krb5.git/src/lib, branch keyring MIT Kerberos patches Set expiration time on keys and keyrings 2013-11-15T21:40:44+00:00 Simo Sorce simo@redhat.com 2013-11-15T21:36:05+00:00 64bf5e01cee2317d59084b6c134cdd11b21f7552 By setting the timeout based on the credetial's timeout we let the system automatically cleanup expired credentials. [ghudson@mit.edu: simplified code slightly] ticket: 7769 (new) target_version: 1.12 tags: pullup 
By setting the timeout based on the credetial's timeout we let the
system automatically cleanup expired credentials.

[ghudson@mit.edu: simplified code slightly]

ticket: 7769 (new)
target_version: 1.12
tags: pullup
Add support to store time offsets in cc_keyring 2013-11-15T19:50:04+00:00 Simo Sorce simo@redhat.com 2013-11-14T22:23:59+00:00 568fc6d12c231d00d3b4d75826da93b772e7c075 The code follows the same model used for the memory ccache type. Time offsets are stored in each credential cache in a special key just like the principal name. Legacy session caches do not store timestamps as legacy code would fail when iterating over the new offset key. [ghudson@mit.edu: minor formatting changes; note legacy session exception in commit message] ticket: 7768 (new) target_version: 1.12 tags: pullup 
The code follows the same model used for the memory ccache type.  Time
offsets are stored in each credential cache in a special key just like
the principal name.  Legacy session caches do not store timestamps as
legacy code would fail when iterating over the new offset key.

[ghudson@mit.edu: minor formatting changes; note legacy session
exception in commit message]

ticket: 7768 (new)
target_version: 1.12
tags: pullup
Catch more strtol() failures when using KEYRINGs 2013-11-12T16:13:51+00:00 Nalin Dahyabhai nalin@dahyabhai.net 2013-11-11T18:10:08+00:00 5ac159e220297a8f62dd5edcec6f9b988b0627ea When parsing what should be a UID while resolving a KEYRING ccache name, don't just depend on strtol() to set errno when the residual that we pass to it can't be parsed as a number. In addition to checking errno, pass in and check the value of an "endptr". [ghudson@mit.edu: simplified slightly] ticket: 7764 (new) target_version: 1.12 tags: pullup 
When parsing what should be a UID while resolving a KEYRING ccache
name, don't just depend on strtol() to set errno when the residual
that we pass to it can't be parsed as a number.  In addition to
checking errno, pass in and check the value of an "endptr".

[ghudson@mit.edu: simplified slightly]

ticket: 7764 (new)
target_version: 1.12
tags: pullup
Remove rtm_type_name() 2013-11-04T18:51:18+00:00 Ben Kaduk kaduk@mit.edu 2013-11-01T19:12:33+00:00 bcc91c8d8b3d5b775cfde1ee461d7e0394070852 It has been unused since 2009 when Ken decided that the routing log messages were too verbose (commit 91fc077c96926dd60). 
It has been unused since 2009 when Ken decided that the routing log
messages were too verbose (commit 91fc077c96926dd60).
Clean up the code to eliminate some clang warnings 2013-11-04T18:51:17+00:00 Ben Kaduk kaduk@mit.edu 2013-10-30T18:51:12+00:00 3a8eaa43045fb242739ad9729bb66f915be209b9 In ure.c, though k is a short, the literal 1 is of type 'int', and so the operation 'k + 1' is performed at the (32-bit) width of int, and therefore the "%d" format string is correct. In accept_sec_context.c, the 'length' field of krb5_data is an unsigned type, so checking for a negative value has no effect. In net-server.c, the helper routine rtm_type_name() is only used in code that is disabled with #if 0 conditionals; make the definition also disabled in the same way to avoid warnings of an unused function. In kdc_authdata.c, equality checks in double parentheses elicit a warning from clang. The double-parentheses idiom is normally used to indicate that an assignment is being performed, but the value of the assignment is also to be used as the value for the conditional. Since assignment and equality checking differ only by a single character, clang considers this worthy of a warning. Since the extra set of parentheses is redundant and against style, it is correct to remove them. In several places (sim_server.c, dump.c, kdb5_destroy.c, ovsec_kadmd.c), there are declarations of extern variables relating to getopt() functionality that are now unused in the code. Remove these unused variables. 
In ure.c, though k is a short, the literal 1 is of type 'int', and
so the operation 'k + 1' is performed at the (32-bit) width of int,
and therefore the "%d" format string is correct.

In accept_sec_context.c, the 'length' field of krb5_data is an
unsigned type, so checking for a negative value has no effect.

In net-server.c, the helper routine rtm_type_name() is only used
in code that is disabled with #if 0 conditionals; make the
definition also disabled in the same way to avoid warnings of an
unused function.

In kdc_authdata.c, equality checks in double parentheses elicit
a warning from clang.  The double-parentheses idiom is normally used
to indicate that an assignment is being performed, but the value of
the assignment is also to be used as the value for the conditional.
Since assignment and equality checking differ only by a single
character, clang considers this worthy of a warning.  Since the extra
set of parentheses is redundant and against style, it is correct to
remove them.

In several places (sim_server.c, dump.c, kdb5_destroy.c,
ovsec_kadmd.c), there are declarations of extern variables relating
to getopt() functionality that are now unused in the code.  Remove
these unused variables.
Avoid deprecated krb5_get_in_tkt_with_keytab 2013-11-04T18:51:14+00:00 Ben Kaduk kaduk@mit.edu 2012-07-10T14:14:52+00:00 29dee7d2cece615bec4616fa9b727e77210051db The kprop code has been pretty unloved, and uses some routines that are marked as deprecated (which show up as warnings in the build log). Use the documented replacement for krb5_get_in_tkt_with_keytab, krb5_get_init_creds_keytab, instead. As a bonus, there is no longer a side effect of a credentials cache that needs to be destroyed. The also-deprecated function krb5_get_in_tkt_with_skey was backending to it when no keyblock was passed in; we can unroll the call to krb5_get_init_creds_keytab ourselves as the documented workaround. While here, improve style compliance with regards to cleanup. The setkey test just wants to know whether it can use the key it just put into a keytab to get credentials; as such the recommended krb5_get_init_creds_keytab is quite sufficient. While here, use that interface to request the particular enctype as well, reducing the scope of an XXX comment. ticket: 6366 
The kprop code has been pretty unloved, and uses some routines that
are marked as deprecated (which show up as warnings in the build log).
Use the documented replacement for krb5_get_in_tkt_with_keytab,
krb5_get_init_creds_keytab, instead.  As a bonus, there is no longer
a side effect of a credentials cache that needs to be destroyed.

The also-deprecated function krb5_get_in_tkt_with_skey was backending
to it when no keyblock was passed in; we can unroll the call to
krb5_get_init_creds_keytab ourselves as the documented workaround.
While here, improve style compliance with regards to cleanup.

The setkey test just wants to know whether it can use the key it
just put into a keytab to get credentials; as such the recommended
krb5_get_init_creds_keytab is quite sufficient.
While here, use that interface to request the particular enctype
as well, reducing the scope of an XXX comment.

ticket: 6366
Remove last uses of "possibly-insecure" mktemp(3) 2013-11-04T18:43:36+00:00 Ben Kaduk kaduk@mit.edu 2012-07-03T14:27:20+00:00 0415740bb569bad53b18f4483837e7e037f88544 Many libc implementations include notations to the linker to generate warnings upon references to mktemp(3), due to its potential for insecure operation. This has been the case for quite some time, as was noted in RT #6199. Our usage of the function has decreased with time, but has not yet disappeared entirely. This commit removes the last few instances from our tree. kprop's credentials never need to hit the disk, so a MEMORY ccache is sufficient (and does not need randomization). store_master_key_list is explicitly putting keys on disk so as to do an atomic rename of the stash file, but since the stash file should be in a root-only directory, we can just use a fixed name for the temporary file. When using this fixed name, we must detect (and error out) if the temporary file already exists; add a test to confirm that we do so. ticket: 1794 
Many libc implementations include notations to the linker to generate
warnings upon references to mktemp(3), due to its potential for
insecure operation.  This has been the case for quite some time,
as was noted in RT #6199.  Our usage of the function has decreased
with time, but has not yet disappeared entirely.  This commit
removes the last few instances from our tree.

kprop's credentials never need to hit the disk, so a MEMORY ccache
is sufficient (and does not need randomization).
store_master_key_list is explicitly putting keys on disk so as to
do an atomic rename of the stash file, but since the stash file
should be in a root-only directory, we can just use a fixed name
for the temporary file.  When using this fixed name, we must detect
(and error out) if the temporary file already exists; add a test to
confirm that we do so.

ticket: 1794
Clean up stash file error handling 2013-11-04T18:42:32+00:00 Ben Kaduk kaduk@mit.edu 2012-07-18T14:05:33+00:00 f7e434aa7ecb05a6ade5e3d4a435d25069acd5b2 The comment previously failed to match the behavior. The intent was that if we failed to write out the entire stash file into the temporary location, we should remove the partial file. However, the code was actually checking whether the *real* stash file existed, not whether the temporary one existed. It is safe to always try to unlink the partial file, and not worry about whether it already exists. 
The comment previously failed to match the behavior. The intent was
that if we failed to write out the entire stash file into the
temporary location, we should remove the partial file.  However, the
code was actually checking whether the *real* stash file existed,
not whether the temporary one existed.

It is safe to always try to unlink the partial file, and not worry
about whether it already exists.
Fix decoding of mkey kvno in mkey_aux tl-data 2013-10-29T16:39:21+00:00 Greg Hudson ghudson@mit.edu 2013-10-27T00:17:10+00:00 64ec2941af1561ef06e7e885b2ffb65a675516ce krb5_dbe_lookup_mkey_aux was decoding a 16-bit value directly into an int, resulting in the wrong value on big-endian platforms. The consequences are mostly invisible because we ignore this field and try all mkey_aux nodes in krb5_def_fetch_mkey_list. ticket: 7738 (new) target_version: 1.12 tags: pullup 
krb5_dbe_lookup_mkey_aux was decoding a 16-bit value directly into an
int, resulting in the wrong value on big-endian platforms.  The
consequences are mostly invisible because we ignore this field and try
all mkey_aux nodes in krb5_def_fetch_mkey_list.

ticket: 7738 (new)
target_version: 1.12
tags: pullup
Reset key-generation parameters for each enctype 2013-10-25T18:15:12+00:00 Ben Kaduk kaduk@mit.edu 2013-10-25T18:00:29+00:00 381cf01afb13ad28de0927de37f8e1d12749bf49 In add_key_pwd, initialize s2k_params to NULL inside the loop over enctypes instead of outside the loop, so that if the afs3 salt type is used it does not contaminate later enctype/salt pairs in the list. ticket: 7733 tags: pullup target_version: 1.12 
In add_key_pwd, initialize s2k_params to NULL inside the loop over
enctypes instead of outside the loop, so that if the afs3 salt type
is used it does not contaminate later enctype/salt pairs in the list.

ticket: 7733
tags: pullup
target_version: 1.12