Accepting request 670003 from home:sbrabec:branches:security:chipcard
- Update to version 0.6.10: * Fix some security issues (thx @frankmorgner): https://www.x41-dsec.de/lab/advisories/x41-2018-003-pam_pkcs11/ (drop 0001-verify-using-a-nonce-from-the-system-not-the-card.patch, 0002-fixed-buffer-overflow-with-long-home-directory.patch, 0003-fixed-wiping-secrets-with-OpenSSL_cleanse.patch). * Fix buffer overflow with long home directory. * Fix wiping secrets (now using OpenSSL_cleanse()). * Verify using a nonce from the system, not the card. * Fix segfalt when checking CRLs (drop pam_pkcs11-crl-check.patch). - Add rcpkcs11_eventmgr service symlink. OBS-URL: https://build.opensuse.org/request/show/670003 OBS-URL: https://build.opensuse.org/package/show/security:chipcard/pam_pkcs11?expand=0&rev=26
This commit is contained in:
parent
d1602a056e
commit
723b74d01c
@ -1,103 +0,0 @@
|
|||||||
From cc51b3e2720ea862d500cab2ea517518ff39a497 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Frank Morgner <frankmorgner@gmail.com>
|
|
||||||
Date: Fri, 25 May 2018 23:46:41 +0200
|
|
||||||
Subject: [PATCH 1/3] verify using a nonce from the system, not the card
|
|
||||||
|
|
||||||
Thanks to Eric Sesterhenn from X41 D-SEC GmbH
|
|
||||||
for reporting the problem.
|
|
||||||
---
|
|
||||||
src/common/pkcs11_lib.c | 66 +++++++++++++++++------------------------
|
|
||||||
1 file changed, 28 insertions(+), 38 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c
|
|
||||||
index 46a93bd..d4433f2 100644
|
|
||||||
--- a/src/common/pkcs11_lib.c
|
|
||||||
+++ b/src/common/pkcs11_lib.c
|
|
||||||
@@ -131,6 +131,34 @@ memcmp_pad_max(void *d1, size_t d1_len, void *d2, size_t d2_len,
|
|
||||||
return (0);
|
|
||||||
}
|
|
||||||
|
|
||||||
+int get_random_value(unsigned char *data, int length)
|
|
||||||
+{
|
|
||||||
+ static const char *random_device = "/dev/urandom";
|
|
||||||
+ int rv, fh, l;
|
|
||||||
+
|
|
||||||
+ DBG2("reading %d random bytes from %s", length, random_device);
|
|
||||||
+ fh = open(random_device, O_RDONLY);
|
|
||||||
+ if (fh == -1) {
|
|
||||||
+ set_error("open() failed: %s", strerror(errno));
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ l = 0;
|
|
||||||
+ while (l < length) {
|
|
||||||
+ rv = read(fh, data + l, length - l);
|
|
||||||
+ if (rv <= 0) {
|
|
||||||
+ close(fh);
|
|
||||||
+ set_error("read() failed: %s", strerror(errno));
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ l += rv;
|
|
||||||
+ }
|
|
||||||
+ close(fh);
|
|
||||||
+ DBG5("random-value[%d] = [%02x:%02x:%02x:...:%02x]", length, data[0],
|
|
||||||
+ data[1], data[2], data[length - 1]);
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
|
|
||||||
#ifdef HAVE_NSS
|
|
||||||
/*
|
|
||||||
@@ -834,16 +862,6 @@ int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data,
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
-int get_random_value(unsigned char *data, int length)
|
|
||||||
-{
|
|
||||||
- SECStatus rv = PK11_GenerateRandom(data,length);
|
|
||||||
- if (rv != SECSuccess) {
|
|
||||||
- DBG1("couldn't generate random number: %s", SECU_Strerror(PR_GetError()));
|
|
||||||
- }
|
|
||||||
- return (rv == SECSuccess) ? 0 : -1;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-
|
|
||||||
struct tuple_str {
|
|
||||||
PRErrorCode errNum;
|
|
||||||
const char * errString;
|
|
||||||
@@ -1778,32 +1796,4 @@ int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data,
|
|
||||||
(*signature)[0], (*signature)[1], (*signature)[2], (*signature)[*signature_length - 1]);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
-int get_random_value(unsigned char *data, int length)
|
|
||||||
-{
|
|
||||||
- static const char *random_device = "/dev/urandom";
|
|
||||||
- int rv, fh, l;
|
|
||||||
-
|
|
||||||
- DBG2("reading %d random bytes from %s", length, random_device);
|
|
||||||
- fh = open(random_device, O_RDONLY);
|
|
||||||
- if (fh == -1) {
|
|
||||||
- set_error("open() failed: %s", strerror(errno));
|
|
||||||
- return -1;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- l = 0;
|
|
||||||
- while (l < length) {
|
|
||||||
- rv = read(fh, data + l, length - l);
|
|
||||||
- if (rv <= 0) {
|
|
||||||
- close(fh);
|
|
||||||
- set_error("read() failed: %s", strerror(errno));
|
|
||||||
- return -1;
|
|
||||||
- }
|
|
||||||
- l += rv;
|
|
||||||
- }
|
|
||||||
- close(fh);
|
|
||||||
- DBG5("random-value[%d] = [%02x:%02x:%02x:...:%02x]", length, data[0],
|
|
||||||
- data[1], data[2], data[length - 1]);
|
|
||||||
- return 0;
|
|
||||||
-}
|
|
||||||
#endif /* HAVE_NSS */
|
|
||||||
--
|
|
||||||
2.18.0
|
|
||||||
|
|
@ -1,36 +0,0 @@
|
|||||||
From a37fe986997b2d2fefc350c43650cc8193389235 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Frank Morgner <frankmorgner@gmail.com>
|
|
||||||
Date: Fri, 25 May 2018 23:53:44 +0200
|
|
||||||
Subject: [PATCH 2/3] fixed buffer overflow with long home directory
|
|
||||||
|
|
||||||
Thanks to Eric Sesterhenn from X41 D-SEC GmbH
|
|
||||||
for reporting the issue.
|
|
||||||
---
|
|
||||||
src/mappers/openssh_mapper.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/mappers/openssh_mapper.c b/src/mappers/openssh_mapper.c
|
|
||||||
index b9e09f7..ed0a409 100644
|
|
||||||
--- a/src/mappers/openssh_mapper.c
|
|
||||||
+++ b/src/mappers/openssh_mapper.c
|
|
||||||
@@ -311,7 +311,7 @@ _DEFAULT_MAPPER_END
|
|
||||||
*/
|
|
||||||
static int openssh_mapper_match_user(X509 *x509, const char *user, void *context) {
|
|
||||||
struct passwd *pw;
|
|
||||||
- char filename[512];
|
|
||||||
+ char filename[PATH_MAX];
|
|
||||||
if (!x509) return -1;
|
|
||||||
if (!user) return -1;
|
|
||||||
pw = getpwnam(user);
|
|
||||||
@@ -333,7 +333,7 @@ static char * openssh_mapper_find_user(X509 *x509, void *context, int *match) {
|
|
||||||
/* parse list of users until match */
|
|
||||||
setpwent();
|
|
||||||
while((pw=getpwent()) != NULL) {
|
|
||||||
- char filename[512];
|
|
||||||
+ char filename[PATH_MAX];
|
|
||||||
DBG1("Trying to match certificate with user: '%s'",pw->pw_name);
|
|
||||||
if ( is_empty_str(pw->pw_dir) ) {
|
|
||||||
DBG1("User '%s' has no home directory",pw->pw_name);
|
|
||||||
--
|
|
||||||
2.18.0
|
|
||||||
|
|
@ -1,124 +0,0 @@
|
|||||||
From a0c9b6ffc020944f03f57e7de66ad4363d52125d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Frank Morgner <frankmorgner@gmail.com>
|
|
||||||
Date: Sat, 26 May 2018 00:10:49 +0200
|
|
||||||
Subject: [PATCH 3/3] fixed wiping secrets with OpenSSL_cleanse()
|
|
||||||
|
|
||||||
Thanks to Eric Sesterhenn from X41 D-SEC GmbH
|
|
||||||
for reporting the problems.
|
|
||||||
---
|
|
||||||
src/common/pkcs11_lib.c | 15 ++++++++++++---
|
|
||||||
src/common/pkcs11_lib.h | 1 +
|
|
||||||
src/pam_pkcs11/pam_pkcs11.c | 10 +++++-----
|
|
||||||
3 files changed, 18 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c
|
|
||||||
index d4433f2..912de05 100644
|
|
||||||
--- a/src/common/pkcs11_lib.c
|
|
||||||
+++ b/src/common/pkcs11_lib.c
|
|
||||||
@@ -63,7 +63,7 @@ int pkcs11_pass_login(pkcs11_handle_t *h, int nullok)
|
|
||||||
|
|
||||||
/* perform pkcs #11 login */
|
|
||||||
rv = pkcs11_login(h, pin);
|
|
||||||
- memset(pin, 0, strlen(pin));
|
|
||||||
+ cleanse(pin, strlen(pin));
|
|
||||||
if (rv != 0) {
|
|
||||||
set_error("pkcs11_login() failed: %s", get_error());
|
|
||||||
return -1;
|
|
||||||
@@ -159,6 +159,15 @@ int get_random_value(unsigned char *data, int length)
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+void cleanse(void *ptr, size_t len)
|
|
||||||
+{
|
|
||||||
+#ifdef HAVE_OPENSSL
|
|
||||||
+ OPENSSL_cleanse(ptr, len);
|
|
||||||
+#else
|
|
||||||
+ memset(ptr, 0, len);
|
|
||||||
+#endif
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
|
|
||||||
#ifdef HAVE_NSS
|
|
||||||
/*
|
|
||||||
@@ -637,7 +646,7 @@ void release_pkcs11_module(pkcs11_handle_t *h)
|
|
||||||
if (h->module) {
|
|
||||||
SECMOD_DestroyModule(h->module);
|
|
||||||
}
|
|
||||||
- memset(h, 0, sizeof(pkcs11_handle_t));
|
|
||||||
+ cleanse(h, sizeof(pkcs11_handle_t));
|
|
||||||
free(h);
|
|
||||||
|
|
||||||
/* if we initialized NSS, then we need to shut it down */
|
|
||||||
@@ -1199,7 +1208,7 @@ void release_pkcs11_module(pkcs11_handle_t *h)
|
|
||||||
/* release all allocated memory */
|
|
||||||
if (h->slots != NULL)
|
|
||||||
free(h->slots);
|
|
||||||
- memset(h, 0, sizeof(pkcs11_handle_t));
|
|
||||||
+ cleanse(h, 0, sizeof(pkcs11_handle_t));
|
|
||||||
free(h);
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/src/common/pkcs11_lib.h b/src/common/pkcs11_lib.h
|
|
||||||
index 27ed910..637a0c1 100644
|
|
||||||
--- a/src/common/pkcs11_lib.h
|
|
||||||
+++ b/src/common/pkcs11_lib.h
|
|
||||||
@@ -67,6 +67,7 @@ PKCS11_EXTERN int sign_value(pkcs11_handle_t *h, cert_object_t *,
|
|
||||||
unsigned char *data, unsigned long length,
|
|
||||||
unsigned char **signature, unsigned long *signature_length);
|
|
||||||
PKCS11_EXTERN int get_random_value(unsigned char *data, int length);
|
|
||||||
+PKCS11_EXTERN void cleanse(void *ptr, size_t len);
|
|
||||||
|
|
||||||
#undef PKCS11_EXTERN
|
|
||||||
|
|
||||||
diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c
|
|
||||||
index d6ca475..3f2b6ab 100644
|
|
||||||
--- a/src/pam_pkcs11/pam_pkcs11.c
|
|
||||||
+++ b/src/pam_pkcs11/pam_pkcs11.c
|
|
||||||
@@ -108,7 +108,7 @@ static int pam_prompt(pam_handle_t *pamh, int style, char **response, char *fmt,
|
|
||||||
*response = strdup(resp[0].resp);
|
|
||||||
}
|
|
||||||
/* overwrite memory and release it */
|
|
||||||
- memset(resp[0].resp, 0, strlen(resp[0].resp));
|
|
||||||
+ cleanse(resp[0].resp, strlen(resp[0].resp));
|
|
||||||
free(&resp[0]);
|
|
||||||
return PAM_SUCCESS;
|
|
||||||
}
|
|
||||||
@@ -191,7 +191,7 @@ static int pam_get_pwd(pam_handle_t *pamh, char **pwd, char *text, int oitem, in
|
|
||||||
return PAM_CRED_INSUFFICIENT;
|
|
||||||
*pwd = strdup(resp[0].resp);
|
|
||||||
/* overwrite memory and release it */
|
|
||||||
- memset(resp[0].resp, 0, strlen(resp[0].resp));
|
|
||||||
+ cleanse(resp[0].resp, strlen(resp[0].resp));
|
|
||||||
free(&resp[0]);
|
|
||||||
/* save password if variable nitem is set */
|
|
||||||
if ((nitem == PAM_AUTHTOK) || (nitem == PAM_OLDAUTHTOK)) {
|
|
||||||
@@ -517,7 +517,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
|
|
||||||
/* check password length */
|
|
||||||
if (!configuration->nullok && strlen(password) == 0) {
|
|
||||||
release_pkcs11_module(ph);
|
|
||||||
- memset(password, 0, strlen(password));
|
|
||||||
+ cleanse(password, strlen(password));
|
|
||||||
free(password);
|
|
||||||
pam_syslog(pamh, LOG_ERR,
|
|
||||||
"password length is zero but the 'nullok' argument was not defined.");
|
|
||||||
@@ -543,7 +543,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
|
|
||||||
/* erase and free in-memory password data asap */
|
|
||||||
if (password)
|
|
||||||
{
|
|
||||||
- memset(password, 0, strlen(password));
|
|
||||||
+ cleanse(password, strlen(password));
|
|
||||||
free(password);
|
|
||||||
}
|
|
||||||
if (rv != 0) {
|
|
||||||
@@ -831,7 +831,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
|
|
||||||
return PAM_SUCCESS;
|
|
||||||
|
|
||||||
/* quick and dirty fail exit point */
|
|
||||||
- memset(password, 0, strlen(password));
|
|
||||||
+ cleanse(password, strlen(password));
|
|
||||||
free(password); /* erase and free in-memory password data */
|
|
||||||
|
|
||||||
auth_failed_nopw:
|
|
||||||
--
|
|
||||||
2.18.0
|
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
3
pam_pkcs11-0.6.10.tar.gz
Normal file
3
pam_pkcs11-0.6.10.tar.gz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:3bce6b184ce054c2a752e96e36646ea8dd545a52f3025ca32b3e705302bc9152
|
||||||
|
size 270819
|
@ -1,131 +0,0 @@
|
|||||||
https://github.com/OpenSC/pam_pkcs11/pull/26
|
|
||||||
https://github.com/gkloepfer/pam_pkcs11/commit/94325a2c2b03a10b7618375f828c90063881227e
|
|
||||||
|
|
||||||
From 94325a2c2b03a10b7618375f828c90063881227e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Gil Kloepfer <ghub0216@kloepfer.org>
|
|
||||||
Date: Thu, 17 Aug 2017 07:51:25 -0500
|
|
||||||
Subject: [PATCH] Fixed segfault and fetch problems when checking CRLs
|
|
||||||
|
|
||||||
Fixed segfault issue in src/common/cert_vfy.c that occurs when
|
|
||||||
an attempt is made to check a certificate's CRL. This seems to
|
|
||||||
be caused by changes that happened in the OpenSSL API, and got
|
|
||||||
overlooked during updates to the code.
|
|
||||||
|
|
||||||
Also fixed a problem in src/common/uri.c in the builtin URI fetch
|
|
||||||
via HTTP where an extra newline (and missing carriage-returns) were
|
|
||||||
sent, causing the HTTP request to fail.
|
|
||||||
---
|
|
||||||
src/common/cert_vfy.c | 29 ++++++++++++++---------------
|
|
||||||
src/common/uri.c | 2 +-
|
|
||||||
2 files changed, 15 insertions(+), 16 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/common/cert_vfy.c b/src/common/cert_vfy.c
|
|
||||||
index 7efb0cb..6016ca0 100644
|
|
||||||
--- a/src/common/cert_vfy.c
|
|
||||||
+++ b/src/common/cert_vfy.c
|
|
||||||
@@ -143,21 +143,20 @@ static X509_CRL *download_crl(const char *uri)
|
|
||||||
static int verify_crl(X509_CRL * crl, X509_STORE_CTX * ctx)
|
|
||||||
{
|
|
||||||
int rv;
|
|
||||||
- X509_OBJECT *obj = NULL;
|
|
||||||
+ X509_OBJECT obj;
|
|
||||||
EVP_PKEY *pkey = NULL;
|
|
||||||
X509 *issuer_cert;
|
|
||||||
|
|
||||||
/* get issuer certificate */
|
|
||||||
- rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), obj);
|
|
||||||
+ rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), &obj);
|
|
||||||
if (rv <= 0) {
|
|
||||||
set_error("getting the certificate of the crl-issuer failed");
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
/* extract public key and verify signature */
|
|
||||||
- issuer_cert = X509_OBJECT_get0_X509(obj);
|
|
||||||
+ issuer_cert = X509_OBJECT_get0_X509((&obj));
|
|
||||||
pkey = X509_get_pubkey(issuer_cert);
|
|
||||||
- if (obj)
|
|
||||||
- X509_OBJECT_free(obj);
|
|
||||||
+ X509_OBJECT_free_contents(&obj);
|
|
||||||
if (pkey == NULL) {
|
|
||||||
set_error("getting the issuer's public key failed");
|
|
||||||
return -1;
|
|
||||||
@@ -203,13 +202,14 @@ static int verify_crl(X509_CRL * crl, X509_STORE_CTX * ctx)
|
|
||||||
static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t policy)
|
|
||||||
{
|
|
||||||
int rv, i, j;
|
|
||||||
- X509_OBJECT *obj = NULL;
|
|
||||||
+ X509_OBJECT obj;
|
|
||||||
X509_REVOKED *rev = NULL;
|
|
||||||
STACK_OF(DIST_POINT) * dist_points;
|
|
||||||
DIST_POINT *point;
|
|
||||||
GENERAL_NAME *name;
|
|
||||||
X509_CRL *crl;
|
|
||||||
X509 *x509_ca = NULL;
|
|
||||||
+ EVP_PKEY crl_pkey;
|
|
||||||
|
|
||||||
DBG1("crl policy: %d", policy);
|
|
||||||
if (policy == CRLP_NONE) {
|
|
||||||
@@ -227,28 +227,27 @@ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t
|
|
||||||
} else if (policy == CRLP_OFFLINE) {
|
|
||||||
/* OFFLINE */
|
|
||||||
DBG("looking for an dedicated local crl");
|
|
||||||
- rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), obj);
|
|
||||||
+ rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), &obj);
|
|
||||||
if (rv <= 0) {
|
|
||||||
set_error("no dedicated crl available");
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
- crl = X509_OBJECT_get0_X509_CRL(obj);
|
|
||||||
- if (obj)
|
|
||||||
- X509_OBJECT_free(obj);
|
|
||||||
+ crl = X509_OBJECT_get0_X509_CRL((&obj));
|
|
||||||
+ X509_OBJECT_free_contents(&obj);
|
|
||||||
} else if (policy == CRLP_ONLINE) {
|
|
||||||
/* ONLINE */
|
|
||||||
DBG("extracting crl distribution points");
|
|
||||||
dist_points = X509_get_ext_d2i(x509, NID_crl_distribution_points, NULL, NULL);
|
|
||||||
if (dist_points == NULL) {
|
|
||||||
/* if there is not crl distribution point in the certificate hava a look at the ca certificate */
|
|
||||||
- rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), obj);
|
|
||||||
+ rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), &obj);
|
|
||||||
if (rv <= 0) {
|
|
||||||
set_error("no dedicated ca certificate available");
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
- x509_ca = X509_OBJECT_get0_X509(obj);
|
|
||||||
+ x509_ca = X509_OBJECT_get0_X509((&obj));
|
|
||||||
dist_points = X509_get_ext_d2i(x509_ca, NID_crl_distribution_points, NULL, NULL);
|
|
||||||
- X509_OBJECT_free(obj);
|
|
||||||
+ X509_OBJECT_free_contents(&obj);
|
|
||||||
if (dist_points == NULL) {
|
|
||||||
set_error("neither the user nor the ca certificate does contain a crl distribution point");
|
|
||||||
return -1;
|
|
||||||
@@ -296,10 +295,10 @@ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t
|
|
||||||
} else if (rv == 0) {
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
+ DBG("checking revocation");
|
|
||||||
rv = X509_CRL_get0_by_cert(crl, &rev, x509);
|
|
||||||
X509_CRL_free(crl);
|
|
||||||
- X509_REVOKED_free(rev);
|
|
||||||
- return (rv == -1);
|
|
||||||
+ return (rv == 0);
|
|
||||||
}
|
|
||||||
|
|
||||||
static int add_hash( X509_LOOKUP *lookup, const char *dir) {
|
|
||||||
diff --git a/src/common/uri.c b/src/common/uri.c
|
|
||||||
index 2d74c04..8e65884 100644
|
|
||||||
--- a/src/common/uri.c
|
|
||||||
+++ b/src/common/uri.c
|
|
||||||
@@ -407,7 +407,7 @@ static int get_http(uri_t *uri, unsigned char **data, size_t *length, int rec_le
|
|
||||||
set_error("not enough free memory available");
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
- sprintf(request, "GET %s HTTP/1.0\nHost: %s\n\n\n", uri->http->path, uri->http->host);
|
|
||||||
+ sprintf(request, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n", uri->http->path, uri->http->host);
|
|
||||||
len = strlen(request);
|
|
||||||
rv = send(sock, request, len, 0);
|
|
||||||
free(request);
|
|
||||||
--
|
|
||||||
2.18.0
|
|
||||||
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:e867631b43ec52db934a9f691ea5dbde7514118cda5576e799b669fed9ffd2b4
|
|
||||||
size 269444
|
|
@ -1,3 +1,19 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jan 29 22:45:28 CET 2019 - sbrabec@suse.com
|
||||||
|
|
||||||
|
- Update to version 0.6.10:
|
||||||
|
* Fix some security issues (thx @frankmorgner):
|
||||||
|
https://www.x41-dsec.de/lab/advisories/x41-2018-003-pam_pkcs11/
|
||||||
|
(drop 0001-verify-using-a-nonce-from-the-system-not-the-card.patch,
|
||||||
|
0002-fixed-buffer-overflow-with-long-home-directory.patch,
|
||||||
|
0003-fixed-wiping-secrets-with-OpenSSL_cleanse.patch).
|
||||||
|
* Fix buffer overflow with long home directory.
|
||||||
|
* Fix wiping secrets (now using OpenSSL_cleanse()).
|
||||||
|
* Verify using a nonce from the system, not the card.
|
||||||
|
* Fix segfalt when checking CRLs
|
||||||
|
(drop pam_pkcs11-crl-check.patch).
|
||||||
|
- Add rcpkcs11_eventmgr service symlink.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Aug 17 10:12:31 UTC 2018 - vcizek@suse.com
|
Fri Aug 17 10:12:31 UTC 2018 - vcizek@suse.com
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package pam_pkcs11
|
# spec file for package pam_pkcs11
|
||||||
#
|
#
|
||||||
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
|
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -12,33 +12,28 @@
|
|||||||
# license that conforms to the Open Source Definition (Version 1.9)
|
# license that conforms to the Open Source Definition (Version 1.9)
|
||||||
# published by the Open Source Initiative.
|
# published by the Open Source Initiative.
|
||||||
|
|
||||||
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||||
#
|
#
|
||||||
|
|
||||||
|
|
||||||
# It seems to be an upstream naming bug:
|
# It seems to be an upstream naming bug:
|
||||||
%define _name pam_pkcs11-pam_pkcs11
|
%define _name pam_pkcs11-pam_pkcs11
|
||||||
Name: pam_pkcs11
|
Name: pam_pkcs11
|
||||||
Version: 0.6.9
|
Version: 0.6.10
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: PKCS #11 PAM Module
|
Summary: PKCS #11 PAM Module
|
||||||
License: LGPL-2.1-or-later
|
License: LGPL-2.1-or-later
|
||||||
Group: Productivity/Security
|
Group: Productivity/Security
|
||||||
Url: https://github.com/OpenSC/pam_pkcs11
|
Url: https://github.com/OpenSC/pam_pkcs11
|
||||||
Source: %{_name}-%{version}.tar.gz
|
Source: https://github.com/OpenSC/pam_pkcs11/archive/%{name}-%{version}.tar.gz
|
||||||
Source1: pam_pkcs11-common-auth-smartcard.pam
|
Source1: pam_pkcs11-common-auth-smartcard.pam
|
||||||
Source2: baselibs.conf
|
Source2: baselibs.conf
|
||||||
# make dist was not called.
|
# make dist was not called.
|
||||||
Source3: pam_pkcs11-0.6.9-ChangeLog.git
|
Source3: pam_pkcs11-0.6.10-ChangeLog.git
|
||||||
Source4: pkcs11_eventmgr.service
|
Source4: pkcs11_eventmgr.service
|
||||||
Patch0: %{name}-fsf-address.patch
|
Patch0: %{name}-fsf-address.patch
|
||||||
Patch1: %{name}-0.5.3-nss-conf.patch
|
Patch1: %{name}-0.5.3-nss-conf.patch
|
||||||
Patch3: %{name}-0.6.0-nss-autoconf.patch
|
Patch3: %{name}-0.6.0-nss-autoconf.patch
|
||||||
# PATCH-FIX-UPSTEAM-PENDING pam_pkcs11-crl-check.patch https://github.com/OpenSC/pam_pkcs11/pull/26 -- Fix segfault and fetch problems when checking CRLs.
|
|
||||||
Patch4: %{name}-crl-check.patch
|
|
||||||
Patch5: 0001-verify-using-a-nonce-from-the-system-not-the-card.patch
|
|
||||||
Patch6: 0002-fixed-buffer-overflow-with-long-home-directory.patch
|
|
||||||
Patch7: 0003-fixed-wiping-secrets-with-OpenSSL_cleanse.patch
|
|
||||||
BuildRequires: curl-devel
|
BuildRequires: curl-devel
|
||||||
BuildRequires: docbook-xsl-stylesheets
|
BuildRequires: docbook-xsl-stylesheets
|
||||||
BuildRequires: doxygen
|
BuildRequires: doxygen
|
||||||
@ -93,10 +88,6 @@ authentication.
|
|||||||
%patch0 -p1
|
%patch0 -p1
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
%patch4 -p1
|
|
||||||
%patch5 -p1
|
|
||||||
%patch6 -p1
|
|
||||||
%patch7 -p1
|
|
||||||
cp -a %{SOURCE1} common-auth-smartcard
|
cp -a %{SOURCE1} common-auth-smartcard
|
||||||
sed -i s:/lib/:/%{_lib}/:g etc/pam_pkcs11.conf.example.in etc/pkcs11_eventmgr.conf.example
|
sed -i s:/lib/:/%{_lib}/:g etc/pam_pkcs11.conf.example.in etc/pkcs11_eventmgr.conf.example
|
||||||
# make dist was not called and cannot be called on a non git snapshot.
|
# make dist was not called and cannot be called on a non git snapshot.
|
||||||
@ -132,6 +123,8 @@ cp -a AUTHORS COPYING ChangeLog ChangeLog.git NEWS README README.md TODO doc/pam
|
|||||||
mkdir -p %{buildroot}%{_sysconfdir}/pam.d
|
mkdir -p %{buildroot}%{_sysconfdir}/pam.d
|
||||||
cp common-auth-smartcard %{buildroot}%{_sysconfdir}/pam.d/
|
cp common-auth-smartcard %{buildroot}%{_sysconfdir}/pam.d/
|
||||||
install -D -m 644 %{SOURCE4} %{buildroot}%{_unitdir}/pkcs11_eventmgr.service
|
install -D -m 644 %{SOURCE4} %{buildroot}%{_unitdir}/pkcs11_eventmgr.service
|
||||||
|
mkdir -p %{buildroot}%{_sbindir}
|
||||||
|
ln -s service %{buildroot}%{_sbindir}/rcpkcs11_eventmgr
|
||||||
%find_lang %{name}
|
%find_lang %{name}
|
||||||
%fdupes -s %{buildroot}%{_docdir}/%{name}
|
%fdupes -s %{buildroot}%{_docdir}/%{name}
|
||||||
|
|
||||||
@ -160,6 +153,7 @@ install -D -m 644 %{SOURCE4} %{buildroot}%{_unitdir}/pkcs11_eventmgr.service
|
|||||||
%config(noreplace) %{_sysconfdir}/pam_pkcs11/*.conf
|
%config(noreplace) %{_sysconfdir}/pam_pkcs11/*.conf
|
||||||
%config(noreplace) %{_sysconfdir}/pam.d/common-auth-smartcard
|
%config(noreplace) %{_sysconfdir}/pam.d/common-auth-smartcard
|
||||||
%{_prefix}/lib/systemd/system/pkcs11_eventmgr.service
|
%{_prefix}/lib/systemd/system/pkcs11_eventmgr.service
|
||||||
|
%{_sbindir}/*
|
||||||
|
|
||||||
%files devel-doc
|
%files devel-doc
|
||||||
%doc %{_docdir}/%{name}/api
|
%doc %{_docdir}/%{name}/api
|
||||||
|
Loading…
Reference in New Issue
Block a user