Upstream ChangeLog:
2010-11-20 ludovic.rousseau
* [r475] configure.in: release 0.6.6
2010-11-18 ludovic.rousseau
* [r474] src/tools/Makefile.am, src/tools/card_eventmgr.c,
src/tools/pkcs11_eventmgr.c: Use daemon implementation from
daemon.c when needed (for example on Solaris 10)
See
http://www.opensc-project.org/pipermail/opensc-user/2010-November/004331.html
* [r473] src/tools/daemon.c: Use config.h instead of includes.h
Define _PATH_DEVNULL if needed. It was defined in includes.h in
OpenSSH
* [r472] src/tools/daemon.c: new file from OpenSSH version 5.6p1
openssh-5.6p1/openbsd-compat/daemon.c
The licence is BSD 3-clause so compatible with the LGPL v2+ used
by pam_pkcs11
2010-10-25 ludovic.rousseau
* [r471] configure.in: Fix the change in revision 470
Thanks (again) to Arfrever Frehtes Taifersar Arahesis
http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015175.html
* [r470] configure.in: Default is to use pcsc-lite. The argument is
--without-pcsclite to disable pcsc-lite use/support
Thanks to Arfrever Frehtes Taifersar Arahesis for the bug report
http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015172.html
2010-10-23 ludovic.rousseau
* [r469] doc/pam_pkcs11.xml: rename make_hash_link.sh in
pkcs11_make_hash_link
* [r468] configure.in: Display ${libdir} value
* [r467] tools/Makefile.am, tools/make_hash_link.sh,
tools/pkcs11_make_hash_link: rename make_hash_link.sh to
pkcs11_make_hash_link to match the manpage name
2010-10-19 ludovic.rousseau
* [r465] src/pam_pkcs11/pam_pkcs11.c: Unload the mapper also on
success
Thanks to Andre Zepezauer for the patch
http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015150.html
* [r464] doc/doxygen.conf.in: Update from doxygen version 1.5.6 to
1.7.1
* [r463] configure.in: release 0.6.5
* [r462] po/de.po, po/fr.po, po/nl.po, po/pam_pkcs11.pot, po/pl.po,
po/pt_br.po, po/ru.po: regenerate
* [r461] src/common/Makefile.am: Add the missing strndup.h file
* [r460] src/common/uri.c: get_http(): check if complete message
was transmitted
Thanks to Andre Zepezauer for the patch
http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015137.html
* [r459] src/common/uri.c: get_http(): allocate enough memory to
fit http-request
Thanks to Andre Zepezauer for the patch
http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015137.html
* [r458] src/common/uri.c: get_http(): add missing return statement
Thanks to Andre Zepezauer for the patch
http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015137.html
* [r457] configure.in: If dlopen() is not found in libdl we try to
find it without specifying a library before exiting in error.
I don't remember why I used this code. Maybe dlopen() is not in
libdl on some systems.
2010-10-16 ludovic.rousseau
* [r456] po/fr.po: Translate a string
* [r455] po/de.po, po/fr.po, po/nl.po, po/pam_pkcs11.pot, po/pl.po,
po/pt_br.po, po/ru.po: Regenerate
* [r454] src/pam_pkcs11/pam_pkcs11.c: Replace "Found the %s." by
"%s found."
Thanks to Mr Dash Four for the bug report
http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015135.html
2010-10-15 ludovic.rousseau
* [r453] src/common/pkcs11_lib.c: crypto_init(): fix a typo in log
message
2010-09-22 ludovic.rousseau
* [r452] src/common/pkcs11_lib.c: pkcs11_pass_login(): check if the
PIN returned by getpass is NULL
Thanks to Andre Zepezauer for the patch
http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014976.html
* [r451] src/common/pkcs11_lib.c: pkcs11_pass_login(): log an error
if pkcs11_login() fails
Thanks to Andre Zepezauer for the patch
http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014964.html
* [r450] src/common/pkcs11_lib.c: pkcs11_pass_login(): do not clean
a zero length PIN
Thanks to Andre Zepezauer for the patch
http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014964.html
* [r449] src/common/pkcs11_lib.c, src/pam_pkcs11/pam_pkcs11.c: Show
PIN code in debug output only if DEBUG_SHOW_PASSWORD is defined
(not defined by default)
Thanks to Andre Zepezauer for the bug report
http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014964.html
2010-09-21 ludovic.rousseau
* [r448] src/pam_pkcs11/pam_config.c: parse_config_file(): get the
debug value from the configuration file
Thanks to Andre Zepezauer for the patch
http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014949.html
2010-08-25 ludovic.rousseau
* [r447] src/tools/card_eventmgr.c: Do not call
SCardEstablishContext() before daemonize since pcsc-lite
handles are invalid after a fork.
Thanks to Patrik Martinsson for the patch
http://www.opensc-project.org/pipermail/opensc-devel/2010-August/014632.html
2010-08-19 ludovic.rousseau
* [r446] src/tools/card_eventmgr.c: Use SCARD_READERSTATE instead
of SCARD_READERSTATE_A since it was removed in pcsc-lite >= 1.6.2
2010-08-14 ludovic.rousseau
* [r445] src/mappers/cn_mapper.c, src/mappers/digest_mapper.c,
src/mappers/generic_mapper.c, src/mappers/krb_mapper.c,
src/mappers/ldap_mapper.c, src/mappers/mail_mapper.c,
src/mappers/mapper.c, src/mappers/mapper.h,
src/mappers/ms_mapper.c, src/mappers/null_mapper.c,
src/mappers/opensc_mapper.c, src/mappers/openssh_mapper.c,
src/mappers/pwent_mapper.c, src/mappers/subject_mapper.c,
src/mappers/uid_mapper.c, src/pam_pkcs11/mapper_mgr.c,
src/tools/pklogin_finder.c: Patch for #239 and #240 (handle more
than one cert/pattern matching)
Thanks to Wolf Geldmacher for the patch.
http://www.opensc-project.org/pipermail/opensc-devel/2010-June/014405.html
"Here's a patch to solve the issues I've encountered using pam_pkcs11.

In regards to #239 (pam_pkcs11 only looks at first certificate on token):

The fix for this turns out to be somewhat problematic, and I'm not at
all sure, whether my implementation of the fix is a valid one.

The basic problem (as I understood it from analyzing the code) is that
finder functions of the mappers return a char*, allowing for a single
value (NULL) to signalize failure and return the key if no mapping (i.e.
no value associated with the key) was found (cf. comment for
mapfile_find in src/mappers/mapper.c). Thus a caller (i.e. find_user in
src/pam_pkcs11/mapper_mgr.c) cannot distinguish between a mapping or a
key being returned and thus will prematurely terminate on the first
certificate that passes the other validity tests.

The fix provided changes the finder function interface by requiring an
additional out parameter that is set to 1, if a real mapping value was
returned and remains unchanged otherwise. This fix breaks existing
loadable mappers.

I considered overloading of the value returned (e.g. having a
byte/substring as first character of the value returned to be able to
distinguish between a value and a key being returned) which would
preserve the interface to the mappers, but refrained from implementing
it that way as I believe this to be unclean and prone to
difficult-to-track errors.

Another solution I considered was the addition of another entry to the
structure encapsulating the mappers (e.g. a finder2 method), but as this
is no better in breaking the interface for loadable mappers and
duplicates code I forfeited this solution, too.

If somebody could look into the problem and come up with a solution that
preserves the interface to external mappers while allowing the
distinction between keys and values, I'd be more than happy to implement
it.

It might also make sense to add a new configuration parameter for
the new behaviour of find_user, allowing existing applications to
continue to work with keys being returned instead of values (Feedback
anyone? The comment for find_user actually states that a mapping value
is returned).

In regards to #240 (Allow pattern matching in pam_pkcs11):

I restricted this to only work for mapfiles and the implementation
turned out to be quite simple - it's essentially an 11 line change in
src/mappers/mapper.c - and is triggered by the specification of a fully
anchored (i.e. *must* have initial "^" and *must* end in "$") pattern as
key in a mapfile.

This now allows syntax like

    ^.*/serialNumber=xxx-xxx-xxx-xxx$ -> username

in all mapfiles.

The patch attached contains the changes for both issues.

Cheers,
Wolf"
2010-08-13 ludovic.rousseau
* [r444] src/pam_pkcs11/pam_pkcs11.c: Do not use a variadic
parameter for pam_prompt. It is not supported on FreeBSD.
2010-08-12 ludovic.rousseau
* [r443] src/common/strndup.h, src/tools/pkcs11_setup.c: Add a new
header file to define strndup if needed.
pkcs11_setup.c: In function ‘scconf_replace_str_list’:
pkcs11_setup.c:73: warning: implicit declaration of function ‘strndup’
pkcs11_setup.c:73: warning: incompatible implicit declaration of built-in function ‘strndup’
* [r441] src/pam_pkcs11/pam_config.c, src/tools/pkcs11_inspect.c,
src/tools/pkcs11_listcerts.c, src/tools/pklogin_finder.c: Revert
changeset 301 parsing arguments in pam_config.c but skip the
first argument in command line tools.
Thanks to halfline for the patch. Closes ticket #29
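
The r445 entry above describes two changes: a finder that reports through an out parameter whether it returned a real mapping or just echoed the key (#239), and fully anchored patterns as mapfile keys (#240). The following C sketch is an added example, not pam_pkcs11 code: map_find, the simplified find_user, struct map_entry, the in-memory mapfile and the certificate subjects are all hypothetical, and the use of POSIX extended regular expressions for pattern keys is an assumption.

```c
/* Added illustration; all names and the sample mapfile are hypothetical. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

struct map_entry { const char *key, *value; };

/* Constructed mapfile: one literal key, one fully anchored pattern key. */
static const struct map_entry mapfile[] = {
    { "/C=XX/O=Example/CN=Alice Example", "alice" },
    { "^.*/serialNumber=123-456-789-000$", "bob" },
};

/* A key is a pattern only if it starts with '^' and ends with '$'. */
static int is_anchored(const char *k) {
    size_t n = strlen(k);
    return n >= 2 && k[0] == '^' && k[n - 1] == '$';
}

/* Real mapping: set *match = 1, return value. Else return key, *match untouched. */
const char *map_find(const char *key, int *match) {
    for (size_t i = 0; i < sizeof mapfile / sizeof mapfile[0]; i++) {
        const struct map_entry *e = &mapfile[i];
        int hit = strcmp(e->key, key) == 0;
        regex_t re;
        if (!hit && is_anchored(e->key) &&
            regcomp(&re, e->key, REG_EXTENDED | REG_NOSUB) == 0) {
            hit = regexec(&re, key, 0, NULL, 0) == 0;
            regfree(&re);
        }
        if (hit) { *match = 1; return e->value; }
    }
    return key;
}

/* Try every certificate subject; stop only when a real mapping was found. */
const char *find_user(const char *const *subjects, size_t n) {
    for (size_t i = 0; i < n; i++) {
        int match = 0;
        const char *user = map_find(subjects[i], &match);
        if (match) return user;
    }
    return NULL;
}

int main(void) {
    const char *certs[] = { "/CN=Unmapped Cert",
                            "/C=XX/CN=Bob/serialNumber=123-456-789-000" };
    printf("%s\n", find_user(certs, 2));
}
```

Without the out parameter, the echoed key for the first, unmapped certificate is indistinguishable from a mapping, so the loop would stop there and never reach the second certificate.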
https://bugs.launchpad.net/bugs/739392
Title:
[FFe] Please sync new upstream release 0.6.6-2 from Debian Unstable