Posts for July 2014

2014-07-02: C TAP Harness 3.1

Most of the changes in this release are based on work by Peter Pöschl to make the behavior of the C TAP library more consistent with the Perl Test::More functions. ok, okv, and all the is_* functions now return true if the test succeeds and false if it fails, allowing them to be used in conditionals. diag and sysdiag now always return 1, making it easier to insert (possibly temporary) calls into compound statements while debugging test cases.

The C TAP library now provides a new breallocarray API that does the same thing as brealloc but takes calloc-style arguments and checks internally for integer overflow. Tests for integer overflow during memory allocation have also been added to several other parts of C TAP Harness, including the runtests harness and other internals of the C TAP library. These probably don't matter a tremendous amount for test code, but best to be safe and consistent everywhere possible.

All uses of sprintf have now been replaced with a simpler internal string concatenation function that checks for allocation overflow. The previous usage was probably safe, but this approach is much easier to audit.

You can get the latest release from the C TAP Harness distribution page.

2014-07-02: rra-c-util 5.5

The most significant change in this release is a somewhat embarrassing bug fix: the network_read and network_write functions introduced in version 4.2 to support timeouts didn't correctly handle a timeout interrupted by a signal. This is now fixed by restarting the calls on EINTR.

Also in this release is a general cleanup for integer overflows during memory allocation. rra-c-util now provides a replacement for reallocarray for systems that don't have it, and calloc and reallocarray are used internally where a size is calculated with multiplication. The util library also now provides a checked xreallocarray function.
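The overflow check behind breallocarray in C TAP Harness and the reallocarray replacement here, as an added example that is not code from either package. The names checked_reallocarray, unchecked_request, table_reserve and demo_capacity, and the record layout, are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

struct record { uint32_t id; char name[28]; };          /* 32 bytes */
struct table  { struct record *rows; size_t capacity; };

/* Byte count an unchecked realloc(p, nmemb * size) would really request:
 * size_t arithmetic wraps silently modulo SIZE_MAX + 1. */
size_t unchecked_request(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Hypothetical stand-in for reallocarray(): fails with ENOMEM instead of
 * allocating when nmemb * size does not fit in a size_t. */
void *checked_reallocarray(void *ptr, size_t nmemb, size_t size)
{
    if (size != 0 && nmemb > SIZE_MAX / size) {
        errno = ENOMEM;
        return NULL;
    }
    if (nmemb == 0 || size == 0)    /* avoid a zero-size realloc */
        nmemb = size = 1;
    return realloc(ptr, nmemb * size);
}

/* Resize the table to hold count rows, where count may come from untrusted
 * input.  On failure the old rows and capacity are left untouched. */
int table_reserve(struct table *t, size_t count)
{
    struct record *rows;

    rows = checked_reallocarray(t->rows, count, sizeof(struct record));
    if (rows == NULL)
        return -1;
    t->rows = rows;
    t->capacity = count;
    return 0;
}

/* Constructed demo: a sane request succeeds, an overflowing one is refused.
 * Returns the capacity that survives the refused request. */
size_t demo_capacity(void)
{
    struct table t = { NULL, 0 };
    size_t huge = SIZE_MAX / sizeof(struct record) + 2;
    if (table_reserve(&t, 4) != 0 || table_reserve(&t, huge) == 0)
        return 0;
    free(t.rows);
    return t.capacity;
}
```

With the unchecked multiplication, the huge request wraps to 32 bytes, so realloc would succeed with room for one record while the caller believes it holds far more.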

There are also a few minor fixes: portable/system.h guarantees the inclusion of inttypes.h and limits.h, portable/pam.h will now build with a C++ compiler, the Kerberos Autoconf probes provide a Makefile variable that can be used to suppress warnings from Kerberos headers by forcing them to be system headers, and the util/messages-krb5 test will be skipped when not built with Kerberos support.

You can get the latest version from the rra-c-util distribution page.

2014-07-02: remctl 3.9

This release fixes an embarrassing bug that caused the server to often abort sending information back to the client if the server-side program exited while the server was still sending data. It also fixes a more minor bug in which children of the server were spawned with SIGPIPE ignored instead of set to the default handling behavior.

The major new feature in this release is a new ACL type, localgroup, contributed by Remi Ferrand. When this ACL type is used, the remote principal is converted to a local username using the normal Kerberos krb5_aname_to_localname call, and then the server checks whether that local username is a member of a local (nsswitch) group.

This release also prefers calloc and reallocarray to malloc and realloc with calculated sizes across all code, and adds version and compatibility information to all manual pages.

You can get the latest release from the remctl distribution page.

2014-07-11: Net::Duo 1.00

This is the first release of Net::Duo, which provides an object-oriented Perl interface for the Duo Security REST APIs. It attempts to abstract some of the API details and provide an object-oriented view of the returned objects in order to make use of the API in Perl code more natural than dealing with JSON data structures directly. Currently, some parts of the Auth and Admin APIs are implemented along with generic methods to call any of the JSON-based APIs.

The approach I took with this module was a bit of a science experiment, and I'm still not entirely sure what I think about the results. Duo Security offers sample Perl code that provides the equivalent of the call and call_json Net::Duo methods but stops there. One sends in data structures and gets back data structures from JSON and manipulates everything in that format.

I prefer a more object-oriented style, and want the module to do a bit more of the work for me, so this implementation wraps some of the APIs in objects with method calls. For updates, there are setters for the object itself and then a commit method to push the changes to Duo. This requires more implementation effort, and each API that should get richer treatment has to be modelled, but the resulting code looks like more natural object-oriented code.

I wasn't completely sure going in if the effort to reward tradeoff made sense, and having finished the module sufficiently for Stanford's immediate needs, I'm still not sure. It was certainly more effort to write the base module this way, but on the other hand it also meant that I could map Perl notions of true and false to Duo's and provide much simpler methods for common operations. I still think this will make the code more maintainable in the long run, but I think it's within the margin of difference of opinion.

Regardless, you can get the latest version from the Net::Duo distribution page and shortly from CPAN as well.

2014-07-16: wallet 1.1

Wallet is the secure credential management infrastructure that we use at Stanford, primarily for keytabs but increasingly for any sort of security keys that have to be stored somewhere and retrieved by specific systems or people.

The primary goal of this release is to add Duo support. This is currently somewhat preliminary, with only a single Duo integration object type that creates a UNIX integration. (Well, technically it can create any type of integration, but the integration information is returned in the format expected by the UNIX integration.) I expect a later release to rename all existing "duo" object types to "duo-unix" and add additional object types for the various other types of integrations that one wants to support, but that work will have to wait for another day.

Since it's been over a year since the previous release, there are also other accumulated bug fixes and improvements. I also tried to merge or address as many issues or patches that had been sent to me over the past year as I could, although many larger patches or improvements had to be deferred. Highlights:

There are also multiple other bug fixes and general improvements, such as using DateTime objects uniformly for all database access that involves date fields, and recording ACL renames in the ACL history table. Both the API and the database layer are still kind of a mess, and I'd love to rewrite them with the benefit of experience and more knowledge, but that's a project for another day.

You can get the latest release from the wallet distribution page.

2014-07-23: WebAuth 4.6.1

This is a bug-fix release of the WebAuth site-wide web authentication system. As is typical, I accumulated a variety of minor bug fixes and improvements that I wanted to get into a release before starting larger work (in this case, adding JSON support for the user information service protocol).

The most severe bug fix is something that only folks at Stanford would notice: support for AuthType StanfordAuth was broken in the 4.6.0 release. This is for legacy compatibility with WebAuth 2.5. It has been fixed in this release.

In other, more minor bug fixes, build issues when remctl support is disabled have been fixed, expiring password warnings are shown in WebLogin after any POST-based authentication, the confirmation page is forced if authorization identity switching is available, the username field is verified before multifactor authentication to avoid subsequent warnings, newlines and tabs are allowed in the XML sent from the WebKDC for user messages, empty RT and ST parameters are correctly diagnosed, and there are some documentation improvements.

The main new feature in this release is support for using FAST armor during password authentication in mod_webkdc. A new WebKdcFastArmorCache directive can be set to point at a Kerberos ticket cache to use for FAST armor. If set, FAST is required, so the KDC must support it as well. This provides better wire security for the initial password authentication to protect against brute-force dictionary attacks against the password by a passive eavesdropper.

This release also adds a couple of new factor types, mp (mobile push) and v (voice), that Stanford will use as part of its Duo Security integration.

Note that, for the FAST armor feature, there is also an SONAME bump in the shared library in this release. Normally, I wouldn't bump the SONAME in a minor release, but in this case the feature was fairly minor and most people will not notice the change, so it didn't feel like it warranted a major release. I'm still of two minds about that, but oh well, it's done and built now. (At least I noticed that the SONAME bump was required prior to the release.)

You can get the latest release from the official WebAuth distribution site or from my WebAuth distribution pages.

2014-07-27: AFS::PAG 1.02

This is primarily a testing exercise. I moved my software release process and web page generation to a different host, and wanted to run through a release of a package to make sure that I got all the details right.

It's still a bit clunky, and I need to tweak the process, but it's close enough.

That said, there are a few minor changes in this module (which provides the minimum C glue required to do AFS operations from Perl — only the pieces that can't be duplicated by calling command-line programs). I'm improving the standardization of my Perl distributions, so I've moved NEWS to Changes and switched to the Lancaster Consensus environment variables for controlling testing. I also added some more pieces to the package metadata.

You can get the latest version from the AFS::PAG distribution page.

Last modified and spun 2017-02-20