Upstream ChangeLog:

2010-11-20  ludovic.rousseau

    * [r475] configure.in: release 0.6.6

2010-11-18  ludovic.rousseau

    * [r474] src/tools/Makefile.am, src/tools/card_eventmgr.c,
      src/tools/pkcs11_eventmgr.c: Use daemon implementation from daemon.c
      when needed (for example on Solaris 10)
      See http://www.opensc-project.org/pipermail/opensc-user/2010-November/004331.html

    * [r473] src/tools/daemon.c: Use config.h instead of includes.h
      Define _PATH_DEVNULL if needed. It was defined in includes.h in OpenSSH

    * [r472] src/tools/daemon.c: new file from OpenSSH version 5.6p1
      openssh-5.6p1/openbsd-compat/daemon.c
      The licence is BSD 3-clause so compatible with the LGPL v2+ used by
      pam_pkcs11

2010-10-25  ludovic.rousseau

    * [r471] configure.in: Fix the change in revision 470
      Thanks (again) to Arfrever Frehtes Taifersar Arahesis
      http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015175.html

    * [r470] configure.in: Default is to use pcsc-lite.
      The argument is --without-pcsclite to disable pcsc-lite use/support
      Thanks to Arfrever Frehtes Taifersar Arahesis for the bug report
      http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015172.html

2010-10-23  ludovic.rousseau

    * [r469] doc/pam_pkcs11.xml: rename make_hash_link.sh to
      pkcs11_make_hash_link

    * [r468] configure.in: Display ${libdir} value

    * [r467] tools/Makefile.am, tools/make_hash_link.sh,
      tools/pkcs11_make_hash_link: rename make_hash_link.sh to
      pkcs11_make_hash_link to match the manpage name

2010-10-19  ludovic.rousseau

    * [r465] src/pam_pkcs11/pam_pkcs11.c: Unload the mapper also on success
      Thanks to Andre Zepezauer for the patch
      http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015150.html

    * [r464] doc/doxygen.conf.in: Update from doxygen version 1.5.6 to 1.7.1

    * [r463] configure.in: release 0.6.5

    * [r462] po/de.po, po/fr.po, po/nl.po, po/pam_pkcs11.pot, po/pl.po,
      po/pt_br.po, po/ru.po: regenerate

    * [r461] src/common/Makefile.am: Add the missing strndup.h file

    * [r460] src/common/uri.c:
      get_http(): check if complete message was transmitted
      Thanks to Andre Zepezauer for the patch
      http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015137.html

    * [r459] src/common/uri.c: get_http(): allocate enough memory to fit
      http-request
      Thanks to Andre Zepezauer for the patch
      http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015137.html

    * [r458] src/common/uri.c: get_http(): add missing return statement
      Thanks to Andre Zepezauer for the patch
      http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015137.html

    * [r457] configure.in: If dlopen() is not found in libdl we try to find
      it without specifying a library before exiting in error.
      I don't remember why I used this code. Maybe dlopen() is not in libdl
      on some systems.

2010-10-16  ludovic.rousseau

    * [r456] po/fr.po: Translate a string

    * [r455] po/de.po, po/fr.po, po/nl.po, po/pam_pkcs11.pot, po/pl.po,
      po/pt_br.po, po/ru.po: Regenerate

    * [r454] src/pam_pkcs11/pam_pkcs11.c: Replace "Found the %s." by
      "%s found."
      Thanks to Mr Dash Four for the bug report
      http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015135.html

2010-10-15  ludovic.rousseau

    * [r453] src/common/pkcs11_lib.c: crypto_init(): fix a typo in log
      message

2010-09-22  ludovic.rousseau

    * [r452] src/common/pkcs11_lib.c: pkcs11_pass_login(): check if the PIN
      returned by getpass is NULL
      Thanks to Andre Zepezauer for the patch
      http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014976.html

    * [r451] src/common/pkcs11_lib.c: pkcs11_pass_login(): log an error if
      pkcs11_login() fails
      Thanks to Andre Zepezauer for the patch
      http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014964.html

    * [r450] src/common/pkcs11_lib.c: pkcs11_pass_login(): do not clean a
      zero length PIN
      Thanks to Andre Zepezauer for the patch
      http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014964.html

    * [r449] src/common/pkcs11_lib.c, src/pam_pkcs11/pam_pkcs11.c: Show PIN
      code in debug output only if DEBUG_SHOW_PASSWORD is defined (not
      defined by default)
      Thanks to Andre Zepezauer for the bug report
      http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014964.html

2010-09-21  ludovic.rousseau

    * [r448] src/pam_pkcs11/pam_config.c: parse_config_file(): get the debug
      value from the configuration file
      Thanks to Andre Zepezauer for the patch
      http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014949.html

2010-08-25  ludovic.rousseau

    * [r447] src/tools/card_eventmgr.c: Do not call SCardEstablishContext()
      before daemonize since pcsc-lite handles are invalid after a fork.
      Thanks to Patrik Martinsson for the patch
      http://www.opensc-project.org/pipermail/opensc-devel/2010-August/014632.html

2010-08-19  ludovic.rousseau

    * [r446] src/tools/card_eventmgr.c: Use SCARD_READERSTATE instead of
      SCARD_READERSTATE_A since it was removed in pcsc-lite >= 1.6.2

2010-08-14  ludovic.rousseau

    * [r445] src/mappers/cn_mapper.c, src/mappers/digest_mapper.c,
      src/mappers/generic_mapper.c, src/mappers/krb_mapper.c,
      src/mappers/ldap_mapper.c, src/mappers/mail_mapper.c,
      src/mappers/mapper.c, src/mappers/mapper.h, src/mappers/ms_mapper.c,
      src/mappers/null_mapper.c, src/mappers/opensc_mapper.c,
      src/mappers/openssh_mapper.c, src/mappers/pwent_mapper.c,
      src/mappers/subject_mapper.c, src/mappers/uid_mapper.c,
      src/pam_pkcs11/mapper_mgr.c, src/tools/pklogin_finder.c: Patch for
      #239 and #240 (handle more than one cert/pattern matching)
      Thanks to Wolf Geldmacher for the patch.
      http://www.opensc-project.org/pipermail/opensc-devel/2010-June/014405.html

      " Here's a patch to solve the issues I've encountered using pam_pkcs11.

      In regards to #239 (pam_pkcs11 only looks at first certificate on
      token):

      The fix for this turns out to be somewhat problematic, and I'm not at
      all sure, whether my implementation of the fix is a valid one. The
      basic problem (as I understood it from analyzing the code) is that
      finder functions of the mappers return a char*, allowing for a single
      value (NULL) to signalize failure and return the key if no mapping
      (i.e. no value associated with the key) was found (cf. comment for
      mapfile_find in src/mappers/mapper.c). Thus a caller (i.e. find_user
      in src/pam_pkcs11/mapper_mgr.c) cannot distinguish between a mapping
      or a key being returned and thus will prematurely terminate on the
      first certificate that passes the other validity tests.

      The fix provided changes the finder function interface by requiring
      an additional out parameter that is set to 1, if a real mapping value
      was returned and remains unchanged otherwise.
      This fix breaks existing loadable mappers. I considered overloading
      of the value returned (e.g. having a byte/substring as first
      character of the value returned to be able to distinguish between a
      value and a key being returned) which would preserve the interface to
      the mappers, but refrained from implementing it that way as I believe
      this to be unclean and prone to difficult to track errors. Another
      solution I considered was the addition of another entry to the
      structure encapsulating the mappers (e.g. a finder2 method), but as
      this is no better in breaking the interface for loadable mappers and
      duplicates code I forfeited this solution, too.

      If somebody could look into the problem and come up with a solution
      that preserves the interface to external mappers while allowing the
      distinction between keys and values, I'd be more than happy to
      implement it.

      It might also make sense to add a new configuration parameter for the
      new behaviour of find_user, allowing existing applications to
      continue to work with keys being returned instead of values (Feedback
      anyone? The comment for find_user actually states that a mapping
      value is returned).

      In regards to #240 (Allow pattern matching in pam_pkcs11):

      I restricted this to only work for mapfiles and the implementation
      turned out to be quite simple - it's essentially an 11 line change in
      src/mappers/mapper.c - and is triggered by the specification of a
      fully anchored (i.e. *must* have initial "^" and *must* end in "$")
      pattern as key in a mapfile. This now allows syntax like
      ^.*/serialNumber=xxx-xxx-xxx-xxx$ -> username in all mapfiles.

      The patch attached contains the changes for both issues.

      Cheers, Wolf "

2010-08-13  ludovic.rousseau

    * [r444] src/pam_pkcs11/pam_pkcs11.c: Do not use a variadic parameter
      for pam_prompt. It is not supported on FreeBSD.

2010-08-12  ludovic.rousseau

    * [r443] src/common/strndup.h, src/tools/pkcs11_setup.c: Add a new
      header file to define strndup if needed.
      pkcs11_setup.c: In function ‘scconf_replace_str_list’:
      pkcs11_setup.c:73: warning: implicit declaration of function ‘strndup’
      pkcs11_setup.c:73: warning: incompatible implicit declaration of built-in function ‘strndup’

    * [r441] src/pam_pkcs11/pam_config.c, src/tools/pkcs11_inspect.c,
      src/tools/pkcs11_listcerts.c, src/tools/pklogin_finder.c: Revert
      changeset 301 parsing arguments in pam_config.c but skip the first
      argument in command line tools.
      Thanks to halfline for the patch.
      Closes ticket #29
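The r445 entry above (Wolf Geldmacher's patch for #239 and #240) describes two things: a finder that reports through an out parameter whether it returned a real mapping rather than the key it was given, and mapfile keys that are treated as regular expressions when they are fully anchored with "^" and "$". The following is an added illustration written for this page, not code from pam_pkcs11's src/mappers/mapper.c; the function names (mapfile_lookup, find_user_from_subjects, subject_has_mapping), the map_entry struct and the sample mapfile contents are all hypothetical. It shows why the out parameter matters: the caller walks several certificate subjects and must not stop at the first one that merely comes back unchanged.

```c
/* Added example, not pam_pkcs11 code: a mapfile lookup in the style the
 * r445 entry describes. Fully anchored keys ("^...$") are regular
 * expressions, all other keys are literal matches. *matched is set to 1
 * only when a real mapping value is returned and is left untouched
 * otherwise, so the caller can tell a value from a returned key. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

struct map_entry { const char *key; const char *value; };

/* Constructed sample mapfile ("key -> value" lines) as a static table. */
static const struct map_entry SAMPLE_MAP[] = {
    { "/C=DE/O=Example/CN=Alice", "alice" },            /* literal key  */
    { "^.*/serialNumber=1234-5678$", "bob" },           /* pattern key  */
    { "^/C=DE/O=Example/OU=Ops/CN=.*$", "ops" },        /* pattern key  */
};
#define SAMPLE_MAP_LEN (sizeof SAMPLE_MAP / sizeof SAMPLE_MAP[0])

static int is_anchored_pattern(const char *key) {
    size_t n = strlen(key);
    return n >= 2 && key[0] == '^' && key[n - 1] == '$';
}

/* Returns the mapped value and sets *matched = 1 when a key matches;
 * otherwise returns the subject itself and leaves *matched unchanged
 * (callers initialise it to 0 before the call). */
const char *mapfile_lookup(const struct map_entry *map, size_t len,
                           const char *subject, int *matched) {
    for (size_t i = 0; i < len; i++) {
        if (is_anchored_pattern(map[i].key)) {
            regex_t re;
            if (regcomp(&re, map[i].key, REG_EXTENDED | REG_NOSUB) != 0)
                continue;               /* unparsable pattern: skip it */
            int rc = regexec(&re, subject, 0, NULL, 0);
            regfree(&re);
            if (rc == 0) { *matched = 1; return map[i].value; }
        } else if (strcmp(map[i].key, subject) == 0) {
            *matched = 1;
            return map[i].value;
        }
    }
    return subject;
}

/* Convenience wrapper: did the sample mapfile yield a real mapping? */
int subject_has_mapping(const char *subject) {
    int matched = 0;
    mapfile_lookup(SAMPLE_MAP, SAMPLE_MAP_LEN, subject, &matched);
    return matched;
}

/* Walk the subjects of every certificate on a token (as find_user does)
 * and stop at the first real mapping, not at the first unchanged key. */
const char *find_user_from_subjects(const char *const *subjects, size_t n) {
    for (size_t i = 0; i < n; i++) {
        int matched = 0;
        const char *user = mapfile_lookup(SAMPLE_MAP, SAMPLE_MAP_LEN,
                                          subjects[i], &matched);
        if (matched) return user;
    }
    return NULL;
}

int main(void) {
    const char *subjects[] = {
        "/C=DE/O=Example/CN=Unmapped",      /* first cert: no mapping   */
        "/C=DE/O=Example/OU=Ops/CN=Carol",  /* second cert: pattern hit */
    };
    const char *u = find_user_from_subjects(subjects, 2);
    printf("login as: %s\n", u ? u : "(none)");
    return 0;
}
```

With the pre-patch interface, the first subject would have come back as a plain string and the caller would have accepted it as the login name; with the flag, the walk continues to the second certificate and resolves "ops".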
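The r459 and r460 entries above fix get_http() in src/common/uri.c so that the request buffer is large enough for the formatted request and so that the code verifies the whole message actually went out. The block below is an added example written for this page, not pam_pkcs11's uri.c: it shows the two defensive patterns in isolation, measuring the request with a zero-length snprintf() before allocating, and looping on write(2) until every byte is accepted. The names build_http_request, send_all and roundtrip_check are hypothetical, and the self-check uses a pipe instead of a socket so it runs offline.

```c
/* Added example, not pam_pkcs11 code. Two checks an HTTP fetch helper
 * needs: an exactly sized request buffer and a send loop that handles
 * short writes. Names here are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Format "GET <path> HTTP/1.0\r\nHost: <host>\r\n\r\n" into a freshly
 * allocated buffer of exactly the needed size. The size comes from a
 * first snprintf() into a zero-length buffer, so long paths or host
 * names can never overrun it. Returns NULL on failure; caller frees. */
char *build_http_request(const char *host, const char *path) {
    const char *fmt = "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n";
    int need = snprintf(NULL, 0, fmt, path, host);
    if (need < 0) return NULL;
    char *req = malloc((size_t)need + 1);
    if (!req) return NULL;
    snprintf(req, (size_t)need + 1, fmt, path, host);
    return req;
}

/* write(2) may accept fewer bytes than asked for; keep going until the
 * whole buffer is out. Returns 0 on success, -1 on error. */
int send_all(int fd, const char *buf, size_t len) {
    size_t done = 0;
    while (done < len) {
        ssize_t n = write(fd, buf + done, len - done);
        if (n < 0) {
            if (errno == EINTR) continue;   /* interrupted: retry */
            return -1;
        }
        done += (size_t)n;
    }
    return 0;
}

/* Offline self-check: push the request through a pipe and read back
 * exactly what was sent. Returns 1 when the bytes match, 0 otherwise. */
int roundtrip_check(const char *host, const char *path) {
    int fds[2];
    if (pipe(fds) != 0) return 0;
    char *req = build_http_request(host, path);
    if (!req) { close(fds[0]); close(fds[1]); return 0; }
    size_t len = strlen(req);
    int ok = send_all(fds[1], req, len) == 0;
    close(fds[1]);
    char *got = malloc(len + 1);
    size_t total = 0;
    if (ok && got) {
        ssize_t n;
        while (total < len &&
               (n = read(fds[0], got + total, len - total)) > 0)
            total += (size_t)n;
        got[total] = '\0';
        ok = total == len && memcmp(req, got, len) == 0;
    } else {
        ok = 0;
    }
    close(fds[0]);
    free(got);
    free(req);
    return ok;
}

int main(void) {
    /* Constructed host and path; nothing is contacted on the network. */
    int ok = roundtrip_check("crl.example.test", "/ca.crl");
    printf("roundtrip %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The r458 fix (a missing return statement) is the same family of defect: a helper whose success path falls through leaves the caller with an undefined result, which is why every branch in send_all and build_http_request returns an explicit value.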