krb5.git/src, branch keyring MIT Kerberos patches Set expiration time on keys and keyrings 2013-11-15T21:40:44+00:00 Simo Sorce simo@redhat.com 2013-11-15T21:36:05+00:00 64bf5e01cee2317d59084b6c134cdd11b21f7552 By setting the timeout based on the credetial's timeout we let the system automatically cleanup expired credentials. [ghudson@mit.edu: simplified code slightly] ticket: 7769 (new) target_version: 1.12 tags: pullup 
By setting the timeout based on the credetial's timeout we let the
system automatically cleanup expired credentials.

[ghudson@mit.edu: simplified code slightly]

ticket: 7769 (new)
target_version: 1.12
tags: pullup
Add support to store time offsets in cc_keyring 2013-11-15T19:50:04+00:00 Simo Sorce simo@redhat.com 2013-11-14T22:23:59+00:00 568fc6d12c231d00d3b4d75826da93b772e7c075 The code follows the same model used for the memory ccache type. Time offsets are stored in each credential cache in a special key just like the principal name. Legacy session caches do not store timestamps as legacy code would fail when iterating over the new offset key. [ghudson@mit.edu: minor formatting changes; note legacy session exception in commit message] ticket: 7768 (new) target_version: 1.12 tags: pullup 
The code follows the same model used for the memory ccache type.  Time
offsets are stored in each credential cache in a special key just like
the principal name.  Legacy session caches do not store timestamps as
legacy code would fail when iterating over the new offset key.

[ghudson@mit.edu: minor formatting changes; note legacy session
exception in commit message]

ticket: 7768 (new)
target_version: 1.12
tags: pullup
Catch more strtol() failures when using KEYRINGs 2013-11-12T16:13:51+00:00 Nalin Dahyabhai nalin@dahyabhai.net 2013-11-11T18:10:08+00:00 5ac159e220297a8f62dd5edcec6f9b988b0627ea When parsing what should be a UID while resolving a KEYRING ccache name, don't just depend on strtol() to set errno when the residual that we pass to it can't be parsed as a number. In addition to checking errno, pass in and check the value of an "endptr". [ghudson@mit.edu: simplified slightly] ticket: 7764 (new) target_version: 1.12 tags: pullup 
When parsing what should be a UID while resolving a KEYRING ccache
name, don't just depend on strtol() to set errno when the residual
that we pass to it can't be parsed as a number.  In addition to
checking errno, pass in and check the value of an "endptr".

[ghudson@mit.edu: simplified slightly]

ticket: 7764 (new)
target_version: 1.12
tags: pullup
Multi-realm KDC null deref [CVE-2013-1418] 2013-11-04T19:37:05+00:00 Tom Yu tlyu@mit.edu 2013-11-04T18:44:29+00:00 5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf If a KDC serves multiple realms, certain requests can cause setup_server_realm() to dereference a null pointer, crashing the KDC. CVSSv2: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C A related but more minor vulnerability requires authentication to exploit, and is only present if a third-party KDC database module can dereference a null pointer under certain conditions. ticket: 7755 (new) target_version: 1.12 tags: pullup 
If a KDC serves multiple realms, certain requests can cause
setup_server_realm() to dereference a null pointer, crashing the KDC.

CVSSv2: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C

A related but more minor vulnerability requires authentication to
exploit, and is only present if a third-party KDC database module can
dereference a null pointer under certain conditions.

ticket: 7755 (new)
target_version: 1.12
tags: pullup
Remove rtm_type_name() 2013-11-04T18:51:18+00:00 Ben Kaduk kaduk@mit.edu 2013-11-01T19:12:33+00:00 bcc91c8d8b3d5b775cfde1ee461d7e0394070852 It has been unused since 2009 when Ken decided that the routing log messages were too verbose (commit 91fc077c96926dd60). 
It has been unused since 2009 when Ken decided that the routing log
messages were too verbose (commit 91fc077c96926dd60).
Clean up the code to eliminate some clang warnings 2013-11-04T18:51:17+00:00 Ben Kaduk kaduk@mit.edu 2013-10-30T18:51:12+00:00 3a8eaa43045fb242739ad9729bb66f915be209b9 In ure.c, though k is a short, the literal 1 is of type 'int', and so the operation 'k + 1' is performed at the (32-bit) width of int, and therefore the "%d" format string is correct. In accept_sec_context.c, the 'length' field of krb5_data is an unsigned type, so checking for a negative value has no effect. In net-server.c, the helper routine rtm_type_name() is only used in code that is disabled with #if 0 conditionals; make the definition also disabled in the same way to avoid warnings of an unused function. In kdc_authdata.c, equality checks in double parentheses elicit a warning from clang. The double-parentheses idiom is normally used to indicate that an assignment is being performed, but the value of the assignment is also to be used as the value for the conditional. Since assignment and equality checking differ only by a single character, clang considers this worthy of a warning. Since the extra set of parentheses is redundant and against style, it is correct to remove them. In several places (sim_server.c, dump.c, kdb5_destroy.c, ovsec_kadmd.c), there are declarations of extern variables relating to getopt() functionality that are now unused in the code. Remove these unused variables. 
In ure.c, though k is a short, the literal 1 is of type 'int', and
so the operation 'k + 1' is performed at the (32-bit) width of int,
and therefore the "%d" format string is correct.

In accept_sec_context.c, the 'length' field of krb5_data is an
unsigned type, so checking for a negative value has no effect.

In net-server.c, the helper routine rtm_type_name() is only used
in code that is disabled with #if 0 conditionals; make the
definition also disabled in the same way to avoid warnings of an
unused function.

In kdc_authdata.c, equality checks in double parentheses elicit
a warning from clang.  The double-parentheses idiom is normally used
to indicate that an assignment is being performed, but the value of
the assignment is also to be used as the value for the conditional.
Since assignment and equality checking differ only by a single
character, clang considers this worthy of a warning.  Since the extra
set of parentheses is redundant and against style, it is correct to
remove them.

In several places (sim_server.c, dump.c, kdb5_destroy.c,
ovsec_kadmd.c), there are declarations of extern variables relating
to getopt() functionality that are now unused in the code.  Remove
these unused variables.
Make set_cloexec_fd return void 2013-11-04T18:51:17+00:00 Ben Kaduk kaduk@mit.edu 2013-10-30T18:11:40+00:00 4547a1078afdeeb781307cf4a125baccf2edab02 We never check its return value (causing clang to emit warnings), and its use is primarily in cases where we should continue processing in the event of failure. Just ignore errors from the underlying fcntl() call (if present) and treat this operation as best-effort. The #if 0 code should probably be removed. 
We never check its return value (causing clang to emit warnings),
and its use is primarily in cases where we should continue processing
in the event of failure.  Just ignore errors from the underlying
fcntl() call (if present) and treat this operation as best-effort.

The #if 0 code should probably be removed.
Avoid deprecated krb5_get_in_tkt_with_keytab 2013-11-04T18:51:14+00:00 Ben Kaduk kaduk@mit.edu 2012-07-10T14:14:52+00:00 29dee7d2cece615bec4616fa9b727e77210051db The kprop code has been pretty unloved, and uses some routines that are marked as deprecated (which show up as warnings in the build log). Use the documented replacement for krb5_get_in_tkt_with_keytab, krb5_get_init_creds_keytab, instead. As a bonus, there is no longer a side effect of a credentials cache that needs to be destroyed. The also-deprecated function krb5_get_in_tkt_with_skey was backending to it when no keyblock was passed in; we can unroll the call to krb5_get_init_creds_keytab ourselves as the documented workaround. While here, improve style compliance with regards to cleanup. The setkey test just wants to know whether it can use the key it just put into a keytab to get credentials; as such the recommended krb5_get_init_creds_keytab is quite sufficient. While here, use that interface to request the particular enctype as well, reducing the scope of an XXX comment. ticket: 6366 
The kprop code has been pretty unloved, and uses some routines that
are marked as deprecated (which show up as warnings in the build log).
Use the documented replacement for krb5_get_in_tkt_with_keytab,
krb5_get_init_creds_keytab, instead.  As a bonus, there is no longer
a side effect of a credentials cache that needs to be destroyed.

The also-deprecated function krb5_get_in_tkt_with_skey was backending
to it when no keyblock was passed in; we can unroll the call to
krb5_get_init_creds_keytab ourselves as the documented workaround.
While here, improve style compliance with regards to cleanup.

The setkey test just wants to know whether it can use the key it
just put into a keytab to get credentials; as such the recommended
krb5_get_init_creds_keytab is quite sufficient.
While here, use that interface to request the particular enctype
as well, reducing the scope of an XXX comment.

ticket: 6366
Remove last uses of "possibly-insecure" mktemp(3) 2013-11-04T18:43:36+00:00 Ben Kaduk kaduk@mit.edu 2012-07-03T14:27:20+00:00 0415740bb569bad53b18f4483837e7e037f88544 Many libc implementations include notations to the linker to generate warnings upon references to mktemp(3), due to its potential for insecure operation. This has been the case for quite some time, as was noted in RT #6199. Our usage of the function has decreased with time, but has not yet disappeared entirely. This commit removes the last few instances from our tree. kprop's credentials never need to hit the disk, so a MEMORY ccache is sufficient (and does not need randomization). store_master_key_list is explicitly putting keys on disk so as to do an atomic rename of the stash file, but since the stash file should be in a root-only directory, we can just use a fixed name for the temporary file. When using this fixed name, we must detect (and error out) if the temporary file already exists; add a test to confirm that we do so. ticket: 1794 
Many libc implementations include notations to the linker to generate
warnings upon references to mktemp(3), due to its potential for
insecure operation.  This has been the case for quite some time,
as was noted in RT #6199.  Our usage of the function has decreased
with time, but has not yet disappeared entirely.  This commit
removes the last few instances from our tree.

kprop's credentials never need to hit the disk, so a MEMORY ccache
is sufficient (and does not need randomization).
store_master_key_list is explicitly putting keys on disk so as to
do an atomic rename of the stash file, but since the stash file
should be in a root-only directory, we can just use a fixed name
for the temporary file.  When using this fixed name, we must detect
(and error out) if the temporary file already exists; add a test to
confirm that we do so.

ticket: 1794
Clean up stash file error handling 2013-11-04T18:42:32+00:00 Ben Kaduk kaduk@mit.edu 2012-07-18T14:05:33+00:00 f7e434aa7ecb05a6ade5e3d4a435d25069acd5b2 The comment previously failed to match the behavior. The intent was that if we failed to write out the entire stash file into the temporary location, we should remove the partial file. However, the code was actually checking whether the *real* stash file existed, not whether the temporary one existed. It is safe to always try to unlink the partial file, and not worry about whether it already exists. 
The comment previously failed to match the behavior. The intent was
that if we failed to write out the entire stash file into the
temporary location, we should remove the partial file.  However, the
code was actually checking whether the *real* stash file existed,
not whether the temporary one existed.

It is safe to always try to unlink the partial file, and not worry
about whether it already exists.