Bug 146224

Summary: When an application that links against libcrypto fails a pam_krb5 authentication the application will enter an endless loop in error_message() from <et/com_err.h>
Product: [Fedora] Fedora Reporter: Robert Theisen <trobert>
Component: pam_krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Brian Brock <bbrock>
Severity: high Docs Contact:
Priority: medium    
Version: 3CC: mattdm
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-02-05 06:00:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
source file for sample application none

Description Robert Theisen 2005-01-26 02:28:37 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041001
Firefox/0.10.1

Description of problem:

When an application is linked against libcrypto and uses pam for
authentication the application will slip into an endless loop after a
failed authentication attempt against kerberos if there has been a
previous authentication (successful or un)

So the first authentication attempt will not cause the loop, and any
subsequent successful attempts will not cause the loop but as soon as
an attempt (as long as it is not the first attempt) fails the
application will slip into an endless loop at error_message() provided
libcom_err (from e2fsprogs).

sample program.

-------------------------------------------------------------
#include <stdio.h>
#include <security/pam_appl.h>

static int _ar_pam_conversation(int nmsg, const struct pam_message
**msg, struct pam_response **res, void *arg) {
    int i;
    struct pam_response *reply;

    if(nmsg <= 0)
        return PAM_CONV_ERR;

    reply = (struct pam_response *) malloc( sizeof( struct
pam_response ) * ( nmsg + 1 ) );
    memset(reply, 0, sizeof(struct pam_response) * nmsg);

    for(i = 0; i < nmsg; i++) {
        if(msg[i]->msg_style == PAM_PROMPT_ECHO_OFF ||
msg[i]->msg_style == PAM_PROMPT_ECHO_ON) {
            reply[i].resp = strdup((char *) arg);
            reply[i].resp_retcode = 0;
        }
    }

    *res = reply;

    return PAM_SUCCESS;
}


int main(int argc, char **argv)
{

        struct pam_conv conv;
        pam_handle_t *pam;
        char * password;
        char * username;
        int ret;
        char buffer[1024];

        while (1) {
                printf("Enter username: ");
                fgets(buffer, 1024, stdin);
                buffer[(strlen(buffer)-1)] = 0;
                username = malloc(strlen(buffer)+1);
                if ( username ) {
                        strcpy(username, buffer);
                } else {
                        return 1;
                }

                memset(buffer, 0, 1024);

                printf("Enter password: ");
                fgets(buffer, 1024, stdin);
                buffer[(strlen(buffer)-1)] = 0;
                password = malloc(strlen(buffer)+1);
                if ( username ) {
                        strcpy(password, buffer);
                } else {
                        free(username);
                        return 1;
                }

                memset(buffer, 0, 1024);

                conv.conv = _ar_pam_conversation;
                conv.appdata_ptr = password;

                ret = pam_start("pamtest", username, &conv, &pam);

                if(ret != PAM_SUCCESS) {
                        printf("There was a problem in pam_start()\n");
                        free(username);
                        free(password);
                        return 1;
                }

                ret = pam_authenticate(pam, 0);


                if(ret != PAM_SUCCESS) {
                        printf("Pam authentication failed\n");
                }

                if(ret == PAM_SUCCESS) {
                        printf("Pam authentication succeeded\n");
                }

                pam_end(pam, ret);

                free(username);
                free(password);

        }
        return 0;
}
----------------------------------------------------------

if the above program is compiled with the command

gcc -lpam -o outfile source.c

and then outfile is executed then everything will work fine for
repeated authentication attempts.

if however it is compiled with the command

gcc -lpam -lcrypto -o outfile source.c

then the observerd bug will show up.

This bahaviour has been replicated in RHEL 4 test2.

Version-Release number of selected component (if applicable):
pam_krb5-2.1.2-1

How reproducible:
Always

Steps to Reproduce:
1.Link application against libcrypto
2.attempt to login first time (successfully or not)
3.attempt to login a second time during the same app run (but after a
pam_end ... pam_start)
4. only happens when kerberos authentication occurs
    

Actual Results:  endless loop

Expected Results:  should have timed out and failed gracefully with
the appropriate error message.

Additional info:

Reproducable in RHEL 4 test2!!!
Comment 1 Robert Theisen 2005-01-26 02:32:40 UTC 
Created attachment 110237 [details]
source file for sample application
Comment 2 Matthew Miller 2006-07-10 20:50:20 UTC 
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!
Comment 3 petrosyan 2008-02-05 06:00:13 UTC 
Fedora Core 3 is not maintained anymore.

Setting status to "INSUFFICIENT_DATA". If you can reproduce this bug in the
current Fedora release please reopen this bug.