Hello community, here is the log from the commit of package pam_p11 for openSUSE:Factory checked in at 2019-08-13 13:27:38 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pam_p11 (Old) and /work/SRC/openSUSE:Factory/.pam_p11.new.9556 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam_p11" Tue Aug 13 13:27:38 2019 rev:23 rq:722958 version:0.3.0 Changes: -------- --- /work/SRC/openSUSE:Factory/pam_p11/pam_p11.changes 2019-02-24 17:17:51.932424205 +0100 +++ /work/SRC/openSUSE:Factory/.pam_p11.new.9556/pam_p11.changes 2019-08-13 13:27:39.673317384 +0200 @@ -1,0 +2,18 @@ +Sat Aug 10 09:38:00 UTC 2019 - Antoine Belvire <[email protected]> + +- Update to version 0.3.0: + * Add Italian translation. + * Add support for matching the PIN-input with a regular + expression. + * Add support for macOS + * Add support for building with OpenSSL 1.1.1 + * Add support for nistp256/384/521 keys in authorized_keys file. +- Remove README.SUSE: Its content is present in README.md which + is now installed. +- Add pam_p11-0.3.0-lto-type-mismatch.patch: Fix build with LTO on + x86_64. +- Drop upstreamed patches: + * pam_p11-replace-deprecated-OpenSSL-API-functions.patch + * pam_p11-unsigned-comparison.patch + +------------------------------------------------------------------- Old: ---- README.SUSE pam_p11-0.2.0.tar.gz pam_p11-replace-deprecated-OpenSSL-API-functions.patch pam_p11-unsigned-comparison.patch New: ---- pam_p11-0.3.0-lto-type-mismatch.patch pam_p11-0.3.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam_p11.spec ++++++ --- /var/tmp/diff_new_pack.KmTu8M/_old 2019-08-13 13:27:40.269317227 +0200 +++ /var/tmp/diff_new_pack.KmTu8M/_new 2019-08-13 13:27:40.269317227 +0200 
@@ -17,19 +17,16 @@ Name: pam_p11 -Version: 0.2.0 +Version: 0.3.0 Release: 0 Summary: PAM Authentication Module for Using Cryptographic Tokens License: LGPL-2.1-or-later Group: Hardware/Other URL: https://github.com/OpenSC/pam_p11 -Source: https://github.com/OpenSC/pam_p11/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz -Source1: README.SUSE -Source2: baselibs.conf -#PATCH-FIX-UPSTREAM https://github.com/OpenSC/pam_p11/pull/12 -Patch0: pam_p11-replace-deprecated-OpenSSL-API-functions.patch -#PATCH-FIX-UPSTREAM unsigned comparison -Patch1: pam_p11-unsigned-comparison.patch +Source0: https://github.com/OpenSC/pam_p11/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz +Source1: baselibs.conf +# PATCH-FIX-UPSTREAM -- Fix build with LTO, picked from upstream +Patch0: pam_p11-0.3.0-lto-type-mismatch.patch BuildRequires: libp11-devel BuildRequires: openssl-devel BuildRequires: pam-devel @@ -49,7 +46,6 @@ %prep %setup -q %patch0 -p1 -%patch1 -p1 %build %configure\ @@ -67,7 +63,7 @@ %files -f %{name}.mo %license COPYING -%doc NEWS +%doc README.md NEWS /%{_lib}/security/*.so %changelog ++++++ pam_p11-0.3.0-lto-type-mismatch.patch ++++++ >From 26e329f1a5ec3c2651211a101191ec2d7d5176d3 Mon Sep 17 00:00:00 2001 From: Frank Morgner <[email protected]> Date: Mon, 12 Aug 2019 23:27:37 +0200 Subject: [PATCH] fixed type mismatch closes https://github.com/OpenSC/pam_p11/pull/17 --- src/base64.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/base64.c b/src/base64.c index 28d812d..420fe8f 100644 --- a/src/base64.c +++ b/src/base64.c @@ -18,7 +18,9 @@ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ -extern int sc_base64_decode(const char *in, unsigned char *out, unsigned int outlen); +#include <stddef.h> + +extern int sc_base64_decode(const char *in, unsigned char *out, size_t outlen); static const unsigned char bin_table[128] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 
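Review bot: The new `Patch0` comment drops the upstream reference that the removed `#PATCH-FIX-UPSTREAM https://github.com/OpenSC/pam_p11/pull/12` line carried, so the next updater has to open the patch file to learn which upstream change it mirrors and whether it can be dropped. The patch header included in this commit names both the commit and the pull request, so the comment can carry them: `# PATCH-FIX-UPSTREAM pam_p11-0.3.0-lto-type-mismatch.patch -- Fix build with LTO on x86_64 (upstream commit 26e329f1a5ec, https://github.com/OpenSC/pam_p11/pull/17)`. Separately, `Source0` is fetched from GitHub releases with no detached signature or keyring listed; if upstream publishes `.asc` signatures for these tarballs, adding the signature as a further `Source` entry together with a `%{name}.keyring` would let the build service check the tarball's origin rather than only its presence.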
@@ -71,7 +73,7 @@ static int from_base64(const char *in, unsigned int *out, int *skip) return c * 6 / 8; } -int sc_base64_decode(const char *in, unsigned char *out, unsigned int outlen) +int sc_base64_decode(const char *in, unsigned char *out, size_t outlen) { int len = 0, r, skip; unsigned int i; ++++++ pam_p11-0.2.0.tar.gz -> pam_p11-0.3.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_p11-0.2.0/Makefile.am new/pam_p11-0.3.0/Makefile.am --- old/pam_p11-0.2.0/Makefile.am 2018-04-14 10:18:28.000000000 +0200 +++ new/pam_p11-0.3.0/Makefile.am 2019-04-24 23:25:31.000000000 +0200 @@ -18,7 +18,7 @@ SUBDIRS = po src dist_noinst_SCRIPTS = bootstrap -dist_doc_DATA = NEWS +dist_doc_DATA = NEWS README.md # Allow detection of packaged tarball dist-hook: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_p11-0.2.0/Makefile.in new/pam_p11-0.3.0/Makefile.in --- old/pam_p11-0.2.0/Makefile.in 2018-05-16 18:55:49.000000000 +0200 +++ new/pam_p11-0.3.0/Makefile.in 2019-04-24 23:27:11.000000000 +0200 @@ -199,7 +199,7 @@ DIST_SUBDIRS = $(SUBDIRS) am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in \ ABOUT-NLS COPYING NEWS compile config.guess config.rpath \ - config.sub install-sh ltmain.sh missing + config.sub depcomp install-sh ltmain.sh missing DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) distdir = $(PACKAGE)-$(VERSION) top_distdir = $(distdir) @@ -402,7 +402,7 @@ EXTRA_DIST = ./config.rpath .gitignore SUBDIRS = po src dist_noinst_SCRIPTS = bootstrap -dist_doc_DATA = NEWS +dist_doc_DATA = NEWS README.md all: config.h $(MAKE) $(AM_MAKEFLAGS) all-recursive diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_p11-0.2.0/NEWS new/pam_p11-0.3.0/NEWS --- old/pam_p11-0.2.0/NEWS 2018-05-16 18:47:53.000000000 +0200 +++ new/pam_p11-0.3.0/NEWS 2019-04-24 23:21:32.000000000 +0200 
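Review bot: Widening `outlen` to `size_t` leaves the locals it is bounded against declared as `int len = 0, r, skip;` and `unsigned int i;`, so every comparison of `len` or `i` with `outlen` in the body is now a mixed signed/unsigned or narrower-than-`size_t` comparison; the body of `sc_base64_decode` continues outside the hunk, so those checks cannot be confirmed here and should be reread with `-Wsign-compare`, which the `pam_p11-unsigned-comparison.patch` this update drops suggests has bitten this file before. Where a counter only indexes `out`, declaring it `size_t` alongside `outlen` removes the conversion. The `extern` prototype in the previous hunk (new line 23 of `src/base64.c`) is what allowed the declaration and the definition to drift apart until LTO noticed; declaring `sc_base64_decode` once in a header included by both this file and its callers would let the compiler catch a mismatch in an ordinary build.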
@@ -1,6 +1,13 @@ NEWS for Pam_p11 -- History of user visible changes -New in 0.2.0; 2018-05-16 Frank Morgner +New in 0.3.0; 2019-04-24; Frank Morgner +* Add Italian translation +* Add support for matching the PIN-input with a regular expression +* Add support for macOS +* Add support for building with OpenSSL 1.1.1 +* Add support for nistp256/384/521 keys in authorized_keys file + +New in 0.2.0; 2018-05-16; Frank Morgner * Add user documentation in Readme.md * Add support for PIN pad readers * Add support for changing/unblocking PIN (use with passwd) @@ -12,7 +19,7 @@ * Fixed memory leaks, coverity issues, compiler warnings * Created `test-passwd` and `test-login` for testing standard use cases -New in 0.1.6; 2017-03-06 Alon Bar-Lev +New in 0.1.6; 2017-03-06; Alon Bar-Lev * Build system rewritten (NOTICE: configure options was modified). New in 0.1.5; 2008-08-27; Andreas Jellinghaus diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_p11-0.2.0/README.md new/pam_p11-0.3.0/README.md --- old/pam_p11-0.2.0/README.md 1970-01-01 01:00:00.000000000 +0100 +++ new/pam_p11-0.3.0/README.md 2019-04-24 23:18:33.000000000 +0200 
@@ -0,0 +1,102 @@ +# Welcome to pam_p11 + +Pam_p11 is a plugable authentication module (pam) package for using crpytographic tokens such as smart cards and usb crypto tokens for authentication. + +Pam_p11 uses [libp11](https://github.com/OpenSC/libp11/) to access any PKCS#11 module. It should be compatible with any implementation, but it is primarely developed using [OpenSC](https://github.com/OpenSC/OpenSC/). + +Pam_p11 implements two authentication methods: + +- verify a token using a known public key found in OpenSSH's `~/.ssh/authorized_keys`. +- verify a token using a known certificate found in `~/.eid/authorized_certificates`. + +Pam_p11 is very simple, it has no config file, does not know about certificate chains, certificate authorities, revocation lists or OCSP. Perfect for the small installation with no frills. + +Pam_p11 was written by an international team and is licensed as Open Source software under the LGPL license. + +[](https://travis-ci.org/OpenSC/pam_p11) [](https://scan.coverity.com/projects/opensc-pam_p11) + +## Installing pam_p11 + +Installation is quite easy: + +``` +wget https://github.com/OpenSC/pam_p11/releases/download/pam_p11-0.1.6/pam_p11-0.1.6.tar.gz +tar xfvz pam_p11-0.1.6.tar.gz +cd pam_p11-0.1.6 +./configure --prefix=/usr --libdir=/lib/ +make +make install +``` + +Pam_p11 depends on pkg-config, openssl, libp11 and pam. If you don't have pkg-config installed, please do so and try again. If pkg-config is not found, please change your PATH environment setting. If openssl is not installed, please do so. If openssl is not found, please change your PKG_CONFIG_PATH environment setting to include the directory with "openssl.pc" or "libp11.pc" file. Some linux distributions split openssl into a runtime package and a development package, you need to install both. Same might be true for pam and libp11. 
+ +## Using pam_p11 + +### Login + +To use pam_p11 with some application like `sudo`, edit `/etc/pam.d/sudo` and add something like the following at the beginning of the file: + +``` +auth sufficient /usr/local/lib/security/pam_p11.so /usr/local/lib/opensc-pkcs11.so +``` + +Replace `/usr/local/lib/opensc-pkcs11.so` with your PKCS#11 implementation. Using an absolute path to `pam_p11.so` avoids the need to write to a system directory, which is especially useful for macOS with system integrity protection (SIP) enabled. + +An optional second argument to `pam_p11.so` may be used to check for a specific format when prompting for the token's password. On macOS this defaults to the regular expression `^[[:digit:]]*$` to avoid confusion with the user's password in the login screen. pam_p11 uses [POSIX-Extended Regular Expressions](https://man.openbsd.org/re_format.7) for matching. + +While testing it is best to keep a door open. Editing the configuration files from a different machine via SSH helps reverting a bad PAM login configuration. Replace `sufficient` with `required` and remove other unwanted PAM modules from the file only when you've successfully verified the configuration. + +To enable pam_p11 for all logins (graphical and terminal based), change the following configuration files as described above: + +| Operating System | PAM configuration file | +| ---------------- | -------------------------- | +| macOS | `/etc/pam.d/authorization` | +| Debian | `/etc/pam.d/common-auth` | +| Arch Linux | `/etc/pam.d/system-auth` | + +### PIN change and unblock + +To allow changing and unblocking the PIN via pam_p11, add the following to your configuration: + +``` +password optional /usr/local/lib/security/pam_p11.so /usr/local/lib/opensc-pkcs11.so +``` + +An optional second argument to `pam_p11.so` may be used to check for a specific format when prompting for the token's password. 
On macOS this defaults to the regular expression `^[[:digit:]]*$` to avoid confusion with the user's password in the login screen. pam_p11 uses [POSIX-Extended Regular Expressions](https://man.openbsd.org/re_format.7) for matching. + +### User configuration via `~/.eid/authorized_certificates` + +A user may create a `~/.eid/` directory and create a file `~/.eid/authorized_certificates` with authorized certificates. You can do that via + +``` +mkdir -p ~/.eid +chmod 0755 ~/.eid +pkcs11-tool --read-object --type cert --id 45 --module /usr/lib/opensc-pkcs11.so --outfile cert.cer +openssl x509 -inform DER -in cert.cer -outform PEM >> ~/.eid/authorized_certificates +chmod 0644 ~/.eid/authorized_certificates +``` + +This example uses the `pkcs11-tool` command from opensc to read a certificate (id `45`) from the smart card. Use `pkcs11-tool --list-objects --type cert --module /usr/lib/opensc-pkcs11.so` to view all certificates available on the card. + +It is very important that only the user of the file can write to it. You can have any number of certificates in that file. The certificates need to be in PEM format. DER format is not supported. + +### User configuration via `~/.ssh/authorized_keys` + +A user may create a `~/.ssh/` directory and create a file `~/.ssh/authorized_keys` with authorized public keys. You can do that via + +``` +mkdir -p ~/.ssh +chmod 0755 ~/.ssh +ssh-keygen -D /usr/lib/opensc-pkcs11.so >> ~/.ssh/authorized_keys +chmod 0644 ~/.ssh/authorized_keys +``` + +This example uses the `ssh-keygen` command from openssh to read the default user public key (id 45) from the smart card in reader 0. Note that this tool prints the public keys in two formats: ssh v1 and ssh v2 format. It is recommended to edit the file and delete one of those two lines. Also you might want to add a comment / identifier at the end of the line. + +It is very important that only the user of the file can write to it. You can have any number of public keys in that file. 
+ +Note it is currently not possible to convert existing ssh keys into pem format and store them on a smart card. (To be precise: OpenSC has no such functionality, not sure about other implementations.) + +## Security Note + +pam_p11 simply compares public keys and request the cryptographic token to sign some random data and verifiy the signature with the public key. No CA chain checking is done, no CRL is looked at, and they don't know what OCSP is. This works fine for small installations, but if you want any of those features, please have a look at [Pam_pkcs11](https://github.com/OpenSC/pam_pkcs11) for a fully fledged PAM module for smart card authentication. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_p11-0.2.0/config.h.in new/pam_p11-0.3.0/config.h.in --- old/pam_p11-0.2.0/config.h.in 2018-05-16 18:55:48.000000000 +0200 +++ new/pam_p11-0.3.0/config.h.in 2019-04-24 23:23:32.000000000 +0200 @@ -25,6 +25,15 @@ /* Define to 1 if you don't have `vprintf' but do have `_doprnt.' */ #undef HAVE_DOPRNT +/* Define to 1 if you have the `EVP_MD_CTX_free' function. */ +#undef HAVE_EVP_MD_CTX_FREE + +/* Define to 1 if you have the `EVP_MD_CTX_new' function. */ +#undef HAVE_EVP_MD_CTX_NEW + +/* Define to 1 if you have the `EVP_MD_CTX_reset' function. */ +#undef HAVE_EVP_MD_CTX_RESET + /* Define to 1 if you have the <fcntl.h> header file. */ #undef HAVE_FCNTL_H @@ -37,6 +46,9 @@ /* Define to 1 if you have the <inttypes.h> header file. */ #undef HAVE_INTTYPES_H +/* Define to 1 if you have the `pam_misc' library (-lpam_misc). */ +#undef HAVE_LIBPAM_MISC + /* Define to 1 if your system has a GNU libc compatible `malloc' function, and to 0 otherwise. */ #undef HAVE_MALLOC 
@@ -47,6 +59,12 @@ /* Define to 1 if you have the `memset' function. */ #undef HAVE_MEMSET +/* Define to 1 if you have the `openpam_ttyconv' function. */ +#undef HAVE_OPENPAM_TTYCONV + +/* Define to 1 if you have the `pam_vprompt' function. */ +#undef HAVE_PAM_VPROMPT + /* Define to 1 if you have the `PKCS11_enumerate_public_keys' function. */ #undef HAVE_PKCS11_ENUMERATE_PUBLIC_KEYS @@ -60,6 +78,9 @@ /* Define to 1 if you have the <security/pam_ext.h> header file. */ #undef HAVE_SECURITY_PAM_EXT_H +/* Define to 1 if you have the <security/pam_misc.h> header file. */ +#undef HAVE_SECURITY_PAM_MISC_H + /* Define to 1 if `stat' has the bug that it succeeds when given the zero-length file name argument. */ #undef HAVE_STAT_EMPTY_STRING_BUG diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_p11-0.2.0/configure new/pam_p11-0.3.0/configure --- old/pam_p11-0.2.0/configure 2018-05-16 18:55:48.000000000 +0200 +++ new/pam_p11-0.3.0/configure 2019-04-24 23:23:07.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for pam_p11 0.2.0. +# Generated by GNU Autoconf 2.69 for pam_p11 0.3.0. # # Report bugs to <https://github.com/OpenSC/pam_p11/issues>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='pam_p11' PACKAGE_TARNAME='pam_p11' -PACKAGE_VERSION='0.2.0' -PACKAGE_STRING='pam_p11 0.2.0' +PACKAGE_VERSION='0.3.0' +PACKAGE_STRING='pam_p11 0.3.0' PACKAGE_BUGREPORT='https://github.com/OpenSC/pam_p11/issues' PACKAGE_URL='' @@ -637,6 +637,8 @@ am__EXEEXT_TRUE LTLIBOBJS pamdir +HAVE_PAM_MISC_FALSE +HAVE_PAM_MISC_TRUE LIBOBJS PAM_LIBS PAM_CFLAGS 
@@ -1368,7 +1370,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures pam_p11 0.2.0 to adapt to many kinds of systems. +\`configure' configures pam_p11 0.3.0 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1439,7 +1441,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of pam_p11 0.2.0:";; + short | recursive ) echo "Configuration of pam_p11 0.3.0:";; esac cat <<\_ACEOF @@ -1573,7 +1575,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -pam_p11 configure 0.2.0 +pam_p11 configure 0.3.0 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1996,7 +1998,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by pam_p11 $as_me 0.2.0, which was +It was created by pam_p11 $as_me 0.3.0, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2863,7 +2865,7 @@ # Define the identity of the package. PACKAGE='pam_p11' - VERSION='0.2.0' + VERSION='0.3.0' cat >>confdefs.h <<_ACEOF @@ -6980,7 +6982,7 @@ -ALL_LINGUAS="de" +ALL_LINGUAS="de it" ac_ext=c ac_cpp='$CPP $CPPFLAGS' @@ -15296,6 +15298,22 @@ fi +saved_LIBS="$LIBS" +LIBS="$OPENSSL_LIBS $LIBS" +for ac_func in EVP_MD_CTX_new EVP_MD_CTX_free EVP_MD_CTX_reset +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + +LIBS="$saved_LIBS" + if test -z "${PAM_LIBS}"; then 
@@ -15502,7 +15520,7 @@ fi for ac_header in \ - string.h syslog.h fcntl.h unistd.h security/pam_ext.h \ + string.h syslog.h fcntl.h unistd.h security/pam_ext.h security/pam_misc.h \ do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` @@ -15788,7 +15806,7 @@ done -for ac_func in memset strdup strerror PKCS11_enumerate_public_keys PKCS11_is_logged_in +for ac_func in memset strdup strerror PKCS11_enumerate_public_keys PKCS11_is_logged_in pam_vprompt openpam_ttyconv do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" 
@@ -15801,6 +15819,60 @@ done +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for misc_conv in -lpam_misc" >&5 +$as_echo_n "checking for misc_conv in -lpam_misc... " >&6; } +if ${ac_cv_lib_pam_misc_misc_conv+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lpam_misc $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char misc_conv (); +int +main () +{ +return misc_conv (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_pam_misc_misc_conv=yes +else + ac_cv_lib_pam_misc_misc_conv=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_misc_misc_conv" >&5 +$as_echo "$ac_cv_lib_pam_misc_misc_conv" >&6; } +if test "x$ac_cv_lib_pam_misc_misc_conv" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBPAM_MISC 1 +_ACEOF + + LIBS="-lpam_misc $LIBS" + +fi + + if test "$ac_cv_lib_pam_misc_misc_conv" = yes; then + HAVE_PAM_MISC_TRUE= + HAVE_PAM_MISC_FALSE='#' +else + HAVE_PAM_MISC_TRUE='#' + HAVE_PAM_MISC_FALSE= +fi + + CFLAGS="${saved_CFLAGS}" LIBS="$saved_LIBS" @@ -15949,6 +16021,10 @@ Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${HAVE_PAM_MISC_TRUE}" && test -z "${HAVE_PAM_MISC_FALSE}"; then + as_fn_error $? "conditional \"HAVE_PAM_MISC\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi : "${CONFIG_STATUS=./config.status}" ac_write_fail=0 
@@ -16346,7 +16422,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by pam_p11 $as_me 0.2.0, which was +This file was extended by pam_p11 $as_me 0.3.0, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -16412,7 +16488,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -pam_p11 config.status 0.2.0 +pam_p11 config.status 0.3.0 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_p11-0.2.0/configure.ac new/pam_p11-0.3.0/configure.ac --- old/pam_p11-0.2.0/configure.ac 2018-05-16 18:53:50.000000000 +0200 +++ new/pam_p11-0.3.0/configure.ac 2019-04-24 23:22:00.000000000 +0200 @@ -1,7 +1,7 @@ AC_PREREQ(2.60) define([PACKAGE_VERSION_MAJOR], [0]) -define([PACKAGE_VERSION_MINOR], [2]) +define([PACKAGE_VERSION_MINOR], [3]) define([PACKAGE_VERSION_FIX], [0]) define([PACKAGE_SUFFIX], []) define([PRODUCT_BUGREPORT], [https://github.com/OpenSC/pam_p11/issues]) @@ -50,7 +50,7 @@ AM_GNU_GETTEXT_VERSION(0.18.3) dnl Add the languages which your application supports here. -ALL_LINGUAS="de" +ALL_LINGUAS="de it" dnl Checks for programs. AC_PROG_CPP @@ -85,6 +85,11 @@ )] ) +saved_LIBS="$LIBS" +LIBS="$OPENSSL_LIBS $LIBS" +AC_CHECK_FUNCS(EVP_MD_CTX_new EVP_MD_CTX_free EVP_MD_CTX_reset) +LIBS="$saved_LIBS" + if test -z "${PAM_LIBS}"; then AC_ARG_VAR([PAM_CFLAGS], [C compiler flags for pam]) AC_ARG_VAR([PAM_LIBS], [linker flags for pam]) 
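Review bot: The new block at `configure.ac` line 88 reuses `saved_LIBS` as its scratch variable, but that is the same name the existing `LIBS="$saved_LIBS"` restore at the end of the library checks (next hunk, new line 124) reads, so this assignment overwrites the outer saved value; the outer `saved_LIBS=` assignment is outside the hunk, presumably next to `saved_CFLAGS=`. That is harmless only if `LIBS` has not changed between the outer save and this point, which cannot be confirmed from the hunk. A distinct name removes the dependency, e.g. `evp_saved_LIBS="$LIBS"` before the `AC_CHECK_FUNCS` call and `LIBS="$evp_saved_LIBS"` after it. The generated `configure` in this commit carries the same pattern and would pick the change up on regeneration.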
@@ -104,14 +109,17 @@ AC_HEADER_STDC AC_HEADER_SYS_WAIT AC_CHECK_HEADERS([ \ - string.h syslog.h fcntl.h unistd.h security/pam_ext.h \ + string.h syslog.h fcntl.h unistd.h security/pam_ext.h security/pam_misc.h \ ]) AC_TYPE_SIZE_T AC_FUNC_MALLOC AC_FUNC_REALLOC AC_FUNC_STAT AC_FUNC_VPRINTF -AC_CHECK_FUNCS([memset strdup strerror PKCS11_enumerate_public_keys PKCS11_is_logged_in]) +AC_CHECK_FUNCS([memset strdup strerror PKCS11_enumerate_public_keys PKCS11_is_logged_in pam_vprompt openpam_ttyconv]) + +AC_CHECK_LIB([pam_misc], [misc_conv]) +AM_CONDITIONAL([HAVE_PAM_MISC], [test "$ac_cv_lib_pam_misc_misc_conv" = yes]) CFLAGS="${saved_CFLAGS}" LIBS="$saved_LIBS" Binary files old/pam_p11-0.2.0/po/de.gmo and new/pam_p11-0.3.0/po/de.gmo differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_p11-0.2.0/po/de.po new/pam_p11-0.3.0/po/de.po --- old/pam_p11-0.2.0/po/de.po 2018-05-16 18:56:03.000000000 +0200 +++ new/pam_p11-0.3.0/po/de.po 2019-04-24 23:27:12.000000000 +0200 @@ -7,7 +7,7 @@ msgstr "" "Project-Id-Version: pam_p11 0.1.7_git\n" "Report-Msgid-Bugs-To: https://github.com/OpenSC/pam_p11/issues\n" -"POT-Creation-Date: 2018-05-16 18:56+0200\n" +"POT-Creation-Date: 2019-04-24 23:27+0200\n" "PO-Revision-Date: 2018-04-05 11:14+0200\n" "Last-Translator: Frank Morgner <[email protected]>\n" "Language-Team: German\n" 
@@ -17,94 +17,98 @@ "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" -#: src/pam_p11.c:177 +#: src/pam_p11.c:204 msgid "Error loading PKCS#11 module" msgstr "Fehler beim Laden des PKCS#11-Moduls" -#: src/pam_p11.c:185 src/pam_p11.c:236 +#: src/pam_p11.c:212 src/pam_p11.c:264 msgid "Error initializing PKCS#11 module" msgstr "Fehler beim Initialisieren des PKCS#11-Moduls" -#: src/pam_p11.c:290 +#: src/pam_p11.c:332 msgid " (last try)" msgstr " (letzter Versuch)" -#: src/pam_p11.c:297 +#: src/pam_p11.c:339 #, c-format msgid "Login on PIN pad with %s%s" msgstr "Login auf dem PIN-Pad mit %s%s" -#: src/pam_p11.c:303 +#: src/pam_p11.c:345 #, c-format msgid "Login with %s%s: " msgstr "Login mit %s%s: " -#: src/pam_p11.c:312 +#: src/pam_p11.c:369 +msgid "Invalid PIN" +msgstr "" + +#: src/pam_p11.c:377 msgid "PIN not verified; PIN locked" msgstr "PIN nicht verifiziert; PIN gesperrt" -#: src/pam_p11.c:314 +#: src/pam_p11.c:379 msgid "PIN not verified; one try remaining" msgstr "PIN nicht verifiziert; ein Versuch verbleibend" -#: src/pam_p11.c:316 +#: src/pam_p11.c:381 msgid "PIN not verified" msgstr "PIN nicht verifiziert" -#: src/pam_p11.c:358 +#: src/pam_p11.c:423 #, c-format msgid "Change PIN with PUK on PIN pad for %s" msgstr "Ändere PIN mit PUK auf dem PIN-Pad für %s" -#: src/pam_p11.c:362 +#: src/pam_p11.c:427 #, c-format msgid "Change PIN on PIN pad for %s" msgstr "Ändere PIN auf dem PIN-Pad für %s" -#: src/pam_p11.c:369 +#: src/pam_p11.c:434 #, c-format msgid "PUK for %s: " msgstr "PUK für %s: " -#: src/pam_p11.c:380 +#: src/pam_p11.c:445 msgid "Current PIN: " msgstr "Aktuelle PIN: " -#: src/pam_p11.c:398 +#: src/pam_p11.c:463 msgid "Enter new PIN: " msgstr "Neue PIN eingeben: " -#: src/pam_p11.c:401 +#: src/pam_p11.c:466 msgid "Retype new PIN: " msgstr "Neue PIN wiederholen: " -#: src/pam_p11.c:405 +#: src/pam_p11.c:470 msgid "PINs don't match" msgstr "PINs verschieden" -#: src/pam_p11.c:412 +#: src/pam_p11.c:477 #, fuzzy msgid "PIN 
not changed; PIN locked" msgstr "PIN nicht verifiziert; PIN gesperrt" -#: src/pam_p11.c:414 +#: src/pam_p11.c:479 #, fuzzy msgid "PIN not changed; one try remaining" msgstr "PIN nicht verifiziert; ein Versuch verbleibend" -#: src/pam_p11.c:416 +#: src/pam_p11.c:481 #, fuzzy msgid "PIN not changed" msgstr "PIN nicht verifiziert" -#: src/pam_p11.c:544 +#: src/pam_p11.c:609 msgid "No token found" msgstr "Kein Token gefunden" -#: src/pam_p11.c:546 +#: src/pam_p11.c:611 msgid "No authorized keys on token" msgstr "Keine autorisierten Schlüssel auf dem Token" -#: src/pam_p11.c:599 +#: src/pam_p11.c:664 msgid "Error verifying key" msgstr "Fehler beim Verifizieren des Schlüssels" Binary files old/pam_p11-0.2.0/po/it.gmo and new/pam_p11-0.3.0/po/it.gmo differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_p11-0.2.0/po/it.po new/pam_p11-0.3.0/po/it.po --- old/pam_p11-0.2.0/po/it.po 1970-01-01 01:00:00.000000000 +0100 +++ new/pam_p11-0.3.0/po/it.po 2019-04-24 23:27:12.000000000 +0200 
@@ -0,0 +1,110 @@
+# Italian translation for pam-p11
+# Copyright (c) 2019 OpenSC Project
+# This file is distributed under the same license as the pam-p11 package.
+# Milo Casagrande <[email protected]>, 2019.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: pam-p11\n"
+"Report-Msgid-Bugs-To: https://github.com/OpenSC/pam_p11/issues\n"
+"POT-Creation-Date: 2019-04-24 23:27+0200\n"
+"PO-Revision-Date: 2019-02-28 14:03+0000\n"
+"Last-Translator: Milo Casagrande <[email protected]>\n"
+"Language-Team: Italian <[email protected]>\n"
+"Language: it\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: src/pam_p11.c:204
+msgid "Error loading PKCS#11 module"
+msgstr "Errore nel caricare il modulo PKCS#11"
+
+#: src/pam_p11.c:212 src/pam_p11.c:264
+msgid "Error initializing PKCS#11 module"
+msgstr "Errore nell'inizializzare il modulo PKCS#11"
+
+#: src/pam_p11.c:332
+msgid " (last try)"
+msgstr " (ultimo tentativo)"
+
+#: src/pam_p11.c:339
+#, c-format
+msgid "Login on PIN pad with %s%s"
+msgstr "Accesso su dispositivo inserimento PIN con %s%s"
+
+#: src/pam_p11.c:345
+#, c-format
+msgid "Login with %s%s: "
+msgstr "Accesso con %s%s: "
+
+#: src/pam_p11.c:369
+msgid "Invalid PIN"
+msgstr ""
+
+#: src/pam_p11.c:377
+msgid "PIN not verified; PIN locked"
+msgstr "PIN non verificato; PIN bloccato"
+
+#: src/pam_p11.c:379
+msgid "PIN not verified; one try remaining"
+msgstr "PIN non verificato; un tentativo rimasto"
+
+#: src/pam_p11.c:381
+msgid "PIN not verified"
+msgstr "PIN non verificato"
+
+#: src/pam_p11.c:423
+#, c-format
+msgid "Change PIN with PUK on PIN pad for %s"
+msgstr "Modifica del PIN con PUK su dispositivo inserimento PIN per %s"
+
+#: src/pam_p11.c:427
+#, c-format
+msgid "Change PIN on PIN pad for %s"
+msgstr "Modifica del PIN su dispositivo inserimento PIN per %s"
+
+#: src/pam_p11.c:434
+#, c-format
+msgid "PUK for %s: "
+msgstr "PUK per %s: "
+
+#: src/pam_p11.c:445
+msgid "Current PIN: "
+msgstr "PIN attuale: "
+
+#: src/pam_p11.c:463
+msgid "Enter new PIN: "
+msgstr "Inserire nuovo PIN: "
+
+#: src/pam_p11.c:466
+msgid "Retype new PIN: "
+msgstr "Ripetere nuovo PIN: "
+
+#: src/pam_p11.c:470
+msgid "PINs don't match"
+msgstr "I PIN non sono uguali"
+
+#: src/pam_p11.c:477
+msgid "PIN not changed; PIN locked"
+msgstr "PIN non modificato; PIN bloccato"
+
+#: src/pam_p11.c:479
+msgid "PIN not changed; one try remaining"
+msgstr "PIN non modificato; un tentativo rimasto"
+
+#: src/pam_p11.c:481
+msgid "PIN not changed"
+msgstr "PIN non modificato"
+
+#: src/pam_p11.c:609
+msgid "No token found"
+msgstr "Nessun token trovato"
+
+#: src/pam_p11.c:611
+msgid "No authorized keys on token"
+msgstr "Nessuna chiave autorizzata sul token"
+
+#: src/pam_p11.c:664
+msgid "Error verifying key"
+msgstr "Errore nel verificare la chiave"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_p11-0.2.0/po/pam_p11.pot new/pam_p11-0.3.0/po/pam_p11.pot
--- old/pam_p11-0.2.0/po/pam_p11.pot 2018-05-16 18:56:03.000000000 +0200
+++ new/pam_p11-0.3.0/po/pam_p11.pot 2019-04-24 23:27:12.000000000 +0200
@@ -6,9 +6,9 @@
#, fuzzy
msgid ""
msgstr ""
-"Project-Id-Version: pam_p11 0.2.0\n"
+"Project-Id-Version: pam_p11 0.3.0\n"
"Report-Msgid-Bugs-To: https://github.com/OpenSC/pam_p11/issues\n"
-"POT-Creation-Date: 2018-05-16 18:56+0200\n"
+"POT-Creation-Date: 2019-04-24 23:27+0200\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <[email protected]>\n"
@@ -17,91 +17,95 @@
"Content-Type: text/plain; charset=CHARSET\n"
"Content-Transfer-Encoding: 8bit\n"
-#: src/pam_p11.c:177
+#: src/pam_p11.c:204
msgid "Error loading PKCS#11 module"
msgstr ""
-#: src/pam_p11.c:185 src/pam_p11.c:236
+#: src/pam_p11.c:212 src/pam_p11.c:264
msgid "Error initializing PKCS#11 module"
msgstr ""
-#: src/pam_p11.c:290
+#: src/pam_p11.c:332
msgid " (last try)"
msgstr ""
-#: src/pam_p11.c:297
+#: src/pam_p11.c:339
#, c-format
msgid "Login on PIN pad with %s%s"
msgstr ""
-#: src/pam_p11.c:303
+#: src/pam_p11.c:345
#, c-format
msgid "Login with %s%s: "
msgstr ""
-#: src/pam_p11.c:312
+#: src/pam_p11.c:369
+msgid "Invalid PIN"
+msgstr ""
+
+#: src/pam_p11.c:377
msgid "PIN not verified; PIN locked"
msgstr ""
-#: src/pam_p11.c:314
+#: src/pam_p11.c:379
msgid "PIN not verified; one try remaining"
msgstr ""
-#: src/pam_p11.c:316
+#: src/pam_p11.c:381
msgid "PIN not verified"
msgstr ""
-#: src/pam_p11.c:358
+#: src/pam_p11.c:423
#, c-format
msgid "Change PIN with PUK on PIN pad for %s"
msgstr ""
-#: src/pam_p11.c:362
+#: src/pam_p11.c:427
#, c-format
msgid "Change PIN on PIN pad for %s"
msgstr ""
-#: src/pam_p11.c:369
+#: src/pam_p11.c:434
#, c-format
msgid "PUK for %s: "
msgstr ""
-#: src/pam_p11.c:380
+#: src/pam_p11.c:445
msgid "Current PIN: "
msgstr ""
-#: src/pam_p11.c:398
+#: src/pam_p11.c:463
msgid "Enter new PIN: "
msgstr ""
-#: src/pam_p11.c:401
+#: src/pam_p11.c:466
msgid "Retype new PIN: "
msgstr ""
-#: src/pam_p11.c:405
+#: src/pam_p11.c:470
msgid "PINs don't match"
msgstr ""
-#: src/pam_p11.c:412
+#: src/pam_p11.c:477
msgid "PIN not changed; PIN locked"
msgstr ""
-#: src/pam_p11.c:414
+#: src/pam_p11.c:479
msgid "PIN not changed; one try remaining"
msgstr ""
-#: src/pam_p11.c:416
+#: src/pam_p11.c:481
msgid "PIN not changed"
msgstr ""
-#: src/pam_p11.c:544
+#: src/pam_p11.c:609
msgid "No token found"
msgstr ""
-#: src/pam_p11.c:546
+#: src/pam_p11.c:611
msgid "No authorized keys on token"
msgstr ""
-#: src/pam_p11.c:599
+#: src/pam_p11.c:664
msgid "Error verifying key"
msgstr ""
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_p11-0.2.0/src/Makefile.am new/pam_p11-0.3.0/src/Makefile.am
--- old/pam_p11-0.2.0/src/Makefile.am 2018-04-14 10:18:28.000000000 +0200
+++ new/pam_p11-0.3.0/src/Makefile.am 2019-04-17 01:28:53.000000000 +0200
@@ -13,13 +13,16 @@
noinst_PROGRAMS = test-login test-passwd
-test_login_SOURCES = test.c login.c $(pam_p11_la_SOURCES)
-test_login_LDADD = -lpam_misc
-test_login_CFLAGS = $(AM_CFLAGS) -DLIBDIR=\"$(libdir)\" -DTEST
+test_login_SOURCES = test.c login.c $(pam_p11_la_SOURCES)
+test_login_CFLAGS = $(AM_CFLAGS) -DLIBDIR=\"$(libdir)\" -DTEST
test_passwd_SOURCES = test.c passwd.c $(pam_p11_la_SOURCES)
-test_passwd_LDADD = -lpam_misc
test_passwd_CFLAGS = $(AM_CFLAGS) -DLIBDIR=\"$(libdir)\" -DTEST
+if HAVE_PAM_MISC
+test_login_LDADD = -lpam_misc
+test_passwd_LDADD = -lpam_misc
+endif
+
format:
indent -kr -i8 -ts8 -sob -l80 -ss -ncs *.c *.h
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_p11-0.2.0/src/Makefile.in new/pam_p11-0.3.0/src/Makefile.in
--- old/pam_p11-0.2.0/src/Makefile.in 2018-05-16 18:55:49.000000000 +0200
+++ new/pam_p11-0.3.0/src/Makefile.in 2019-04-24 23:23:32.000000000 +0200
@@ -384,11 +384,11 @@ pam_p11.exports test_login_SOURCES = test.c login.c $(pam_p11_la_SOURCES) -test_login_LDADD = -lpam_misc test_login_CFLAGS = $(AM_CFLAGS) -DLIBDIR=\"$(libdir)\" -DTEST test_passwd_SOURCES = test.c passwd.c $(pam_p11_la_SOURCES) -test_passwd_LDADD = -lpam_misc test_passwd_CFLAGS = $(AM_CFLAGS) -DLIBDIR=\"$(libdir)\" -DTEST +@HAVE_PAM_MISC_TRUE@test_login_LDADD = -lpam_misc +@HAVE_PAM_MISC_TRUE@test_passwd_LDADD = -lpam_misc all: all-am .SUFFIXES: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_p11-0.2.0/src/match_openssh.c new/pam_p11-0.3.0/src/match_openssh.c --- old/pam_p11-0.2.0/src/match_openssh.c 2018-04-14 10:18:28.000000000 +0200 +++ new/pam_p11-0.3.0/src/match_openssh.c 2019-04-17 01:28:53.000000000 +0200 @@ -200,28 +200,37 @@ i += len; - key = EVP_PKEY_new(); - rsa = RSA_new(); - + /* to prevent access beyond 'decoded' array, index 'i' must be always checked */ + if ( i + 4 > OPENSSH_LINE_MAX ) + return NULL; /* get integer from blob */ len = (decoded[i] << 24) + (decoded[i + 1] << 16) + (decoded[i + 2] << 8) + (decoded[i + 3]); i += 4; + if ( i + len > OPENSSH_LINE_MAX ) + return NULL; /* get bignum */ rsa_e = BN_bin2bn(decoded + i, len, NULL); i += len; + if ( i + 4 > OPENSSH_LINE_MAX ) + return NULL; /* get integer from blob */ len = (decoded[i] << 24) + (decoded[i + 1] << 16) + (decoded[i + 2] << 8) + (decoded[i + 3]); i += 4; + if ( i + len > OPENSSH_LINE_MAX ) + return NULL; /* get bignum */ rsa_n = BN_bin2bn(decoded + i, len, NULL); + key = EVP_PKEY_new(); + rsa = RSA_new(); + /* set e and n */ if (!RSA_set0_key(rsa, rsa_n, rsa_e, NULL)) { EVP_PKEY_free(key); 
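Review bot: The new bounds checks in ssh2_line_to_key still let a negative `len` through: `len` is an `int` assembled from `decoded[i] << 24`, so a first length byte of 0x80 or above is undefined behaviour in C and in practice yields a negative value, `i + len > OPENSSH_LINE_MAX` is then false, and `BN_bin2bn(decoded + i, len, NULL)` and the following `i += len` run with a negative length and move the index backwards out of `decoded`. Both guards should reject that case, `if (len < 0 || i + len > OPENSSH_LINE_MAX) return NULL;`, and the `i + 4` reads need the same protection if `i` can already be negative from the `i += len` at the top of the hunk. The checks also bound against the buffer size rather than the number of bytes sc_base64_decode actually produced, so a short blob is parsed out of whatever the rest of the stack buffer holds; if that function's return value is the decoded length, keeping it and bounding against it would be tighter. ssh2_line_to_key starts before this hunk.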
@@ -233,6 +242,119 @@ return key; } +static EVP_PKEY *ssh_nistp_line_to_key(char *line) +{ + EVP_PKEY *key; + EC_KEY *ec_key; + BIGNUM *x; + BIGNUM *y; + + unsigned char decoded[OPENSSH_LINE_MAX]; + int len; + int flen; + + char *b, *c; + int i; + int nid; + + /* check allowed key size */ + if (strncmp(line + 16, "256", 3) == 0) + flen = 32, nid = NID_X9_62_prime256v1; + else if (strncmp(line + 16, "384", 3) == 0) + flen = 48, nid = NID_secp384r1; + else if (strncmp(line + 16, "521", 3) == 0) + flen = 66, nid = NID_secp521r1; + else + return NULL; + + /* find the mime-blob */ + b = line; + + if (!b) + return NULL; + + /* find the first whitespace */ + while (*b && *b != ' ') + b++; + + /* skip that whitespace */ + b++; + + /* find the end of the blob / comment */ + for (c = b; *c && *c != ' ' && 'c' != '\t' && *c != '\r' + && *c != '\n'; c++) ; + + *c = 0; + + /* decode binary data */ + if (sc_base64_decode(b, decoded, OPENSSH_LINE_MAX) < 0) + return NULL; + + i = 0; + /* get integer from blob */ + len = + (decoded[i] << 24) + (decoded[i + 1] << 16) + + (decoded[i + 2] << 8) + (decoded[i + 3]); + i += 4; + + /* always check 'len' to get safe 'i' as index into 'decoded' array */ + if (len != 19) + return NULL; + /* check key type (must be same in decoded data and at line start) */ + if (strncmp((char *)&decoded[i], line, 19) != 0) + return NULL; + i += len; + + /* get integer from blob */ + len = + (decoded[i] << 24) + (decoded[i + 1] << 16) + + (decoded[i + 2] << 8) + (decoded[i + 3]); + i += 4; + + /* check curve name - must match key type */ + if(len != 8) + return NULL; + if (strncmp((char *)&decoded[i], line + 11, 8) != 0) + return NULL; + i += len; + + /* get integer from blob */ + len = + (decoded[i] << 24) + (decoded[i + 1] << 16) + + (decoded[i + 2] << 8) + (decoded[i + 3]); + i += 4; + + /* read public key (uncompressed point) */ + /* test if data length is corresponding to key size */ + if (len != 1 + flen * 2) + return NULL; + + /* check uncompressed 
indicator */ + if (decoded[i] != 4 ) + return NULL; + i++; + + /* create key */ + ec_key = EC_KEY_new_by_curve_name(nid); + + /* read point coordinates */ + x = BN_bin2bn(decoded + i, flen, NULL); + i += flen; + y = BN_bin2bn(decoded + i, flen, NULL); + + /* do error checking here: valid x, y, ec_key, point on curve.. */ + if (!EC_KEY_set_public_key_affine_coordinates(ec_key, x, y)) { + EC_KEY_free(ec_key); + BN_free(x); + BN_free(y); + return NULL; + } + + key = EVP_PKEY_new(); + EVP_PKEY_assign_EC_KEY(key, ec_key); + return key; +} + extern int match_user_openssh(EVP_PKEY *authkey, const char *login) { char filename[PATH_MAX]; @@ -271,6 +393,9 @@ } else if (strncmp("ssh-rsa", cp, 7) == 0) { /* ssh v2 rsa key format */ key = ssh2_line_to_key(cp); + } else if (strncmp("ecdsa-sha2-nistp", cp, 16) == 0) { + /* ssh nistp256/384/521 key */ + key = ssh_nistp_line_to_key(cp); } if (key == NULL) continue; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_p11-0.2.0/src/pam_p11.c new/pam_p11-0.3.0/src/pam_p11.c --- old/pam_p11-0.2.0/src/pam_p11.c 2018-05-04 16:52:04.000000000 +0200 +++ new/pam_p11-0.3.0/src/pam_p11.c 2019-04-17 01:28:53.000000000 +0200 @@ -30,6 +30,18 @@ #include <unistd.h> #include <openssl/crypto.h> #include <libp11.h> +#include <regex.h> + +/* openssl deprecated API emulation */ +#ifndef HAVE_EVP_MD_CTX_NEW +#define EVP_MD_CTX_new() EVP_MD_CTX_create() +#endif +#ifndef HAVE_EVP_MD_CTX_FREE +#define EVP_MD_CTX_free(ctx) EVP_MD_CTX_destroy((ctx)) +#endif +#ifndef HAVE_EVP_MD_CTX_RESET +#define EVP_MD_CTX_reset(ctx) EVP_MD_CTX_cleanup((ctx)) +#endif #ifdef ENABLE_NLS #include <libintl.h> @@ -53,6 +65,9 @@ #include <security/pam_ext.h> #else #define pam_syslog(handle, level, msg...) syslog(level, ## msg) +#endif + +#ifndef HAVE_PAM_VPROMPT static int pam_vprompt(pam_handle_t *pamh, int style, char **response, const char *fmt, va_list args) { 
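Review bot: In ssh_nistp_line_to_key the blob terminator loop compares the character literal `'c'` instead of `*c` (`&& 'c' != '\t' &&`), so a tab never ends the blob and is passed to sc_base64_decode together with whatever follows it; it should read `*c != '\t'`. The function also leaks `x` and `y` on the success path, since EC_KEY_set_public_key_affine_coordinates copies the coordinates into the key rather than taking ownership, and neither `EC_KEY_new_by_curve_name`, `BN_bin2bn` nor `EVP_PKEY_new` is checked for NULL before its result is used. A rewritten tail that frees the bignums on every path and fails closed on allocation errors is sketched below. Unlike the RSA parser in the previous hunk, this one discards the length returned by sc_base64_decode, so its fixed-offset reads (up to decoded[171] for nistp521) can consume bytes the decoder never wrote; bounding against that length would close that as well.
```c
	/* find the end of the blob / comment */
	for (c = b; *c && *c != ' ' && *c != '\t' && *c != '\r'
			&& *c != '\n'; c++) ;
	/* … unchanged: base64 decode, key type / curve name / point length checks … */

	/* create key */
	ec_key = EC_KEY_new_by_curve_name(nid);

	/* read point coordinates */
	x = BN_bin2bn(decoded + i, flen, NULL);
	i += flen;
	y = BN_bin2bn(decoded + i, flen, NULL);

	/* EC_KEY_set_public_key_affine_coordinates copies x and y into the
	 * key, so they are freed here on every path; a NULL ec_key, x or y
	 * means an allocation failed and is treated like an invalid point */
	if (!ec_key || !x || !y
			|| !EC_KEY_set_public_key_affine_coordinates(ec_key, x, y)) {
		EC_KEY_free(ec_key);
		BN_free(x);
		BN_free(y);
		return NULL;
	}
	BN_free(x);
	BN_free(y);

	key = EVP_PKEY_new();
	if (!key || !EVP_PKEY_assign_EC_KEY(key, ec_key)) {
		/* on failure key does not own ec_key yet */
		EVP_PKEY_free(key);
		EC_KEY_free(ec_key);
		return NULL;
	}
	return key;
```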
@@ -107,12 +122,24 @@ { int r; - if (PAM_SILENT == (flags & PAM_SILENT)) { + if (PAM_SILENT == (flags & PAM_SILENT) + && style != PAM_TEXT_INFO + && style != PAM_PROMPT_ECHO_OFF) { + /* PAM_SILENT does not override the prompting of the user for passwords + * etc., it only stops informative messages from being generated. We + * use PAM_TEXT_INFO and PAM_PROMPT_ECHO_OFF exclusively for the + * password prompt. */ r = PAM_SUCCESS; } else { va_list args; va_start (args, fmt); - r = pam_vprompt(pamh, style, response, fmt, args); + if (!response) { + char *p = NULL; + r = pam_vprompt(pamh, style, &p, fmt, args); + free(p); + } else { + r = pam_vprompt(pamh, style, response, fmt, args); + } va_end(args); } @@ -170,7 +197,7 @@ /* Load and initialize PKCS#11 module */ data->ctx = PKCS11_CTX_new(); - if (1 != argc || NULL == data->ctx + if (0 == argc || NULL == data->ctx || 0 != PKCS11_CTX_load(data->ctx, argv[0])) { pam_syslog(pamh, LOG_ALERT, "Loading PKCS#11 engine failed: %s\n", ERR_reason_error_string(ERR_get_error())); @@ -212,7 +239,8 @@ static int module_refresh(pam_handle_t *pamh, int flags, int argc, const char **argv, const char **user, PKCS11_CTX **ctx, - PKCS11_SLOT **slots, unsigned int *nslots) + PKCS11_SLOT **slots, unsigned int *nslots, + const char **pin_regex) { int r; struct module_data *module_data; @@ -239,6 +267,20 @@ } } + if (1 < argc) { + *pin_regex = argv[1]; + } else { +#ifdef __APPLE__ + /* If multiple PAMs are allowed for macOS' login, then the captured + * password is used for all possible modules. To not block the token's + * PIN if the user enters his standard password, we're refusing to use + * anything that doesn't look like a PIN. */ + *pin_regex = "^[[:digit:]]*$"; +#else + *pin_regex = NULL; +#endif + } + r = pam_get_user(pamh, user, NULL); if (PAM_SUCCESS != r) { pam_syslog(pamh, LOG_ERR, "pam_get_user() failed %s", 
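Review bot: The macOS default `"^[[:digit:]]*$"` also matches the empty string, which does not look like a PIN; if an empty captured password can reach PKCS11_login (key_login's prompting is outside this hunk), it still consumes a retry on the token, which is exactly what the comment says the filter is meant to prevent. `"^[[:digit:]]+$"` expresses the stated intent. Since `argv[1]` is positional and only consulted when more than one module argument is given, a comment next to the assignment such as `/* pam.d line: pam_p11.so <pkcs11 module> [pin-regex]; the regex is compiled with REG_EXTENDED */` would help whoever edits the PAM configuration.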
@@ -258,7 +300,7 @@ extern int match_user_opensc(EVP_PKEY *authkey, const char *login); extern int match_user_openssh(EVP_PKEY *authkey, const char *login); -static int key_login(pam_handle_t *pamh, int flags, PKCS11_SLOT *slot) +static int key_login(pam_handle_t *pamh, int flags, PKCS11_SLOT *slot, const char *pin_regex) { char *password = NULL; int ok; @@ -307,6 +349,29 @@ } } + if (NULL != password && NULL != pin_regex && 0 < strlen(pin_regex)) { + regex_t regex; + int regex_compiled = 0; + int result = 0; + result = regcomp(®ex, pin_regex, REG_EXTENDED); + if (0 == result) { + regex_compiled = 1; + result = regexec(®ex, password, 0, NULL, 0); + } + if (result) { + char regex_error[256]; + regerror(result, ®ex, regex_error, sizeof regex_error); + pam_syslog(pamh, LOG_CRIT, "PIN regex didn't match: %s", + regex_error); + if (1 == regex_compiled) { + regfree(®ex); + } + prompt(flags, pamh, PAM_ERROR_MSG, NULL, _("Invalid PIN")); + goto err; + } + regfree(®ex); + } + if (0 != PKCS11_login(slot, 0, password)) { if (slot->token->userPinLocked) { prompt(flags, pamh, PAM_ERROR_MSG, NULL, _("PIN not verified; PIN locked")); @@ -331,7 +396,7 @@ return ok; } -static int key_change_login(pam_handle_t *pamh, int flags, PKCS11_SLOT *slot) +static int key_change_login(pam_handle_t *pamh, int flags, PKCS11_SLOT *slot, const char *pin_regex) { char *old = NULL, *new = NULL, *retyped = NULL; int ok; @@ -347,7 +412,7 @@ * a R/W user session to change the PIN via PIN */ if (0 != PKCS11_open_session(slot, 1) || (0 == slot->token->userPinLocked - && 1 != key_login(pamh, flags, slot))) { + && 1 != key_login(pamh, flags, slot, pin_regex))) { goto err; } @@ -553,7 +618,7 @@ { int ok = 0; int fd = open("/dev/urandom", O_RDONLY); - if (0 <= fd && read(fd, r, r_len) == r_len) { + if (0 <= fd && read(fd, r, r_len) == (ssize_t)r_len) { ok = 1; } else { pam_syslog(pamh, LOG_CRIT, "Error reading from /dev/urandom: %s", 
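Review bot: regexec() succeeds on any substring match, so an unanchored pattern supplied as the module's second argument (for example `[0-9]{4,8}`) accepts `pass1234word`; the macOS default is anchored, but nothing here requires the administrator's pattern to be, and a comment such as `/* pin_regex must be anchored (^...$) to reject non-PIN input outright */` above the regcomp() call would make that visible. A PIN that merely fails the pattern is logged at LOG_CRIT together with the regerror() text; that is an expected per-login event rather than a fault, so LOG_NOTICE or LOG_WARNING fits better, keeping LOG_CRIT for the regcomp() failure, which is a configuration error that currently rejects every login. key_login starts and ends outside this hunk.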
@@ -572,7 +637,7 @@ unsigned char signature[256]; unsigned int siglen = sizeof signature; const EVP_MD *md = EVP_sha1(); - EVP_MD_CTX *md_ctx = EVP_MD_CTX_create(); + EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); EVP_PKEY *privkey = PKCS11_get_private_key(authkey); EVP_PKEY *pubkey = PKCS11_get_public_key(authkey); @@ -590,7 +655,7 @@ || !EVP_SignInit(md_ctx, md) || !EVP_SignUpdate(md_ctx, challenge, sizeof challenge) || !EVP_SignFinal(md_ctx, signature, &siglen, privkey) - || !EVP_MD_CTX_cleanup(md_ctx) + || !EVP_MD_CTX_reset(md_ctx) || !EVP_VerifyInit(md_ctx, md) || !EVP_VerifyUpdate(md_ctx, challenge, sizeof challenge) || 1 != EVP_VerifyFinal(md_ctx, signature, siglen, pubkey)) { @@ -607,7 +672,7 @@ if (NULL != privkey) EVP_PKEY_free(privkey); if (NULL != md_ctx) { - EVP_MD_CTX_destroy(md_ctx); + EVP_MD_CTX_free(md_ctx); } return ok; } @@ -621,9 +686,10 @@ PKCS11_KEY *authkey; PKCS11_SLOT *slots, *authslot; const char *user; + const char *pin_regex; r = module_refresh(pamh, flags, argc, argv, - &user, &ctx, &slots, &nslots); + &user, &ctx, &slots, &nslots, &pin_regex); if (PAM_SUCCESS != r) { goto err; } @@ -633,7 +699,7 @@ r = PAM_AUTHINFO_UNAVAIL; goto err; } - if (1 != key_login(pamh, flags, authslot) + if (1 != key_login(pamh, flags, authslot, pin_regex) || 1 != key_verify(pamh, flags, authkey)) { if (authslot->token->userPinLocked) { r = PAM_MAXTRIES; @@ -692,10 +758,10 @@ unsigned int nslots; PKCS11_KEY *authkey; PKCS11_SLOT *slots, *authslot; - const char *user; + const char *user, *pin_regex; r = module_refresh(pamh, flags, argc, argv, - &user, &ctx, &slots, &nslots); + &user, &ctx, &slots, &nslots, &pin_regex); if (PAM_SUCCESS != r) { goto err; } 
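Review bot: `EVP_SignFinal(md_ctx, signature, &siglen, privkey)` writes up to EVP_PKEY_size(privkey) bytes and does not read `siglen` as a buffer size, so with `unsigned char signature[256]` (declared in the previous hunk; both lines are context the commit leaves untouched) a token key whose signature exceeds 256 bytes, such as an RSA key above 2048 bits, overflows the stack buffer in key_verify. The key comes from the inserted token and, from the caller visible further down, has presumably already been matched against the user's authorized keys, so this is reachable by an authorized user with a large-key token and crashes the calling login or sudo process. Adding `|| EVP_PKEY_size(privkey) > (int) sizeof signature` to the failure chain ahead of `!EVP_SignInit(md_ctx, md)`, or sizing the buffer from EVP_PKEY_size(privkey), closes it. key_verify starts and ends outside this hunk.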
@@ -719,7 +785,7 @@ } if (flags & PAM_UPDATE_AUTHTOK) { - if (1 != key_change_login(pamh, flags, authslot)) { + if (1 != key_change_login(pamh, flags, authslot, pin_regex)) { if (authslot->token->userPinLocked) { r = PAM_MAXTRIES; } else { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_p11-0.2.0/src/test.c new/pam_p11-0.3.0/src/test.c --- old/pam_p11-0.2.0/src/test.c 2018-05-04 16:52:04.000000000 +0200 +++ new/pam_p11-0.3.0/src/test.c 2019-04-17 01:28:53.000000000 +0200 @@ -22,10 +22,14 @@ #include <stdio.h> #include <stdlib.h> +#include <string.h> +#include <unistd.h> #include <security/pam_appl.h> -#include <security/pam_misc.h> #include <security/pam_modules.h> +#ifdef HAVE_SECURITY_PAM_MISC_H +#include <security/pam_misc.h> +#endif #ifndef LIBDIR #define LIBDIR "/usr/lib" @@ -42,7 +46,11 @@ }; pam_handle_t *pamh = NULL; struct pam_conv conv = { +#ifdef HAVE_OPENPAM_TTYCONV + openpam_ttyconv, +#else misc_conv, +#endif NULL, }; int r; @@ -55,10 +63,10 @@ switch (argc) { case 3: - strncpy(user, argv[2], sizeof user); + strncpy(user, argv[2], (sizeof user) - 1); /* fall through */ case 2: - strncpy(module, argv[1], sizeof module); + strncpy(module, argv[1], (sizeof module) - 1); /* fall through */ case 1: break; @@ -73,7 +81,7 @@ user[(sizeof user) - 1] = '\0'; printf("Using '%s' for '%s'\n", module, user); - r = pam_start("", user, &conv, &pamh); + r = pam_start("test", user, &conv, &pamh); if (PAM_SUCCESS != r) goto pam_err;
