kdb5_destroy.c,
ovsec_kadmd.c), there are declarations of extern variables relating
to getopt() functionality that are now unused in the code.  Remove
these unused variables.
Avoid deprecated krb5_get_in_tkt_with_keytab 2013-11-04T18:51:14+00:00 Ben Kaduk kaduk@mit.edu 2012-07-10T14:14:52+00:00 29dee7d2cece615bec4616fa9b727e77210051db The kprop code has been pretty unloved, and uses some routines that are marked as deprecated (which show up as warnings in the build log). Use the documented replacement for krb5_get_in_tkt_with_keytab, krb5_get_init_creds_keytab, instead. As a bonus, there is no longer a side effect of a credentials cache that needs to be destroyed. The also-deprecated function krb5_get_in_tkt_with_skey was backending to it when no keyblock was passed in; we can unroll the call to krb5_get_init_creds_keytab ourselves as the documented workaround. While here, improve style compliance with regards to cleanup. The setkey test just wants to know whether it can use the key it just put into a keytab to get credentials; as such the recommended krb5_get_init_creds_keytab is quite sufficient. While here, use that interface to request the particular enctype as well, reducing the scope of an XXX comment. ticket: 6366 
The kprop code has been pretty unloved, and uses some routines that
are marked as deprecated (which show up as warnings in the build log).
Use the documented replacement for krb5_get_in_tkt_with_keytab,
krb5_get_init_creds_keytab, instead.  As a bonus, there is no longer
a side effect of a credentials cache that needs to be destroyed.

The also-deprecated function krb5_get_in_tkt_with_skey was backending
to it when no keyblock was passed in; we can unroll the call to
krb5_get_init_creds_keytab ourselves as the documented workaround.
While here, improve style compliance with regards to cleanup.

The setkey test just wants to know whether it can use the key it
just put into a keytab to get credentials; as such the recommended
krb5_get_init_creds_keytab is quite sufficient.
While here, use that interface to request the particular enctype
as well, reducing the scope of an XXX comment.

ticket: 6366
Change KRB5KDC_ERR_NO_ACCEPTABLE_KDF to 100 2013-10-15T03:44:25+00:00 Greg Hudson ghudson@mit.edu 2013-10-09T17:37:17+00:00 2938851a5ec77ab68bcd1f5cfd07991c7ccabea6 draft-ietf-krb-wg-pkinit-alg-agility-07 specifies KDC_ERR_NO_ACCEPTABLE_KDF as 82, but this value conflicts with KRB_AP_ERR_PRINCIPAL_UNKNOWN from RFC 6111. The former value has been reassigned to 100 to fix the conflict. Use the correct value. We believe that this error won't crop up in practice for a long time (when SHA-2 has been superceded by other hash algorithms and people are desupporting it), by which time implementations will mostly have been upgraded to use the new value. ticket: 7715 (new) target_version: 1.12 
draft-ietf-krb-wg-pkinit-alg-agility-07 specifies
KDC_ERR_NO_ACCEPTABLE_KDF as 82, but this value conflicts with
KRB_AP_ERR_PRINCIPAL_UNKNOWN from RFC 6111.  The former value has been
reassigned to 100 to fix the conflict.  Use the correct value.

We believe that this error won't crop up in practice for a long time
(when SHA-2 has been superceded by other hash algorithms and people
are desupporting it), by which time implementations will mostly have
been upgraded to use the new value.

ticket: 7715 (new)
target_version: 1.12
KDC Audit infrastructure and plugin implementation 2013-10-05T00:25:49+00:00 Zhanna Tsitkov tsitkova@mit.edu 2013-07-20T19:47:42+00:00 1003f0173f266a6428ccf2c89976f0029d3ee831 Per project http://k5wiki.kerberos.org/wiki/Projects/Audit The purpose of this project is to create an Audit infrastructure to monitor security related events on the KDC. The following events are targeted in the initial version: - startup and shutdown of the KDC; - AS_REQ and TGS_REQ exchanges. This includes client address and port, KDC request and request ID, KDC reply, primary and derived ticket and their ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and validated, local policy violation and protocol constraints, and KDC status message. Ticket ID is introduced to allow to link tickets to their initial TGT at any stage of the Kerberos exchange. For the purpose of this project it is a private to KDC ticket ID: each successfully created ticket is hashed and recorded into audit log. The administrators can correlate the primary and derived ticket IDs after the fact. Request ID is a randomly generated alpha-numeric string. Using this ID an administrator can easily correlate multiple audit events related to a single request. It should be informative both in cases when the request is sent to multiple KDCs, or to the same KDC multiple times. For the purpose of testing and demo of the Audit, the JSON based modules are implemented: "test" and "simple" audit modules respectively. The file plugins/audit/j_dict.h is a dictionary used in this implememtations. The new Audit system is build-time enabled and run-time pluggable. [kaduk@mit.edu: remove potential KDC crashes, minor reordering] ticket: 7712 target_version: 1.12 
Per project http://k5wiki.kerberos.org/wiki/Projects/Audit

The purpose of this project is to create an Audit infrastructure to monitor
security related events on the KDC.

The following events are targeted in the initial version:
- startup and shutdown of the KDC;
- AS_REQ and TGS_REQ exchanges.  This includes client address and port, KDC
  request and request ID, KDC reply, primary and derived ticket and their
  ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and
  validated, local policy violation and protocol constraints, and KDC status
  message.

Ticket ID is introduced to allow to link tickets to their initial TGT at any
stage of the Kerberos exchange. For the purpose of this project it is a private
to KDC ticket ID: each successfully created ticket is hashed and recorded
into audit log. The administrators can correlate the primary and derived
ticket IDs after the fact.

Request ID is a randomly generated alpha-numeric string. Using this ID an
administrator can easily correlate multiple audit events related to a single
request. It should be informative both in cases when the request is sent to
multiple KDCs, or to the same KDC multiple times.

For the purpose of testing and demo of the Audit, the JSON based modules are
implemented: "test" and "simple" audit modules respectively.
The file plugins/audit/j_dict.h is a dictionary used in this implememtations.

The new Audit system is build-time enabled and run-time pluggable.

[kaduk@mit.edu: remove potential KDC crashes, minor reordering]

ticket: 7712
target_version: 1.12
Conditionally test KEYRING ccache type 2013-10-02T14:41:40+00:00 Greg Hudson ghudson@mit.edu 2013-09-28T20:29:36+00:00 5d03cb6b235f0ee0e30b34630f95f208d6acd3d0 If the keyctl command is found and klist recognizes the KEYRING credential cache type, then run several tests against keyring ccaches: the collection test program in lib/krb5/ccache, the command-line collection tests in tests/t_ccache.py, and some new tests to verify legacy session cache behavior. Much of the Python code in t_ccache.py is moved into a new function named "collection_test" so we can run it once against a DIR collection and once against a KEYRING collection. Also: fix a memory leak in the collection test program; add a test for iteration when the default cache name is a subsidiary name; use a process keyring ccache in t_cc.c to avoid leaving behind empty collections in the session keyring after each test run. Adapted from a patch by simo@redhat.com. ticket: 7711 
If the keyctl command is found and klist recognizes the KEYRING
credential cache type, then run several tests against keyring ccaches:
the collection test program in lib/krb5/ccache, the command-line
collection tests in tests/t_ccache.py, and some new tests to verify
legacy session cache behavior.  Much of the Python code in t_ccache.py
is moved into a new function named "collection_test" so we can run it
once against a DIR collection and once against a KEYRING collection.

Also: fix a memory leak in the collection test program; add a test for
iteration when the default cache name is a subsidiary name; use a
process keyring ccache in t_cc.c to avoid leaving behind empty
collections in the session keyring after each test run.

Adapted from a patch by simo@redhat.com.

ticket: 7711
Support new KEYRING anchor names and big_key keys 2013-10-02T14:41:34+00:00 Greg Hudson ghudson@mit.edu 2013-09-28T18:12:58+00:00 7c69a0372db5b7ed670ef3099a97942ede7a4739 Add support for the new anchor names persistent, user, and session. The persistent anchor attempts to use a persistent keyring for a specified uid, and falls back to the user keyring if it cannot; the collection is stored at a fixed name within the persistent or user keyring. The session anchor uses the session keyring without legacy semantics. For all keyring types except legacy, attempt to use the "big_key" key type on systems which have keyctl_get_persistent. (They are essentially unrelated features, but were added at the same time.) This key type is stored in a kernel tmpfs and can store larger tickets. Since kernel commit 96b5c8fea6c0861621051290d705ec2e971963f1, new keys created by add_key() only have VIEW permission for the user, and the rest of the permissions require "possession," which means there is a path from the thread, process, or session keyring to the key. For the user and persistent anchor types, we link the collection into the process keyring to ensure that we have a possession rights on the collection. Adapted from a patch by simo@redhat.com. ticket: 7711 
Add support for the new anchor names persistent, user, and session.
The persistent anchor attempts to use a persistent keyring for a
specified uid, and falls back to the user keyring if it cannot; the
collection is stored at a fixed name within the persistent or user
keyring.  The session anchor uses the session keyring without legacy
semantics.

For all keyring types except legacy, attempt to use the "big_key" key
type on systems which have keyctl_get_persistent.  (They are
essentially unrelated features, but were added at the same time.)
This key type is stored in a kernel tmpfs and can store larger
tickets.

Since kernel commit 96b5c8fea6c0861621051290d705ec2e971963f1, new keys
created by add_key() only have VIEW permission for the user, and the
rest of the permissions require "possession," which means there is a
path from the thread, process, or session keyring to the key.  For the
user and persistent anchor types, we link the collection into the
process keyring to ensure that we have a possession rights on the
collection.

Adapted from a patch by simo@redhat.com.

ticket: 7711
Add collection support for KEYRING ccache type 2013-10-02T14:41:09+00:00 Greg Hudson ghudson@mit.edu 2013-09-27T22:45:29+00:00 c1e8d03a6254e3ce86a71eed31e4c127e3324f9b Augment the KEYRING ccache type to support collection semantics similar to those of the DIR type. For keyrings with no anchor prefix, maintain compatibility with old code by linking the initial primary cache directly from the session keyring and naming it after the collection. See http://k5wiki.kerberos.org/wiki/Projects/Keyring_collection_cache for more information. Adapted from a patch by simo@redhat.com. ticket: 7711 (new) 
Augment the KEYRING ccache type to support collection semantics
similar to those of the DIR type.  For keyrings with no anchor prefix,
maintain compatibility with old code by linking the initial primary
cache directly from the session keyring and naming it after the
collection.

See http://k5wiki.kerberos.org/wiki/Projects/Keyring_collection_cache
for more information.  Adapted from a patch by simo@redhat.com.

ticket: 7711 (new)