From c00e039a1b6ab62946d31d8be08af073f9c9d730 Mon Sep 17 00:00:00 2001
From: Claudio Luck
Date: Fri, 4 Nov 2016 01:27:17 +0100
Subject: [PATCH] Fix security issue

When username+password authentication is disabled, the module fails to reject invalid tickets, allowing anyone to log in with trivially crafted tickets.

Reported by Pat Hennessy on GitHub (pathennessy)

Fixes #4
---
 README | 1 +
 pam_cas.c | 1 +
 2 files changed, 2 insertions(+)

diff --git a/README b/README
index 9301d33..fe5059f 100644
--- a/README
+++ b/README
@@ -18,6 +18,7 @@ Test! (Watch the syslog for authentication attempts)
 Changelog:
+- 04/Nov/2016: v0.4 Fix security fail (reported by Pat Hennessy)
 - 26/Jan/2012: v0.3 Configuration file support added
 - 25/Jan/2012: v0.2 CAS full user+pass combo login, and serviceValidate implemented
 - 25/Jan/2012: v0.1 Initial code
diff --git a/pam_cas.c b/pam_cas.c
index fe67580..5ac7d14 100644
--- a/pam_cas.c
+++ b/pam_cas.c
@@ -72,6 +72,7 @@ int pam_sm_authenticate(pam_handle_t *pamhandle, int flags, int arg, const char
 return PAM_AUTH_ERR;
 }
+ ret = 0;
 CAS_init(&cas, c.CAS_BASE_URL, c.SERVICE_URL, c.SERVICE_CALLBACK_URL);
 if (c.ENABLE_ST && strncmp(pw, "ST-", 3) == 0 && strlen(pw) > MIN_TICKET_LEN) { // Possibly serviceTicket?