commit pam_pkcs11
  • From: root@xxxxxxxxxxxxxxx (h_root)
  • Date: Fri, 03 Aug 2007 22:28:43 +0200
  • Message-id: <20070803202843.8201D678336@xxxxxxxxxxxxxxx>

Hello community,

here is the log from the commit of package pam_pkcs11
checked in at Fri Aug 3 22:28:43 CEST 2007.

--------
--- pam_pkcs11/pam_pkcs11.changes       2007-07-26 14:41:12.000000000 +0200
+++ /mounts/work_src_done/STABLE/pam_pkcs11/pam_pkcs11.changes  2007-08-01 16:51:04.000000000 +0200
@@ -1,0 +2,8 @@
+Tue Jul 31 17:34:21 CEST 2007 - sbrabec@xxxxxxx
+
+- Build with NSS instead of openssl.
+- Applied patches from Jacob Berkman: MS UPN OID and NSS
+  configuration.
+- Fixed implicit declaration.
+
+-------------------------------------------------------------------

New:
----
  pam_pkcs11-0.5.3-nss-conf.patch
  pam_pkcs11-0.6.0-ms-upn-oid.patch
  pam_pkcs11-0.6.0-nss-autoconf.patch
  pam_pkcs11-common-auth-smartcard.pam
  pam_pkcs11-implicit-declaration.patch
  pam_pkcs11-mapfile-syntax.patch
  pam_pkcs11-msnickname.patch
  secutil.h

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pam_pkcs11.spec ++++++
--- /var/tmp/diff_new_pack.EQ2216/_old  2007-08-03 22:28:10.000000000 +0200
+++ /var/tmp/diff_new_pack.EQ2216/_new  2007-08-03 22:28:10.000000000 +0200
@@ -12,13 +12,21 @@
 
 Name:           pam_pkcs11
 Version:        0.6.0
-Release:        1
+Release:        4
 URL:            http://www.opensc-project.org/pam_pkcs11/
 Group:          Productivity/Security
 License:        LGPL v2 or later
 Summary:        PKCS #11 PAM Module
 Source:         %{name}-%{version}.tar.bz2
-BuildRequires:  curl-devel libxslt openldap2-devel openssl-devel pam-devel pcsc-lite-devel pkg-config
+Source1:        pam_pkcs11-common-auth-smartcard.pam
+Source2:        secutil.h
+Patch:          %{name}-mapfile-syntax.patch
+Patch1:         %{name}-0.5.3-nss-conf.patch
+Patch2:         %{name}-0.6.0-ms-upn-oid.patch
+Patch3:         %{name}-0.6.0-nss-autoconf.patch
+Patch4:         %{name}-msnickname.patch
+Patch5:         %{name}-implicit-declaration.patch
+BuildRequires:  curl-devel libopenssl-devel libxslt mozilla-nss-devel openldap2-devel openssl-devel pam-devel pcsc-lite-devel pkg-config
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
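Review bot: The BuildRequires line now lists both `openssl-devel` and `libopenssl-devel` next to `mozilla-nss-devel`, so the package keeps building against OpenSSL even though the changelog says "NSS instead of openssl". Judging from the implicit-declaration patch in this same commit (ldap_mapper.c still calls d2i_X509/X509_cmp) that seems deliberate, but then one of the two OpenSSL devel names is presumably redundant and the changelog overstates the switch. A comment above the line, `# OpenSSL is still needed by the LDAP mapper; the rest of the module uses NSS`, would record why two crypto stacks are required.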
@@ -54,13 +62,23 @@
 
 %prep
 %setup -q
+%patch
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5
+cp -a %{S:1} common-auth-smartcard
+cp -a %{S:2} src/common/
 
 %build
 # LDAP_DEPRECATED required for for ldap_simple_bind_s(), ldap_search_s(), ldap_unbind_s()
 # -fno-strict-aliasing required for pam_pkcs11-0.6.0:
 export CFLAGS="$RPM_OPT_FLAGS -DLDAP_DEPRECATED -fno-strict-aliasing"
+export CPPFLAGS="`pkg-config --cflags xulrunner-xpcom | sed 's:  *:/system_wrappers&:g'`"
 %configure\
        --datadir=%{_docdir}\
+       --with-nss\
        --with-curl
 make %{?jobs:-j%jobs}
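Review bot: The new CPPFLAGS line queries `pkg-config --cflags xulrunner-xpcom`, but no xulrunner devel package is in BuildRequires (the hunk above adds mozilla-nss-devel), so in a clean build root pkg-config is likely to print an error and the substitution silently yields empty CPPFLAGS, leaving configure to find the NSS headers by accident or not at all. If the goal is only to locate NSS, `export CPPFLAGS="$(pkg-config --cflags nss)"` ties the flags to the dependency that is actually declared and fails visibly when it is missing. Nothing explains the `system_wrappers` sed rewrite either; a one-line comment stating which header clash it works around would save the next packager a bisect.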
 
@@ -78,7 +96,9 @@
 done
 cd ..
 mkdir -p $RPM_BUILD_ROOT%{_docdir}/%{name}
-cp -a AUTHORS COPYING ChangeLog ChangeLog.svn NEWS README TODO doc/pam_pkcs11.html doc/mappers_api.html doc/README.autologin doc/README.mappers $RPM_BUILD_ROOT%{_docdir}/%{name}
+cp -a AUTHORS COPYING ChangeLog ChangeLog.svn NEWS README TODO doc/pam_pkcs11.html doc/mappers_api.html doc/api doc/README.autologin doc/README.mappers $RPM_BUILD_ROOT%{_docdir}/%{name}
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pam.d
+cp common-auth-smartcard $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/
 %find_lang %{name}
 
 %clean
@@ -95,8 +115,14 @@
 %dir %{_sysconfdir}/pam_pkcs11/cacerts
 %dir %{_sysconfdir}/pam_pkcs11/crls
 %config(noreplace) %{_sysconfdir}/pam_pkcs11/*.conf
+%config(noreplace) %{_sysconfdir}/pam.d/common-auth-smartcard
 
 %changelog
+* Tue Jul 31 2007 - sbrabec@xxxxxxx
+- Build with NSS instead of openssl.
+- Applied patches from Jacob Berkman: MS UPN OID and NSS
+  configuration.
+- Fixed implicit declaration.
 * Thu Jul 26 2007 - sbrabec@xxxxxxx
 - Updated to version 0.6.0:
   * compiler warning fixes

++++++ pam_pkcs11-0.5.3-nss-conf.patch ++++++
--- pam_pkcs11-0.5.3/etc/pam_pkcs11.conf.example~       2005-09-12 05:12:55.000000000 -0400
+++ pam_pkcs11-0.5.3/etc/pam_pkcs11.conf.example        2007-03-01 10:42:20.000000000 -0500
@@ -9,7 +9,7 @@ pam_pkcs11 {
   nullok = true;
 
   # Enable debugging support.
-  debug = true; 
+  debug = false; 
 
   # Do not prompt the user for the passwords but take them from the
   # PAM_ items instead.
@@ -24,7 +24,12 @@ pam_pkcs11 {
   use_authtok = false;
 
   # Filename of the PKCS #11 module. The default value is "default"
-  use_pkcs11_module = opensc;
+  use_pkcs11_module = nss;
+
+  pkcs11_module nss {
+    nss_dir = /etc/pki/nssdb;
+    crl_policy = none;
+  }
 
   pkcs11_module opensc {
     module = /usr/lib/opensc-pkcs11.so;
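Review bot: The new `nss` block, which the example now selects by default, sets `crl_policy = none;`, so a revoked smartcard certificate would still authenticate with this configuration as shipped. Even if the NSS database carries no CRLs at first, the trade-off should be stated next to the line, e.g. `# none disables revocation checks; switch to online/offline/auto once CRLs are loaded into nss_dir`, so it is not copied into production unread. It is also worth a comment that `/etc/pki/nssdb` is the trust store for this module and must not be writable by users, since anyone who can add a CA there can mint login certificates; I could not confirm from the hunk how the directory is created or owned.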
@@ -112,7 +112,7 @@
   # If used null mapper should be the last in the list :-)
   # Also you should select at least one mapper, otherwise
   # certificate will not match :-)
-  use_mappers = digest, cn, pwent, uid, mail, subject, null;
+  use_mappers = ms;
 
   # When no absolute path or module info is provided, use this
   # value as module search path
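Review bot: Reducing the list to `use_mappers = ms;` removes the `null` mapper and every other fallback, so a login is only found when the ms mapper returns one. With the check_upn fix elsewhere in this commit, the ms mapper rejects any UPN whose domain differs from `domainname` unless `ignoredomain` is set, and `domainname` defaults to an empty string, so this example fails closed until the `mapper ms` block is filled in. The comment above the line could say so: `# ms requires domainname (or ignoredomain) in the mapper ms block below; other mappers removed on purpose`. Whether that block already sets domainname is outside the hunk.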
++++++ pam_pkcs11-0.6.0-ms-upn-oid.patch ++++++
--- pam_pkcs11-0.6.0/src/common/cert_info.c~    2007-06-06 05:28:08.000000000 -0400
+++ pam_pkcs11-0.6.0/src/common/cert_info.c     2007-07-18 12:48:08.000000000 -0400
@@ -52,7 +52,7 @@ static const SECOidData kerberosPN_Entry
 SECOidTag CERT_MicrosoftUPN_OID = SEC_OID_UNKNOWN;
 /* { 1.3.6.1.4.1.311 } */
 static const unsigned char microsoftUPNOID[] =  
-        { 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37 }; /*, xxxx  */
+{ 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37, 0x14, 0x2, 0x3 };
 static const SECOidData microsoftUPN_Entry = 
         { TO_ITEM(microsoftUPNOID), SEC_OID_UNKNOWN, 
         "Microsoft Universal Priniciple", CKM_INVALID_MECHANISM, 
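Review bot: The comment above the array, `/* { 1.3.6.1.4.1.311 } */`, is now stale: with the added `0x14, 0x2, 0x3` the bytes decode to 1.3.6.1.4.1.311.20.2.3, the Microsoft UPN arc (szOID_NT_PRINCIPAL_NAME), not just the enterprise prefix. Update it to `/* { 1.3.6.1.4.1.311.20.2.3 } Microsoft User Principal Name, szOID_NT_PRINCIPAL_NAME */` so the next reader can verify the encoding. The description string on the next line ("Priniciple") is a pre-existing typo in a context line and is untouched here.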
@@ -127,6 +127,75 @@ static char **cert_info_digest(X509 *x50
   return entries;
 }
 
+static char **
+cert_info_upn (X509 *x509)
+{
+    SECItem alt_name;
+    SECStatus status;
+    PRArenaPool *arena = NULL;
+    CERTGeneralName *nameList;
+    CERTGeneralName *current;
+    SECOidTag tag;
+    static char *results[CERT_INFO_SIZE] = { NULL };
+    int result = 0;
+    SECItem decoded;
+
+    DBG("Looking for ALT_NAME");
+
+    status = CERT_FindCertExtension (x509, SEC_OID_X509_SUBJECT_ALT_NAME, &alt_name);
+    if (status != SECSuccess) {
+        DBG("Not found");
+        goto no_upn;
+    }
+    
+    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
+    if (!arena) {
+        DBG("Could not allocate arena");
+        goto no_upn;
+    }
+
+    nameList = current = CERT_DecodeAltNameExtension (arena, &alt_name);
+    if (!nameList) {
+        DBG("Could not decode name");
+        goto no_upn;
+    }
+
+    cert_fetchOID(&CERT_MicrosoftUPN_OID, &microsoftUPN_Entry);
+    do {
+        if (current->type == certOtherName) {
+            tag = SECOID_FindOIDTag (&current->name.OthName.oid);
+            DBG1("got other name with tag %#x", tag);
+            if (tag == CERT_MicrosoftUPN_OID) {
+                status = SEC_ASN1DecodeItem (arena, &decoded,
+                                             SEC_UTF8StringTemplate,
+                                             &current->name.OthName.name);
+                if (status == SECSuccess) {
+                    results[result] = malloc (decoded.len + 1);
+                    memcpy (results[result], decoded.data, decoded.len);
+                    results[result][decoded.len] = '\0';
+                    DBG1("Got upn: %s", results[result]);
+                    result++;
+                } else {
+                    DBG("Could not decode upn...");
+                }
+            }
+        } else {
+            DBG("not other name...");
+        }
+        current = CERT_GetNextGeneralName (current);
+    } while (current != nameList && result < CERT_INFO_MAX_ENTRIES);
+
+no_upn:
+    if (arena) {
+        PORT_FreeArena (arena, PR_FALSE);
+    }
+
+    if (alt_name.data) {
+        SECITEM_FreeItem (&alt_name, PR_FALSE);
+    }
+
+    return results;
+}
 
 /**
 * request info on certificate
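Review bot: `alt_name` is declared without an initializer at the top of cert_info_upn, yet the failure path from CERT_FindCertExtension jumps to no_upn where `alt_name.data` is tested and possibly handed to SECITEM_FreeItem; unless NSS guarantees it zeroes the output on failure, that reads an indeterminate pointer. The `results` array is static and is never cleared between calls, so entries from an earlier certificate survive: a later certificate with no UPN, or fewer UPNs, returns the previous certificate's names (and the old allocations leak), which matters because the mapper uses this list to choose the login. The `malloc` on the decoded UTF-8 string is not checked before `memcpy`. I could not confirm from the hunk that CERT_INFO_SIZE leaves a NULL slot beyond CERT_INFO_MAX_ENTRIES; that assumption deserves a comment where the constants are defined.
```c
static char **
cert_info_upn (X509 *x509)
{
    SECItem alt_name = { siBuffer, NULL, 0 };   /* safe to test and free on every exit path */
    /* … unchanged: remaining declarations … */
    int i;

    /* results is static: drop whatever an earlier certificate left here,
       otherwise a certificate without a UPN inherits the previous one's names */
    for (i = 0; i < CERT_INFO_SIZE && results[i]; i++) {
        free (results[i]);
        results[i] = NULL;
    }
    /* … unchanged: extension lookup, arena, alt-name decoding, loop head … */
                if (status == SECSuccess) {
                    results[result] = malloc (decoded.len + 1);
                    if (!results[result]) {
                        DBG("Out of memory for upn");
                        break;
                    }
                    memcpy (results[result], decoded.data, decoded.len);
    /* … unchanged: NUL termination, loop tail, cleanup … */
```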
@@ -174,8 +243,7 @@ char **cert_info(X509 *x509, int type, A
       break;
     /* need oid tag. */
     case CERT_UPN     : /* Microsoft's Universal Principal Name */
-      cert_fetchOID(&CERT_MicrosoftUPN_OID ,& microsoftUPN_Entry);
-      return cert_GetNameElements(&x509->subject, CERT_MicrosoftUPN_OID);
+      return cert_info_upn (x509);
     case CERT_UID     : /* Certificate Unique Identifier */
       return cert_GetNameElements(&x509->subject, SEC_OID_RFC1274_UID);
       break;
--- pam_pkcs11-0.6.0/src/mappers/ms_mapper.c~   2007-07-18 12:48:41.000000000 -0400
+++ pam_pkcs11-0.6.0/src/mappers/ms_mapper.c    2007-07-18 13:21:02.000000000 -0400
@@ -70,7 +70,7 @@ static char *check_upn(char *str) {
            return NULL;
        }
        if (ignoredomain) return str;
-       if (!strcmp(domainname,domain)) {
+       if (strcmp(domainname,domain)) {
            DBG2("Domain '%s' doesn't match UPN domain '%s'",domainname,domain);
            return NULL;
        }
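Review bot: The corrected comparison `if (strcmp(domainname,domain))` is case-sensitive, while the domain half of a UPN is a DNS name and the mapper already exposes an `ignorecase` option; a certificate carrying `user@EXAMPLE.COM` against `domainname = example.com` is now rejected where `strcasecmp` (or honouring ignorecase) would accept it. As far as the hunk shows, the old line had the test inverted, rejecting matching domains and accepting foreign ones whenever domainname was set, so this is a security-relevant fix that deserves its own changelog entry rather than being folded into "MS UPN OID". check_upn starts before the hunk.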
++++++ pam_pkcs11-0.6.0-nss-autoconf.patch ++++++
--- pam_pkcs11-0.6.0/src/pam_pkcs11/pam_config.c~       2007-07-16 16:41:27.000000000 -0400
+++ pam_pkcs11-0.6.0/src/pam_pkcs11/pam_config.c        2007-07-16 16:41:44.000000000 -0400
@@ -42,7 +42,7 @@ struct configuration_st configuration = 
         0,                             /* int card_only; */
         0,                             /* int wait_for_card; */
         "default",                   /* const char *pkcs11_module; */
-        "/etc/pam_pkcs11/pkcs11_module.so",/* const char *pkcs11_module_path; */
+        NULL,                           /* const char *pkcs11_module_path; */
         NULL,                           /* screen savers */
         0,                             /* int slot_num; */
        0,                              /* support threads */
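Review bot: Changing the default of `pkcs11_module_path` from a fixed path to NULL moves the burden onto every consumer of `configuration.pkcs11_module_path`; the code that hands it to the module loader, or prints it with `%s` in a DBG call, is outside this hunk and I could not confirm it tolerates NULL. A comment on the initializer, `NULL, /* pkcs11_module_path: unset, resolved from the pkcs11_module block (or NSS) */`, plus an explicit NULL check at the load site would make the new contract visible. The `configuration` initializer starts before the hunk.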
++++++ pam_pkcs11-implicit-declaration.patch ++++++
ldap_mapper.c: In function 'ldap_get_certificate':
ldap_mapper.c:757: warning: implicit declaration of function 'd2i_X509'
ldap_mapper.c:757: warning: assignment makes pointer from integer without a cast
ldap_mapper.c: In function 'ldap_mapper_match_user':
ldap_mapper.c:871: warning: implicit declaration of function 'X509_cmp'
================================================================================
--- src/mappers/ldap_mapper.c
+++ src/mappers/ldap_mapper.c
@@ -36,6 +36,7 @@
 
 #include <ldap.h>
 #include <pwd.h>
+#include <ssl/x509.h>
 
 #include "../common/cert_st.h"
 #include "../common/debug.h"
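Review bot: The added `#include <ssl/x509.h>` silences the warnings by pulling OpenSSL's X509 declarations into a file that, per the spec in this commit, is now built with `--with-nss`; `d2i_X509` and `X509_cmp` are OpenSSL entry points, so unless cert_st.h maps X509 to OpenSSL's type in that configuration the LDAP mapper decodes and compares certificates with a different library than the rest of the module, and the two `X509` typedefs may collide. The "assignment makes pointer from integer" warning was pointing at a real type mismatch, so the hunk hides it rather than fixing it. Under NSS the equivalents would be CERT_DecodeDERCertificate (or CERT_DecodeCertFromPackage) for the decode and CERT_CompareCerts for the comparison, behind the same build conditional the rest of the tree uses; lines 757 and 871 named in the patch header are outside this hunk. The `ssl/` include directory also appears to be a distribution-specific alias, and `<openssl/x509.h>` is the portable spelling if OpenSSL is intended.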
++++++ pam_pkcs11-mapfile-syntax.patch ++++++
https://bugzilla.novell.com/show_bug.cgi?id=293026
http://www.opensc-project.org/opensc/ticket/154
================================================================================
--- etc/pam_pkcs11.conf.example
+++ etc/pam_pkcs11.conf.example
@@ -131,7 +131,7 @@
         # Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid"
         cert_item  = cn;
         # Define mapfile if needed, else select "none"
-        mapfile = file:///etc/pam_pkcs11/generic_mapping
+        mapfile = file:///etc/pam_pkcs11/generic_mapping;
         # Decide if use getpwent() to map login
         use_getpwent = false;
   }
++++++ pam_pkcs11-msnickname.patch ++++++
--- pam_pkcs11-0.5.3/src/mappers/ms_mapper.c~   2005-09-12 05:12:55.000000000 -0400
+++ pam_pkcs11-0.5.3/src/mappers/ms_mapper.c    2007-01-17 14:27:52.000000000 -0500
@@ -52,6 +52,7 @@
 static int ignorecase = 0;
 static int ignoredomain =0;
 static const char *domainname="";
+static const char *domainnickname="";
 static int debug =0;
 
 /* check syntax and domain match on provided string */
@@ -73,6 +74,16 @@
            DBG2("Domain '%s' doesn't match UPN domain '%s'",domainname,domain);
            return NULL;
        }
+        if (domainnickname && domainnickname[0]) {
+            char *tmp;
+            size_t tmp_len;
+            DBG1("Adding domain nick name '%s'",domainnickname);
+            tmp_len = strlen (str) + strlen (domainnickname) + 2;
+            tmp = malloc (tmp_len);
+            snprintf (tmp, tmp_len, "%s\\%s", domainnickname, str);
+            free (str);
+            str = tmp;
+        }
        return str;
 }
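Review bot: The nickname branch calls `malloc` and hands the result straight to `snprintf` without a NULL check, then frees the caller's `str` and returns a different allocation; as far as the hunk shows, check_upn previously returned either `str` itself or NULL, so a caller that still holds the original pointer, to free it or compare against it, would now double-free or use freed memory. Guard the allocation with `if (!tmp) return NULL;` to match the function's other failure paths and add a comment on check_upn stating that the returned buffer may differ from the one passed in. Note also that the earlier `if (ignoredomain) return str;` leaves the function before this block, so the nickname prefix is never applied when ignoredomain is set; if that is not intended the block belongs above the domain check. check_upn starts before the hunk.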
 
@@ -179,6 +190,7 @@
        ignorecase = scconf_get_bool(blk,"ignorecase",ignorecase);
        ignoredomain = scconf_get_bool(blk,"ignoredomain",ignoredomain);
        domainname = scconf_get_str(blk,"domainname",domainname);
+        domainnickname = scconf_get_str(blk,"domainnickname",domainnickname);
        } else {
                DBG1("No block declaration for mapper '%s'",mapper_name);
        }
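Review bot: The new `domainnickname` key is read here but nothing in the commit documents it, neither the example configuration patched in the same commit nor a comment in the mapper; an administrator has no way to learn that the mapped login becomes `NICK\user`. A line beside the other ms options in the example, `# domainnickname = NTDOMAIN;  # prefix the mapped login as NTDOMAIN\user`, would cover it. Whether the example's `mapper ms` block already lists ignorecase, ignoredomain and domainname is outside this hunk.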

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...

