Russ Allbery [Sun, 17 Oct 2021 22:21:38 +0000 (15:21 -0700)]
Add Makefile rule to regenerate the man page
The manual page is normally generated by the bootstrap script and
included in release tarballs, but that meant it would not be
regenerated when the POD source was modified. Add an explicit
Makefile rule for it to address this problem.
Properly support calling pam_end with PAM_DATA_SILENT by not deleting
the underlying ticket cache. This flag is used when the application
is closing the PAM session after a fork to free memory resources, but
doesn't intend to free resources external to the process because
another process may still depend on them. Thanks to Andrew G. Morgan
for the report.
Stop attempting to guess the correct PAM module installation path on
Linux systems when --prefix is set to /usr and instead document that
--libdir will probably need to be set explicitly. The previous logic
is now broken on Debian usrmerge systems and the guesswork seems too
fragile to maintain.
Russ Allbery [Sat, 20 Mar 2021 22:22:36 +0000 (15:22 -0700)]
Simplify GitHub Actions testing
We don't need to run the full test suite separately for Clang
builds, since we're not expecting different behavior, just different
warnings. Build with both Clang and GCC in one ci/test pass and
only matrix the Kerberos version.
Russ Allbery [Mon, 15 Mar 2021 04:51:36 +0000 (21:51 -0700)]
Update to rra-c-util 9.0 and C TAP Harness 4.7
Update to rra-c-util 9.0:
* Check that at least one Kerberos header file was found and works.
* Use AS_ECHO in all Autoconf macros in preference to echo.
* Fix portability of reallocarray on NetBSD systems.
* Stop providing a replacement for a broken snprintf.
Russ Allbery [Sat, 30 Jan 2021 19:55:44 +0000 (11:55 -0800)]
Avoid double free of ctx->princ in a failure case
When re-retrieving the authenticated principal from the current cache,
ensure the stored principal in the authentication context is always
either valid or NULL. Otherwise, a failure of krb5_cc_get_principal
could result in a double free. Thanks to Michael Muehle for the
report.
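An added illustration of the failure mode this commit message describes, not code from pam-krb5: a refresh that frees the stored principal and then fails to fetch a new one leaves a stale pointer for the later cleanup to free again. The one-slot allocator, `struct context`, `get_principal` (a stand-in for `krb5_cc_get_principal`) and the other names are hypothetical.

```c
#include <stdio.h>

/* Constructed one-slot allocator that counts frees of an already-freed object. */
static char slot[32];
static int in_use, double_frees;

static char *princ_alloc(const char *name) {
    if (in_use) return NULL;
    in_use = 1;
    snprintf(slot, sizeof(slot), "%s", name);
    return slot;
}

static void princ_free(char *p) {
    if (p == NULL) return;
    if (in_use) in_use = 0; else double_frees++;
}

struct context { char *princ; };   /* hypothetical authentication context */

/* Stand-in for krb5_cc_get_principal: leaves *out untouched on failure. */
static int get_principal(int fail, char **out) {
    if (fail) return -1;
    *out = princ_alloc("user@EXAMPLE.ORG");
    return *out ? 0 : -1;
}

/* Before: on failure ctx->princ still points at the freed principal. */
static int refresh_unsafe(struct context *ctx, int fail) {
    princ_free(ctx->princ);
    return get_principal(fail, &ctx->princ);
}

/* After: the stored pointer is NULL from the free until a successful fetch. */
static int refresh_safe(struct context *ctx, int fail) {
    princ_free(ctx->princ);
    ctx->princ = NULL;
    return get_principal(fail, &ctx->princ);
}

/* Fail the refresh, run the usual cleanup, return the double frees seen. */
static int run(int (*refresh)(struct context *, int)) {
    struct context ctx = { princ_alloc("user@EXAMPLE.ORG") };
    double_frees = 0;
    refresh(&ctx, 1);
    princ_free(ctx.princ);
    return double_frees;
}
int main(void) { printf("unsafe=%d safe=%d\n", run(refresh_unsafe), run(refresh_safe)); return 0; }
```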
Russ Allbery [Sun, 29 Mar 2020 04:28:38 +0000 (21:28 -0700)]
Suppress fallthrough warnings with clang 10
clang 10 (and possibly clang 9) requires an __attribute__ marker
to suppress fallthrough warnings and no longer supports a special
comment. Adjust portable/snprintf.c accordingly.
Russ Allbery [Tue, 3 Mar 2020 07:57:02 +0000 (23:57 -0800)]
Fix buffer overflow in prompting, further cleanup
SECURITY: All previous versions of this module could overflow the
buffer provided by the underlying Kerberos library for the response to
a prompt by writing a single nul character past the end of the buffer.
Return more accurate errors from the Kerberos prompter function if it
was unable to prompt for the password. This may translate into better
debug log messages and, in some situations, returning the slightly
more accurate PAM_AUTHINFO_UNAVAIL instead of PAM_AUTH_ERR.
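An added illustration of how a single nul byte can land past the end of a caller-supplied reply buffer, not code from pam-krb5: it assumes the bug class is a length check that accepts a response exactly as long as the buffer. `struct reply` (modelled on a length-plus-pointer reply such as `krb5_data`), the function names and the guard-byte harness are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the library's reply buffer. */
struct reply { size_t length; char *data; };

/* Before: accepts len == length, so the terminator lands at data[length]. */
static int store_unsafe(struct reply *r, const char *resp) {
    size_t len = strlen(resp);
    if (len > r->length) return -1;
    memcpy(r->data, resp, len + 1);
    r->length = len;
    return 0;
}

/* After: the response and its terminating nul must both fit in length bytes. */
static int store_safe(struct reply *r, const char *resp) {
    size_t len = strlen(resp);
    if (len >= r->length) return -1;
    memcpy(r->data, resp, len + 1);
    r->length = len;
    return 0;
}

/* Constructed harness: 8 advertised bytes followed by one guard byte, so the
 * stray write is observable without leaving the backing array.
 * Returns 1 if the guard byte was overwritten; *rc gets the store result. */
static int guard_clobbered(int (*store)(struct reply *, const char *),
                           const char *resp, int *rc) {
    char backing[9];
    memset(backing, 'G', sizeof(backing));
    struct reply r = { 8, backing };
    *rc = store(&r, resp);
    return backing[8] != 'G';
}

int main(void) {
    int rc;
    int hit = guard_clobbered(store_unsafe, "12345678", &rc);
    printf("unsafe: rc=%d guard overwritten=%d\n", rc, hit);
    hit = guard_clobbered(store_safe, "12345678", &rc);
    printf("safe:   rc=%d guard overwritten=%d\n", rc, hit);
    return 0;
}
```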
Russ Allbery [Sun, 29 Mar 2020 02:27:29 +0000 (19:27 -0700)]
Add full CI testing of MIT Kerberos
Attempt to install an MIT Kerberos KDC and create users and
certificates so that all tests will run in GitHub Workflows when
testing under MIT Kerberos.
Russ Allbery [Mon, 2 Mar 2020 07:45:39 +0000 (23:45 -0800)]
Clean up PAM response freeing
Refactor the code to free PAM responses into its own function.
Properly free the PAM responses to the selection of a PKINIT
identity, closing a memory leak. Use explicit_bzero to overwrite
any possible secrets, where available.
Russ Allbery [Mon, 2 Mar 2020 06:02:23 +0000 (22:02 -0800)]
Remove Travis CI configuration
Delete the Travis CI configuration, change the documentation
metadata to indicate that GitHub Actions are now being used,
and regenerate the documentation to update the status badge.
Russ Allbery [Mon, 2 Mar 2020 04:27:35 +0000 (20:27 -0800)]
Add a test for PIN prompting
If the openssl command-line utility is found during the build and
pam-krb5 is built with MIT Kerberos, prompting for a PKINIT PIN will
be tested by building a PKCS12 file from the provided PKINIT test
configuration.
Russ Allbery [Mon, 2 Mar 2020 01:31:04 +0000 (17:31 -0800)]
Support use_pkinit with MIT Kerberos
Support use_pkinit with MIT Kerberos 1.12 or later. Be aware that
this option is implemented by using a responder without a prompter,
and thus any informational messages from the Kerberos libraries or KDC
during authentication will not be displayed. (Debian Bug#871699)
Russ Allbery [Mon, 20 Jan 2020 06:30:42 +0000 (22:30 -0800)]
Reject excessively long passwords
Reject passwords as long or longer than PAM_MAX_RESP_SIZE (normally
512 octets), since extremely long passwords can be used for a denial
of service attack via the Kerberos string to key function. Thanks to
Florian Best for pointing out this issue and suggesting a good fix.
Russ Allbery [Sun, 19 Jan 2020 03:56:45 +0000 (19:56 -0800)]
Split module/fast test into two components
Test keytab-based FAST authentication separately from anonymous
FAST, since the latter has to be excluded from valgrind testing.
This also simplifies some of the skipping logic.
Russ Allbery [Sun, 19 Jan 2020 02:19:50 +0000 (18:19 -0800)]
Update to new mechanism of valgrind testing
Use the C TAP Harness support for valgrind testing and mark the
tests that can be run under valgrind. Fix problems in one module
that knew too much about the contents of the test temporary
directory. Exclude the tests that use the pkinit.so module, since
they cause valgrind to go into an infinite loop.
Russ Allbery [Sat, 18 Jan 2020 21:38:56 +0000 (13:38 -0800)]
Update to rra-c-util 8.1 and C TAP Harness 4.6
Update to rra-c-util 8.1:
* Drop support for Perl 5.6.
* Reformat all C source using clang-format 10.
* Remove bogus snprintf tests.
* Fix misplaced va_end in the pam-util putil_log_failure function.
* Skip checking for krb5-config on the path if a prefix was given.
* Add SPDX-License-Identifier headers to all substantial source files.
Update to C TAP Harness 4.6:
* Fixed malloc error checking in bstrndup.
* Fix (harmless) allocation error in runtests driver.
* Add support for valgrind testing via test list options.
* Report test failures as left and right, not wanted and seen.
* Fix is_string comparisons involving NULL pointers and "(null)".
* Add SPDX-License-Identifier headers to all substantial source files.
Russ Allbery [Sat, 30 Dec 2017 19:08:22 +0000 (11:08 -0800)]
Update to rra-c-util 7.0 and C TAP Harness 4.2
Update to rra-c-util 7.0:
* Support a warning build under Clang.
* Avoid zero-length allocations in reallocarray and vector.
Update to C TAP Harness 4.2:
* Avoid zero-length allocations in breallocarray.
* Add is_blob and is_bool functions.
* Use C_TAP_SOURCE and C_TAP_BUILD environment variables in tests.
Compile cleanly under GCC 7 and Clang warnings and Clang's static
analyzer.
Better document that the default Kerberos library ticket cache
location is not used (and why), and how to set configuration
parameters in krb5.conf. Thanks, Matthew Gabeler-Lee. (Debian
Bug#872943)
Russ Allbery [Sat, 12 Aug 2017 03:00:35 +0000 (20:00 -0700)]
Set credential options properly to verify expired passwords
When verifying that an expired password can still be used to get
kadmin/changepw credentials, correctly set the credential options for
getting password change credentials, not for getting initial
credentials. This should fix password change issues when, for
example, krb5.conf requests that all tickets be proxiable but
kadmin/changepw doesn't allow proxiable credentials. Thanks to
Florian Best for the bug report.
Russ Allbery [Fri, 11 Aug 2017 02:45:45 +0000 (19:45 -0700)]
Update to rra-c-util 6.3 and C TAP Harness 3.4
Update to rra-c-util 6.3:
* Fix new warnings in GCC 7.
* Probe for warning flags instead of hard-coding a list.
* New test for obsolete URLs and email addresses.
* Remove unused portable replacements for strlcpy and strlcat.
* Use C_TAP_SOURCE and C_TAP_BUILD environment variables in tests.
* Fix portability defines for anonymous principal strings.
* Clear errno on pam_modutil_getpwnam to improve other testing.
* Add portability defines for macOS's PAM implementation.
* Add new Autoconf macro to probe for pam_strerror const usage.
* Support Solaris 10's included Kerberos.
Update to C TAP Harness 3.4:
* Fix segfault in runtests with an empty test list.
* Display verbose test results with -v or C_TAP_VERBOSE.
* Test infrastructure builds cleanly with Clang warnings.
Russ Allbery [Sun, 16 Aug 2015 23:29:46 +0000 (16:29 -0700)]
Rework better Heimdal PKINIT error reporting
Move the error reporting into a separate function, and maintain
backward compatibility with older versions of Heimdal that don't
have the new status codes. Don't break the try_pkinit handling,
and continue not to report messages for missing PKINIT keys under
try_pkinit but not use_pkinit.
This PR depends on whether the HX509_PKCS11_* codes are defined in hx509_err.h.
Those are introduced in Heimdal's PR #136 (https://github.com/heimdal/heimdal/pull/136)