
10 changed files with 44 additions and 310 deletions


@@ -1,39 +0,0 @@
From 8da6c472ddcf18a30676bf8f7c55785dd2de91c5 Mon Sep 17 00:00:00 2001
From: Paul Wolneykien <manowar@altlinux.org>
Date: Fri, 26 Apr 2024 18:10:24 +0300
Subject: [PATCH] Set 'slot_num' configuration parameter to 0 by default
See https://github.com/OpenSC/pam_pkcs11/pull/74 for details.
Signed-off-by: Paul Wolneykien <manowar@altlinux.org>
---
src/pam_pkcs11/pam_config.c | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
--- a/src/pam_pkcs11/pam_config.c
+++ b/src/pam_pkcs11/pam_config.c
@@ -50,7 +50,7 @@ struct configuration_st configuration =
NULL, /* const char *pkcs11_module_path; */
NULL, /* screen savers */
NULL, /* slot_description */
- -1, /* int slot_num; */
+ 0, /* int slot_num; */
0, /* support threads */
/* cert policy; */
{
@@ -167,13 +167,8 @@ static void parse_config_file(void) {
configuration.slot_num =
scconf_get_int(pkcs11_mblk,"slot_num",configuration.slot_num);
- if (configuration.slot_description != NULL && configuration.slot_num != -1) {
- DBG1("Can not specify both slot_description and slot_num in file %s",configuration.config_file);
- return;
- }
-
- if (configuration.slot_description == NULL && configuration.slot_num == -1) {
- DBG1("Neither slot_description nor slot_num found in file %s",configuration.config_file);
+ if (configuration.slot_description != NULL && configuration.slot_num != 0) {
+ DBG1("Can not specify both slot_description and slot_num != 0 in file %s",configuration.config_file);
return;
}


@@ -1,29 +0,0 @@
--- a/src/mappers/mapper.c
+++ b/src/mappers/mapper.c
@@ -83,7 +83,12 @@
/* get a line from buffer */
from = mfile->pt;
/* set up pointer */
- while( *from && isspace(*from) ) from++;
+ while( *from && isspace(*from)){
+ if(from - mfile->buffer + 1 >= mfile->length){
+ return 0;
+ }
+ from++;
+ }
to = strchr(from,'\n');
/* if no newline, assume string ends at end of buffer */
if (!to) to=mfile->buffer+mfile->length;
--- a/src/pam_pkcs11/pam_pkcs11.c
+++ b/src/pam_pkcs11/pam_pkcs11.c
@@ -208,7 +208,7 @@
{
int i, rv;
const char *user = NULL;
- char *password;
+ char *password = NULL;
unsigned int slot_num = 0;
int is_a_screen_saver = 0;
struct configuration_st *configuration;


@@ -1,7 +1,7 @@
Index: pam_pkcs11-pam_pkcs11-0.6.12/etc/pam_pkcs11.conf.example.in
Index: pam_pkcs11-pam_pkcs11-0.6.13/etc/pam_pkcs11.conf.example.in
===================================================================
--- pam_pkcs11-pam_pkcs11-0.6.12.orig/etc/pam_pkcs11.conf.example.in
+++ pam_pkcs11-pam_pkcs11-0.6.12/etc/pam_pkcs11.conf.example.in
--- pam_pkcs11-pam_pkcs11-0.6.13.orig/etc/pam_pkcs11.conf.example.in
+++ pam_pkcs11-pam_pkcs11-0.6.13/etc/pam_pkcs11.conf.example.in
@@ -9,7 +9,7 @@ pam_pkcs11 {
nullok = true;
@@ -24,8 +24,8 @@ Index: pam_pkcs11-pam_pkcs11-0.6.12/etc/pam_pkcs11.conf.example.in
+ }
pkcs11_module opensc {
module = /usr/lib/opensc-pkcs11.so;
@@ -162,7 +167,7 @@ pam_pkcs11 {
module = @libdir@/opensc-pkcs11.so;
@@ -164,7 +169,7 @@ pam_pkcs11 {
# If used null mapper should be the last in the list :-)
# Also you should select at least one mapper, otherwise
# certificate will not match :-)


@@ -1,6 +1,8 @@
--- pam_pkcs11-0.6.1/src/pam_pkcs11/pam_config.c
+++ pam_pkcs11-0.6.1/src/pam_pkcs11/pam_config.c
@@ -45,7 +45,7 @@
Index: pam_pkcs11-pam_pkcs11-0.6.13/src/pam_pkcs11/pam_config.c
===================================================================
--- pam_pkcs11-pam_pkcs11-0.6.13.orig/src/pam_pkcs11/pam_config.c
+++ pam_pkcs11-pam_pkcs11-0.6.13/src/pam_pkcs11/pam_config.c
@@ -47,7 +47,7 @@ struct configuration_st configuration =
0, /* int card_only; */
0, /* int wait_for_card; */
"default", /* const char *pkcs11_module; */
@@ -8,4 +10,4 @@
+ NULL, /* const char *pkcs11_module_path; */
NULL, /* screen savers */
NULL, /* slot_description */
-1, /* int slot_num; */
0, /* int slot_num; */

pam_pkcs11-0.6.12.tar.gz (Stored with Git LFS)


pam_pkcs11-0.6.13.tar.gz (Stored with Git LFS) Normal file



@@ -1,105 +0,0 @@
From b665b287ff955bbbd9539252ff9f9e2754c3fb48 Mon Sep 17 00:00:00 2001
From: Frank Morgner <frankmorgner@gmail.com>
Date: Fri, 6 Dec 2024 04:39:04 +0100
Subject: [PATCH] fixed possible authentication bypass: Use signatures to
verify authentication by default
If cert_policy is set to none (the default value), then pam_pkcs11 will
only check if the user is capable of logging into the token. An attacker
may create a different token with the user's public data (e.g. the
user's certificate) and a PIN known to the attacker. If no signature
with the private key is required, then the attacker may now login as
user with that created token.
This change, by default, uses the private key to crate a signature. A
new policy, `no_signature` is introduced if the module should really
*not* validate the key's signature
---
src/common/cert_vfy.h | 2 +-
src/pam_pkcs11/pam_config.c | 16 +++++++++++-----
src/pam_pkcs11/pam_pkcs11.c | 2 +-
3 files changed, 13 insertions(+), 7 deletions(-)
Index: pam_pkcs11-pam_pkcs11-0.6.12/src/common/cert_vfy.h
===================================================================
--- pam_pkcs11-pam_pkcs11-0.6.12.orig/src/common/cert_vfy.h
+++ pam_pkcs11-pam_pkcs11-0.6.12/src/common/cert_vfy.h
@@ -48,7 +48,7 @@ typedef enum {
struct cert_policy_st {
int ca_policy;
int crl_policy;
- int signature_policy;
+ int no_signature_policy;
const char *ca_dir;
const char *crl_dir;
const char *nss_dir;
Index: pam_pkcs11-pam_pkcs11-0.6.12/src/pam_pkcs11/pam_config.c
===================================================================
--- pam_pkcs11-pam_pkcs11-0.6.12.orig/src/pam_pkcs11/pam_config.c
+++ pam_pkcs11-pam_pkcs11-0.6.12/src/pam_pkcs11/pam_config.c
@@ -87,7 +87,7 @@ static void display_config (void) {
DBG1("support_threads %d",configuration.support_threads);
DBG1("ca_policy %d",configuration.policy.ca_policy);
DBG1("crl_policy %d",configuration.policy.crl_policy);
- DBG1("signature_policy %d",configuration.policy.signature_policy);
+ DBG1("no_signature_policy %d",configuration.policy.no_signature_policy);
DBG1("ocsp_policy %d",configuration.policy.ocsp_policy);
DBG1("err_display_time %d", configuration.err_display_time);
}
@@ -180,7 +180,7 @@ static void parse_config_file(void) {
configuration.policy.crl_policy=CRLP_NONE;
configuration.policy.ocsp_policy=OCSP_NONE;
configuration.policy.ca_policy=0;
- configuration.policy.signature_policy=0;
+ configuration.policy.no_signature_policy=0;
break;
} else if ( !strcmp(policy_list->data,"crl_auto") ) {
configuration.policy.crl_policy=CRLP_AUTO;
@@ -193,7 +193,10 @@ static void parse_config_file(void) {
} else if ( !strcmp(policy_list->data,"ca") ) {
configuration.policy.ca_policy=1;
} else if ( !strcmp(policy_list->data,"signature") ) {
- configuration.policy.signature_policy=1;
+ // ignore this setting for legacy reasons
+ } else if ( !strcmp(policy_list->data,"no_signature") ) {
+ // ignore this setting for legacy reasons
+ configuration.policy.no_signature_policy=1;
} else {
DBG1("Invalid CRL policy: %s",policy_list->data);
}
@@ -321,7 +324,7 @@ struct configuration_st *pk_configure( i
if (strstr(argv[i],"none")) {
configuration.policy.crl_policy=CRLP_NONE;
configuration.policy.ca_policy=0;
- configuration.policy.signature_policy=0;
+ configuration.policy.no_signature_policy=0;
configuration.policy.ocsp_policy=OCSP_NONE;
}
if (strstr(argv[i],"crl_online")) {
@@ -340,7 +343,10 @@ struct configuration_st *pk_configure( i
configuration.policy.ca_policy=1;
}
if (strstr(argv[i],"signature")) {
- configuration.policy.signature_policy=1;
+ // ignore this setting for legacy reasons
+ }
+ if (strstr(argv[i],"no_signature")) {
+ configuration.policy.no_signature_policy=1;
}
continue;
}
Index: pam_pkcs11-pam_pkcs11-0.6.12/src/pam_pkcs11/pam_pkcs11.c
===================================================================
--- pam_pkcs11-pam_pkcs11-0.6.12.orig/src/pam_pkcs11/pam_pkcs11.c
+++ pam_pkcs11-pam_pkcs11-0.6.12/src/pam_pkcs11/pam_pkcs11.c
@@ -618,8 +618,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
/* if signature check is enforced, generate random data, sign and verify */
- if (configuration->policy.signature_policy) {
- pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("Checking signature"));
+ if (!configuration->policy.no_signature_policy) {
+ pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("Checking signature"));
#ifdef notdef


@@ -1,104 +0,0 @@
From 2ecba68d404c3112546a9e802e3776b9f6c50a6a Mon Sep 17 00:00:00 2001
From: Frank Morgner <frankmorgner@gmail.com>
Date: Fri, 6 Dec 2024 03:08:38 +0100
Subject: [PATCH] Fixed possible authentication bypass: Don't return PAM_IGNORE
Starting with bac6cf8e0b242e508e8b715e7f78d52f1227840a (released with
pam_pkcs11-0.6.12), return codes defaulted to PAM_IGNORE in most cases
where authentication was not possible. This change has not been
anticipated in PAM configurations and may lead to authentication
bypasses. If pam_pkcs11 was configured as the only module which could
provide authentication and would silently fail with PAM_IGNORE, then
this return code may be transformed to PAM_SUCCESS by subsequent PAM
modules that don't actually perform authentication. This change avoids
this situation by *not* returning PAM_IGNORE by default as done in
0.6.11 and before.
If pam_pkcs11 is the only module providing authentication in the PAM
stack, then the following PAM configuration could be used to avoid this
situation as well:
auth [success=ok default=bad] pam_pkcs11.so wait_for_card card_only
In the configuration above, PAM_IGNORE will lead to an authentication
failure even for an unpatched pam_pkcs11-0.6.12 (note the missing
`ignore=ignore`).
Thanks to Matthias Gerstner (@mgerstner) and the SUSE Linux team for
reporting this problem providing analysis and the workaround
configuration of a possibly vulnerable PAM stack.
---
src/pam_pkcs11/pam_pkcs11.c | 35 +++++++----------------------------
1 file changed, 7 insertions(+), 28 deletions(-)
Index: pam_pkcs11-pam_pkcs11-0.6.12/src/pam_pkcs11/pam_pkcs11.c
===================================================================
--- pam_pkcs11-pam_pkcs11-0.6.12.orig/src/pam_pkcs11/pam_pkcs11.c
+++ pam_pkcs11-pam_pkcs11-0.6.12/src/pam_pkcs11/pam_pkcs11.c
@@ -281,13 +281,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
}
}
- if (!configuration->card_only || !login_token_name) {
- /* Allow to pass to the next module if the auth isn't
- restricted to card only. */
- pkcs11_pam_fail = PAM_IGNORE;
- } else {
- pkcs11_pam_fail = PAM_CRED_INSUFFICIENT;
- }
+ pkcs11_pam_fail = PAM_CRED_INSUFFICIENT;
/* fail if we are using a remote server
* local login: DISPLAY=:0
@@ -366,13 +360,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
}
if (rv != 0) {
- /* No token found */
- if (!configuration->card_only) {
- /* If the login isn't restricted to card-only, then proceed
- to the next auth. module quietly. */
- release_pkcs11_module(ph);
- goto exit_ignore;
- }
+ /* No token found */
ERR("no suitable token available");
if (!configuration->quiet) {
@@ -402,18 +390,12 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
if (rv != 0) {
release_pkcs11_module(ph);
/* Still no card */
- if (pkcs11_pam_fail != PAM_IGNORE) {
- if (!configuration->quiet) {
- pam_prompt(pamh, PAM_ERROR_MSG,
- NULL, _("Error 2308: No smartcard found"));
- sleep(configuration->err_display_time);
- }
- } else {
- pam_prompt(pamh, PAM_TEXT_INFO,
- NULL, _("No smartcard found"));
- goto exit_ignore;
- }
+ if (!configuration->quiet) {
+ pam_prompt(pamh, PAM_ERROR_MSG,
+ NULL, _("Error 2308: No smart card found."));
+ sleep(configuration->err_display_time);
return pkcs11_pam_fail;
+ }
}
pam_prompt(pamh, PAM_TEXT_INFO, NULL,
@@ -798,10 +780,8 @@ auth_failed:
free( password );
}
- if (PAM_IGNORE == pkcs11_pam_fail)
- goto exit_ignore;
- else
- return pkcs11_pam_fail;
+ return pkcs11_pam_fail;
+
exit_ignore:
pam_prompt( pamh, PAM_TEXT_INFO, NULL,


@@ -1,18 +1,29 @@
-------------------------------------------------------------------
Wed Feb 19 13:50:20 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
Thu Feb 6 16:04:09 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
- Update to 0.6.13
* Added pkcs11-eventmgr systemd service unit.
* Updated Russian translations for pam_pkcs11 (thx Max Kosmach and Andrey Cherepanov).
* Fixed possible authentication bypass (CVE-2025-24032):
* Use signatures to verify authentication by default (thx Frank Morgner).
* Fixed possible authentication bypass (CVE-2025-24531):
* Restoring the original card_only / wait_for_card behavior (thx Matthias Gerstner, Frank Morgner).
* Move pam_securetty.so upward in the example PAM config.
* Set 'slot_num' configuration parameter to 0 by default (thx Jpereyra316).
* Print details about configuration parse errors (thx Jpereyra316).
* Add Chinese (Simplified) translation.
* Capitalize all PAM messages (thx Alynx Zhou).
* Made pkcs11_make_hash_link support whitespaces in file names
* Drop 0001-Set-slot_num-configuration-parameter-to-0-by-default.patch
* Drop 0001-memory-leak-fixes.patch
* Rebase pam_pkcs11-0.5.3-nss-conf.patch
* Rebase pam_pkcs11-0.6.0-nss-autoconf.patch
- Security update fix [bsc#1237062, CVE-2025-24032]
* Fix CVE-2025-24032: vulnerable to authentication bypass with default value for `cert_policy` (`none`)
* Add pam_pkcs11-CVE-2025-24032.patch
-------------------------------------------------------------------
Wed Feb 5 09:28:30 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
Wed Jan 22 16:07:50 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
- Security fix [bsc#1236314, CVE-2025-24531]
* fix regression returning PAM_IGNORE in many situations with possible authentication bypass
* Add pam_pkcs11-CVE-2025-24531.patch
- Fix RPM warnings
- Add %check section running test suite
- Drop rcFOO symlinks for CODE16 (PED-266).
-------------------------------------------------------------------
Tue Sep 24 21:07:33 UTC 2024 - Simon Vogl <simon.vogl@gmx.net>


@@ -19,7 +19,7 @@
# It seems to be an upstream naming bug:
%define _name pam_pkcs11-pam_pkcs11
Name: pam_pkcs11
Version: 0.6.12
Version: 0.6.13
Release: 0
Summary: PKCS #11 PAM Module
License: LGPL-2.1-or-later
@@ -34,13 +34,7 @@ Source4: pkcs11_eventmgr.service
Patch0: %{name}-fsf-address.patch
Patch1: %{name}-0.5.3-nss-conf.patch
Patch3: %{name}-0.6.0-nss-autoconf.patch
Patch4: 0001-Set-slot_num-configuration-parameter-to-0-by-default.patch
# 0001-memory-leak-fixes.patch - Fix memory leaks and issues with kscreenlocker (boo#1230870) - adapted from https://github.com/OpenSC/pam_pkcs11/commit/f8e7d85aa3ca4fd2e2a8c2dfe601d1224debe372.patch
Patch6: 0001-memory-leak-fixes.patch
# PATCH-FIX-UPSTREAM: bsc#1236314 CVE-2025-24531 has a regression returning PAM_IGNORE in many situations with possible authentication bypass
Patch7: pam_pkcs11-CVE-2025-24531.patch
# PATCH-FIX-UPSTREAM: bsc#1237062 CVE-2025-24032: vulnerable to authentication bypass with default value for `cert_policy` (`none`)
Patch8: pam_pkcs11-CVE-2025-24032.patch
BuildRequires: curl-devel
BuildRequires: docbook-xsl-stylesheets
BuildRequires: doxygen
@@ -55,7 +49,6 @@ BuildRequires: pam-devel
BuildRequires: pcsc-lite-devel
BuildRequires: pkgconfig
BuildRequires: systemd-rpm-macros
%{?systemd_requires}
%description
@@ -82,7 +75,7 @@ Summary: PKCS #11 API PAM Documentation
# File conflict. devel-doc split was done with 0.6.9 upgrade, after SLE 12 SP3, Leap 42.3.
Group: Documentation/HTML
Conflicts: pam_pkcs11 < 0.6.9
BuildArch: noarch
BuildArch: noarch
%description devel-doc
API documentation for pam_pkcs11
@@ -139,8 +132,11 @@ mkdir -p %{buildroot}%{_sysconfdir}/pam.d
cp common-auth-smartcard %{buildroot}%{_sysconfdir}/pam.d/
%endif
install -D -m 644 %{SOURCE4} %{buildroot}%{_unitdir}/pkcs11_eventmgr.service
rm %{buildroot}%{_unitdir}/pkcs11-eventmgr.service
%if 0%{?suse_version} < 1600
mkdir -p %{buildroot}%{_sbindir}
ln -s service %{buildroot}%{_sbindir}/rcpkcs11_eventmgr
%endif
%find_lang %{name}
%fdupes -s %{buildroot}%{_docdir}/%{name}
@@ -185,7 +181,9 @@ done
%config(noreplace) %{_sysconfdir}/pam.d/common-auth-smartcard
%endif
%{_prefix}/lib/systemd/system/pkcs11_eventmgr.service
%{_sbindir}/*
%if 0%{?suse_version} < 1600
%{_sbindir}/rc*
%endif
%files devel-doc
%doc %{_docdir}/%{name}/api