Get ready to handle the openssl move from bsd -> apache2

branches: 1.12.16;
switch everyone to openssl.old

Default to -Wno-sign-compare -Wno-pointer-sign for clang.
Push -Wno-array-bounds down to the cases that depend on it.
Selectively disable warnings for 3rd party software or non-trivial
issues to be reviewed later to get clang -Werror to build most of the
tree.

Upgrade Heimdal to 1.5pre1 by switching the build from crypto/dist/heimdal
to crypto/external/bsd/heimdal. The latter was just imported as the head
of the Heimdal tree as of a few days ago.

use the proper libcrypto

use LIBDPLIBS+= not =.

don't set LIBDPLIBS in libpam/modules/Makefile - it is not necessary
and it interferes with the compat lib build. don't use LIB_ROOT_DIR.

Remove CPPFLAGS

Add ${DESTDIR}/usr/include/krb5 to CPPFLAGS so <parse_units.h> can be found.

Use LIBDPLIBS to provide the list of libraries for the modules to depend
upon, because:
* it's MUCH quicker; no need to calculate the OBJDIRS of every library
we might require in every subdir.
(make obj drops from 21s to 3s on my system.)
* it's more robust when building to a fresh DESTDIR.

Link with libraries from the source build directory.

- NetBSD build glue
- Warning fixes
- RCSID's

branches: 1.1.1;
Initial revision

pam_krb5: Refuse to operate without a key to verify tickets.

New allow_kdc_spoof overrides this to restore previous behaviour
which was vulnerable to KDC spoofing, because without a host or
service key, pam_krb5 can't distinguish the legitimate KDC from a
spoofed one.

This way, having pam_krb5 enabled isn't dangerous even if you create
an empty /etc/krb5.conf to use client SSO without any host services.

Perhaps this should use krb5_verify_init_creds(3) instead, and
thereby respect the rather obscurely named krb5.conf option
verify_ap_req_nofail like the Linux pam_krb5 does, but:

- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect
more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a
workaround that might introduce potentially worse security issues
or more compatibility issues.

Perhaps this should use krb5_verify_user(3) with secure=1 instead,
for simplicity, but it's not clear how to do that without first
prompting for the password -- which we shouldn't do at all if we
later decide we won't be able to use it anyway -- and without
repeating a bunch of the logic here anyway to pick the service name.

References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail:
https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default:
https://github.com/heimdal/heimdal/issues/1129

branches: 1.12.8; 1.12.16;
Remove workaround for ancient HTML generation code.

branches: 1.11.40;
Add missing copyright and license.

This license is identical to that on the pam_krb5.c file minus the
other copyrights and the unrelated contract attribution.

From email communication with the author, Frank Cusack.

eg -> e.g.

branches: 1.9.4;
bump date

tyop

PR/35968: Jukka Salmi: add option to pam_krb5(8) to request renewable tickets

Bump date for new SECURITY CONSIDERATIONS section.

Add a SECURITY CONSIDERATIONS section.

Wording consistency nits.

<> -> \*[Lt]\*[Gt].

- NetBSD build glue
- Warning fixes
- RCSID's

branches: 1.1.1;
Initial revision

pam_krb5: Fix PR lib/57631.

Loose ends in the fix for NetBSD-SA2023-006 that weren't caught by
review or, somehow, by my own testing. Evidently we need automatic
tests for this pam business.

XXX pullup-10
XXX pullup-9
XXX pullup-8

pam_krb5: Refuse to operate without a key to verify tickets.

New allow_kdc_spoof overrides this to restore previous behaviour
which was vulnerable to KDC spoofing, because without a host or
service key, pam_krb5 can't distinguish the legitimate KDC from a
spoofed one.

This way, having pam_krb5 enabled isn't dangerous even if you create
an empty /etc/krb5.conf to use client SSO without any host services.

Perhaps this should use krb5_verify_init_creds(3) instead, and
thereby respect the rather obscurely named krb5.conf option
verify_ap_req_nofail like the Linux pam_krb5 does, but:

- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect
more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a
workaround that might introduce potentially worse security issues
or more compatibility issues.

Perhaps this should use krb5_verify_user(3) with secure=1 instead,
for simplicity, but it's not clear how to do that without first
prompting for the password -- which we shouldn't do at all if we
later decide we won't be able to use it anyway -- and without
repeating a bunch of the logic here anyway to pick the service name.

References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail:
https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default:
https://github.com/heimdal/heimdal/issues/1129

branches: 1.30.2;
libpam: remove stray semicolon

No binary change.

lib/libpam: Fix the possible -Werror=stringop-truncation

Replace strncpy(3) with the safer strlcpy(3) and adjust the code.

Error was reported when build.sh was run with MKLIBCSANITIZER=yes flag.

Reviewed by: kamil@, christos@

there is no potential overflow anymore (thanks Kamil)

stop using sprintf and check for buffer overflow.

branches: 1.26.18; 1.26.26; 1.26.28;
avoid using freed pointers and non-format strings

branches: 1.25.4; 1.25.10;
- make log_krb5 varyadic
- centralize error handling to one function
- check for NULL context

Remove use of functions marked as deprecated in Heimdal.

Fix misplaced parenthesis, from henning.petersen@t-online.de, thanks.

consistency in password prompt setting code (and with ssh)

branches: 1.21.12;
Fix compilation

branches: 1.20.4;
off by one, reported by jukka salmi.

PR/35968: Jukka Salmi: add option to pam_krb5(8) to request renewable tickets

init the syslog data.

use the re-entrant syslog functions so that we don't depend on the syslog
settings of the calling program.

Coverity CID 3783: Fix uninit variable.

Coverity CID 3677: Plug memory leak

Coverity CID 1909: Prevent memory leak.

Coverity CID 2480: Move variable initialization higher up to prevent
uninitialized access during error cleanup.

Coverity CID 2481: Move initialization of variable higher up to prevent
uninitialized access in error path.

Coverity CID 2595: Don't call cc_destroy after cc_close because cc_close
free's the second argument.

Implement PAM_REFRESH_CRED / PAM_REINITIALIZE_CRED
support in pam_sm_setcred()

With this and a suitably pam-aware screen locker (eg xscreensaver built
with PAM), you now get the nice Windows-style behavior of having
your tickets refreshed (and tokens, with pam_afslog) when you unlock
your screen.

getpw*_r() may return 0 and set pwd==NULL

check for pwd != in getpw*_r functions.

Use getpwnam_r().

branches: 1.6.2;
Place some limits on the creds acquired for password change. Other
minor cleanup inspired by passwd(1).

Use the more familar princ@realm style of password prompt.

Check for PAM_PRELIM_CHECK and simply do nothing. (Did this even work
in FreeBSD?)

Merge PAM20050226.

- NetBSD build glue
- Warning fixes
- RCSID's

branches: 1.1.1;
Initial revision