Hello community,
here is the log from the commit of package pam_p11 for openSUSE:Factory checked in at 2023-08-31 13:46:20
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pam_p11 (Old)
and /work/SRC/openSUSE:Factory/.pam_p11.new.1766 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam_p11"
Thu Aug 31 13:46:20 2023 rev:27 rq:1108233 version:0.5.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/pam_p11/pam_p11.changes 2023-02-16 16:56:50.378937506 +0100
+++ /work/SRC/openSUSE:Factory/.pam_p11.new.1766/pam_p11.changes 2023-08-31 13:52:30.562787709 +0200
@@ -1,0 +2,13 @@
+Tue Aug 29 13:36:20 UTC 2023 - Otto Hollmann
+
+- Update to version 0.5.0
+ * Add support for tokens that only contain a certificate
+ (and no public key)
+ * Fixed never-ending loop if the PIN is locked
+
+- Update to version 0.4.0
+ * Add Russian translation
+ * Add support for building with LibreSSL
+ * Add support for building with OpenSSL 3.0 and later
+
+-------------------------------------------------------------------
Old:
----
pam_p11-0.3.1.tar.gz
New:
----
pam_p11-0.5.0.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ pam_p11.spec ++++++
--- /var/tmp/diff_new_pack.RtewwR/_old 2023-08-31 13:52:31.678827599 +0200
+++ /var/tmp/diff_new_pack.RtewwR/_new 2023-08-31 13:52:31.682827742 +0200
@@ -17,7 +17,7 @@
Name: pam_p11
-Version: 0.3.1
+Version: 0.5.0
Release: 0
Summary: PAM Authentication Module for Using Cryptographic Tokens
License: LGPL-2.1-or-later
++++++ pam_p11-0.3.1.tar.gz -> pam_p11-0.5.0.tar.gz ++++++
++++ 5453 lines of diff (skipped)
++++ retrying with extended exclude list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_p11-0.3.1/NEWS new/pam_p11-0.5.0/NEWS
--- old/pam_p11-0.3.1/NEWS 2019-09-11 22:36:09.000000000 +0200
+++ new/pam_p11-0.5.0/NEWS 2023-08-03 01:35:31.000000000 +0200
@@ -1,5 +1,14 @@
NEWS for Pam_p11 -- History of user visible changes
+New in 0.5.0; 2023-08-03; Frank Morgner
+* Add support for tokens that only contain a certificate (and no public key)
+* Fixed never-ending loop if the PIN is locked
+
+New in 0.4.0; 2023-06-08; Frank Morgner
+* Add Russian translation
+* Add support for building with LibreSSL
+* Add support for building with OpenSSL 3.0 and later
+
New in 0.3.1; 2019-09-11; Frank Morgner
* CVE-2019-16058: Fixed buffer overflow when creating signatures longer than 256 bytes
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_p11-0.3.1/README.md new/pam_p11-0.5.0/README.md
--- old/pam_p11-0.3.1/README.md 2019-09-11 22:29:30.000000000 +0200
+++ new/pam_p11-0.5.0/README.md 2023-08-03 01:38:33.000000000 +0200
@@ -13,16 +13,16 @@
Pam_p11 was written by an international team and is licensed as Open Source software under the LGPL license.
-[![Build Status](https://travis-ci.org/OpenSC/pam_p11.svg?branch=master)](https://travis-ci.org/OpenSC/pam_p11) [![Coverity Scan Status](https://scan.coverity.com/projects/15452/badge.svg)](https://scan.coverity.com/projects/opensc-pam_p11)
+[![GitHub CI Status](https://img.shields.io/github/actions/workflow/status/OpenSC/pam_p11/ci.yml?branch=master&label=Linux%2FmacOS&logo=github)](https://github.com/OpenSC/pam_p11/actions/workflows/ci.yml?branch=master) [![Coverity Scan CI Status](https://img.shields.io/coverity/scan/15452.svg?label=Coverity%20Scan)](https://scan.coverity.com/projects/15452) [![CodeQL CI Status](https://img.shields.io/github/actions/workflow/status/OpenSC/pam_p11/codeql.yml?branch=master&label=CodeQL&logo=github)](https://github.com/OpenSC/pam_p11/actions/workflows/codeql.yml?branch=master)
## Installing pam_p11
Installation is quite easy:
```
-wget https://github.com/OpenSC/pam_p11/releases/download/pam_p11-0.1.6/pam_p11-0....
-tar xfvz pam_p11-0.1.6.tar.gz
-cd pam_p11-0.1.6
+wget https://github.com/OpenSC/pam_p11/releases/download/pam_p11-0.5.0/pam_p11-0....
+tar xfvz pam_p11-0.5.0.tar.gz
+cd pam_p11-0.5.0
./configure --prefix=/usr --libdir=/lib/
make
make install
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_p11-0.3.1/compile new/pam_p11-0.5.0/compile
--- old/pam_p11-0.3.1/compile 2017-01-25 19:15:10.000000000 +0100
+++ new/pam_p11-0.5.0/compile 2020-02-05 15:31:03.000000000 +0100
@@ -1,9 +1,9 @@
#! /bin/sh
# Wrapper for compilers which do not understand '-c -o'.
-scriptversion=2012-10-14.11; # UTC
+scriptversion=2018-03-07.03; # UTC
-# Copyright (C) 1999-2014 Free Software Foundation, Inc.
+# Copyright (C) 1999-2018 Free Software Foundation, Inc.
# Written by Tom Tromey .
#
# This program is free software; you can redistribute it and/or modify
@@ -17,7 +17,7 @@
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
-# along with this program. If not, see http://www.gnu.org/licenses/.
+# along with this program. If not, see https://www.gnu.org/licenses/.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
@@ -255,7 +255,8 @@
echo "compile $scriptversion"
exit $?
;;
- cl | *[/\\]cl | cl.exe | *[/\\]cl.exe )
+ cl | *[/\\]cl | cl.exe | *[/\\]cl.exe | \
+ icl | *[/\\]icl | icl.exe | *[/\\]icl.exe )
func_cl_wrapper "$@" # Doesn't return...
;;
esac
@@ -339,9 +340,9 @@
# Local Variables:
# mode: shell-script
# sh-indentation: 2
-# eval: (add-hook 'write-file-hooks 'time-stamp)
+# eval: (add-hook 'before-save-hook 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC"
+# time-stamp-time-zone: "UTC0"
# time-stamp-end: "; # UTC"
# End:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_p11-0.3.1/config.h.in new/pam_p11-0.5.0/config.h.in
--- old/pam_p11-0.3.1/config.h.in 2019-09-11 22:36:22.000000000 +0200
+++ new/pam_p11-0.5.0/config.h.in 2023-08-03 01:39:01.000000000 +0200
@@ -25,15 +25,6 @@
/* Define to 1 if you don't have `vprintf' but do have `_doprnt.' */
#undef HAVE_DOPRNT
-/* Define to 1 if you have the `EVP_MD_CTX_free' function. */
-#undef HAVE_EVP_MD_CTX_FREE
-
-/* Define to 1 if you have the `EVP_MD_CTX_new' function. */
-#undef HAVE_EVP_MD_CTX_NEW
-
-/* Define to 1 if you have the `EVP_MD_CTX_reset' function. */
-#undef HAVE_EVP_MD_CTX_RESET
-
/* Define to 1 if you have the header file. */
#undef HAVE_FCNTL_H
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_p11-0.3.1/configure.ac new/pam_p11-0.5.0/configure.ac
--- old/pam_p11-0.3.1/configure.ac 2019-09-11 22:30:15.000000000 +0200
+++ new/pam_p11-0.5.0/configure.ac 2023-08-03 01:37:50.000000000 +0200
@@ -1,8 +1,8 @@
AC_PREREQ(2.60)
define([PACKAGE_VERSION_MAJOR], [0])
-define([PACKAGE_VERSION_MINOR], [3])
-define([PACKAGE_VERSION_FIX], [1])
+define([PACKAGE_VERSION_MINOR], [5])
+define([PACKAGE_VERSION_FIX], [0])
define([PACKAGE_SUFFIX], [])
define([PRODUCT_BUGREPORT], [https://github.com/OpenSC/pam_p11/issues])
@@ -50,7 +50,7 @@
AM_GNU_GETTEXT_VERSION(0.18.3)
dnl Add the languages which your application supports here.
-ALL_LINGUAS="de it"
+ALL_LINGUAS="de it ru"
dnl Checks for programs.
AC_PROG_CPP
@@ -70,11 +70,11 @@
PKG_CHECK_MODULES([LIBP11], [libp11 >= 0.2.4],, [AC_MSG_ERROR([libp11 is required])])
PKG_CHECK_MODULES(
[OPENSSL],
- [libcrypto >= 0.9.7],
+ [libcrypto >= 1.1.1],
,
[PKG_CHECK_MODULES(
[OPENSSL],
- [openssl >= 0.9.7],
+ [openssl >= 1.1.1],
,
[AC_CHECK_LIB(
[crypto],
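Review bot: The new 1.1.1 floor is enforced only on the two pkg-config lookups; the `AC_CHECK_LIB([crypto], …)` fallback that begins at the end of this hunk shows no version test in the visible lines, so a host without `.pc` files could presumably still configure against an older libcrypto. Since the `AC_CHECK_FUNCS(EVP_MD_CTX_new …)` probe is disabled in the next hunk, the sources no longer have a per-function fallback to lean on. Consider a version test in the fallback branch or a compile-time `#error` keyed on `OPENSSL_VERSION_NUMBER` in a shared header. The fallback's arguments continue outside the hunk, so this should be confirmed against the full file.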
@@ -85,10 +85,10 @@
)]
)
-saved_LIBS="$LIBS"
-LIBS="$OPENSSL_LIBS $LIBS"
-AC_CHECK_FUNCS(EVP_MD_CTX_new EVP_MD_CTX_free EVP_MD_CTX_reset)
-LIBS="$saved_LIBS"
+#saved_LIBS="$LIBS"
+#LIBS="$OPENSSL_LIBS $LIBS"
+#AC_CHECK_FUNCS(EVP_MD_CTX_new EVP_MD_CTX_free EVP_MD_CTX_reset)
+#LIBS="$saved_LIBS"
if test -z "${PAM_LIBS}"; then
AC_ARG_VAR([PAM_CFLAGS], [C compiler flags for pam])
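Review bot: The four probe lines are commented out with `#` instead of being deleted, and `#` comments in configure.ac are copied into the generated configure script as dead shell text. Since config.h.in no longer carries the `HAVE_EVP_MD_CTX_*` defines, the lines can simply be removed; if they are kept for reference, `dnl` keeps them out of the generated script.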
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_p11-0.3.1/m4/libtool.m4 new/pam_p11-0.5.0/m4/libtool.m4
--- old/pam_p11-0.3.1/m4/libtool.m4 2016-08-20 14:34:31.000000000 +0200
+++ new/pam_p11-0.5.0/m4/libtool.m4 2020-03-02 10:35:42.000000000 +0100
@@ -1041,8 +1041,8 @@
_LT_EOF
echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&AS_MESSAGE_LOG_FD
$LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&AS_MESSAGE_LOG_FD
- echo "$AR cru libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD
- $AR cru libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD
+ echo "$AR cr libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD
+ $AR cr libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD
echo "$RANLIB libconftest.a" >&AS_MESSAGE_LOG_FD
$RANLIB libconftest.a 2>&AS_MESSAGE_LOG_FD
cat > conftest.c << _LT_EOF
@@ -1492,7 +1492,7 @@
m4_defun([_LT_PROG_AR],
[AC_CHECK_TOOLS(AR, [ar], false)
: ${AR=ar}
-: ${AR_FLAGS=cru}
+: ${AR_FLAGS=cr}
_LT_DECL([], [AR], [1], [The archiver])
_LT_DECL([], [AR_FLAGS], [1], [Flags to create an archive])
@@ -4063,7 +4063,8 @@
if AC_TRY_EVAL(ac_compile); then
# Now try to grab the symbols.
nlist=conftest.nm
- if AC_TRY_EVAL(NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) && test -s "$nlist"; then
+ $ECHO "$as_me:$LINENO: $NM conftest.$ac_objext | $lt_cv_sys_global_symbol_pipe > $nlist" >&AS_MESSAGE_LOG_FD
+ if eval "$NM" conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist 2>&AS_MESSAGE_LOG_FD && test -s "$nlist"; then
# Try sorting and uniquifying the output.
if sort "$nlist" | uniq > "$nlist"T; then
mv -f "$nlist"T "$nlist"
@@ -4703,6 +4704,12 @@
_LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
_LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
;;
+ # flang / f18. f95 an alias for gfortran or flang on Debian
+ flang* | f18* | f95*)
+ _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+ _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+ ;;
# icc used to be incompatible with GCC.
# ICC 10 doesn't accept -KPIC any more.
icc* | ifort*)
@@ -6438,7 +6445,7 @@
# Commands to make compiler produce verbose output that lists
# what "hidden" libraries, object files and flags are used when
# linking a shared library.
- output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
else
GXX=no
@@ -6813,7 +6820,7 @@
# explicitly linking system object files so we need to strip them
# from the output so that they don't get included in the library
# dependencies.
- output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
+ output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
;;
*)
if test yes = "$GXX"; then
@@ -6878,7 +6885,7 @@
# explicitly linking system object files so we need to strip them
# from the output so that they don't get included in the library
# dependencies.
- output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
+ output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
;;
*)
if test yes = "$GXX"; then
@@ -7217,7 +7224,7 @@
# Commands to make compiler produce verbose output that lists
# what "hidden" libraries, object files and flags are used when
# linking a shared library.
- output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
else
# FIXME: insert proper C++ library support
@@ -7301,7 +7308,7 @@
# Commands to make compiler produce verbose output that lists
# what "hidden" libraries, object files and flags are used when
# linking a shared library.
- output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
else
# g++ 2.7 appears to require '-G' NOT '-shared' on this
# platform.
@@ -7312,7 +7319,7 @@
# Commands to make compiler produce verbose output that lists
# what "hidden" libraries, object files and flags are used when
# linking a shared library.
- output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
+ output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
fi
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-R $wl$libdir'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_p11-0.3.1/missing new/pam_p11-0.5.0/missing
--- old/pam_p11-0.3.1/missing 2017-01-25 19:15:10.000000000 +0100
+++ new/pam_p11-0.5.0/missing 2020-02-05 15:31:03.000000000 +0100
@@ -1,9 +1,9 @@
#! /bin/sh
# Common wrapper for a few potentially missing GNU programs.
-scriptversion=2013-10-28.13; # UTC
+scriptversion=2018-03-07.03; # UTC
-# Copyright (C) 1996-2014 Free Software Foundation, Inc.
+# Copyright (C) 1996-2018 Free Software Foundation, Inc.
# Originally written by Fran,cois Pinard , 1996.
# This program is free software; you can redistribute it and/or modify
@@ -17,7 +17,7 @@
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
-# along with this program. If not, see http://www.gnu.org/licenses/.
+# along with this program. If not, see https://www.gnu.org/licenses/.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
@@ -101,9 +101,9 @@
exit $st
fi
-perl_URL=http://www.perl.org/
-flex_URL=http://flex.sourceforge.net/
-gnu_software_URL=http://www.gnu.org/software
+perl_URL=https://www.perl.org/
+flex_URL=https://github.com/westes/flex
+gnu_software_URL=https://www.gnu.org/software
program_details ()
{
@@ -207,9 +207,9 @@
exit $st
# Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
+# eval: (add-hook 'before-save-hook 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC"
+# time-stamp-time-zone: "UTC0"
# time-stamp-end: "; # UTC"
# End:
Binary files old/pam_p11-0.3.1/po/de.gmo and new/pam_p11-0.5.0/po/de.gmo differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_p11-0.3.1/po/de.po new/pam_p11-0.5.0/po/de.po
--- old/pam_p11-0.3.1/po/de.po 2019-09-11 22:42:23.000000000 +0200
+++ new/pam_p11-0.5.0/po/de.po 2023-08-03 01:43:58.000000000 +0200
@@ -7,7 +7,7 @@
msgstr ""
"Project-Id-Version: pam_p11 0.1.7_git\n"
"Report-Msgid-Bugs-To: https://github.com/OpenSC/pam_p11/issues\n"
-"POT-Creation-Date: 2019-09-11 22:42+0200\n"
+"POT-Creation-Date: 2023-08-03 01:39+0200\n"
"PO-Revision-Date: 2018-04-05 11:14+0200\n"
"Last-Translator: Frank Morgner \n"
"Language-Team: German\n"
@@ -17,98 +17,98 @@
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=(n != 1);\n"
-#: src/pam_p11.c:205
+#: src/pam_p11.c:194
msgid "Error loading PKCS#11 module"
msgstr "Fehler beim Laden des PKCS#11-Moduls"
-#: src/pam_p11.c:213 src/pam_p11.c:265
+#: src/pam_p11.c:202 src/pam_p11.c:254
msgid "Error initializing PKCS#11 module"
msgstr "Fehler beim Initialisieren des PKCS#11-Moduls"
-#: src/pam_p11.c:333
+#: src/pam_p11.c:322
msgid " (last try)"
msgstr " (letzter Versuch)"
-#: src/pam_p11.c:340
+#: src/pam_p11.c:329
#, c-format
msgid "Login on PIN pad with %s%s"
msgstr "Login auf dem PIN-Pad mit %s%s"
-#: src/pam_p11.c:346
+#: src/pam_p11.c:335
#, c-format
msgid "Login with %s%s: "
msgstr "Login mit %s%s: "
-#: src/pam_p11.c:370
+#: src/pam_p11.c:359
msgid "Invalid PIN"
msgstr ""
-#: src/pam_p11.c:378
+#: src/pam_p11.c:367
msgid "PIN not verified; PIN locked"
msgstr "PIN nicht verifiziert; PIN gesperrt"
-#: src/pam_p11.c:380
+#: src/pam_p11.c:369
msgid "PIN not verified; one try remaining"
msgstr "PIN nicht verifiziert; ein Versuch verbleibend"
-#: src/pam_p11.c:382
+#: src/pam_p11.c:371
msgid "PIN not verified"
msgstr "PIN nicht verifiziert"
-#: src/pam_p11.c:424
+#: src/pam_p11.c:413
#, c-format
msgid "Change PIN with PUK on PIN pad for %s"
msgstr "Ändere PIN mit PUK auf dem PIN-Pad für %s"
-#: src/pam_p11.c:428
+#: src/pam_p11.c:417
#, c-format
msgid "Change PIN on PIN pad for %s"
msgstr "Ändere PIN auf dem PIN-Pad für %s"
-#: src/pam_p11.c:435
+#: src/pam_p11.c:424
#, c-format
msgid "PUK for %s: "
msgstr "PUK für %s: "
-#: src/pam_p11.c:446
+#: src/pam_p11.c:435
msgid "Current PIN: "
msgstr "Aktuelle PIN: "
-#: src/pam_p11.c:464
+#: src/pam_p11.c:453
msgid "Enter new PIN: "
msgstr "Neue PIN eingeben: "
-#: src/pam_p11.c:467
+#: src/pam_p11.c:456
msgid "Retype new PIN: "
msgstr "Neue PIN wiederholen: "
-#: src/pam_p11.c:471
+#: src/pam_p11.c:460
msgid "PINs don't match"
msgstr "PINs verschieden"
-#: src/pam_p11.c:478
+#: src/pam_p11.c:467
#, fuzzy
msgid "PIN not changed; PIN locked"
msgstr "PIN nicht verifiziert; PIN gesperrt"
-#: src/pam_p11.c:480
+#: src/pam_p11.c:469
#, fuzzy
msgid "PIN not changed; one try remaining"
msgstr "PIN nicht verifiziert; ein Versuch verbleibend"
-#: src/pam_p11.c:482
+#: src/pam_p11.c:471
#, fuzzy
msgid "PIN not changed"
msgstr "PIN nicht verifiziert"
-#: src/pam_p11.c:610
+#: src/pam_p11.c:596
msgid "No token found"
msgstr "Kein Token gefunden"
-#: src/pam_p11.c:612
-msgid "No authorized keys on token"
-msgstr "Keine autorisierten Schlüssel auf dem Token"
+#: src/pam_p11.c:599
+msgid "Could not find authorized keys on any of the tokens."
+msgstr "Auf keinem der Token konnten autorisierte Schlüssel gefunden werden."
-#: src/pam_p11.c:674
+#: src/pam_p11.c:660
msgid "Error verifying key"
msgstr "Fehler beim Verifizieren des Schlüssels"
Binary files old/pam_p11-0.3.1/po/it.gmo and new/pam_p11-0.5.0/po/it.gmo differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_p11-0.3.1/po/it.po new/pam_p11-0.5.0/po/it.po
--- old/pam_p11-0.3.1/po/it.po 2019-09-11 22:42:23.000000000 +0200
+++ new/pam_p11-0.5.0/po/it.po 2023-08-03 01:43:58.000000000 +0200
@@ -7,7 +7,7 @@
msgstr ""
"Project-Id-Version: pam-p11\n"
"Report-Msgid-Bugs-To: https://github.com/OpenSC/pam_p11/issues\n"
-"POT-Creation-Date: 2019-09-11 22:42+0200\n"
+"POT-Creation-Date: 2023-08-03 01:39+0200\n"
"PO-Revision-Date: 2019-02-28 14:03+0000\n"
"Last-Translator: Milo Casagrande \n"
"Language-Team: Italian \n"
@@ -16,95 +16,95 @@
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
-#: src/pam_p11.c:205
+#: src/pam_p11.c:194
msgid "Error loading PKCS#11 module"
msgstr "Errore nel caricare il modulo PKCS#11"
-#: src/pam_p11.c:213 src/pam_p11.c:265
+#: src/pam_p11.c:202 src/pam_p11.c:254
msgid "Error initializing PKCS#11 module"
msgstr "Errore nell'inizializzare il modulo PKCS#11"
-#: src/pam_p11.c:333
+#: src/pam_p11.c:322
msgid " (last try)"
msgstr " (ultimo tentativo)"
-#: src/pam_p11.c:340
+#: src/pam_p11.c:329
#, c-format
msgid "Login on PIN pad with %s%s"
msgstr "Accesso su dispositivo inserimento PIN con %s%s"
-#: src/pam_p11.c:346
+#: src/pam_p11.c:335
#, c-format
msgid "Login with %s%s: "
msgstr "Accesso con %s%s: "
-#: src/pam_p11.c:370
+#: src/pam_p11.c:359
msgid "Invalid PIN"
msgstr ""
-#: src/pam_p11.c:378
+#: src/pam_p11.c:367
msgid "PIN not verified; PIN locked"
msgstr "PIN non verificato; PIN bloccato"
-#: src/pam_p11.c:380
+#: src/pam_p11.c:369
msgid "PIN not verified; one try remaining"
msgstr "PIN non verificato; un tentativo rimasto"
-#: src/pam_p11.c:382
+#: src/pam_p11.c:371
msgid "PIN not verified"
msgstr "PIN non verificato"
-#: src/pam_p11.c:424
+#: src/pam_p11.c:413
#, c-format
msgid "Change PIN with PUK on PIN pad for %s"
msgstr "Modifica del PIN con PUK su dispositivo inserimento PIN per %s"
-#: src/pam_p11.c:428
+#: src/pam_p11.c:417
#, c-format
msgid "Change PIN on PIN pad for %s"
msgstr "Modifica del PIN su dispositivo inserimento PIN per %s"
-#: src/pam_p11.c:435
+#: src/pam_p11.c:424
#, c-format
msgid "PUK for %s: "
msgstr "PUK per %s: "
-#: src/pam_p11.c:446
+#: src/pam_p11.c:435
msgid "Current PIN: "
msgstr "PIN attuale: "
-#: src/pam_p11.c:464
+#: src/pam_p11.c:453
msgid "Enter new PIN: "
msgstr "Inserire nuovo PIN: "
-#: src/pam_p11.c:467
+#: src/pam_p11.c:456
msgid "Retype new PIN: "
msgstr "Ripetere nuovo PIN: "
-#: src/pam_p11.c:471
+#: src/pam_p11.c:460
msgid "PINs don't match"
msgstr "I PIN non sono uguali"
-#: src/pam_p11.c:478
+#: src/pam_p11.c:467
msgid "PIN not changed; PIN locked"
msgstr "PIN non modificato; PIN bloccato"
-#: src/pam_p11.c:480
+#: src/pam_p11.c:469
msgid "PIN not changed; one try remaining"
msgstr "PIN non modificato; un tentativo rimasto"
-#: src/pam_p11.c:482
+#: src/pam_p11.c:471
msgid "PIN not changed"
msgstr "PIN non modificato"
-#: src/pam_p11.c:610
+#: src/pam_p11.c:596
msgid "No token found"
msgstr "Nessun token trovato"
-#: src/pam_p11.c:612
-msgid "No authorized keys on token"
-msgstr "Nessuna chiave autorizzata sul token"
+#: src/pam_p11.c:599
+msgid "Could not find authorized keys on any of the tokens."
+msgstr "Impossibile trovare chiavi autorizzate su nessuno dei token."
-#: src/pam_p11.c:674
+#: src/pam_p11.c:660
msgid "Error verifying key"
msgstr "Errore nel verificare la chiave"
Binary files old/pam_p11-0.3.1/po/ru.gmo and new/pam_p11-0.5.0/po/ru.gmo differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_p11-0.3.1/po/ru.po new/pam_p11-0.5.0/po/ru.po
--- old/pam_p11-0.3.1/po/ru.po 1970-01-01 01:00:00.000000000 +0100
+++ new/pam_p11-0.5.0/po/ru.po 2023-08-03 23:15:52.000000000 +0200
@@ -0,0 +1,104 @@
+msgid ""
+msgstr ""
+"Project-Id-Version: pam_p11 0.5.0\n"
+"Report-Msgid-Bugs-To: https://github.com/OpenSC/pam_p11/issues\n"
+"POT-Creation-Date: 2023-08-03 01:39+0200\n"
+"Last-Translator: Mikhail Novosyolov = (int)sizeof(bin_table))
+ if (k < 0)
return -1;
if (k == 0 && c == 0)
return 0;
@@ -75,8 +75,8 @@
int sc_base64_decode(const char *in, unsigned char *out, size_t outlen)
{
- int len = 0, r, skip;
- unsigned int i;
+ int len = 0, r = 0, skip = 0;
+ unsigned int i = 0;
while ((r = from_base64(in, &i, &skip)) > 0) {
int finished = 0, s = 16;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_p11-0.3.1/src/match_opensc.c new/pam_p11-0.5.0/src/match_opensc.c
--- old/pam_p11-0.3.1/src/match_opensc.c 2019-04-17 01:28:53.000000000 +0200
+++ new/pam_p11-0.5.0/src/match_opensc.c 2023-05-17 14:30:54.000000000 +0200
@@ -48,9 +48,15 @@
if (key == NULL)
continue;
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (1 == EVP_PKEY_cmp(authkey, key)) {
found = 1;
}
+#else
+ if (1 == EVP_PKEY_eq(authkey, key)) {
+ found = 1;
+ }
+#endif
EVP_PKEY_free(key);
} while (found == 0);
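Review bot: The `#if OPENSSL_VERSION_NUMBER < 0x30000000L` block duplicates the whole `if` body just to switch between `EVP_PKEY_cmp` and `EVP_PKEY_eq`, and the identical block is repeated in the `@@ -400,9 +495,15 @@` hunk of match_openssh.c. A single compat definition in one shared header, e.g. `#define EVP_PKEY_eq EVP_PKEY_cmp` under the pre-3.0 guard, would leave one comparison per call site and keep the two matchers from drifting apart. Whichever form is used, a short comment that only a return of exactly 1 counts as a match would help, because this comparison decides whether the token key is authorized. The enclosing loop starts outside the hunk.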
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_p11-0.3.1/src/match_openssh.c new/pam_p11-0.5.0/src/match_openssh.c
--- old/pam_p11-0.3.1/src/match_openssh.c 2019-04-17 01:28:53.000000000 +0200
+++ new/pam_p11-0.5.0/src/match_openssh.c 2023-06-08 17:05:53.000000000 +0200
@@ -6,6 +6,11 @@
#include
#include
#include
+#include
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include
+#include
+#endif
#include
#include
#include
@@ -17,7 +22,8 @@
#define OPENSSH_LINE_MAX 16384 /* from openssh SSH_MAX_PUBKEY_BYTES */
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined (LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3000000L)
void RSA_get0_key(const RSA *r,
const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
{
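Review bot: The LibreSSL bound `0x3000000L` has seven hex digits, i.e. 0x03000000, while LibreSSL version numbers follow the OpenSSL-style layout and sit at 0x20000000 and above, so `LIBRESSL_VERSION_NUMBER < 0x3000000L` can never be true and the compat shims below are never compiled for any LibreSSL. If "older than 3.0" was intended the constant would be `0x30000000L`. A comment naming the LibreSSL release that first ships `RSA_get0_key` would make the bound auditable. The shim definitions continue outside the hunk.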
@@ -57,21 +63,133 @@
#endif
-static EVP_PKEY *ssh1_line_to_key(char *line)
+static EVP_PKEY *init_evp_pkey_rsa(BIGNUM *rsa_n, BIGNUM *rsa_e)
{
- EVP_PKEY *key;
- RSA *rsa;
- char *b, *e, *m, *c;
- BIGNUM *rsa_e, *rsa_n;
+ EVP_PKEY *key = NULL;
+ if (!rsa_e || !rsa_n)
+ return NULL;
+
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
key = EVP_PKEY_new();
if (!key)
return NULL;
- rsa = RSA_new();
+ RSA *rsa = RSA_new();
+ if (!rsa) {
+ EVP_PKEY_free(key);
+ return NULL;
+ }
- if (!rsa)
- goto err;
+ /* set e and n */
+ if (!RSA_set0_key(rsa, rsa_n, rsa_e, NULL)) {
+ RSA_free(rsa);
+ EVP_PKEY_free(key);
+ return NULL;
+ }
+
+ EVP_PKEY_assign_RSA(key, rsa);
+#else
+ OSSL_PARAM_BLD *bld = NULL;
+ OSSL_PARAM *params = NULL;
+ EVP_PKEY_CTX *pctx = NULL;
+
+ if ((pctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL
+ || (bld = OSSL_PARAM_BLD_new()) == NULL
+ || !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_N, rsa_n)
+ || !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_E, rsa_e)
+ || (params = OSSL_PARAM_BLD_to_param(bld)) == NULL
+ || EVP_PKEY_fromdata_init(pctx) <= 0
+ || EVP_PKEY_fromdata(pctx, &key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
+ EVP_PKEY_CTX_free(pctx);
+ OSSL_PARAM_free(params);
+ OSSL_PARAM_BLD_free(bld);
+ return NULL;
+ }
+#endif
+
+ return key;
+}
+
+static EVP_PKEY *init_evp_pkey_ec(int nid_curve, const unsigned char *buf, size_t len)
+{
+ EVP_PKEY *key = NULL;
+
+#if defined(LIBRESSL_VERSION_NUMBER)
+ BIGNUM *x = NULL;
+ BIGNUM *y = NULL;
+ EC_KEY *ec_key = NULL;
+
+ if ((key = EVP_PKEY_new()) == NULL
+ || (x = BN_bin2bn(buf + 1, len >> 1, NULL)) == NULL
+ || (y = BN_bin2bn(buf + 1 + (len >> 1), len >> 1, NULL)) == NULL
+ || ((ec_key = EC_KEY_new_by_curve_name(nid_curve)) == NULL
+ || (1 != EC_KEY_set_public_key_affine_coordinates(ec_key, x, y))
+ || (1 != EVP_PKEY_assign_EC_KEY(key, ec_key)))) {
+ EVP_PKEY_free(key);
+ BN_free(x);
+ BN_free(y);
+ EC_KEY_free(ec_key);
+ EVP_PKEY_free(key);
+ return NULL;
+ }
+#else
+
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ BN_CTX *ctx = NULL;
+ EC_KEY *ec_key = NULL;
+
+ if ((key = EVP_PKEY_new()) == NULL
+ || (ctx = BN_CTX_new()) == NULL
+ || (ec_key = EC_KEY_new_by_curve_name(nid_curve)) == NULL
+ || (1 != EC_KEY_oct2key(ec_key, buf, len, ctx))
+ || (1 != EVP_PKEY_assign_EC_KEY(key, ec_key))) {
+ EC_KEY_free(ec_key);
+ BN_CTX_free(ctx);
+ EVP_PKEY_free(key);
+ return NULL;
+ }
+#else
+ OSSL_PARAM_BLD *bld = NULL;
+ OSSL_PARAM *params = NULL;
+ EVP_PKEY_CTX *pctx = NULL;
+ char *group_name;
+ switch (nid_curve) {
+ case NID_X9_62_prime256v1:
+ group_name = SN_X9_62_prime256v1;
+ break;
+ case NID_secp384r1:
+ group_name = SN_secp384r1;
+ break;
+ case NID_secp521r1:
+ group_name = SN_secp521r1;
+ break;
+ default:
+ return NULL;
+ }
+
+ if ((pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) == NULL
+ || (bld = OSSL_PARAM_BLD_new()) == NULL
+ || !OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_PKEY_PARAM_GROUP_NAME, group_name, 0)
+ || !OSSL_PARAM_BLD_push_octet_string(bld, OSSL_PKEY_PARAM_PUB_KEY, buf, len)
+ || (params = OSSL_PARAM_BLD_to_param(bld)) == NULL
+ || EVP_PKEY_fromdata_init(pctx) <= 0
+ || EVP_PKEY_fromdata(pctx, &key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
+ EVP_PKEY_CTX_free(pctx);
+ OSSL_PARAM_free(params);
+ OSSL_PARAM_BLD_free(bld);
+ return NULL;
+ }
+#endif
+#endif
+ return key;
+}
+
+static EVP_PKEY *ssh1_line_to_key(char *line)
+{
+ EVP_PKEY *key = NULL;
+ char *b, *e, *m, *c;
+ BIGNUM *rsa_e = NULL, *rsa_n = NULL;
/* first digitstring: the bits */
b = line;
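Review bot: The LibreSSL error path in `init_evp_pkey_ec` calls `EVP_PKEY_free(key);` twice, once before `BN_free(x)` and again after `EC_KEY_free(ec_key)`, which is a double free whenever any step of the chain fails; drop one of the two calls. The success paths also never release their temporaries: `x`/`y` in the LibreSSL branch, `ctx` in the pre-3.0 branch, and `pctx`/`bld`/`params` in the OpenSSL 3 branches of both `init_evp_pkey_ec` and `init_evp_pkey_rsa` are freed only inside the failure block. This code runs once per authorized-key line inside a PAM module, which may be loaded into a long-lived process, so the frees should run on both paths, e.g. placed after the `if` and before `return key;`. `ssh1_line_to_key` begins at the end of this hunk and continues outside it.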
@@ -82,7 +200,7 @@
/* must be a whitespace */
if (*e != ' ' && *e != '\t')
- return NULL;
+ goto err;
/* cut the string in two part */
*e = 0;
@@ -98,7 +216,7 @@
/* must be a whitespace */
if (*m != ' ' && *m != '\t')
- return NULL;
+ goto err;
/* cut the string in two part */
*m = 0;
@@ -113,7 +231,7 @@
/* could be a whitespace or end of line */
if (*c != ' ' && *c != '\t' && *c != '\n' && *c != '\r' && *c != 0)
- return NULL;
+ goto err;
if (*c == ' ' || *c == '\t') {
*c = 0;
@@ -139,24 +257,26 @@
BN_dec2bn(&rsa_e, e);
BN_dec2bn(&rsa_n, m);
- if (!RSA_set0_key(rsa, rsa_n, rsa_e, NULL))
- goto err;
- EVP_PKEY_assign_RSA(key, rsa);
- return key;
+ key = init_evp_pkey_rsa(rsa_n, rsa_e);
- err:
- EVP_PKEY_free(key);
- return NULL;
+err:
+ if (!key) {
+ if (rsa_n)
+ BN_free(rsa_n);
+ if (rsa_e)
+ BN_free(rsa_e);
+ }
+
+ return key;
}
extern int sc_base64_decode(const char *in, unsigned char *out, size_t outlen);
static EVP_PKEY *ssh2_line_to_key(char *line)
{
- EVP_PKEY *key;
- RSA *rsa;
- BIGNUM *rsa_e, *rsa_n;
+ EVP_PKEY *key = NULL;
+ BIGNUM *rsa_e = NULL, *rsa_n = NULL;
unsigned char decoded[OPENSSH_LINE_MAX];
int len;
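Review bot: The `err:` cleanup frees `rsa_n` and `rsa_e` only when `key` is NULL, which matches the pre-3.0 branch of `init_evp_pkey_rsa` (where `RSA_set0_key` takes ownership) but not the OpenSSL 3 branch, where `OSSL_PARAM_BLD_push_BN` only references the BIGNUMs and `EVP_PKEY_fromdata` builds its own copy, so both leak on every successful parse. The same guard is added to `ssh2_line_to_key` in the `@@ -224,31 +344,25 @@` hunk. One way to keep a single ownership contract is for the helper to consume its arguments on success in both branches, i.e. `BN_free(rsa_n); BN_free(rsa_e);` after a successful `EVP_PKEY_fromdata`, with a comment on the helper stating who frees what. `BN_free(NULL)` is a no-op, so the `if (rsa_n)` / `if (rsa_e)` tests can be dropped. `ssh2_line_to_key` starts at the end of this hunk and continues outside it.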
@@ -167,7 +287,7 @@
b = line;
if (!b)
- return NULL;
+ goto err;
/* find the first whitespace */
while (*b && *b != ' ')
@@ -184,7 +304,7 @@
/* decode binary data */
if (sc_base64_decode(b, decoded, OPENSSH_LINE_MAX) < 0)
- return NULL;
+ goto err;
i = 0;
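Review bot: The return value of `sc_base64_decode` is tested for `< 0` and then discarded, so the bounds checks in the following hunks (`i + 4 > OPENSSH_LINE_MAX`, `i + len > OPENSSH_LINE_MAX`) compare against the capacity of the stack buffer `decoded`, not the number of bytes actually decoded. A short or truncated blob can therefore have uninitialised stack bytes interpreted as length fields or key material. Assuming the function returns the decoded byte count (its body is not in this hunk), keep it, e.g. `int decoded_len = sc_base64_decode(b, decoded, OPENSSH_LINE_MAX); if (decoded_len < 0) goto err;`, and bound every later read by `decoded_len`.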
@@ -196,13 +316,13 @@
/* now: key_from_blob */
if (strncmp((char *)&decoded[i], "ssh-rsa", 7) != 0)
- return NULL;
+ goto err;
i += len;
/* to prevent access beyond 'decoded' array, index 'i' must be always checked */
if ( i + 4 > OPENSSH_LINE_MAX )
- return NULL;
+ goto err;
/* get integer from blob */
len =
(decoded[i] << 24) + (decoded[i + 1] << 16) +
@@ -210,13 +330,13 @@
i += 4;
if ( i + len > OPENSSH_LINE_MAX )
- return NULL;
+ goto err;
/* get bignum */
rsa_e = BN_bin2bn(decoded + i, len, NULL);
i += len;
if ( i + 4 > OPENSSH_LINE_MAX )
- return NULL;
+ goto err;
/* get integer from blob */
len =
(decoded[i] << 24) + (decoded[i + 1] << 16) +
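Review bot: The bounds checks here (`i + len > OPENSSH_LINE_MAX`, `i + 4 > OPENSSH_LINE_MAX`) compare against the capacity of `decoded` rather than the number of bytes actually decoded, and they accept a negative `len`. `len` is an `int` assembled from four blob bytes, so a length field with the top bit set yields a negative value that passes the check and is handed to `BN_bin2bn`; a length inside the array but past the decoded data pulls uninitialised stack bytes into the key. Keeping the return value of `sc_base64_decode` in a local such as `decoded_len` (assuming, as in OpenSC, that it is the decoded byte count) and testing `if (len < 0 || len > decoded_len - i) goto err;` would cover both cases. The same pattern appears in the hunks at `@@ -196,13 +316,13 @@` and `@@ -224,31 +344,25 @@`, and the statement that ends this hunk continues outside it.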
@@ -224,31 +344,25 @@
i += 4;
if ( i + len > OPENSSH_LINE_MAX )
- return NULL;
+ goto err;
/* get bignum */
rsa_n = BN_bin2bn(decoded + i, len, NULL);
- key = EVP_PKEY_new();
- rsa = RSA_new();
+ key = init_evp_pkey_rsa(rsa_n, rsa_e);
- /* set e and n */
- if (!RSA_set0_key(rsa, rsa_n, rsa_e, NULL)) {
- EVP_PKEY_free(key);
- RSA_free(rsa);
- return NULL;
+err:
+ if (!key) {
+ if (rsa_n)
+ BN_free(rsa_n);
+ if (rsa_e)
+ BN_free(rsa_e);
}
- EVP_PKEY_assign_RSA(key, rsa);
return key;
}
static EVP_PKEY *ssh_nistp_line_to_key(char *line)
{
- EVP_PKEY *key;
- EC_KEY *ec_key;
- BIGNUM *x;
- BIGNUM *y;
-
unsigned char decoded[OPENSSH_LINE_MAX];
int len;
int flen;
@@ -332,27 +446,8 @@
/* check uncompressed indicator */
if (decoded[i] != 4 )
return NULL;
- i++;
-
- /* create key */
- ec_key = EC_KEY_new_by_curve_name(nid);
- /* read point coordinates */
- x = BN_bin2bn(decoded + i, flen, NULL);
- i += flen;
- y = BN_bin2bn(decoded + i, flen, NULL);
-
- /* do error checking here: valid x, y, ec_key, point on curve.. */
- if (!EC_KEY_set_public_key_affine_coordinates(ec_key, x, y)) {
- EC_KEY_free(ec_key);
- BN_free(x);
- BN_free(y);
- return NULL;
- }
-
- key = EVP_PKEY_new();
- EVP_PKEY_assign_EC_KEY(key, ec_key);
- return key;
+ return init_evp_pkey_ec(nid, decoded + i, len);
}
extern int match_user_openssh(EVP_PKEY *authkey, const char *login)
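Review bot: The call `init_evp_pkey_ec(nid, decoded + i, len)` needs a comment on what the buffer holds, because `i++` was removed and `decoded + i` now points at the 0x04 indicator rather than at the X coordinate. Something like `/* whole uncompressed point, indicator byte included */` above the return would do. The removed code carried a reminder to validate x, y and that the point is on the curve; `init_evp_pkey_ec` is defined outside this hunk, so it is worth confirming that it rejects off-curve points and a `len` that does not match the curve's field size. ssh_nistp_line_to_key starts before the hunk.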
@@ -400,9 +495,15 @@
if (key == NULL)
continue;
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (1 == EVP_PKEY_cmp(authkey, key)) {
found = 1;
}
+#else
+ if (1 == EVP_PKEY_eq(authkey, key)) {
+ found = 1;
+ }
+#endif
EVP_PKEY_free(key);
} while (found == 0);
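Review bot: The `#if`/`#else` duplicates the whole `if (...) { found = 1; }` body only to switch the function name. Defining the name once, e.g. `#define EVP_PKEY_eq EVP_PKEY_cmp` under `#if OPENSSL_VERSION_NUMBER < 0x30000000L` near the includes, lets the loop keep a single `if (1 == EVP_PKEY_eq(authkey, key))`. Comparing against exactly 1 is the right test and should stay, since the negative results for mismatched or unsupported key types must not count as a match. The loop starts outside the hunk.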
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_p11-0.3.1/src/pam_p11.c new/pam_p11-0.5.0/src/pam_p11.c
--- old/pam_p11-0.3.1/src/pam_p11.c 2019-09-08 21:20:21.000000000 +0200
+++ new/pam_p11-0.5.0/src/pam_p11.c 2023-08-03 01:23:19.000000000 +0200
@@ -33,17 +33,6 @@
#include
#include
-/* openssl deprecated API emulation */
-#ifndef HAVE_EVP_MD_CTX_NEW
-#define EVP_MD_CTX_new() EVP_MD_CTX_create()
-#endif
-#ifndef HAVE_EVP_MD_CTX_FREE
-#define EVP_MD_CTX_free(ctx) EVP_MD_CTX_destroy((ctx))
-#endif
-#ifndef HAVE_EVP_MD_CTX_RESET
-#define EVP_MD_CTX_reset(ctx) EVP_MD_CTX_cleanup((ctx))
-#endif
-
#ifdef ENABLE_NLS
#include
#include
@@ -507,7 +496,8 @@
static int key_find(pam_handle_t *pamh, int flags, const char *user,
PKCS11_CTX *ctx, PKCS11_SLOT *slots, unsigned int nslots,
- PKCS11_SLOT **authslot, PKCS11_KEY **authkey)
+ PKCS11_SLOT **authslot, PKCS11_KEY **authkey,
+ EVP_PKEY **authpubkey, PKCS11_CERT **authcert)
{
int token_found = 0;
@@ -517,6 +507,7 @@
*authkey = NULL;
*authslot = NULL;
+ *authcert = NULL;
/* search all valuable slots for a key that is authorized by the user */
while (0 < nslots) {
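Review bot: `*authpubkey` is not reset alongside `*authkey`, `*authslot` and the new `*authcert`, so after a failed search the caller's `EVP_PKEY_free(authpubkey)` is only safe if the caller initialised it. Both callers visible in this diff do declare `authpubkey = NULL`, but adding `*authpubkey = NULL;` here makes key_find's output contract self-contained and protects future callers. key_find's body continues outside the hunk.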
@@ -532,6 +523,14 @@
break;
}
token_found = 1;
+ /* Update "slots" pointer: PKCS11 slots are implemented as array,
+ * so starting to look at slot + 1 and decrementing nslots accordingly
+ * will search the rest of slots. */
+ nslots -= (slot + 1 - slots);
+ slots = slot + 1;
+
+ if (slot->token->initialized == 0)
+ continue;
if (slot->token->loginRequired && slot->token->userPinLocked) {
pam_syslog(pamh, LOG_DEBUG, "%s: PIN locked",
@@ -551,10 +550,8 @@
if (1 != r) {
r = match_user_openssh(pubkey, user);
}
- if (NULL != pubkey) {
- EVP_PKEY_free(pubkey);
- }
if (1 == r) {
+ *authpubkey = pubkey;
*authkey = keys;
*authslot = slot;
pam_syslog(pamh, LOG_DEBUG, "Found %s",
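Review bot: With the unconditional `EVP_PKEY_free(pubkey)` removed, no visible line releases `pubkey` when `r` is not 1, so every non-matching key examined on the token appears to leak an EVP_PKEY. Ownership only needs to pass to the caller on the match, so the other branch should still free it, e.g. `else { EVP_PKEY_free(pubkey); }` after the `if (1 == r)` block. The certificate loop in the next hunk (`@@ -577,14 +574,9 @@`) has the same shape. The rest of both loop bodies lies outside these hunks, so this should be checked against the full function.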
@@ -577,14 +574,9 @@
if (1 != r) {
r = match_user_openssh(pubkey, user);
}
- if (NULL != pubkey) {
- EVP_PKEY_free(pubkey);
- }
if (1 == r) {
- *authkey = PKCS11_find_key(certs);
- if (NULL == *authkey) {
- continue;
- }
+ *authpubkey = pubkey;
+ *authcert = certs;
*authslot = slot;
pam_syslog(pamh, LOG_DEBUG, "Found %s",
certs->label);
@@ -596,20 +588,15 @@
count--;
}
}
-
- /* Try the next possible slot: PKCS11 slots are implemented as array,
- * so starting to look at slot++ and decrementing nslots accordingly
- * will search the rest of slots. */
- slot++;
- nslots -= (slot - slots);
- slots = slot;
- pam_syslog(pamh, LOG_DEBUG, "No authorized key found");
+ pam_syslog(pamh, LOG_DEBUG, "No authorized key found on token %s",
+ slot->token->label);
}
if (0 == token_found) {
prompt(flags, pamh, PAM_ERROR_MSG , NULL, _("No token found"));
} else {
- prompt(flags, pamh, PAM_ERROR_MSG , NULL, _("No authorized keys on token"));
+ prompt(flags, pamh, PAM_ERROR_MSG, NULL,
+ _("Could not find authorized keys on any of the tokens."));
}
return 0;
@@ -631,7 +618,7 @@
return ok;
}
-static int key_verify(pam_handle_t *pamh, int flags, PKCS11_KEY *authkey)
+static int key_verify(pam_handle_t *pamh, int flags, PKCS11_KEY *authkey, EVP_PKEY *pubkey)
{
int ok = 0;
unsigned char challenge[30];
@@ -640,7 +627,6 @@
const EVP_MD *md = EVP_sha1();
EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
EVP_PKEY *privkey = PKCS11_get_private_key(authkey);
- EVP_PKEY *pubkey = PKCS11_get_public_key(authkey);
if (NULL == privkey)
goto err;
@@ -695,6 +681,8 @@
PKCS11_CTX *ctx;
unsigned int nslots;
PKCS11_KEY *authkey;
+ PKCS11_CERT *authcert;
+ EVP_PKEY *authpubkey = NULL;
PKCS11_SLOT *slots, *authslot;
const char *user;
const char *pin_regex;
@@ -706,12 +694,21 @@
}
if (1 != key_find(pamh, flags, user, ctx, slots, nslots,
- &authslot, &authkey)) {
+ &authslot, &authkey, &authpubkey, &authcert)) {
r = PAM_AUTHINFO_UNAVAIL;
goto err;
}
- if (1 != key_login(pamh, flags, authslot, pin_regex)
- || 1 != key_verify(pamh, flags, authkey)) {
+
+ if (1 != key_login(pamh, flags, authslot, pin_regex))
+ goto err;
+
+ if (authkey == NULL && authcert) {
+ if (NULL == (authkey = PKCS11_find_key(authcert))) {
+ r = PAM_AUTHINFO_UNAVAIL;
+ goto err;
+ }
+ }
+ if (1 != key_verify(pamh, flags, authkey, authpubkey)) {
if (authslot->token->userPinLocked) {
r = PAM_MAXTRIES;
} else {
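Review bot: The new `if (1 != key_login(pamh, flags, authslot, pin_regex)) goto err;` leaves `r` unassigned on a failed login, whereas every other failure exit in this hunk sets it. Before the change a failed key_login fell into the block that chooses `PAM_MAXTRIES` or `PAM_AUTH_ERR`; if `r` still holds a success value from earlier in the function (not visible here), the module would report success without a verified PIN. Setting the code explicitly keeps the path fail-closed: `r = authslot->token->userPinLocked ? PAM_MAXTRIES : PAM_AUTH_ERR;` before the `goto err;`. The function starts and ends outside the hunk.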
@@ -768,6 +765,8 @@
PKCS11_CTX *ctx;
unsigned int nslots;
PKCS11_KEY *authkey;
+ PKCS11_CERT *authcert;
+ EVP_PKEY *authpubkey = NULL;
PKCS11_SLOT *slots, *authslot;
const char *user, *pin_regex;
@@ -785,7 +784,7 @@
}
if (1 != key_find(pamh, flags, user, ctx, slots, nslots,
- &authslot, &authkey)) {
+ &authslot, &authkey, &authpubkey, &authcert)) {
r = PAM_AUTHINFO_UNAVAIL;
goto err;
}
@@ -809,6 +808,7 @@
r = PAM_SUCCESS;
err:
+ EVP_PKEY_free(authpubkey);
#ifdef TEST
module_data_cleanup(pamh, global_module_data, r);
#endif
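Review bot: Only this function's `err:` path gains `EVP_PKEY_free(authpubkey)`; no hunk adds a matching call to the other key_find caller (declarations at `@@ -695,6 +681,8 @@`), which passes the key on to key_verify. Unless key_verify's cleanup (outside the hunks) releases `pubkey` on every path, that caller leaks the key, and its exits before key_verify (failed key_login, failed `PKCS11_find_key`) would leak it either way. Freeing in both callers and noting on key_verify that the key is borrowed, e.g. `/* pubkey is owned by the caller */`, would make ownership unambiguous and rule out a double free.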
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_p11-0.3.1/src/test.c new/pam_p11-0.5.0/src/test.c
--- old/pam_p11-0.3.1/src/test.c 2019-04-17 01:28:53.000000000 +0200
+++ new/pam_p11-0.5.0/src/test.c 2023-06-08 17:05:53.000000000 +0200
@@ -58,8 +58,12 @@
/* initialize default values */
strcpy(module, LIBDIR "/opensc-pkcs11.so");
- if (0 != getlogin_r(user, sizeof user))
- goto err;
+ if (argc < 3) {
+ if (0 != getlogin_r(user, sizeof user)) {
+ perror("getlogin_r");
+ goto err;
+ }
+ }
switch (argc) {
case 3: