From 9d8c8b207c41a58db700c75cabb5730d232f5bce91e9564f306480ed49cddcf7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Fri, 3 May 2024 17:40:07 +0200
Subject: [PATCH] Sync from SUSE:SLFO:Main pam_pkcs11 revision 0f15d71ea5160c385d58ba1c7fa078f8
---
.gitattributes | 23 +
baselibs.conf | 2 +
pam_pkcs11-0.5.3-nss-conf.patch | 36 +
pam_pkcs11-0.6.0-nss-autoconf.patch | 11 +
pam_pkcs11-0.6.10-ChangeLog.git | 4973 ++++++++++++++++++++++++++
pam_pkcs11-0.6.12.tar.gz | 3 +
pam_pkcs11-common-auth-smartcard.pam | 3 +
pam_pkcs11-fsf-address.patch | 13 +
pam_pkcs11.changes | 183 +
pam_pkcs11.spec | 184 +
pkcs11_eventmgr.service | 22 +
11 files changed, 5453 insertions(+)
create mode 100644 .gitattributes
create mode 100644 baselibs.conf
create mode 100644 pam_pkcs11-0.5.3-nss-conf.patch
create mode 100644 pam_pkcs11-0.6.0-nss-autoconf.patch
create mode 100644 pam_pkcs11-0.6.10-ChangeLog.git
create mode 100644 pam_pkcs11-0.6.12.tar.gz
create mode 100644 pam_pkcs11-common-auth-smartcard.pam
create mode 100644 pam_pkcs11-fsf-address.patch
create mode 100644 pam_pkcs11.changes
create mode 100644 pam_pkcs11.spec
create mode 100644 pkcs11_eventmgr.service
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/baselibs.conf b/baselibs.conf
new file mode 100644
index 0000000..d487032
--- /dev/null
+++ b/baselibs.conf
@@ -0,0 +1,2 @@
+pam_pkcs11
+ supplements "packageand(pam_pkcs11:pam-)"
diff --git a/pam_pkcs11-0.5.3-nss-conf.patch b/pam_pkcs11-0.5.3-nss-conf.patch
new file mode 100644
index 0000000..6e58dcc
--- /dev/null
+++ b/pam_pkcs11-0.5.3-nss-conf.patch
@@ -0,0 +1,36 @@
+Index: pam_pkcs11-pam_pkcs11-0.6.12/etc/pam_pkcs11.conf.example.in
+===================================================================
+--- pam_pkcs11-pam_pkcs11-0.6.12.orig/etc/pam_pkcs11.conf.example.in
++++ pam_pkcs11-pam_pkcs11-0.6.12/etc/pam_pkcs11.conf.example.in
+@@ -9,7 +9,7 @@ pam_pkcs11 {
+ nullok = true;
+
+ # Enable debugging support.
+- debug = true;
++ debug = false;
+
+ # Do not prompt the user for the passwords but take them from the
+ # PAM_ items instead.
+@@ -48,7 +48,12 @@ pam_pkcs11 {
+ screen_savers = xfce4-screensaver, mate-screensaver, gnome-screensaver, kde4-kscreensaver, kscreensaver, xscreensaver;
+
+ # Filename of the PKCS #11 module. The default value is "default"
+- use_pkcs11_module = opensc;
++ use_pkcs11_module = nss;
++
++ pkcs11_module nss {
++ nss_dir = /etc/pki/nssdb;
++ crl_policy = none;
++ }
+
+ pkcs11_module opensc {
+ module = /usr/lib/opensc-pkcs11.so;
+@@ -162,7 +167,7 @@ pam_pkcs11 {
+ # If used null mapper should be the last in the list :-)
+ # Also you should select at least one mapper, otherwise
+ # certificate will not match :-)
+- use_mappers = digest, cn, pwent, uid, mail, subject, null;
++ use_mappers = ms;
+
+ # When no absolute path or module info is provided, use this
+ # value as module search path
diff --git a/pam_pkcs11-0.6.0-nss-autoconf.patch b/pam_pkcs11-0.6.0-nss-autoconf.patch
new file mode 100644
index 0000000..faad7a6
--- /dev/null
+++ b/pam_pkcs11-0.6.0-nss-autoconf.patch
@@ -0,0 +1,11 @@
+--- pam_pkcs11-0.6.1/src/pam_pkcs11/pam_config.c
++++ pam_pkcs11-0.6.1/src/pam_pkcs11/pam_config.c
+@@ -45,7 +45,7 @@
+ 0, /* int card_only; */
+ 0, /* int wait_for_card; */
+ "default", /* const char *pkcs11_module; */
+- CONFDIR "/pkcs11_module.so",/* const char *pkcs11_module_path; */
++ NULL, /* const char *pkcs11_module_path; */
+ NULL, /* screen savers */
+ NULL, /* slot_description */
+ -1, /* int slot_num; */
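Review bot: The added `pkcs11_module nss` block sets `crl_policy = none` with no comment, and the same patch makes that block the selected module (`use_pkcs11_module = nss`), so the shipped example appears to authenticate smartcard certificates with revocation checking switched off. If that is a deliberate packaging default, record it next to the setting, e.g. `# crl_policy = none: certificate revocation is not checked; tighten this where CRLs are reachable`. It is also worth confirming against the 0.6.12 config parser that `crl_policy` is still a key it reads inside a module block; if the release takes its verification policy from a different key, this line is silently ignored and the effective policy is whatever the built-in default is. The last inner hunk narrows `use_mappers` to `ms` alone, which deserves a one-line comment stating that user mapping then rests entirely on that mapper's configuration, which is not visible here.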
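Review bot: The default for `pkcs11_module_path` becomes `NULL` in this initializer, but nothing visible here shows that every reader of the field tolerates a null pointer. A consumer that hands it to a module loader or a `%s` debug print when the configuration supplies no `module` value would dereference it inside the PAM stack, so the users of the field in pam_config.c and the module-loading code should be checked. The comment could record the contract, e.g. `NULL, /* const char *pkcs11_module_path; NULL: no built-in default module file */`. The initializer starts and ends outside the hunk, so the surrounding fields cannot be checked from here.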
diff --git a/pam_pkcs11-0.6.10-ChangeLog.git b/pam_pkcs11-0.6.10-ChangeLog.git
new file mode 100644
index 0000000..f1e3039
--- /dev/null
+++ b/pam_pkcs11-0.6.10-ChangeLog.git
@@ -0,0 +1,4973 @@ +commit b606e3bf72e3c6ab02d3e3bfd886b078b224eace +Author: Paul Wolneykien +Date: Tue Sep 11 20:57:39 2018 +0300 + + 0.6.10 + + - Fixed some security issues (thx @frankmorgner): + (https://www.x41-dsec.de/lab/advisories/x41-2018-003-pam_pkcs11/) + -- fixed buffer overflow with long home directory; + -- fixed wiping secrets (now using OpenSSL_cleanse()); + -- verify using a nonce from the system, not the card. + +commit ce2839db418132f330a7276f68c31d6d2714fdc6 +Author: Paul Wolneykien +Date: Tue Sep 11 20:53:21 2018 +0300 + + Fixed extra "0" argument passed to `cleanse()` + +commit 0f686d278f670b15fe27ec4c17b7b7a014a0efb8 +Author: Frank Morgner +Date: Mon Aug 27 13:12:08 2018 +0200 + + README.md: removed license section + + ... we have a COPYING file anyway + + fixes some formatting + +commit 8d27a4f7ae9b00484fc9b10ffb1230e157730693 +Author: Frank Morgner +Date: Mon Aug 27 13:02:56 2018 +0200 + + Update README.md + + - project is maintained + - as wiki is empty, we use its main description (converted to MD) here + +commit 1e048875e7fd5e230d8e45cd4b15d6386087f9b1 +Merge: a0c9b6f 94325a2 +Author: Paul Wolneykien +Date: Mon Aug 20 11:13:30 2018 +0300 + + Merge pull request #26 from gkloepfer/master + + Fixed segfault and fetch problems when checking CRLs + +commit a0c9b6ffc020944f03f57e7de66ad4363d52125d +Author: Frank Morgner +Date: Sat May 26 00:10:49 2018 +0200 + + fixed wiping secrets with OpenSSL_cleanse() + + Thanks to Eric Sesterhenn from X41 D-SEC GmbH + for reporting the problems. + +commit a37fe986997b2d2fefc350c43650cc8193389235 +Author: Frank Morgner +Date: Fri May 25 23:53:44 2018 +0200 + + fixed buffer overflow with long home directory + + Thanks to Eric Sesterhenn from X41 D-SEC GmbH + for reporting the issue. 
+ +commit cc51b3e2720ea862d500cab2ea517518ff39a497 +Author: Frank Morgner +Date: Fri May 25 23:46:41 2018 +0200 + + verify using a nonce from the system, not the card + + Thanks to Eric Sesterhenn from X41 D-SEC GmbH + for reporting the problem. + +commit 94325a2c2b03a10b7618375f828c90063881227e +Author: Gil Kloepfer +Date: Thu Aug 17 07:51:25 2017 -0500 + + Fixed segfault and fetch problems when checking CRLs + + Fixed segfault issue in src/common/cert_vfy.c that occurs when + an attempt is made to check a certificate's CRL. This seems to + be caused by changes that happened in the OpenSSL API, and got + overlooked during updates to the code. + + Also fixed a problem in src/common/uri.c in the builtin URI fetch + via HTTP where an extra newline (and missing carriage-returns) were + sent, causing the HTTP request to fail. + +commit 8a3e8c667ed615ca2608c04414de69fdae5b6787 +Author: Ludovic Rousseau +Date: Wed Sep 28 13:44:52 2016 +0200 + + Fix typo + + Thanks to Debian lintian + I: libpam-pkcs11: spelling-error-in-binary lib/pam_pkcs11/ldap_mapper.so + enought enough + +commit 1ce1f92b0a5fa56e46b240e1eeff9081915266dd +Author: Ludovic Rousseau +Date: Wed Sep 28 13:42:09 2016 +0200 + + Fix typo + + Thanks to Debian lintian: + I: libpam-pkcs11: spelling-error-in-binary + lib/pam_pkcs11/opensc_mapper.so allways always + I: libpam-pkcs11: spelling-error-in-binary lib/pam_pkcs11/ldap_mapper.so + allways always + +commit 8b2d4f3f5c74426578c6d971829e441bcfcb3d55 +Author: Ludovic Rousseau +Date: Wed Sep 28 13:39:30 2016 +0200 + + manpage: fix typo + + Thanks to Debian lintian: + I: libpam-pkcs11: spelling-error-in-manpage + usr/share/man/man1/pkcs11_eventmgr.1.gz Alternativly Alternatively + +commit 79f351c3a84743b8b691050725db84ddb95bdc63 +Author: Ludovic Rousseau +Date: Wed Sep 28 10:56:06 2016 +0200 + + Release 0.6.9 + +commit fad145e2169877ef50667dadaa9b5a93b4c22c69 +Author: Ludovic Rousseau +Date: Wed Sep 28 10:36:54 2016 +0200 + + Distribute pam-pkcs11-ossl-compat.h + 
+ The file pam-pkcs11-ossl-compat.h was introduced in + df45f3e9cd6b2d990a9fbcd862e32a096644325 but was not present in any + Makefile.am + +commit e3ffb2f8f6a7e66ee31b771f6d15871b5bcea160 +Author: Ludovic Rousseau +Date: Tue Sep 27 15:55:06 2016 +0200 + + pkcs11_listcerts: do not fail on certificate error + + If the verification of a certificates fails then display an error and + continue with the next certificate instead of exiting. + + A certificate verification failure may be expected (certificate expired + or not able to find the CA root certificate). And the valid certificate + that we want to use may be the next in the list. + +commit 78a2eb372829ffb9fc8fb35c10b0bf9c5c59d5fa +Author: Doug Engert +Date: Sun Sep 25 14:54:39 2016 -0500 + + Use i2d_ASN1_INTEGER to get serial number + + OpenSSL-1.1 does not support i2c_ASN1_INTEGER. + + Changes to be committed: + modified: cert_info.c + +commit 367e78710b6e8a14a62d27b8c069e8a09d117533 +Author: Ludovic Rousseau +Date: Fri Sep 23 16:58:20 2016 +0200 + + Upgrade gettext from 0.17 to 0.19 + +commit 0907bc9894a1302a6fc34ff67b24335cf7c04e07 +Author: Ludovic Rousseau +Date: Fri Sep 23 16:31:22 2016 +0200 + + Fix compilation using NSS + + configure.ac was bogus and the argument -DHAVE_NSS was not correctly + used. + So the compilation was using OpenSSL library instead of NSS library. + +commit df45f3e9cd6b2d990a9fbcd862e332a096644325 +Author: Doug Engert +Date: Wed Aug 24 18:49:33 2016 -0500 + + Build with OpenSSL-1.1.0 + + Add support to build with OpenSSL-1.1.0-pre6 + + Many of the OpenSSL routines have changed, and many structures are now hidden. + The OpenSSL-1.1 API is now being used. The common/pam-pkcs11-ossl-compat.h + header implements an OpenSSL-API interface to older versions using #defines + and inline code. + + The code has bee compiled using OpenSSL-1.1.0-pre6, OpenSSL-1.0.1 and OpenSSL-1.0.2 + + IT HAS NOT BEEN TESTED, I expect anyone interested in using this code can + do the testing. 
+ + Changes to be committed: + modified: common/cert_info.c + modified: common/cert_st.h + modified: common/cert_vfy.c + new file: common/pam-pkcs11-ossl-compat.h + modified: mappers/openssh_mapper.c + +commit b236a776e741082703893e2b2bb909cbc87878e2 +Author: Ludovic Rousseau +Date: Fri Sep 23 16:05:14 2016 +0200 + + TODO: Debian packaging is available + + Remove this task from the TODO list. + The Debian package exists since 2008. Thanks to Daniel Baumann. + +commit adaef9133dd6da33a6cd4a2d2ca214a6f94d0bb8 +Author: Ludovic Rousseau +Date: Mon Aug 22 11:06:38 2016 +0200 + + Create README.md + + The project is no more maintained + +commit 8bdd8195de6318ad575a73d8ce0f9f787d461c0c +Author: Steve Vickruck +Date: Sun Nov 15 14:58:38 2015 +0000 + + Fixed src/pam_pkcs11/Makefile.am: libintl not linked properly + +commit 57578eb3d96522f008163abfd46aa875487a986b +Author: Steve Vickruck +Date: Fri Nov 13 13:37:58 2015 +0000 + + Typo fix: debuging -> debugging + +commit ae68bd5de36a83e62e47430ac134411d5fc42872 +Author: Steve Vickruck +Date: Wed Nov 11 13:43:06 2015 +0000 + + modified src/pam_pkcs11/pam_pkcs11.c: OpenPAM support for *BSD/OS X; provide wrapper for pam_prompt to fix SIGSEGV due to OpenPAM pam_prompt not accepting NULL resp arg + +commit 0a8d61cf4040787e07bdff963049ae51a07f23a4 +Author: Ludovic Rousseau +Date: Wed Nov 18 10:24:58 2015 +0100 + + src/common/pkcs11_lib.c: code reformat + + reindent Steve Vickruck code + +commit 75e01766827a8ef14b9f15ec10ca16e4ed120dfa +Author: Steve Vickruck +Date: Wed Nov 11 13:40:38 2015 +0000 + + modified src/common/pkcs11_lib.c: check for changed slot count and update slot list + +commit 90c6062871b01491c6dc900cafe196f39db19f1b +Merge: afea9be 425ecee +Author: Ludovic Rousseau +Date: Tue Nov 10 17:34:19 2015 +0100 + + Merge pull request #16 from stevev1/master + + improper use of free() + +commit 425eceed822a40d182cb4a63541159cc7fb3076b +Author: Steve Vickruck +Date: Tue Nov 10 11:29:05 2015 +0000 + + modified 
src/common/pkcs11_lib.c: don't free() static buffer from getpass() + +commit afea9be620d675b1afc1b2eef119e9f6afb42872 +Merge: a64a4e6 1094af0 +Author: Ludovic Rousseau +Date: Fri Oct 23 22:34:59 2015 +0200 + + Merge pull request #15 from r3pek/master + + Update documentation referring generic mapper + + Add documentation for "serial" match + +commit 1094af09e070a1fdf1a86f3a5b4bd451fe432e80 +Author: Carlos Silva +Date: Fri Oct 23 21:19:09 2015 +0100 + + Update documentation refering generic mapper + + Add the "serial" match + +commit a64a4e65440ac8ce63c10a9115ed15ff5bd7297a +Merge: b24848e 386f38f +Author: Ludovic Rousseau +Date: Fri Oct 23 20:28:32 2015 +0200 + + Merge pull request #14 from r3pek/master + + Add serialNumber as a valid search option for generic_mapper + +commit 386f38f1ae69b495a82fc3ad42457f9a46398265 +Author: Carlos Silva +Date: Fri Oct 23 16:38:12 2015 +0100 + + Add "serial" as a valid option + +commit 98712f4f02b999791ce2f36b3f3acdf63b814646 +Author: Carlos Silva +Date: Fri Oct 23 16:36:40 2015 +0100 + + Add CERT_SERIAL as a valid option + +commit b24848eb42bafee3d61101794a27a9bdaf3eb2a2 +Merge: cad9413 39701be +Author: Ludovic Rousseau +Date: Fri Oct 2 09:42:23 2015 +0200 + + Merge pull request #13 from madscientist159/master + + Do not fail if card was already unlocked, e.g. by a previous PAM module + +commit 39701be2812d30c8e323046b18c4067207d1a035 +Author: Timothy Pearson +Date: Thu Oct 1 15:16:01 2015 -0500 + + Do not fail if card was already unlocked, e.g. by a previous PAM module + +commit cad9413a3585cfa13eb4cc590e98c3d044b20bc3 +Author: Ludovic Rousseau +Date: Sun Sep 27 16:24:40 2015 +0200 + + .gitignore: ignore some other files + +commit 054f7fc7b0d6ff2ddd1c805def22bbda65a8bb0c +Author: Ludovic Rousseau +Date: Sun Sep 27 16:19:34 2015 +0200 + + Doxygen: update .conf from 1.7.1 to 1.8.9.1 + + Some tags were obsolete. 
+ Upgrade using "doxygen -u doxygen.conf.in" + +commit 81ec0726eaacc89fbc316f8eb646860f0136b86a +Author: Ludovic Rousseau +Date: Sun Sep 27 16:07:21 2015 +0200 + + Makefile.am: generate ChangeLog.git + + The code repository moved from subversion to git. + We now generate ChangeLog.git instead of ChangeLog.svn. + +commit 2a1b4dda9d50c67641c8c43a22a2469aeac9b356 +Author: Ludovic Rousseau +Date: Sun Sep 27 15:54:18 2015 +0200 + + configure: document --disable-debug + + The debugging code is used by default. + The provided ./configure option is to _disable_ debugging so the + possible option is --disable-debug not --enable-debug. + +commit 06bc42a848617402c8df8b5b3b84f0f1039531bc +Author: Ludovic Rousseau +Date: Sat Sep 26 21:24:20 2015 +0200 + + Make --disable-debug work again + + Thanks to Marcus Ilgner fro the patch. + +commit d4352d32c08764fe5be787b3fdb0a7cb011ab8ac +Author: Marcus Ilgner +Date: Sat Sep 26 00:56:58 2015 +0200 + + Add .gitignore for generated files + +commit e401dd7959f338914ed7d7cae98de9eff7b7c0a0 +Merge: 324cb8a 0586364 +Author: Ludovic Rousseau +Date: Fri Aug 28 20:50:53 2015 +0200 + + Merge pull request #11 from alexandreaguiar/master + + Update portuguese translation + +commit 0586364ca7933664e6113101b11ae2c1f53753f9 +Author: Alexandre Souza Aguiar +Date: Fri Aug 28 15:38:53 2015 -0300 + + Update portuguese translation + +commit 324cb8aa6b694d7347bfaaf3576d9fdffc55ac76 +Merge: 800de01 32ff511 +Author: Ludovic Rousseau +Date: Thu Aug 27 16:28:26 2015 +0200 + + Merge pull request #10 from alexandreaguiar/master + + Fix translation of line 208 "Smartcard authentication starts" + +commit 32ff511504dc88fc28e5968ae54d7422b7712232 +Author: Alexandre Souza Aguiar +Date: Wed Aug 26 14:07:11 2015 -0300 + + Fix translation of line 208 "Smartcard authentication starts" + +commit 800de010b19587c3b83168005e2a666baf445018 +Merge: 40e1c99 afec6ff +Author: Ludovic Rousseau +Date: Wed Aug 26 17:25:18 2015 +0200 + + Merge pull request #9 from 
alexandreaguiar/master + + Fix language pt_br to pt_BR + +commit afec6ff345bcd080d3f94a7bd413dadee66b3601 +Author: Alexandre Souza Aguiar +Date: Wed Aug 26 11:48:26 2015 -0300 + + Change configure.ac to fix language from pt_br to pt_BR + +commit 06f1d135eed976197dd85449e310b8129886b818 +Author: Alexandre Souza Aguiar +Date: Wed Aug 26 11:43:38 2015 -0300 + + Rename pt_br.po to enable translation + +commit 40e1c99041455e5aff6484b06b6bf5bd49526689 +Author: Ludovic Rousseau +Date: Fri Apr 3 16:09:01 2015 +0200 + + Revert the previous patch. + + The code was correct and should continue to check the next certificate. + +commit 4ef003ac43405f6391bf965a043f9fe4c4704f1d +Author: Ludovic Rousseau +Date: Fri Apr 3 15:00:16 2015 +0200 + + pam_sm_authenticate(): ignore invalid certificates + + The code stopped on the first invalid certificate. This is problematic + if the card contains certificates that have expired or are not yet + valid. + + Thanks to 建明 for the bug report + https://sourceforge.net/p/opensc/mailman/message/33698763/ + +commit 1cbb55e3d4154715de191a44df76ae92810c8598 +Author: Ludovic Rousseau +Date: Thu Aug 28 10:43:11 2014 +0200 + + Update po/it.po + +commit 422727e0c0402dea46f0dde31a97bd3172cb44e0 +Author: Ludovic Rousseau +Date: Thu Aug 28 10:31:28 2014 +0200 + + Update ax_pthread.m4 + + The macro has a new name + +commit c370dbf40499d83c33c4c35777c62d89b91a6bcf +Author: Ludovic Rousseau +Date: Thu Aug 28 10:26:08 2014 +0200 + + Add AM_PROG_AR + + /usr/share/automake-1.14/am/ltlibrary.am: warning: 'libcommon.la': linking libtool libraries using a non-POSIX + /usr/share/automake-1.14/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac' + src/common/Makefile.am:16: while processing Libtool library 'libcommon.la' + +commit bf2a2232019e8f342335e58a3490d6b4dd18e02e +Author: Ludovic Rousseau +Date: Thu Aug 28 10:23:24 2014 +0200 + + Update configure.ac + + Run autoupdate + +commit d73e0070d683309f7719ef3cf9f764fd86a84048 +Author: Ludovic Rousseau 
+Date: Thu Aug 28 10:10:20 2014 +0200 + + Fix field precision specifier + + ldap_mapper.c: In function `ldap_build_partial_cert_filter': + ldap_mapper.c:731:3: warning: field precision specifier `.*' expects argument of type `int', but argument 5 has type `long int' [-Wformat=] + DBG2("ldap_build_cert_filter(): unrecognized certificate " + ^ + ldap_mapper.c:736:3: warning: field precision specifier `.*' expects argument of type `int', but argument 5 has type `long int' [-Wformat=] + DBG2("ldap_build_cert_filter(): no values for certificate " + ^ + ldap_mapper.c:740:2: warning: field precision specifier `.*' expects argument of type `int', but argument 5 has type `long int' [-Wformat=] + DBG4("ldap_build_cert_filter(): building subfilter '%.*s'='%.*s'", + ^ + ldap_mapper.c:740:2: warning: field precision specifier `.*' expects argument of type `int', but argument 7 has type `long int' [-Wformat=] + +commit bcba14aafc53f4850386101b0124a91f36881ff0 +Author: Ludovic Rousseau +Date: Thu Aug 28 10:06:59 2014 +0200 + + Fix format error + + ldap_mapper.c: In function `ldap_get_certificate': + ldap_mapper.c:1079:4: warning: format `%s' expects a matching `char *' argument [-Wformat=] + DBG("ldap_first_entry() failed: %s"); + ^ + +commit ce0cd5a186ce57278f2fbc2af2176d8ddd59cf39 +Author: Ludovic Rousseau +Date: Thu Aug 28 10:03:59 2014 +0200 + + Remove unused variables + + ldap_mapper.c: In function `ldap_mapper_match_user': + ldap_mapper.c:1210:6: warning: unused variable `i' [-Wunused-variable] + int i=0; + ^ + +commit dd11d505a3425c2272285b942588d601b3aacade +Author: Ludovic Rousseau +Date: Thu Aug 28 10:02:31 2014 +0200 + + Remove unused variables + + ldap_mapper.c:906:8: warning: unused variable `bv_val' [-Wunused-variable] + void *bv_val; + ^ + ldap_mapper.c:902:14: warning: unused variable `ber' [-Wunused-variable] + BerElement *ber = NULL; + ^ + +commit b4229fa07c253c0f74cf3fff1868b89b4207b586 +Author: Ludovic Rousseau +Date: Thu Aug 28 10:01:01 2014 +0200 + + Remove 
unused variables + + ldap_mapper.c:842:15: warning: unused variable `i' [-Wunused-variable] + unsigned int i; + ^ + ldap_mapper.c:841:35: warning: unused variable `der_len' [-Wunused-variable] + size_t buf_len, user_filter_len, der_len; + ^ + ldap_mapper.c:840:17: warning: unused variable `der' [-Wunused-variable] + unsigned char *der; + ^ + +commit c7f4a9a6dda7dc10287f489d9cba1b39e852cbeb +Merge: 97855e8 c42da2a +Author: Ludovic Rousseau +Date: Thu Aug 28 09:58:38 2014 +0200 + + Merge pull request #6 from nalind/master + + Changes (most of them optional) to how the LDAP mapper does matching + +commit 97855e85a8b5766063667e858671472169048887 +Author: Ludovic Rousseau +Date: Thu Aug 28 09:55:06 2014 +0200 + + Update po/remove-potcdate.sin + +commit bde79c585c1e64a59a6e9817e79b6f47bb1ff631 +Author: Ludovic Rousseau +Date: Thu Aug 28 09:53:01 2014 +0200 + + Rename po/remove-potcdate.sin + +commit c42da2ab7832e7e935fdc0493effd420a00b299d +Author: Nalin Dahyabhai +Date: Tue Aug 26 18:07:51 2014 -0400 + + Treat "attribute_map" as a list of ANDed clauses + + As before, an "attribute_map" entry can specify a single LDAP attribute + and type of certificate data to compare it with. Modify this so that a + list entry can include multiple clauses joined by an '&' character. + +commit 75f819358dd7ffed0cc5e5738d64cdf8c8619c50 +Author: Nalin Dahyabhai +Date: Tue Aug 26 17:36:01 2014 -0400 + + Add "attribute_map" to LDAP mapping + + Add an "attribute_map" list setting. Items in the list take the form + "ldap_attribute_name=cert_attribute", where "ldap_attribute_name" is an + attribute that we'll name in a search filter, and cert_attribute is one + of "cn", "subject", "kpn", "email", "upn", "uid", or "cert". + + When searching the directory, we'll try the configured map attribute + pairs before falling back to the traditional map: the attribute named by + the "attribute" configuration setting should contain the certificate. 
+ +commit 3f1f9adb32475cc1bfc9016d5c8f723cef8d8d3d +Author: Nalin Dahyabhai +Date: Tue Aug 26 15:24:51 2014 -0400 + + Add an LDAP "uid_attribute", use it to speed up + + Add an option to name an attribute of a user entry in the directory + server which contains the user name. If it's specified, search for + entries that just match the certificate, and read the user name from a + matching entry. If not, fall back to the old method of iterating + through all user names to find an entry that matches both the user name + and the certificate. The first method should be faster. + +commit 95fdf12d66cee3af0cdcc8ff9704f220b7317c08 +Author: Nalin Dahyabhai +Date: Tue Aug 26 14:37:08 2014 -0400 + + Skip reading user certificates from LDAP + + Since we're letting the server handle matching the user's certificate, + we don't need to bother with caching certificates that we've read from + the directory server. + +commit e4e023e6710c7e1ed4a7390aa0e66dc12df6422a +Author: Nalin Dahyabhai +Date: Tue Aug 26 14:13:05 2014 -0400 + + When searching LDAP, filter on the certificate + + When searching LDAP for an entry for a user, incorporate the contents of + the certificate in the filter that we send to the directory server. Now + that we let the directory server look for entries with the certificate + in them, we don't need to walk the list of certificates in the retrieved + entry to check for matches, because the server says they're there. + +commit f7e4ef273f22c514591d8fb35b2adfb72fdf8c48 +Author: Nalin Dahyabhai +Date: Tue Aug 26 13:23:12 2014 -0400 + + Move building the LDAP filter into a subfunction + + Move building the filter that we use to find the user's entry into a + subfunction, in preparation for giving it more capabilities. 
+ +commit 4c4eaede5b71441ccab7918ecd21e38ee5e6a632 +Merge: 809b788 80a2c6d +Author: Ludovic Rousseau +Date: Sat Mar 8 11:05:59 2014 +0100 + + Merge pull request #5 from maxxer/master + + libpam-pkcs11 Italian translation + +commit 809b7889c58434abd0d00bb9d229ffb24d1440aa +Merge: a1689f8 7354b2b +Author: Ludovic Rousseau +Date: Sat Mar 8 11:05:00 2014 +0100 + + Merge pull request #4 from logich/patch-1 + + pam_pkcs11.conf options doc update + +commit 80a2c6d6e60480abd84f2745dc3e79b4112f7703 +Author: Lorenzo Milesi +Date: Wed Mar 5 17:31:52 2014 +0100 + + Italian translation + +commit 7354b2bba6acc766d8ea08b8258af114616e8979 +Author: logich +Date: Wed Mar 5 08:10:13 2014 -0800 + + pam_pkcs11.conf options doc update + + I’d like to suggest adding the two options card_only and wait_for_card to the README file just after line 102: + + card_only + Always try to get the userid from the certificate, don't prompt for the user name if + the card is present, and if the token is present, then we must use it to authenticate. + + wait_for_card + This option needs card_only to be set. This will make the system wait for the + token to be inserted on login, or after login it will require the same token be + inserted to unlock the system. 
+ +commit a1689f8cc26254766c01d5b34ce257bc257c3039 +Author: Ludovic Rousseau +Date: Mon Feb 24 11:52:37 2014 +0100 + + Fix compiler warnings + + pkcs11_lib.c: In function `refresh_slots': + pkcs11_lib.c:1037:5: warning: format `%d' expects argument of type `int', but argument 5 has type `CK_ULONG' [-Wformat] + pkcs11_lib.c: In function `init_pkcs11_module': + pkcs11_lib.c:1118:3: warning: format `%d' expects argument of type `int', but argument 5 has type `CK_ULONG' [-Wformat] + pkcs11_lib.c:1141:3: warning: format `%d' expects argument of type `int', but argument 5 has type `CK_ULONG' [-Wformat] + pkcs11_lib.c: In function `get_certificate_list': + pkcs11_lib.c:1579:5: warning: format `%x' expects argument of type `unsigned int', but argument 5 has type `CK_CERTIFICATE_TYPE' [-Wformat] + pkcs11_lib.c: In function `sign_value': + pkcs11_lib.c:1725:3: warning: format `%d' expects argument of type `int', but argument 5 has type `long unsigned int' [-Wformat] + pkcs11_lib.c:1747:7: warning: format `%d' expects argument of type `int', but argument 5 has type `CK_ULONG' [-Wformat] + pkcs11_lib.c:1755:3: warning: format `%d' expects argument of type `int', but argument 5 has type `CK_ULONG' [-Wformat] + +commit 1f8eab1fc0fcac720d8fce05f9290f0bfc6f298b +Author: Ludovic Rousseau +Date: Mon Feb 24 11:49:50 2014 +0100 + + Fix compiler warnings + + base64.c: In function `base64_encode': + base64.c:92:2: warning: format `%d' expects argument of type `int', but argument 5 has type `size_t' [-Wformat] + base64.c:92:2: warning: format `%d' expects argument of type `int', but argument 6 has type `size_t' [-Wformat] + base64.c:92:2: warning: format `%d' expects argument of type `int', but argument 7 has type `size_t' [-Wformat] + +commit 476b49da51de1754c01c6f00c85ee7b1635234a3 +Author: Ludovic Rousseau +Date: Mon Feb 24 11:38:33 2014 +0100 + + Fix bug and compiler warning + + subject_mapper.c: In function `subject_mapper_module_init': + subject_mapper.c:112:3: warning: conversion 
lacks type at end of format [-Wformat] + subject_mapper.c:112:3: warning: too many arguments for format [-Wformat-extra-args] + +commit 6fe97a457df9d4d719e0922053ea74e1c5c09ce9 +Author: Ludovic Rousseau +Date: Mon Feb 24 11:37:54 2014 +0100 + + Fix bug and compiler warning + + uid_mapper.c: In function `uid_mapper_module_init': + uid_mapper.c:134:3: warning: conversion lacks type at end of format [-Wformat] + uid_mapper.c:134:3: warning: too many arguments for format [-Wformat-extra-args] + +commit 3fd81878a506d2e27189f1b3ea1090fdfdf9b462 +Author: Ludovic Rousseau +Date: Mon Feb 24 11:37:12 2014 +0100 + + Fix bug and compiler warning + + openssh_mapper.c: In function `mapper_module_init': + openssh_mapper.c:384:3: warning: conversion lacks type at end of format [-Wformat] + openssh_mapper.c:384:3: warning: too many arguments for format [-Wformat-extra-args] + +commit 73e4fabd398fbb6be82dd6ce9a2f82300d93f714 +Author: Ludovic Rousseau +Date: Mon Feb 24 11:36:10 2014 +0100 + + Fix bug and compiler warning + + null_mapper.c: In function `null_mapper_module_init': + null_mapper.c:93:3: warning: conversion lacks type at end of format [-Wformat] + null_mapper.c:93:3: warning: too many arguments for format [-Wformat-extra-args] + +commit a7bc9e59ef568818a23c35314580d14a49699c95 +Author: Ludovic Rousseau +Date: Mon Feb 24 11:35:00 2014 +0100 + + Fix bug and compiler warning + + pwent_mapper.c: In function `pwent_mapper_module_init': + pwent_mapper.c:170:3: warning: conversion lacks type at end of format [-Wformat] + pwent_mapper.c:170:3: warning: too many arguments for format [-Wformat-extra-args] + +commit 00dbebf4452072050fcb1b8365cafc438baf10a3 +Author: Ludovic Rousseau +Date: Mon Feb 24 11:33:05 2014 +0100 + + Fix compiler warning + + card_eventmgr.c:77:9: warning: format ‘%lX’ expects argument of type ‘long unsigned int’, but argument 5 has type ‘int’ [-Wformat] + +commit 2ea408a0c4d210979290ea510711fa36521e52b0 +Author: Ludovic Rousseau +Date: Mon Feb 24 11:26:43 2014 
+0100 + + Fix compiler warning + + pkcs11_eventmgr.c:439:2: warning: format ‘%d’ expects argument of type ‘int’, but argument 5 has type ‘long unsigned int’ [-Wformat] + +commit f619569be0869507325b55e0d518d67505134d3a +Author: Ludovic Rousseau +Date: Mon Feb 24 11:18:26 2014 +0100 + + Check debug_print() format and arguments + + Use GCC format (archetype, string-index, first-to-check) to check the + arguments correspond to the format string + http://gcc.gnu.org/onlinedocs/gcc-3.1/gcc/Function-Attributes.html + +commit 616d7ad9160123f021c7da414d83e7c075b89848 +Merge: dd7fa2f 8aa5cf8 +Author: Ludovic Rousseau +Date: Mon Feb 24 11:13:24 2014 +0100 + + Merge pull request #3 from tuxmania87/master + + unlogical string comparison resolved, wrong debug pointer cast resolved + +commit 8aa5cf87846ed716ed9a127a8ad583f8dbcbdce0 +Author: Robert Hartmann +Date: Mon Feb 24 09:40:20 2014 +0100 + + Fixed mapping error in find_user() for generic_mapper + +commit ac2de77ba1a612958074664dcd64ad1a051da508 +Author: Robert Hartmann +Date: Tue Feb 18 11:30:37 2014 +0100 + + unlogical string comparison resolved, wrong debug pointer cast resolved + +commit dd7fa2fe691cb66d7779951b5c5763be130730a9 +Merge: ed5daac caecdc7 +Author: Ludovic Rousseau +Date: Wed Jun 12 05:40:17 2013 -0700 + + Merge pull request #2 from tcatm/master + + Fix pam_pkcs11.xsl + +commit caecdc74faea8ab4b7fc315c69bbe5b8bb4c6904 +Author: Nils Schneider +Date: Wed Jun 12 14:24:41 2013 +0200 + + Fix pam_pkcs11.xsl + + Let /etc/xml/catalog resolve docbook.xsl instead of + using a hardcoded path. + +commit ed5daacfd5a51c57b79d8cfa8f4784e28c521095 +Merge: 75613e3 2b16129 +Author: Martin Paljak +Date: Sun Feb 24 06:46:18 2013 -0800 + + Merge pull request #1 from Flameeyes/master + + A few build system fixes + + Tested as working on Debian wheezy. 
+ +commit 2b16129e9c9e685b6aaaa80d740096353d95ab7a +Author: Diego Elio Pettenò +Date: Sat Feb 23 16:10:56 2013 -0800 + + build: remove an outdated reference to INCLUDE in favour of AM_CFLAGS. + +commit 9c0b922227897d889d939871f64a1a0bd9427e56 +Author: Diego Elio Pettenò +Date: Sat Feb 23 16:06:55 2013 -0800 + + build: do not search for a target. + + This is not a compiler, so it should not have a target. + +commit 353fecb2ba508a3b8696ea83afcf120ab7e8e117 +Author: Diego Elio Pettenò +Date: Sat Feb 23 16:05:10 2013 -0800 + + build: rename configure.in for compatibility with new autoconf/automake. + +commit 11de1146685e7933795d5083c9c51595d60d2200 +Author: Diego Elio Pettenò +Date: Sat Feb 23 16:03:17 2013 -0800 + + build: only export PAM interface symbols. + +commit 75613e32dfc49e1174d55ed37c18ce84cabadb47 +Author: Frédéric Combeau +Date: Wed Dec 12 11:26:18 2012 +0100 + + pam_sm_authenticate: support many certificates + + " I use pam_pkcs11 0.6.8 with libcurl but without nss. My tokens works + fine but they can contain 4 or 5 certificates (with corresponding rsa + keys). + + My certificates are not all from the same PKI, so they are not certified + by the same ACs. + + The problem I encounter with pam_pkcs11 is that if the first certificate + it tries to verify is not certified by ACs I installed on my + workstation, I got an error 2328 because verify_certificate() return -4 + and pam_pkcs11 stops (line 584 of src/pam_pkcs11/pam_pkcs11.c : goto + auth_failed_nopw;), not trying to verify others certificates in my + token. I do not really want to install all ACs (including CRLs, ...) of + my certificates of my token on every workstations. + + I tried to add a "continue;" in pam_pkcs11.c in the switch test for the + error 2328 : if verify_certificate() returns -4, pam_pkcs11 prints the + error message "error 2328: ..." and with the continue command, + pam_pkcs11 continues to process the next certificates and everything + works great. 
+ + Maybe I missed something that explains why pam_pkcs11 stops processing + certificates if the verification of a certificate returns -4. " + + Thanks to Frédéric Combeau for the bug report and patch + http://www.opensc-project.org/pipermail/opensc-devel/2012-December/018723.html + +commit 5ebe9d09fe35165c61ca08267be6d6f0594a686a +Author: Ludovic Rousseau +Date: Sun Jul 1 15:48:51 2012 +0000 + + - Licence is GPL v2+ (a line was missing) + - update FSF address + +commit e3c5693883c56a12ee53b1f05665a6f0378d05cc +Author: Ludovic Rousseau +Date: Tue Apr 24 13:44:19 2012 +0000 + + Fix log message + + Use "%d token(s)" instead of "%d tokens" since we may have less than 2 + tokens + +commit bbd60c82ce51921f728e8d378fdf8c3b23d368b2 +Author: Ludovic Rousseau +Date: Tue Apr 24 13:37:45 2012 +0000 + + Major reformat using indent(1) + + --blank-lines-after-declarations + --blank-lines-after-procedures + --brace-indent0 + --continuation-indentation4 + --dont-break-procedure-type + --dont-line-up-parentheses + --indent-level4 + --tab-size4 + --no-blank-lines-after-declarations + --no-space-after-function-call-names + +commit 5dfaaefb75e1889bbd86e56d977542e4ef6d82c1 +Author: Ludovic Rousseau +Date: Tue Apr 24 13:33:17 2012 +0000 + + Log error of C_Initialize/C_Initialize if any + +commit 54c5db08f433aa9d213f9d1fed17a05139af10d8 +Author: Ludovic Rousseau +Date: Tue Apr 24 13:26:02 2012 +0000 + + Reformat and remove extra white spaces + +commit ea9db83baab55fd88b5c57f203e961affea47c95 +Author: Ludovic Rousseau +Date: Sat Apr 7 18:32:48 2012 +0000 + + regenerate + +commit d1f5862d6cfcc6f7390ee8552910fc795b9058b3 +Author: Ludovic Rousseau +Date: Sat Apr 7 18:31:50 2012 +0000 + + Fix typo: authentification -> authentication + +commit 63451e9499aa32163337d4f6982ff6924cccd36e +Author: Ludovic Rousseau +Date: Sat Apr 7 17:09:21 2012 +0000 + + Release 0.6.8 + +commit b19910b563605411ef00bf3bd246933db74285d2 +Author: Ludovic Rousseau +Date: Sat Apr 7 17:08:42 2012 +0000 + + Fix typo: 
writeable -> writable + + Reported by Debian lintian tool + +commit 2f4779a88f1d3ff018aba5dd9891cf5d977214a9 +Author: Ludovic Rousseau +Date: Sat Apr 7 17:04:42 2012 +0000 + + Update + +commit b481aefbd553dbd3be2c4a311f017c81557ed766 +Author: Ludovic Rousseau +Date: Sat Apr 7 16:55:20 2012 +0000 + + Use a direct string instead of a variable + + Fix compiler error when Debian hardening is used: + pam_pkcs11.c:810:4: error: format not a string literal and no format + arguments [-Werror=format-security] + +commit 7e033f1c19937d768242ccd35a5e4f9fe1a6eae6 +Author: Ludovic Rousseau +Date: Sat Apr 7 16:48:37 2012 +0000 + + Add support of variadic parameters for pam_prompt() + + Systems without pam_prompt() and using our own version of pam_prompt() + can now use a variable number of parameters as on GNU/Linux. + +commit 68ab0f27696cfc7f71e567f59595ad1c7c9eb3fb +Author: Ludovic Rousseau +Date: Sat Apr 7 16:29:34 2012 +0000 + + Use a direct string instead of variable + + Fix compiler errors when Debian hardening is used: + pam_pkcs11.c:198:3: error: format not a string literal and no format + arguments [-Werror=format-security] + +commit 2415e80f023ff69746d756a272af73853cd46664 +Author: Ludovic Rousseau +Date: Sat Apr 7 16:06:52 2012 +0000 + + Fix compiler warning + + pam_pkcs11.c:154:5: warning: passing argument 2 of `conv->conv' from + incompatible pointer type [enabled by default] + pam_pkcs11.c:154:5: note: expected `const struct pam_message **' but + argument is of type `struct pam_message **' + +commit 77a3a814e8745ac45075d763058577e795f6e09a +Author: Ludovic Rousseau +Date: Sat Apr 7 16:01:36 2012 +0000 + + Remove extra spaces + +commit 0329729aa28a97ab045df536cee0e0932ad75793 +Author: Ludovic Rousseau +Date: Tue Nov 8 21:35:33 2011 +0000 + + Check for HAVE_CURL_CURL_H instead of HAVE_CURL + + This define is set by configure.in test AC_CHECK_HEADERS([curl/curl.h]) + Thanks to Hannu Kotipalo for the bug report + +commit 733135f420684136df05902d698944ed7bcd71b0 +Author: 
Ludovic Rousseau +Date: Tue Oct 18 12:51:47 2011 +0000 + + get_private_key(): search for a specific ID if any + + Fixes bug #392 "pam_pkcs11 uses first found private key for signing, not one matching certificate" + http://www.opensc-project.org/opensc/ticket/392 + +commit dc5401da54e27718d61a30b78b68a9407359181a +Author: Ludovic Rousseau +Date: Tue Oct 18 12:46:57 2011 +0000 + + get_private_key(): remove unused CKA_KEY_TYPE template attribute. + + See bug #392 "pam_pkcs11 uses first found private key for signing, not one matching certificate" + http://www.opensc-project.org/opensc/ticket/392 + +commit 76609d1163620c3717261f5a38f49e1d3b408662 +Author: Ludovic Rousseau +Date: Tue Oct 18 11:50:56 2011 +0000 + + Fix spelling error + +commit 3d86830e6efa463f8fddb555ee6b477e2c07efea +Author: Ludovic Rousseau +Date: Tue Oct 18 11:50:10 2011 +0000 + + Fix spelling error + +commit baaa1862c80e03f32d94f3c6a5fc8fa279963c08 +Author: Ludovic Rousseau +Date: Tue Oct 18 11:42:47 2011 +0000 + + Login in all cases, not just for NSS + + Fixes Ticket #393 "pkcs11_inspect does not ask for card PIN" + http://www.opensc-project.org/opensc/ticket/393 + +commit 82c4cee45a1122982e615f0cfe6ea1089467809f +Author: Ludovic Rousseau +Date: Thu Aug 18 19:39:44 2011 +0000 + + Update from Jakub Bogusz + +commit e4878715bbef0dd2e62e0599d96256c851bef025 +Author: Ludovic Rousseau +Date: Sat Aug 6 13:31:09 2011 +0000 + + Release 0.6.7 + +commit fae6e86a186c8b2c36910d8c3c1a750c5c1f4a76 +Author: Ludovic Rousseau +Date: Sat Aug 6 13:30:37 2011 +0000 + + Update + +commit 30a5b2909c3b1d3f2582d342b23f1d922378bc5d +Author: Ludovic Rousseau +Date: Sun Jul 17 15:48:28 2011 +0000 + + Add Turkish l18n file + + Thanks to Ozan Çağlayan + http://www.opensc-project.org/pipermail/opensc-devel/2011-July/016952.html + +commit 056207700a709c95fd7eef83997e0fe308d20406 +Author: Ludovic Rousseau +Date: Thu Jun 30 09:07:55 2011 +0000 + + silent build by default + +commit a34c48c9b15a4b437a562326e23af3d8b9ad37b1 +Author: 
Ludovic Rousseau +Date: Fri Jun 10 11:52:48 2011 +0000 + + Remove useless cast + +commit 72e4fe5732a3b2c7349d71d63f3171d2b006ad1e +Author: Ludovic Rousseau +Date: Fri Jun 10 11:50:10 2011 +0000 + + Fix compiler warning + + pwent_mapper.c: In function 'pwent_mapper_find_user': + pwent_mapper.c:75: warning: 'str' is used uninitialized in this function + +commit cb5e1d2442c4652a589513d07a9b78cf3b5cd922 +Author: Ludovic Rousseau +Date: Fri May 27 07:16:53 2011 +0000 + + Use "domainname" instead of "domain" + + Fix Ticket #363 "fix ms mapper example" + +commit 9213284e96229e9b6985a55926ebbcf81285a6ce +Author: Ludovic Rousseau +Date: Thu Apr 7 09:08:03 2011 +0000 + + Clarify between CA and CA root certificate + +commit 1c6b88ca0955f5848cdf6f339f4e74a8a6f98d8d +Author: Ludovic Rousseau +Date: Thu Apr 7 08:00:40 2011 +0000 + + Rename make_hash_link into pkcs11_make_hash_link + +commit 1b6cca93df1a39c29599dd20cf95edfecfb9dae6 +Author: Ludovic Rousseau +Date: Tue Mar 22 08:30:44 2011 +0000 + + Improved error messages + Thanks to Dominik Fischer for the patch + + " It adds displaying error messages to the user via pam_prompt. Because in + GDM the messages disappear so quick, I've added a new option + "err_display_time". After a message is shown with pam_prompt, a + "sleep(err_display_time)" is called. This gives the user a chance to + read the message. Also I prepend every message with an error number, + because this number is easier to remember, if a user reports a problem. + + The messages can be disabled via the "quiet" option. 
" + + http://www.opensc-project.org/pipermail/opensc-devel/2011-March/016184.html + +commit 2c2fcce568a73a6d9358925619b16725d3d40876 +Author: Ludovic Rousseau +Date: Sun Mar 20 14:57:08 2011 +0000 + + pwent_mapper_find_user(): add a missing line for the previous patch + + Thanks to Dominik Fischer + http://www.opensc-project.org/pipermail/opensc-devel/2011-March/016173.html + +commit 286610a6933c7b3797691a8d9a7e580771729d9e +Author: Ludovic Rousseau +Date: Sun Mar 20 11:04:57 2011 +0000 + + pwent_mapper_find_user() searches through all available passwd db + entries to find an user. This takes a very long time, if you have many + users (10000). Additionally, if you have nss-ldap configured, it + transfers a large amount of data (which is expensive on mobile + connections...). + + Included you find a patch to speed up user finding for the pwent_mapper. + It first tries to find a user directly by calling getpwnam() with the + found CN. If this fails, the old mechanism is used. (I think the second + step could probably even be removed: I can't find a situation where the + getpwnam() does not work.) + + Please have a look at the patch. If it's OK please include it in further + pam_pkcs11 releases (so I don't have to patch every new pam_pkcs11 + release on my own ;-) ). 
+ + Kind regards + Dominik Fischer + + http://www.opensc-project.org/pipermail/opensc-devel/2011-March/016167.html + +commit 36e757ffa2976ca7f9cd71d33fd66509abacc249 +Author: Ludovic Rousseau +Date: Sat Jan 22 18:00:46 2011 +0000 + + Remove useless code + + pam_pkcs11.c:281:6: warning: Value stored to 'rv' is never read + rv = pam_get_item(pamh, PAM_USER, &user); + ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + pam_pkcs11.c:269:10: warning: Value stored to 'rv' is never read + rv = pam_get_item(pamh, PAM_SERVICE, &service); + ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +commit 85a31346945f2906fbf5ddcc9dd1699d82507a85 +Author: Ludovic Rousseau +Date: Sat Jan 22 17:59:32 2011 +0000 + + Remove useless code + + pam_config.c:302:3: warning: Value stored to 'res' is never read + res=sscanf(argv[i],"slot_num=%d",&configuration.slot_num); + ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +commit 4c4af5bd747a6ad42f168298073634e37803d0b6 +Author: Ludovic Rousseau +Date: Sat Jan 22 17:58:16 2011 +0000 + + Fix a clang warning without changing the code semantic + + mapper_mgr.c:201:10: warning: Field access results in a dereference of a null + pointer (loaded from variable 'last') + last->next= item; + ~~~~ ^ + +commit 5227d1a36b66b90b290bcce56512ebb3e613e101 +Author: Ludovic Rousseau +Date: Sat Jan 22 17:50:48 2011 +0000 + + Remove usless code + + pkcs11_eventmgr.c:268:17: warning: Value stored to 'res' is never read + res=sscanf(argv[i],"expire_time=%d",&expire_time); + ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + pkcs11_eventmgr.c:264:17: warning: Value stored to 'res' is never read + res=sscanf(argv[i],"polling_time=%d",&polling_time); + ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + pkcs11_eventmgr.c:595:7: warning: Value stored to 'rv' is never read + rv = ph->fl->C_Initialize(NULL); + ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~ + pkcs11_eventmgr.c:594:7: warning: Value stored to 'rv' is never read + rv = ph->fl->C_Finalize(NULL); + ^ ~~~~~~~~~~~~~~~~~~~~~~~~ + 
pkcs11_eventmgr.c:569:3: warning: Value stored to 'rv' is never read + rv = ph->fl->C_Initialize(NULL); + ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~ + pkcs11_eventmgr.c:568:3: warning: Value stored to 'rv' is never read + rv = ph->fl->C_Finalize(NULL); + ^ ~~~~~~~~~~~~~~~~~~~~~~~~ + +commit 59bbd4728d3451105ce932af8191cdf3e83ef7d7 +Author: Ludovic Rousseau +Date: Sat Jan 22 17:48:57 2011 +0000 + + Remove useless code + + card_eventmgr.c:231:17: warning: Value stored to 'res' is never read + res=sscanf(argv[i],"timeout_limit=%d",&timeout_limit); + ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + card_eventmgr.c:227:17: warning: Value stored to 'res' is never read + res=sscanf(argv[i],"timeout=%d",&timeout); + ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + card_eventmgr.c:271:5: warning: Value stored to 'res' is never read + res=fscanf(fd, "%ld", &temp); + ^ ~~~~~~~~~~~~~~~~~~~~~~~~ + card_eventmgr.c:301:5: warning: Value stored to 'res' is never read + res=write(fd, tmp, strlen(tmp)); + ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +commit dd163e205e51855760239f3a2467b1e62ea685d6 +Author: Ludovic Rousseau +Date: Sat Jan 22 17:46:10 2011 +0000 + + Remove useless code + + scconf.c:195:2: warning: Value stored to 'ret' is never read + ret = scconf_put_str(block, option, !value ? 
"false" : "true"); + ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + scconf.c:585:3: warning: Value stored to 'r' is never read + r = 0; + ^ ~ + scconf.c:711:3: warning: Value stored to 'r' is never read + r = 0; + ^ ~ + +commit 97b1715855f10c3685916fe0cd7e6c7cde5da00d +Author: Ludovic Rousseau +Date: Sat Jan 22 17:43:27 2011 +0000 + + Remove useless code + + ldap_mapper.c:800:13: warning: Although the value stored to 'ret' is used in the + enclosing expression, the value is never actually read from 'ret' + if ( 0 != (ret = ldap_unbind_s(ldap_connection))) { + ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ldap_mapper.c:668:3: warning: Value stored to 'rv' is never read + rv = ldap_add_uri (uris, uri, &buffer, &buflen); + ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +commit 5a738a654d8e868e4cd94d14b13b3fe88ca4e569 +Author: Ludovic Rousseau +Date: Sat Jan 22 17:40:34 2011 +0000 + + BN_append(): remove useless code + + cert_info.c:654:2: warning: Value stored to 'res' is never read + res=BN_bn2bin(bn,buff+1); + ^ ~~~~~~~~~~~~~~~~~~~~ + cert_info.c:649:25: warning: Value stored to 'pt' is never read + res= int_append(pt,0);pt+=res; + ^ ~~~ + +commit 43603c125e618c20a57ac21c2db187bd64721eb7 +Author: Ludovic Rousseau +Date: Sat Jan 22 17:39:25 2011 +0000 + + int_append(): remove useless code + + cert_info.c:631:3: warning: Value stored to 'pt' is never read + *pt++= (n&0x000000ff) >>0; + ^~~~ + +commit a45744d262f6d25964644577af49b776e4421059 +Author: Ludovic Rousseau +Date: Sat Jan 22 17:37:43 2011 +0000 + + free_uri(): fix a memory leak + + uri.c:175:14: warning: Field access results in a dereference of a null pointer + (loaded from variable 'uri') + if(!uri->file) free(uri->file->data); + ~~~ ^ + +commit 317d0b53e12e6c811079a80166c2511a1396f4f9 +Author: Ludovic Rousseau +Date: Sat Jan 22 17:33:07 2011 +0000 + + Fix to clang warnings + + pkcs11_lib.c:1323:3: warning: Value stored to 'rv' is never read + rv = -1; + ^ ~~ + pkcs11_lib.c:1346:3: warning: Value stored 
to 'rv' is never read + rv = -1; + ^ ~~ + +commit 7e381ee5ace3af210568818b30e03fd168368f3d +Author: Ludovic Rousseau +Date: Sat Jan 22 14:37:58 2011 +0000 + + close_pkcs11_session(): CKR_FUNCTION_NOT_SUPPORTED is a valid error code + and not an error. + + Closes ticket #30 "pam_pkcs11 cert_vfy failed with Feitian card" + +commit 63c40e048b10eb041b31261273ef8f61728aeb1a +Author: Ludovic Rousseau +Date: Sat Nov 20 19:46:50 2010 +0000 + + release 0.6.6 + +commit 74732dfa6309a359cd39820d31b992438d26c826 +Author: Ludovic Rousseau +Date: Thu Nov 18 09:17:38 2010 +0000 + + Use daemon implementation from daemon.c when needed (for example on + Solaris 10) + + See http://www.opensc-project.org/pipermail/opensc-user/2010-November/004331.html + +commit 389dc9a7d113b0547b9d430dce8ef562d1cb76b9 +Author: Ludovic Rousseau +Date: Thu Nov 18 09:13:11 2010 +0000 + + Use config.h instead of includes.h + + Define _PATH_DEVNULL if needed. It was defined in includes.h in OpenSSH + +commit 6638e73774109c3644f1aafe316348f366704677 +Author: Ludovic Rousseau +Date: Thu Nov 18 09:10:49 2010 +0000 + + new file from OpenSSH version 5.6p1 openssh-5.6p1/openbsd-compat/daemon.c + + The licence is BSD 3-clause so compatible with the LGPL v2+ used by + pam_pkcs11 + +commit f13b0ece6747475525cf1b93d666ced52792d1fe +Author: Ludovic Rousseau +Date: Mon Oct 25 12:44:17 2010 +0000 + + Fix the change in revision 470 + + Thanks (again) to Arfrever Frehtes Taifersar Arahesis + http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015175.html + +commit ca9d081270954ee50c00a048f3c5313c9426cead +Author: Ludovic Rousseau +Date: Mon Oct 25 08:47:31 2010 +0000 + + Default is to use pcsc-lite. 
The argument is --without-pcsclite to + disable pcsc-lite use/support + + Thanks to Arfrever Frehtes Taifersar Arahesis for the bug report + http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015172.html + +commit 018023c450500c4fc5221778337c0ad4ddb9cf62 +Author: Ludovic Rousseau +Date: Sat Oct 23 20:52:39 2010 +0000 + + rename make_hash_link.sh in pkcs11_make_hash_link + +commit 3428e53e6bfc59d0889d8ffb362e239bf76e515c +Author: Ludovic Rousseau +Date: Sat Oct 23 20:27:59 2010 +0000 + + Display ${libdir} value + +commit 8cc4d7512aa6b2df56b00712698c77624c3b219b +Author: Ludovic Rousseau +Date: Sat Oct 23 20:18:47 2010 +0000 + + rename make_hash_link.sh to pkcs11_make_hash_link to match the manpage + name + +commit a6d2e47642a2eacbadd34fe509bad7d21906818b +Author: Ludovic Rousseau +Date: Tue Oct 19 14:50:26 2010 +0000 + + Unload the mapper also on success + + Thanks to Andre Zepezauer for the patch + http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015150.html + +commit 21762db1366ae159553d208a6a090097a103b78f +Author: Ludovic Rousseau +Date: Tue Oct 19 08:05:03 2010 +0000 + + Update from doxygen version 1.5.6 to 1.7.1 + +commit e4c0d6b0c8d8db44338bfe801ee762de929a95ed +Author: Ludovic Rousseau +Date: Tue Oct 19 07:58:23 2010 +0000 + + release 0.6.5 + +commit 11f6fd558cd81bcafa6180bbb3b952108b4afe8b +Author: Ludovic Rousseau +Date: Tue Oct 19 07:51:02 2010 +0000 + + regenerate + +commit 46a85a6fccddf029f5128daf62e2c436a87f46c1 +Author: Ludovic Rousseau +Date: Tue Oct 19 07:46:14 2010 +0000 + + Add the missing strndup.h file + +commit d9e71851ad14476821a2327684ed82b552b1408d +Author: Ludovic Rousseau +Date: Tue Oct 19 07:40:03 2010 +0000 + + get_http(): check if complete message was transmitted + + Thanks to Andre Zepezauer for the patch + http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015137.html + +commit 220cc82188efda14cbdde741281a7baeb0dcad49 +Author: Ludovic Rousseau +Date: Tue Oct 19 07:36:49 2010 +0000 + + 
get_http(): allocate enough memory to fit http-request + + Thanks to Andre Zepezauer for the patch + http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015137.html + +commit 97680d3fcb8f7102bb3a6e1663e9d9ba6efae446 +Author: Ludovic Rousseau +Date: Tue Oct 19 07:35:54 2010 +0000 + + get_http(): add missing return statement + + Thanks to Andre Zepezauer for the patch + http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015137.html + +commit 70b9b47f48492d88f51073152271fd6a7bd11ec8 +Author: Ludovic Rousseau +Date: Tue Oct 19 07:31:02 2010 +0000 + + If dlopen() is not found in libdl we try to find it without specifying a + library before exiting in error. + + I don't remember why I used this code. Maybe dlopen() is not in libdl on + some systems. + +commit debd195986f83154ac08acd43bcb71436c652bce +Author: Ludovic Rousseau +Date: Sat Oct 16 13:21:36 2010 +0000 + + Translate a string + +commit 8d824399788f376113dcd027591df011c42e657b +Author: Ludovic Rousseau +Date: Sat Oct 16 13:20:54 2010 +0000 + + Regenerate + +commit 77a4423ff6f4f4c8fbda8c00109eefa2d96a80ee +Author: Ludovic Rousseau +Date: Sat Oct 16 13:19:42 2010 +0000 + + Replace "Found the %s." by "%s found." 
+ + Thanks to Mr Dash Four for the bug report + http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015135.html + +commit 9edd2c4728aa009c861ad7f42b4ff645e00af91b +Author: Ludovic Rousseau +Date: Fri Oct 15 07:34:12 2010 +0000 + + crypto_init(): fix a typo in log message + +commit 76a7b07e0ca65df9a8d9e1021ec1aa548518a9e1 +Author: Ludovic Rousseau +Date: Wed Sep 22 11:28:55 2010 +0000 + + pkcs11_pass_login(): check if the PIN returned by getpass is NULL + + Thanks to Andre Zepezauer for the patch + http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014976.html + +commit 9c4a86b2fb22d44ee0ee08f07329561c832299a3 +Author: Ludovic Rousseau +Date: Wed Sep 22 07:12:11 2010 +0000 + + pkcs11_pass_login(): log an error if pkcs11_login() fails + + Thanks to Andre Zepezauer for the patch + http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014964.html + +commit f886c31fecb1862e4a060e9a30fb3620544d0a88 +Author: Ludovic Rousseau +Date: Wed Sep 22 07:10:21 2010 +0000 + + pkcs11_pass_login(): do not clean a zero length PIN + + Thanks to Andre Zepezauer for the patch + http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014964.html + +commit 7941cabe438cbdb5b7cb8b3b33640b6dcdc5e917 +Author: Ludovic Rousseau +Date: Wed Sep 22 07:05:17 2010 +0000 + + Show PIN code in debug output only if DEBUG_SHOW_PASSWORD is defined + (not defined by default) + + Thanks to Andre Zepezauer for the bug report + http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014964.html + +commit 877babd43fb911574d9b64796f8b1216eb0e3c9c +Author: Ludovic Rousseau +Date: Tue Sep 21 09:53:51 2010 +0000 + + parse_config_file(): get the debug value from the configuration file + + Thanks to Andre Zepezauer for the patch + http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014949.html + +commit caea4fec05672d0c672ed4cc31ccc89b999cbc8e +Author: Ludovic Rousseau +Date: Wed Aug 25 08:26:39 2010 +0000 + + Do not call 
SCardEstablishContext() before daemonize since pcsc-lite + handles are invalid after a fork. + + Thanks to Patrik Martinsson for the patch + http://www.opensc-project.org/pipermail/opensc-devel/2010-August/014632.html + +commit e5c5efe271fa1f4d297dfaedaebeb910f65664a6 +Author: Ludovic Rousseau +Date: Thu Aug 19 22:09:18 2010 +0000 + + Use SCARD_READERSTATE instead of SCARD_READERSTATE_A since it was + removed in pcsc-lite >= 1.6.2 + +commit 9b7cfcd2258e8b8eb0d38021f08d66fdf9732a1d +Author: Ludovic Rousseau +Date: Sat Aug 14 16:19:36 2010 +0000 + + Patch for #239 and #240 (handle more than one cert/pattern matching) + + Thanks to Wolf Geldmacher for the patch. + http://www.opensc-project.org/pipermail/opensc-devel/2010-June/014405.html + + " Here's a patch to solve the issues I've encountered using pam_pkcs11. + + In regards to #239 (pam_pkcs11 only looks at first certificate on + token): + + The fix for this turns out to be somewhat problematic, and I'm not at + all sure, whether my implementation of the fix is a valid one. + + The basic problem (as I understood it from analyzing the code) is that + finder functions of the mappers return a char*, allowing for a single + value (NULL) to signalize failure and return the key if no mapping (i.e. + no value associated with the key) was found (cf. comment for + mapfile_find in src/mappers/mapper.c). Thus a caller (i.e. find_user in + src/pam_pkcs11/mapper_mgr.c) cannot distinguish between a mapping or a + key being returned and thus will prematurely terminate on the first + certificate that passes the other validity tests. + + The fix provided changes the finder function interface by requiring an + additional out parameter that is set to 1, if a real mapping value was + returned and remains unchanged otherwise. This fix breaks existing + loadable mappers. + + I considered overloading of the value returned (e.g. 
having a + byte/substring as first character of the value returned to be able to + distinguish between a value and a key being returned) which would + preserve the interface to the mappers, but refrained from implementing + it that way as I believe this to be unclean and prone to difficult to + track errors. + + Another solution I considered was the addition of another entry to the + structure encapsulating the mappers (e.g. a finder2 method), but as this + is no better in breaking the interface for loadable mappers and + duplicates code I forfeited this solution, too. + + If somebody could look into the problem and come up with a solution that + preserves the interface to external mappers while allowing the + distinction between keys and values, I'd be more than happy to implement + it. + + It might also may make sense to add a new configuration parameter for + the new behaviour of find_user, allowing existing applications to + continue to work with keys being returned instead of values (Feedback + anyone? The comment for find_user actually states that a mapping value + is returned). + + In regards to #240 (Allow pattern matching in pam_pkcs11): + + I restricted this to only work for mapfiles and the implementation + turned out to be quite simple - it's essentially an 11 line change in + src/mappers/mapper.c - and is triggered by the specification of a fully + anchored (i.e. *must* have initial "^" and *must* end in "$") pattern as + key in a mapfile. + + This now allows syntax like + ^.*/serialNumber=xxx-xxx-xxx-xxx$ -> username + in all mapfiles. + + The patch attached contains the changes for both issues. + + Cheers, + Wolf " + +commit 564355857ed49a7b6ff8eb646388e944bf36d359 +Author: Ludovic Rousseau +Date: Fri Aug 13 16:44:58 2010 +0000 + + Do not use a variadic parameter for pam_prompt. It is not supported on + FreeBSD. 
+ +commit 3b237ade4109fa0d345d3d684b86ab2dc93bb20b +Author: Ludovic Rousseau +Date: Thu Aug 12 22:07:51 2010 +0000 + + Add a new header file to define strndup if needed. + + pkcs11_setup.c: In function ‘scconf_replace_str_list’: + pkcs11_setup.c:73: warning: implicit declaration of function ‘strndup’ + pkcs11_setup.c:73: warning: incompatible implicit declaration of built-in function ‘strndup’ + +commit 5b52cebb4dc133c23f82a04acf947cc57a3a9aad +Author: Ludovic Rousseau +Date: Thu Aug 12 21:45:03 2010 +0000 + + Revert changeset 301 parsing arguments in pam_config.c but skip the + first argument in command line tools. + + Thanks to halfline for the patch. Closes ticket #29 + +commit 203e101db638c17a455efc6f951aabedcd9d286f +Author: Ludovic Rousseau +Date: Sat Jun 12 15:43:46 2010 +0000 + + release 0.6.4 + +commit dc7c23a0e2244151784eb6c5b67d2db8b020d731 +Author: Ludovic Rousseau +Date: Sat Jun 12 15:30:46 2010 +0000 + + translate a string + +commit 94ac80b4b132c6005a739513d3b974b2445f36a3 +Author: Ludovic Rousseau +Date: Sat Jun 12 15:29:04 2010 +0000 + + regenerate + +commit 22e498d5d75bd88f2e09abd0ffc9aa1cac4af514 +Author: Ludovic Rousseau +Date: Tue Jun 8 08:01:32 2010 +0000 + + Fixes Ticket #26 "Additional check for local X11 Display" + +commit fb66d1b73d3cbf121cdd87d88c7926442d1cd2e7 +Author: Ludovic Rousseau +Date: Tue Jun 8 07:54:09 2010 +0000 + + Revert revision 422 since Solaris 10 does not support pam_prompt() with + a variable number of parameters (like printf) + + Also remove some cast since Solaris 10 does not have the same prototype + for pam_* functions + GNU/Linux uses "const" parameters but Solaris does not. + +commit e2adcb89d6cdc881c6f5a51cea46275395520744 +Author: Ludovic Rousseau +Date: Mon Jun 7 14:53:17 2010 +0000 + + Add support of CKF_PROTECTED_AUTHENTICATION_PATH for pinpad readers. + If a pinpad is present the PIN/password is not asked by PAM but by the + pinpad only. 
+ + Closes: Ticket #19 "enabled pinpad: confusing keyboard interaction" + +commit 31e1d26c35c8af8c8e6a45a00d4cd14c5274582c +Author: Ludovic Rousseau +Date: Sun May 30 12:08:11 2010 +0000 + + Add dutch translation + + Thanks to Guy Zelck + +commit 0f1581b1e89fb687660901e0badc9c1ca5bcd91f +Author: Ludovic Rousseau +Date: Tue Apr 20 19:05:17 2010 +0000 + + add Brazilian Portuguese Translation + + Thanks to Anderson Goulart + +commit 2473998fb38d045c5511893c63820e9e02aab2f4 +Author: Ludovic Rousseau +Date: Sat Apr 10 21:02:43 2010 +0000 + + use #ifdef instead of #if + + Fix + pam_pkcs11.c:46:5: warning: "ENABLE_NLS" is not defined + +commit 159c471a6c50d0388fa7731742eff7bb228d37b1 +Author: Ludovic Rousseau +Date: Sat Apr 10 20:53:10 2010 +0000 + + Use stdlib.h instead of malloc.h (not present on Mac OS X for example) + +commit 30ca76abe4a700e177b74a40c3aa27e457d04f78 +Author: Ludovic Rousseau +Date: Sat Apr 10 15:21:46 2010 +0000 + + Closes: Ticket #22 "get_slot_login_required missing from NSS side." 
+ +commit 9bff4ad0c7e84d2ccf8a843cf2f1243d013a6633 +Author: Ludovic Rousseau +Date: Sat Apr 10 15:17:34 2010 +0000 + + Fix compiler when used with NSS + + algorithm.c:54: error: conflicting types for ‘Alg_get_digest_by_name’ + ./alg_st.h:50: note: previous declaration of ‘Alg_get_digest_by_name’ was here + +commit 5b516d03e217abdc8ff1ade38ae3b01a33e6d570 +Author: Ludovic Rousseau +Date: Sat Apr 10 15:10:28 2010 +0000 + + Closes: Ticket #21 "Update for German translation" + +commit c908faef26b2afbbed19209b9c0d87626f373ad4 +Author: Ludovic Rousseau +Date: Sat Apr 10 15:07:28 2010 +0000 + + regenerate + +commit c7e5ed37e6dd2e40b99a964766d2cf7aac2e4a62 +Author: Ludovic Rousseau +Date: Sat Apr 10 14:54:58 2010 +0000 + + Release 0.6.3 + +commit 6e79c826244e5af805181d56ce28690f4e661da7 +Author: Ludovic Rousseau +Date: Sat Apr 10 14:52:33 2010 +0000 + + Fix + uri.c: In function ‘get_from_uri’: + uri.c:595: warning: enumeration value ‘unknown’ not handled in switch + +commit 4e8df5e2de9fdc05a0ec7e4dce1126459c1092e6 +Author: Ludovic Rousseau +Date: Sat Apr 10 14:49:49 2010 +0000 + + Fix a potential bug + + ldap_mapper.c: In function ‘ldap_get_certificate’: + ldap_mapper.c:601: warning: ‘rv’ may be used uninitialized in this function + +commit 182896cb07b4944eb5f8a913a36bf95158652c91 +Author: Ludovic Rousseau +Date: Sat Apr 10 14:47:04 2010 +0000 + + Directly use pam_prompt() to format the string instead of sprintf() + + Fix + pam_pkcs11.c: In function ‘pam_sm_authenticate’: + pam_pkcs11.c:289: warning: format not a string literal and no format arguments + pam_pkcs11.c:358: warning: format not a string literal and no format arguments + pam_pkcs11.c:386: warning: format not a string literal and no format arguments + pam_pkcs11.c:407: warning: format not a string literal and no format arguments + pam_pkcs11.c:428: warning: format not a string literal and no format arguments + +commit 8f7a2f239353886dfd6eaca51c7743ff78f0dfcd +Author: Ludovic Rousseau +Date: Sat Apr 10 14:41:23 
2010 +0000 + + Fix compiler warnings + + pam_pkcs11.c: In function ‘pam_sm_authenticate’: + pam_pkcs11.c:622: warning: field precision should have type ‘int’, but argument 4 has type ‘long unsigned int’ + pam_pkcs11.c:622: warning: field precision should have type ‘int’, but argument 4 has type ‘long unsigned int’ + pam_pkcs11.c:639: warning: field precision should have type ‘int’, but argument 4 has type ‘long unsigned int’ + pam_pkcs11.c:639: warning: field precision should have type ‘int’, but argument 4 has type ‘long unsigned int’ + pam_pkcs11.c:661: warning: field precision should have type ‘int’, but argument 4 has type ‘long unsigned int’ + pam_pkcs11.c:661: warning: field precision should have type ‘int’, but argument 4 has type ‘long unsigned int’ + +commit 38330a6e6bad47857cd39dda74651e210c3846f0 +Author: Ludovic Rousseau +Date: Sat Apr 10 14:38:23 2010 +0000 + + Fix compiler warning + + card_eventmgr.c: In function ‘signal_trap’: + card_eventmgr.c:302: warning: unused parameter ‘sig’ + +commit 13e1abd2b2d09008d91daa9797894df7054a7185 +Author: Ludovic Rousseau +Date: Sat Apr 10 14:35:14 2010 +0000 + + Fix compiler warning + + pkcs11_lib.c: In function ‘crypto_init’: + pkcs11_lib.c:934: warning: unused parameter ‘policy’ + +commit b7422928730153a133a9042c7d76458c91ed5001 +Author: Ludovic Rousseau +Date: Sat Apr 10 14:33:38 2010 +0000 + + Update a cast to fix a compiler warning + + pkcs11_lib.c: In function ‘get_certificate_list’: + pkcs11_lib.c:1520: warning: passing argument 2 of ‘d2i_X509’ from incompatible pointer type + /usr/include/openssl/x509.h:940: note: expected ‘const unsigned char **’ but argument is of type ‘CK_BYTE **’ + +commit 7bd62b8110e63d21b595a4034dbb40429e5cb0f2 +Author: Ludovic Rousseau +Date: Sat Apr 10 14:31:12 2010 +0000 + + Use a cast to fix compilers warnings + + pkcs11_lib.c: In function ‘find_slot_by_slotlabel_and_tokenlabel’: + pkcs11_lib.c:1264: warning: pointer targets in passing argument 1 of ‘strlen’ differ in signedness + 
/usr/include/string.h:397: note: expected ‘const char *’ but argument is of type ‘CK_UTF8CHAR *’ + pkcs11_lib.c:1264: warning: pointer targets in passing argument 2 of ‘__builtin_strcmp’ differ in signedness + pkcs11_lib.c:1264: note: expected ‘const char *’ but argument is of type ‘CK_UTF8CHAR *’ + pkcs11_lib.c:1264: warning: pointer targets in passing argument 2 of ‘__builtin_strcmp’ differ in signedness + pkcs11_lib.c:1264: note: expected ‘const char *’ but argument is of type ‘CK_UTF8CHAR *’ + pkcs11_lib.c:1264: warning: pointer targets in passing argument 1 of ‘strlen’ differ in signedness + /usr/include/string.h:397: note: expected ‘const char *’ but argument is of type ‘CK_UTF8CHAR *’ + pkcs11_lib.c:1264: warning: pointer targets in passing argument 2 of ‘__builtin_strcmp’ differ in signedness + pkcs11_lib.c:1264: note: expected ‘const char *’ but argument is of type ‘CK_UTF8CHAR *’ + pkcs11_lib.c:1264: warning: pointer targets in passing argument 2 of ‘__builtin_strcmp’ differ in signedness + pkcs11_lib.c:1264: note: expected ‘const char *’ but argument is of type ‘CK_UTF8CHAR *’ + +commit 5eaebe5ed52dcafc4caa9db6768c0202ac4acee6 +Author: Ludovic Rousseau +Date: Thu Apr 8 07:28:32 2010 +0000 + + Fix typos in comments + +commit 3178f05f50fd60bbb2d6aefa1152ba1ac3f0853d +Author: Ludovic Rousseau +Date: Wed Apr 7 14:32:52 2010 +0000 + + generate the example files pam_pkcs11.conf.example and + pam.d_login.example with the correct libdir path + + Closes: Ticket #213 "pam-pkcs11: wrong path in + /etc/pam_pkcs11/pam_pkcs11.conf for mappers" + +commit f024ddf0baaf3830e9cfbb52015c6161cc0b9786 +Author: Ludovic Rousseau +Date: Wed Apr 7 14:09:42 2010 +0000 + + Add a "quiet" configuration option + + Closes: Ticket #25 "Quiet Mode for pam_pkcs11" + +commit f0a9a1d16e69dcb290512c24180a163f967949e6 +Author: Ludovic Rousseau +Date: Wed Apr 7 13:55:49 2010 +0000 + + Fix + cert_vfy.c: In function ‘download_crl’: + cert_vfy.c:125: warning: passing argument 2 of ‘d2i_X509_CRL’ 
from incompatible pointer type + cert_vfy.c:131: warning: passing argument 2 of ‘d2i_X509_CRL’ from incompatible pointer type + +commit f857b5bce1abf5f4a0f256e71e70f69e7d1884d6 +Author: Ludovic Rousseau +Date: Wed Apr 7 13:54:26 2010 +0000 + + Fix + cert_vfy.c: In function ‘setup_store’: + cert_vfy.c:347: warning: initialization discards qualifiers from pointer target type + cert_vfy.c:354: warning: initialization discards qualifiers from pointer target type + cert_vfy.c:373: warning: initialization discards qualifiers from pointer target type + cert_vfy.c:380: warning: initialization discards qualifiers from pointer target type + +commit d9d2e15afffffab349d1d2548aea4a2ab24ddcaa +Author: Ludovic Rousseau +Date: Wed Apr 7 13:52:14 2010 +0000 + + Fix + debug.c: In function ‘debug_print’: + debug.c:63: warning: format not a string literal and no format arguments + +commit b65049680d70601180d30008a94276c99c68ae0d +Author: Ludovic Rousseau +Date: Wed Apr 7 13:47:30 2010 +0000 + + Fix + pkcs11_eventmgr.c: In function ‘parse_args’: + pkcs11_eventmgr.c:231: warning: assignment discards qualifiers from pointer target type + +commit 8a3e00a2524de30e5de724f35d82014d344e7c5f +Author: Ludovic Rousseau +Date: Wed Apr 7 13:46:35 2010 +0000 + + Fix + card_eventmgr.c: In function ‘parse_args’: + card_eventmgr.c:189: warning: assignment discards qualifiers from pointer target type + +commit cfaabb84138787d6ac9b7841869bf3f91267d022 +Author: Ludovic Rousseau +Date: Wed Apr 7 13:43:39 2010 +0000 + + module argument of load_pkcs11_module() is now a (const char *) + + Fix + pkcs11_inspect.c: In function ‘main’: + pkcs11_inspect.c:70: warning: passing argument 1 of ‘load_pkcs11_module’ discards qualifiers from pointer target type + pkcs11_listcerts.c: In function ‘main’: + pkcs11_listcerts.c:70: warning: passing argument 1 of ‘load_pkcs11_module’ discards qualifiers from pointer target type + pklogin_finder.c: In function ‘main’: + pklogin_finder.c:72: warning: passing argument 1 of 
‘load_pkcs11_module’ discards qualifiers from pointer target type + etc. + +commit 2ee11e7fabb63fc3e702ec91a9b08c667aae1256 +Author: Ludovic Rousseau +Date: Wed Apr 7 13:36:19 2010 +0000 + + Fix + cert_info.c: In function ‘cert_key_alg’: + cert_info.c:815: warning: initialization discards qualifiers from pointer target type + +commit 7b9fa6b09c8caa762478b67a0b45cd376e54df4e +Author: Ludovic Rousseau +Date: Wed Apr 7 13:32:07 2010 +0000 + + Fix + cert_info.c: In function ‘cert_info_sshpuk’: + cert_info.c:694: warning: passing argument 2 of ‘str_append’ discards qualifiers from pointer target type + cert_info.c:708: warning: passing argument 2 of ‘str_append’ discards qualifiers from pointer target type + +commit fe4d146b1031d17d270397739321990284752665 +Author: Ludovic Rousseau +Date: Wed Apr 7 13:31:04 2010 +0000 + + cert_info_sshpuk(): use (const char *) for type to avoid compiler + warning + + cert_info.c: In function ‘cert_info_sshpuk’: + cert_info.c:690: warning: assignment discards qualifiers from pointer target type + cert_info.c:705: warning: assignment discards qualifiers from pointer target type + +commit 345f104b804c88ab71a106708e186796b273a508 +Author: Ludovic Rousseau +Date: Wed Apr 7 13:28:37 2010 +0000 + + Change return type of Alg_get_digest_by_name() to avoid a compiler + warning + + algorithm.c: In function ‘Alg_get_digest_by_name’: + algorithm.c:74: warning: return discards qualifiers from pointer target type + +commit 654e5a82d150b4bdf558d918ace2c0db860b21fd +Author: Ludovic Rousseau +Date: Wed Apr 7 13:25:49 2010 +0000 + + Use (const char *) for configuration strings instead of (char *) + +commit 3179751e7e1b5f9fff32c189f94e530cb9928500 +Author: Ludovic Rousseau +Date: Wed Apr 7 13:15:16 2010 +0000 + + Do not use sscanf() to not overwrite the buffers + +commit 97771cd0b86d5ae8f96206b5c179a0f85ddd44d9 +Author: Ludovic Rousseau +Date: Wed Apr 7 13:11:25 2010 +0000 + + Use DEBUG_CONFIG to trace the configuration + +commit 
37f678fb4363b8dd2a1a7960d1e0a2412e7af429 +Author: Ludovic Rousseau +Date: Wed Apr 7 13:01:23 2010 +0000 + + pam_sm_authenticate(): also log the module name that failed to load + +commit 43c7cbd53d55700c2af4b03632cba3ff3dc25409 +Author: Ludovic Rousseau +Date: Wed Apr 7 12:49:53 2010 +0000 + + Do not cast malloc return value + +commit 57b42caedd9619755d4ecb8fce2ca2983e1bf401 +Author: Ludovic Rousseau +Date: Fri Apr 2 16:47:22 2010 +0000 + + Correctly initialize initArgs and .pReserved in particular + + Fixes Ticket #24 "PKCS#11 Module initialized with incomplete data." + +commit ae4aee202086a9711a8a7cae6484f39e9d053345 +Author: Ludovic Rousseau +Date: Fri Apr 2 13:27:26 2010 +0000 + + Do not prompt for a username if one is already available. + + Fixes Ticket #23 + +commit d9f0a266849cf7bfef9ccd1215c2b03da039ad10 +Author: Ludovic Rousseau +Date: Wed Feb 3 17:41:41 2010 +0000 + + opensc_mapper_match_certs(): PATH_MAX is not defined (unlimited) on Hurd + The correct solution would be to use a dynamic allocation + +commit db8ce9747c189637acccb6f08520334b34986f37 +Author: Ludovic Rousseau +Date: Wed Feb 3 17:39:21 2010 +0000 + + release 0.6.2 + +commit 2989c7fb7b1eceb600c427c7a06b46fcf18c193c +Author: Ludovic Rousseau +Date: Sun Jan 3 16:32:48 2010 +0000 + + fix hyphen-used-as-minus-sign + See http://lintian.debian.org/tags/hyphen-used-as-minus-sign.html + +commit 869184d64c04f5d14ece76a36eb0cdb80ae80004 +Author: Ludovic Rousseau +Date: Sun Jan 3 16:30:39 2010 +0000 + + fix spelling error + +commit 71b360534a6b843116f756fe04f22f6aecb214ca +Author: Ludovic Rousseau +Date: Sun Jan 3 16:29:46 2010 +0000 + + fix spelling error + +commit 9dea81ba5276c366bca139a11f7efbbcb6816fe6 +Author: Ludovic Rousseau +Date: Thu Dec 17 11:00:11 2009 +0000 + + document use_module + +commit 47fa4bc41ae620cab934c4284150475ec7f11829 +Author: Ludovic Rousseau +Date: Thu Dec 17 10:59:49 2009 +0000 + + use ERR1() instead of DBG1() in case of error + +commit a570325060f0c35831cb8ae9b1cf7bdd948ab05f 
+Author: Ludovic Rousseau +Date: Thu Dec 17 10:44:59 2009 +0000 + + use printf() instead of DBG1() to display the certificates even if debug + mode is not used + +commit 7670889710515c610f67cbfa013b696d3e77225d +Author: Ludovic Rousseau +Date: Thu Dec 17 10:33:12 2009 +0000 + + add an EXAMPLE section + +commit d79f79376153e53bf335420e6c1275f8c76f7b17 +Author: Ludovic Rousseau +Date: Thu Dec 17 09:59:13 2009 +0000 + + use @PACKAGE_VERSION@ so that configure replaces it by the correct value + +commit c59b2ca24869ac8432b36b62c2f43a6939a6e5b5 +Author: Ludovic Rousseau +Date: Thu Dec 17 09:58:33 2009 +0000 + + generate doc/doxygen.conf + +commit 86e8f6d8e6b812adee8534f27c5d2442516db99d +Author: Ludovic Rousseau +Date: Wed Dec 16 16:46:18 2009 +0000 + + add missing man pages + +commit e822dfc39cca7edd474a707ca93d943e8de42f2a +Author: Ludovic Rousseau +Date: Wed Dec 16 16:45:46 2009 +0000 + + add support of "debug" argument + +commit 681befb84c3387588104dae12c91dd40bcf682e7 +Author: Ludovic Rousseau +Date: Wed Dec 16 15:50:49 2009 +0000 + + The manpages do not use #PKGVERSION# any more. No need to convert them + +commit 84a42f4eebdf603de4f8b58228647fe90e83dc6c +Author: Ludovic Rousseau +Date: Wed Dec 16 15:38:10 2009 +0000 + + link with $(LIBDL) + +commit d8a1dae86460aa9bbeba71d27a833186e96aeabd +Author: Ludovic Rousseau +Date: Wed Dec 16 15:37:40 2009 +0000 + + add a check for dlopen() in libdl + +commit 5b64c0ac3255a095b0ff7ea62544dcc25b737892 +Author: Ludovic Rousseau +Date: Thu Dec 3 08:40:22 2009 +0000 + + "pam_pkcs11 doesn't work with cards with no PIN installed. It tries to + C_Login() whenever PIN is really needed and fails with "C_Login() + failed: 0x00000102". 
+ + I've made a patch which corrects this behavior: + + * implements get_slot_login_required() function what checks whether + current slot requires login + * makes pam_pkcs11 ask for PIN only if it is needed" + + Thanks to Oleg Smirnov for the patch + http://www.opensc-project.org/pipermail/opensc-devel/2009-December/012929.html + +commit 547c1b9de63ad016cd88257a14ad10ee687b433c +Author: Ludovic Rousseau +Date: Tue Oct 6 11:51:09 2009 +0000 + + use -shared to avoid builing the useless static libraries + + Thanks to Diego Elio Pettenò for the patch + http://www.opensc-project.org/pipermail/opensc-devel/2009-October/012598.html + +commit e08f826e8076ef39681f63e753263edf60ceba48 +Author: Ludovic Rousseau +Date: Tue Oct 6 08:08:33 2009 +0000 + + do not define static library in configure.in but use the .la files in + the Makefile.am + +commit 553e4085ee63d03f8becc69aec9ce1a809f73b00 +Author: Ludovic Rousseau +Date: Tue Oct 6 07:57:54 2009 +0000 + + Do not use a custom install override rule + + Thanks to Diego Elio Pettenò for the patch + http://www.opensc-project.org/pipermail/opensc-devel/2009-October/012587.html + +commit 8a2ecec8857452a5471060e3d6c56610cf8f8297 +Author: Ludovic Rousseau +Date: Tue Oct 6 07:53:19 2009 +0000 + + use ../pam_pkcs11/libfinder.la instead of directly pointing to .o files + +commit 557d0802d40ca91ecd9b4be79fc5814410753c74 +Author: Ludovic Rousseau +Date: Tue Oct 6 07:52:57 2009 +0000 + + create a libfinder.la library for tools in src/tools/ + +commit ab1d8e674de5efba3625d9f7c26f2be7e68ff4f5 +Author: Ludovic Rousseau +Date: Tue Oct 6 07:23:31 2009 +0000 + + install examples in doc dir instead of pkgdata dir. 
+ + Thanks to Diego Elio Pettenò for the patch + http://www.opensc-project.org/pipermail/opensc-devel/2009-October/012587.html + +commit a49f1fc3fdd431d0f09890735a3a88badb746ed1 +Author: Ludovic Rousseau +Date: Mon Sep 21 12:08:21 2009 +0000 + + sync with scconf from OpenSC + +commit e3ec22e4ca7092b9abc2bf67f47631ebb5cec4f8 +Author: Ludovic Rousseau +Date: Thu Sep 17 07:55:14 2009 +0000 + + find_slot_by_slotlabel(): also check the slot is present + + Thanks to Aro RANAIVONDRAMBOLA for the patch + http://www.opensc-project.org/pipermail/opensc-user/2009-August/003231.html + +commit c829e240997315448b6d249c27533330533d793b +Author: Ludovic Rousseau +Date: Wed Sep 2 12:32:55 2009 +0000 + + card_eventmgr.c:80: warning: nested extern declaration of ‘environ’ + +commit 5ebce8eb6f053f568fccb69e590e51deb7cc2fa8 +Author: Ludovic Rousseau +Date: Wed Sep 2 12:32:18 2009 +0000 + + pkcs11_eventmgr.c:118: warning: nested extern declaration of ‘environ’ + +commit 506d4876df4de8f62347436dce447e66ece18788 +Author: Ludovic Rousseau +Date: Wed Sep 2 12:28:36 2009 +0000 + + use the standard format for NAME section + + W: libpam-pkcs11: manpage-has-bad-whatis-entry usr/share/man/man1/pkcs11_eventmgr.1.gz + +commit 2948a2e5d1185016525d7ef4a5de45c200bc028f +Author: Ludovic Rousseau +Date: Mon Jul 6 07:49:46 2009 +0000 + + cert_info_sshpuk(): avoid a buffer overflow followed by a crash + + Thanks to Joshua Kinard for the bug report + +commit a97547ec12e0ea680c372bcb49def0a963bd708c +Author: Ludovic Rousseau +Date: Fri Jul 3 07:52:56 2009 +0000 + + correct typos and remove spaces at end of lines + +commit b1a4745ac82effea1d0a6c62f1e643b82f103d85 +Author: Ludovic Rousseau +Date: Fri Jun 12 08:09:46 2009 +0000 + + release 0.6.1 + +commit 2c1104cbc052859044b5f7ac77a08f60c8404ffb +Author: Ludovic Rousseau +Date: Fri Jun 12 08:05:29 2009 +0000 + + update Doxygen comments + +commit 2427543a679d7af6ed3d006bb34048e77e312680 +Author: Ludovic Rousseau +Date: Fri Jun 12 07:55:51 2009 +0000 + + 
updated using doxygen -u + +commit 9819302be7820701a0c87d8cdff9a1e10251c5d5 +Author: Ludovic Rousseau +Date: Fri Jun 12 07:51:38 2009 +0000 + + update + +commit f8402014596d0014d98c5fb1e5df83bedb9fc9c8 +Author: Ludovic Rousseau +Date: Fri Dec 19 10:21:48 2008 +0000 + + BN_append(): avoid a possible memory leak (detected by cppcheck tool) + +commit 8d87a3373ecc57aada7b5749cee2eda64cdd045e +Author: Ludovic Rousseau +Date: Thu Nov 6 14:48:39 2008 +0000 + + ldap_get_certificate(): in case NSS is used + - use CERT_NewTempCertificate() to create a certificate + - use CERT_DestroyCertificate() to free a certificate + + thanks to Robert Relyea for the idea + http://www.opensc-project.org/pipermail/opensc-devel/2008-November/011418.html + +commit fba80e606c8d355a9076d20e9d41f0a52d0eeac9 +Author: Ludovic Rousseau +Date: Thu Nov 6 14:28:46 2008 +0000 + + remove trailing tab and space characters + +commit 0d9ba2c8b9001fbee4dcc64a193fbbd2702b6da7 +Author: Ludovic Rousseau +Date: Thu Nov 6 13:41:43 2008 +0000 + + ldap_get_certificate(): check the value of ldap_x509[rv] instead of + ldap_x509. The previous test was never true + +commit 439975cd2678fe5d9cd0cbe7be3462635f2770fa +Author: Ludovic Rousseau +Date: Thu Nov 6 13:39:37 2008 +0000 + + ldap_get_certificate(): typo in log message + +commit d20232a09aedeb556bca933c26da2923b4101f4d +Author: Ludovic Rousseau +Date: Thu Nov 6 13:39:05 2008 +0000 + + ldap_get_certificate(): check returned value of malloc() + +commit 9c46072511f4a4095be77a1eba047d7237d189d6 +Author: Ludovic Rousseau +Date: Tue Nov 4 10:08:49 2008 +0000 + + use == instead of CERT_CompareCerts() to compare two NSS certificates. 
+ + Thanks to Robert Relyea for the patch + http://www.opensc-project.org/pipermail/opensc-devel/2008-October/011406.html + +commit c2b45fd31cbabb730e93595e23caf07f26f40a02 +Author: Ludovic Rousseau +Date: Fri Oct 24 08:22:13 2008 +0000 + + common/cert_st.h: define CERT_cmp to be either CERT_CompareCerts for NSS + or X509_cmp for OpenSSL + + mappers/ldap_mapper.c: use CERT_cmp() instead of X509_cmp() the same + code should work with NSS or OpenSSL + +commit b787757b1aa7cb9d0e7e7e5d25254df73d270373 +Author: Ludovic Rousseau +Date: Thu Oct 16 08:08:05 2008 +0000 + + declare local function password_passthrough() static + + pkcs11_lib.c:169: warning: no previous prototype for 'password_passthrough' + +commit 13f79b66962ce74fd6e56b771c2d10759a94a1d4 +Author: Ludovic Rousseau +Date: Thu Oct 16 08:05:49 2008 +0000 + + find_slot_by_number(): slot_num is unsigned int so to not check for + slot_num >= 0 + + pkcs11_lib.c:353: warning: comparison of unsigned expression >= 0 is always true + +commit 946a97f2434fc37c83fbc9fdbc95a5c18950c869 +Author: Ludovic Rousseau +Date: Thu Oct 16 08:03:48 2008 +0000 + + opensc_mapper_match_certs(): local variables are only used if NSS is not + used + +commit 8df09c90db50b713340f6521803e2ebe68a00f37 +Author: Ludovic Rousseau +Date: Thu Oct 16 07:59:25 2008 +0000 + + declare two functions static to avoid no previous prototype warnings + +commit e3c1d397acf4fec69bbedc90df3e2b986b759867 +Author: Ludovic Rousseau +Date: Thu Oct 16 07:56:01 2008 +0000 + + include .h files to avoid implicit declaration warnings + + Thanks to Stanislav Brabec for the patch + http://www.opensc-project.org/pipermail/opensc-devel/2008-October/011390.html + +commit 7b622e68138ce8c2b99157b0aa62a16dacb34c6a +Author: Ludovic Rousseau +Date: Thu Oct 16 07:47:48 2008 +0000 + + pkcs11_lib.c:295: error: conflicting types for 'find_slot_by_number' + pkcs11_lib.h:34: error: previous declaration of 'find_slot_by_number' was here + +commit a1909a1e3f5ea2d336c8d3d938519fef43248124 
+Author: Ludovic Rousseau +Date: Tue Oct 14 07:59:25 2008 +0000 + + pkcs11_lib.c: In function 'find_slot_by_number': + pkcs11_lib.c:1143: warning: comparison between signed and unsigned + pkcs11_lib.c:1150: warning: comparison between signed and unsigned + +commit 4d131e190fd45e0ad4c944d888a408f9e9cf4dc5 +Author: Ludovic Rousseau +Date: Tue Oct 14 07:56:38 2008 +0000 + + rename index in idx + + pkcs11_lib.c:1212: warning: declaration of 'index' shadows a global declaration + /usr/include/string.h:304: warning: shadowed declaration is here + +commit 5484e5e2f648091d0f548654038dd12b9e164935 +Author: Ludovic Rousseau +Date: Tue Oct 14 07:52:56 2008 +0000 + + cert_info.c:841: warning: pointer targets in passing argument 1 of + 'bin2hex' differ in signedness + +commit 46454e9674e7ba5f919d9986046731efb88be50b +Author: Ludovic Rousseau +Date: Tue Oct 14 07:47:15 2008 +0000 + + Passing slot_description= and token_type= on the command line was not + handled correctly (crash) + +commit 3cc71f802802692c836342c12c6b55609d5fcc9c +Author: Ludovic Rousseau +Date: Tue Oct 14 07:42:10 2008 +0000 + + pkcs11_lib.c:124: warning: implicit declaration of function 'isspace' + +commit bfa342290d0b9b55419881b96bbd0884fa8ad0e1 +Author: Ludovic Rousseau +Date: Tue Oct 14 07:36:46 2008 +0000 + + Allow to configure the token name in the different PAM prompts. Default + value is "Smart card". See token_type= configuration in + etc/pam_pkcs11.conf + + Thanks to Huie-Ying Lee for the patch. + +commit ce8c3f762977400f1f144d62b22d6a72e3e1c5c6 +Author: Ludovic Rousseau +Date: Fri Sep 26 08:38:11 2008 +0000 + + add missing secutil.h + + Thanks to Stanislav Brabec for the patch + +commit a6897e175541ae4b5a008908c6194265d99c8350 +Author: Ludovic Rousseau +Date: Fri Sep 26 08:34:00 2008 +0000 + + correctly close ] and ) + +commit 4c0e0d472c41f3285823643e2ef39ef341d25224 +Author: Ludovic Rousseau +Date: Fri Sep 26 08:10:46 2008 +0000 + + Patch from Jacob Berkman improves Microsoft UPN OID support. 
+ + Thanks to Stanislav Brabec + http://www.opensc-project.org/pipermail/opensc-devel/2008-September/011336.html + +commit 708322cd9d51aff3515658d48f35c0831ce4f3f7 +Author: Ludovic Rousseau +Date: Fri Sep 26 08:00:41 2008 +0000 + + add NSS (Network Security Service) config sample + +commit 98b7d19a26338cc1ae0e7cdc24df6063f8cf0b24 +Author: Ludovic Rousseau +Date: Fri Sep 26 07:55:26 2008 +0000 + + Add support of domainnickname. + + Thanks to Jacob Berkman for the patch and Stanislav Brabec for the + forward + +commit 4e6d2a5b55f119917193f4ee728a671468ead2a6 +Author: Ludovic Rousseau +Date: Fri Sep 26 07:50:41 2008 +0000 + + add a missing ; at end of line + + Thanks to Stanislav Brabec for the patch + Closes OpenSC ticket #154 + +commit a89a253e54da2d807434dd0cd9eea1045e990a93 +Author: Ludovic Rousseau +Date: Thu Sep 25 07:53:26 2008 +0000 + + load_pkcs11_module(): do not check that the group ownership of + libpkcs11.so is 0. It is 2 on Solaris. + + Thanks to Huie-Ying Lee for the patch + http://www.opensc-project.org/pipermail/opensc-devel/2008-September/011334.html + +commit 11d74021770ab4b1d6d1772b841d69f2afce31de +Author: Ludovic Rousseau +Date: Tue Sep 16 08:33:56 2008 +0000 + + Use daemon() only if supported by the platform (it is not available on + Solaris) + + Thanks to Huie-Ying Lee for the patch + http://www.opensc-project.org/pipermail/opensc-devel/2008-September/011326.html + +commit fe2b6d06b36d1cbe5469db9612811dd09ec1b8d1 +Author: Ludovic Rousseau +Date: Fri Sep 12 08:47:01 2008 +0000 + + Patch to use identify a token by its slot description instead of slot number + + Thanks to Huie-Ying Lee for the patch + http://www.opensc-project.org/pipermail/opensc-devel/2008-September/011317.html + + ====================================== + Problem + ====================================== + Currently, the pam_pkcs11 module uses slot_num for the slot/token selection. 
+ However, this is not safe because there is no guaranteed ordering of slots + returned from the PKCS#11 C_GetSlotList() function, according to the RSA + PKCS#11 specification. + + On Solaris OS, the libpkcs11 library uses plug-ins to provide the slots. An + administrator can install or uninstall a plug-in by using a utility command + called "cryptoadm" on Solaris. Therefore, a particular slot may be associated + with different slot numbers on different systems or even on the same system on + different runs. + + ====================================== + Solution + ====================================== + To address the above issue, our solution is to replace the "slot_num" entry + with a "slot_description" entry in the "pam_pkcs11.conf" configuration file for + the slot/token selection as illustrated below. + + - pam_pkcs11.conf - + + pkcs11_module default { + + module = /usr/lib/libpkcs11.so; + description = "Solaris PKCS#11 Cryptographic Framework library"; + # + # Which slot to use. The slot is specified by the slot description. + # For example, slot_description = "Sun Crypto Softtoken". + # + # An administrator can use the "cryotoadm list -v" command to find + # all the available slots and their slot descriptions. For more + # information, see the libpkcs11(3LIB) and cryptoadm(1m) man pages. + # + # The default value is "none" which means to use the first slot with + # an available token. + # + slot_description = "none" + + ... + + } + + The slot_description field will be used to specify the slot to be used. Its + value should be the slot label for the slot, which is basically the same as the + slotDescription string in the CK_SLOT_INFO structure returned from the + C_GetSlotInfo() function. + + In the original slot_num design, when slot_num is 0, it means to use the first + slot with an available token. 
To provide a similar functionality, an + administrator can specify slot_description to be "none", which also means to + use the first slot with an available token. + +commit d3c17dfcd2f7a8b89c479d2d5a2ca0a6589cc67a +Author: Ludovic Rousseau +Date: Tue Sep 9 15:09:19 2008 +0000 + + find_slot_by_number: complete patch in revision 330 + +commit 92d9f8cf0cb50cff39ec6e92c4247e02e7234afe +Author: Ludovic Rousseau +Date: Tue Sep 9 15:07:11 2008 +0000 + + find_slot_by_number(): BUG: the slot index is slot_num and not i + + thanks to Huie-Ying Lee for the patch + +commit bce462ddaba01a66cff4f1712acb23c272ba7741 +Author: Ludovic Rousseau +Date: Tue Sep 9 15:04:00 2008 +0000 + + pk_configure(): correct a typo "slot_nume" -> "slot_num" + + Thanks to Huie-Ying Lee for the patch + +commit d3dc1e567911b29fb276b56414c45e057704e744 +Author: Ludovic Rousseau +Date: Tue Sep 9 14:56:44 2008 +0000 + + upgrade (copy from OpenSC) + +commit 883cf989203c5579aedddecfd9cf2b582a65cb05 +Author: Andreas Jellinghaus +Date: Wed Aug 27 09:27:34 2008 +0000 + + fix script for wiki export. 
+ +commit b09e9d1c86d5415c13209dd3795cf02f3a60691b +Author: Ludovic Rousseau +Date: Tue Aug 19 07:48:58 2008 +0000 + + Provide strndup for platforms without this function (Solaris) + +commit 6a72d499e32efafd79a02137d6d00362b7f12cd7 +Author: Ludovic Rousseau +Date: Tue Aug 12 06:38:36 2008 +0000 + + do_init(): typo: use ldapdefport instead of defport + + Patch from Huie-Ying Lee + http://www.opensc-project.org/pipermail/opensc-devel/2008-August/011239.html + +commit 18d5c805bd1b2500837f4b1d391611ae9d4b756b +Author: Ludovic Rousseau +Date: Tue Aug 12 06:32:52 2008 +0000 + + protect variables with "" before checking the variable length + + Patch from Huie-Ying Lee + http://www.opensc-project.org/pipermail/opensc-devel/2008-August/011239.html + +commit 4970a1fba971add72874c09f54061d58422fe602 +Author: Ludovic Rousseau +Date: Fri May 30 13:50:27 2008 +0000 + + avoir a double free error when a reader is disconnected and reconnected. + + Thanks to Frédéric Combeau for the patch + +commit 53b48080da7f605ccdaf7362e513e6413c455e17 +Author: Ludovic Rousseau +Date: Mon Mar 31 09:22:31 2008 +0000 + + use confdir instead of the hardcoded value /etc/pam_pkcs11 + +commit 9e3d1952e510cceb73412f26636852e63ce79be5 +Author: Ludovic Rousseau +Date: Mon Mar 31 09:16:55 2008 +0000 + + parse_config_file(): also log the error message + +commit 33dc24a35bc675c7493776480dd2fbf84dfca38b +Author: Ludovic Rousseau +Date: Tue Mar 25 14:48:35 2008 +0000 + + add support of CONFDIR instead of the hardcoded "/etc/pam_pkcs11/" + +commit 7ca97ae5870708c87f00394ff60a8da4c3d5f189 +Author: Ludovic Rousseau +Date: Tue Mar 25 14:48:00 2008 +0000 + + add --with-confdir=DIR to configure the directory containing + pam_pkcs11.conf, card_eventmgr.conf and pkcs11_eventmgr.conf (default + /etc/pam_pkcs11) + +commit 9a8f1bcee82800b1e71853ea1fa7b0db32cb5b4f +Author: Ludovic Rousseau +Date: Thu Mar 20 09:11:20 2008 +0000 + + use 0x%08lX instead of %x to format a PKCS#11 error code + +commit 
817a878905d739a3b8ffecab1d071863df2f71c6 +Author: Ludovic Rousseau +Date: Mon Feb 25 10:23:40 2008 +0000 + + doxygen.conf is used by generate-api.sh so api/index.html target must + depends on it + +commit c9a5127159f5f6df31881f6f5375fb263ce812af +Author: Ludovic Rousseau +Date: Mon Feb 25 10:16:11 2008 +0000 + + add po/remove-potcdate.sin + +commit ef6038dca4bc5eeed3697067082cc5939f9eeb1c +Author: Ludovic Rousseau +Date: Mon Feb 25 10:10:49 2008 +0000 + + add gettext M4 macros + +commit ca603dc4cc96accf3ea22449ecc9cb98a2ab927f +Author: Ludovic Rousseau +Date: Mon Feb 25 10:08:55 2008 +0000 + + use gettext 0.17 instead of 0.16.1 + +commit db2e965359014d5836d4f1ec957ba9bddb5d564a +Author: Ludovic Rousseau +Date: Mon Feb 25 10:03:09 2008 +0000 + + add po/remove-potcdate.sed + +commit 9c4e9d039c970d04b08a6858a0be3129fef6c424 +Author: Ludovic Rousseau +Date: Mon Feb 25 10:00:43 2008 +0000 + + add po/Makefile.in.in from gettext 0.17-2 + +commit 6ea5cd0e31cbbcc1c4f68cb9233651b7cf5a2e52 +Author: Ludovic Rousseau +Date: Mon Feb 25 09:59:36 2008 +0000 + + add config.rpath from gettext 0.17-2 + +commit f05f31013fc1d7f2b426d97e64991de8fa4478b9 +Author: Ludovic Rousseau +Date: Mon Feb 25 09:54:32 2008 +0000 + + add void as parameter for thats_all_folks() definition + card_eventmgr.c:64: warning: old-style function definition + +commit a2529e6e4cd00d01ecde7a2f97a0896f1277d466 +Author: Ludovic Rousseau +Date: Mon Feb 25 09:53:37 2008 +0000 + + add void as parameter for parse_config_file() and get_a_token() + pkcs11_eventmgr.c:193: warning: old-style function definition + pkcs11_eventmgr.c:354: warning: old-style function definition + +commit 80a404b54e5d91ed8561dff474c1ae5426214cd5 +Author: Ludovic Rousseau +Date: Mon Feb 25 09:51:08 2008 +0000 + + add void as parameter in parse_config_file() definition + card_eventmgr.c:157: warning: old-style function definition + +commit 20f84af6581b2a7309ec982bfdb9c018614ec22a +Author: Ludovic Rousseau +Date: Mon Feb 25 09:39:21 2008 +0000 + 
+ #define LDAP_DEPRECATED 1 so that deprecated functions are declared. + The code should be updated to avoid the deprecated functions. + See ticket #18 + +commit 992ea49e96535ed6ac227d5a6da612ccde324afc +Author: Ludovic Rousseau +Date: Mon Feb 25 09:17:13 2008 +0000 + + declare is_spaced_str() as static + pam_pkcs11.c:62: warning: no previous prototype for ‘is_spaced_str’ + +commit f37fb04d37a99973efaa191693e802fd7f2cfaf3 +Author: Ludovic Rousseau +Date: Mon Feb 25 09:13:00 2008 +0000 + + add void in the declaration of get_debug_level + debug.c:31: warning: old-style function definition + +commit c5eb2a47d7d6ded2c76175068f1a8e5b8f7a6f3e +Author: Ludovic Rousseau +Date: Thu Sep 13 09:00:31 2007 +0000 + + add German (de) l10n + + Thanks to Peter Winterer + +commit 0bd19f3469b0fe025f9a230d01dbb68afe0ddd24 +Author: Ludovic Rousseau +Date: Thu Sep 13 08:59:52 2007 +0000 + + update using "make update-po" + +commit 7803181c768fb9656f13fa338e464db6ffbf4aba +Author: Ludovic Rousseau +Date: Tue Sep 11 09:14:54 2007 +0000 + + add Russian l10n + + Thanks to Sergio + +commit 31a687dc136f134353e64d01bd4cb56c5de3597b +Author: Ludovic Rousseau +Date: Mon Aug 13 08:55:52 2007 +0000 + + arguments starts at argv[1] and not argv[0] + Avoids a warning message: "argument pkcs11_inspect is not supported + by this module" + +commit 81e32c5ce8069a3496393277ffbbb725e6fdc937 +Author: Ludovic Rousseau +Date: Thu Jun 14 21:28:40 2007 +0000 + + add Polish (.pl) translation + + Thanks to Jakub Bogusz + +commit f77275bff18086ba30d7903b9cda64a877b5196f +Author: Ludovic Rousseau +Date: Thu Jun 14 21:27:51 2007 +0000 + + remove a duplicate config.rpath in EXTRA_DIST + +commit a2780245292de5f6132f1117a8299eceb719b96a +Author: Ludovic Rousseau +Date: Mon Jun 11 12:19:59 2007 +0000 + + release 0.6.0 + +commit 4688e38b3c7404256091c608973438d32b4375cc +Author: Ludovic Rousseau +Date: Mon Jun 11 12:19:25 2007 +0000 + + update to version 0.6.0 + +commit d4843f20a684eb89fb4c87c06838fb9e603a2571 +Author: 
Ludovic Rousseau +Date: Wed Jun 6 11:22:25 2007 +0000 + + declare pname as unsigned to avoid: + pkcs11_setup.c:436: warning: comparison between signed and unsigned + pkcs11_setup.c:454: warning: comparison between signed and unsigned + +commit bd590d3d00da885f36a9f648a41ebecc0868fac2 +Author: Ludovic Rousseau +Date: Wed Jun 6 11:20:44 2007 +0000 + + declare local functions static + +commit 5caf97e7444a3683a300deebb7c3a38a10ed8637 +Author: Ludovic Rousseau +Date: Wed Jun 6 11:18:20 2007 +0000 + + pkcs11_setup.c:44: attention : duplicate ‘const’ + +commit e8688309c86474e75baa12c13de79d4081248ff0 +Author: Ludovic Rousseau +Date: Wed Jun 6 11:17:05 2007 +0000 + + execute_event(): change parameter type from char * to const char * + +commit 708df71c5da101386a9193de18961bed6cd4362b +Author: Ludovic Rousseau +Date: Wed Jun 6 11:15:57 2007 +0000 + + remove unused (and duplicate) global variable expire_count + +commit 0468c20d561ea44f2b3b8cbe98492d6b1a484efc +Author: Ludovic Rousseau +Date: Wed Jun 6 11:05:46 2007 +0000 + + declare local functions static + +commit 2156720a381e529b23501dbf7aafbd5c49b57bba +Author: Ludovic Rousseau +Date: Wed Jun 6 10:02:23 2007 +0000 + + pklogin_finder.c:37: attention : ‘user’ may be used uninitialized in this function + +commit a01af4d9a393b720c02ecfd3d7830be23eb5c5a7 +Author: Ludovic Rousseau +Date: Wed Jun 6 09:55:45 2007 +0000 + + opensc_mapper_match_certs(): #include to avoid: + opensc_mapper.c:103: warning: implicit declaration of function 'PEM_read_bio_X509' + opensc_mapper.c:103: warning: initialization makes pointer from integer without + a cast + +commit 4f9044be10f9eaf84913e2b0fc0095e8c26001fa +Author: Ludovic Rousseau +Date: Wed Jun 6 09:50:11 2007 +0000 + + warning: ISO C90 forbids mixed declarations and code + +commit f5332c4cd3a67d5935981652c63e46cf9fd91fad +Author: Ludovic Rousseau +Date: Wed Jun 6 09:43:53 2007 +0000 + + ldap_add_uri(): declare the function static + ldap_mapper.c:549: warning: no previous prototype for 
'ldap_add_uri' + +commit 4d76b3c777e65da386b8630c55b62aef6ee59ea6 +Author: Ludovic Rousseau +Date: Wed Jun 6 09:42:22 2007 +0000 + + do_open(): rename parameter ssl_on to ssl_on_local to avoid: + ldap_mapper.c:373: warning: declaration of 'ssl_on' shadows a global + declarationldap_mapper.c:108: warning: shadowed declaration is here + +commit d62087db4e6ba0b3a53adc679ca84e22cb4c2a39 +Author: Ludovic Rousseau +Date: Wed Jun 6 09:39:25 2007 +0000 + + use C instead of C++ comments + warning: C++ style comments are not allowed in ISO C90 + +commit 024ed3c7a62c399f89f96cdca45a9a086fbd75b7 +Author: Ludovic Rousseau +Date: Wed Jun 6 09:29:45 2007 +0000 + + BN_append(): only free(data) if data has been allocated + +commit 55c807d9f3276b529fae6379f784bd9865dd84cd +Author: Ludovic Rousseau +Date: Tue May 22 08:47:26 2007 +0000 + + add french l10n + +commit dcc267b8f3a8977f8244a2818803f4dca407afc6 +Author: Ludovic Rousseau +Date: Tue May 22 08:28:40 2007 +0000 + + sync two texts to use the same l10n string + +commit a33358b54f1f6fb60dda9983f74e364b3f460a0a +Author: Ludovic Rousseau +Date: Tue May 22 08:26:38 2007 +0000 + + set svn:ignore property + +commit cbba717e77001672cc0949d17a104932ddec5445 +Author: Ludovic Rousseau +Date: Tue May 22 08:25:21 2007 +0000 + + update + +commit c1ab2e8c426fe4db846d60cea924711b5d29917d +Author: Ludovic Rousseau +Date: Tue May 22 08:19:34 2007 +0000 + + distribute config.rpath + +commit 3424181b2161a35c7e597e6d0abd58af6528885d +Author: Ludovic Rousseau +Date: Tue May 22 08:09:14 2007 +0000 + + NSS patch part 3 of 3 from Robert Relyea: l10n support + +commit 1e45aca5f36e6593f04e8625ece03e6096db2427 +Author: Ludovic Rousseau +Date: Tue May 22 07:09:32 2007 +0000 + + generate a distribute ChangeLog.svn + +commit 934f8762669b87ae7d46f05d8d90f4321d250f0b +Author: Ludovic Rousseau +Date: Tue May 22 07:04:41 2007 +0000 + + update svn:ignore + +commit 7e0449035c51c47783896a4f1212d0d2d9e5c6b6 +Author: Ludovic Rousseau +Date: Tue May 22 06:59:56 2007 
+0000 + + set svn:ignore properties + +commit 2199d1762238918ddcb634d24d0eb87e11a99384 +Author: Ludovic Rousseau +Date: Tue May 22 06:48:56 2007 +0000 + + new file from pam_pkcs11 NSS patch part 2/3 + + I just forgot to commit it with revision 270 + +commit 0e9be16e47207456b625caf8816fc69b21bc0884 +Author: Ludovic Rousseau +Date: Mon May 21 08:22:00 2007 +0000 + + pam_prompt() is only available on recent PAM versions. + + check if security/pam_ext.h exists and provide our own pam_prompt() + function if not. + + Thanks to Robert Relyea for the patch + +commit f067b4f61cab2de2fb68340117140d38a7a218de +Author: Ludovic Rousseau +Date: Mon May 21 08:19:49 2007 +0000 + + typos in comments + +commit 7dd9466105f30c7b6fe9c4b7de936c04a2fcaf24 +Author: Ludovic Rousseau +Date: Mon May 21 08:13:00 2007 +0000 + + pam_pkcs11 NSS patch part 2/3 from Robert Relyea + http://www.opensc-project.org/pipermail/opensc-devel/2007-April/009751.html + + Here's patch installment 2 of 3. + + This patch adds some new semantics to allow pam_pkcs11 to play nice in + both command line and gui applications. The heart of this change adds + three new configuration options. + + card_only: + 1. If card only is set, pam_pkcs11 does not prompt for the user name + if the token is inserted, but gets the user name from the token. + 2. If a token is inserted, it must be used to log in with, failure to + unlock the token, or validate the certs will cause login to fail. + 3. If we logged in using a smart card, we must now authenticate using + that same smart card. + 4. card_only is required to activate the remaining 2 options. If + card_only is not set, the current pam_pkcs11 semantics apply (with the + exception of some prompt name changes and the environment variables + described below). + + wait_for_token: + wait_for_token is only meaningful if card_only is set. + if wait_for_token is set, then pam_pkcs11 will block waiting for an + appropriate token to be inserted. 
An appropriate token is: + 1) a token that is inserted in the slot specified for login in the config + file (if no slot is specified a token inserted in any slot). + 2) a token which matches the token used to log in initially. (only applies + if you are logged in and you used a token to do so). + + screen_savers: + is a list of screen saver services. This list is only parsed if card_only is + set. Basically the screen saver will bypass pam_pkcs11 if a token was not + used to login (The basic idea is you always unlock the screen saver with + the same mechanism you used to login). + + The other major change is the addition of new environment variables: + PKCS11_LOGIN_TOKEN_NAME - the name of the token used to log into the system. + PKCS11_LOGIN_CERT_ISSUER - the issuer of the cert used to log in + (rendered as a human readable string). + PKCS11_LOGIN_CERT_SERIAL - the serial number of the cert used to log in + (rendered as colon separated hex value). + + These environment variables are set at initial login. + + pam_pkcs11 uses PKCS_LOGIN_TOKEN_NAME to determine whether or not it + needs to use a specific token to log into. + + screen savers use this environment variable to determine + if it needs to kick in on token removal (this allows screen savers to be + picky about when to kick in -- they don't have to kick in if you insert or + remove a token that wasn't used to log into). + + pam_krb uses the PKCS11_LOGIN_CERT_ISSUER and PKCS11_LOGIN_CERT_SERIAL to + determine which specific certificate was used to login in (issuer/serial + number uniquely identifies a certificate). 
+ + Typical usage for the patch: + + For a normal (card_only) case, your pam line would look like: + + auth [success=ok authinfo_unavail=2 ignore=2 default=die] pam_pkcs11.so + + For the case where you want to require the smart card as part of the + authentication, your pam config line would look like: + + auth [success=ok ignore=2 default=die] pam_pkcs11.so wait_for_card + + If you share your pam_config file with all our services, you can restrict + which services require smart card login with a pam_succeed_if before your + pam_pkcs11 line: + + auth [success=3 default=ignore] pam_succeed_if.so service notin + login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid + + -------------------------------------------------- + + The patch itself, file by file: + + src/pam_pkcs11/pam_pkcs11.c - + + Most of the patch is in here. The implementation of the environment + variables and new options are in this patch. In addition to the these, + the patch has the following change: + + 1) a bug fix for passing the password on in the pam_stack (required to + pam_krb to successfully implement pkinit). + 2) use the pam_syslog() function instead of syslog(). + 3) use of pam_prompt to allow gui apps to display important information. + + src/pam_pkcs11/pam_config.[ch] - + + parse the new options in pam_pkcs11.conf. + + src/tools/pkcs11_setup.c - + src/tools/Makefile.am + + This is a new tool to allow command line editting of pam_pkcs11.conf and + pkcs11_eventmgr.conf. It only supports adding insertion/removal actions and + changing the default token. We don't actually use it any more, but it + may have utility to others. I think the command may need some work to be more + general. + It's purpose is to allow perl/python/your favorite scripting language access + to display and modify portions of the pam_pkcs11.conf file. (Feel free + to drop it if you like, I've included it for completeness). 
+ + src/tools/pkcs11_eventmgr.c - + + bug fix for a crash if module loading fails. + + src/common/cert_info.c + + Add the ability to fetch the certificate serial number when using the + open ssl library. + + src/common/pkcs11_lib.[ch] + + Add find_slot_by_number_and_label() which optionally adds the token name as + part of the slot selection criteria. Used by pam_pkcs11 in the case we are + authenticating after we have already logged in. + + Add wait_for_token() which waits until an approriate token is inserted. Used + to implement the wait_for_token option. + + src/common/strings.c + + Fix bug in bin2hex where it would trash the heap if asked to output a string + for a zero length buffer. + +commit ab63c91ff71a4c9cdb576fed0abc7dcf5ee37186 +Author: Ludovic Rousseau +Date: Tue May 15 07:18:24 2007 +0000 + + C_Initalize should be called after each fork + + The pkcs11_eventmgr first C_Initialize then becomes a daemon... The + PKCS#11 standard states that after fork the user must call C_Initialize + again, in order to allow proper library initialization at new process. + + Also, don't quit on major errors... try to reinitialize. + + Closes ticket #14. Thanks to Alon Bar-Lev for the patch + +commit d04a309b01ebf839d4717151ddc3c6d32600ba4b +Author: Ludovic Rousseau +Date: Wed May 9 08:48:00 2007 +0000 + + ldap-patches from Sandro Wefel + http://www.opensc-project.org/pipermail/opensc-devel/2007-April/009764.html + + which offers: + - support for more than one LDAP server as fallback system + - support of secure connection (SSL+TLS) because someone may use simple + authentication with username and password + - multiple certificates per attribute + - LDAP-URI support + - selection of base, one-level or subtree search + - timeout support and a somewhat enhanced documentation. 
+ +commit 659537846a75bfdecf6be2466a077364bad7b3b5 +Author: Ludovic Rousseau +Date: Wed May 9 08:15:07 2007 +0000 + + typo in debug message + +commit 9d67858a6c5ea083a978c0e10f1e87762d0ae4c6 +Author: Ludovic Rousseau +Date: Wed May 9 08:13:38 2007 +0000 + + typo: command line argument was checked against "pcs11_module=" instead + of "pkcs11_module=" + +commit 95ce60653d29b6e5adad3b1e2ca90934f2636c0a +Author: Ludovic Rousseau +Date: Wed May 9 08:11:47 2007 +0000 + + typo in a debug message + +commit c1e98700c31ebea6a69c05252e22df6f43cd75b3 +Author: Ludovic Rousseau +Date: Thu Apr 12 14:14:49 2007 +0000 + + #include de declare sprintf() and sscanf() + +commit 83375ac3459d30dcf9756eaaf5f635a71656fa86 +Author: Ludovic Rousseau +Date: Thu Apr 12 14:12:19 2007 +0000 + + use ERR() instead of DBG() to log errors so they are displayed (in red) + even if debug is not used + +commit f338dc63a65ace8981ed5ad14e5514af4f82ac99 +Author: Ludovic Rousseau +Date: Thu Apr 12 14:11:12 2007 +0000 + + log the error "Remote login (from %s) is not (yet) supported if DISPLAY + is not local" + +commit 11f016aa0a746b39c5ee6abc4f2991d5c802e983 +Author: Ludovic Rousseau +Date: Thu Apr 12 13:53:12 2007 +0000 + + use #ifdef instead of #if to avoid a + pkcs11_inspect.c:96:5: warning: "HAVE_NSS" is not defined + +commit 53696c8ebbd017f14de2fa0869fc12e89f28dded +Author: Ludovic Rousseau +Date: Thu Apr 12 13:45:17 2007 +0000 + + declare local functions as static + +commit 7839fee0fc9c13de8b752399c86d94dbd2dd5610 +Author: Ludovic Rousseau +Date: Thu Apr 12 13:41:32 2007 +0000 + + display_config() is defined but its use is commented so also comments its + definition + +commit 9d74ad25d550a9deeaab951e0df10dabbf6af810 +Author: Ludovic Rousseau +Date: Thu Apr 12 13:40:05 2007 +0000 + + declare display_config() and parse_config_file() as static + +commit 293b73ac2f84e2c823bfeb06c952d01b3136e1b6 +Author: Ludovic Rousseau +Date: Thu Apr 12 13:32:49 2007 +0000 + + get_mapped_entries(): remove a duplicate 
variable declaration + generic_mapper.c:75: warning: declaration of 'res' shadows a previous local + +commit b043c04f4b673f928b7c8342eba3e2f04d3b066e +Author: Ludovic Rousseau +Date: Thu Apr 12 13:31:04 2007 +0000 + + digest_mapper_module_init(): initialise a variable + digest_mapper.c:111: warning: 'hash_alg_string' may be used + uninitialized in this function + +commit 1b5ee12f9d1edcc2968c6ae67f0a334acb1a5bca +Author: Ludovic Rousseau +Date: Thu Apr 12 13:22:28 2007 +0000 + + crypto_init(): add a missing return value + +commit 784c970ba13fcf460744307d9c5415aaa835b4b3 +Author: Ludovic Rousseau +Date: Thu Apr 12 13:21:49 2007 +0000 + + remove 3 unused variables + +commit 3e564e713dffcedbff9a8ff5e995cefaf3841ba0 +Author: Ludovic Rousseau +Date: Thu Apr 12 13:20:44 2007 +0000 + + load_pkcs11_module(): rename variable C_GetFunctionList to + C_GetFunctionList_ptr to avoid a compiler warning + pkcs11_lib.c:640: warning: declaration of 'C_GetFunctionList' shadows a global declaration + rsaref/pkcs11f.h:59: warning: shadowed declaration is here + +commit ec7226fd157e7c53f3cd3d752f7cf43bfa05d7ef +Author: Ludovic Rousseau +Date: Thu Apr 12 13:15:07 2007 +0000 + + add a const to avoid compiler warnings + +commit d2beb7be3f82198d714918f5cef7a3f06b3e412b +Author: Ludovic Rousseau +Date: Thu Apr 12 13:09:52 2007 +0000 + + debug_print(): declare t as (const char *) to avoid a compiler warning + +commit 28b456ecc398131da85d8a7e3725a57d77d5f277 +Author: Ludovic Rousseau +Date: Thu Apr 12 13:08:50 2007 +0000 + + #include + debug.c:38: warning: implicit declaration of function 'isatty' + +commit fc90533aed7be1fe1661720e9f3c1d8dab8f0ec1 +Author: Ludovic Rousseau +Date: Thu Apr 12 12:55:33 2007 +0000 + + cert_info_upn(): remove two unused variables + +commit 702a647345c2fc6b07d051ceea29b24dbbfb186b +Author: Ludovic Rousseau +Date: Thu Apr 12 12:54:04 2007 +0000 + + setup_store(): declare the function static to avoid a compiler warning + cert_vfy.c:321: warning: no previous prototype 
for 'setup_store' + +commit 82c2bcf96011b894edd7ebfe3e433f1bbbd7421a +Author: Ludovic Rousseau +Date: Thu Apr 12 12:51:16 2007 +0000 + + set_error(): use const char * to avoid compiler warnings + +commit 59b04dd5b34fa69320e93947ce978e91b913a8a1 +Author: Ludovic Rousseau +Date: Thu Apr 12 10:09:12 2007 +0000 + + debug_print(): use const char * for file and format arguments to avoid + compiler warnings + +commit 00c0416cbf834ef0ba51955aeef84504494cee11 +Author: Ludovic Rousseau +Date: Thu Apr 12 10:07:57 2007 +0000 + + buf_eat_till(): change third argument to const char * instead of char * + to avoid sclex.c:128: warning: passing argument 3 of 'buf_eat_till' + discards qualifiers from pointer target type + +commit bee3b51174bb3291c10a7b1f338891ebe028a513 +Author: Ludovic Rousseau +Date: Thu Apr 12 07:13:53 2007 +0000 + + add missing new files for the NSS patch included in revision 238 + +commit 5085d1dcff514e59a03c72e017b13187f230dbb7 +Author: Ludovic Rousseau +Date: Wed Apr 11 13:58:19 2007 +0000 + + #include to avoid compiler warnings + +commit fbe49aed331f6c34aebb148797086c32fd94995b +Author: Ludovic Rousseau +Date: Wed Apr 11 13:51:20 2007 +0000 + + use AC_HELP_STRING() to format the help message + +commit fb43163bb851931f4a367a4e369bb6d8ed551df6 +Author: Ludovic Rousseau +Date: Wed Apr 11 07:22:08 2007 +0000 + + pkcs11_eventmgr.c:502: attention : passing argument 2 of + ‘load_pkcs11_module’ from incompatible pointer type + + use &ph instead of ph + +commit 657395da143ce8c532c66a53741bad2c77732366 +Author: Ludovic Rousseau +Date: Wed Apr 11 07:16:04 2007 +0000 + + pam_pkcs11.c:393: warning: label 'auth_failed' defined but not used + +commit c4af4deec50a024bca17285807c3d7789ff66d1c +Author: Ludovic Rousseau +Date: Wed Apr 11 07:13:56 2007 +0000 + + digest_mapper.c:114: warning: assignment discards qualifiers from + pointer target type + +commit 3b77e81207c6102bd5997c1137afc4e087312d96 +Author: Ludovic Rousseau +Date: Wed Apr 11 07:04:53 2007 +0000 + + NSS patch 
from Robert Relyea + http://www.opensc-project.org/pipermail/opensc-devel/2007-April/009724.html + + ------------------------------------------------------------------------ + Introduction to the pam_pkcs11-nss.patch + + This patch adds compile time support for the NSS crypto libraries. It + optionally replaces the raw PKCS #11 operations and open SSL certificate + processing with functionsprovided by the NSS crypto libraries. This change is + controlled by a configure option, '--with-nss' or '--without-nss'. + --without-nss is the default. This package requires nss 3.10 as a minimum. + + When --with-nss is selected, pam_pkcs11 can support the following: + + 1) multiple simultaeous pkcs #11 modules used for authentication. NSS already + handles multiple smart card handlers running at the same time. This means you + can configure your box to log in with both CAC and pkcs #12 tokens by loading + both sets of modules. This support must be configured in pam_pkcs11, otherwise + NSS will only use the user selected pkcs11 module, same as the current direct + to pkcs #11 support. + + 2) Optional OCSP support. This support is built into NSS already. If you + compile --with-nss, you can simply turn it on. + + 3) with --with-nss, pkcs11_eventmgr automatically uses C_WaitForSlotEvent for + those tokens that support it, and pull for those that don't. (NSS has this + support built in). + + 4) with --with-nss, any cert key type NSS supports will work correctly (RSA, + DSA, ECDSA, etc). + + 5) nss automatically supports part of the certificate chain stored on the smart + card. This allows you to store a single root certificate in the database and + keep the intermediates on the token itself. + + 6) src/common/rsaref is not need to build any of pam_pkcs11 (if --with-nss is + used). + + Other differences when --with-nss and --without-nss: + + 1) The crl policy is ignored. NSS handles crls automatically already. It + uses standard external tools to keep crls up-to-date. 
+ + 2) The tools will only display user certs, that is certificates for which the + token claims to hold the private key for. + + The patch itself + + The changes in this patch can be categorized in the following broad categories: + + 1) build changes. + 2) interface changes to make the crypto operations more generic. + 3) implement the NSS versions of the base crypto functions. + + Changes by file + + ./configure.in: + 1. switch between the nss module and the openssl depending on the state of + --with-nss. (openssl is the default). + 2. added environment variables CRYPO_CFLAGS and CRYPTO_LIBS + 3. added the AM conditional HAVE_NSS + + ./src/common -- This is where most of the NSS specific code lives. Basically + the following interface changes were made: + + ./src/common/pkcs11_lib.c ./src/common/pkcs11_lib.h + cert_object_t and pkcs11_handle_t were made opaque handles. Applications no + longer have direct access to their member functions members are accessed + through accessor functions. These new accessor functions are: + + find_slot_by_number: Takes a pkcs11_handle_t, an input slot number, and + returns a generic slot number and success for failure. The input slot number + is the same 'ones' based index into the SlotList. The generic slot number is + library specific (NSS now returns the slotID, the non-NSS code returns the + 'zero' based index into the SlotList). If the input slot number is zero, the + first present smart card is returned. + + get_slot_label: takes a pkcs11_handle_t and returns the label for the + currently opened slot. + + get_X509_certificate: takes a cert_object_t and returns the X509 Cert. NOTE: + the X509 certificate itself has been made into a generic handle which could + be either an openssl X509 or an NSS CERTCertificate. see cert_st.h for more + info. + + crypto_init: This function is called to set up the crypto system. It takes + a pointer to the cert policy to help setup. While not exactly an accessor + function, it is new. 
+ + In addition to these accessors, the following existing functions have changed: + + load_pkcs11_module: now allocates a pkcs11_handle_t and returns it. Since + pkcs11_handle_t's are opaque, applications no longer know how big they are, + and therefore can't allocate them from the stack. + + get_certificate_list (was get_certificate): returns an array of pointers to + cert_object_t's. unlike the short-lived get_certificate_list in the branch, + this function actually operates as an accessor function. The returned + certificate list is still 'owned' by the pkcs11_handle_t. Subsequent calls to + get_certificate_list will return the same array as the previous calls. The + array is freed automatically when the pkcs11_handle_t is closed (just as it + is in the original base code). This change was necessary because + pkcs11_handle_t is no longer accessible (it no longer holds the same data in + the different implementations). + + get_private_key: takes a handle to a cert_object_t. It looks up the private + key for that object and returns failure if it can't find it. This change is + because the patch gets rid of the chosen cert field. Applications chose the + cert and pass the cert directly into this and the sign function. + + sign_value: takes a cert_object_t. If the cert_object_t does not have a + private key, then sign_value will fail. If get_private_key was not called on + cert_object_t at some time in the past, sign_value will automatically call + it. This change was also motivated by the removal of the chosen_cert field. + + Another way of implementing the get_private_key/sign_value is to create an + new chosen cert accessor function and reverting the implementation for these + two functions. The new APIs, however, allow for multiple certs to sign in a + single pkcs11_handle_t context. + + ./src/common/cert_st.h ./src/common/cert_info.h ./src/common/cert_vfy.h + The only interface changes here are: + 1) adding nss_dir and ocsp_policy to cert_policy_st. 
+ 2) changing the definition of X509 depending on whether which cert library + we are using (X509 for openSSL, CERTCertificate or NSS). The use of a + #define here limitted the extent of the patch in other modules. + 3) generic defines for algorithm types. + 4) addition of 3 new CERT_Info types. (Issuer, serial number, key algorithm). + + cert_st.h is a new function, which other files can include in place of + + + ./src/common/cert_info.c ./src/common/cert_vfy.c + These basically accepted the new NSS implementations for the certificate + verify and info functions. These patches are relatively straight forward. + The original API did not need any tweaking. + + ./src/common/algorithm.c ./src/common/alg_st.h + These new files provide generic API's to do access the hash algorithm to + pass to cert_info. If access to actual hashing or crypto were + needed, the new functions could be added here. Like cert_st.h, alg_st.h + replaces the use of + + ./src/common/NSPRerrs.h ./src/common/SECerrs.h ./src/common/secutil.h + ./src/common/SSLerrs.h + These new files provide the NSS error message mappings. + + Changes in ./src/common make up about 65% of the patch. + + + ./src/mappers/*.c + The mapper functions were changes to use the generic form of hashing defined + in alg_st.h. (mostly replacing with cert_st.h and NULL + in cert_info with ALGORITHM_NULL). + + exceptions: opensc_mapper.c and oopenssh_mapper.c are not implemented for + NSS because of the use of BIO directly. + + These changes make up less than 10 % of the patch. + + ./src/pam_pkcs11/pam_config.c + Added support to fetch nss_dir and ocsp_policy. + + ./src/pam_pkcs11/pam_pkcs11.c + Change to use the new API. These changes include: + 1) calling the new crypto_init function instead of the various openSSL + init functions. + 2) pam_pkcs11 now holds a pointer to the pkcs11_handle_t rather than a static + version. A large number of diffs are simply changing &ph to ph. 
+ 3) Use the accessor functions to get the slotnum and the cert list. + 4) chosen_cert is now a local variable rather than a field in pkcs11_handle_t + 5) move pkcs11_login back before the get_certificate_list. Some tokens need + be to authenticated before we can read the certificates. More importantly, + the NSS cert code is only returning user certificates (certificates with the + private keys). Only a small number of tokens know now to identify user + certificates if you aren't logged in. Since this change is a reversion of + a previous change in this version of pam_pkcs11, we may need to do more + to reconcile it. Perhaps putting explicit #ifdef HAVE_NSS around the early + login, adding a later login with #ifndef HAVE_NSS. + 6) the get_private_key call was moved into sign_value, so it's removed + from pam_pkcs11 itself. It would be easy to revert this change and continue + to call get_private_key directly. + + + ./src/tools/pkcs11_eventmgr.c + pkcs11_eventmgr is basically 2 implementations of the pkcs11_eventmgr + stitched together with ifdefs. A reasonable todo would be to build the + proper generic interfaces to have a 'clean' pkcs11_eventmgr and hide the + details in src/common/pkcs11_lib.c like we do with all the rest. The existing + code doesn't even use the generic init calls that already exist. 
+ + ./src/tools/*.c [the rest] + The same type of generic changes made to pam_pkcs11.c + +commit b71688df42b044634556faedec6a3bdb13d232b0 +Author: Ludovic Rousseau +Date: Wed Apr 4 13:50:05 2007 +0000 + + svn propset svn:keywords Id + +commit c426014f85ad9be6d40ea8000be2dcdb85cf1a57 +Author: Ludovic Rousseau +Date: Wed Apr 4 13:49:14 2007 +0000 + + use $Id:$ instead of $Id$ + +commit b2edf872f9943837c1f972d2c7559d7f295601ec +Author: Ludovic Rousseau +Date: Wed Apr 4 13:45:13 2007 +0000 + + use ERR() (instead of DBG()) in case of errors + +commit 12f9a2c39478e3cee558e95ff0d4cd8520b04d40 +Author: Ludovic Rousseau +Date: Wed Apr 4 13:44:44 2007 +0000 + + add support for ERR?() macros + +commit 2048fe4745525de878e14ce0c893ecf5812b2b8a +Author: Ludovic Rousseau +Date: Wed Apr 4 09:52:54 2007 +0000 + + Set svn:keywords Id property to replace $Id$ + +commit dd28746e5522a93021b0171263013bc2dafbf7ac +Author: Ludovic Rousseau +Date: Wed Apr 4 09:47:38 2007 +0000 + + display the lib name in case of loading error + +commit a2e07b453e5ef046d8cbd166f12c2a7bb849f474 +Author: Ludovic Rousseau +Date: Wed Apr 4 09:43:44 2007 +0000 + + use $(FOO) instead of @FOO@ + +commit f8504ef7510b406a4f43a8c6419d6ae1d295f5df +Author: Andreas Jellinghaus +Date: Thu Mar 16 21:38:05 2006 +0000 + + simply the revision, drop the m4 code. + it didn't turn out the way I wanted it + (does not contain the _repository_/_branch_ revision). + +commit e7bb9409b8c25979bdc4840bc2469e7ea99d73f4 +Author: Andreas Jellinghaus +Date: Sun Jan 22 21:16:22 2006 +0000 + + change to opensc-project till opensc.org dns is back. + +commit 08f5f6b444e8ecdca71f138a1fcad3420776d434 +Author: Andreas Jellinghaus +Date: Sun Jan 22 21:09:37 2006 +0000 + + move to opensc-project till opensc.org dns is back. 
+ +commit 9954fac2e76677b834fc6c19ee80805f07b31286 +Author: Ludovic Rousseau +Date: Tue Jan 3 08:20:40 2006 +0000 + + substitute Revision keyword + +commit 8b4dd4b85e67f7bb979c54e3bcf3fdbfa9ee0f22 +Author: Juan Antonio Martinez +Date: Mon Jan 2 17:19:16 2006 +0000 + + use svn revision based version numbers + +commit 64c1af0f1d32c5d1c7dfd7e88b4c28879b2e6a28 +Author: Juan Antonio Martinez +Date: Fri Dec 23 12:27:09 2005 +0000 + + Add either file or hashdir support for CACerts and local CRL's + +commit 72d89f0fee93ced44e2e84692aaa4e89711379b0 +Author: Juan Antonio Martinez +Date: Fri Dec 23 10:04:54 2005 +0000 + + Add comodity functions for pathname checks + +commit e5abc45c1511c4d9939c0309839d22b3fe4d84df +Author: Juan Antonio Martinez +Date: Thu Dec 15 15:10:34 2005 +0000 + + Make pkcs11_listcerts more verbose + +commit 59eca33a0cfb4552cecd081ec2c20aa92be9b5c1 +Author: Juan Antonio Martinez +Date: Thu Dec 15 13:34:52 2005 +0000 + + Improved extraction of Certificates and Private Keys + +commit f9b6d68af5d788687ad45ac6452a05b2fffcb2c0 +Author: Juan Antonio Martinez +Date: Thu Dec 15 10:24:05 2005 +0000 + + move key_object_t, slot_t and pkcs11_handle_t to pkcs11_lib.h as they are not part of standard RSA headers + +commit 6800828cac0673014c7c21846e8aec7b7eb837a5 +Author: Juan Antonio Martinez +Date: Mon Dec 12 16:13:02 2005 +0000 + + Runtime config option for non-null C_Initialize() argument + +commit 6b83a3e671cfd6c1f37a0857d332f6f5078439e7 +Author: Ludovic Rousseau +Date: Mon Dec 12 14:55:25 2005 +0000 + + do not redefine LIBS and CFLAGS in configure.in but use PTHREAD_LIBS and + PTHREAD_CFLAGS in Makefile.am when needed instead + +commit ab84aa319cc42409229325dd6edd77f44e4860cc +Author: Ludovic Rousseau +Date: Mon Dec 12 14:49:09 2005 +0000 + + do not use AC_DEFINE(HAVE_PTHREAD, 1, ...) 
since it is already done by + ACX_PTHREAD() if its first argument is not defined + +commit 12307185f73de51e1d7ed32576402d3fd4c1515e +Author: Juan Antonio Martinez +Date: Mon Dec 12 13:44:17 2005 +0000 + + Add native thread support for C_Initialize + +commit 637c2abef33ee819e0d4deae7d176286fb046620 +Author: Juan Antonio Martinez +Date: Sat Dec 10 16:08:21 2005 +0000 + + Bugfixes + make pkcs11_listcerts behaviour closer to pam module to ease debug + +commit 103e9df9310ade275790b56c968f6a548aa542b6 +Author: Juan Antonio Martinez +Date: Sat Dec 10 13:03:27 2005 +0000 + + pam module only calls C_Login when really needed + +commit e40df308439f42f950a75128c91d85b9c157c1dc +Author: Juan Antonio Martinez +Date: Sat Dec 10 13:01:41 2005 +0000 + + Stupid bug in dbg output at pkcs11_listcerts + +commit d1ad2e04d3ffb969e83e3a504287ae34093abd17 +Author: Juan Antonio Martinez +Date: Fri Dec 9 13:23:07 2005 +0000 + + pkcs11_inspect now uses get_certificate_list() + +commit 75ee29484e03f355651db939ddb0085fe37262c6 +Author: Juan Antonio Martinez +Date: Fri Dec 9 13:06:33 2005 +0000 + + pklogin_finder now uses get_certificate_list() + +commit 70049e8389f0ea5a98269fbc3dd967669fedc333 +Author: Juan Antonio Martinez +Date: Fri Dec 9 12:34:26 2005 +0000 + + Add pkcs11_listcerts tool to enumerate card certificates + +commit 9bfc2b765dc4b5275f3787fc033ecceee22a0e8b +Author: Juan Antonio Martinez +Date: Fri Dec 9 12:32:49 2005 +0000 + + Add get_certificate_list() to common/pkcs11_lib.c + +commit 8ad3722bfa8e3fa36045dcf1acd94a2473205f00 +Author: Juan Antonio Martinez +Date: Fri Dec 9 12:31:09 2005 +0000 + + Move add_cert() from mappers/opensc_mapper.c to common/cert_info.c + +commit e496762b6f040b851a2a0142e6926579a6095cd2 +Author: Juan Antonio Martinez +Date: Mon Dec 5 14:17:35 2005 +0000 + + Documentation updates + +commit 098ff6138d7cb985f2efc62126e87675dabcda52 +Author: Juan Antonio Martinez +Date: Mon Dec 5 13:56:47 2005 +0000 + + Perform/skip CA check acording to configuration file + 
+commit e79e44ae023b7a7f59112a8c0e745e3f4e8364c4 +Author: Juan Antonio Martinez +Date: Mon Dec 5 12:51:53 2005 +0000 + + Perform/Skip signature check according configuration file + +commit 6638576892b59a99389043c90a1e7dd4d783b921 +Author: Juan Antonio Martinez +Date: Mon Dec 5 11:59:30 2005 +0000 + + Prepare for configurable ca,crl,and signature verification + +commit c9ad90f8b781694a11df59dbb836cef9e0d019c4 +Author: Juan Antonio Martinez +Date: Mon Dec 5 10:33:21 2005 +0000 + + Get tools using pkcs11_pass_login() + +commit 00112585039f8f9b8aa0c100405ac0ced89d59a3 +Author: Juan Antonio Martinez +Date: Mon Dec 5 10:14:44 2005 +0000 + + Add pkcs11_pass_login() method to pkcs11_lib + +commit 1b2ec1cff3705f2253a51b94f18285d112d10b56 +Author: Juan Antonio Martinez +Date: Thu Dec 1 12:34:06 2005 +0000 + + Comment libp11 stuff in configure.in + +commit 170e4d71074e70369dbc5c629ca7110ff8be37c3 +Author: Juan Antonio Martinez +Date: Thu Dec 1 12:30:34 2005 +0000 + + Rename pkcs11.c to pkcs11_lib.c and add hheader file + +commit 0c25c10416a1e665279fdc9c3fb4c028927e1b0b +Author: Juan Antonio Martinez +Date: Wed Nov 30 10:46:23 2005 +0000 + + Minor change to rsaref/pkcs11_readme + +commit c415f2fe31ba4c200023939af1185de82e3c89f3 +Author: Juan Antonio Martinez +Date: Wed Nov 30 10:41:41 2005 +0000 + + Move rsaref files to an independent directory + +commit d8768f41058c5cd78dd4efa5eca5209b9de7b571 +Author: Juan Antonio Martinez +Date: Wed Nov 30 09:55:11 2005 +0000 + + Add libp11 support to configure.in + +commit af0120e5c5a5c3f51a524e6ac6096d3a101b4381 +Author: Ludovic Rousseau +Date: Mon Nov 14 15:51:17 2005 +0000 + + debug_print(): use syslog(3) instead of printf() when stdout is not a + tty, for example when using gdm. 
+ +commit 2320ac96df427bb99379db1945fc3f179ea7be9a +Author: Ludovic Rousseau +Date: Mon Oct 3 13:00:16 2005 +0000 + + rephrase the a "Secure your PAM configuration" paragraph + +commit f667a212b038369004e9adb4db7b10b2fecd4340 +Author: Ludovic Rousseau +Date: Thu Sep 29 13:43:58 2005 +0000 + + create an empty aclocal directory + +commit aec4e90100b26891fec15dc834ab259893cbd7c4 +Author: Ludovic Rousseau +Date: Thu Sep 29 13:35:51 2005 +0000 + + use AC_HELP_STRING + +commit 924f72562f2a9c6b191db48f0c93a629ad804d18 +Author: Ludovic Rousseau +Date: Thu Sep 29 13:15:55 2005 +0000 + + files in aclocal/ are not used + +commit df695e161404f2620b5a20e6b1804b6be8037aab +Author: Ludovic Rousseau +Date: Thu Sep 29 13:13:09 2005 +0000 + + check for OPENSSL before PCSC since the first PKG_CHECK_MODULES() shall + not be in an if or some variables will not be initialized + +commit 9881a25dd2b3ad0591afb1c4c9647cbd89ff24ec +Author: Ludovic Rousseau +Date: Thu Sep 29 11:56:27 2005 +0000 + + improve detection code for PCSC + +commit 870eb8bf6275d71a68479768b5e8b3bc90d2b487 +Author: Ludovic Rousseau +Date: Thu Sep 29 08:15:19 2005 +0000 + + The generic_mapper.so is not a external lib anymore (by default) but is + internal. Update the configuration sample file to reflect that. + + Closes ticket #9 "Generic mapper is statically linked by default - + config not in sync". Thanks to Ville Skyttä for the bug and patch. + +commit 717e668e0c925db675588c199d05e47bb8bdc8d9 +Author: Ludovic Rousseau +Date: Thu Sep 29 08:08:56 2005 +0000 + + comment out example configuration lines so the files can be directly + installed by distribution packages. + + Closes ticket #10. 
Thanks to Ville Skyttä for the bug report and patch + +commit 103b21ae474d81f2ed50a6fc829b6de75a1da5a6 +Author: Ludovic Rousseau +Date: Thu Sep 29 08:05:25 2005 +0000 + + removed since they are generated from the .xml version and are available + from http://www.opensc.org/doc/pam_pkcs11/pam_pkcs11.html and + http://www.opensc.org/doc/pam_pkcs11/mappers_api.html + +commit 9a1fe83bf17edd54d1d9cf69eadf49f5b65e6522 +Author: Ludovic Rousseau +Date: Thu Sep 29 07:58:29 2005 +0000 + + remove a ' ' before ']' + +commit ce07f7ca0a2e7887c76fef5ef152cfcfdbce9286 +Author: Ludovic Rousseau +Date: Tue Sep 27 12:41:23 2005 +0000 + + play with colors + +commit e2caedca58ba4b02df51f53effd68016c6fc9f5b +Author: Ludovic Rousseau +Date: Tue Sep 27 12:40:51 2005 +0000 + + regenerate + +commit 89e3e05fd70c817b85f057c6e5a0ae64d13ed13c +Author: Ludovic Rousseau +Date: Tue Sep 27 12:40:33 2005 +0000 + + corrections + +commit d23d1b35519642e7fbaf25bff3860bf0f57e5389 +Author: Ludovic Rousseau +Date: Mon Sep 26 06:48:22 2005 +0000 + + Use LPSTR instead of LPTSTR to compile with pcsc-lite 1.2.0 + + Thanks to Ville Skytta for the bug report + +commit a661f530be02d12e381404c2bdfa18be2cea75d3 +Author: Ludovic Rousseau +Date: Wed Sep 14 09:51:41 2005 +0000 + + use -nv instead of --non-verbose since wget 1.10 now uses --no-verbose + instead. Grr! 
+ +commit c18c8574a08311cce942a305a31f1f4310c08c09 +Author: Ludovic Rousseau +Date: Tue Sep 13 12:49:06 2005 +0000 + + Do not just use PKG_CHECK_MODULES() to test the presence of pcsc-lite + but also check for winscard.h and libpcsclite + + Some distributions do not provide libpcsclite.pc (like SuSE 9.3) + +commit fa5b394b0523fd9254ddc2a8dea7a984699bceac +Author: Juan Antonio Martinez +Date: Sat Sep 10 07:59:49 2005 +0000 + + Many fixes to get 'gcc -Wall -pedantic' friendly + +commit 57bfc5a119ae7dc75d63c72b0c0811a28c262c6f +Author: Juan Antonio Martinez +Date: Thu Sep 8 18:23:53 2005 +0000 + + Patches from AJ to sync to all others OpenSC projects + +commit bd9e12c89f2af0169adf50e697e60473031eb82b +Author: Juan Antonio Martinez +Date: Thu Sep 8 15:41:18 2005 +0000 + + Changelog NEWS and README's updates + +commit beb72ab61a169e929b92dd9dfdf432c1a4e2fa2c +Author: Juan Antonio Martinez +Date: Wed Sep 7 19:54:10 2005 +0000 + + Add Ville Skytta to AUTHORS (original pam_pkcs11.spec file) + +commit 13b4aee6cff9afdf7db8c724e1c9690a3785f065 +Author: Juan Antonio Martinez +Date: Wed Sep 7 18:59:33 2005 +0000 + + More changes to 'pam_pkcs11.spec' from FC4 team + +commit 5ce450c32e11501dff5b3ee47da2aac97f0419aa +Author: Juan Antonio Martinez +Date: Wed Sep 7 17:35:24 2005 +0000 + + Fix license to be LGPL in pam_pkcs11.spec file + +commit f245dc04e46038fdd281856b6d94b74a651de7b0 +Author: Juan Antonio Martinez +Date: Wed Sep 7 16:58:52 2005 +0000 + + pam_pkcs11.spec: create independent 'pam_pkcs11-ldap' package + +commit abc6ec9b93d2d567f6f283212cad3c9931fd8dab +Author: Juan Antonio Martinez +Date: Wed Sep 7 12:52:57 2005 +0000 + + Changed 'LDAP_SCOPE_SUB' to 'LDAP_SCOPE_SUBTREE' in ldap_mapper.c + +commit a337ea4920f5da879e08303865cdcee3bab99680 +Author: Ludovic Rousseau +Date: Wed Sep 7 12:22:19 2005 +0000 + + regenerate + +commit 12c1f27257eeac1f235cd058bcb2e6c1602676e4 +Author: Ludovic Rousseau +Date: Wed Sep 7 12:22:07 2005 +0000 + + regenerate + +commit 
ffac13ee9d153150e99efd317d1ee13813c46a81 +Author: Juan Antonio Martinez +Date: Wed Sep 7 11:17:52 2005 +0000 + + More 'TODO' updates + +commit 337e6e427a5e1e84f6e06d934091a526158cf044 +Author: Juan Antonio Martinez +Date: Wed Sep 7 10:48:06 2005 +0000 + + Changelog updates + +commit 44f457d1b554d56379cc22e147b57ea7dcdff22f +Author: Juan Antonio Martinez +Date: Wed Sep 7 10:40:48 2005 +0000 + + 'TODO' roadmap updated + +commit 0728158f1e038eea65ceb735923d17b0c760c794 +Author: Juan Antonio Martinez +Date: Wed Sep 7 10:21:14 2005 +0000 + + ldap_mapper.c: add finder() and entries() methods. Update AUTHORS file + +commit 3374f26ef68e5b551aa6655ff7195c7dafa52cf2 +Author: Juan Antonio Martinez +Date: Wed Sep 7 10:02:50 2005 +0000 + + opensc_mapper.c: Fixes in comments and debug output + +commit 13e403c802afa7bb415cd698fc9e6723877c5a4a +Author: Juan Antonio Martinez +Date: Wed Sep 7 09:13:07 2005 +0000 + + configure.in: Add '-lldap' and '-lcurl' to LIBS when needed + +commit 858643bda6f6f9b29bc4029206fa6b71e7c00409 +Author: Juan Antonio Martinez +Date: Wed Sep 7 08:44:12 2005 +0000 + + rename 'docs' to 'doc' + +commit 0f39d761c01a7dfd5f3ec0463d65d8f319a19d61 +Author: Juan Antonio Martinez +Date: Wed Sep 7 08:09:55 2005 +0000 + + Change files to use directory 'doc' instead of 'docs' + +commit 1cb4dc73888e30a867752e3ffc7910972e179b5a +Author: Juan Antonio Martinez +Date: Wed Sep 7 07:50:08 2005 +0000 + + missing #endif in ldap_mapper.c + +commit 8044846b88bcbedf6de2dc0f90a8770b13f263c4 +Author: Juan Antonio Martinez +Date: Wed Sep 7 07:11:59 2005 +0000 + + Set cURL,LDAP,DocBook as configure options in configure.in + +commit 2133fb4ed87d1020622c85ed98a75f381af5f881 +Author: Juan Antonio Martinez +Date: Wed Sep 7 07:08:32 2005 +0000 + + Update ldap mapper configuration data in pam_pkcs11.conf.example + +commit 066dba842bd0ff5f933a0a0b4f3e54c1578d430e +Author: Juan Antonio Martinez +Date: Wed Sep 7 07:06:17 2005 +0000 + + Add src/common/uri.c conditional compilation of cURL and 
LDAP support + +commit c65add405976f9428e22cbac928f48fac3fe094b +Author: Juan Antonio Martinez +Date: Wed Sep 7 07:03:04 2005 +0000 + + Preliminary version of LDAP mapper + +commit 98e8b56e98bdc9d54cbcc339ef9f07609c565592 +Author: Juan Antonio Martinez +Date: Wed Sep 7 06:56:24 2005 +0000 + + Compile LDAP mapper only if ldap support is included + +commit 030ff822b9e1df40b62c3ddad83ff9092b9622cf +Author: Juan Antonio Martinez +Date: Wed Sep 7 06:53:52 2005 +0000 + + Fix /home/jantonio/.ssh/authorized_keys filename generation + +commit a4ebc79d5430d66130556977730effd8fe9d132d +Author: Juan Antonio Martinez +Date: Wed Sep 7 06:52:10 2005 +0000 + + Add header files to libscconf_la_SOURCES in src/scconf/Makefile.am + +commit d9860224a6f198c0c1f7ba95c371a732d6cee64b +Author: Juan Antonio Martinez +Date: Tue Sep 6 09:41:40 2005 +0000 + + Add README.ldap_mapper documentation file + +commit 95a5dad8f182d85f3133c005cbcff00e99eed51e +Author: Juan Antonio Martinez +Date: Tue Sep 6 07:37:55 2005 +0000 + + OpenSSH mapper: move auth_keys filename composition out of key parsing routines + +commit 41d208792809fb69c1af12217021d77104818cfd +Author: Juan Antonio Martinez +Date: Tue Sep 6 07:10:22 2005 +0000 + + Add email if found to ssh-pubk output of openssh_mapper::inspect() + +commit d426b9b9c259561bd23dc9686d8b995cf8e897b9 +Author: Juan Antonio Martinez +Date: Mon Sep 5 17:26:21 2005 +0000 + + cert_info.c::cert_info_sshpuk() fixed. 
OpenSSH mapper written + +commit dd0247be4b0ac5571858ac689b4b008d105193e9 +Author: Juan Antonio Martinez +Date: Mon Sep 5 09:00:41 2005 +0000 + + Remove redundant base64_to_bin() at cert_vfy.c + +commit 13fc275e7e8d7266d713ae31d432d771fab2fbed +Author: Ludovic Rousseau +Date: Mon Sep 5 06:46:34 2005 +0000 + + make export-wiki.sh and generate-api.sh executable + +commit a75b3d645ee37c295602d063bb8bd20b3901c6dc +Author: Juan Antonio Martinez +Date: Sat Sep 3 11:18:16 2005 +0000 + + Add base64 API encoding functions to properly handle rsa-ssh keys + +commit 5fd43505d092abd44a090e9ef9edb90a19ccd20c +Author: Juan Antonio Martinez +Date: Sat Sep 3 10:24:53 2005 +0000 + + mapper.h cert_vfy.[ch] doxygen updates. Mapper api doc updates + +commit e85a3d5e00689ab6d516038259aece0e0894609a +Author: Juan Antonio Martinez +Date: Sat Sep 3 09:27:11 2005 +0000 + + Make cert_info.[ch] and uri.[ch] doxygen aware + +commit 25a2c7fef37482667c75f39b903a954d3873f94b +Author: Juan Antonio Martinez +Date: Sat Sep 3 08:48:27 2005 +0000 + + Make error.[ch] and debug.[ch] doxygen aware + +commit 92749f6681ab5c7cbd912f0408544976520a0d22 +Author: Juan Antonio Martinez +Date: Fri Sep 2 19:47:49 2005 +0000 + + Make src/common/string.h doxygen friendly + +commit 85051c62eb204d73a4880e9d40f6e10ec0366004 +Author: Juan Antonio Martinez +Date: Fri Sep 2 12:19:01 2005 +0000 + + added doxygen API documentation at 'make dist' + +commit bdd1792fcdd5d569678fd5c7ee1c5bc534d01624 +Author: Juan Antonio Martinez +Date: Fri Sep 2 10:11:47 2005 +0000 + + Do 'make maintainer-clean' work according OpenSC Team convention + +commit 0ff3a6c7342fcd4758f8767bef960f9189cbd9ff +Author: Juan Antonio Martinez +Date: Thu Sep 1 20:02:09 2005 +0000 + + Revert install path of pam_pkcs11.so as broke some 'make distcheck' + +commit 48ce4a5a8d32917c94ee4ae91c9ba4069f43a1dd +Author: Juan Antonio Martinez +Date: Thu Sep 1 13:20:51 2005 +0000 + + ChangeLog updated + +commit 6d733103867e3142005f2fd2dc3d52a28544216e +Author: Juan 
Antonio Martinez +Date: Thu Sep 1 13:04:10 2005 +0000 + + OpenSC mapper implementation based on AJ's pam_opensc source code + +commit 9312274c3d9daa4920159af8342430548100a50e +Author: Juan Antonio Martinez +Date: Thu Sep 1 11:17:41 2005 +0000 + + Do not install pam_pkcs11.la and pam_pkcs11.a + +commit a7f44ef43f960a4b9f9fbaf841cc580cdb1afc36 +Author: Juan Antonio Martinez +Date: Thu Sep 1 11:13:38 2005 +0000 + + pam_pkcs11.so to be installed under /lib/security instead of /usr/lib/security + +commit 1c4e8fcc9d56fcdb7bcc3f735710d3ea8184e5e4 +Author: Juan Antonio Martinez +Date: Thu Sep 1 10:22:28 2005 +0000 + + pam_pkcs11.spec updates: create pam_pkcs11 and pam_pkcs11-pcsc RPM packages + +commit 7cf2db381bfd277cc7bfdb3f26bea4ce0d6c86ee +Author: Juan Antonio Martinez +Date: Wed Aug 31 18:44:36 2005 +0000 + + Updated pam_pkcs11.xml to reflect changes in mapper API and doc + +commit d14ce7d2dbe1cdfbe2126ba162d8fe607728a022 +Author: Juan Antonio Martinez +Date: Wed Aug 31 18:23:22 2005 +0000 + + Set to be statically linked those mappers that no depends on external libraries + +commit 8881fbf013e66b686755b0c8e716cca6987bdc13 +Author: Juan Antonio Martinez +Date: Wed Aug 31 18:05:16 2005 +0000 + + Mapper API documentation writting finished + +commit c17351a7f736f3f8d5e329c7ed8e9f9fb5caa90f +Author: Juan Antonio Martinez +Date: Wed Aug 31 16:12:55 2005 +0000 + + Fixed sample code in Mapper API doc + +commit 9e167c0d2b9e27e991b591a1b2c588976e1ac5d0 +Author: Juan Antonio Martinez +Date: Wed Aug 31 16:05:31 2005 +0000 + + More work in Mapper API documentation... 
+ +commit 1ae9989fd02e6d0258ab981bd498ce107ec1db9a +Author: Juan Antonio Martinez +Date: Wed Aug 31 14:50:41 2005 +0000 + + Assume static mapper with default settings when no mapper configuration block is provided + +commit 9489443fab849b648877db29e7322ed88b7a6abe +Author: Juan Antonio Martinez +Date: Wed Aug 31 14:33:19 2005 +0000 + + Proper handling of debug_level on enter/exit mapper(s) code + +commit fa96e9d5432b9a59432a4661fb370fe105b05b89 +Author: Ludovic Rousseau +Date: Wed Aug 31 14:18:44 2005 +0000 + + add a HOWTO chapter + +commit f4f14888f76f3a54d2a99a9494ba283e276407a9 +Author: Ludovic Rousseau +Date: Wed Aug 31 14:04:45 2005 +0000 + + remove paths from the executed commands + +commit b818fc085dd2eea0afa6ec0cb0e9b8e35376b6d7 +Author: Ludovic Rousseau +Date: Wed Aug 31 12:53:35 2005 +0000 + + pam_sm_authenticate(): check if DISPLAY is defined before checking if it + is a local or remote login + +commit ce740492e6b59d1906819514323d99dcdd5623b5 +Author: Juan Antonio Martinez +Date: Wed Aug 31 12:31:16 2005 +0000 + + Mapper API documentation update + +commit ffbbcc1bb70d0c8c0c64965997d358db4a04abab +Author: Ludovic Rousseau +Date: Wed Aug 31 12:14:40 2005 +0000 + + inspect_certificate(): print "Printing data for mapper %s" on stdout + instead of debug output. + +commit 5fe3ecc67e912cf2e5bb9d62f590745195119e4b +Author: Ludovic Rousseau +Date: Wed Aug 31 12:09:22 2005 +0000 + + add definition of DBG5 if no debug is used + +commit 70960ad47752deec4a9a5a8c684fdc38a9781ee6 +Author: Juan Antonio Martinez +Date: Wed Aug 31 11:33:26 2005 +0000 + + Set default values in mappers. 
Config file fixes + +commit a88ad948008a6cae29db1f6a36b248f360480050 +Author: Ludovic Rousseau +Date: Wed Aug 31 11:27:48 2005 +0000 + + @LIBMAPPERS@ already includes @LIBSCCONF@ @LIBCOMMON@ and @OPENSSL_LIBS@ + +commit 0df126ca1bce6c8b095cc94604647afe0790af64 +Author: Ludovic Rousseau +Date: Wed Aug 31 09:59:53 2005 +0000 + + @LIBMAPPERS@ alredy include @LIBSCCONF@ @LIBCOMMON@ so we can remove + them here + +commit 4108afe52eee08615ac006b95cf46590f221e8f4 +Author: Ludovic Rousseau +Date: Wed Aug 31 09:59:17 2005 +0000 + + libmappers.la uses functions from scconf/ and common/ so we link with + these libraries + +commit 507455555cc89ac6ff3dc120b94e945037d99cfb +Author: Ludovic Rousseau +Date: Wed Aug 31 09:57:39 2005 +0000 + + libcommon_la_LIBADD = @OPENSSL_LIBS@ + + We use OpenSSL so we link with it + +commit 9f155d5985f8617b1f514384dfe3ee42b3769496 +Author: Ludovic Rousseau +Date: Wed Aug 31 09:54:52 2005 +0000 + + load_module(): initialise res variable to NULL to avoid a compiler warning + +commit e4ea513d74baef0e48610163a4816cfb3dc450da +Author: Ludovic Rousseau +Date: Wed Aug 31 07:59:36 2005 +0000 + + default OpenSC module is now /usr/lib/opensc-pkcs11.so + +commit 7511285cbb3c96ac8632a6c99a1ac4fb71ac997d +Author: Ludovic Rousseau +Date: Wed Aug 31 07:37:10 2005 +0000 + + improve comments + +commit 03398541bac2b2bde85addea6651d5af57898666 +Author: Juan Antonio Martinez +Date: Tue Aug 30 18:40:28 2005 +0000 + + Mapper API manual update + +commit 6ccc2aad50b606e8bcf74942325bfa963fff6266 +Author: Juan Antonio Martinez +Date: Tue Aug 30 17:20:11 2005 +0000 + + Simplify and optimize mapper interface + +commit 9bdf7add3ae2a8ee1474c5da38fec406af1e0d5c +Author: Ludovic Rousseau +Date: Tue Aug 30 14:58:57 2005 +0000 + + update + +commit d5165313017ffbf7692dda97aec33fea8d573054 +Author: Juan Antonio Martinez +Date: Tue Aug 30 13:15:54 2005 +0000 + + add mappers_api.html to svn tarball + +commit ef789abef756aedf807f86f8dcf8a0d111535e5c +Author: Juan Antonio Martinez 
+Date: Tue Aug 30 12:49:51 2005 +0000 + + stupid bug in docs/Makefile.am + +commit 8a2cd6d85121b468cf7cab13a498067b9b32a09a +Author: Juan Antonio Martinez +Date: Tue Aug 30 12:46:27 2005 +0000 + + Add Mappers API documentation (wip) + +commit 9e222b8cf6e7903337c008386c7317ed3c2266e5 +Author: Juan Antonio Martinez +Date: Tue Aug 30 09:28:34 2005 +0000 + + Fixes for some '-Wall -pedantic' warnings + +commit 92feeae30c4b759bf0fc7fa26eac0e3130f6baf2 +Author: Juan Antonio Martinez +Date: Mon Aug 29 19:30:55 2005 +0000 + + Bugfixes on compiling some static mappers + +commit 2432b3fafd03ec7a5ba1e3a190104c7a1734a808 +Author: Juan Antonio Martinez +Date: Mon Aug 29 18:13:23 2005 +0000 + + Mappers now supports static linking + +commit 7b2e0bae2bcdd38cd2ddc60a8357e4f6fea0001e +Author: Juan Antonio Martinez +Date: Mon Aug 29 17:26:37 2005 +0000 + + Adding mappers header files + +commit 7244cc9e41e6c1643d0be574a39b7225e3175641 +Author: Juan Antonio Martinez +Date: Mon Aug 29 16:51:12 2005 +0000 + + Move mapper.[ch] to libmapper + +commit 32cc86d5e04f1e170ee791aa1da8cbaf99bae7dc +Author: Ludovic Rousseau +Date: Mon Aug 29 14:08:38 2005 +0000 + + change official site URL to http://www.opensc.org/pam_pkcs11/ + +commit b7a0e5d90ff6f4be376980149090cb22ded43e0c +Author: Ludovic Rousseau +Date: Mon Aug 29 14:05:02 2005 +0000 + + remove empty lines in parts + +commit c9a05b8eac9e10becea2711b6e707d3f7a112d80 +Author: Ludovic Rousseau +Date: Mon Aug 29 14:02:23 2005 +0000 + + chapter 3. Fundamentals: include the reference in the text instead as a + footnote + +commit 35c45d522a57f1ec0b9e25747cb76149452d7521 +Author: Ludovic Rousseau +Date: Mon Aug 29 13:59:47 2005 +0000 + + add section numbering + +commit d0a6c82bf25d1e5e8105643955971bb2c9c06033 +Author: Ludovic Rousseau +Date: Mon Aug 29 13:51:56 2005 +0000 + + chapter 2. 
Introduction: include the references in the text instead as + footnote + +commit b4633eeb267d4ccd87fea53eb6ebb6c138e2e169 +Author: Ludovic Rousseau +Date: Mon Aug 29 13:16:31 2005 +0000 + + use instead of < > for emails + +commit 0ca73ec6724c77a5596bc80b1abfef680e8a1601 +Author: Juan Antonio Martinez +Date: Mon Aug 29 13:15:26 2005 +0000 + + Preliminary work on statically linked mappers + +commit 0e287bc5ef633ab4e089f89e28590246e2b2bdbe +Author: Ludovic Rousseau +Date: Mon Aug 29 13:02:30 2005 +0000 + + minor editing + +commit 214b92fb4369666a5fcaf205f2c9730d3370ef68 +Author: Ludovic Rousseau +Date: Mon Aug 29 12:49:29 2005 +0000 + + minor editing + +commit 3fe7df692e6f8492f3ce568d078f15c7225e262f +Author: Ludovic Rousseau +Date: Mon Aug 29 12:42:48 2005 +0000 + + minor editing + +commit 6d2d1ac2520602b9867b04e6a9683c968d9e8c9d +Author: Ludovic Rousseau +Date: Mon Aug 29 12:31:12 2005 +0000 + + remove the NOTE about running the lib as root using a suid bit. + You should not do that. + +commit da41417143766a0e909eab44e1699f61797dbe87 +Author: Ludovic Rousseau +Date: Mon Aug 29 12:28:40 2005 +0000 + + improve style + +commit efa86a2aaf392ab64280a7179b917af95ad7b377 +Author: Ludovic Rousseau +Date: Mon Aug 29 11:27:07 2005 +0000 + + OpenSC PKCS#11 lib is now /usr/lib/opensc-pkcs11.so instead of + /usr/lib/pkcs11/opensc-pkcs11.so + +commit 3eba554f7e66ffabd9d54353350b7c36e202693f +Author: Ludovic Rousseau +Date: Tue Jul 5 12:17:46 2005 +0000 + + remove 'MAINTAINERCLEANFILES = pam_pkcs11.html' as pam_pkcs11.html is + stored in subversion and should not be removed + +commit 6e962e9780e559b5839c6b19178b63fee56e9945 +Author: Ludovic Rousseau +Date: Tue Jul 5 11:59:32 2005 +0000 + + use @OPENSSL_CFLAGS@ and @OPENSSL_LIBS@ + +commit e72bbf2c0126489d8c113cb66d8de5904bbd969a +Author: Ludovic Rousseau +Date: Tue Jul 5 11:58:42 2005 +0000 + + use @OPENSSL_CFLAGS@ and @OPENSSL_LIBS@ + +commit 39faebf84718350c6f1d3cddb93ce7c742f263fb +Author: Ludovic Rousseau +Date: Tue Jul 5 
11:58:21 2005 +0000 + + use PKG_CHECK_MODULES to find OpenSSL + +commit 9f05513ecc484cccb198a15fe771d48a16a6d6b5 +Author: Ludovic Rousseau +Date: Tue Jul 5 10:10:33 2005 +0000 + + remove test on HAVE_PCSC_OLD, old pcsc-lite is not more supported + +commit 215729e34694843f199a96df8b5fa915aa444b6d +Author: Ludovic Rousseau +Date: Tue Jul 5 10:09:58 2005 +0000 + + do not compile card_eventmgr if pcsc-lite is not installed + +commit 22c7712e2c0037a290021f95713c821b28028298 +Author: Ludovic Rousseau +Date: Tue Jul 5 10:09:01 2005 +0000 + + greatly simplify the detection of pcsc-lite + + define HAVE_PCSC to allow conditional compilation (do not compile tools + using pcsc-lite if pcsc-lite is not installed) + +commit 4094bb366168ebac2bbb69a9c9b99e7857fbb786 +Author: Ludovic Rousseau +Date: Tue Jul 5 09:37:22 2005 +0000 + + pam_sm_authenticate(): fail if the user is remote (XMDCP) + +commit aa5884b26dbb9e06a2cf43a0a4363fa97b581ec3 +Author: Juan Antonio Martinez +Date: Mon Jun 13 10:28:31 2005 +0000 + + Support for nonstandard openssl paths (openssl.m4 missing) + +commit fb2e02e982762ef059446b809e7c9cb1b0740819 +Author: Juan Antonio Martinez +Date: Mon Jun 13 10:27:54 2005 +0000 + + Support for nonstandard openssl paths + +commit 8649e6bacaa56ed41cdb9886468f5c863d1276ad +Author: Juan Antonio Martinez +Date: Thu Jun 9 20:07:22 2005 +0000 + + Preliminary work on OpenSC mapper + +commit d1f26ec5f75803aedc2e5d279f51301c7fdc70ea +Author: Juan Antonio Martinez +Date: Thu Jun 9 10:52:43 2005 +0000 + + Updated User Manual + +commit ad67938afb5281d1707423221453ee2ef28527e4 +Author: Juan Antonio Martinez +Date: Thu Jun 9 10:47:37 2005 +0000 + + Updated ChangeLog + +commit 8bde44089362af53e0c77abe42a5e123e239dd05 +Author: Juan Antonio Martinez +Date: Thu Jun 9 10:44:59 2005 +0000 + + Implemented cert(PEM),pubk(PEM),pubk(SSH) data entries + +commit ea1a66a2e8eed435d6927f12f2dce40f4ea750a6 +Author: Juan Antonio Martinez +Date: Thu Jun 9 10:40:47 2005 +0000 + + Finished openssh-mapper.c 
coding + +commit 395a02b50c78aff1b835b69ed436a86ebf36ef5b +Author: Juan Antonio Martinez +Date: Thu Jun 9 07:43:30 2005 +0000 + + pkcs11_inspect: print correct certificate number + +commit 6753eb0557b18d3492c3f4ff831cf7824290aca4 +Author: Juan Antonio Martinez +Date: Wed Jun 8 11:13:46 2005 +0000 + + more work on extracting certificate's public key + +commit 4f38d16944997cb24b712b7596899707a2605478 +Author: Juan Antonio Martinez +Date: Tue Jun 7 12:23:26 2005 +0000 + + Add openssh_mapper.c to svn :-) + +commit 3b14b432b94e633230ae65bb6ff3d369f477521e +Author: Juan Antonio Martinez +Date: Tue Jun 7 12:15:07 2005 +0000 + + OpenSSH mapper documentation typos + +commit 7835f2202965e15bcc5410582b1fbf745f03b073 +Author: Juan Antonio Martinez +Date: Tue Jun 7 12:10:20 2005 +0000 + + OpenSSH mapper documentation + +commit f1fd3d39481569eaa641abec6feccbd0e9167a3b +Author: Juan Antonio Martinez +Date: Tue Jun 7 11:39:09 2005 +0000 + + Adding OpenSSH mapper (work-in-progress) + +commit 30f70eed5edd73ece7928dbd567bed74de077877 +Author: Juan Antonio Martinez +Date: Tue Jun 7 09:07:56 2005 +0000 + + Added new methods for string mgmt + +commit 0d47edc5eda86970e94a01df06c3fa4004066414 +Author: Martin Paljak +Date: Mon Jun 6 14:14:39 2005 +0000 + + Correct name + +commit 0908c49d44e8d2f8c02b4e5873106c4219408c53 +Author: Ludovic Rousseau +Date: Mon Jun 6 14:10:06 2005 +0000 + + english grammar correction + +commit ce796f4309b18525ce1b386f4eb5592f581564d4 +Author: Ludovic Rousseau +Date: Mon Jun 6 14:09:57 2005 +0000 + + english grammar corrections + +commit 40abafec35cc70f8b9f0ddf7ca31669fa7913641 +Author: Ludovic Rousseau +Date: Mon Jun 6 13:19:47 2005 +0000 + + do not call tidy since it modifies the generated html in a bad way + +commit 766fa99f0a8a7595ba4933014b6909f2e0b91bba +Author: Ludovic Rousseau +Date: Mon Jun 6 13:14:51 2005 +0000 + + correct some punctuation (end of phrase dot, extra space in parenthesis) + +commit 45e6a2df5a7d09e62b6326fe5c99b78d49c3405a +Author: Ludovic 
Rousseau +Date: Mon Jun 6 12:59:12 2005 +0000 + + remove tags and reformat data + +commit b67ce9d1c0b44fb3d4e47da862feb7e6409a5fdb +Author: Ludovic Rousseau +Date: Mon Jun 6 12:18:48 2005 +0000 + + use firstname & surname instead of the invalid name tag + +commit 50b0770f147f5af81a1ee877e88ac44efcb8e84e +Author: Ludovic Rousseau +Date: Mon Jun 6 08:25:29 2005 +0000 + + re-add this generated file since it is displayed by the website + +commit d71704dc4a7655e43e0901948163eb96ac2510ff +Author: Ludovic Rousseau +Date: Mon Jun 6 08:19:35 2005 +0000 + + Declare the DTD using so that rxp (XML validator) can + find it + +commit b3ef7b67c902a33f881720ccef2b85e3a65be9a5 +Author: Ludovic Rousseau +Date: Mon Jun 6 08:11:05 2005 +0000 + + file generated from pam_pkcs11.xml so should not be in subversion + +commit 8264c0288234bca32afb09704d45b0e93c8b8439 +Author: Ludovic Rousseau +Date: Mon Jun 6 08:09:39 2005 +0000 + + remove shade.verbatim declaration since it is useless(?) and generates + warnings: + The shade.verbatim parameter is deprecated. 
Use CSS instead, + +commit 3ff5dcbae5cfeafe82a4b13e53f421c1b83a496d +Author: Ludovic Rousseau +Date: Mon Jun 6 08:05:08 2005 +0000 + + do not use a hard coded path for docbook.xsl + +commit d22413d60037922acdb7d185d350121f66815565 +Author: Ludovic Rousseau +Date: Mon Jun 6 08:04:43 2005 +0000 + + use --path to specify different locations to find docbook.xsl + +commit cf4178750ab092817ee4b24c37e8fcbc1cc6c21d +Author: Ludovic Rousseau +Date: Mon Jun 6 07:56:41 2005 +0000 + + remove the definition of MAINTAINERCLEANFILES since the indicated files + are already removed by the implicit 'make maintainer-clean' + +commit ce057da0187d6bec6af30803f022d7f61bad78b9 +Author: Ludovic Rousseau +Date: Mon Jun 6 07:54:55 2005 +0000 + + do not use 'MAINTAINERCLEANFILES = Makefile.in' since is it implicit + 'make maintainer-clean' can be used to remove Makefile.in files + +commit 18e0e479c5864b5b35dc2dd696e6e05d7dc9de01 +Author: Ludovic Rousseau +Date: Mon Jun 6 07:48:13 2005 +0000 + + get_mapent(): skip comment lines + +commit 650169add0b8764409e659c79aee33b1b3333bbe +Author: Ludovic Rousseau +Date: Mon Jun 6 07:32:54 2005 +0000 + + get_mapent(): allocate len+1 instead of len bytes to store a + NULL-terminated string + +commit 16b08e798112d81dcd2b59bf55ab486564e16088 +Author: Ludovic Rousseau +Date: Mon Jun 6 07:27:28 2005 +0000 + + add a \n for a printf() + +commit b03b046afa939475ac9243440dbc3123f5670f79 +Author: Ludovic Rousseau +Date: Mon Jun 6 07:26:27 2005 +0000 + + add pam_pkcs11.html to MAINTAINERCLEANFILES (make maintainer-clean) + +commit 736564007898e38018531a47a5e7a2de67cb8d90 +Author: Ludovic Rousseau +Date: Mon Jun 6 07:24:42 2005 +0000 + + the html files also depends on $(STYLESHEET) + +commit 4cc89290ac6e6102f299272a0e4d2b4803aa5d42 +Author: Ludovic Rousseau +Date: Mon Jun 6 07:18:55 2005 +0000 + + use * instead of "*" to match the files + +commit cb49a45f1f90fece3d8c922a10c52362ccb46061 +Author: Ludovic Rousseau +Date: Tue May 24 13:29:57 2005 +0000 + + only set 
first_loop = FALSE; after looping on all readers + +commit 9593b23f4a005a19bb3077af8f95a1282be3d85d +Author: Ludovic Rousseau +Date: Tue May 24 13:24:41 2005 +0000 + + cleanly exit in case of error (remove pidfile) + +commit e7a64ad0130094e65a76fcd4c18227f625d0e8dd +Author: Ludovic Rousseau +Date: Tue May 24 13:22:01 2005 +0000 + + cleanly exit in case of error (remove pidfile) + +commit 8546e5addbdf64567445fd95cdc9e74ccd7b4a00 +Author: Ludovic Rousseau +Date: Tue May 24 13:18:19 2005 +0000 + + exit if no reader is found at startup + +commit 61429f54204f7d4e060e2a15ea5a58b9d58ba9f6 +Author: Ludovic Rousseau +Date: Tue May 24 09:49:03 2005 +0000 + + remove card state parsing debug + +commit e026099a8e404b659f49c83c87a6fd7560d90dd5 +Author: Ludovic Rousseau +Date: Tue May 24 09:43:18 2005 +0000 + + remove \n in debug strings + +commit 9edde5ff05ac3b8e8a23b93f9855a4d395bb7b38 +Author: Ludovic Rousseau +Date: Tue May 24 09:41:42 2005 +0000 + + trap signals even if pidfile=<> argument is not used so we always have a + clean exit + +commit 48a9b4a2005f293fd5ca9430a26a59b104be22ce +Author: Ludovic Rousseau +Date: Tue May 24 09:35:28 2005 +0000 + + remove the timestamp information + +commit fc6cfad1959d0076afb4d91aba1cd51574438531 +Author: Ludovic Rousseau +Date: Tue May 24 09:28:40 2005 +0000 + + main(): remove a useless call to fflush(stdout); that was directly + imported from pcsc_scan + +commit 380a9b578a79d5e1b14d5febb2b7a59c2b913e09 +Author: Ludovic Rousseau +Date: Mon May 23 12:41:57 2005 +0000 + + document kill and pidfile= arguments + +commit 2b53dffef77bac2fbc1339b68b562d941f91e54d +Author: Ludovic Rousseau +Date: Mon May 23 09:10:49 2005 +0000 + + add support for kill and pidfile= + +commit 389f87e55581563851683be54eae153baa4f6ce3 +Author: Juan Antonio Martinez +Date: Thu May 19 09:31:35 2005 +0000 + + Add Ludovic to author's list + +commit cf63bb1543d9055431a7f1000626ce7af2cea577 +Author: Juan Antonio Martinez +Date: Thu May 19 09:27:26 2005 +0000 + + Generic 
mapper documentation + +commit 7221762803862997dec22a9b71831287c18681db +Author: Ludovic Rousseau +Date: Wed May 18 13:51:13 2005 +0000 + + add two missing \n with fprintf(stderr,..) + +commit 4e9ed9e9d449b3ea4a7d7859a2f8933f7ca92b83 +Author: Ludovic Rousseau +Date: Wed May 18 08:51:16 2005 +0000 + + convert spaces in tab + +commit bb958681d46f1beae6aa68af502e157d8c048ba7 +Author: Ludovic Rousseau +Date: Wed May 18 08:16:26 2005 +0000 + + add two missing \n with fprintf(stderr,..) + +commit d8c862c79eb5e2693ea098d23b6ae636068a8a5e +Author: Ludovic Rousseau +Date: Wed May 18 07:02:56 2005 +0000 + + generic_mapper_find_user()/generic_mapper_match_user(): remove two + unused variables + +commit 95472f9ef98317e011cacfc457ff8b43722fcbaa +Author: Ludovic Rousseau +Date: Wed May 18 06:54:53 2005 +0000 + + do not use `ls *` to get the list of files but "*" to correctly manage + files with spaces in their name + +commit 66a7a2ce428bf973bf9008327d8640bd5e785899 +Author: Ludovic Rousseau +Date: Wed May 18 06:48:30 2005 +0000 + + do not save/restore the current directory since we do not need to + +commit c4de0eb6426c43264aa88078e28824414ace662b +Author: Ludovic Rousseau +Date: Wed May 18 06:46:28 2005 +0000 + + remove space characters at end of lines + +commit 1d8069eb72ea901f41771b2ede872b3b8377e4f9 +Author: Ludovic Rousseau +Date: Wed May 18 06:44:35 2005 +0000 + + display the filename of files we can't do anything with. Maybe it is + because the format is wrong or they can't be read or whatever. + +commit 545a0250c810f8a2db8b4a6e0bbf7af4ea85f849 +Author: Ludovic Rousseau +Date: Wed May 18 06:40:42 2005 +0000 + + revert my previous patch. 
We need to redirect stderr since the + certificate may not be in pem format and openssl will shout + +commit fbb45351658f0d925ab1e762a111798d47df3d76 +Author: Ludovic Rousseau +Date: Wed May 18 06:31:25 2005 +0000 + + do not redirect stderr to /dev/null in the hash generation to get errors + like "Permission denied" if the certificate can't be read + +commit bdf6d23b9d01e9a6f2f2496e0b8b5b8cd52a67a4 +Author: Ludovic Rousseau +Date: Wed May 18 06:29:47 2005 +0000 + + in the test of the presence of openssl we escape the result string to + have only one strings even with space characters + +commit 9c5a4f597769ca82150c4fb82ff92e279176c8fc +Author: Juan Antonio Martinez +Date: Tue May 17 19:18:32 2005 +0000 + + typos in generic_mapper.c + +commit 8fb67f7b3e24197d35760c9e310466e79897fc46 +Author: Ludovic Rousseau +Date: Tue May 17 15:14:27 2005 +0000 + + check that openssl is installed + +commit 90dda8b87f756f7b6cda64dd6f9b28a9f1b73110 +Author: Ludovic Rousseau +Date: Tue May 17 14:19:09 2005 +0000 + + add _DEFAULT_MAPPER_FIND_USER to avoid an undefined symbol: + mapper_find_user + +commit 67c8b98056680202dafde5b9c083bfd050dd88a2 +Author: Ludovic Rousseau +Date: Tue May 17 13:33:45 2005 +0000 + + add @LIBCOMMON@ to ldap_mapper_la_LIBADD and opensc_mapper_la_LIBADD to + avoid missing symbols at link time + +commit 9c9af4d8f629622a79bd78f619052e3b8de32765 +Author: Ludovic Rousseau +Date: Thu May 12 08:19:03 2005 +0000 + + reformat + +commit afa60c7625b7de96c5a22687f3ecb6b6f57ae374 +Author: Ludovic Rousseau +Date: Thu May 12 07:52:12 2005 +0000 + + rephrase and reformat + +commit ac2e94646e2f60b6964c35c054a777cfa9b1f486 +Author: Ludovic Rousseau +Date: Thu May 12 07:47:29 2005 +0000 + + reformat + +commit 9c860737d42b8a14e7864adab9d1e73a0175e1a1 +Author: Ludovic Rousseau +Date: Thu May 12 07:39:41 2005 +0000 + + rephrase and reformat + +commit 87bbd531cf34a4fa77f8c10482ef663c8b446ec4 +Author: Ludovic Rousseau +Date: Thu May 12 06:27:46 2005 +0000 + + reformat + +commit 
7a7db2ee0a50c247b13ec48828167ebdbd46fdc6 +Author: Ludovic Rousseau +Date: Thu May 12 06:21:15 2005 +0000 + + rephrase and reformat + +commit 9a69f99253834303309503a7d549e22651ade7eb +Author: Ludovic Rousseau +Date: Wed May 11 17:57:55 2005 +0000 + + rephrase and reformat + +commit 94a86e3663085fba70862134adae59b25ae586aa +Author: Juan Antonio Martinez +Date: Fri May 6 07:54:20 2005 +0000 + + Makefile fix for x64 arch + +commit 6cecad47a42a1f27fb932d5d595ceea9b690b92d +Author: Juan Antonio Martinez +Date: Thu Apr 14 16:21:22 2005 +0000 + + generic_mapper coding finished + +commit 7001592858ea471a3f360807f8c9bf22bbec3471 +Author: Juan Antonio Martinez +Date: Wed Apr 13 11:06:18 2005 +0000 + + preliminary works on generic mapper + +commit 21cd7094abb97fae6efabf22e4dee15ddb604313 +Author: Andreas Jellinghaus +Date: Tue Apr 12 21:09:07 2005 +0000 + + add bootstrap script for developers and the snapshot mechanism. + +commit a4d1f27c5ca0ec26dbf9199a2371774c17ab1ab2 +Author: Andreas Jellinghaus +Date: Tue Apr 12 20:46:52 2005 +0000 + + set the version to "WIP" (work in progress) for the snapshot script. + +commit b85b032f2906e9a949284beb99dc0045a4b63744 +Author: Andreas Jellinghaus +Date: Tue Apr 12 19:41:29 2005 +0000 + + remove a few Makefile.in on make maintainer-clean + +commit d9803c13a26203b8d7680ed279f99ba5a82636d4 +Merge: 0f8590b 5ed63ba +Author: Andreas Jellinghaus +Date: Tue Apr 12 19:40:26 2005 +0000 + + copy release 0.5.2 to trunk. + +commit 5ed63ba934aec5e82416f8eb29d556250505a673 +Author: Andreas Jellinghaus +Date: Tue Apr 12 19:37:31 2005 +0000 + + import current version 0.5.2 + +commit 0f8590b5ebc082ff1e79454b984b75dd121d8267 +Author: Andreas Jellinghaus +Date: Tue Apr 12 19:33:29 2005 +0000 + + add minimal structure. diff --git a/pam_pkcs11-0.6.12.tar.gz b/pam_pkcs11-0.6.12.tar.gz new file mode 100644 index 0000000..0930210 --- /dev/null +++ b/pam_pkcs11-0.6.12.tar.gz 
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c29cfd021fd3793263f1784b039f166f0e751996bada656a0f9470005eb0c093
+size 272762
diff --git a/pam_pkcs11-common-auth-smartcard.pam b/pam_pkcs11-common-auth-smartcard.pam
new file mode 100644
index 0000000..76b914a
--- /dev/null
+++ b/pam_pkcs11-common-auth-smartcard.pam
@@ -0,0 +1,3 @@
+auth required pam_env.so
+auth required pam_pkcs11.so
+auth required pam_unix2.so use_first_pass
diff --git a/pam_pkcs11-fsf-address.patch b/pam_pkcs11-fsf-address.patch
new file mode 100644
index 0000000..614508e
--- /dev/null
+++ b/pam_pkcs11-fsf-address.patch
@@ -0,0 +1,13 @@
+Index: pam_pkcs11-pam_pkcs11-0.6.9/COPYING
+===================================================================
+--- pam_pkcs11-pam_pkcs11-0.6.9.orig/COPYING
++++ pam_pkcs11-pam_pkcs11-0.6.9/COPYING
+@@ -2,7 +2,7 @@
+ Version 2.1, February 1999
+
+ Copyright (C) 1991, 1999 Free Software Foundation, Inc.
+- 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
++ 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
diff --git a/pam_pkcs11.changes b/pam_pkcs11.changes
new file mode 100644
index 0000000..9908ba0
--- /dev/null
+++ b/pam_pkcs11.changes
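Review bot: In the new `pam_pkcs11-common-auth-smartcard.pam`, all three modules are `required`, and the last line, `auth required pam_unix2.so use_first_pass`, makes pam_unix2 reuse whatever token an earlier module stored instead of prompting, so a login passes only if that token also satisfies pam_unix2. The file does not say whether card plus account password is the intent, or which token pam_unix2 is expected to receive. A header comment would record this, for example `# Smartcard login: pam_pkcs11 must succeed; pam_unix2 then checks the token it left (use_first_pass), no second prompt`, with the wording adjusted to the intended behaviour. Because the entry is `required`, it is also worth confirming that pam_unix2.so is installed wherever this file is deployed (the package's requirements are not visible in this hunk), since a required module that cannot be loaded makes every login through this stack fail.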
@@ -0,0 +1,183 @@
+-------------------------------------------------------------------
+Mon Jan 16 09:31:59 UTC 2023 - Stefan Schubert
+
+- Migration of PAM settings to /usr/lib/pam.d.
+
+-------------------------------------------------------------------
+Fri Jul 29 08:49:15 UTC 2022 - pgajdos@suse.com
+
+- use pam rpm macros [bsc#1190957]
+
+-------------------------------------------------------------------
+Sat Jan 15 10:26:28 UTC 2022 - Andreas Stieger
+
+- update to 0.6.12:
+ * Limit signature length to 65536 bytes
+ * A number of bug fixes and OpenSSL compatibility updates
+ * console output color updates
+ * Add support of ECDSA signature in addition to RSA
+
+-------------------------------------------------------------------
+Thu Oct 14 10:34:54 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+ * pkcs11_eventmgr.service
+
+-------------------------------------------------------------------
+Tue Jan 29 22:45:28 CET 2019 - sbrabec@suse.com
+
+- Update to version 0.6.10:
+ * Fix some security issues (thx @frankmorgner):
+ https://www.x41-dsec.de/lab/advisories/x41-2018-003-pam_pkcs11/
+ (drop 0001-verify-using-a-nonce-from-the-system-not-the-card.patch,
+ 0002-fixed-buffer-overflow-with-long-home-directory.patch,
+ 0003-fixed-wiping-secrets-with-OpenSSL_cleanse.patch).
+ * Fix buffer overflow with long home directory.
+ * Fix wiping secrets (now using OpenSSL_cleanse()).
+ * Verify using a nonce from the system, not the card.
+ * Fix segfalt when checking CRLs
+ (drop pam_pkcs11-crl-check.patch).
+- Add rcpkcs11_eventmgr service symlink.
+
+-------------------------------------------------------------------
+Fri Aug 17 10:12:31 UTC 2018 - vcizek@suse.com
+
+- Address security issues found by X41 D-Sec audit (bsc#1105012)
+ * Authentication Replay
+ * Buffer Overflow
+ * Memory not cleaned properly before free()
+- add patches:
+ * 0001-verify-using-a-nonce-from-the-system-not-the-card.patch
+ * 0002-fixed-buffer-overflow-with-long-home-directory.patch
+ * 0003-fixed-wiping-secrets-with-OpenSSL_cleanse.patch
+
+-------------------------------------------------------------------
+Mon Jul 23 17:36:18 CEST 2018 - sbrabec@suse.com
+
+- Fix segfault and fetch problems when checking CRLs
+ (pam_pkcs11-crl-check.patch).
+
+-------------------------------------------------------------------
+Sun Sep 10 00:08:17 UTC 2017 - jengelh@inai.de
+
+- Repair bulletpoint that skidded in description.
+ Trim description of %name-devel-doc, it does not cotain
+ the programs.
+
+-------------------------------------------------------------------
+Wed Aug 9 15:08:07 UTC 2017 - astieger@suse.com
+
+- add service file bsc#1049219
+
+-------------------------------------------------------------------
+Thu Jul 20 18:02:57 CEST 2017 - sbrabec@suse.com
+
+- Updated to version 0.6.9:
+ * Upstream web moved.
+ * pkcs11_listcerts: Do not fail on certificate error.
+ * Do not fail if card was already unlocked.
+ * Other bug fixes.
+ * Translation updates.
+- Drop upstreamed pam_pkcs11-0.6.8-fix-crypto-cflags.patch.
+- Work around incorrect upstream release process not calling
+ "make dist".
+- Split API documentation into a separate package
+ pam_pkcs11-devel-doc.
+- Add pam_pkcs11-fsf-address.patch.
+
+-------------------------------------------------------------------
+Tue Feb 9 19:02:43 UTC 2016 - antoine.belvire@laposte.net
+
+- Fix build for Tumbleweed:
+ * Add pam_pkcs11-0.6.8-fix-crypto-cflags.patch
+ * Rebuild configure with the bootstrap script (add libtool as
+ build dependency)
+
+-------------------------------------------------------------------
+Tue Jul 10 17:24:56 CEST 2012 - sbrabec@suse.cz
+
+- Updated to version 0.6.8:
+ * Code cleanup.
+ * Bug fixes.
+ * Translation updates.
+
+-------------------------------------------------------------------
+Tue Feb 28 19:54:16 CET 2012 - sbrabec@suse.cz
+
+- Change nssdb path to /etc/pki/nssdb (bnc#463469).
+- Make libdir paths in pam_pkcs11.conf biarch-wise.
+
+-------------------------------------------------------------------
+Wed Jan 5 18:40:44 CET 2011 - sbrabec@suse.cz
+
+- Updated to version 0.6.6:
+ * Compatible with pcsc-lite-1.6.
+ * New mapper API.
+ * Minor fixes.
+ * Translaton updates.
+
+-------------------------------------------------------------------
+Mon Feb 1 12:20:03 UTC 2010 - jengelh@medozas.de
+
+- package baselibs.conf
+
+-------------------------------------------------------------------
+Wed Aug 5 15:55:31 CEST 2009 - sbrabec@suse.cz
+
+- Updated to version 0.6.1:
+ * Added functions to API.
+ * Fixes from openSUSE packages upstreamed.
+ * Minor fixes.
+ * Translaton updates.
+
+-------------------------------------------------------------------
+Thu Jun 25 12:41:19 CEST 2009 - sbrabec@suse.cz
+
+- Supplement pam-32bit/pam-64bit in baselibs.conf (bnc#354164).
+
+-------------------------------------------------------------------
+Wed Oct 15 18:30:29 CEST 2008 - sbrabec@suse.cz
+
+- Fixed all implicit declarations.
+
+-------------------------------------------------------------------
+Tue Sep 23 17:49:42 CEST 2008 - sbrabec@suse.cz
+
+- Fixed uninitialized variable (bnc#351207).
+
+-------------------------------------------------------------------
+Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
+
+- added baselibs.conf file to build xxbit packages
+ for multilib support
+
+-------------------------------------------------------------------
+Thu Sep 6 21:08:43 CEST 2007 - jberkman@novell.com
+
+- use the same directory for nssdb as the kerberos pkinit plugin
+
+-------------------------------------------------------------------
+Tue Jul 31 17:34:21 CEST 2007 - sbrabec@suse.cz
+
+- Build with NSS instead of openssl.
+- Applied patches from Jacob Berkman: MS UPN OID and NSS
+ configuration.
+- Fixed implicit declaration.
+
+-------------------------------------------------------------------
+Thu Jul 26 14:32:24 CEST 2007 - sbrabec@suse.cz
+
+- Updated to version 0.6.0:
+ * compiler warning fixes
+ * I18N support
+ * new configuration options
+ * support for new environment variables
+ * new tool pkcs11_setup
+ * support for the NSS crypto libraries (off by default)
+ * for more changes see ChangeLog.svn
+
+-------------------------------------------------------------------
+Fri May 12 16:18:38 CEST 2006 - sbrabec@suse.cz
+
+- New SuSE package, version 0.5.3.
+
diff --git a/pam_pkcs11.spec b/pam_pkcs11.spec
new file mode 100644
index 0000000..af5a253
--- /dev/null
+++ b/pam_pkcs11.spec
@@ -0,0 +1,184 @@
+#
+# spec file for package pam_pkcs11
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+# It seems to be an upstream naming bug:
+%define _name pam_pkcs11-pam_pkcs11
+Name: pam_pkcs11
+Version: 0.6.12
+Release: 0
+Summary: PKCS #11 PAM Module
+License: LGPL-2.1-or-later
+Group: Productivity/Security
+URL: https://github.com/OpenSC/pam_pkcs11
+Source: https://github.com/OpenSC/pam_pkcs11/archive/%{name}-%{version}.tar.gz
+Source1: pam_pkcs11-common-auth-smartcard.pam
+Source2: baselibs.conf
+# make dist was not called.
+Source3: pam_pkcs11-0.6.10-ChangeLog.git
+Source4: pkcs11_eventmgr.service
+Patch0: %{name}-fsf-address.patch
+Patch1: %{name}-0.5.3-nss-conf.patch
+Patch3: %{name}-0.6.0-nss-autoconf.patch
+BuildRequires: curl-devel
+BuildRequires: docbook-xsl-stylesheets
+BuildRequires: doxygen
+BuildRequires: fdupes
+BuildRequires: flex
+BuildRequires: libtool
+BuildRequires: libxslt
+BuildRequires: mozilla-nss-devel
+BuildRequires: openldap2-devel
+BuildRequires: openssl-devel
+BuildRequires: pam-devel
+BuildRequires: pcsc-lite-devel
+BuildRequires: pkgconfig
+%{?systemd_requires}
+%if 0%{?suse_version} >= 1210
+BuildRequires: systemd-rpm-macros
+%endif
+
+%description
+This Linux PAM module allows X.509 a certificate-based user
+authentication. The certificate and its dedicated private key are
+thereby accessed by means of an appropriate PKCS #11 module. For the
+verification of the users' certificates, locally stored CA certificates
+as well as online or locally accessible CRLs are used.
+
+Additionally, the package includes pam_pkcs11-related tools:
+
+* pkcs11_eventmgr: Generates actions on card insert, removal, or
+ time-out events
+
+* pklogin_finder: Gets the login name that maps to a certificate
+
+* pkcs11_inspect: Inspects the contents of a certificate
+
+* make_hash_links: Creates hash link directories for storing CAs and
+CRLs
+
+%package devel-doc
+Summary: PKCS #11 API PAM Documentation
+# File conflict. devel-doc split was done with 0.6.9 upgrade, after SLE 12 SP3, Leap 42.3.
+Group: Documentation/HTML
+Conflicts: pam_pkcs11 < 0.6.9
+
+%description devel-doc
+API documentation for pam_pkcs11
+
+This Linux PAM module allows X.509 a certificate-based user
+authentication.
+
+%prep
+%setup -q -n %{_name}-%{version}
+%patch0 -p1
+%patch1 -p1
+%patch3 -p1
+cp -a %{SOURCE1} common-auth-smartcard
+sed -i s:/lib/:/%{_lib}/:g etc/pam_pkcs11.conf.example.in etc/pkcs11_eventmgr.conf.example
+# make dist was not called and cannot be called on a non git snapshot.
+cp -a %{SOURCE3} ChangeLog.git
+sed -i "/git log/d" Makefile.am
+sed -i '/^HTML_TIMESTAMP/s/YES/NO/' doc/doxygen.conf.in
+
+%build
+./bootstrap
+%configure\
+ --docdir=%{_docdir}/%{name}\
+ --with-nss\
+ --with-curl
+%make_build
+# Generate documentation: This sounds like an upstream bug while making an upstream source tarball.
+%make_build dist
+
+%install
+%make_install
+%if 0%{?suse_version} <= 1500
+mkdir -p %{buildroot}%{_pam_moduledir}
+mv %{buildroot}%{_libdir}/security/* %{buildroot}%{_pam_moduledir}
+%endif
+rm %{buildroot}%{_pam_moduledir}/*.la %{buildroot}%{_libdir}/pam_pkcs11/*.la
+# Hardcoded defaults... no sysconfdir
+install -dm 755 %{buildroot}%{_sysconfdir}/pam_pkcs11/cacerts
+install -dm 755 %{buildroot}%{_sysconfdir}/pam_pkcs11/crls
+cd etc
+for conf in *.conf.example ; do
+ install -m 644 ${conf} %{buildroot}%{_sysconfdir}/pam_pkcs11/${conf%.example}
+done
+cd ..
+mkdir -p %{buildroot}%{_docdir}/%{name}
+cp -a AUTHORS COPYING ChangeLog ChangeLog.git NEWS README README.md TODO doc/pam_pkcs11.html doc/mappers_api.html doc/api doc/README.autologin doc/README.mappers %{buildroot}%{_docdir}/%{name}
+%if 0%{?suse_version} > 1500
+mkdir -p %{buildroot}%{_pam_vendordir}
+cp common-auth-smartcard %{buildroot}%{_pam_vendordir}
+%else
+mkdir -p %{buildroot}%{_sysconfdir}/pam.d
+cp common-auth-smartcard %{buildroot}%{_sysconfdir}/pam.d/
+%endif
+install -D -m 644 %{SOURCE4} %{buildroot}%{_unitdir}/pkcs11_eventmgr.service
+mkdir -p %{buildroot}%{_sbindir}
+ln -s service %{buildroot}%{_sbindir}/rcpkcs11_eventmgr
+%find_lang %{name}
+%fdupes -s %{buildroot}%{_docdir}/%{name}
+
+%pre
+%service_add_pre pkcs11_eventmgr.service
+%if 0%{?suse_version} > 1500
+# Prepare for migration to /usr/lib; save any old .rpmsave
+for i in pam.d/common-auth-smartcard ; do
+ test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
+done
+
+%posttrans
+# Migration to /usr/lib, restore just created .rpmsave
+for i in pam.d/common-auth-smartcard ; do
+ test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
+done
+%endif
+
+%post
+%service_add_post pkcs11_eventmgr.service
+
+%preun
+%service_del_preun pkcs11_eventmgr.service
+
+%postun
+%service_del_postun pkcs11_eventmgr.service
+
+%files -f %{name}.lang
+%doc %{_docdir}/%{name}
+%exclude %{_docdir}/%{name}/api
+%{_bindir}/*
+%{_libdir}/pam_pkcs11
+/%{_pam_moduledir}/*.so
+%{_mandir}/man?/*%{ext_man}
+%dir %{_sysconfdir}/pam_pkcs11
+%dir %{_sysconfdir}/pam_pkcs11/cacerts
+%dir %{_sysconfdir}/pam_pkcs11/crls
+%config(noreplace) %{_sysconfdir}/pam_pkcs11/*.conf
+%if 0%{?suse_version} > 1500
+%{_pam_vendordir}/common-auth-smartcard
+%else
+%config(noreplace) %{_sysconfdir}/pam.d/common-auth-smartcard
+%endif
+%{_prefix}/lib/systemd/system/pkcs11_eventmgr.service
+%{_sbindir}/*
+
+%files devel-doc
+%doc %{_docdir}/%{name}/api
+
+%changelog
diff --git a/pkcs11_eventmgr.service b/pkcs11_eventmgr.service
new file mode 100644
index 0000000..790f9de
--- /dev/null
+++ b/pkcs11_eventmgr.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=pkcs11 event manager
+
+[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=read-only
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
+Type=forking
+ExecStart=/usr/bin/pkcs11_eventmgr
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
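Review bot: In `%install` of pam_pkcs11.spec the loop `for conf in *.conf.example` installs every upstream example file as the live configuration under `%{_sysconfdir}/pam_pkcs11/`, while the `cacerts` and `crls` directories are created empty. The contents of those examples are not visible in this diff, so the certificate and CRL verification policy a fresh install ends up with should be checked rather than assumed; a comment above the loop such as `# example configs become the shipped defaults; cert_policy must be reviewed before the module is enabled` would record that. Separately, `%files` lists the unit as `%{_prefix}/lib/systemd/system/pkcs11_eventmgr.service` although `%install` writes it to `%{_unitdir}`; using `%{_unitdir}/pkcs11_eventmgr.service` in both places keeps them in step.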
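Review bot: pkcs11_eventmgr.service sets no `User=`, so as a system unit the daemon and whatever actions it runs on card events execute as root, and the hardening block stops at the automatically generated set. If the configured actions do not depend on setuid helpers, `NoNewPrivileges=true` and `PrivateTmp=true` would be natural additions below `# end of automatic additions`; otherwise a comment recording why they are left out would help the next reviewer. `Type=forking` without a `PIDFile=` also leaves main-PID detection to systemd's heuristic, which is worth confirming against how the daemon actually forks.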