The change in the webauth_webkdc_config struct means that some
interfaces are no longer compatible with previous releases. Be
conservative and bump all of the library versioning. (Normally
I wouldn't do an ABI bump in a minor release, but in this case
the effect of the changes is very minor, just still an ABI break.)
* Use Lancaster Consensus environment variables to control tests.
* Use calloc or reallocarray for protection against integer overflows.
* Suppress warnings from Kerberos headers in non-system paths.
* Update warning flags when building with make warnings.
* Only pass warning suppression flags to Perl under make warnings.
Update to C TAP Harness 3.1:
* Check for integer overflow on memory allocations.
* Avoid all remaining uses of sprintf.
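The "calloc or reallocarray for protection against integer overflows" item above is worth seeing concretely. The following is an added example, not WebAuth's or rra-c-util's own code: it shows why `malloc(n * size)` is unsafe when the product wraps, and the overflow check that calloc-style allocators perform before multiplying. The function names `checked_calloc`, `checked_reallocarray` and `naive_byte_count` are this example's own.

```c
/* Added example: overflow-checked array allocation, in the spirit of
 * calloc()/reallocarray().  Not WebAuth or rra-c-util code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if n * size would not fit in a size_t.  SIZE_MAX / size is the
 * largest element count whose byte total still fits. */
static int
mul_overflows(size_t n, size_t size)
{
    return size != 0 && n > SIZE_MAX / size;
}

/* The unsafe computation: on overflow the product silently wraps to a small
 * number, so malloc() succeeds with a buffer far shorter than intended. */
size_t
naive_byte_count(size_t n, size_t size)
{
    return n * size;
}

/* Allocate n zeroed elements of size bytes, refusing with ENOMEM instead of
 * wrapping.  calloc() itself performs this check; the wrapper makes it
 * explicit and sets errno consistently across libc implementations. */
void *
checked_calloc(size_t n, size_t size)
{
    if (mul_overflows(n, size)) {
        errno = ENOMEM;
        return NULL;
    }
    return calloc(n, size);
}

/* Grow ptr to n elements of size bytes with the same check.  On failure the
 * original allocation is left untouched, as with realloc(). */
void *
checked_reallocarray(void *ptr, size_t n, size_t size)
{
    if (mul_overflows(n, size)) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(ptr, n * size);
}

int
main(void)
{
    size_t huge = SIZE_MAX / 2 + 2;   /* constructed: wraps when doubled */
    int *a, *b;

    printf("naive byte count for %zu x 2 = %zu\n", huge, naive_byte_count(huge, 2));
    if (checked_calloc(huge, 2) == NULL)
        printf("checked_calloc refused: %s\n", strerror(errno));

    a = checked_calloc(4, sizeof(int));
    b = checked_reallocarray(a, 8, sizeof(int));
    if (b == NULL) {
        free(a);
        return 1;
    }
    b[7] = 42;
    printf("grew array to 8 ints, b[7] = %d\n", b[7]);
    free(b);
    return 0;
}
```

The test with `SIZE_MAX / 2 + 2` elements of two bytes is the classic case: the byte count wraps to 2, so an unchecked allocator hands back a two-byte buffer for what the caller believes is several exabytes.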
Translate an EINVAL error from the Kerberos libraries during password
authentication to an incorrect password error code. Older versions of
MIT Kerberos returned EINVAL for excessively long passwords.
Translate KRB5_KDC_UNREACH to WA_PEC_USER_REJECTED
When translating Kerberos errors, treat KRB5_KDC_UNREACH (cannot
contact any KDC for realm) as a user rejected error instead of a
Kerberos error. This avoids returning an internal error from WebLogin
and instead tells the user the username is invalid. This is not
always correct, since the unreachable KDC could be the local KDC, but
it's better than the previous behavior of throwing internal errors
when users enter email addresses as their username.
Allow newlines, CR, and LF in XML from WebKDC to WebLogin
Allow newlines, carriage returns, and tabs in the XML sent from the
WebKDC to the WebLogin server rather than replacing them with periods.
This fixes the display of <user-message> elements that contain
newlines.
Add a new configuration directive, WebKdcFastArmorCache, for
mod_webkdc. If set, this specifies the path to a Kerberos ticket
cache that can (and must) be used for FAST (Flexible Authentication
Secure Tunneling) protection of Kerberos password authentications.
The Kerberos KDC must also support FAST in order to safely enable this
option. Based on a patch by Jakob Uhd Jepsen (One.com A/S).
Fix parsing of the WebKdcKerberosFactors configuration directive.
Warn about credential delegation to load-balanced pools
Warn in the mod_webauth documentation that, when using credential
delegation to a load-balanced pool, all members of that pool must have
the same Kerberos identity.
Fix various grammar and wording issues in the protocol spec
Clarify the contents of the token returned to the WAS from the
WebKDC and the reason for having the session key both outside and
inside the encrypted token. Fix various other grammar and wording
mistakes, including using a more appropriate preposition than "in"
for specifying the key used for an encryption.
Add new factors mp (mobile push) and v (voice), which count as
separate classes for determining multifactor. This means the
combination of those factors with any other factor class will result
in a synthesized multifactor factor.
Update WebKDC to WebLogin protocol for new factor information
Add support for passing additional information about each
configured factor to enable better prompting in WebLogin. Provide
a device ID and a mechanism for WebLogin to return it to the
WebKDC when requesting authentication.
Override the value of BYPASS_CONFIRM if the WebKDC returns a list
of permitted_authz identities. Without this, users are unable to
assert an authz identity.
Russ Allbery [Sat, 10 May 2014 05:59:42 +0000 (22:59 -0700)]
Build correctly when remctl support is disabled
The new remctl-based password change protocol broke the build of
the library when remctl support was not enabled due to an
incorrectly-named stub function. Fix the function name and
diagnose attempting to configure remctl-based password change
without support for it earlier in the code path.
Russ Allbery [Sat, 10 May 2014 05:58:36 +0000 (22:58 -0700)]
Avoid gcc warnings when built without remctl support
GCC 4.8 warns about use of uninitialized variables when the userinfo
code is built without remctl support since it doesn't realize we
never reach the problematic code. Initialize the relevant variables
to NULL to unconfuse it.
Improve WebLogin logic for showing password expiration warning
Show the expiring password warning in WebLogin if the browser request
was a POST. Previously, it was skipped if the user had a REMOTE_USER
preference or if the browser presented a single sign-on cookie. This
was too conservative, not warning in cases when REMOTE_USER failed,
when the browser presented an expired single sign-on cookie (systems
that are suspended rather than shut down, for example), and when the
user has to do multifactor authentication. Checking for a POST is a
closer match for when we can force a confirmation screen without too
much user disruption.
Support for AuthType StanfordAuth (for backward compatibility with
WebAuth 2.5) was broken in WebAuth 4.6.0, causing mod_webauth to
reject all accesses to resources protected with that AuthType. This
has been fixed in this release.
Check the username parameter in WebLogin multifactor pages
In WebLogin, verify that the username form field was sent before
attempting to do multifactor operations and return an error if it
isn't, avoiding undefined variable warnings and other errors deeper in
the WebLogin code.
Russ Allbery [Thu, 20 Mar 2014 00:23:13 +0000 (17:23 -0700)]
Add upgrade warning about keyring permissions
Retroactively add a warning to NEWS about the permission change
required for the keyring when upgrading from older versions of
WebAuth. Clarify keyring permissions in INSTALL.
Russ Allbery [Wed, 19 Mar 2014 05:38:56 +0000 (22:38 -0700)]
Restructure and improve the mod_webauth tests
Move the logout script up a level so that it isn't covered by the
authentication requirement (auth/logout was weird). Adjust the
test harness so that tests can use an alternative logout path.
Move the tests for cookie path scoping to a separate directory so
that the whole directory can have the same path scope and they can
have their own logout script. Simplify the structure of those
tests somewhat.
Russ Allbery [Wed, 19 Mar 2014 05:38:00 +0000 (22:38 -0700)]
Fix logout handling
When path-scoped cookies were introduced, the change broke the
cookie nuking for WebAuthDoLogout. Correct this, and use a path
of / instead of (null) if no path was set.
Russ Allbery [Wed, 19 Mar 2014 00:14:14 +0000 (17:14 -0700)]
Ensure the keyring can be loaded at module entry points
At each module entry point that might perform actions with the
keyring, ensure that the keyring is loaded and return an appropriate
error immediately if it's not. Ensure there are sanity checks in
place for all places the keyring might be used.
Return HTTP_INTERNAL_SERVER_ERROR if configuring the WebKDC fails.
Vegard Edvardsen [Tue, 18 Mar 2014 06:17:23 +0000 (23:17 -0700)]
Use separate per-virtual-host internal keyrings
mod_webauth and mod_webkdc now maintain separate in-memory keyrings
per virtual host, and the WebAuthKeyring, WebKdcKeyring, and related
directives are now correctly honored in the virtual host configuration
and can be meaningfully set to different values. This allows the
modules to work properly with the ITK MPM with separate keyrings owned
by different users for each virtual host so that proper privilege
separation between virtual hosts is maintained.
Russ Allbery [Tue, 18 Mar 2014 05:28:06 +0000 (22:28 -0700)]
Preserve ownership and permissions on keyring updates
WebAuth keyring updates via either mod_webauth's and mod_webkdc's
auto-update support or via wa_keyring now preserve the keyring
ownership and permissions where possible, with the exception that the
permissions are not preserved if the old permissions included group
access and the group ownership could not be preserved.
Russ Allbery [Wed, 12 Mar 2014 06:12:35 +0000 (23:12 -0700)]
Add locking to keyring updates
webauth_keyring_write and webauth_keyring_auto_update now lock the
keyring, using a separate lock file named by appending ".lock" to the
name of the keyring. This applies to the keyrings used by
mod_webauth, mod_webkdc, and the wa_keyring utility and ensures that
only one process attempts to update a keyring at the same time. These
functions continue to use atomic replacement on all writes, and no
locks are used for reading the keyring.
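The write protocol described in this entry and the ownership/permission handling in the previous one fit together in one routine. The following is an added example, not WebAuth's `webauth_keyring_write` code: it takes an exclusive lock on a sibling `.lock` file, writes the new contents to a temporary `<path>.new`, copies the old file's mode (and ownership where allowed, falling back to owner-only access when group access cannot be kept), fsyncs, and renames over the original so unlocked readers see either the old or the new complete file. The POSIX `fcntl()` lock, the `.new` temporary name, the `/tmp/keyring-example` path and the function names are this example's own assumptions.

```c
/* Added example: locked, atomic, attribute-preserving file replacement
 * in the style described for WebAuth keyring updates.  Not WebAuth code. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PATH_BUF 4096

/* Take an exclusive fcntl() lock on "<path>.lock", waiting for any other
 * writer.  Returns the lock descriptor or -1; closing it drops the lock. */
static int
lock_for_write(const char *path)
{
    char lockname[PATH_BUF];
    struct flock fl;
    int fd;

    if (snprintf(lockname, sizeof(lockname), "%s.lock", path) >= PATH_BUF)
        return -1;
    fd = open(lockname, O_WRONLY | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    memset(&fl, 0, sizeof(fl));
    fl.l_type = F_WRLCK;
    fl.l_whence = SEEK_SET;       /* l_start = l_len = 0 covers the whole file */
    if (fcntl(fd, F_SETLKW, &fl) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Copy the old file's mode and, where permitted, ownership onto fd.  If the
 * old mode granted group access and the group could not be preserved, use
 * owner-only access rather than exposing the file to a different group. */
static int
copy_attrs(int fd, const struct stat *old)
{
    mode_t mode = old->st_mode & 07777;

    if (fchown(fd, old->st_uid, old->st_gid) < 0 && (mode & S_IRWXG) != 0)
        mode = S_IRUSR | S_IWUSR;
    return fchmod(fd, mode);
}

/* Replace the contents of path with data under the lock.  Readers take no
 * lock; rename() guarantees they see a complete old or new file. */
int
write_file_locked(const char *path, const char *data, size_t len)
{
    char tmpname[PATH_BUF];
    struct stat old;
    int lockfd, fd = -1, have_old, rc = -1;

    if (snprintf(tmpname, sizeof(tmpname), "%s.new", path) >= PATH_BUF)
        return -1;
    lockfd = lock_for_write(path);
    if (lockfd < 0)
        return -1;
    have_old = (stat(path, &old) == 0);
    fd = open(tmpname, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        goto done;
    if (have_old && copy_attrs(fd, &old) < 0)
        goto unlink_tmp;
    while (len > 0) {
        ssize_t n = write(fd, data, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            goto unlink_tmp;
        }
        data += n;
        len -= (size_t) n;
    }
    if (fsync(fd) < 0)
        goto unlink_tmp;
    if (close(fd) < 0) {
        fd = -1;
        goto unlink_tmp;
    }
    fd = -1;
    if (rename(tmpname, path) == 0)
        rc = 0;
    else
        unlink(tmpname);
    goto done;

unlink_tmp:
    if (fd >= 0)
        close(fd);
    unlink(tmpname);
done:
    close(lockfd);                /* releases the lock */
    return rc;
}

/* Read up to max bytes of path into buf; returns bytes read or -1. */
ssize_t
read_file(const char *path, char *buf, size_t max)
{
    int fd = open(path, O_RDONLY);
    ssize_t total = 0, n = 0;

    if (fd < 0)
        return -1;
    while (total < (ssize_t) max
           && (n = read(fd, buf + total, max - (size_t) total)) > 0)
        total += n;
    close(fd);
    return n < 0 ? -1 : total;
}

/* Permission bits of path, or -1 if it cannot be stat'ed. */
int
file_mode(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int) (st.st_mode & 07777) : -1;
}

int
main(void)
{
    const char *path = "/tmp/keyring-example";   /* constructed sample path */
    char buf[64];
    ssize_t n;

    if (write_file_locked(path, "keyring v1\n", 11) < 0) {
        perror("initial write");
        return 1;
    }
    chmod(path, 0640);            /* simulate an admin-chosen group mode */
    if (write_file_locked(path, "keyring v2\n", 11) < 0) {
        perror("update");
        return 1;
    }
    n = read_file(path, buf, sizeof(buf) - 1);
    buf[n > 0 ? n : 0] = '\0';
    printf("%s (mode %04o): %s", path, file_mode(path), buf);
    return 0;
}
```

Note the separation of concerns the entry describes: the lock serialises writers only, while atomic `rename()` is what protects readers, so a reader never needs to block on the lock and a crashed writer leaves at worst a stale `.new` file beside an intact keyring.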
Russ Allbery [Tue, 11 Mar 2014 04:30:53 +0000 (21:30 -0700)]
Change wai_error_set* functions to return the new code
Change all library-internal wai_error_set* functions to return the
new error code. Make use of this in various places to shorten or
simplify the code logic.
Since I'm touching every error message anyway, fix a few places
where error messages were unclear or where the wrong error code was
used.
Russ Allbery [Tue, 11 Mar 2014 02:20:52 +0000 (19:20 -0700)]
Fix handling of non-directive sections in module manuals
Based on the mod_fcgid documentation, use the correct method of
labeling non-directive sections so that they get proper sidebar
links. Remove the code from the clean-apache-manual script that
was cobbling this together.
Set the module status to External instead of Contributed, and add
a compatibility section to each module documentation page.
Russ Allbery [Mon, 10 Mar 2014 20:51:19 +0000 (13:51 -0700)]
Update to rra-c-util 5.3 and C TAP Harness 3.0
Update to rra-c-util 5.3:
* Avoid leaking dummy symbols into shared libraries.
* Probe for libdl for OpenSSL libraries (required on AIX).
* Distinguish failure to format output in asprintf wrappers.
* Check return status of snprintf properly.
* Better remctld process management in the test suite.
* Better memory management in Kerberos tests.
* Fix syntax error when building portable/krb5.h with a C++ compiler.
Update to C TAP Harness 3.0:
* Reopen standard input for tests to /dev/null.
* Clean up inherited file descriptors from the test harness.
Russ Allbery [Fri, 28 Feb 2014 01:22:33 +0000 (17:22 -0800)]
Support remctl-based password change in WebLogin
The WebAuth::Krb5 change_password function now takes an optional args
parameter that can be used to set the same configuration that can be
set with webauth_krb5_change_config.
WebLogin now supports using the remctl-based password change protocol
instead of kpasswd. This is controlled by setting
$PASSWORD_CHANGE_HOST and several other variables in the WebLogin
configuration. See docs/weblogin-config for more information.
Russ Allbery [Thu, 27 Feb 2014 09:12:11 +0000 (01:12 -0800)]
Add support for Kerberos password change via remctl
The WebAuth Kerberos API now supports Kerberos password change via the
remctl protocol, which is more robust than the kpasswd protocol when
password changes can take some time. This can be configured via the
new webauth_krb5_change_config function. The remote remctl server
must provide a command and subcommand that takes a single argument,
the new password, and changes the password for the authenticated
principal that sent the command.
Russ Allbery [Thu, 27 Feb 2014 07:58:37 +0000 (23:58 -0800)]
Update Test::RRA modules from rra-c-util 5.2
This fixes support for use_prereq with version numbers containing
underscores, adds the test_tmpdir function, and adds the
@STRICT_IGNORE configuration option for tests. We're not using
any of this currently; the point of the import is to fix a test
suite failure in the pod-spelling test.
Russ Allbery [Mon, 24 Feb 2014 21:44:19 +0000 (13:44 -0800)]
Add WebAuthCookiePath directive to mod_webauth
mod_webauth supports a new configuration directive, WebAuthCookiePath,
which scopes all cookies set by mod_webauth to the given path. This
allows separate sections of the same virtual host to be treated as
independent for authentication purposes. This can be useful when
controlling factor restrictions via the user information service.
When using this directive with a logout link, be sure that the logout
configuration (WebAuthDoLogout) is subject to the same
WebAuthCookiePath directive or it will not work properly. Be aware
that the current version of mod_webauth does not correctly handle
receiving multiple cookies with the same name from the browser. When
using this directive, ensure that all WebAuth-protected portions of
the site use this directive and none of the scopes are overlapping.
Russ Allbery [Thu, 26 Dec 2013 20:49:46 +0000 (12:49 -0800)]
Update remctld test suite handling to new API
Update to the process_start API that will be part of rra-c-util 5.0.
This maintains the previous support for integrating remctld output
into the test output while generalizing the framework and making it
somewhat more robust.
Russ Allbery [Thu, 26 Dec 2013 20:35:58 +0000 (12:35 -0800)]
Update remctl TAP support to use diag_file_add
Use diag_file_add to interleave the remctld output properly with
the test cases we're running, and to avoid having remctld output
status messages that don't properly start with #.
Use test_cleanup_register to handle the remctld_stop cleanup
function and modify its call signature accordingly.
Russ Allbery [Thu, 26 Dec 2013 20:35:21 +0000 (12:35 -0800)]
Update to C TAP Harness 2.4
* Add new diag_file_add and _remove API to the C TAP library.
* Add new test_cleanup_register API to the C TAP library.
* Suppress lazy plans and test summaries if the test failed with bail.
* Add warn_unused_result gcc attributes to relevant functions.
Russ Allbery [Thu, 21 Nov 2013 21:01:03 +0000 (13:01 -0800)]
Use authenticated identity for username for multifactor
Use the authenticated identity returned by the WebKDC as the username
for multifactor authentication in WebLogin rather than preserving what
the user originally typed. The WebKDC may have done Kerberos
canonicalization and aname to localname mapping.
I found gather_tokens returns 302 in check_user_id in the subrequest
if WebAuthExtraRedirect is on, so check_user_id never gets to set the
N_SUBJECT note, but on the second pass through check_user_id (back in
the main request) the N_WEBAUTHR and N_WEBAUTHS notes are missing, so
mod_webauth thinks we need to go back to WebLogin to get them.
This can be fixed by not removing N_WEBAUTHR and N_WEBAUTHS from the
main request's notes. Then, subrequests should behave in the same way
as the main request.
By moving the gather_tokens portion of check_user_id into
ap_hook_check_access_ex, we can have the server bypass
check_user_id for the WebAuthOptional case.
Using the per-request config allows mod_webauth to persist context
between hook functions. Because the context keeps references to
the directory config and server config, set those as soon in the
request as we can (as soon as we have a per_dir_config). In the
httpd 2.2 server this is done in access_checker; in the httpd 2.4
server this is moved to post_perdir_config.
Fix Perl warning in WebLogin when expiring cookies
When the WebKDC says to delete a cookie by returning the cookie
with no value, the check for the value being empty was assuming
it was defined. Change to a truth check, which correctly handles
the undefined case without a warning.
Be even more aggressive about disabling browser caching
Be even more thorough in telling browsers not to cache responses from
WebLogin, redirects and logout pages from mod_webauth, and any page
marked with WebAuthDontCache. Add private and max-age=0 to the
existing Cache-Control headers, add Vary: *, and (for WebLogin pages)
set an expiration time in the past.
Translate malformed principal names into WA_PEC_USER_REJECTED
Malformed principal names were being rejected with a generic
Kerberos error, which is then translated into an internal error.
Catch this case and map them to WA_PEC_USER_REJECTED instead for
better user error message presentation.
Add support to the test infrastructure for error messages that
may contain context that we can't easily reproduce. Use that to
test an authentication failure due to an incorrect password.
Hold a reference to WebAuth objects in WebAuth::Krb5 objects
Ensure that the underlying WebAuth context is not freed until the
WebAuth::Krb5 objects created from it are freed. This avoids
awkward object lifespan handling where the WebAuth context going
out of scope invalidates all the WebAuth::Krb5 objects, at the
cost of possibly hanging on to more memory than intended.
Use an example IP address for Kerberos address testing
Rather than using a valid IP address from Stanford's network, use
one of the IP addresses reserved for testing and documentation when
testing handling of address-locked tickets.
Skip change password tests if Kerberos password change fails
If the test is being run behind NAT, the Kerberos password change
protocol will fail. Skip the tests that require contacting the
server in that case. Undo the password change just in case it
succeeded despite the error message.
Skip Kerberos address tests if we can't request an address
If the KDC is checking the addresses requested for tickets, we won't
be able to get an address-locked ticket to the IP address hard-coded
in the test. Detect this situation and skip the test in that case.
Silence remctld debugging output and drop valgrind support
Drop the special support for running only remctld under valgrind.
We now have a much more comprehensive way of doing valgrind
testing. Restructure the remctl TAP add-on to make it a bit
easier to read. Remove the -d flag so that remctld isn't quite so
verbose.
Increase the time tolerance for cookie expirations
On some slow hosts, such as the Debian m68k builder, the Perl
code may take long enough to run that the cookie expiration time
won't be exactly what we want. Allow a couple of seconds of
tolerance.