Hello,
I just released a new version of PAM PKCS#11. This version fixes
problems and adds features.
From ChangeLog.svn:
2010-10-19 ludovic.rousseau
* [r464] doc/doxygen.conf.in: Update from doxygen version 1.5.6 to
1.7.1
* [r463] configure.in: release 0.6.5
* [r462] po/de.po, po/fr.po, po/nl.po, po/pam_pkcs11.pot, po/pl.po,
po/pt_br.po, po/ru.po: regenerate
* [r461] src/common/Makefile.am: Add the missing strndup.h file
* [r460] src/common/uri.c: get_http(): check if complete message
was transmitted
Thanks to Andre Zepezauer for the patch
http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015137.html
* [r459] src/common/uri.c: get_http(): allocate enough memory to
fit http-request
Thanks to Andre Zepezauer for the patch
http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015137.html
* [r458] src/common/uri.c: get_http(): add missing return statement
Thanks to Andre Zepezauer for the patch
http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015137.html
* [r457] configure.in: If dlopen() is not found in libdl we try to
find it without specifying a
library before exiting in error.
I don't remember why I used this code. Maybe dlopen() is not in
libdl on some systems.
2010-10-16 ludovic.rousseau
* [r456] po/fr.po: Translate a string
* [r455] po/de.po, po/fr.po, po/nl.po, po/pam_pkcs11.pot, po/pl.po,
po/pt_br.po, po/ru.po: Regenerate
* [r454] src/pam_pkcs11/pam_pkcs11.c: Replace "Found the %s." by
"%s found."
Thanks to Mr Dash Four for the bug report
http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015135.html
2010-10-15 ludovic.rousseau
* [r453] src/common/pkcs11_lib.c: crypto_init(): fix a typo in log
message
2010-09-22 ludovic.rousseau
* [r452] src/common/pkcs11_lib.c: pkcs11_pass_login(): check if the
PIN returned by getpass is NULL
Thanks to Andre Zepezauer for the patch
http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014976.html
* [r451] src/common/pkcs11_lib.c: pkcs11_pass_login(): log an error
if pkcs11_login() fails
Thanks to Andre Zepezauer for the patch
http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014964.html
* [r450] src/common/pkcs11_lib.c: pkcs11_pass_login(): do not clean
a zero length PIN
Thanks to Andre Zepezauer for the patch
http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014964.html
* [r449] src/common/pkcs11_lib.c, src/pam_pkcs11/pam_pkcs11.c: Show
PIN code in debug output only if DEBUG_SHOW_PASSWORD is defined
(not defined by default)
Thanks to Andre Zepezauer for the bug report
http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014964.html
2010-09-21 ludovic.rousseau
* [r448] src/pam_pkcs11/pam_config.c: parse_config_file(): get the
debug value from the configuration file
Thanks to Andre Zepezauer for the patch
http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014949.html
2010-08-25 ludovic.rousseau
* [r447] src/tools/card_eventmgr.c: Do not call
SCardEstablishContext() before daemonize since pcsc-lite
handles are invalid after a fork.
Thanks to Patrik Martinsson for the patch
http://www.opensc-project.org/pipermail/opensc-devel/2010-August/014632.html
2010-08-19 ludovic.rousseau
* [r446] src/tools/card_eventmgr.c: Use SCARD_READERSTATE instead
of SCARD_READERSTATE_A since it was
removed in pcsc-lite >= 1.6.2
2010-08-14 ludovic.rousseau
* [r445] src/mappers/cn_mapper.c, src/mappers/digest_mapper.c,
src/mappers/generic_mapper.c, src/mappers/krb_mapper.c,
src/mappers/ldap_mapper.c, src/mappers/mail_mapper.c,
src/mappers/mapper.c, src/mappers/mapper.h,
src/mappers/ms_mapper.c, src/mappers/null_mapper.c,
src/mappers/opensc_mapper.c, src/mappers/openssh_mapper.c,
src/mappers/pwent_mapper.c, src/mappers/subject_mapper.c,
src/mappers/uid_mapper.c, src/pam_pkcs11/mapper_mgr.c,
src/tools/pklogin_finder.c: Patch for #239 and #240 (handle more
than one cert/pattern matching)
Thanks to Wolf Geldmacher for the patch.
http://www.opensc-project.org/pipermail/opensc-devel/2010-June/014405.html
" Here's a patch to solve the issues I've encountered using
pam_pkcs11.
In regards to #239 (pam_pkcs11 only looks at first certificate on
token):
The fix for this turns out to be somewhat problematic, and I'm not
at all sure, whether my implementation of the fix is a valid one.
The basic problem (as I understood it from analyzing the code) is
that finder functions of the mappers return a char*, allowing for
a single value (NULL) to signalize failure and return the key if
no mapping (i.e. no value associated with the key) was found (cf.
comment for mapfile_find in src/mappers/mapper.c). Thus a caller
(i.e. find_user in src/pam_pkcs11/mapper_mgr.c) cannot
distinguish between a mapping or a key being returned and thus
will prematurely terminate on the first certificate that passes
the other validity tests.
The fix provided changes the finder function interface by
requiring an additional out parameter that is set to 1, if a real
mapping value was returned and remains unchanged otherwise. This
fix breaks existing loadable mappers.
I considered overloading of the value returned (e.g. having a
byte/substring as first character of the value returned to be able
to distinguish between a value and a key being returned) which
would preserve the interface to the mappers, but refrained from
implementing it that way as I believe this to be unclean and prone
to difficult to track errors.
Another solution I considered was the addition of another entry to
the structure encapsulating the mappers (e.g. a finder2 method),
but as this is no better in breaking the interface for loadable
mappers and duplicates code I forfeited this solution, too.
If somebody could look into the problem and come up with a
solution that preserves the interface to external mappers while
allowing the distinction between keys and values, I'd be more than
happy to implement it.
It might also may make sense to add a new configuration parameter
for the new behaviour of find_user, allowing existing applications
to continue to work with keys being returned instead of values
(Feedback anyone? The comment for find_user actually states that a
mapping value is returned).
In regards to #240 (Allow pattern matching in pam_pkcs11):
I restricted this to only work for mapfiles and the implementation
turned out to be quite simple - it's essentially an 11 line change
in src/mappers/mapper.c - and is triggered by the specification of
a fully anchored (i.e. *must* have initial "^" and *must* end in
"$") pattern as key in a mapfile.
This now allows syntax like ^.*/serialNumber=xxx-xxx-xxx-xxx$ ->
username in all mapfiles.
The patch attached contains the changes for both issues.
Cheers, Wolf "
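An added illustration of the two points in Wolf's message above, the key-versus-value ambiguity in the mapper finder interface and the fully anchored pattern keys in mapfiles; this is example code written for this page, not pam_pkcs11's own code, and mapfile_find_ex, find_user_ex, SAMPLE_MAP and SAMPLE_SUBJECTS are hypothetical names over constructed data:

```c
#include <regex.h>
#include <string.h>

struct map_entry { const char *key; const char *value; };

/* Constructed sample mapfile: one literal key and one fully anchored
 * pattern (must start with ^ and end in $) as the patch accepts. */
static const struct map_entry SAMPLE_MAP[] = {
    { "/C=FR/O=Example/CN=Alice", "alice" },
    { "^.*/serialNumber=[0-9]{3}-[0-9]{3}-[0-9]{3}-[0-9]{3}$", "svcacct" },
};
/* Hypothetical finder with the added out parameter: returns the mapped
 * login and sets *match_found = 1 on a real mapping; otherwise echoes the
 * key back (the old behaviour) and leaves *match_found untouched. */
const char *mapfile_find_ex(const char *key, int *match_found) {
    for (size_t i = 0; i < sizeof SAMPLE_MAP / sizeof SAMPLE_MAP[0]; i++) {
        const char *k = SAMPLE_MAP[i].key;
        size_t n = strlen(k);
        int hit = 0;
        if (n >= 2 && k[0] == '^' && k[n - 1] == '$') {
            regex_t re;          /* anchored key: treat as an ERE pattern */
            if (regcomp(&re, k, REG_EXTENDED | REG_NOSUB) == 0) {
                hit = regexec(&re, key, 0, NULL, 0) == 0;
                regfree(&re);
            }
        } else {
            hit = strcmp(k, key) == 0;   /* plain key: exact match only */
        }
        if (hit) { *match_found = 1; return SAMPLE_MAP[i].value; }
    }
    return key; /* a caller ignoring match_found mistakes this for a login */
}

/* Caller modelled on find_user: walk every certificate subject on the
 * token and stop only at a real mapping, not at the first key echoed back. */
const char *find_user_ex(const char *const *subjects, size_t n) {
    for (size_t i = 0; i < n; i++) {
        int found = 0;
        const char *login = mapfile_find_ex(subjects[i], &found);
        if (found) return login;
    }
    return NULL;   /* no certificate on the token maps to a login */
}
/* Constructed subjects in token order; only the second one has a mapping. */
static const char *const SAMPLE_SUBJECTS[] = {
    "/C=FR/O=Example/CN=Bob",
    "/C=FR/O=Example/serialNumber=123-456-789-012",
};
const char *demo_lookup(void) { return find_user_ex(SAMPLE_SUBJECTS, 2); }
```

With the old char*-only interface the first subject would have been returned as the "login" and the second certificate never examined; with the out parameter the walk continues to the certificate that actually matches.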
2010-08-13 ludovic.rousseau
* [r444] src/pam_pkcs11/pam_pkcs11.c: Do not use a variadic
parameter for pam_prompt. It is not supported on
FreeBSD.
2010-08-12 ludovic.rousseau
* [r443] src/common/strndup.h, src/tools/pkcs11_setup.c: Add a new
header file to define strndup if needed.
pkcs11_setup.c: In function ‘scconf_replace_str_list’:
pkcs11_setup.c:73: warning: implicit declaration of function
‘strndup’
pkcs11_setup.c:73: warning: incompatible implicit declaration of
built-in function ‘strndup’
* [r441] src/pam_pkcs11/pam_config.c, src/tools/pkcs11_inspect.c,
src/tools/pkcs11_listcerts.c, src/tools/pklogin_finder.c: Revert
changeset 301 parsing arguments in pam_config.c but skip the
first argument in command line tools.
Thanks to halfline for the patch. Closes ticket #29
--
Dr. Ludovic Rousseau
_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle