Accepting request 670003 from home:sbrabec:branches:security:chipcard

- Update to version 0.6.10:
  * Fix some security issues (thx @frankmorgner):
    https://www.x41-dsec.de/lab/advisories/x41-2018-003-pam_pkcs11/
    (drop 0001-verify-using-a-nonce-from-the-system-not-the-card.patch,
    0002-fixed-buffer-overflow-with-long-home-directory.patch,
    0003-fixed-wiping-secrets-with-OpenSSL_cleanse.patch).
  * Fix buffer overflow with long home directory.
  * Fix wiping secrets (now using OpenSSL_cleanse()).
  * Verify using a nonce from the system, not the card.
  * Fix segfalt when checking CRLs
    (drop pam_pkcs11-crl-check.patch).
- Add rcpkcs11_eventmgr service symlink.

OBS-URL: https://build.opensuse.org/request/show/670003
OBS-URL: https://build.opensuse.org/package/show/security:chipcard/pam_pkcs11?expand=0&rev=26

0001-verify-using-a-nonce-from-the-system-not-the-card.patch

@@ -1,103 +0,0 @@
-From cc51b3e2720ea862d500cab2ea517518ff39a497 Mon Sep 17 00:00:00 2001
-From: Frank Morgner <frankmorgner@gmail.com>
-Date: Fri, 25 May 2018 23:46:41 +0200
-Subject: [PATCH 1/3] verify using a nonce from the system, not the card
-
-Thanks to Eric Sesterhenn from X41 D-SEC GmbH
-for reporting the problem.
----
- src/common/pkcs11_lib.c | 66 +++++++++++++++++------------------------
- 1 file changed, 28 insertions(+), 38 deletions(-)
-
-diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c
-index 46a93bd..d4433f2 100644
---- a/src/common/pkcs11_lib.c
-+++ b/src/common/pkcs11_lib.c
-@@ -131,6 +131,34 @@ memcmp_pad_max(void *d1, size_t d1_len, void *d2, size_t d2_len,
- 	return (0);
- }
- 
-+int get_random_value(unsigned char *data, int length)
-+{
-+  static const char *random_device = "/dev/urandom";
-+  int rv, fh, l;
-+
-+  DBG2("reading %d random bytes from %s", length, random_device);
-+  fh = open(random_device, O_RDONLY);
-+  if (fh == -1) {
-+    set_error("open() failed: %s", strerror(errno));
-+    return -1;
-+  }
-+
-+  l = 0;
-+  while (l < length) {
-+    rv = read(fh, data + l, length - l);
-+    if (rv <= 0) {
-+      close(fh);
-+      set_error("read() failed: %s", strerror(errno));
-+      return -1;
-+    }
-+    l += rv;
-+  }
-+  close(fh);
-+  DBG5("random-value[%d] = [%02x:%02x:%02x:...:%02x]", length, data[0],
-+      data[1], data[2], data[length - 1]);
-+  return 0;
-+}
-+
- 
- #ifdef HAVE_NSS
- /*
-@@ -834,16 +862,6 @@ int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data,
-   return 0;
- }
- 
--int get_random_value(unsigned char *data, int length)
--{
--  SECStatus rv = PK11_GenerateRandom(data,length);
--  if (rv != SECSuccess) {
--    DBG1("couldn't generate random number: %s", SECU_Strerror(PR_GetError()));
--  }
--  return (rv == SECSuccess) ? 0 : -1;
--}
--
--
- struct tuple_str {
-     PRErrorCode	 errNum;
-     const char * errString;
-@@ -1778,32 +1796,4 @@ int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data,
-       (*signature)[0], (*signature)[1], (*signature)[2], (*signature)[*signature_length - 1]);
-   return 0;
- }
--
--int get_random_value(unsigned char *data, int length)
--{
--  static const char *random_device = "/dev/urandom";
--  int rv, fh, l;
--
--  DBG2("reading %d random bytes from %s", length, random_device);
--  fh = open(random_device, O_RDONLY);
--  if (fh == -1) {
--    set_error("open() failed: %s", strerror(errno));
--    return -1;
--  }
--
--  l = 0;
--  while (l < length) {
--    rv = read(fh, data + l, length - l);
--    if (rv <= 0) {
--      close(fh);
--      set_error("read() failed: %s", strerror(errno));
--      return -1;
--    }
--    l += rv;
--  }
--  close(fh);
--  DBG5("random-value[%d] = [%02x:%02x:%02x:...:%02x]", length, data[0],
--      data[1], data[2], data[length - 1]);
--  return 0;
--}
- #endif /* HAVE_NSS */
--- 
-2.18.0
-

0002-fixed-buffer-overflow-with-long-home-directory.patch

@@ -1,36 +0,0 @@
-From a37fe986997b2d2fefc350c43650cc8193389235 Mon Sep 17 00:00:00 2001
-From: Frank Morgner <frankmorgner@gmail.com>
-Date: Fri, 25 May 2018 23:53:44 +0200
-Subject: [PATCH 2/3] fixed buffer overflow with long home directory
-
-Thanks to Eric Sesterhenn from X41 D-SEC GmbH
-for reporting the issue.
----
- src/mappers/openssh_mapper.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/mappers/openssh_mapper.c b/src/mappers/openssh_mapper.c
-index b9e09f7..ed0a409 100644
---- a/src/mappers/openssh_mapper.c
-+++ b/src/mappers/openssh_mapper.c
-@@ -311,7 +311,7 @@ _DEFAULT_MAPPER_END
- */
- static int openssh_mapper_match_user(X509 *x509, const char *user, void *context) {
-         struct passwd *pw;
--	char filename[512];
-+	char filename[PATH_MAX];
-         if (!x509) return -1;
-         if (!user) return -1;
-         pw = getpwnam(user);
-@@ -333,7 +333,7 @@ static char * openssh_mapper_find_user(X509 *x509, void *context, int *match) {
-         /* parse list of users until match */
-         setpwent();
-         while((pw=getpwent()) != NULL) {
--	    char filename[512];
-+	    char filename[PATH_MAX];
-             DBG1("Trying to match certificate with user: '%s'",pw->pw_name);
-             if ( is_empty_str(pw->pw_dir) ) {
-                 DBG1("User '%s' has no home directory",pw->pw_name);
--- 
-2.18.0
-

0003-fixed-wiping-secrets-with-OpenSSL_cleanse.patch

@@ -1,124 +0,0 @@
-From a0c9b6ffc020944f03f57e7de66ad4363d52125d Mon Sep 17 00:00:00 2001
-From: Frank Morgner <frankmorgner@gmail.com>
-Date: Sat, 26 May 2018 00:10:49 +0200
-Subject: [PATCH 3/3] fixed wiping secrets with OpenSSL_cleanse()
-
-Thanks to Eric Sesterhenn from X41 D-SEC GmbH
-for reporting the problems.
----
- src/common/pkcs11_lib.c     | 15 ++++++++++++---
- src/common/pkcs11_lib.h     |  1 +
- src/pam_pkcs11/pam_pkcs11.c | 10 +++++-----
- 3 files changed, 18 insertions(+), 8 deletions(-)
-
-diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c
-index d4433f2..912de05 100644
---- a/src/common/pkcs11_lib.c
-+++ b/src/common/pkcs11_lib.c
-@@ -63,7 +63,7 @@ int pkcs11_pass_login(pkcs11_handle_t *h, int nullok)
- 
-   /* perform pkcs #11 login */
-   rv = pkcs11_login(h, pin);
--  memset(pin, 0, strlen(pin));
-+  cleanse(pin, strlen(pin));
-   if (rv != 0) {
-     set_error("pkcs11_login() failed: %s", get_error());
-     return -1;
-@@ -159,6 +159,15 @@ int get_random_value(unsigned char *data, int length)
-   return 0;
- }
- 
-+void cleanse(void *ptr, size_t len)
-+{
-+#ifdef HAVE_OPENSSL
-+  OPENSSL_cleanse(ptr, len);
-+#else
-+  memset(ptr, 0, len);
-+#endif
-+}
-+
- 
- #ifdef HAVE_NSS
- /*
-@@ -637,7 +646,7 @@ void release_pkcs11_module(pkcs11_handle_t *h)
-   if (h->module) {
-     SECMOD_DestroyModule(h->module);
-   }
--  memset(h, 0, sizeof(pkcs11_handle_t));
-+  cleanse(h, sizeof(pkcs11_handle_t));
-   free(h);
- 
-   /* if we initialized NSS, then we need to shut it down */
-@@ -1199,7 +1208,7 @@ void release_pkcs11_module(pkcs11_handle_t *h)
-   /* release all allocated memory */
-   if (h->slots != NULL)
-     free(h->slots);
--  memset(h, 0, sizeof(pkcs11_handle_t));
-+  cleanse(h, 0, sizeof(pkcs11_handle_t));
-   free(h);
- }
- 
-diff --git a/src/common/pkcs11_lib.h b/src/common/pkcs11_lib.h
-index 27ed910..637a0c1 100644
---- a/src/common/pkcs11_lib.h
-+++ b/src/common/pkcs11_lib.h
-@@ -67,6 +67,7 @@ PKCS11_EXTERN int sign_value(pkcs11_handle_t *h, cert_object_t *,
-                unsigned char *data, unsigned long length,
-                unsigned char **signature, unsigned long *signature_length);
- PKCS11_EXTERN int get_random_value(unsigned char *data, int length);
-+PKCS11_EXTERN void cleanse(void *ptr, size_t len);
- 
- #undef PKCS11_EXTERN
- 
-diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c
-index d6ca475..3f2b6ab 100644
---- a/src/pam_pkcs11/pam_pkcs11.c
-+++ b/src/pam_pkcs11/pam_pkcs11.c
-@@ -108,7 +108,7 @@ static int pam_prompt(pam_handle_t *pamh, int style, char **response, char *fmt,
-      *response = strdup(resp[0].resp);
-   }
-   /* overwrite memory and release it */
--  memset(resp[0].resp, 0, strlen(resp[0].resp));
-+  cleanse(resp[0].resp, strlen(resp[0].resp));
-   free(&resp[0]);
-   return PAM_SUCCESS;
- }
-@@ -191,7 +191,7 @@ static int pam_get_pwd(pam_handle_t *pamh, char **pwd, char *text, int oitem, in
-       return PAM_CRED_INSUFFICIENT;
-     *pwd = strdup(resp[0].resp);
-     /* overwrite memory and release it */
--    memset(resp[0].resp, 0, strlen(resp[0].resp));
-+    cleanse(resp[0].resp, strlen(resp[0].resp));
-     free(&resp[0]);
-     /* save password if variable nitem is set */
-     if ((nitem == PAM_AUTHTOK) || (nitem == PAM_OLDAUTHTOK)) {
-@@ -517,7 +517,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
- 		/* check password length */
- 		if (!configuration->nullok && strlen(password) == 0) {
- 			release_pkcs11_module(ph);
--			memset(password, 0, strlen(password));
-+			cleanse(password, strlen(password));
- 			free(password);
- 			pam_syslog(pamh, LOG_ERR,
- 					"password length is zero but the 'nullok' argument was not defined.");
-@@ -543,7 +543,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
-     /* erase and free in-memory password data asap */
- 	if (password)
- 	{
--		memset(password, 0, strlen(password));
-+		cleanse(password, strlen(password));
- 		free(password);
- 	}
-     if (rv != 0) {
-@@ -831,7 +831,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
-   return PAM_SUCCESS;
- 
-     /* quick and dirty fail exit point */
--    memset(password, 0, strlen(password));
-+    cleanse(password, strlen(password));
-     free(password); /* erase and free in-memory password data */
- 
- auth_failed_nopw:
--- 
-2.18.0
-

pam_pkcs11-0.6.10.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3bce6b184ce054c2a752e96e36646ea8dd545a52f3025ca32b3e705302bc9152
+size 270819

pam_pkcs11-crl-check.patch

@@ -1,131 +0,0 @@
-https://github.com/OpenSC/pam_pkcs11/pull/26
-https://github.com/gkloepfer/pam_pkcs11/commit/94325a2c2b03a10b7618375f828c90063881227e
-
-From 94325a2c2b03a10b7618375f828c90063881227e Mon Sep 17 00:00:00 2001
-From: Gil Kloepfer <ghub0216@kloepfer.org>
-Date: Thu, 17 Aug 2017 07:51:25 -0500
-Subject: [PATCH] Fixed segfault and fetch problems when checking CRLs
-
-Fixed segfault issue in src/common/cert_vfy.c that occurs when
-an attempt is made to check a certificate's CRL.  This seems to
-be caused by changes that happened in the OpenSSL API, and got
-overlooked during updates to the code.
-
-Also fixed a problem in src/common/uri.c in the builtin URI fetch
-via HTTP where an extra newline (and missing carriage-returns) were
-sent, causing the HTTP request to fail.
----
- src/common/cert_vfy.c | 29 ++++++++++++++---------------
- src/common/uri.c      |  2 +-
- 2 files changed, 15 insertions(+), 16 deletions(-)
-
-diff --git a/src/common/cert_vfy.c b/src/common/cert_vfy.c
-index 7efb0cb..6016ca0 100644
---- a/src/common/cert_vfy.c
-+++ b/src/common/cert_vfy.c
-@@ -143,21 +143,20 @@ static X509_CRL *download_crl(const char *uri)
- static int verify_crl(X509_CRL * crl, X509_STORE_CTX * ctx)
- {
-   int rv;
--  X509_OBJECT *obj = NULL;
-+  X509_OBJECT obj;
-   EVP_PKEY *pkey = NULL;
-   X509 *issuer_cert;
- 
-   /* get issuer certificate */
--  rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), obj);
-+  rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), &obj);
-   if (rv <= 0) {
-     set_error("getting the certificate of the crl-issuer failed");
-     return -1;
-   }
-   /* extract public key and verify signature */
--  issuer_cert = X509_OBJECT_get0_X509(obj);
-+  issuer_cert = X509_OBJECT_get0_X509((&obj));
-   pkey = X509_get_pubkey(issuer_cert);
--  if (obj)
--	X509_OBJECT_free(obj);
-+  X509_OBJECT_free_contents(&obj);
-   if (pkey == NULL) {
-     set_error("getting the issuer's public key failed");
-     return -1;
-@@ -203,13 +202,14 @@ static int verify_crl(X509_CRL * crl, X509_STORE_CTX * ctx)
- static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t policy)
- {
-   int rv, i, j;
--  X509_OBJECT *obj = NULL;
-+  X509_OBJECT obj;
-   X509_REVOKED *rev = NULL;
-   STACK_OF(DIST_POINT) * dist_points;
-   DIST_POINT *point;
-   GENERAL_NAME *name;
-   X509_CRL *crl;
-   X509 *x509_ca = NULL;
-+  EVP_PKEY crl_pkey;
- 
-   DBG1("crl policy: %d", policy);
-   if (policy == CRLP_NONE) {
-@@ -227,28 +227,27 @@ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t
-   } else if (policy == CRLP_OFFLINE) {
-     /* OFFLINE */
-     DBG("looking for an dedicated local crl");
--    rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), obj);
-+    rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), &obj);
-     if (rv <= 0) {
-       set_error("no dedicated crl available");
-       return -1;
-     }
--    crl = X509_OBJECT_get0_X509_CRL(obj);
--    if (obj)
--        X509_OBJECT_free(obj);
-+    crl = X509_OBJECT_get0_X509_CRL((&obj));
-+    X509_OBJECT_free_contents(&obj);
-   } else if (policy == CRLP_ONLINE) {
-     /* ONLINE */
-     DBG("extracting crl distribution points");
-     dist_points = X509_get_ext_d2i(x509, NID_crl_distribution_points, NULL, NULL);
-     if (dist_points == NULL) {
-       /* if there is not crl distribution point in the certificate hava a look at the ca certificate */
--      rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), obj);
-+      rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), &obj);
-       if (rv <= 0) {
-         set_error("no dedicated ca certificate available");
-         return -1;
-       }
--      x509_ca = X509_OBJECT_get0_X509(obj);
-+      x509_ca = X509_OBJECT_get0_X509((&obj));
-       dist_points = X509_get_ext_d2i(x509_ca, NID_crl_distribution_points, NULL, NULL);
--      X509_OBJECT_free(obj);
-+      X509_OBJECT_free_contents(&obj);
-       if (dist_points == NULL) {
-         set_error("neither the user nor the ca certificate does contain a crl distribution point");
-         return -1;
-@@ -296,10 +295,10 @@ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t
-   } else if (rv == 0) {
-     return 0;
-   }
-+  DBG("checking revocation");
-   rv = X509_CRL_get0_by_cert(crl, &rev, x509);
-   X509_CRL_free(crl);
--  X509_REVOKED_free(rev);
--  return (rv == -1);
-+  return (rv == 0);
- }
- 
- static int add_hash( X509_LOOKUP *lookup, const char *dir) {
-diff --git a/src/common/uri.c b/src/common/uri.c
-index 2d74c04..8e65884 100644
---- a/src/common/uri.c
-+++ b/src/common/uri.c
-@@ -407,7 +407,7 @@ static int get_http(uri_t *uri, unsigned char **data, size_t *length, int rec_le
-     set_error("not enough free memory available");
-     return -1;
-   }
--  sprintf(request, "GET %s HTTP/1.0\nHost: %s\n\n\n", uri->http->path, uri->http->host);
-+  sprintf(request, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n", uri->http->path, uri->http->host);
-   len = strlen(request);
-   rv = send(sock, request, len, 0);
-   free(request);
--- 
-2.18.0
-

pam_pkcs11-pam_pkcs11-0.6.9.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e867631b43ec52db934a9f691ea5dbde7514118cda5576e799b669fed9ffd2b4
-size 269444

pam_pkcs11.changes

@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Tue Jan 29 22:45:28 CET 2019 - sbrabec@suse.com
+
+- Update to version 0.6.10:
+  * Fix some security issues (thx @frankmorgner):
+    https://www.x41-dsec.de/lab/advisories/x41-2018-003-pam_pkcs11/
+    (drop 0001-verify-using-a-nonce-from-the-system-not-the-card.patch,
+    0002-fixed-buffer-overflow-with-long-home-directory.patch,
+    0003-fixed-wiping-secrets-with-OpenSSL_cleanse.patch).
+  * Fix buffer overflow with long home directory.
+  * Fix wiping secrets (now using OpenSSL_cleanse()).
+  * Verify using a nonce from the system, not the card.
+  * Fix segfalt when checking CRLs
+    (drop pam_pkcs11-crl-check.patch).
+- Add rcpkcs11_eventmgr service symlink.
+
 -------------------------------------------------------------------
 Fri Aug 17 10:12:31 UTC 2018 - vcizek@suse.com
 

pam_pkcs11.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package pam_pkcs11
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,33 +12,28 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
 # It seems to be an upstream naming bug:
 %define _name pam_pkcs11-pam_pkcs11
 Name:           pam_pkcs11
-Version:        0.6.9
+Version:        0.6.10
 Release:        0
 Summary:        PKCS #11 PAM Module
 License:        LGPL-2.1-or-later
 Group:          Productivity/Security
 Url:            https://github.com/OpenSC/pam_pkcs11
-Source:         %{_name}-%{version}.tar.gz
+Source:         https://github.com/OpenSC/pam_pkcs11/archive/%{name}-%{version}.tar.gz
 Source1:        pam_pkcs11-common-auth-smartcard.pam
 Source2:        baselibs.conf
 # make dist was not called.
-Source3:        pam_pkcs11-0.6.9-ChangeLog.git
+Source3:        pam_pkcs11-0.6.10-ChangeLog.git
 Source4:        pkcs11_eventmgr.service
 Patch0:         %{name}-fsf-address.patch
 Patch1:         %{name}-0.5.3-nss-conf.patch
 Patch3:         %{name}-0.6.0-nss-autoconf.patch
-# PATCH-FIX-UPSTEAM-PENDING pam_pkcs11-crl-check.patch https://github.com/OpenSC/pam_pkcs11/pull/26 -- Fix segfault and fetch problems when checking CRLs.
-Patch4:         %{name}-crl-check.patch
-Patch5:         0001-verify-using-a-nonce-from-the-system-not-the-card.patch
-Patch6:         0002-fixed-buffer-overflow-with-long-home-directory.patch
-Patch7:         0003-fixed-wiping-secrets-with-OpenSSL_cleanse.patch
 BuildRequires:  curl-devel
 BuildRequires:  docbook-xsl-stylesheets
 BuildRequires:  doxygen
@@ -93,10 +88,6 @@ authentication.
 %patch0 -p1
 %patch1 -p1
 %patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
 cp -a %{SOURCE1} common-auth-smartcard
 sed -i s:/lib/:/%{_lib}/:g etc/pam_pkcs11.conf.example.in etc/pkcs11_eventmgr.conf.example
 # make dist was not called and cannot be called on a non git snapshot.
@@ -132,6 +123,8 @@ cp -a AUTHORS COPYING ChangeLog ChangeLog.git NEWS README README.md TODO doc/pam
 mkdir -p %{buildroot}%{_sysconfdir}/pam.d
 cp common-auth-smartcard %{buildroot}%{_sysconfdir}/pam.d/
 install -D -m 644 %{SOURCE4} %{buildroot}%{_unitdir}/pkcs11_eventmgr.service
+mkdir -p %{buildroot}%{_sbindir}
+ln -s service %{buildroot}%{_sbindir}/rcpkcs11_eventmgr
 %find_lang %{name}
 %fdupes -s %{buildroot}%{_docdir}/%{name}
 
@@ -160,6 +153,7 @@ install -D -m 644 %{SOURCE4} %{buildroot}%{_unitdir}/pkcs11_eventmgr.service
 %config(noreplace) %{_sysconfdir}/pam_pkcs11/*.conf
 %config(noreplace) %{_sysconfdir}/pam.d/common-auth-smartcard
 %{_prefix}/lib/systemd/system/pkcs11_eventmgr.service
+%{_sbindir}/*
 
 %files devel-doc
 %doc %{_docdir}/%{name}/api