Hello community,

here is the log from the commit of package pam_p11 for openSUSE:Factory checked 
in at 2019-02-24 17:17:47
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pam_p11 (Old)
 and      /work/SRC/openSUSE:Factory/.pam_p11.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pam_p11"

Sun Feb 24 17:17:47 2019 rev:22 rq:677825 version:0.2.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/pam_p11/pam_p11.changes  2018-01-24 
15:31:56.674320828 +0100
+++ /work/SRC/openSUSE:Factory/.pam_p11.new.28833/pam_p11.changes       
2019-02-24 17:17:51.932424205 +0100
@@ -1,0 +2,26 @@
+Thu Jan 31 18:40:50 UTC 2019 - Pedro Monreal Gonzalez 
<[email protected]>
+
+- Update to version 0.2.0 [bsc#1123392, bsc#1123916]
+  * Add user documentation in Readme.md
+  * Add support for PIN pad readers
+  * Add support for changing/unblocking PIN (use with passwd)
+  * Add support for localized user feedback
+  * Add support for cards without certificates (e.g. OpenPGP card)
+  * Add support for PKCS#11 modules with multiple slots
+  * Add support for building with OpenSSL 1.1
+  * Merged opensc and openssh module into pam_p11.so
+  * Fixed memory leaks, coverity issues, compiler warnings
+  * Created test-passwd and test-login for testing standard use cases
+- Added patch to replace deprecated EVP_MD_CTX_cleanup(md_ctx) with
+  EVP_MD_CTX_reset(md_ctx)
+  * pam_p11-replace-deprecated-OpenSSL-API-functions.patch
+- Added patch to fix unsigned comparison
+  * pam_p11-unsigned-comparison.patch
+- Removed patch fixed upstream:
+  * pam_p11-openssl11.patch
+- Mark locale-dependent file:
+  /usr/share/locale/de/LC_MESSAGES/pam_p11.mo
+- Added documentation file README.SUSE with a Security Note
+- Cleaned with spec-cleaner
+
+-------------------------------------------------------------------
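
Review bot: The "Update to version 0.2.0 [bsc#1123392, bsc#1123916]" line carries both bug references without saying which item below addresses which bug. Since this update also adds README.SUSE with a security note, it would help to put each bsc number next to the entry it belongs to.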

Old:
----
  pam_p11-0.1.6.tar.gz
  pam_p11-openssl11.patch

New:
----
  README.SUSE
  pam_p11-0.2.0.tar.gz
  pam_p11-replace-deprecated-OpenSSL-API-functions.patch
  pam_p11-unsigned-comparison.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pam_p11.spec ++++++
--- /var/tmp/diff_new_pack.OkdEqA/_old  2019-02-24 17:17:52.516424101 +0100
+++ /var/tmp/diff_new_pack.OkdEqA/_new  2019-02-24 17:17:52.520424100 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package pam_p11
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,21 +12,24 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
 Name:           pam_p11
-Version:        0.1.6
+Version:        0.2.0
 Release:        0
 Summary:        PAM Authentication Module for Using Cryptographic Tokens
-License:        LGPL-2.1+
+License:        LGPL-2.1-or-later
 Group:          Hardware/Other
-Url:            https://github.com/OpenSC/pam_p11
+URL:            https://github.com/OpenSC/pam_p11
 Source:         
https://github.com/OpenSC/pam_p11/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
+Source1:        README.SUSE
 Source2:        baselibs.conf
-#PATCH-FIX-UPSTREAM https://github.com/OpenSC/pam_p11/pull/7
-Patch0:         pam_p11-openssl11.patch
+#PATCH-FIX-UPSTREAM https://github.com/OpenSC/pam_p11/pull/12
+Patch0:         pam_p11-replace-deprecated-OpenSSL-API-functions.patch
+#PATCH-FIX-UPSTREAM unsigned comparison 
+Patch1:         pam_p11-unsigned-comparison.patch
 BuildRequires:  libp11-devel
 BuildRequires:  openssl-devel
 BuildRequires:  pam-devel
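
Review bot: The tag for Patch1, "#PATCH-FIX-UPSTREAM unsigned comparison", gives no upstream reference, while Patch0 points at https://github.com/OpenSC/pam_p11/pull/12. Please add the upstream commit or pull request URL so the patch can be dropped with confidence at the next version bump, and remove the trailing space on that comment line.
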
@@ -38,9 +41,15 @@
 cryptographic tokens, such as smart cards and usb crypto tokens, for
 authentication.
 
+Pam_p11 has limited functionality since it simply compares public
+keys to sign some random data and verifies the signature with the
+public key. This works fine for small installations but may have
+security implications, see README.SUSE.
+
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 
 %build
 %configure\
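
Review bot: The added %description paragraph reads as if comparing public keys is what signs the random data ("compares public keys to sign some random data"), and it never names the missing checks. README.SUSE states them: no CA chain checking, no CRL, no OCSP. Suggest wording the description as: the module compares public keys, asks the token to sign random data and verifies that signature with the public key, and performs no certificate chain or revocation checking, so that the limitation is visible in the package metadata and not only in the README.
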
@@ -54,9 +63,11 @@
 %make_install
 # remove .la files
 find %{buildroot} -type f -name "*.la" -delete -print
+%find_lang %{name} %{name}.mo
 
-%files
-%doc COPYING NEWS
+%files -f %{name}.mo
+%license COPYING
+%doc NEWS
 /%{_lib}/security/*.so
 
 %changelog
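
Review bot: In "%find_lang %{name} %{name}.mo" the second argument is the name of the generated file list, so the list consumed by "%files -f %{name}.mo" gets the same name as the message catalog the changelog mentions (/usr/share/locale/de/LC_MESSAGES/pam_p11.mo). This works, but it is easy to misread. The default "%find_lang %{name}" with "%files -f %{name}.lang" is the conventional form.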

++++++ README.SUSE ++++++
pam_p11 Security Note:

  * Pam_p11 simply compares public keys and request the cryptographic
    token to sign some random data and verifiy the signature with the
    public key. No CA chain checking is done, no CRL is looked at, and
    they don't know what OCSP is. This works fine for small installations,
    but if you want any of those features, please have a look at Pam_pkcs11
    for a fully fledged PAM module for smart card authentication.

For more information, see https://github.com/OpenSC/pam_p11
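
Review bot: The security note has two typos, "request" (should be "requests") and "verifiy" (should be "verify"), and the sentence "they don't know what OCSP is" has no clear subject. Since this note is the only place where the missing CA chain, CRL and OCSP checks are spelled out, suggest plain wording such as "No CA chain is checked, no CRL is consulted and OCSP is not supported."
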
++++++ pam_p11-0.1.6.tar.gz -> pam_p11-0.2.0.tar.gz ++++++
++++ 12326 lines of diff (skipped)

++++++ pam_p11-replace-deprecated-OpenSSL-API-functions.patch ++++++
From: Peter Popovec <[email protected]>
Date: Thu, 17 May 2018 08:51:28 +0200
Subject: Allow compilation with newer openssl version

from https://www.openssl.org/news/changelog.html#x4:
   EVP_MD_CTX_cleanup(), EVP_CIPHER_CTX_cleanup() and
   HMAC_CTX_cleanup() were removed.  HMAC_CTX_reset() and
   EVP_MD_CTX_reset() should be called instead to reinitialise
   an already created structure.
---
 src/pam_p11.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/pam_p11.c b/src/pam_p11.c
index 960c164..09aaa3c 100644
--- a/src/pam_p11.c
+++ b/src/pam_p11.c
@@ -590,7 +590,11 @@ static int key_verify(pam_handle_t *pamh, int flags, 
PKCS11_KEY *authkey)
                        || !EVP_SignInit(md_ctx, md)
                        || !EVP_SignUpdate(md_ctx, challenge, sizeof challenge)
                        || !EVP_SignFinal(md_ctx, signature, &siglen, privkey)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
                        || !EVP_MD_CTX_cleanup(md_ctx)
+#else
+                       || !EVP_MD_CTX_reset(md_ctx)
+#endif
                        || !EVP_VerifyInit(md_ctx, md)
                        || !EVP_VerifyUpdate(md_ctx, challenge, sizeof 
challenge)
                        || 1 != EVP_VerifyFinal(md_ctx, signature, siglen, 
pubkey)) {
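
Review bot: The #if/#else/#endif is placed in the middle of the || chain in key_verify(), which splits a single condition across preprocessor branches and makes the sign-then-verify sequence harder to audit. Suggest defining a compatibility macro once near the includes (for OPENSSL_VERSION_NUMBER < 0x10100000L, map EVP_MD_CTX_reset to EVP_MD_CTX_cleanup) and calling EVP_MD_CTX_reset(md_ctx) unconditionally here. Also note that the package changelog describes this as replacing the deprecated call, while the patch keeps both calls behind the version guard.
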
++++++ pam_p11-unsigned-comparison.patch ++++++
From: Alon Bar-Lev <[email protected]>
Date: Wed, 15 Aug 2018 18:30:51 +0300
Subject: build: pam_p11: unsigned comparison

Signed-off-by: Alon Bar-Lev <[email protected]>
---
 src/pam_p11.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/pam_p11.c b/src/pam_p11.c
index 09aaa3c..0c0c3ff 100644
--- a/src/pam_p11.c
+++ b/src/pam_p11.c
@@ -553,7 +553,7 @@ static int randomize(pam_handle_t *pamh, unsigned char *r, 
unsigned int r_len)
 {
        int ok = 0;
        int fd = open("/dev/urandom", O_RDONLY);
-       if (0 <= fd && read(fd, r, r_len) == r_len) {
+       if (0 <= fd && read(fd, r, r_len) == (ssize_t)r_len) {
                ok = 1;
        } else {
                pam_syslog(pamh, LOG_CRIT, "Error reading from /dev/urandom: 
%s",
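
Review bot: In randomize(), the condition "0 <= fd && read(fd, r, r_len) == (ssize_t)r_len" still sends a failed open(), a read() error and a short read into the same else branch, so the single "Error reading from /dev/urandom" message cannot tell them apart. Since r feeds the challenge that the token signs, consider handling the open failure separately and looping on read() until r_len bytes have been collected. The commit message also gives no reason for the cast beyond the subject line; a sentence on the compiler warning it silences would help.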
