<feed xmlns='http://www.w3.org/2005/Atom'>
<title>krb5.git/src/plugins, branch keyring</title>
<subtitle>MIT Kerberos patches</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/'/>
<entry>
<title>Improve LDAP KDB initialization error messages</title>
<updated>2013-10-30T16:38:03+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2013-10-28T15:23:11+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=5a77bb85294f37d1dfa4c7faedfdfb0d7faaf8dc'/>
<id>5a77bb85294f37d1dfa4c7faedfdfb0d7faaf8dc</id>
<content type='text'>
In krb5_ldap_initialize, don't just blat the LDAP error into the
extended message; give an indication of which LDAP operation we were
trying to do and show what parameters we gave to it.

(Also, krb5_set_error_message can handle a null context argument, so
don't bother to check before calling.)

ticket: 7739 (new)
target_version: 1.12
tags: pullup
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In krb5_ldap_initialize, don't just blat the LDAP error into the
extended message; give an indication of which LDAP operation we were
trying to do and show what parameters we gave to it.

(Also, krb5_set_error_message can handle a null context argument, so
don't bother to check before calling.)

ticket: 7739 (new)
target_version: 1.12
tags: pullup
</pre>
</div>
</content>
</entry>
<entry>
<title>Use protocol error for PKINIT cert expiry</title>
<updated>2013-10-17T18:13:02+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2013-10-14T21:02:31+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=cd59782cb32b79e4001a86b0fe47af8b6275ef0c'/>
<id>cd59782cb32b79e4001a86b0fe47af8b6275ef0c</id>
<content type='text'>
If we fail to create a cert chain in cms_signeddata_create(), return
KRB5KDC_ERR_PREAUTH_FAILED, which corresponds to a protocol code,
rather than KRB5_PREAUTH_FAILED, which doesn't.  This is also more
consistent with other error clauses in the same function.

ticket: 7718 (new)
target_version: 1.12
tags: pullup
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If we fail to create a cert chain in cms_signeddata_create(), return
KRB5KDC_ERR_PREAUTH_FAILED, which corresponds to a protocol code,
rather than KRB5_PREAUTH_FAILED, which doesn't.  This is also more
consistent with other error clauses in the same function.

ticket: 7718 (new)
target_version: 1.12
tags: pullup
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix audit test module initialization</title>
<updated>2013-10-06T00:13:39+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2013-10-06T00:13:39+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=5036f91e7b61a73a1ec2d39ce1cc6bbf60dd82ab'/>
<id>5036f91e7b61a73a1ec2d39ce1cc6bbf60dd82ab</id>
<content type='text'>
Check if the fopen result is NULL, not whether it's less than zero.

ticket: 7713 (new)
target_version: 1.12
tags: pullups
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Check if the fopen result is NULL, not whether it's less than zero.

ticket: 7713 (new)
target_version: 1.12
tags: pullups
</pre>
</div>
</content>
</entry>
<entry>
<title>KDC Audit infrastructure and plugin implementation</title>
<updated>2013-10-05T00:25:49+00:00</updated>
<author>
<name>Zhanna Tsitkov</name>
<email>tsitkova@mit.edu</email>
</author>
<published>2013-07-20T19:47:42+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=1003f0173f266a6428ccf2c89976f0029d3ee831'/>
<id>1003f0173f266a6428ccf2c89976f0029d3ee831</id>
<content type='text'>
Per project http://k5wiki.kerberos.org/wiki/Projects/Audit

The purpose of this project is to create an Audit infrastructure to monitor
security related events on the KDC.

The following events are targeted in the initial version:
- startup and shutdown of the KDC;
- AS_REQ and TGS_REQ exchanges.  This includes client address and port, KDC
  request and request ID, KDC reply, primary and derived ticket and their
  ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and
  validated, local policy violation and protocol constraints, and KDC status
  message.

Ticket ID is introduced to allow linking tickets to their initial TGT at any
stage of the Kerberos exchange. For the purpose of this project it is a private
to KDC ticket ID: each successfully created ticket is hashed and recorded
into audit log. The administrators can correlate the primary and derived
ticket IDs after the fact.

Request ID is a randomly generated alpha-numeric string. Using this ID an
administrator can easily correlate multiple audit events related to a single
request. It should be informative both in cases when the request is sent to
multiple KDCs, or to the same KDC multiple times.

For the purpose of testing and demo of the Audit, the JSON based modules are
implemented: "test" and "simple" audit modules respectively.
The file plugins/audit/j_dict.h is a dictionary used in these implementations.

The new Audit system is build-time enabled and run-time pluggable.

[kaduk@mit.edu: remove potential KDC crashes, minor reordering]

ticket: 7712
target_version: 1.12
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Per project http://k5wiki.kerberos.org/wiki/Projects/Audit

The purpose of this project is to create an Audit infrastructure to monitor
security related events on the KDC.

The following events are targeted in the initial version:
- startup and shutdown of the KDC;
- AS_REQ and TGS_REQ exchanges.  This includes client address and port, KDC
  request and request ID, KDC reply, primary and derived ticket and their
  ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and
  validated, local policy violation and protocol constraints, and KDC status
  message.

Ticket ID is introduced to allow linking tickets to their initial TGT at any
stage of the Kerberos exchange. For the purpose of this project it is a private
to KDC ticket ID: each successfully created ticket is hashed and recorded
into audit log. The administrators can correlate the primary and derived
ticket IDs after the fact.

Request ID is a randomly generated alpha-numeric string. Using this ID an
administrator can easily correlate multiple audit events related to a single
request. It should be informative both in cases when the request is sent to
multiple KDCs, or to the same KDC multiple times.

For the purpose of testing and demo of the Audit, the JSON based modules are
implemented: "test" and "simple" audit modules respectively.
The file plugins/audit/j_dict.h is a dictionary used in these implementations.

The new Audit system is build-time enabled and run-time pluggable.

[kaduk@mit.edu: remove potential KDC crashes, minor reordering]

ticket: 7712
target_version: 1.12
</pre>
</div>
</content>
</entry>
<entry>
<title>Use constant-time comparisons for checksums</title>
<updated>2013-10-03T19:26:00+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2013-10-02T21:58:06+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=07d68eec2788bfe80686608813f644838707c168'/>
<id>07d68eec2788bfe80686608813f644838707c168</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Add hostrealm interface tests</title>
<updated>2013-08-15T16:39:58+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2013-08-05T20:10:10+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=7ad5f3bfd8b57d2f4c001182792e25968309ca8a'/>
<id>7ad5f3bfd8b57d2f4c001182792e25968309ca8a</id>
<content type='text'>
Create a test module for the hostrealm interface, a harness to call
the realm mapping functions and display their results, and a Python
script to exercise the functionality of the interface and each module
(except the dns module, which we cannot easily test since it relies on
TXT records in the public DNS).

ticket: 7687
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Create a test module for the hostrealm interface, a harness to call
the realm mapping functions and display their results, and a Python
script to exercise the functionality of the interface and each module
(except the dns module, which we cannot easily test since it relies on
TXT records in the public DNS).

ticket: 7687
</pre>
</div>
</content>
</entry>
<entry>
<title>Don't ask empty responder questions in PKINIT</title>
<updated>2013-07-22T16:25:31+00:00</updated>
<author>
<name>Nalin Dahyabhai</name>
<email>nalin@dahyabhai.net</email>
</author>
<published>2013-07-19T15:33:20+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=b37a0be87e5146d730b89abd1378a3043d5015b2'/>
<id>b37a0be87e5146d730b89abd1378a3043d5015b2</id>
<content type='text'>
When putting together the set of identity prompts for a responder
challenge, if we don't need a PIN or password of some kind, don't ask
an empty question.

[ghudson@mit.edu: squashed commits, modified commit message, merged
PKCS11 test with current Python script]
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When putting together the set of identity prompts for a responder
challenge, if we don't need a PIN or password of some kind, don't ask
an empty question.

[ghudson@mit.edu: squashed commits, modified commit message, merged
PKCS11 test with current Python script]
</pre>
</div>
</content>
</entry>
<entry>
<title>Add the error to some PKINIT NSS debug messages</title>
<updated>2013-07-17T18:57:13+00:00</updated>
<author>
<name>Nalin Dahyabhai</name>
<email>nalin@dahyabhai.net</email>
</author>
<published>2013-07-03T21:11:09+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=bb051a93f31c274cec6c9788558911a0c6b5ddc8'/>
<id>bb051a93f31c274cec6c9788558911a0c6b5ddc8</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Support PKINIT OpenSSL deferred identity prompting</title>
<updated>2013-07-17T18:57:12+00:00</updated>
<author>
<name>Nalin Dahyabhai</name>
<email>nalin@redhat.com</email>
</author>
<published>2013-06-28T21:12:39+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=a3abb0bf5fade0009c9899624d4b996a4e12a49f'/>
<id>a3abb0bf5fade0009c9899624d4b996a4e12a49f</id>
<content type='text'>
Add a password to the set of things that we can pass to a PEM password
callback and the function we use for loading PKCS12 bundles.  If we're
meant to defer identity prompts, just store the name of the identity
which we're loading.  Otherwise, if we're passed a password, use it.
Otherwise, use the prompter callback.

Add a password to the set of things that we can pass to the function
that we use for logging in to PKCS11 tokens, too, but if we're deferring
identity prompts, just return the identity name without doing anything
else.  If not, and we're passed a password, use that.  Otherwise, try to
use the prompter callback to get one.

ticket: 7680
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add a password to the set of things that we can pass to a PEM password
callback and the function we use for loading PKCS12 bundles.  If we're
meant to defer identity prompts, just store the name of the identity
which we're loading.  Otherwise, if we're passed a password, use it.
Otherwise, use the prompter callback.

Add a password to the set of things that we can pass to the function
that we use for logging in to PKCS11 tokens, too, but if we're deferring
identity prompts, just return the identity name without doing anything
else.  If not, and we're passed a password, use that.  Otherwise, try to
use the prompter callback to get one.

ticket: 7680
</pre>
</div>
</content>
</entry>
<entry>
<title>Support PKINIT NSS deferred identity prompting</title>
<updated>2013-07-17T18:57:11+00:00</updated>
<author>
<name>Nalin Dahyabhai</name>
<email>nalin@dahyabhai.net</email>
</author>
<published>2013-07-08T20:49:16+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=c5bf0caa8abf2b931f5ad258463d706d3cfd5f5b'/>
<id>c5bf0caa8abf2b931f5ad258463d706d3cfd5f5b</id>
<content type='text'>
The password callback which we usually supply to NSS already gets a
pointer to the pkinit_identity_crypto_context structure, but it needs to
be passed the name of the identity for which it's being called.

If it gets a name, and it's deferring prompting, just add the identity
to the list of deferred identity prompts (the password callback wouldn't
have been called if its result wasn't needed), and either return NULL
(as an indication that we couldn't get a password) or an empty string (a
value which we know is invalid) if that's handier.

Otherwise, check for a password that's been stashed for its use for that
identity, and return a copy of it if one's found.  If none of that
works, try to use the prompter callback to ask for the password.

ticket: 7680
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The password callback which we usually supply to NSS already gets a
pointer to the pkinit_identity_crypto_context structure, but it needs to
be passed the name of the identity for which it's being called.

If it gets a name, and it's deferring prompting, just add the identity
to the list of deferred identity prompts (the password callback wouldn't
have been called if its result wasn't needed), and either return NULL
(as an indication that we couldn't get a password) or an empty string (a
value which we know is invalid) if that's handier.

Otherwise, check for a password that's been stashed for its use for that
identity, and return a copy of it if one's found.  If none of that
works, try to use the prompter callback to ask for the password.

ticket: 7680
</pre>
</div>
</content>
</entry>
</feed>
