Hello community,
here is the log from the commit of package pam_pkcs11 for openSUSE:Factory checked in at 2019-02-01 11:46:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pam_pkcs11 (Old)
and /work/SRC/openSUSE:Factory/.pam_pkcs11.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam_pkcs11"
Fri Feb 1 11:46:58 2019 rev:32 rq:670213 version:0.6.10
Changes:
--------
--- /work/SRC/openSUSE:Factory/pam_pkcs11/pam_pkcs11.changes 2018-09-11 17:19:57.311165819 +0200
+++ /work/SRC/openSUSE:Factory/.pam_pkcs11.new.28833/pam_pkcs11.changes 2019-02-01 11:46:59.820456877 +0100
@@ -1,0 +2,16 @@
+Tue Jan 29 22:45:28 CET 2019 - sbrabec@suse.com
+
+- Update to version 0.6.10:
+ * Fix some security issues (thx @frankmorgner):
+ https://www.x41-dsec.de/lab/advisories/x41-2018-003-pam_pkcs11/
+ (drop 0001-verify-using-a-nonce-from-the-system-not-the-card.patch,
+ 0002-fixed-buffer-overflow-with-long-home-directory.patch,
+ 0003-fixed-wiping-secrets-with-OpenSSL_cleanse.patch).
+ * Fix buffer overflow with long home directory.
+ * Fix wiping secrets (now using OpenSSL_cleanse()).
+ * Verify using a nonce from the system, not the card.
+ * Fix segfalt when checking CRLs
+ (drop pam_pkcs11-crl-check.patch).
+- Add rcpkcs11_eventmgr service symlink.
+
+-------------------------------------------------------------------
Old:
----
0001-verify-using-a-nonce-from-the-system-not-the-card.patch
0002-fixed-buffer-overflow-with-long-home-directory.patch
0003-fixed-wiping-secrets-with-OpenSSL_cleanse.patch
pam_pkcs11-0.6.9-ChangeLog.git
pam_pkcs11-crl-check.patch
pam_pkcs11-pam_pkcs11-0.6.9.tar.gz
New:
----
pam_pkcs11-0.6.10-ChangeLog.git
pam_pkcs11-0.6.10.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ pam_pkcs11.spec ++++++
--- /var/tmp/diff_new_pack.2lCZ7h/_old 2019-02-01 11:47:01.520455131 +0100
+++ /var/tmp/diff_new_pack.2lCZ7h/_new 2019-02-01 11:47:01.520455131 +0100
@@ -1,7 +1,7 @@
#
# spec file for package pam_pkcs11
#
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -12,33 +12,28 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
# It seems to be an upstream naming bug:
%define _name pam_pkcs11-pam_pkcs11
Name: pam_pkcs11
-Version: 0.6.9
+Version: 0.6.10
Release: 0
Summary: PKCS #11 PAM Module
License: LGPL-2.1-or-later
Group: Productivity/Security
Url: https://github.com/OpenSC/pam_pkcs11
-Source: %{_name}-%{version}.tar.gz
+Source: https://github.com/OpenSC/pam_pkcs11/archive/%{name}-%{version}.tar.gz
Source1: pam_pkcs11-common-auth-smartcard.pam
Source2: baselibs.conf
# make dist was not called.
-Source3: pam_pkcs11-0.6.9-ChangeLog.git
+Source3: pam_pkcs11-0.6.10-ChangeLog.git
Source4: pkcs11_eventmgr.service
Patch0: %{name}-fsf-address.patch
Patch1: %{name}-0.5.3-nss-conf.patch
Patch3: %{name}-0.6.0-nss-autoconf.patch
-# PATCH-FIX-UPSTEAM-PENDING pam_pkcs11-crl-check.patch https://github.com/OpenSC/pam_pkcs11/pull/26 -- Fix segfault and fetch problems when checking CRLs.
-Patch4: %{name}-crl-check.patch
-Patch5: 0001-verify-using-a-nonce-from-the-system-not-the-card.patch
-Patch6: 0002-fixed-buffer-overflow-with-long-home-directory.patch
-Patch7: 0003-fixed-wiping-secrets-with-OpenSSL_cleanse.patch
BuildRequires: curl-devel
BuildRequires: docbook-xsl-stylesheets
BuildRequires: doxygen
@@ -93,10 +88,6 @@
%patch0 -p1
%patch1 -p1
%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
cp -a %{SOURCE1} common-auth-smartcard
sed -i s:/lib/:/%{_lib}/:g etc/pam_pkcs11.conf.example.in etc/pkcs11_eventmgr.conf.example
# make dist was not called and cannot be called on a non git snapshot.
@@ -132,6 +123,8 @@
mkdir -p %{buildroot}%{_sysconfdir}/pam.d
cp common-auth-smartcard %{buildroot}%{_sysconfdir}/pam.d/
install -D -m 644 %{SOURCE4} %{buildroot}%{_unitdir}/pkcs11_eventmgr.service
+mkdir -p %{buildroot}%{_sbindir}
+ln -s service %{buildroot}%{_sbindir}/rcpkcs11_eventmgr
%find_lang %{name}
%fdupes -s %{buildroot}%{_docdir}/%{name}
@@ -160,6 +153,7 @@
%config(noreplace) %{_sysconfdir}/pam_pkcs11/*.conf
%config(noreplace) %{_sysconfdir}/pam.d/common-auth-smartcard
%{_prefix}/lib/systemd/system/pkcs11_eventmgr.service
+%{_sbindir}/*
%files devel-doc
%doc %{_docdir}/%{name}/api
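Review bot: The added `%{_sbindir}/*` entry is a wildcard, so anything a future upstream `make install` places in the sbin directory would be shipped without the spec being touched. The only file this change creates there is the symlink from the install hunk, so listing it as `%{_sbindir}/rcpkcs11_eventmgr` keeps the file list auditable and lets an unexpected new binary surface as an unpackaged-file error instead. The %files section this line belongs to starts above the hunk.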
++++++ pam_pkcs11-0.6.9-ChangeLog.git -> pam_pkcs11-0.6.10-ChangeLog.git ++++++
++++ 6284 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/pam_pkcs11/pam_pkcs11-0.6.9-ChangeLog.git
++++ and /work/SRC/openSUSE:Factory/.pam_pkcs11.new.28833/pam_pkcs11-0.6.10-ChangeLog.git
++++++ pam_pkcs11-pam_pkcs11-0.6.9.tar.gz -> pam_pkcs11-0.6.10.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_pkcs11-pam_pkcs11-0.6.9/ChangeLog new/pam_pkcs11-pam_pkcs11-0.6.10/ChangeLog
--- old/pam_pkcs11-pam_pkcs11-0.6.9/ChangeLog 2016-09-28 13:44:52.000000000 +0200
+++ new/pam_pkcs11-pam_pkcs11-0.6.10/ChangeLog 2018-09-11 23:06:08.000000000 +0200
@@ -1,3 +1,11 @@
+12- Sep 2018
+ - Version 0.6.10 is out.
+ - Fixed some security issues (thx @frankmorgner):
+ (https://www.x41-dsec.de/lab/advisories/x41-2018-003-pam_pkcs11/)
+ -- fixed buffer overflow with long home directory;
+ -- fixed wiping secrets (now using OpenSSL_cleanse());
+ -- verify using a nonce from the system, not the card.
+
08- Sep 2005
- Fixes to pam_pkcs11.spec
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_pkcs11-pam_pkcs11-0.6.9/NEWS new/pam_pkcs11-pam_pkcs11-0.6.10/NEWS
--- old/pam_pkcs11-pam_pkcs11-0.6.9/NEWS 2016-09-28 13:44:52.000000000 +0200
+++ new/pam_pkcs11-pam_pkcs11-0.6.10/NEWS 2018-09-11 23:06:08.000000000 +0200
@@ -1,3 +1,13 @@
+12- Sep 2018
+ - Version 0.6.10 is out.
+ - Fixed some security issues (thx @frankmorgner):
+ (https://www.x41-dsec.de/lab/advisories/x41-2018-003-pam_pkcs11/)
+ -- fixed buffer overflow with long home directory;
+ -- fixed wiping secrets (now using OpenSSL_cleanse());
+ -- verify using a nonce from the system, not the card.
+
+... 0.6.9 ... 0.6.0 are yet undescribed.
+
12- Sep 2005
- Finally pam_pkcs11-0.5.3 is out.
- New mapper API and Docs
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_pkcs11-pam_pkcs11-0.6.9/README new/pam_pkcs11-pam_pkcs11-0.6.10/README
--- old/pam_pkcs11-pam_pkcs11-0.6.9/README 2016-09-28 13:44:52.000000000 +0200
+++ new/pam_pkcs11-pam_pkcs11-0.6.10/README 2018-09-11 23:06:08.000000000 +0200
@@ -1,10 +1,11 @@
This is the README of the PKCS #11 PAM Login Module
======================================================================
-Release: 0.6.1
+Release: 0.6.10
Authors: Mario Strasser
Juan Antonio Martinez
Ludovic Rouseau
+ Frank Morgner
This Linux-PAM login module allows a X.509 certificate based user
login. The certificate and its dedicated private key are thereby
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_pkcs11-pam_pkcs11-0.6.9/README.md new/pam_pkcs11-pam_pkcs11-0.6.10/README.md
--- old/pam_pkcs11-pam_pkcs11-0.6.9/README.md 2016-09-28 13:44:52.000000000 +0200
+++ new/pam_pkcs11-pam_pkcs11-0.6.10/README.md 2018-09-11 23:06:08.000000000 +0200
@@ -1,7 +1,126 @@
-# This project is no more maintained
+PAM-PKCS\#11 Login Tools
+========================
-I @LudovicRousseau do not use this software any more and have no time to take care of it.
-See "Pam-pkcs#11 needs a new maintainer(s) soon, or it will die" https://sourceforge.net/p/opensc/mailman/message/35191905/
+Description
+-----------
-If you want to become the new maintainer just ask me @LudovicRousseau to add you
-in the https://github.com/orgs/OpenSC/teams/pam_pkcs11-maintainers group.
+This Linux-PAM login module allows a X.509 certificate based user login.
+The certificate and its dedicated private key are thereby accessed by
+means of an appropriate PKCS\#11 module. For the verification of the
+users' certificates, locally stored CA certificates as well as either
+online or locally accessible CRLs are used.
+
+Detailed information about the Linux-PAM system can be found in [The
+Linux-PAM System Administrators'
+Guide](http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html),
+[The Linux-PAM Module Writers'
+Guide](http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_MWG.html)
+and [The Linux-PAM Application Developers'
+Guide](http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_ADG.html)
+The specification of the Cryptographic Token Interface Standard
+(PKCS\#11) is available at [PKCS\#11 - Cryptographic Token Interface
+Standard](https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os...).
+
+PAM-PKCS\#11 package provides:
+
+* A PAM module able to:
+ * Use certificates to get user credentials
+ * Deduce a login based on provided certificate
+* Several tools:
+ * Standalone cert-to-login finder tool
+ * Certificate contents viewer
+ * Card Event status monitor, to trigger actions on card insert/removal
+
+You can read the online [PAM-PKCS\#11 User
+Manual](http://opensc.github.io/pam_pkcs11/doc/pam_pkcs11.html) to know
+how to install, configure and use this software.
+
+### PKCS\#11 Module Requirements
+
+The PKCS\#11 modules must fulfill the requirements given by the RSA
+Asymmetric Client Signing Profile, which has been specified in the
+ [PKCS\#11: Conformance Profile
+Specification](http://www.rsa.com/rsalabs/node.asp?id=2133) by RSA
+Laboratories.
+
+### User Matching
+
+To map the ownership of a certificate into a user login, pam-pkcs11 uses
+the concept of *mapper* that is, a list of configurable, stackable
+list of dynamic modules, each one trying to do a specific cert-to-login
+maping. Several mappers are provided:
+
+* the common name of the subject matches the login name
+* the unique identifier of the subject matches the login name
+* the user part of an e-mail subject alternative name extension matches the login name
+* the Microsoft universal principal name extension matches the login name
+* etc...(see documentation on provided mappers)
+
+Many mappers may use also a *mapfile* to translate Certificate
+contents to a login name.
+
+Download
+--------
+
+* [pam\_pkcs11-0.6.9.tar.gz](http://sourceforge.net/projects/opensc/files/pam_pkcs11/)
+
+Packages for [various Linux
+distributions](https://repology.org/metapackage/pam-pkcs11) are
+available through the their standard package management system.
+
+Installation
+------------
+
+Unpack the archive, configure, compile and install it:
+
+```sh
+tar xvzf pkcs11_login-X.Y.Z.tar.gz
+cd pkcs11_login-X.Y.Z
+./configure
+make
+sudo make install
+```
+
+If you want to use [cURL](http://curl.haxx.se/libcurl/) instead of
+our native URI-functions for downloading CRLs, use `./configure --with-curl`
+
+However, up to now cURL is not able to handle binary LDAP replies and
+thus CRL download might not work for all LDAP URIs.
+
+Next, you have to create the needed openssl-hash-links.
+
+```sh
+make_hash_link.sh ${path to the directory with the CA certificates}
+make_hash_link.sh ${path to the directory with the CRLs}
+```
+
+Configuration
+-------------
+
+See [PAM-PKCS\#11 User
+Manual](http://opensc.github.io/pam_pkcs11/doc/pam_pkcs11.html) to
+configure and set up pam\_pkcs11.
+
+See [PAM-PKCS\#11 Mappers
+API](http://opensc.github.io/pam_pkcs11/doc/mappers_api.html) to get
+advanced information on mappers (mainly for developers).
+
+Documentation
+-------------
+
+* Online Manuals
+* [PAM-PKCS\#11 User Manual](http://opensc.github.io/pam_pkcs11/doc/pam_pkcs11.html)
+* [PAM-PKCS\#11 Mappers API Reference](http://opensc.github.io/pam_pkcs11/doc/mappers_api.html)
+* [TODO](https://raw.github.com/OpenSC/pam_pkcs11/master/TODO) file (outdated)
+* Man pages
+ * [`pam_pkcs11(8)`](https://linux.die.net/man/8/pam_pkcs11)
+ * [`card_eventmgr(1)`](https://linux.die.net/man/1/card_eventmgr)
+ * [`pkcs11_eventmgr(1)`](https://linux.die.net/man/1/pkcs11_eventmgr)
+ * [`pklogin_finder(1)`](https://linux.die.net/man/1/pklogin_finder)
+ * [`pkcs11_inspect(1)`](https://linux.die.net/man/1/pkcs11_inspect)
+
+Contact
+-------
+
+[Get involved](https://github.com/OpenSC/pam_pkcs11/issues)
+in development! All comments, suggestions and bug reports are welcome.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_pkcs11-pam_pkcs11-0.6.9/configure.ac new/pam_pkcs11-pam_pkcs11-0.6.10/configure.ac
--- old/pam_pkcs11-pam_pkcs11-0.6.9/configure.ac 2016-09-28 13:44:52.000000000 +0200
+++ new/pam_pkcs11-pam_pkcs11-0.6.10/configure.ac 2018-09-11 23:06:08.000000000 +0200
@@ -4,7 +4,7 @@
AC_PREREQ([2.69])
# Process this file with autoconf to produce a configure script.
-AC_INIT([pam_pkcs11],[0.6.9])
+AC_INIT([pam_pkcs11],[0.6.10])
AC_CONFIG_SRCDIR([src/pam_pkcs11/pam_pkcs11.c])
AC_CANONICAL_HOST
AM_INIT_AUTOMAKE
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_pkcs11-pam_pkcs11-0.6.9/src/common/cert_vfy.c new/pam_pkcs11-pam_pkcs11-0.6.10/src/common/cert_vfy.c
--- old/pam_pkcs11-pam_pkcs11-0.6.9/src/common/cert_vfy.c 2016-09-28 13:44:52.000000000 +0200
+++ new/pam_pkcs11-pam_pkcs11-0.6.10/src/common/cert_vfy.c 2018-09-11 23:06:08.000000000 +0200
@@ -143,21 +143,20 @@
static int verify_crl(X509_CRL * crl, X509_STORE_CTX * ctx)
{
int rv;
- X509_OBJECT *obj = NULL;
+ X509_OBJECT obj;
EVP_PKEY *pkey = NULL;
X509 *issuer_cert;
/* get issuer certificate */
- rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), obj);
+ rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), &obj);
if (rv <= 0) {
set_error("getting the certificate of the crl-issuer failed");
return -1;
}
/* extract public key and verify signature */
- issuer_cert = X509_OBJECT_get0_X509(obj);
+ issuer_cert = X509_OBJECT_get0_X509((&obj));
pkey = X509_get_pubkey(issuer_cert);
- if (obj)
- X509_OBJECT_free(obj);
+ X509_OBJECT_free_contents(&obj);
if (pkey == NULL) {
set_error("getting the issuer's public key failed");
return -1;
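Review bot: `X509_OBJECT obj;` is declared by value and released with `X509_OBJECT_free_contents(&obj)`, yet the same lines read it through `X509_OBJECT_get0_X509()`. As far as I know, the by-value declaration and `X509_OBJECT_free_contents` exist only in OpenSSL before 1.1.0, where the struct is not opaque, while the `get0` accessor arrived in 1.1.0. Unless compatibility macros outside this hunk bridge the two, this cannot build cleanly against either generation; `X509_OBJECT_new()` / `X509_OBJECT_free()` behind a version check would cover both. The same applies to `X509_OBJECT obj;` and the new `EVP_PKEY crl_pkey;` in the check_for_revocation hunk, where `crl_pkey` is not used in any visible line. verify_crl continues past the end of this hunk.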
@@ -203,13 +202,14 @@
static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t policy)
{
int rv, i, j;
- X509_OBJECT *obj = NULL;
+ X509_OBJECT obj;
X509_REVOKED *rev = NULL;
STACK_OF(DIST_POINT) * dist_points;
DIST_POINT *point;
GENERAL_NAME *name;
X509_CRL *crl;
X509 *x509_ca = NULL;
+ EVP_PKEY crl_pkey;
DBG1("crl policy: %d", policy);
if (policy == CRLP_NONE) {
@@ -227,28 +227,27 @@
} else if (policy == CRLP_OFFLINE) {
/* OFFLINE */
DBG("looking for an dedicated local crl");
- rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), obj);
+ rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), &obj);
if (rv <= 0) {
set_error("no dedicated crl available");
return -1;
}
- crl = X509_OBJECT_get0_X509_CRL(obj);
- if (obj)
- X509_OBJECT_free(obj);
+ crl = X509_OBJECT_get0_X509_CRL((&obj));
+ X509_OBJECT_free_contents(&obj);
} else if (policy == CRLP_ONLINE) {
/* ONLINE */
DBG("extracting crl distribution points");
dist_points = X509_get_ext_d2i(x509, NID_crl_distribution_points, NULL, NULL);
if (dist_points == NULL) {
/* if there is not crl distribution point in the certificate hava a look at the ca certificate */
- rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), obj);
+ rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), &obj);
if (rv <= 0) {
set_error("no dedicated ca certificate available");
return -1;
}
- x509_ca = X509_OBJECT_get0_X509(obj);
+ x509_ca = X509_OBJECT_get0_X509((&obj));
dist_points = X509_get_ext_d2i(x509_ca, NID_crl_distribution_points, NULL, NULL);
- X509_OBJECT_free(obj);
+ X509_OBJECT_free_contents(&obj);
if (dist_points == NULL) {
set_error("neither the user nor the ca certificate does contain a crl distribution point");
return -1;
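Review bot: In the CRLP_OFFLINE branch `crl` is a borrowed pointer from `X509_OBJECT_get0_X509_CRL()`, and the reference the lookup took is dropped on the very next line by `X509_OBJECT_free_contents(&obj)`. The function later calls `X509_CRL_free(crl)` (last hunk of this file), which on the offline path releases a reference this code no longer holds, presumably the store's own, leaving the store with a dangling entry. Taking a reference before releasing the object, e.g. `X509_CRL_up_ref(crl);` on OpenSSL 1.1.0+, or keeping `obj` alive until the check is done and skipping the final free for this path, would make ownership consistent. The ONLINE branch is fine in this respect, because `X509_get_ext_d2i()` returns a new object before `obj` is released. The function starts and ends outside this hunk.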
@@ -296,10 +295,10 @@
} else if (rv == 0) {
return 0;
}
+ DBG("checking revocation");
rv = X509_CRL_get0_by_cert(crl, &rev, x509);
X509_CRL_free(crl);
- X509_REVOKED_free(rev);
- return (rv == -1);
+ return (rv == 0);
}
static int add_hash( X509_LOOKUP *lookup, const char *dir) {
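Review bot: The new `return (rv == 0);` deserves a comment, because it inverts the old expression and depends on the result convention of `X509_CRL_get0_by_cert()`: 0 when the certificate is not listed, 1 when it is revoked, 2 when the entry carries the removeFromCRL reason. With this line both 1 and 2 make check_for_revocation report the certificate as revoked, which fails closed. A line such as `/* 0 = not in CRL -> valid (return 1); 1 or 2 = listed -> revoked (return 0) */` above the return would record that this is intended. The start of the function is outside this hunk.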
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_pkcs11-pam_pkcs11-0.6.9/src/common/pkcs11_lib.c new/pam_pkcs11-pam_pkcs11-0.6.10/src/common/pkcs11_lib.c
--- old/pam_pkcs11-pam_pkcs11-0.6.9/src/common/pkcs11_lib.c 2016-09-28 13:44:52.000000000 +0200
+++ new/pam_pkcs11-pam_pkcs11-0.6.10/src/common/pkcs11_lib.c 2018-09-11 23:06:08.000000000 +0200
@@ -63,7 +63,7 @@
/* perform pkcs #11 login */
rv = pkcs11_login(h, pin);
- memset(pin, 0, strlen(pin));
+ cleanse(pin, strlen(pin));
if (rv != 0) {
set_error("pkcs11_login() failed: %s", get_error());
return -1;
@@ -131,6 +131,43 @@
return (0);
}
+int get_random_value(unsigned char *data, int length)
+{
+ static const char *random_device = "/dev/urandom";
+ int rv, fh, l;
+
+ DBG2("reading %d random bytes from %s", length, random_device);
+ fh = open(random_device, O_RDONLY);
+ if (fh == -1) {
+ set_error("open() failed: %s", strerror(errno));
+ return -1;
+ }
+
+ l = 0;
+ while (l < length) {
+ rv = read(fh, data + l, length - l);
+ if (rv <= 0) {
+ close(fh);
+ set_error("read() failed: %s", strerror(errno));
+ return -1;
+ }
+ l += rv;
+ }
+ close(fh);
+ DBG5("random-value[%d] = [%02x:%02x:%02x:...:%02x]", length, data[0],
+ data[1], data[2], data[length - 1]);
+ return 0;
+}
+
+void cleanse(void *ptr, size_t len)
+{
+#ifdef HAVE_OPENSSL
+ OPENSSL_cleanse(ptr, len);
+#else
+ memset(ptr, 0, len);
+#endif
+}
+
#ifdef HAVE_NSS
/*
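Review bot: The non-OpenSSL branch of `cleanse()` is still a plain `memset(ptr, 0, len)`, so in NSS builds the wipes that sit directly before `free()` in this same file (`cleanse(h, sizeof(pkcs11_handle_t)); free(h);`) can be inlined and dropped as dead stores, which is the behaviour the OpenSSL branch was added to avoid. Where the platform provides it, `explicit_bzero(ptr, len);` behind a configure check is a drop-in replacement for that branch. In `get_random_value()` the `DBG5` line indexes `data[1]`, `data[2]` and `data[length - 1]` unconditionally, which reads outside the buffer when `length` is below 3. A `read()` that returns 0 also reports `strerror(errno)` left over from an unrelated call, and `EINTR` is treated as a hard failure. Guarding the debug line with `if (length >= 3)` and retrying on `EINTR` would cover these.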
@@ -609,7 +646,7 @@
if (h->module) {
SECMOD_DestroyModule(h->module);
}
- memset(h, 0, sizeof(pkcs11_handle_t));
+ cleanse(h, sizeof(pkcs11_handle_t));
free(h);
/* if we initialized NSS, then we need to shut it down */
@@ -834,16 +871,6 @@
return 0;
}
-int get_random_value(unsigned char *data, int length)
-{
- SECStatus rv = PK11_GenerateRandom(data,length);
- if (rv != SECSuccess) {
- DBG1("couldn't generate random number: %s", SECU_Strerror(PR_GetError()));
- }
- return (rv == SECSuccess) ? 0 : -1;
-}
-
-
struct tuple_str {
PRErrorCode errNum;
const char * errString;
@@ -1181,7 +1208,7 @@
/* release all allocated memory */
if (h->slots != NULL)
free(h->slots);
- memset(h, 0, sizeof(pkcs11_handle_t));
+ cleanse(h, sizeof(pkcs11_handle_t));
free(h);
}
@@ -1778,32 +1805,4 @@
(*signature)[0], (*signature)[1], (*signature)[2], (*signature)[*signature_length - 1]);
return 0;
}
-
-int get_random_value(unsigned char *data, int length)
-{
- static const char *random_device = "/dev/urandom";
- int rv, fh, l;
-
- DBG2("reading %d random bytes from %s", length, random_device);
- fh = open(random_device, O_RDONLY);
- if (fh == -1) {
- set_error("open() failed: %s", strerror(errno));
- return -1;
- }
-
- l = 0;
- while (l < length) {
- rv = read(fh, data + l, length - l);
- if (rv <= 0) {
- close(fh);
- set_error("read() failed: %s", strerror(errno));
- return -1;
- }
- l += rv;
- }
- close(fh);
- DBG5("random-value[%d] = [%02x:%02x:%02x:...:%02x]", length, data[0],
- data[1], data[2], data[length - 1]);
- return 0;
-}
#endif /* HAVE_NSS */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_pkcs11-pam_pkcs11-0.6.9/src/common/pkcs11_lib.h new/pam_pkcs11-pam_pkcs11-0.6.10/src/common/pkcs11_lib.h
--- old/pam_pkcs11-pam_pkcs11-0.6.9/src/common/pkcs11_lib.h 2016-09-28 13:44:52.000000000 +0200
+++ new/pam_pkcs11-pam_pkcs11-0.6.10/src/common/pkcs11_lib.h 2018-09-11 23:06:08.000000000 +0200
@@ -67,6 +67,7 @@
unsigned char *data, unsigned long length,
unsigned char **signature, unsigned long *signature_length);
PKCS11_EXTERN int get_random_value(unsigned char *data, int length);
+PKCS11_EXTERN void cleanse(void *ptr, size_t len);
#undef PKCS11_EXTERN
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_pkcs11-pam_pkcs11-0.6.9/src/common/uri.c new/pam_pkcs11-pam_pkcs11-0.6.10/src/common/uri.c
--- old/pam_pkcs11-pam_pkcs11-0.6.9/src/common/uri.c 2016-09-28 13:44:52.000000000 +0200
+++ new/pam_pkcs11-pam_pkcs11-0.6.10/src/common/uri.c 2018-09-11 23:06:08.000000000 +0200
@@ -407,7 +407,7 @@
set_error("not enough free memory available");
return -1;
}
- sprintf(request, "GET %s HTTP/1.0\nHost: %s\n\n\n", uri->http->path, uri->http->host);
+ sprintf(request, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n", uri->http->path, uri->http->host);
len = strlen(request);
rv = send(sock, request, len, 0);
free(request);
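Review bot: The fixed part of the request grew from 23 to 25 bytes with the switch to CRLF, and it is still written with an unbounded `sprintf` into `request`, whose allocation sits above this hunk. If that size was computed tightly for the old format, this line now writes two bytes past the end. Using `snprintf(request, request_size, ...)` with the allocated size (`request_size` is a placeholder name) and failing on truncation removes the dependency on that arithmetic staying in sync. Since `path` and `host` come from a CRL URI, presumably taken from the certificate being verified, rejecting CR or LF in them before formatting would also keep the request to the two intended header lines.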
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_pkcs11-pam_pkcs11-0.6.9/src/mappers/openssh_mapper.c new/pam_pkcs11-pam_pkcs11-0.6.10/src/mappers/openssh_mapper.c
--- old/pam_pkcs11-pam_pkcs11-0.6.9/src/mappers/openssh_mapper.c 2016-09-28 13:44:52.000000000 +0200
+++ new/pam_pkcs11-pam_pkcs11-0.6.10/src/mappers/openssh_mapper.c 2018-09-11 23:06:08.000000000 +0200
@@ -311,7 +311,7 @@
*/
static int openssh_mapper_match_user(X509 *x509, const char *user, void *context) {
struct passwd *pw;
- char filename[512];
+ char filename[PATH_MAX];
if (!x509) return -1;
if (!user) return -1;
pw = getpwnam(user);
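Review bot: Enlarging `filename` to `PATH_MAX` raises the overflow threshold but does not bound the write. The call that formats the home directory into `filename` is not part of this diff, so it is unchanged, and if it is an unbounded `sprintf`, a `pw_dir` longer than `PATH_MAX` still overruns the stack buffer. Formatting with `snprintf(filename, sizeof(filename), ...)` and skipping the user when the return value is `>= sizeof(filename)` makes the limit explicit. The same applies to the second `filename[PATH_MAX]` inside the getpwent loop in the next hunk. `PATH_MAX` also needs `<limits.h>`, whose include is not visible here.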
@@ -333,7 +333,7 @@
/* parse list of users until match */
setpwent();
while((pw=getpwent()) != NULL) {
- char filename[512];
+ char filename[PATH_MAX];
DBG1("Trying to match certificate with user: '%s'",pw->pw_name);
if ( is_empty_str(pw->pw_dir) ) {
DBG1("User '%s' has no home directory",pw->pw_name);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_pkcs11-pam_pkcs11-0.6.9/src/pam_pkcs11/pam_pkcs11.c new/pam_pkcs11-pam_pkcs11-0.6.10/src/pam_pkcs11/pam_pkcs11.c
--- old/pam_pkcs11-pam_pkcs11-0.6.9/src/pam_pkcs11/pam_pkcs11.c 2016-09-28 13:44:52.000000000 +0200
+++ new/pam_pkcs11-pam_pkcs11-0.6.10/src/pam_pkcs11/pam_pkcs11.c 2018-09-11 23:06:08.000000000 +0200
@@ -108,7 +108,7 @@
*response = strdup(resp[0].resp);
}
/* overwrite memory and release it */
- memset(resp[0].resp, 0, strlen(resp[0].resp));
+ cleanse(resp[0].resp, strlen(resp[0].resp));
free(&resp[0]);
return PAM_SUCCESS;
}
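Review bot: After the wipe, `free(&resp[0])` releases only the response array; `resp[0].resp`, the buffer that was just cleansed, is not freed in the visible lines, so each prompt leaks the zeroed response string. Adding `free(resp[0].resp);` between the `cleanse()` call and `free(&resp[0]);` fixes that, and the following hunk (`@@ -191,7`) has the same sequence. The `strdup()` results stored in `*response` and `*pwd` are not checked for NULL in these lines, so an allocation failure appears to reach the success path with a null secret. Both functions begin outside their hunks.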
@@ -191,7 +191,7 @@
return PAM_CRED_INSUFFICIENT;
*pwd = strdup(resp[0].resp);
/* overwrite memory and release it */
- memset(resp[0].resp, 0, strlen(resp[0].resp));
+ cleanse(resp[0].resp, strlen(resp[0].resp));
free(&resp[0]);
/* save password if variable nitem is set */
if ((nitem == PAM_AUTHTOK) || (nitem == PAM_OLDAUTHTOK)) {
@@ -517,7 +517,7 @@
/* check password length */
if (!configuration->nullok && strlen(password) == 0) {
release_pkcs11_module(ph);
- memset(password, 0, strlen(password));
+ cleanse(password, strlen(password));
free(password);
pam_syslog(pamh, LOG_ERR,
"password length is zero but the 'nullok' argument was not defined.");
@@ -543,7 +543,7 @@
/* erase and free in-memory password data asap */
if (password)
{
- memset(password, 0, strlen(password));
+ cleanse(password, strlen(password));
free(password);
}
if (rv != 0) {
@@ -831,7 +831,7 @@
return PAM_SUCCESS;
/* quick and dirty fail exit point */
- memset(password, 0, strlen(password));
+ cleanse(password, strlen(password));
free(password); /* erase and free in-memory password data */
auth_failed_nopw: