Hello community, here is the log from the commit of package pam_pkcs11 for openSUSE:Factory checked in at 2019-02-01 11:46:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pam_pkcs11 (Old) and /work/SRC/openSUSE:Factory/.pam_pkcs11.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam_pkcs11" Fri Feb 1 11:46:58 2019 rev:32 rq:670213 version:0.6.10 Changes: --------
--- /work/SRC/openSUSE:Factory/pam_pkcs11/pam_pkcs11.changes 2018-09-11 17:19:57.311165819 +0200
+++ /work/SRC/openSUSE:Factory/.pam_pkcs11.new.28833/pam_pkcs11.changes 2019-02-01 11:46:59.820456877 +0100
@@ -1,0 +2,16 @@
+Tue Jan 29 22:45:28 CET 2019 - sbra...@suse.com
+
+- Update to version 0.6.10:
+ * Fix some security issues (thx @frankmorgner):
+ https://www.x41-dsec.de/lab/advisories/x41-2018-003-pam_pkcs11/
+ (drop 0001-verify-using-a-nonce-from-the-system-not-the-card.patch,
+ 0002-fixed-buffer-overflow-with-long-home-directory.patch,
+ 0003-fixed-wiping-secrets-with-OpenSSL_cleanse.patch).
+ * Fix buffer overflow with long home directory.
+ * Fix wiping secrets (now using OpenSSL_cleanse()).
+ * Verify using a nonce from the system, not the card.
+ * Fix segfalt when checking CRLs
+ (drop pam_pkcs11-crl-check.patch).
+- Add rcpkcs11_eventmgr service symlink.
+
+-------------------------------------------------------------------
Old: ---- 0001-verify-using-a-nonce-from-the-system-not-the-card.patch 0002-fixed-buffer-overflow-with-long-home-directory.patch 0003-fixed-wiping-secrets-with-OpenSSL_cleanse.patch pam_pkcs11-0.6.9-ChangeLog.git pam_pkcs11-crl-check.patch pam_pkcs11-pam_pkcs11-0.6.9.tar.gz New: ---- pam_pkcs11-0.6.10-ChangeLog.git pam_pkcs11-0.6.10.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam_pkcs11.spec ++++++
--- /var/tmp/diff_new_pack.2lCZ7h/_old 2019-02-01 11:47:01.520455131 +0100
+++ /var/tmp/diff_new_pack.2lCZ7h/_new 2019-02-01 11:47:01.520455131 +0100
@@ -1,7 +1,7 @@ # # spec file for package pam_pkcs11 # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,33 +12,28 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # # It seems to be an upstream naming bug: %define _name pam_pkcs11-pam_pkcs11 Name: pam_pkcs11 -Version: 0.6.9 +Version: 0.6.10 Release: 0 Summary: PKCS #11 PAM Module License: LGPL-2.1-or-later Group: Productivity/Security Url: https://github.com/OpenSC/pam_pkcs11 -Source: %{_name}-%{version}.tar.gz +Source: https://github.com/OpenSC/pam_pkcs11/archive/%{name}-%{version}.tar.gz Source1: pam_pkcs11-common-auth-smartcard.pam Source2: baselibs.conf # make dist was not called. -Source3: pam_pkcs11-0.6.9-ChangeLog.git +Source3: pam_pkcs11-0.6.10-ChangeLog.git Source4: pkcs11_eventmgr.service Patch0: %{name}-fsf-address.patch Patch1: %{name}-0.5.3-nss-conf.patch Patch3: %{name}-0.6.0-nss-autoconf.patch -# PATCH-FIX-UPSTEAM-PENDING pam_pkcs11-crl-check.patch https://github.com/OpenSC/pam_pkcs11/pull/26 -- Fix segfault and fetch problems when checking CRLs. -Patch4: %{name}-crl-check.patch -Patch5: 0001-verify-using-a-nonce-from-the-system-not-the-card.patch -Patch6: 0002-fixed-buffer-overflow-with-long-home-directory.patch -Patch7: 0003-fixed-wiping-secrets-with-OpenSSL_cleanse.patch BuildRequires: curl-devel BuildRequires: docbook-xsl-stylesheets BuildRequires: doxygen 
@@ -93,10 +88,6 @@ %patch0 -p1 %patch1 -p1 %patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 cp -a %{SOURCE1} common-auth-smartcard sed -i s:/lib/:/%{_lib}/:g etc/pam_pkcs11.conf.example.in etc/pkcs11_eventmgr.conf.example # make dist was not called and cannot be called on a non git snapshot. @@ -132,6 +123,8 @@ mkdir -p %{buildroot}%{_sysconfdir}/pam.d cp common-auth-smartcard %{buildroot}%{_sysconfdir}/pam.d/ install -D -m 644 %{SOURCE4} %{buildroot}%{_unitdir}/pkcs11_eventmgr.service +mkdir -p %{buildroot}%{_sbindir} +ln -s service %{buildroot}%{_sbindir}/rcpkcs11_eventmgr %find_lang %{name} %fdupes -s %{buildroot}%{_docdir}/%{name} @@ -160,6 +153,7 @@ %config(noreplace) %{_sysconfdir}/pam_pkcs11/*.conf %config(noreplace) %{_sysconfdir}/pam.d/common-auth-smartcard %{_prefix}/lib/systemd/system/pkcs11_eventmgr.service +%{_sbindir}/* %files devel-doc %doc %{_docdir}/%{name}/api ++++++ pam_pkcs11-0.6.9-ChangeLog.git -> pam_pkcs11-0.6.10-ChangeLog.git ++++++ ++++ 6284 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/pam_pkcs11/pam_pkcs11-0.6.9-ChangeLog.git ++++ and /work/SRC/openSUSE:Factory/.pam_pkcs11.new.28833/pam_pkcs11-0.6.10-ChangeLog.git ++++++ pam_pkcs11-pam_pkcs11-0.6.9.tar.gz -> pam_pkcs11-0.6.10.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_pkcs11-pam_pkcs11-0.6.9/ChangeLog new/pam_pkcs11-pam_pkcs11-0.6.10/ChangeLog --- old/pam_pkcs11-pam_pkcs11-0.6.9/ChangeLog 2016-09-28 13:44:52.000000000 +0200 +++ new/pam_pkcs11-pam_pkcs11-0.6.10/ChangeLog 2018-09-11 23:06:08.000000000 +0200 
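Review bot: The `%{_sbindir}/*` entry added in the -160 hunk, in the %files section preceding `%files devel-doc`, is a glob, so anything a later upstream release happens to install into sbindir would be packaged without appearing in a review of the spec. The only file the -132 hunk creates there is the rc symlink, so naming it keeps the file list auditable: `%{_sbindir}/rcpkcs11_eventmgr`.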
@@ -1,3 +1,11 @@ +12- Sep 2018 + - Version 0.6.10 is out. + - Fixed some security issues (thx @frankmorgner): + (https://www.x41-dsec.de/lab/advisories/x41-2018-003-pam_pkcs11/) + -- fixed buffer overflow with long home directory; + -- fixed wiping secrets (now using OpenSSL_cleanse()); + -- verify using a nonce from the system, not the card. + 08- Sep 2005 - Fixes to pam_pkcs11.spec diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_pkcs11-pam_pkcs11-0.6.9/NEWS new/pam_pkcs11-pam_pkcs11-0.6.10/NEWS --- old/pam_pkcs11-pam_pkcs11-0.6.9/NEWS 2016-09-28 13:44:52.000000000 +0200 +++ new/pam_pkcs11-pam_pkcs11-0.6.10/NEWS 2018-09-11 23:06:08.000000000 +0200 @@ -1,3 +1,13 @@ +12- Sep 2018 + - Version 0.6.10 is out. + - Fixed some security issues (thx @frankmorgner): + (https://www.x41-dsec.de/lab/advisories/x41-2018-003-pam_pkcs11/) + -- fixed buffer overflow with long home directory; + -- fixed wiping secrets (now using OpenSSL_cleanse()); + -- verify using a nonce from the system, not the card. + +... 0.6.9 ... 0.6.0 are yet undescribed. + 12- Sep 2005 - Finally pam_pkcs11-0.5.3 is out. - New mapper API and Docs diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_pkcs11-pam_pkcs11-0.6.9/README new/pam_pkcs11-pam_pkcs11-0.6.10/README --- old/pam_pkcs11-pam_pkcs11-0.6.9/README 2016-09-28 13:44:52.000000000 +0200 +++ new/pam_pkcs11-pam_pkcs11-0.6.10/README 2018-09-11 23:06:08.000000000 +0200 
@@ -1,10 +1,11 @@ This is the README of the PKCS #11 PAM Login Module ====================================================================== -Release: 0.6.1 +Release: 0.6.10 Authors: Mario Strasser <m...@gmx.net> Juan Antonio Martinez <jons...@teleline.es> Ludovic Rouseau <ludovic.rouss...@free.fr> + Frank Morgner <frankmorg...@gmail.com> This Linux-PAM login module allows a X.509 certificate based user login. The certificate and its dedicated private key are thereby diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_pkcs11-pam_pkcs11-0.6.9/README.md new/pam_pkcs11-pam_pkcs11-0.6.10/README.md --- old/pam_pkcs11-pam_pkcs11-0.6.9/README.md 2016-09-28 13:44:52.000000000 +0200 +++ new/pam_pkcs11-pam_pkcs11-0.6.10/README.md 2018-09-11 23:06:08.000000000 +0200 
@@ -1,7 +1,126 @@ -# This project is no more maintained +PAM-PKCS\#11 Login Tools +======================== -I @LudovicRousseau do not use this software any more and have no time to take care of it. -See "Pam-pkcs#11 needs a new maintainer(s) soon, or it will die" https://sourceforge.net/p/opensc/mailman/message/35191905/ +Description +----------- -If you want to become the new maintainer just ask me @LudovicRousseau to add you -in the https://github.com/orgs/OpenSC/teams/pam_pkcs11-maintainers group. +This Linux-PAM login module allows a X.509 certificate based user login. +The certificate and its dedicated private key are thereby accessed by +means of an appropriate PKCS\#11 module. For the verification of the +users' certificates, locally stored CA certificates as well as either +online or locally accessible CRLs are used. + +Detailed information about the Linux-PAM system can be found in [The +Linux-PAM System Administrators' +Guide](http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html), +[The Linux-PAM Module Writers' +Guide](http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_MWG.html) +and [The Linux-PAM Application Developers' +Guide](http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_ADG.html) +The specification of the Cryptographic Token Interface Standard +(PKCS\#11) is available at [PKCS\#11 - Cryptographic Token Interface +Standard](https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html). + +PAM-PKCS\#11 package provides: + +* A PAM module able to: + * Use certificates to get user credentials + * Deduce a login based on provided certificate +* Several tools: + * Standalone cert-to-login finder tool + * Certificate contents viewer + * Card Event status monitor, to trigger actions on card insert/removal + +You can read the online [PAM-PKCS\#11 User +Manual](http://opensc.github.io/pam_pkcs11/doc/pam_pkcs11.html) to know +how to install, configure and use this software. 
+ +### PKCS\#11 Module Requirements + +The PKCS\#11 modules must fulfill the requirements given by the RSA +Asymmetric Client Signing Profile, which has been specified in the + [PKCS\#11: Conformance Profile +Specification](http://www.rsa.com/rsalabs/node.asp?id=2133) by RSA +Laboratories. + +### User Matching + +To map the ownership of a certificate into a user login, pam-pkcs11 uses +the concept of *mapper* that is, a list of configurable, stackable +list of dynamic modules, each one trying to do a specific cert-to-login +maping. Several mappers are provided: + +* the common name of the subject matches the login name +* the unique identifier of the subject matches the login name +* the user part of an e-mail subject alternative name extension matches the login name +* the Microsoft universal principal name extension matches the login name +* etc...(see documentation on provided mappers) + +Many mappers may use also a *mapfile* to translate Certificate +contents to a login name. + +Download +-------- + +* [pam\_pkcs11-0.6.9.tar.gz](http://sourceforge.net/projects/opensc/files/pam_pkcs11/) + +Packages for [various Linux +distributions](https://repology.org/metapackage/pam-pkcs11) are +available through the their standard package management system. + +Installation +------------ + +Unpack the archive, configure, compile and install it: + +```sh +tar xvzf pkcs11_login-X.Y.Z.tar.gz +cd pkcs11_login-X.Y.Z +./configure +make +sudo make install +``` + +If you want to use [cURL](http://curl.haxx.se/libcurl/) instead of +our native URI-functions for downloading CRLs, use `./configure --with-curl` + +However, up to now cURL is not able to handle binary LDAP replies and +thus CRL download might not work for all LDAP URIs. + +Next, you have to create the needed openssl-hash-links. 
+ +```sh +make_hash_link.sh ${path to the directory with the CA certificates} +make_hash_link.sh ${path to the directory with the CRLs} +``` + +Configuration +------------- + +See [PAM-PKCS\#11 User +Manual](http://opensc.github.io/pam_pkcs11/doc/pam_pkcs11.html) to +configure and set up pam\_pkcs11. + +See [PAM-PKCS\#11 Mappers +API](http://opensc.github.io/pam_pkcs11/doc/mappers_api.html) to get +advanced information on mappers (mainly for developers). + +Documentation +------------- + +* Online Manuals +* [PAM-PKCS\#11 User Manual](http://opensc.github.io/pam_pkcs11/doc/pam_pkcs11.html) +* [PAM-PKCS\#11 Mappers API Reference](http://opensc.github.io/pam_pkcs11/doc/mappers_api.html) +* [TODO](https://raw.github.com/OpenSC/pam_pkcs11/master/TODO) file (outdated) +* Man pages + * [`pam_pkcs11(8)`](https://linux.die.net/man/8/pam_pkcs11) + * [`card_eventmgr(1)`](https://linux.die.net/man/1/card_eventmgr) + * [`pkcs11_eventmgr(1)`](https://linux.die.net/man/1/pkcs11_eventmgr) + * [`pklogin_finder(1)`](https://linux.die.net/man/1/pklogin_finder) + * [`pkcs11_inspect(1)`](https://linux.die.net/man/1/pkcs11_inspect) + +Contact +------- + +[Get involved](https://github.com/OpenSC/pam_pkcs11/issues) +in development! All comments, suggestions and bug reports are welcome. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_pkcs11-pam_pkcs11-0.6.9/configure.ac new/pam_pkcs11-pam_pkcs11-0.6.10/configure.ac --- old/pam_pkcs11-pam_pkcs11-0.6.9/configure.ac 2016-09-28 13:44:52.000000000 +0200 +++ new/pam_pkcs11-pam_pkcs11-0.6.10/configure.ac 2018-09-11 23:06:08.000000000 +0200 
@@ -4,7 +4,7 @@ AC_PREREQ([2.69]) # Process this file with autoconf to produce a configure script. -AC_INIT([pam_pkcs11],[0.6.9]) +AC_INIT([pam_pkcs11],[0.6.10]) AC_CONFIG_SRCDIR([src/pam_pkcs11/pam_pkcs11.c]) AC_CANONICAL_HOST AM_INIT_AUTOMAKE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_pkcs11-pam_pkcs11-0.6.9/src/common/cert_vfy.c new/pam_pkcs11-pam_pkcs11-0.6.10/src/common/cert_vfy.c --- old/pam_pkcs11-pam_pkcs11-0.6.9/src/common/cert_vfy.c 2016-09-28 13:44:52.000000000 +0200 +++ new/pam_pkcs11-pam_pkcs11-0.6.10/src/common/cert_vfy.c 2018-09-11 23:06:08.000000000 +0200 @@ -143,21 +143,20 @@ static int verify_crl(X509_CRL * crl, X509_STORE_CTX * ctx) { int rv; - X509_OBJECT *obj = NULL; + X509_OBJECT obj; EVP_PKEY *pkey = NULL; X509 *issuer_cert; /* get issuer certificate */ - rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), obj); + rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), &obj); if (rv <= 0) { set_error("getting the certificate of the crl-issuer failed"); return -1; } /* extract public key and verify signature */ - issuer_cert = X509_OBJECT_get0_X509(obj); + issuer_cert = X509_OBJECT_get0_X509((&obj)); pkey = X509_get_pubkey(issuer_cert); - if (obj) - X509_OBJECT_free(obj); + X509_OBJECT_free_contents(&obj); if (pkey == NULL) { set_error("getting the issuer's public key failed"); return -1; @@ -203,13 +202,14 @@ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t policy) { int rv, i, j; - X509_OBJECT *obj = NULL; + X509_OBJECT obj; X509_REVOKED *rev = NULL; STACK_OF(DIST_POINT) * dist_points; DIST_POINT *point; GENERAL_NAME *name; X509_CRL *crl; X509 *x509_ca = NULL; + EVP_PKEY crl_pkey; DBG1("crl policy: %d", policy); if (policy == CRLP_NONE) { 
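Review bot: Declaring `X509_OBJECT obj;` on the stack and releasing it with `X509_OBJECT_free_contents(&obj)` only works with OpenSSL releases older than 1.1.0; from 1.1.0 on the struct is opaque and that function no longer exists, while `X509_OBJECT_get0_X509()` used two lines later is a 1.1.0 accessor. Unless compatibility macros outside this hunk bridge the two, the OpenSSL build of verify_crl() breaks, and the same pattern recurs in the -203 and -227 hunks of check_for_revocation(). A version-independent form keeps the pointer and allocates it, `X509_OBJECT *obj = X509_OBJECT_new();`, releases it with `X509_OBJECT_free(obj);`, and supplies 1.0.x fallbacks for those two calls. The body of verify_crl() continues past the end of the hunk.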
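Review bot: `EVP_PKEY crl_pkey;` is added to the declarations of check_for_revocation(), but none of the visible hunks of this function reads or writes it, and `EVP_PKEY` is an opaque type in OpenSSL 1.1.0 and later, so the declaration cannot compile there. If no code outside the hunks uses the variable, the line should be dropped. The function body continues past the end of this hunk.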
@@ -227,28 +227,27 @@ } else if (policy == CRLP_OFFLINE) { /* OFFLINE */ DBG("looking for an dedicated local crl"); - rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), obj); + rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), &obj); if (rv <= 0) { set_error("no dedicated crl available"); return -1; } - crl = X509_OBJECT_get0_X509_CRL(obj); - if (obj) - X509_OBJECT_free(obj); + crl = X509_OBJECT_get0_X509_CRL((&obj)); + X509_OBJECT_free_contents(&obj); } else if (policy == CRLP_ONLINE) { /* ONLINE */ DBG("extracting crl distribution points"); dist_points = X509_get_ext_d2i(x509, NID_crl_distribution_points, NULL, NULL); if (dist_points == NULL) { /* if there is not crl distribution point in the certificate hava a look at the ca certificate */ - rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), obj); + rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), &obj); if (rv <= 0) { set_error("no dedicated ca certificate available"); return -1; } - x509_ca = X509_OBJECT_get0_X509(obj); + x509_ca = X509_OBJECT_get0_X509((&obj)); dist_points = X509_get_ext_d2i(x509_ca, NID_crl_distribution_points, NULL, NULL); - X509_OBJECT_free(obj); + X509_OBJECT_free_contents(&obj); if (dist_points == NULL) { set_error("neither the user nor the ca certificate does contain a crl distribution point"); return -1; 
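Review bot: In the CRLP_OFFLINE branch `crl` is a borrowed pointer from `X509_OBJECT_get0_X509_CRL()`, and the `X509_OBJECT_free_contents(&obj)` on the next line releases the only reference this function took, so the CRL stays alive solely through the store's own cache entry. The -296 hunk later calls `X509_CRL_free(crl)`; if the offline path reaches that call (the code in between lies outside the hunks), the store's reference is dropped as well and the store is left pointing at freed memory. Taking an owned copy before the release avoids that, `crl = X509_CRL_dup(X509_OBJECT_get0_X509_CRL((&obj)));`, followed by a NULL check.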
@@ -296,10 +295,10 @@ } else if (rv == 0) { return 0; } + DBG("checking revocation"); rv = X509_CRL_get0_by_cert(crl, &rev, x509); X509_CRL_free(crl); - X509_REVOKED_free(rev); - return (rv == -1); + return (rv == 0); } static int add_hash( X509_LOOKUP *lookup, const char *dir) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_pkcs11-pam_pkcs11-0.6.9/src/common/pkcs11_lib.c new/pam_pkcs11-pam_pkcs11-0.6.10/src/common/pkcs11_lib.c --- old/pam_pkcs11-pam_pkcs11-0.6.9/src/common/pkcs11_lib.c 2016-09-28 13:44:52.000000000 +0200 +++ new/pam_pkcs11-pam_pkcs11-0.6.10/src/common/pkcs11_lib.c 2018-09-11 23:06:08.000000000 +0200 @@ -63,7 +63,7 @@ /* perform pkcs #11 login */ rv = pkcs11_login(h, pin); - memset(pin, 0, strlen(pin)); + cleanse(pin, strlen(pin)); if (rv != 0) { set_error("pkcs11_login() failed: %s", get_error()); return -1; @@ -131,6 +131,43 @@ return (0); } +int get_random_value(unsigned char *data, int length) +{ + static const char *random_device = "/dev/urandom"; + int rv, fh, l; + + DBG2("reading %d random bytes from %s", length, random_device); + fh = open(random_device, O_RDONLY); + if (fh == -1) { + set_error("open() failed: %s", strerror(errno)); + return -1; + } + + l = 0; + while (l < length) { + rv = read(fh, data + l, length - l); + if (rv <= 0) { + close(fh); + set_error("read() failed: %s", strerror(errno)); + return -1; + } + l += rv; + } + close(fh); + DBG5("random-value[%d] = [%02x:%02x:%02x:...:%02x]", length, data[0], + data[1], data[2], data[length - 1]); + return 0; +} + +void cleanse(void *ptr, size_t len) +{ +#ifdef HAVE_OPENSSL + OPENSSL_cleanse(ptr, len); +#else + memset(ptr, 0, len); +#endif +} + #ifdef HAVE_NSS /* @@ -609,7 +646,7 @@ if (h->module) { SECMOD_DestroyModule(h->module); } - memset(h, 0, sizeof(pkcs11_handle_t)); + cleanse(h, sizeof(pkcs11_handle_t)); free(h); /* if we initialized NSS, then we need to shut it down */ 
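Review bot: The new `return (rv == 0);` depends on the three-valued result of `X509_CRL_get0_by_cert()`, which the hunk leaves undocumented; a comment above the call such as `/* 0: not listed, 1: revoked, 2: listed with reason removeFromCRL (treated as revoked here) */` would record why only 0 counts as a pass. After this change `rev` is only an out-parameter that nothing visible reads. The function starts before this hunk.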
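Review bot: The `#else` branch of the new cleanse() in the -131 hunk is a plain `memset()`, which a compiler may remove as a dead store once the call is inlined ahead of a `free()`; the `cleanse(h, sizeof(pkcs11_handle_t)); free(h);` pairs in the -609 and -1181 hunks are in this same file, so a build without HAVE_OPENSSL has no guaranteed wipe there. Writing through a volatile pointer keeps the stores: `volatile unsigned char *p = ptr; while (len--) *p++ = 0;`. In get_random_value() the DBG5 line reads `data[0]` to `data[2]` and `data[length - 1]` with no check on `length`, so an early `if (data == NULL || length <= 0) return -1;` and printing the sample bytes only when `length >= 3` would close the out-of-bounds read. When `read()` returns 0 the error text is built from `errno`, which that call did not set.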
@@ -834,16 +871,6 @@ return 0; } -int get_random_value(unsigned char *data, int length) -{ - SECStatus rv = PK11_GenerateRandom(data,length); - if (rv != SECSuccess) { - DBG1("couldn't generate random number: %s", SECU_Strerror(PR_GetError())); - } - return (rv == SECSuccess) ? 0 : -1; -} - - struct tuple_str { PRErrorCode errNum; const char * errString; @@ -1181,7 +1208,7 @@ /* release all allocated memory */ if (h->slots != NULL) free(h->slots); - memset(h, 0, sizeof(pkcs11_handle_t)); + cleanse(h, sizeof(pkcs11_handle_t)); free(h); } @@ -1778,32 +1805,4 @@ (*signature)[0], (*signature)[1], (*signature)[2], (*signature)[*signature_length - 1]); return 0; } - -int get_random_value(unsigned char *data, int length) -{ - static const char *random_device = "/dev/urandom"; - int rv, fh, l; - - DBG2("reading %d random bytes from %s", length, random_device); - fh = open(random_device, O_RDONLY); - if (fh == -1) { - set_error("open() failed: %s", strerror(errno)); - return -1; - } - - l = 0; - while (l < length) { - rv = read(fh, data + l, length - l); - if (rv <= 0) { - close(fh); - set_error("read() failed: %s", strerror(errno)); - return -1; - } - l += rv; - } - close(fh); - DBG5("random-value[%d] = [%02x:%02x:%02x:...:%02x]", length, data[0], - data[1], data[2], data[length - 1]); - return 0; -} #endif /* HAVE_NSS */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_pkcs11-pam_pkcs11-0.6.9/src/common/pkcs11_lib.h new/pam_pkcs11-pam_pkcs11-0.6.10/src/common/pkcs11_lib.h --- old/pam_pkcs11-pam_pkcs11-0.6.9/src/common/pkcs11_lib.h 2016-09-28 13:44:52.000000000 +0200 +++ new/pam_pkcs11-pam_pkcs11-0.6.10/src/common/pkcs11_lib.h 2018-09-11 23:06:08.000000000 +0200 
@@ -67,6 +67,7 @@ unsigned char *data, unsigned long length, unsigned char **signature, unsigned long *signature_length); PKCS11_EXTERN int get_random_value(unsigned char *data, int length); +PKCS11_EXTERN void cleanse(void *ptr, size_t len); #undef PKCS11_EXTERN diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_pkcs11-pam_pkcs11-0.6.9/src/common/uri.c new/pam_pkcs11-pam_pkcs11-0.6.10/src/common/uri.c --- old/pam_pkcs11-pam_pkcs11-0.6.9/src/common/uri.c 2016-09-28 13:44:52.000000000 +0200 +++ new/pam_pkcs11-pam_pkcs11-0.6.10/src/common/uri.c 2018-09-11 23:06:08.000000000 +0200 @@ -407,7 +407,7 @@ set_error("not enough free memory available"); return -1; } - sprintf(request, "GET %s HTTP/1.0\nHost: %s\n\n\n", uri->http->path, uri->http->host); + sprintf(request, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n", uri->http->path, uri->http->host); len = strlen(request); rv = send(sock, request, len, 0); free(request); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_pkcs11-pam_pkcs11-0.6.9/src/mappers/openssh_mapper.c new/pam_pkcs11-pam_pkcs11-0.6.10/src/mappers/openssh_mapper.c --- old/pam_pkcs11-pam_pkcs11-0.6.9/src/mappers/openssh_mapper.c 2016-09-28 13:44:52.000000000 +0200 +++ new/pam_pkcs11-pam_pkcs11-0.6.10/src/mappers/openssh_mapper.c 2018-09-11 23:06:08.000000000 +0200 @@ -311,7 +311,7 @@ */ static int openssh_mapper_match_user(X509 *x509, const char *user, void *context) { struct passwd *pw; - char filename[512]; + char filename[PATH_MAX]; if (!x509) return -1; if (!user) return -1; pw = getpwnam(user); 
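Review bot: The rewritten request literal in the uri.c hunk is two bytes longer than the old one (`\r\n` pairs instead of bare `\n`), and it is still written with an unbounded `sprintf()` into `request`, whose allocation lies outside the hunk. The size computed there needs to be confirmed against the new literal plus the path and host lengths, and the write should be bounded by that same size, `snprintf(request, request_size, ...)`, where `request_size` is a placeholder for whatever the allocation used. The enclosing function starts and ends outside the hunk.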
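Review bot: Enlarging `filename` to `PATH_MAX` in openssh_mapper_match_user() does not by itself bound the write into it, because the statement that builds the path from `pw->pw_dir` is outside both this hunk and the -333 hunk, which makes the same change inside the getpwent() loop. `pw_dir` comes from the passwd database and nothing visible limits its length, so the fix holds only if that write is length-checked, for example `snprintf(filename, sizeof(filename), ...)` with the existing format and a test for truncation. `PATH_MAX` also needs `<limits.h>` in scope, which neither hunk shows.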
@@ -333,7 +333,7 @@ /* parse list of users until match */ setpwent(); while((pw=getpwent()) != NULL) { - char filename[512]; + char filename[PATH_MAX]; DBG1("Trying to match certificate with user: '%s'",pw->pw_name); if ( is_empty_str(pw->pw_dir) ) { DBG1("User '%s' has no home directory",pw->pw_name); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_pkcs11-pam_pkcs11-0.6.9/src/pam_pkcs11/pam_pkcs11.c new/pam_pkcs11-pam_pkcs11-0.6.10/src/pam_pkcs11/pam_pkcs11.c --- old/pam_pkcs11-pam_pkcs11-0.6.9/src/pam_pkcs11/pam_pkcs11.c 2016-09-28 13:44:52.000000000 +0200 +++ new/pam_pkcs11-pam_pkcs11-0.6.10/src/pam_pkcs11/pam_pkcs11.c 2018-09-11 23:06:08.000000000 +0200 @@ -108,7 +108,7 @@ *response = strdup(resp[0].resp); } /* overwrite memory and release it */ - memset(resp[0].resp, 0, strlen(resp[0].resp)); + cleanse(resp[0].resp, strlen(resp[0].resp)); free(&resp[0]); return PAM_SUCCESS; } @@ -191,7 +191,7 @@ return PAM_CRED_INSUFFICIENT; *pwd = strdup(resp[0].resp); /* overwrite memory and release it */ - memset(resp[0].resp, 0, strlen(resp[0].resp)); + cleanse(resp[0].resp, strlen(resp[0].resp)); free(&resp[0]); /* save password if variable nitem is set */ if ((nitem == PAM_AUTHTOK) || (nitem == PAM_OLDAUTHTOK)) { @@ -517,7 +517,7 @@ /* check password length */ if (!configuration->nullok && strlen(password) == 0) { release_pkcs11_module(ph); - memset(password, 0, strlen(password)); + cleanse(password, strlen(password)); free(password); pam_syslog(pamh, LOG_ERR, "password length is zero but the 'nullok' argument was not defined."); @@ -543,7 +543,7 @@ /* erase and free in-memory password data asap */ if (password) { - memset(password, 0, strlen(password)); + cleanse(password, strlen(password)); free(password); } if (rv != 0) { 
@@ -831,7 +831,7 @@ return PAM_SUCCESS; /* quick and dirty fail exit point */ - memset(password, 0, strlen(password)); + cleanse(password, strlen(password)); free(password); /* erase and free in-memory password data */ auth_failed_nopw: