SLFO-pool/pam_pkcs11
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: SLFO-pool:main
Branches Tags
SLFO-pool:main
SLFO-pool:1.1
...
pull from: SLFO-pool:1.1
Branches Tags
SLFO-pool:1.1
SLFO-pool:main

1 Commits
main ... 1.1

Author SHA256 Message Date
Adrian Schröter
c65378021d Sync from SUSE:SLFO:1.1 pam_pkcs11 revision 2bb4e8cc2d454a7f17c382b3c64b32f4 2025-02-26 14:32:42 +01:00
4 changed files with 4 additions and 156 deletions
Show Stats Expand all files Collapse all files

29
0001-memory-leak-fixes.patch
View File

@ -1,29 +0,0 @@
--- a/src/mappers/mapper.c
+++ b/src/mappers/mapper.c
@@ -83,7 +83,12 @@
/* get a line from buffer */
from = mfile->pt;
/* set up pointer */
- while( *from && isspace(*from) ) from++;
+ while( *from && isspace(*from)){
+ if(from - mfile->buffer + 1 >= mfile->length){
+ return 0;
+ }
+ from++;
+ }
to = strchr(from,'\n');
/* if no newline, assume string ends at end of buffer */
if (!to) to=mfile->buffer+mfile->length;
--- a/src/pam_pkcs11/pam_pkcs11.c
+++ b/src/pam_pkcs11/pam_pkcs11.c
@@ -208,7 +208,7 @@
{
int i, rv;
const char *user = NULL;
- char *password;
+ char *password = NULL;
unsigned int slot_num = 0;
int is_a_screen_saver = 0;
struct configuration_st *configuration;

105
pam_pkcs11-CVE-2025-24032.patch
View File

@ -1,105 +0,0 @@
From b665b287ff955bbbd9539252ff9f9e2754c3fb48 Mon Sep 17 00:00:00 2001
From: Frank Morgner <frankmorgner@gmail.com>
Date: Fri, 6 Dec 2024 04:39:04 +0100
Subject: [PATCH] fixed possible authentication bypass: Use signatures to
verify authentication by default
If cert_policy is set to none (the default value), then pam_pkcs11 will
only check if the user is capable of logging into the token. An attacker
may create a different token with the user's public data (e.g. the
user's certificate) and a PIN known to the attacker. If no signature
with the private key is required, then the attacker may now login as
user with that created token.
This change, by default, uses the private key to crate a signature. A
new policy, `no_signature` is introduced if the module should really
*not* validate the key's signature
---
src/common/cert_vfy.h | 2 +-
src/pam_pkcs11/pam_config.c | 16 +++++++++++-----
src/pam_pkcs11/pam_pkcs11.c | 2 +-
3 files changed, 13 insertions(+), 7 deletions(-)
Index: pam_pkcs11-pam_pkcs11-0.6.12/src/common/cert_vfy.h
===================================================================
--- pam_pkcs11-pam_pkcs11-0.6.12.orig/src/common/cert_vfy.h
+++ pam_pkcs11-pam_pkcs11-0.6.12/src/common/cert_vfy.h
@@ -48,7 +48,7 @@ typedef enum {
struct cert_policy_st {
int ca_policy;
int crl_policy;
- int signature_policy;
+ int no_signature_policy;
const char *ca_dir;
const char *crl_dir;
const char *nss_dir;
Index: pam_pkcs11-pam_pkcs11-0.6.12/src/pam_pkcs11/pam_config.c
===================================================================
--- pam_pkcs11-pam_pkcs11-0.6.12.orig/src/pam_pkcs11/pam_config.c
+++ pam_pkcs11-pam_pkcs11-0.6.12/src/pam_pkcs11/pam_config.c
@@ -87,7 +87,7 @@ static void display_config (void) {
DBG1("support_threads %d",configuration.support_threads);
DBG1("ca_policy %d",configuration.policy.ca_policy);
DBG1("crl_policy %d",configuration.policy.crl_policy);
- DBG1("signature_policy %d",configuration.policy.signature_policy);
+ DBG1("no_signature_policy %d",configuration.policy.no_signature_policy);
DBG1("ocsp_policy %d",configuration.policy.ocsp_policy);
DBG1("err_display_time %d", configuration.err_display_time);
}
@@ -180,7 +180,7 @@ static void parse_config_file(void) {
configuration.policy.crl_policy=CRLP_NONE;
configuration.policy.ocsp_policy=OCSP_NONE;
configuration.policy.ca_policy=0;
- configuration.policy.signature_policy=0;
+ configuration.policy.no_signature_policy=0;
break;
} else if ( !strcmp(policy_list->data,"crl_auto") ) {
configuration.policy.crl_policy=CRLP_AUTO;
@@ -193,7 +193,10 @@ static void parse_config_file(void) {
} else if ( !strcmp(policy_list->data,"ca") ) {
configuration.policy.ca_policy=1;
} else if ( !strcmp(policy_list->data,"signature") ) {
- configuration.policy.signature_policy=1;
+ // ignore this setting for legacy reasons
+ } else if ( !strcmp(policy_list->data,"no_signature") ) {
+ // ignore this setting for legacy reasons
+ configuration.policy.no_signature_policy=1;
} else {
DBG1("Invalid CRL policy: %s",policy_list->data);
}
@@ -321,7 +324,7 @@ struct configuration_st *pk_configure( i
if (strstr(argv[i],"none")) {
configuration.policy.crl_policy=CRLP_NONE;
configuration.policy.ca_policy=0;
- configuration.policy.signature_policy=0;
+ configuration.policy.no_signature_policy=0;
configuration.policy.ocsp_policy=OCSP_NONE;
}
if (strstr(argv[i],"crl_online")) {
@@ -340,7 +343,10 @@ struct configuration_st *pk_configure( i
configuration.policy.ca_policy=1;
}
if (strstr(argv[i],"signature")) {
- configuration.policy.signature_policy=1;
+ // ignore this setting for legacy reasons
+ }
+ if (strstr(argv[i],"no_signature")) {
+ configuration.policy.no_signature_policy=1;
}
continue;
}
Index: pam_pkcs11-pam_pkcs11-0.6.12/src/pam_pkcs11/pam_pkcs11.c
===================================================================
--- pam_pkcs11-pam_pkcs11-0.6.12.orig/src/pam_pkcs11/pam_pkcs11.c
+++ pam_pkcs11-pam_pkcs11-0.6.12/src/pam_pkcs11/pam_pkcs11.c
@@ -618,8 +618,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
/* if signature check is enforced, generate random data, sign and verify */
- if (configuration->policy.signature_policy) {
- pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("Checking signature"));
+ if (!configuration->policy.no_signature_policy) {
+ pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("Checking signature"));
#ifdef notdef

15
pam_pkcs11.changes
View File

@ -1,10 +1,3 @@
-------------------------------------------------------------------
Wed Feb 19 13:50:20 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
- Security update fix [bsc#1237062, CVE-2025-24032]
* Fix CVE-2025-24032: vulnerable to authentication bypass with default value for `cert_policy` (`none`)
* Add pam_pkcs11-CVE-2025-24032.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Feb 5 09:28:30 UTC 2025 - Angel Yankov <angel.yankov@suse.com> Wed Feb 5 09:28:30 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
@ -14,14 +7,6 @@ Wed Feb 5 09:28:30 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
- Fix RPM warnings - Fix RPM warnings
- Add %check section running test suite - Add %check section running test suite
-------------------------------------------------------------------
Tue Sep 24 21:07:33 UTC 2024 - Simon Vogl <simon.vogl@gmx.net>
- Fix for boo#1230870:
* Add patch 0001-memory-leak-fixes.patch
- Add -Wno-implicit-function-declaration to CFLAGS to fix build
with gcc14 and newer
------------------------------------------------------------------- -------------------------------------------------------------------
Tue May 7 15:19:11 UTC 2024 - Davide Benini <davide.benini@suse.com> Tue May 7 15:19:11 UTC 2024 - Davide Benini <davide.benini@suse.com>

11
pam_pkcs11.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package pam_pkcs11 # spec file for package pam_pkcs11
# #
# Copyright (c) 2025 SUSE LLC # Copyright (c) 2023 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -35,12 +35,9 @@ Patch0: %{name}-fsf-address.patch
Patch1: %{name}-0.5.3-nss-conf.patch Patch1: %{name}-0.5.3-nss-conf.patch
Patch3: %{name}-0.6.0-nss-autoconf.patch Patch3: %{name}-0.6.0-nss-autoconf.patch
Patch4: 0001-Set-slot_num-configuration-parameter-to-0-by-default.patch Patch4: 0001-Set-slot_num-configuration-parameter-to-0-by-default.patch
# 0001-memory-leak-fixes.patch - Fix memory leaks and issues with kscreenlocker (boo#1230870) - adapted from https://github.com/OpenSC/pam_pkcs11/commit/f8e7d85aa3ca4fd2e2a8c2dfe601d1224debe372.patch
Patch6: 0001-memory-leak-fixes.patch
# PATCH-FIX-UPSTREAM: bsc#1236314 CVE-2025-24531 has a regression returning PAM_IGNORE in many situations with possible authentication bypass # PATCH-FIX-UPSTREAM: bsc#1236314 CVE-2025-24531 has a regression returning PAM_IGNORE in many situations with possible authentication bypass
Patch7: pam_pkcs11-CVE-2025-24531.patch Patch5: pam_pkcs11-CVE-2025-24531.patch
# PATCH-FIX-UPSTREAM: bsc#1237062 CVE-2025-24032: vulnerable to authentication bypass with default value for `cert_policy` (`none`)
Patch8: pam_pkcs11-CVE-2025-24032.patch
BuildRequires: curl-devel BuildRequires: curl-devel
BuildRequires: docbook-xsl-stylesheets BuildRequires: docbook-xsl-stylesheets
BuildRequires: doxygen BuildRequires: doxygen
@ -103,7 +100,6 @@ sed -i '/^HTML_TIMESTAMP/s/YES/NO/' doc/doxygen.conf.in
%build %build
./bootstrap ./bootstrap
%configure\ %configure\
CFLAGS="${CFLAGS:-%optflags} -Wno-implicit-function-declaration"\
--docdir=%{_docdir}/%{name}\ --docdir=%{_docdir}/%{name}\
--with-nss\ --with-nss\
--with-curl --with-curl
@ -111,6 +107,7 @@ sed -i '/^HTML_TIMESTAMP/s/YES/NO/' doc/doxygen.conf.in
# Generate documentation: This sounds like an upstream bug while making an upstream source tarball. # Generate documentation: This sounds like an upstream bug while making an upstream source tarball.
%make_build dist %make_build dist
%check %check
%make_build check %make_build check