Upstream ChangeLog:
2010-11-20 ludovic.rousseau
* [r475] configure.in: release 0.6.6

2010-11-18 ludovic.rousseau
* [r474] src/tools/Makefile.am, src/tools/card_eventmgr.c, src/tools/pkcs11_eventmgr.c: Use daemon implementation from daemon.c when needed (for example on Solaris 10)
See http://www.opensc-project.org/pipermail/opensc-user/2010-November/004331.html
* [r473] src/tools/daemon.c: Use config.h instead of includes.h
Define _PATH_DEVNULL if needed. It was defined in includes.h in OpenSSH
* [r472] src/tools/daemon.c: new file from OpenSSH version 5.6p1 openssh-5.6p1/openbsd-compat/daemon.c
The licence is BSD 3-clause so compatible with the LGPL v2+ used by pam_pkcs11

2010-10-25 ludovic.rousseau
* [r471] configure.in: Fix the change in revision 470
Thanks (again) to Arfrever Frehtes Taifersar Arahesis http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015175.html
* [r470] configure.in: Default is to use pcsc-lite. The argument is --without-pcsclite to disable pcsc-lite use/support
Thanks to Arfrever Frehtes Taifersar Arahesis for the bug report http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015172.html

2010-10-23 ludovic.rousseau
* [r469] doc/pam_pkcs11.xml: rename make_hash_link.sh in pkcs11_make_hash_link
* [r468] configure.in: Display ${libdir} value
* [r467] tools/Makefile.am, tools/make_hash_link.sh, tools/pkcs11_make_hash_link: rename make_hash_link.sh to pkcs11_make_hash_link to match the manpage name

2010-10-19 ludovic.rousseau
* [r465] src/pam_pkcs11/pam_pkcs11.c: Unload the mapper also on success
Thanks to Andre Zepezauer for the patch http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015150.html
* [r464] doc/doxygen.conf.in: Update from doxygen version 1.5.6 to 1.7.1
* [r463] configure.in: release 0.6.5
* [r462] po/de.po, po/fr.po, po/nl.po, po/pam_pkcs11.pot, po/pl.po, po/pt_br.po, po/ru.po: regenerate
* [r461] src/common/Makefile.am: Add the missing strndup.h file
* [r460] src/common/uri.c: get_http(): check if complete message was transmitted
Thanks to Andre Zepezauer for the patch http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015137.html
* [r459] src/common/uri.c: get_http(): allocate enough memory to fit http-request
Thanks to Andre Zepezauer for the patch http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015137.html
* [r458] src/common/uri.c: get_http(): add missing return statement
Thanks to Andre Zepezauer for the patch http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015137.html
* [r457] configure.in: If dlopen() is not found in libdl we try to find it without specifying a library before exiting in error.
I don't remember why I used this code. Maybe dlopen() is not in libdl on some systems.

2010-10-16 ludovic.rousseau
* [r456] po/fr.po: Translate a string
* [r455] po/de.po, po/fr.po, po/nl.po, po/pam_pkcs11.pot, po/pl.po, po/pt_br.po, po/ru.po: Regenerate
* [r454] src/pam_pkcs11/pam_pkcs11.c: Replace "Found the %s." by "%s found."
Thanks to Mr Dash Four for the bug report http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015135.html

2010-10-15 ludovic.rousseau
* [r453] src/common/pkcs11_lib.c: crypto_init(): fix a typo in log message

2010-09-22 ludovic.rousseau
* [r452] src/common/pkcs11_lib.c: pkcs11_pass_login(): check if the PIN returned by getpass is NULL
Thanks to Andre Zepezauer for the patch http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014976.html
* [r451] src/common/pkcs11_lib.c: pkcs11_pass_login(): log an error if pkcs11_login() fails
Thanks to Andre Zepezauer for the patch http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014964.html
* [r450] src/common/pkcs11_lib.c: pkcs11_pass_login(): do not clean a zero length PIN
Thanks to Andre Zepezauer for the patch http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014964.html
* [r449] src/common/pkcs11_lib.c, src/pam_pkcs11/pam_pkcs11.c: Show PIN code in debug output only if DEBUG_SHOW_PASSWORD is defined (not defined by default)
Thanks to Andre Zepezauer for the bug report http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014964.html

2010-09-21 ludovic.rousseau
* [r448] src/pam_pkcs11/pam_config.c: parse_config_file(): get the debug value from the configuration file
Thanks to Andre Zepezauer for the patch http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014949.html

2010-08-25 ludovic.rousseau
* [r447] src/tools/card_eventmgr.c: Do not call SCardEstablishContext() before daemonize since pcsc-lite handles are invalid after a fork.
Thanks to Patrik Martinsson for the patch http://www.opensc-project.org/pipermail/opensc-devel/2010-August/014632.html

2010-08-19 ludovic.rousseau
* [r446] src/tools/card_eventmgr.c: Use SCARD_READERSTATE instead of SCARD_READERSTATE_A since it was removed in pcsc-lite >= 1.6.2

2010-08-14 ludovic.rousseau
* [r445] src/mappers/cn_mapper.c, src/mappers/digest_mapper.c, src/mappers/generic_mapper.c, src/mappers/krb_mapper.c, src/mappers/ldap_mapper.c, src/mappers/mail_mapper.c, src/mappers/mapper.c, src/mappers/mapper.h, src/mappers/ms_mapper.c, src/mappers/null_mapper.c, src/mappers/opensc_mapper.c, src/mappers/openssh_mapper.c, src/mappers/pwent_mapper.c, src/mappers/subject_mapper.c, src/mappers/uid_mapper.c, src/pam_pkcs11/mapper_mgr.c, src/tools/pklogin_finder.c: Patch for #239 and #240 (handle more than one cert/pattern matching)
Thanks to Wolf Geldmacher for the patch. http://www.opensc-project.org/pipermail/opensc-devel/2010-June/014405.html
" Here's a patch to solve the issues I've encountered using pam_pkcs11.
In regards to #239 (pam_pkcs11 only looks at first certificate on token):
The fix for this turns out to be somewhat problematic, and I'm not at all sure whether my implementation of the fix is a valid one.
The basic problem (as I understood it from analyzing the code) is that finder functions of the mappers return a char*, allowing for a single value (NULL) to signalize failure and return the key if no mapping (i.e. no value associated with the key) was found (cf. comment for mapfile_find in src/mappers/mapper.c). Thus a caller (i.e. find_user in src/pam_pkcs11/mapper_mgr.c) cannot distinguish between a mapping or a key being returned and thus will prematurely terminate on the first certificate that passes the other validity tests.
The fix provided changes the finder function interface by requiring an additional out parameter that is set to 1 if a real mapping value was returned and remains unchanged otherwise. This fix breaks existing loadable mappers.
I considered overloading of the value returned (e.g. having a byte/substring as first character of the value returned to be able to distinguish between a value and a key being returned) which would preserve the interface to the mappers, but refrained from implementing it that way as I believe this to be unclean and prone to difficult-to-track errors.
Another solution I considered was the addition of another entry to the structure encapsulating the mappers (e.g. a finder2 method), but as this is no better in breaking the interface for loadable mappers and duplicates code I forfeited this solution, too.
If somebody could look into the problem and come up with a solution that preserves the interface to external mappers while allowing the distinction between keys and values, I'd be more than happy to implement it.
It might also make sense to add a new configuration parameter for the new behaviour of find_user, allowing existing applications to continue to work with keys being returned instead of values (Feedback anyone? The comment for find_user actually states that a mapping value is returned).
In regards to #240 (Allow pattern matching in pam_pkcs11):
I restricted this to only work for mapfiles and the implementation turned out to be quite simple - it's essentially an 11 line change in src/mappers/mapper.c - and is triggered by the specification of a fully anchored (i.e. *must* have initial "^" and *must* end in "$") pattern as key in a mapfile.
This now allows syntax like
^.*/serialNumber=xxx-xxx-xxx-xxx$ -> username
in all mapfiles.
The patch attached contains the changes for both issues.
Cheers,
Wolf "
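The key-versus-value ambiguity and the anchored-pattern keys described in the quoted message, as an added C example that is not pam_pkcs11's own code. It assumes a simplified "key -> value" mapfile held in a string, a hypothetical mapfile_find() carrying the extra out parameter, and two hypothetical callers that reproduce the old find_user behaviour (stop at the first non-NULL result) and the fixed one (stop only at a real mapping). The mapfile lines, certificate subjects and serial number are constructed; the regex handling generalises the message's example to any fully anchored POSIX extended pattern.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() and regex.h */
#include <regex.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample mapfile in the "key -> value" syntax the message describes.
 * The second key is fully anchored (starts with '^', ends with '$') and is
 * therefore treated as a pattern, as in the #240 change. */
static const char *SAMPLE_MAPFILE =
    "/C=DE/O=Example/CN=Alice Example -> alice\n"
    "^.*/serialNumber=123-456-789-000$ -> bob\n"
    "# comment lines and blank lines are skipped\n"
    "\n";

/* Only a fully anchored key is interpreted as a regular expression. */
static int is_anchored_pattern(const char *key)
{
    size_t n = strlen(key);
    return n >= 2 && key[0] == '^' && key[n - 1] == '$';
}

/* Literal keys compare byte-for-byte; anchored keys are compiled as POSIX
 * extended regexes. A pattern that fails to compile never matches. */
static int key_matches(const char *map_key, const char *lookup)
{
    regex_t re;
    int rc;

    if (!is_anchored_pattern(map_key))
        return strcmp(map_key, lookup) == 0;
    if (regcomp(&re, map_key, REG_EXTENDED | REG_NOSUB) != 0)
        return 0;
    rc = regexec(&re, lookup, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Hypothetical finder with the out parameter from the message: returns a
 * malloc'd copy of the mapped value and sets *match = 1 when a line matches;
 * otherwise returns a malloc'd copy of the key and leaves *match untouched.
 * NULL is returned only on allocation failure. Lines longer than the buffer
 * are skipped rather than truncated. */
char *mapfile_find(const char *mapfile, const char *key, int *match)
{
    const char *p = mapfile;
    char line[512];

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len < sizeof line) {
            char *arrow;
            memcpy(line, p, len);
            line[len] = '\0';
            arrow = strstr(line, " -> ");
            if (line[0] != '#' && arrow) {
                *arrow = '\0';                /* line now holds only the key */
                if (key_matches(line, key)) {
                    *match = 1;
                    return strdup(arrow + 4); /* the value after " -> " */
                }
            }
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return strdup(key);
}

/* Old caller behaviour (#239): the first non-NULL result ends the search, so a
 * certificate with no mapping "wins" because its key is echoed back as if it
 * were a user name. */
char *find_user_first_result(const char *mapfile, const char *const *subjects, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        int unused = 0;
        char *r = mapfile_find(mapfile, subjects[i], &unused);
        if (r)
            return r;
    }
    return NULL;
}

/* Fixed caller: keep going through the certificates until one yields a real
 * mapping, as signalled by the out parameter. */
char *find_user_real_mapping(const char *mapfile, const char *const *subjects, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        int match = 0;
        char *r = mapfile_find(mapfile, subjects[i], &match);
        if (r && match)
            return r;
        free(r);
    }
    return NULL;
}
```

With a token holding an unmapped certificate first and a mapped one second, find_user_first_result() returns the unmapped subject string, while find_user_real_mapping() returns the mapped user; the difference is exactly what the out parameter makes visible to the caller.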

2010-08-13 ludovic.rousseau
* [r444] src/pam_pkcs11/pam_pkcs11.c: Do not use a variadic parameter for pam_prompt. It is not supported on FreeBSD.

2010-08-12 ludovic.rousseau
* [r443] src/common/strndup.h, src/tools/pkcs11_setup.c: Add a new header file to define strndup if needed.
pkcs11_setup.c: In function ‘scconf_replace_str_list’:
pkcs11_setup.c:73: warning: implicit declaration of function ‘strndup’
pkcs11_setup.c:73: warning: incompatible implicit declaration of built-in function ‘strndup’
* [r441] src/pam_pkcs11/pam_config.c, src/tools/pkcs11_inspect.c, src/tools/pkcs11_listcerts.c, src/tools/pklogin_finder.c: Revert changeset 301 parsing arguments in pam_config.c but skip the first argument in command line tools.
Thanks to halfline for the patch. Closes ticket #29