Russ Allbery [Tue, 5 Jun 2012 22:46:35 +0000 (15:46 -0700)]
Improvements to the keyutils support
Move the keyutils library out of LIBS into a separate variable so
that we can link only mod_webauth with it. Fix some coding style
issues. Never treat KEYRING caches as relative to the server root,
rather than conditioning that on the existence of libkeyutils.
Remove another stray Kerberos context free.
MIT Kerberos defines the keyring ccache type which can protect
credentials from sibling processes. On systems with libkeyutils,
override WebAuthCredCacheDir to enable protected session-linked
keyring credential caches.
Russ Allbery [Fri, 25 May 2012 05:52:37 +0000 (22:52 -0700)]
Flesh out key tests and move keyring_from_key test
Flesh out tests/lib/keys-t.c to include the other key functions
and to test error cases and more of the key contents. Move the
test of keyring_from_key into tests/lib/key-t.c with the other
existing keyring tests.
Russ Allbery [Fri, 25 May 2012 00:05:31 +0000 (17:05 -0700)]
Remove all the token attribute strings from the Perl API
Now that we have WebAuth::Token classes and wrappers around the
high-level token API, the Perl code doesn't need to know the wire
representation of token attributes. Remove the exported constants
used for that purpose.
Russ Allbery [Thu, 24 May 2012 23:48:22 +0000 (16:48 -0700)]
Move WebAuth::Exception into a separate file, drop match method
Move WebAuth::Exception into its own *.pm file instead of including
it in WebAuth.pm. Drop the match method, which was only used inside
the test suite. Add some tests for the most important accessor
methods in the WebAuth::Exception class.
Add the missing WA_ERR_INVALID error code to the WebAuth Perl module
to allow for testing.
Move the Exporter and $VERSION information for WebAuth into a BEGIN
block so that it's safe for WebAuth and WebAuth::Exception to depend
on each other.
Russ Allbery [Wed, 23 May 2012 00:48:58 +0000 (17:48 -0700)]
Merge Perl keyring_from_key and keyring_new interfaces
Allow keyring_new to take either a ring capacity or a WebAuth::Key
and call the appropriate underlying C function. Remove the
duplicate keyring_from_key API.
Russ Allbery [Wed, 23 May 2012 00:19:27 +0000 (17:19 -0700)]
Add Perl dependencies on perl/Makefile.PL and lib/libwebauth.la
Rebuild the Perl modules when perl/Makefile.PL or lib/libwebauth.la
have changed. This should result in fewer cases where make check
stops and forces rebuilding of the Perl module.
Russ Allbery [Tue, 22 May 2012 23:50:24 +0000 (16:50 -0700)]
Fold webauth_random_key into webauth_key_create
The only caller of webauth_random_key was webauth_key_create, so
incorporate its logic into that function. Pull out the actual
OpenSSL error message and report it.
Russ Allbery [Tue, 22 May 2012 22:25:31 +0000 (15:25 -0700)]
Move webauth_random_bytes into token-crypto.c
The only use of this function was to generate the random nonce for
tokens, so inline the function into its only caller. Update the
OpenSSL code in token-crypto.c to properly obtain and report the
OpenSSL error message, if any.
Russ Allbery [Tue, 22 May 2012 21:48:29 +0000 (14:48 -0700)]
Remove webauth_random_{bytes,key} from the public API
Now that there's an API to generate a random key, there's no need
for these functions to be part of the public API. Remove them,
the very short test case, and the Perl bindings for them.
Russ Allbery [Sat, 19 May 2012 02:31:21 +0000 (19:31 -0700)]
Rewrite the keyring library functions to use APR
All key and keyring functions in the WebAuth library API have changed
to take the WebAuth context and use APR memory management and
new-style error message handling. All the *_free functions have
therefore been removed. Keyrings are now represented by an APR array;
callers that want to walk through the keyring entries will need the
relevant APR headers. Functions that could only fail if memory
allocation failed now either return new objects directly or are
declared void, since APR code assumes memory allocation does not fail.
The API now uses named structs instead of typedefs.
webauth_key_create will now create a random key if passed NULL for the
key material. It also now returns a status code so that better error
messages can be reported.
webauth_keyring_read_file has been renamed to webauth_keyring_read.
webauth_keyring_write_file has been renamed to webauth_keyring_write.
The webauth_keyring_encode and webauth_keyring_decode functions have
been removed from the public API.
webauth_keyring_best_key now takes a WA_KEY_DECRYPT or WA_KEY_ENCRYPT
argument instead of a boolean. This makes the meaning clearer at the
call site.
The Perl API for manipulating keyrings has been modified to include
the WebAuth context. The read_file method in the WebAuth::Keyring
class has been replaced with a keyring_read method in the WebAuth
class and the WebAuth::Keyring new constructor has been replaced with
a keyring_new method in the WebAuth class so that the WebAuth context
can be tracked. The capacity method on a WebAuth::Keyring object has
been removed since it's not part of the abstraction.
Russ Allbery [Wed, 16 May 2012 01:46:00 +0000 (18:46 -0700)]
Clean up layering separation for token decryption
Remove the remaining token attribute decoding and sanity checks from
webauth_token_parse and rename it to webauth_token_decrypt. Add them
to the decoding logic in lib/token-decode.c.
Modify webauth_token_decrypt to take two pairs of buffers and sizes
instead of decoding in place, and clean up all the internal logic
accordingly.
Remove the remaining code to do staleness checks during decoding. All
these checks are now done farther up the application layer and the
functions were never called with the data saying to do those checks.
Russ Allbery [Tue, 15 May 2012 23:38:15 +0000 (16:38 -0700)]
Replace webauth_token_encode with webauth_token_encrypt
Move all the attribute handling up to the caller and just encrypt
a given buffer into the token format in this function. Remove the
ability to provide a hint in favor of always using the current time.
Russ Allbery [Tue, 15 May 2012 23:22:31 +0000 (16:22 -0700)]
Rename lib/token.c to lib/token-crypto.c, hide encoded_length
This source file will eventually contain only the crypto code.
Make webauth_token_encoded_length static and rename it, since it's
no longer called outside of this file.
Russ Allbery [Tue, 15 May 2012 22:51:44 +0000 (15:51 -0700)]
Make the old webauth_token_{create,parse} functions private
The old webauth_token_create and webauth_token_parse functions have
been removed from the public API in favor of the new _encode and
_decode functions. The token_create and token_parse methods have also
been removed from the Perl API in favor of the new token_decode method
and WebAuth::Token::* classes.
Russ Allbery [Tue, 15 May 2012 22:35:36 +0000 (15:35 -0700)]
Remove the generate-tokens test script
The WebKDC::Token module is gone, so remove this script, which relied
on using it. This temporarily leaves us without a way to generate the
various bad tokens. Add a comment about another couple of token types
that we can't currently generate.
Russ Allbery [Tue, 15 May 2012 22:22:21 +0000 (15:22 -0700)]
Perl: Resurrect and fix the webkdc.t test
Bring the webkdc.t test up to date with the changes to the Perl API
and confirm that it works properly if all of its prerequisites are
met. Fix the syntax of the pwexpiration date passed to remctl.
Improve the diagnostic messages if the test is skipped. Allow running
the tests that don't require kadmin-remctl and only skipping that one
test if Net::Remctl is not available. Drop the probing for remctld,
since we don't use it.
Russ Allbery [Tue, 15 May 2012 21:07:39 +0000 (14:07 -0700)]
Perl: Don't pass the token into encode
Now that encode is a method on a WebAuth::Token object, the first
argument is the token and we shouldn't have to pass the token as
a regular argument as well.
Russ Allbery [Tue, 15 May 2012 20:51:11 +0000 (13:51 -0700)]
Perl: Allow WebAuth::Token->new to decode tokens
Support passing the token and keyring into WebAuth::Token->new, which
will call WebAuth->token_decode under the hood and then return an
appropriate subclass of WebAuth::Token.
Russ Allbery [Tue, 15 May 2012 20:31:27 +0000 (13:31 -0700)]
Perl: Load all token classes when loading the WebAuth module
Our C code also creates WebAuth::Token::* objects, and callers expect to
be able to call methods on those objects. Load all of the Perl classes
for the caller so that the caller doesn't have to remember to do so.
Russ Allbery [Tue, 15 May 2012 20:27:25 +0000 (13:27 -0700)]
Formatting and comments in Perl WebAuth XS code
Wrap all PPCODE and CODE segments in braces so that Emacs c-mode
doesn't get quite as confused. Add some additional comments around
tricky parts of the code.
Russ Allbery [Tue, 15 May 2012 20:08:51 +0000 (13:08 -0700)]
Perl: Make encode a method on a WebAuth::Token
A more natural object-oriented API is to let a token encode itself
rather than using a WebAuth method to do so. Towards that end, store
a copy of the WebAuth context in the token when created via decoding
and require a WebAuth context argument in the constructor.
Russ Allbery [Tue, 15 May 2012 06:30:34 +0000 (23:30 -0700)]
Allow krb5 id tokens to omit the subject on encoding
webauth_token_encode now correctly allows id tokens of type krb5 to
omit the subject attribute. The receiver is supposed to determine the
subject via the Kerberos authenticator.
Russ Allbery [Tue, 15 May 2012 03:53:01 +0000 (20:53 -0700)]
Add new webauth-make-tokens script based on generate-tokens
Add new tools/webauth-make-tokens script to generate WebAuth tokens
given a configuration file and keyring. This is not installed by
default and is normally only used to generate test data, but it may be
useful in some other cases of manual token generation.
This doesn't replace generate-tokens yet, since not all tokens are
supported by the new library and there isn't yet support for generating
the various invalid tokens.
Russ Allbery [Tue, 15 May 2012 03:49:48 +0000 (20:49 -0700)]
Convert Perl token tests to be data-driven
Load the tokens from the tokens.conf configuration file and use
them for testing both encoding and decoding rather than having to
write Perl code matching the token contents.
Russ Allbery [Tue, 15 May 2012 03:48:25 +0000 (20:48 -0700)]
Perl: Do not store 0 numeric values in Perl hash
It's cleaner for testing and seems to be more consistent to not
decode zero numeric values (time_t and unsigned long) and instead
let them be undefined in the Perl hash. 0 is generally used to
mean not set. This needs to be formalized in the protocol.
Russ Allbery [Tue, 15 May 2012 03:09:59 +0000 (20:09 -0700)]
New test token configuration based on generate-tokens
As the first step of shifting the Perl test suite to be more
data-driven, create a new configuration file that lists all of our
test tokens. This is like the token data in generate-tokens, except
using the new WebAuth::Token::* class names and with attribute names
that match the struct members for the webauth_token_* structs and
therefore our accessor functions.
Divide the test tokens into three groups: ones that are good, ones
that are syntactically valid but will produce errors on decoding,
and ones that are syntactically invalid.
Russ Allbery [Mon, 14 May 2012 23:24:34 +0000 (16:24 -0700)]
Add encoding for WebAuth::Token::App
Add a generic encoding framework parallel to the decoding framework
and support encoding a WebAuth::Token::App to a base64-encoded token.
Add a constructor to the WebAuth::Token::App class.
Russ Allbery [Mon, 14 May 2012 22:35:10 +0000 (15:35 -0700)]
Add WebAuth::Token::App and decoding app tokens
Add a new framework for token decoding that uses the new libwebauth
API and then maps the resulting token to a Perl hash. Create a
WebAuth::Token::App class to wrap app tokens and add decoding and a
test for app tokens.
This also adds a test framework that starts duplicating some of the
TAP library functions for C and shell in a Perl module framework.
Russ Allbery [Mon, 14 May 2012 03:36:33 +0000 (20:36 -0700)]
Include new WebAuth dependency libraries in DEPEND_LIBS
The Perl module may need to be linked with all of the dependencies
of the WebAuth library if --enable-reduced-depends was not given,
but the new additions (APR, APR-Util, and remctl) weren't included.
Fix that.
Russ Allbery [Tue, 8 May 2012 19:49:16 +0000 (12:49 -0700)]
Rewrite the Perl API to create a WebAuth object for the context
The WebAuth Perl module API now requires creating a WebAuth object
first and passing that object as the first argument to most other
functions. This is the first step in making the API more
object-oriented. All users will need code changes to work with the
new API. WebAuth::Keyring and WebAuth::Krb5 have not yet been
converted, but will be in a subsequent release. This means that the
WebKDC and WebLogin Perl modules in this release require the WebAuth
module from this release and vice versa, so be careful of partial
upgrades.
Russ Allbery [Tue, 8 May 2012 16:39:15 +0000 (09:39 -0700)]
Obtain better error messages in Perl API where possible
Modify webauth_croak to take a struct webauth_context as well and
call webauth_error_message immediately to obtain the last error
message, including the context if possible. Modify the
WebAuth::Exception class to pull the message from the rich exception
object instead of calling WebAuth::error_message at the time of
querying the exception.
Currently, we mostly pass NULL into webauth_error_message, but that
will change as the WebAuth Perl module becomes more object-oriented.
Russ Allbery [Tue, 8 May 2012 15:44:56 +0000 (08:44 -0700)]
Log authorization denied at debug level for Apache 2.4
In Apache 2.4, we might have a bunch of separate directives or
be called in complex ways, so it doesn't make sense to log the
authorization denied state at a high priority level. Previously,
that made sense because mod_webauthldap handled the complete group
list at once, but that's no longer the case. Reduce the level to
debug.
Russ Allbery [Tue, 8 May 2012 15:43:08 +0000 (08:43 -0700)]
Only attempt LDAP lookups if the user authenticated with WebAuth
The new fixups hook for Apache 2.4 unconditionally attempted to
look up the user, even if there was no user or they didn't log on
with WebAuth. Restore the previous behavior by checking first.
Russ Allbery [Mon, 7 May 2012 16:09:07 +0000 (09:09 -0700)]
Use webauth_token_encode_raw for the mod_webauth app state
The sole remaining use of the low-level token functions outside of
the WebAuth library and Perl module was in handling the app state
token in mod_webauth. Replace that with webauth_token_encode_raw.
Russ Allbery [Fri, 4 May 2012 06:12:22 +0000 (23:12 -0700)]
Refactor the mod_webauth configuration parsing
Rewrite the mod_webauth configuration parsing to move it into a
separate config.c source file and to use the same macros and structure
as the mod_webkdc configuration parsing.
Russ Allbery [Fri, 4 May 2012 06:10:20 +0000 (23:10 -0700)]
Fix merging of mod_webkdc Apache directives in multiple merges
Fix merging of mod_webkdc Apache directives in some corner cases where
the directive has a default value or is explicitly set to off.
Previously, the _set flag was not set on the newly generated config
after a merge of a set value, which could cause the winning value to be
discarded in a later merge.
Russ Allbery [Fri, 4 May 2012 02:20:41 +0000 (19:20 -0700)]
Finish port to Apache 2.4
Add Autoconf probes to restore previous behavior when built with
Apache 2.2 or earlier. Add a portable/apache.h header to encapsulate
the various portability fixes and the inclusion of a basic set of
Apache headers. Adjust all Apache module code to use that header.
Move modules/mod-config.h to config-mod.h at the top level.
Add a NEWS entry for the Apache 2.4 port and warn that the legacy
StanfordAuth support is not available in mod_webauthldap when built
with Apache 2.4.
Russ Allbery [Thu, 3 May 2012 23:22:21 +0000 (16:22 -0700)]
Initial ugly port to Apache 2.4
The minimum changes required for the modules to compile and work with
Apache 2.4 and pass basic testing. This breaks compilation on Apache
2.2, which will be restored in a subsequent commit with additional
Autoconf probing.
This duplicates a bunch of code in mod_authldap and removes old code
that will no longer compile with #if 0. This too will be cleaned up
in a subsequent release.
* Update the set of flags enabled by make warnings.
Update to C TAP Harness 1.11:
* Only use feature-test macros when requested or built with gcc -ansi.
* New tests/tap/macros.h header with some common definitions.
* Drop is_double from the C TAP library to avoid requiring -lm.
* Avoid using local in the shell libtap.sh library.
Fix the sample confirm template to use the correct attribute for login
history timestamps and to suppress the timestamp section if that
history entry had no associated timestamp.
Fix webauth_user_info parsing of timestamps in login history
Fix a bug in webauth_user_info that misparsed timestamp attributes
from the user information query results, causing timestamps to be
ignored and always set to 0 in user login history information and
causing the function to fail if any unknown attributes were returned.
Russ Allbery [Tue, 27 Mar 2012 18:23:41 +0000 (11:23 -0700)]
Add explicit HTML filters to WebLogin variable interpolation
Add explicit HTML filters to all interpolated variables in the
sample WebLogin templates. Previous versions of the sample templates
(since the conversion to Template Toolkit in 4.0) did not uniformly
apply the HTML filter, which could cause rendering problems or even
cross-site scripting vulnerabilities in some corner cases. For most
attributes missing this filter there was no chance of HTML special
characters, but now the filter is applied uniformly for consistency.
Sites with custom templates should check their templates for any
instance of a variable interpolation ([% variable %]) and ensure that
the HTML filter is applied ([% variable FILTER html %] instead).
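One way to run the template check this commit message recommends, as an added example that is not part of the WebAuth distribution. It flags Template Toolkit output directives that lack the html filter; the variable names in the sample template are constructed, and the keyword list is a subset of Template Toolkit's directive keywords.

```python
import re

# One Template Toolkit directive, including chomp markers such as [%- ... -%].
DIRECTIVE = re.compile(r"\[%[-+~=]?\s*(.*?)\s*[-+~=]?%\]", re.DOTALL)
# Output is safe when the directive ends in "FILTER html" or the "| html" alias.
HTML_FILTER = re.compile(r"(?:\bFILTER|\|)\s*html\s*;?$")
# Implicit SET, e.g. [% total = a + b %]; "==" comparisons are not assignments.
ASSIGNMENT = re.compile(r"^[\w.]+\s*=(?!=)")
# Directives that start with these keywords are control flow, assignment or
# template inclusion rather than variable interpolation.
NON_OUTPUT = {
    "IF", "ELSIF", "ELSE", "UNLESS", "END", "FOREACH", "FOR", "WHILE",
    "SWITCH", "CASE", "SET", "DEFAULT", "BLOCK", "MACRO", "USE", "FILTER",
    "INCLUDE", "PROCESS", "INSERT", "WRAPPER", "CALL", "NEXT", "LAST",
    "RETURN", "STOP", "TRY", "CATCH", "FINAL", "THROW", "CLEAR", "META",
    "TAGS", "PERL", "RAWPERL", "DEBUG",
}


def unfiltered_interpolations(template_text):
    """Return (line_number, directive) for each interpolation without the html filter."""
    findings = []
    for match in DIRECTIVE.finditer(template_text):
        body = match.group(1)
        if not body or body.startswith("#"):       # empty tag or [%# comment %]
            continue
        first_word = body.split(None, 1)[0]
        if first_word in NON_OUTPUT or ASSIGNMENT.match(body):
            continue
        if HTML_FILTER.search(body):
            continue
        line_number = template_text.count("\n", 0, match.start()) + 1
        findings.append((line_number, match.group(0)))
    return findings


# Constructed sample template; the variable names are hypothetical.
SAMPLE = """\
<h1>[% IF error %]Error[% END %]</h1>
<p>Logged in as [% username FILTER html %]</p>
<p>Return to <a href="[% return_url | html %]">[% pretty_return_url %]</a></p>
[% remaining = limit - used %]
<td>[%- login.hostname -%]</td>
[%# a comment %]
"""

if __name__ == "__main__":
    for line_number, directive in unfiltered_interpolations(SAMPLE):
        print(f"line {line_number}: {directive} has no html filter")
```

The scanner does not track enclosing [% FILTER html %] ... [% END %] blocks, so interpolations inside such a block are still reported and need a manual look.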