Hello community,

here is the log from the commit of package pam_pkcs11 for openSUSE:Factory 
checked in at 2018-08-03 12:38:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pam_pkcs11 (Old)
 and      /work/SRC/openSUSE:Factory/.pam_pkcs11.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pam_pkcs11"

Fri Aug  3 12:38:56 2018 rev:30 rq:627119 version:0.6.9

Changes:
--------
--- /work/SRC/openSUSE:Factory/pam_pkcs11/pam_pkcs11.changes    2017-09-27 
16:55:16.647705858 +0200
+++ /work/SRC/openSUSE:Factory/.pam_pkcs11.new/pam_pkcs11.changes       
2018-08-03 12:38:58.643719012 +0200
@@ -1,0 +2,6 @@
+Mon Jul 23 17:36:18 CEST 2018 - sbra...@suse.com
+
+- Fix segfault and fetch problems when checking CRLs
+  (pam_pkcs11-crl-check.patch).
+
+-------------------------------------------------------------------

New:
----
  pam_pkcs11-crl-check.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pam_pkcs11.spec ++++++
--- /var/tmp/diff_new_pack.US4y7E/_old  2018-08-03 12:38:59.103719697 +0200
+++ /var/tmp/diff_new_pack.US4y7E/_new  2018-08-03 12:38:59.107719703 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package pam_pkcs11
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -22,7 +22,7 @@
 Version:        0.6.9
 Release:        0
 Summary:        PKCS #11 PAM Module
-License:        LGPL-2.1+
+License:        LGPL-2.1-or-later
 Group:          Productivity/Security
 Url:            https://github.com/OpenSC/pam_pkcs11
 Source:         %{_name}-%{version}.tar.gz
@@ -34,6 +34,8 @@
 Patch0:         %{name}-fsf-address.patch
 Patch1:         %{name}-0.5.3-nss-conf.patch
 Patch3:         %{name}-0.6.0-nss-autoconf.patch
+# PATCH-FIX-UPSTEAM-PENDING pam_pkcs11-crl-check.patch 
https://github.com/OpenSC/pam_pkcs11/pull/26 -- Fix segfault and fetch problems 
when checking CRLs.
+Patch4:         %{name}-crl-check.patch
 BuildRequires:  curl-devel
 BuildRequires:  docbook-xsl-stylesheets
 BuildRequires:  doxygen
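Review bot: The tag comment added above `Patch4` reads `PATCH-FIX-UPSTEAM-PENDING`; the openSUSE patch-tag family is spelled `PATCH-FIX-UPSTREAM`, so `UPSTEAM` looks like a typo that tag-checking tooling will not recognise. Suggest `# PATCH-FIX-UPSTREAM-PENDING pam_pkcs11-crl-check.patch https://github.com/OpenSC/pam_pkcs11/pull/26 -- Fix segfault and fetch problems when checking CRLs.` so the tag matches the convention the other comments in this spec presumably follow.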
@@ -88,6 +90,7 @@
 %patch0 -p1
 %patch1 -p1
 %patch3 -p1
+%patch4 -p1
 cp -a %{SOURCE1} common-auth-smartcard
 sed -i s:/lib/:/%{_lib}/:g etc/pam_pkcs11.conf.example.in 
etc/pkcs11_eventmgr.conf.example
 # make dist was not called and cannot be called on a non git snapshot.

++++++ pam_pkcs11-crl-check.patch ++++++
https://github.com/OpenSC/pam_pkcs11/pull/26
https://github.com/gkloepfer/pam_pkcs11/commit/94325a2c2b03a10b7618375f828c90063881227e

>From 94325a2c2b03a10b7618375f828c90063881227e Mon Sep 17 00:00:00 2001
From: Gil Kloepfer <ghub0...@kloepfer.org>
Date: Thu, 17 Aug 2017 07:51:25 -0500
Subject: [PATCH] Fixed segfault and fetch problems when checking CRLs

Fixed segfault issue in src/common/cert_vfy.c that occurs when
an attempt is made to check a certificate's CRL.  This seems to
be caused by changes that happened in the OpenSSL API, and got
overlooked during updates to the code.

Also fixed a problem in src/common/uri.c in the builtin URI fetch
via HTTP, where an extra newline was sent and the carriage returns
were missing, causing the HTTP request to fail.
---
 src/common/cert_vfy.c | 29 ++++++++++++++---------------
 src/common/uri.c      |  2 +-
 2 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/src/common/cert_vfy.c b/src/common/cert_vfy.c
index 7efb0cb..6016ca0 100644
--- a/src/common/cert_vfy.c
+++ b/src/common/cert_vfy.c
@@ -143,21 +143,20 @@ static X509_CRL *download_crl(const char *uri)
 static int verify_crl(X509_CRL * crl, X509_STORE_CTX * ctx)
 {
   int rv;
-  X509_OBJECT *obj = NULL;
+  X509_OBJECT obj;
   EVP_PKEY *pkey = NULL;
   X509 *issuer_cert;
 
   /* get issuer certificate */
-  rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), 
obj);
+  rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), 
&obj);
   if (rv <= 0) {
     set_error("getting the certificate of the crl-issuer failed");
     return -1;
   }
   /* extract public key and verify signature */
-  issuer_cert = X509_OBJECT_get0_X509(obj);
+  issuer_cert = X509_OBJECT_get0_X509((&obj));
   pkey = X509_get_pubkey(issuer_cert);
-  if (obj)
-       X509_OBJECT_free(obj);
+  X509_OBJECT_free_contents(&obj);
   if (pkey == NULL) {
     set_error("getting the issuer's public key failed");
     return -1;
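Review bot: `X509_OBJECT obj;` on the stack together with `X509_OBJECT_free_contents(&obj)` does not match the accessor `X509_OBJECT_get0_X509` called on the same line: that accessor exists only from OpenSSL 1.1.0, where `X509_OBJECT` is an opaque type that cannot be declared by value and is released with `X509_OBJECT_free`, which the removed lines already used. The segfault described in the commit message comes from passing the NULL `obj` pointer to `X509_STORE_get_by_subject`, so the 1.1-compatible fix keeps the pointer and allocates it: `X509_OBJECT *obj = X509_OBJECT_new(); if (obj == NULL) { set_error("getting the certificate of the crl-issuer failed"); return -1; }`, pass `obj` (not `&obj`) to the lookup, and keep `X509_OBJECT_free(obj);` after `X509_get_pubkey`. If the module must also build against 1.0.2, the two forms need an `OPENSSL_VERSION_NUMBER` guard rather than a mix of both APIs. The same by-value `obj` / `X509_OBJECT_free_contents` pattern recurs in the next two hunks of this file (the `CRLP_OFFLINE` and `CRLP_ONLINE` branches of check_for_revocation). The body of verify_crl continues past the end of this hunk.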
@@ -203,13 +202,14 @@ static int verify_crl(X509_CRL * crl, X509_STORE_CTX * 
ctx)
 static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, 
crl_policy_t policy)
 {
   int rv, i, j;
-  X509_OBJECT *obj = NULL;
+  X509_OBJECT obj;
   X509_REVOKED *rev = NULL;
   STACK_OF(DIST_POINT) * dist_points;
   DIST_POINT *point;
   GENERAL_NAME *name;
   X509_CRL *crl;
   X509 *x509_ca = NULL;
+  EVP_PKEY crl_pkey;
 
   DBG1("crl policy: %d", policy);
   if (policy == CRLP_NONE) {
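Review bot: `EVP_PKEY crl_pkey;` is added to check_for_revocation's locals but is not referenced in any hunk of this file, so as far as this patch shows it is a dead declaration; and, like `X509_OBJECT`, `EVP_PKEY` is opaque in OpenSSL 1.1.0 and later, so declaring one by value will not compile there. Unless a part of the function outside these hunks uses it, drop the line. The by-value `X509_OBJECT obj;` on the line above it has the same opaque-type problem raised on the verify_crl hunk.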
@@ -227,28 +227,27 @@ static int check_for_revocation(X509 * x509, 
X509_STORE_CTX * ctx, crl_policy_t
   } else if (policy == CRLP_OFFLINE) {
     /* OFFLINE */
     DBG("looking for an dedicated local crl");
-    rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, 
X509_get_issuer_name(x509), obj);
+    rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, 
X509_get_issuer_name(x509), &obj);
     if (rv <= 0) {
       set_error("no dedicated crl available");
       return -1;
     }
-    crl = X509_OBJECT_get0_X509_CRL(obj);
-    if (obj)
-        X509_OBJECT_free(obj);
+    crl = X509_OBJECT_get0_X509_CRL((&obj));
+    X509_OBJECT_free_contents(&obj);
   } else if (policy == CRLP_ONLINE) {
     /* ONLINE */
     DBG("extracting crl distribution points");
     dist_points = X509_get_ext_d2i(x509, NID_crl_distribution_points, NULL, 
NULL);
     if (dist_points == NULL) {
       /* if there is not crl distribution point in the certificate hava a look 
at the ca certificate */
-      rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, 
X509_get_issuer_name(x509), obj);
+      rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, 
X509_get_issuer_name(x509), &obj);
       if (rv <= 0) {
         set_error("no dedicated ca certificate available");
         return -1;
       }
-      x509_ca = X509_OBJECT_get0_X509(obj);
+      x509_ca = X509_OBJECT_get0_X509((&obj));
       dist_points = X509_get_ext_d2i(x509_ca, NID_crl_distribution_points, 
NULL, NULL);
-      X509_OBJECT_free(obj);
+      X509_OBJECT_free_contents(&obj);
       if (dist_points == NULL) {
         set_error("neither the user nor the ca certificate does contain a crl 
distribution point");
         return -1;
@@ -296,10 +295,10 @@ static int check_for_revocation(X509 * x509, 
X509_STORE_CTX * ctx, crl_policy_t
   } else if (rv == 0) {
     return 0;
   }
+  DBG("checking revocation");
   rv = X509_CRL_get0_by_cert(crl, &rev, x509);
   X509_CRL_free(crl);
-  X509_REVOKED_free(rev);
-  return (rv == -1);
+  return (rv == 0);
 }
 
 static int add_hash( X509_LOOKUP *lookup, const char *dir) {
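Review bot: The unconditional `X509_CRL_free(crl)` next to the new `DBG` line is reached from both the `CRLP_OFFLINE` and `CRLP_ONLINE` branches of the previous hunk, but only the online branch owns its CRL; in the offline branch `crl` is borrowed from the store via `X509_OBJECT_get0_X509_CRL` and the reference taken by the lookup is already released by `X509_OBJECT_free_contents(&obj)`, so this free appears to drop a reference the function no longer holds and leaves the store pointing at a freed CRL. Since the patch already edits this spot, it is worth balancing here: either skip `X509_OBJECT_free_contents` in the offline branch so the lookup's reference is the one released by this free, or free only when the CRL came from download_crl. The new `return (rv == 0);` also deserves a one-line contract comment, e.g. `/* X509_CRL_get0_by_cert: 0 = not listed, 1 = revoked, 2 = listed with reason removeFromCRL; only 0 is treated as valid */`, because the old `rv == -1` test and the new `rv == 0` test read very differently. check_for_revocation starts outside this hunk.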
diff --git a/src/common/uri.c b/src/common/uri.c
index 2d74c04..8e65884 100644
--- a/src/common/uri.c
+++ b/src/common/uri.c
@@ -407,7 +407,7 @@ static int get_http(uri_t *uri, unsigned char **data, 
size_t *length, int rec_le
     set_error("not enough free memory available");
     return -1;
   }
-  sprintf(request, "GET %s HTTP/1.0\nHost: %s\n\n\n", uri->http->path, 
uri->http->host);
+  sprintf(request, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n", uri->http->path, 
uri->http->host);
   len = strlen(request);
   rv = send(sock, request, len, 0);
   free(request);
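Review bot: The new format string has two more fixed bytes than the old one (`\r\n` replaces `\n` twice and the third `\n` is gone: 25 instead of 23), yet it is still written with unbounded `sprintf` into `request`, whose size is computed above this hunk; if that size was derived from the old fixed overhead, the CRLF fix becomes a two-byte heap overflow. Please re-check the allocation and switch to a bounded write, e.g. `len = snprintf(request, REQUEST_SIZE, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n", uri->http->path, uri->http->host);` followed by `if (len < 0 || (size_t)len >= REQUEST_SIZE) { free(request); return -1; }` (where `REQUEST_SIZE` stands for whatever the allocation above uses), which also removes the separate `strlen(request)` call. `uri->http->path` and `uri->http->host` presumably come from the CRL distribution point in the certificate being verified, so the request length is not fully under the module's control. get_http starts before this hunk.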
-- 
2.18.0

