Hello community,

here is the log from the commit of package pam_p11 for openSUSE:Factory checked 
in at 2023-08-31 13:46:20
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pam_p11 (Old)
 and      /work/SRC/openSUSE:Factory/.pam_p11.new.1766 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pam_p11"

Thu Aug 31 13:46:20 2023 rev:27 rq:1108233 version:0.5.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/pam_p11/pam_p11.changes  2023-02-16 
16:56:50.378937506 +0100
+++ /work/SRC/openSUSE:Factory/.pam_p11.new.1766/pam_p11.changes        
2023-08-31 13:52:30.562787709 +0200
@@ -1,0 +2,13 @@
+Tue Aug 29 13:36:20 UTC 2023 - Otto Hollmann <otto.hollm...@suse.com>
+
+- Update to version 0.5.0
+  * Add support for tokens that only contain a certificate
+    (and no public key)
+  * Fixed never-ending loop if the PIN is locked
+
+- Update to version 0.4.0
+  * Add Russian translation
+  * Add support for building with LibreSSL
+  * Add support for building with OpenSSL 3.0 and later
+
+-------------------------------------------------------------------

Old:
----
  pam_p11-0.3.1.tar.gz

New:
----
  pam_p11-0.5.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pam_p11.spec ++++++
--- /var/tmp/diff_new_pack.RtewwR/_old  2023-08-31 13:52:31.678827599 +0200
+++ /var/tmp/diff_new_pack.RtewwR/_new  2023-08-31 13:52:31.682827742 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           pam_p11
-Version:        0.3.1
+Version:        0.5.0
 Release:        0
 Summary:        PAM Authentication Module for Using Cryptographic Tokens
 License:        LGPL-2.1-or-later

++++++ pam_p11-0.3.1.tar.gz -> pam_p11-0.5.0.tar.gz ++++++
++++ 5453 lines of diff (skipped)
++++    retrying with extended exclude list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/pam_p11-0.3.1/NEWS new/pam_p11-0.5.0/NEWS
--- old/pam_p11-0.3.1/NEWS      2019-09-11 22:36:09.000000000 +0200
+++ new/pam_p11-0.5.0/NEWS      2023-08-03 01:35:31.000000000 +0200
@@ -1,5 +1,14 @@
 NEWS for Pam_p11 -- History of user visible changes
 
+New in 0.5.0; 2023-08-03; Frank Morgner
+* Add support for tokens that only contain a certificate (and no public key)
+* Fixed never-ending loop if the PIN is locked
+
+New in 0.4.0; 2023-06-08; Frank Morgner
+* Add Russian translation
+* Add support for building with LibreSSL
+* Add support for building with OpenSSL 3.0 and later
+
 New in 0.3.1; 2019-09-11; Frank Morgner
 * CVE-2019-16058: Fixed buffer overflow when creating signatures longer than 
256 bytes
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/pam_p11-0.3.1/README.md new/pam_p11-0.5.0/README.md
--- old/pam_p11-0.3.1/README.md 2019-09-11 22:29:30.000000000 +0200
+++ new/pam_p11-0.5.0/README.md 2023-08-03 01:38:33.000000000 +0200
@@ -13,16 +13,16 @@
 
 Pam_p11 was written by an international team and is licensed as Open Source 
software under the LGPL license.
 
-[![Build 
Status](https://travis-ci.org/OpenSC/pam_p11.svg?branch=master)](https://travis-ci.org/OpenSC/pam_p11)
 [![Coverity Scan 
Status](https://scan.coverity.com/projects/15452/badge.svg)](https://scan.coverity.com/projects/opensc-pam_p11)
+[![GitHub CI 
Status](https://img.shields.io/github/actions/workflow/status/OpenSC/pam_p11/ci.yml?branch=master&label=Linux%2FmacOS&logo=github)](https://github.com/OpenSC/pam_p11/actions/workflows/ci.yml?branch=master)
 [![Coverity Scan CI 
Status](https://img.shields.io/coverity/scan/15452.svg?label=Coverity%20Scan)](https://scan.coverity.com/projects/15452)
 [![CodeQL CI 
Status](https://img.shields.io/github/actions/workflow/status/OpenSC/pam_p11/codeql.yml?branch=master&label=CodeQL&logo=github)](https://github.com/OpenSC/pam_p11/actions/workflows/codeql.yml?branch=master)
 
 ## Installing pam_p11
 
 Installation is quite easy:
 
 ```
-wget 
https://github.com/OpenSC/pam_p11/releases/download/pam_p11-0.1.6/pam_p11-0.1.6.tar.gz
-tar xfvz pam_p11-0.1.6.tar.gz
-cd pam_p11-0.1.6
+wget 
https://github.com/OpenSC/pam_p11/releases/download/pam_p11-0.5.0/pam_p11-0.5.0.tar.gz
+tar xfvz pam_p11-0.5.0.tar.gz
+cd pam_p11-0.5.0
 ./configure --prefix=/usr --libdir=/lib/
 make
 make install
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/pam_p11-0.3.1/compile new/pam_p11-0.5.0/compile
--- old/pam_p11-0.3.1/compile   2017-01-25 19:15:10.000000000 +0100
+++ new/pam_p11-0.5.0/compile   2020-02-05 15:31:03.000000000 +0100
@@ -1,9 +1,9 @@
 #! /bin/sh
 # Wrapper for compilers which do not understand '-c -o'.
 
-scriptversion=2012-10-14.11; # UTC
+scriptversion=2018-03-07.03; # UTC
 
-# Copyright (C) 1999-2014 Free Software Foundation, Inc.
+# Copyright (C) 1999-2018 Free Software Foundation, Inc.
 # Written by Tom Tromey <tro...@cygnus.com>.
 #
 # This program is free software; you can redistribute it and/or modify
@@ -17,7 +17,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -255,7 +255,8 @@
     echo "compile $scriptversion"
     exit $?
     ;;
-  cl | *[/\\]cl | cl.exe | *[/\\]cl.exe )
+  cl | *[/\\]cl | cl.exe | *[/\\]cl.exe | \
+  icl | *[/\\]icl | icl.exe | *[/\\]icl.exe )
     func_cl_wrapper "$@"      # Doesn't return...
     ;;
 esac
@@ -339,9 +340,9 @@
 # Local Variables:
 # mode: shell-script
 # sh-indentation: 2
-# eval: (add-hook 'write-file-hooks 'time-stamp)
+# eval: (add-hook 'before-save-hook 'time-stamp)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC"
+# time-stamp-time-zone: "UTC0"
 # time-stamp-end: "; # UTC"
 # End:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/pam_p11-0.3.1/config.h.in new/pam_p11-0.5.0/config.h.in
--- old/pam_p11-0.3.1/config.h.in       2019-09-11 22:36:22.000000000 +0200
+++ new/pam_p11-0.5.0/config.h.in       2023-08-03 01:39:01.000000000 +0200
@@ -25,15 +25,6 @@
 /* Define to 1 if you don't have `vprintf' but do have `_doprnt.' */
 #undef HAVE_DOPRNT
 
-/* Define to 1 if you have the `EVP_MD_CTX_free' function. */
-#undef HAVE_EVP_MD_CTX_FREE
-
-/* Define to 1 if you have the `EVP_MD_CTX_new' function. */
-#undef HAVE_EVP_MD_CTX_NEW
-
-/* Define to 1 if you have the `EVP_MD_CTX_reset' function. */
-#undef HAVE_EVP_MD_CTX_RESET
-
 /* Define to 1 if you have the <fcntl.h> header file. */
 #undef HAVE_FCNTL_H
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/pam_p11-0.3.1/configure.ac new/pam_p11-0.5.0/configure.ac
--- old/pam_p11-0.3.1/configure.ac      2019-09-11 22:30:15.000000000 +0200
+++ new/pam_p11-0.5.0/configure.ac      2023-08-03 01:37:50.000000000 +0200
@@ -1,8 +1,8 @@
 AC_PREREQ(2.60)
 
 define([PACKAGE_VERSION_MAJOR], [0])
-define([PACKAGE_VERSION_MINOR], [3])
-define([PACKAGE_VERSION_FIX], [1])
+define([PACKAGE_VERSION_MINOR], [5])
+define([PACKAGE_VERSION_FIX], [0])
 define([PACKAGE_SUFFIX], [])
 define([PRODUCT_BUGREPORT], [https://github.com/OpenSC/pam_p11/issues])
 
@@ -50,7 +50,7 @@
 AM_GNU_GETTEXT_VERSION(0.18.3)
 
 dnl Add the languages which your application supports here.
-ALL_LINGUAS="de it"
+ALL_LINGUAS="de it ru"
 
 dnl Checks for programs.
 AC_PROG_CPP
@@ -70,11 +70,11 @@
 PKG_CHECK_MODULES([LIBP11], [libp11 >= 0.2.4],, [AC_MSG_ERROR([libp11 is 
required])])
 PKG_CHECK_MODULES(
        [OPENSSL],
-       [libcrypto >= 0.9.7],
+       [libcrypto >= 1.1.1],
        ,
        [PKG_CHECK_MODULES(
                [OPENSSL],
-               [openssl >= 0.9.7],
+               [openssl >= 1.1.1],
                ,
                [AC_CHECK_LIB(
                        [crypto],
@@ -85,10 +85,10 @@
        )]
 )
 
-saved_LIBS="$LIBS"
-LIBS="$OPENSSL_LIBS $LIBS"
-AC_CHECK_FUNCS(EVP_MD_CTX_new EVP_MD_CTX_free EVP_MD_CTX_reset)
-LIBS="$saved_LIBS"
+#saved_LIBS="$LIBS"
+#LIBS="$OPENSSL_LIBS $LIBS"
+#AC_CHECK_FUNCS(EVP_MD_CTX_new EVP_MD_CTX_free EVP_MD_CTX_reset)
+#LIBS="$saved_LIBS"
 
 if test -z "${PAM_LIBS}"; then
        AC_ARG_VAR([PAM_CFLAGS], [C compiler flags for pam])
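Review bot: The four OpenSSL probe lines (`saved_LIBS=...` through `LIBS="$saved_LIBS"`) are commented out with `#` rather than deleted, which leaves dead configure code behind; plain `#` lines are also copied into the generated configure script, whereas `dnl` comments are not. Since the minimum is now libcrypto 1.1.1 and config.h.in no longer carries `HAVE_EVP_MD_CTX_NEW`, `HAVE_EVP_MD_CTX_FREE` and `HAVE_EVP_MD_CTX_RESET`, I would remove the lines outright. It is also worth grepping the C sources (not shown here) for leftover `HAVE_EVP_MD_CTX_*` conditionals, because they would now always take the fallback branch.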
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/pam_p11-0.3.1/m4/libtool.m4 new/pam_p11-0.5.0/m4/libtool.m4
--- old/pam_p11-0.3.1/m4/libtool.m4     2016-08-20 14:34:31.000000000 +0200
+++ new/pam_p11-0.5.0/m4/libtool.m4     2020-03-02 10:35:42.000000000 +0100
@@ -1041,8 +1041,8 @@
 _LT_EOF
       echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&AS_MESSAGE_LOG_FD
       $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&AS_MESSAGE_LOG_FD
-      echo "$AR cru libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD
-      $AR cru libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD
+      echo "$AR cr libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD
+      $AR cr libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD
       echo "$RANLIB libconftest.a" >&AS_MESSAGE_LOG_FD
       $RANLIB libconftest.a 2>&AS_MESSAGE_LOG_FD
       cat > conftest.c << _LT_EOF
@@ -1492,7 +1492,7 @@
 m4_defun([_LT_PROG_AR],
 [AC_CHECK_TOOLS(AR, [ar], false)
 : ${AR=ar}
-: ${AR_FLAGS=cru}
+: ${AR_FLAGS=cr}
 _LT_DECL([], [AR], [1], [The archiver])
 _LT_DECL([], [AR_FLAGS], [1], [Flags to create an archive])
 
@@ -4063,7 +4063,8 @@
   if AC_TRY_EVAL(ac_compile); then
     # Now try to grab the symbols.
     nlist=conftest.nm
-    if AC_TRY_EVAL(NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" 
\> $nlist) && test -s "$nlist"; then
+    $ECHO "$as_me:$LINENO: $NM conftest.$ac_objext | 
$lt_cv_sys_global_symbol_pipe > $nlist" >&AS_MESSAGE_LOG_FD
+    if eval "$NM" conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> 
$nlist 2>&AS_MESSAGE_LOG_FD && test -s "$nlist"; then
       # Try sorting and uniquifying the output.
       if sort "$nlist" | uniq > "$nlist"T; then
        mv -f "$nlist"T "$nlist"
@@ -4703,6 +4704,12 @@
        _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
        _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
         ;;
+      # flang / f18. f95 an alias for gfortran or flang on Debian
+      flang* | f18* | f95*)
+       _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+       _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+       _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+        ;;
       # icc used to be incompatible with GCC.
       # ICC 10 doesn't accept -KPIC any more.
       icc* | ifort*)
@@ -6438,7 +6445,7 @@
       # Commands to make compiler produce verbose output that lists
       # what "hidden" libraries, object files and flags are used when
       # linking a shared library.
-      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | 
$GREP -v "^Configured with:" | $GREP "\-L"'
+      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | 
$GREP -v "^Configured with:" | $GREP " \-L"'
 
     else
       GXX=no
@@ -6813,7 +6820,7 @@
             # explicitly linking system object files so we need to strip them
             # from the output so that they don't get included in the library
             # dependencies.
-            output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v 
conftest.$objext 2>&1) | $EGREP "\-L"`; list= ; for z in $templist; do case $z 
in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; 
done; func_echo_all "$list"'
+            output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v 
conftest.$objext 2>&1) | $EGREP " \-L"`; list= ; for z in $templist; do case $z 
in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; 
done; func_echo_all "$list"'
             ;;
           *)
             if test yes = "$GXX"; then
@@ -6878,7 +6885,7 @@
            # explicitly linking system object files so we need to strip them
            # from the output so that they don't get included in the library
            # dependencies.
-           output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v 
conftest.$objext 2>&1) | $GREP "\-L"`; list= ; for z in $templist; do case $z 
in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; 
done; func_echo_all "$list"'
+           output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v 
conftest.$objext 2>&1) | $GREP " \-L"`; list= ; for z in $templist; do case $z 
in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; 
done; func_echo_all "$list"'
            ;;
           *)
            if test yes = "$GXX"; then
@@ -7217,7 +7224,7 @@
              # Commands to make compiler produce verbose output that lists
              # what "hidden" libraries, object files and flags are used when
              # linking a shared library.
-             output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 
2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
+             output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 
2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
 
            else
              # FIXME: insert proper C++ library support
@@ -7301,7 +7308,7 @@
                # Commands to make compiler produce verbose output that lists
                # what "hidden" libraries, object files and flags are used when
                # linking a shared library.
-               output_verbose_link_cmd='$CC -shared $CFLAGS -v 
conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
+               output_verbose_link_cmd='$CC -shared $CFLAGS -v 
conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
              else
                # g++ 2.7 appears to require '-G' NOT '-shared' on this
                # platform.
@@ -7312,7 +7319,7 @@
                # Commands to make compiler produce verbose output that lists
                # what "hidden" libraries, object files and flags are used when
                # linking a shared library.
-               output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 
2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
+               output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 
2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
              fi
 
              _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-R $wl$libdir'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/pam_p11-0.3.1/missing new/pam_p11-0.5.0/missing
--- old/pam_p11-0.3.1/missing   2017-01-25 19:15:10.000000000 +0100
+++ new/pam_p11-0.5.0/missing   2020-02-05 15:31:03.000000000 +0100
@@ -1,9 +1,9 @@
 #! /bin/sh
 # Common wrapper for a few potentially missing GNU programs.
 
-scriptversion=2013-10-28.13; # UTC
+scriptversion=2018-03-07.03; # UTC
 
-# Copyright (C) 1996-2014 Free Software Foundation, Inc.
+# Copyright (C) 1996-2018 Free Software Foundation, Inc.
 # Originally written by Fran,cois Pinard <pin...@iro.umontreal.ca>, 1996.
 
 # This program is free software; you can redistribute it and/or modify
@@ -17,7 +17,7 @@
 # GNU General Public License for more details.
 
 # You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -101,9 +101,9 @@
   exit $st
 fi
 
-perl_URL=http://www.perl.org/
-flex_URL=http://flex.sourceforge.net/
-gnu_software_URL=http://www.gnu.org/software
+perl_URL=https://www.perl.org/
+flex_URL=https://github.com/westes/flex
+gnu_software_URL=https://www.gnu.org/software
 
 program_details ()
 {
@@ -207,9 +207,9 @@
 exit $st
 
 # Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
+# eval: (add-hook 'before-save-hook 'time-stamp)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC"
+# time-stamp-time-zone: "UTC0"
 # time-stamp-end: "; # UTC"
 # End:
Binary files old/pam_p11-0.3.1/po/de.gmo and new/pam_p11-0.5.0/po/de.gmo differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/pam_p11-0.3.1/po/de.po new/pam_p11-0.5.0/po/de.po
--- old/pam_p11-0.3.1/po/de.po  2019-09-11 22:42:23.000000000 +0200
+++ new/pam_p11-0.5.0/po/de.po  2023-08-03 01:43:58.000000000 +0200
@@ -7,7 +7,7 @@
 msgstr ""
 "Project-Id-Version: pam_p11 0.1.7_git\n"
 "Report-Msgid-Bugs-To: https://github.com/OpenSC/pam_p11/issues\n";
-"POT-Creation-Date: 2019-09-11 22:42+0200\n"
+"POT-Creation-Date: 2023-08-03 01:39+0200\n"
 "PO-Revision-Date: 2018-04-05 11:14+0200\n"
 "Last-Translator: Frank Morgner <frankmorg...@gmail.com>\n"
 "Language-Team: German\n"
@@ -17,98 +17,98 @@
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
 
-#: src/pam_p11.c:205
+#: src/pam_p11.c:194
 msgid "Error loading PKCS#11 module"
 msgstr "Fehler beim Laden des PKCS#11-Moduls"
 
-#: src/pam_p11.c:213 src/pam_p11.c:265
+#: src/pam_p11.c:202 src/pam_p11.c:254
 msgid "Error initializing PKCS#11 module"
 msgstr "Fehler beim Initialisieren des PKCS#11-Moduls"
 
-#: src/pam_p11.c:333
+#: src/pam_p11.c:322
 msgid " (last try)"
 msgstr " (letzter Versuch)"
 
-#: src/pam_p11.c:340
+#: src/pam_p11.c:329
 #, c-format
 msgid "Login on PIN pad with %s%s"
 msgstr "Login auf dem PIN-Pad mit %s%s"
 
-#: src/pam_p11.c:346
+#: src/pam_p11.c:335
 #, c-format
 msgid "Login with %s%s: "
 msgstr "Login mit %s%s: "
 
-#: src/pam_p11.c:370
+#: src/pam_p11.c:359
 msgid "Invalid PIN"
 msgstr ""
 
-#: src/pam_p11.c:378
+#: src/pam_p11.c:367
 msgid "PIN not verified; PIN locked"
 msgstr "PIN nicht verifiziert; PIN gesperrt"
 
-#: src/pam_p11.c:380
+#: src/pam_p11.c:369
 msgid "PIN not verified; one try remaining"
 msgstr "PIN nicht verifiziert; ein Versuch verbleibend"
 
-#: src/pam_p11.c:382
+#: src/pam_p11.c:371
 msgid "PIN not verified"
 msgstr "PIN nicht verifiziert"
 
-#: src/pam_p11.c:424
+#: src/pam_p11.c:413
 #, c-format
 msgid "Change PIN with PUK on PIN pad for %s"
 msgstr "Ändere PIN mit PUK auf dem PIN-Pad für %s"
 
-#: src/pam_p11.c:428
+#: src/pam_p11.c:417
 #, c-format
 msgid "Change PIN on PIN pad for %s"
 msgstr "Ändere PIN auf dem PIN-Pad für %s"
 
-#: src/pam_p11.c:435
+#: src/pam_p11.c:424
 #, c-format
 msgid "PUK for %s: "
 msgstr "PUK für %s: "
 
-#: src/pam_p11.c:446
+#: src/pam_p11.c:435
 msgid "Current PIN: "
 msgstr "Aktuelle PIN: "
 
-#: src/pam_p11.c:464
+#: src/pam_p11.c:453
 msgid "Enter new PIN: "
 msgstr "Neue PIN eingeben: "
 
-#: src/pam_p11.c:467
+#: src/pam_p11.c:456
 msgid "Retype new PIN: "
 msgstr "Neue PIN wiederholen: "
 
-#: src/pam_p11.c:471
+#: src/pam_p11.c:460
 msgid "PINs don't match"
 msgstr "PINs verschieden"
 
-#: src/pam_p11.c:478
+#: src/pam_p11.c:467
 #, fuzzy
 msgid "PIN not changed; PIN locked"
 msgstr "PIN nicht verifiziert; PIN gesperrt"
 
-#: src/pam_p11.c:480
+#: src/pam_p11.c:469
 #, fuzzy
 msgid "PIN not changed; one try remaining"
 msgstr "PIN nicht verifiziert; ein Versuch verbleibend"
 
-#: src/pam_p11.c:482
+#: src/pam_p11.c:471
 #, fuzzy
 msgid "PIN not changed"
 msgstr "PIN nicht verifiziert"
 
-#: src/pam_p11.c:610
+#: src/pam_p11.c:596
 msgid "No token found"
 msgstr "Kein Token gefunden"
 
-#: src/pam_p11.c:612
-msgid "No authorized keys on token"
-msgstr "Keine autorisierten Schlüssel auf dem Token"
+#: src/pam_p11.c:599
+msgid "Could not find authorized keys on any of the tokens."
+msgstr "Auf keinem der Token konnten autorisierte Schlüssel gefunden werden."
 
-#: src/pam_p11.c:674
+#: src/pam_p11.c:660
 msgid "Error verifying key"
 msgstr "Fehler beim Verifizieren des Schlüssels"
Binary files old/pam_p11-0.3.1/po/it.gmo and new/pam_p11-0.5.0/po/it.gmo differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/pam_p11-0.3.1/po/it.po new/pam_p11-0.5.0/po/it.po
--- old/pam_p11-0.3.1/po/it.po  2019-09-11 22:42:23.000000000 +0200
+++ new/pam_p11-0.5.0/po/it.po  2023-08-03 01:43:58.000000000 +0200
@@ -7,7 +7,7 @@
 msgstr ""
 "Project-Id-Version: pam-p11\n"
 "Report-Msgid-Bugs-To: https://github.com/OpenSC/pam_p11/issues\n";
-"POT-Creation-Date: 2019-09-11 22:42+0200\n"
+"POT-Creation-Date: 2023-08-03 01:39+0200\n"
 "PO-Revision-Date: 2019-02-28 14:03+0000\n"
 "Last-Translator: Milo Casagrande <m...@milo.name>\n"
 "Language-Team: Italian <t...@lists.linux.it>\n"
@@ -16,95 +16,95 @@
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 
-#: src/pam_p11.c:205
+#: src/pam_p11.c:194
 msgid "Error loading PKCS#11 module"
 msgstr "Errore nel caricare il modulo PKCS#11"
 
-#: src/pam_p11.c:213 src/pam_p11.c:265
+#: src/pam_p11.c:202 src/pam_p11.c:254
 msgid "Error initializing PKCS#11 module"
 msgstr "Errore nell'inizializzare il modulo PKCS#11"
 
-#: src/pam_p11.c:333
+#: src/pam_p11.c:322
 msgid " (last try)"
 msgstr " (ultimo tentativo)"
 
-#: src/pam_p11.c:340
+#: src/pam_p11.c:329
 #, c-format
 msgid "Login on PIN pad with %s%s"
 msgstr "Accesso su dispositivo inserimento PIN con %s%s"
 
-#: src/pam_p11.c:346
+#: src/pam_p11.c:335
 #, c-format
 msgid "Login with %s%s: "
 msgstr "Accesso con %s%s: "
 
-#: src/pam_p11.c:370
+#: src/pam_p11.c:359
 msgid "Invalid PIN"
 msgstr ""
 
-#: src/pam_p11.c:378
+#: src/pam_p11.c:367
 msgid "PIN not verified; PIN locked"
 msgstr "PIN non verificato; PIN bloccato"
 
-#: src/pam_p11.c:380
+#: src/pam_p11.c:369
 msgid "PIN not verified; one try remaining"
 msgstr "PIN non verificato; un tentativo rimasto"
 
-#: src/pam_p11.c:382
+#: src/pam_p11.c:371
 msgid "PIN not verified"
 msgstr "PIN non verificato"
 
-#: src/pam_p11.c:424
+#: src/pam_p11.c:413
 #, c-format
 msgid "Change PIN with PUK on PIN pad for %s"
 msgstr "Modifica del PIN con PUK su dispositivo inserimento PIN per %s"
 
-#: src/pam_p11.c:428
+#: src/pam_p11.c:417
 #, c-format
 msgid "Change PIN on PIN pad for %s"
 msgstr "Modifica del PIN su dispositivo inserimento PIN per %s"
 
-#: src/pam_p11.c:435
+#: src/pam_p11.c:424
 #, c-format
 msgid "PUK for %s: "
 msgstr "PUK per %s: "
 
-#: src/pam_p11.c:446
+#: src/pam_p11.c:435
 msgid "Current PIN: "
 msgstr "PIN attuale: "
 
-#: src/pam_p11.c:464
+#: src/pam_p11.c:453
 msgid "Enter new PIN: "
 msgstr "Inserire nuovo PIN: "
 
-#: src/pam_p11.c:467
+#: src/pam_p11.c:456
 msgid "Retype new PIN: "
 msgstr "Ripetere nuovo PIN: "
 
-#: src/pam_p11.c:471
+#: src/pam_p11.c:460
 msgid "PINs don't match"
 msgstr "I PIN non sono uguali"
 
-#: src/pam_p11.c:478
+#: src/pam_p11.c:467
 msgid "PIN not changed; PIN locked"
 msgstr "PIN non modificato; PIN bloccato"
 
-#: src/pam_p11.c:480
+#: src/pam_p11.c:469
 msgid "PIN not changed; one try remaining"
 msgstr "PIN non modificato; un tentativo rimasto"
 
-#: src/pam_p11.c:482
+#: src/pam_p11.c:471
 msgid "PIN not changed"
 msgstr "PIN non modificato"
 
-#: src/pam_p11.c:610
+#: src/pam_p11.c:596
 msgid "No token found"
 msgstr "Nessun token trovato"
 
-#: src/pam_p11.c:612
-msgid "No authorized keys on token"
-msgstr "Nessuna chiave autorizzata sul token"
+#: src/pam_p11.c:599
+msgid "Could not find authorized keys on any of the tokens."
+msgstr "Impossibile trovare chiavi autorizzate su nessuno dei token."
 
-#: src/pam_p11.c:674
+#: src/pam_p11.c:660
 msgid "Error verifying key"
 msgstr "Errore nel verificare la chiave"
Binary files old/pam_p11-0.3.1/po/ru.gmo and new/pam_p11-0.5.0/po/ru.gmo differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/pam_p11-0.3.1/po/ru.po new/pam_p11-0.5.0/po/ru.po
--- old/pam_p11-0.3.1/po/ru.po  1970-01-01 01:00:00.000000000 +0100
+++ new/pam_p11-0.5.0/po/ru.po  2023-08-03 23:15:52.000000000 +0200
@@ -0,0 +1,104 @@
+msgid ""
+msgstr ""
+"Project-Id-Version: pam_p11 0.5.0\n"
+"Report-Msgid-Bugs-To: https://github.com/OpenSC/pam_p11/issues\n";
+"POT-Creation-Date: 2023-08-03 01:39+0200\n"
+"Last-Translator: Mikhail Novosyolov <m.novosyo...@rosalinux.ru\n"
+"Language: ru\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: src/pam_p11.c:194
+msgid "Error loading PKCS#11 module"
+msgstr "Ошибка при загрузке модуля PKCS#11"
+
+#: src/pam_p11.c:202 src/pam_p11.c:254
+msgid "Error initializing PKCS#11 module"
+msgstr "Ошибка при инициализации модуля PKCS#11"
+
+#: src/pam_p11.c:322
+msgid " (last try)"
+msgstr " (последняя попытка)"
+
+#: src/pam_p11.c:329
+#, c-format
+msgid "Login on PIN pad with %s%s"
+msgstr "Войдите на панели ввода с %s%s"
+
+#: src/pam_p11.c:335
+#, c-format
+msgid "Login with %s%s: "
+msgstr "Вход с %s%s: "
+
+#: src/pam_p11.c:359
+msgid "Invalid PIN"
+msgstr "Неправильный PIN"
+
+#: src/pam_p11.c:367
+msgid "PIN not verified; PIN locked"
+msgstr "PIN не прошел проверку; PIN заблокирован"
+
+#: src/pam_p11.c:369
+msgid "PIN not verified; one try remaining"
+msgstr "PIN не прошел проверку; осталась одна 
попытка"
+
+#: src/pam_p11.c:371
+msgid "PIN not verified"
+msgstr "PIN не прошел проверку"
+
+#: src/pam_p11.c:413
+#, c-format
+msgid "Change PIN with PUK on PIN pad for %s"
+msgstr "Замените PIN вводом PUK-кода на панели 
ввода %s"
+
+#: src/pam_p11.c:417
+#, c-format
+msgid "Change PIN on PIN pad for %s"
+msgstr "Замените PIN на панели ввода %s"
+
+#: src/pam_p11.c:424
+#, c-format
+msgid "PUK for %s: "
+msgstr "PUK для %s: "
+
+#: src/pam_p11.c:435
+msgid "Current PIN: "
+msgstr "Текущий PIN: "
+
+#: src/pam_p11.c:453
+msgid "Enter new PIN: "
+msgstr "Введите новый PIN: "
+
+#: src/pam_p11.c:456
+msgid "Retype new PIN: "
+msgstr "Еще раз введите новый PIN: "
+
+#: src/pam_p11.c:460
+msgid "PINs don't match"
+msgstr "PIN-коды не совпадают"
+
+#: src/pam_p11.c:467
+msgid "PIN not changed; PIN locked"
+msgstr "PIN не заменен; PIN заблокирован"
+
+#: src/pam_p11.c:469
+msgid "PIN not changed; one try remaining"
+msgstr "PIN не заменен; осталась одна попытка"
+
+#: src/pam_p11.c:471
+msgid "PIN not changed"
+msgstr "PIN не заменен"
+
+#: src/pam_p11.c:596
+msgid "No token found"
+msgstr "Не найден ни один токен"
+
+#: src/pam_p11.c:599
+#, fuzzy
+msgid "Could not find authorized keys on any of the tokens."
+msgstr "Не удалось найти авторизованные ключи 
ни на одном из токенов."
+
+#: src/pam_p11.c:660
+msgid "Error verifying key"
+msgstr "Ошибка при проверке ключа"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/pam_p11-0.3.1/src/base64.c new/pam_p11-0.5.0/src/base64.c
--- old/pam_p11-0.3.1/src/base64.c      2019-08-12 23:28:30.000000000 +0200
+++ new/pam_p11-0.5.0/src/base64.c      2023-08-03 16:07:36.000000000 +0200
@@ -50,7 +50,7 @@
                unsigned char b;
                int k = *in;
 
-               if (k < 0 || k >= (int)sizeof(bin_table))
+               if (k < 0)
                        return -1;
                if (k == 0 && c == 0)
                        return 0;
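Review bot: Reducing the guard to `if (k < 0)` leaves the lookup index unchecked on targets where plain `char` is unsigned (for example aarch64, ppc64le, s390x): `int k = *in;` can then be 128..255 and `k < 0` never fires. The table lookup and the size of `bin_table` are outside this hunk, so this needs confirming, but the removed `k >= (int)sizeof(bin_table)` test was the only visible bound on an index derived from the input passed to `sc_base64_decode`. I would keep the bound and make the signedness explicit, e.g. `unsigned char k = (unsigned char)*in;` followed by `if (k >= sizeof(bin_table)) return -1;`. The enclosing function starts and ends outside the hunk.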
@@ -75,8 +75,8 @@
 
 int sc_base64_decode(const char *in, unsigned char *out, size_t outlen)
 {
-       int len = 0, r, skip;
-       unsigned int i;
+       int len = 0, r = 0, skip = 0;
+       unsigned int i = 0;
 
        while ((r = from_base64(in, &i, &skip)) > 0) {
                int finished = 0, s = 16;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/pam_p11-0.3.1/src/match_opensc.c new/pam_p11-0.5.0/src/match_opensc.c
--- old/pam_p11-0.3.1/src/match_opensc.c        2019-04-17 01:28:53.000000000 
+0200
+++ new/pam_p11-0.5.0/src/match_opensc.c        2023-05-17 14:30:54.000000000 
+0200
@@ -48,9 +48,15 @@
                if (key == NULL)
                        continue;
 
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
                if (1 == EVP_PKEY_cmp(authkey, key)) {
                        found = 1;
                }
+#else
+               if (1 == EVP_PKEY_eq(authkey, key)) {
+                       found = 1;
+               }
+#endif
                EVP_PKEY_free(key);
        } while (found == 0);
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/pam_p11-0.3.1/src/match_openssh.c new/pam_p11-0.5.0/src/match_openssh.c
--- old/pam_p11-0.3.1/src/match_openssh.c       2019-04-17 01:28:53.000000000 
+0200
+++ new/pam_p11-0.5.0/src/match_openssh.c       2023-06-08 17:05:53.000000000 
+0200
@@ -6,6 +6,11 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <openssl/opensslv.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/param_build.h>
+#include <openssl/core_names.h>
+#endif
 #include <openssl/evp.h>
 #include <openssl/bn.h>
 #include <openssl/x509.h>
@@ -17,7 +22,8 @@
 
 #define OPENSSH_LINE_MAX 16384 /* from openssh SSH_MAX_PUBKEY_BYTES */
 
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined (LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
+    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3000000L)
 void RSA_get0_key(const RSA *r,
                  const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
 {
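Review bot: The LibreSSL bound `0x3000000L` in the new `#if` has seven hex digits, one fewer than the `0x30000000L` used for the OpenSSL check added to the includes of this file, so it evaluates to 0x03000000. LibreSSL version numbers are, as far as I know, 0x20000000 or above, which would make `LIBRESSL_VERSION_NUMBER < 0x3000000L` always false and leave the `RSA_get0_key` compat shims undefined for every LibreSSL build. If the intent is "only LibreSSL releases that lack these accessors", state the real cut-off, e.g. `LIBRESSL_VERSION_NUMBER < 0x2070000fL` if 2.7.0 is the first release that ships them (to be confirmed), and add a comment naming that release. The guarded block continues outside the hunk.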
@@ -57,21 +63,133 @@
 
 #endif
 
-static EVP_PKEY *ssh1_line_to_key(char *line)
+static EVP_PKEY *init_evp_pkey_rsa(BIGNUM *rsa_n, BIGNUM *rsa_e)
 {
-       EVP_PKEY *key;
-       RSA *rsa;
-       char *b, *e, *m, *c;
-       BIGNUM *rsa_e, *rsa_n;
+       EVP_PKEY *key = NULL;
 
+       if (!rsa_e || !rsa_n)
+               return NULL;
+
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
        key = EVP_PKEY_new();
        if (!key)
                return NULL;
 
-       rsa = RSA_new();
+       RSA *rsa = RSA_new();
+       if (!rsa) {
+               EVP_PKEY_free(key);
+               return NULL;
+       }
 
-       if (!rsa)
-               goto err;
+       /* set e and n */
+       if (!RSA_set0_key(rsa, rsa_n, rsa_e, NULL)) {
+               RSA_free(rsa);
+               EVP_PKEY_free(key);
+               return NULL;
+       }
+
+       EVP_PKEY_assign_RSA(key, rsa);
+#else
+       OSSL_PARAM_BLD *bld = NULL;
+       OSSL_PARAM *params = NULL;
+       EVP_PKEY_CTX *pctx = NULL;
+
+       if ((pctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL
+                       || (bld = OSSL_PARAM_BLD_new()) == NULL
+                       || !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_N, 
rsa_n)
+                       || !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_E, 
rsa_e)
+                       || (params = OSSL_PARAM_BLD_to_param(bld)) == NULL
+                       || EVP_PKEY_fromdata_init(pctx) <= 0
+                       || EVP_PKEY_fromdata(pctx, &key, EVP_PKEY_PUBLIC_KEY, 
params) <= 0) {
+               EVP_PKEY_CTX_free(pctx);
+               OSSL_PARAM_free(params);
+               OSSL_PARAM_BLD_free(bld);
+               return NULL;
+       }
+#endif
+
+       return key;
+}
+
+static EVP_PKEY *init_evp_pkey_ec(int nid_curve, const unsigned char *buf, 
size_t len)
+{
+       EVP_PKEY *key = NULL;
+
+#if defined(LIBRESSL_VERSION_NUMBER)
+       BIGNUM *x = NULL;
+       BIGNUM *y = NULL;
+       EC_KEY *ec_key = NULL;
+
+       if ((key = EVP_PKEY_new()) == NULL
+                       || (x = BN_bin2bn(buf + 1, len >> 1, NULL)) == NULL
+                       || (y = BN_bin2bn(buf + 1 + (len >> 1), len >> 1, 
NULL)) == NULL
+                       || ((ec_key = EC_KEY_new_by_curve_name(nid_curve)) == 
NULL
+                       || (1 != 
EC_KEY_set_public_key_affine_coordinates(ec_key, x, y))
+                       || (1 != EVP_PKEY_assign_EC_KEY(key, ec_key)))) {
+               EVP_PKEY_free(key);
+               BN_free(x);
+               BN_free(y);
+               EC_KEY_free(ec_key);
+               EVP_PKEY_free(key);
+               return NULL;
+       }
+#else
+
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+       BN_CTX *ctx = NULL;
+       EC_KEY *ec_key = NULL;
+
+       if ((key = EVP_PKEY_new()) == NULL
+                       || (ctx = BN_CTX_new()) == NULL
+                       || (ec_key = EC_KEY_new_by_curve_name(nid_curve)) == 
NULL
+                       || (1 != EC_KEY_oct2key(ec_key, buf, len, ctx))
+                       || (1 != EVP_PKEY_assign_EC_KEY(key, ec_key))) {
+               EC_KEY_free(ec_key);
+               BN_CTX_free(ctx);
+               EVP_PKEY_free(key);
+               return NULL;
+       }
+#else
+       OSSL_PARAM_BLD *bld = NULL;
+       OSSL_PARAM *params = NULL;
+       EVP_PKEY_CTX *pctx = NULL;
+       char *group_name;
+       switch (nid_curve) {
+               case NID_X9_62_prime256v1:
+                       group_name = SN_X9_62_prime256v1;
+                       break;
+               case NID_secp384r1:
+                       group_name = SN_secp384r1;
+                       break;
+               case NID_secp521r1:
+                       group_name = SN_secp521r1;
+                       break;
+               default:
+                       return NULL;
+       }
+
+       if ((pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) == NULL
+                       || (bld = OSSL_PARAM_BLD_new()) == NULL
+                       || !OSSL_PARAM_BLD_push_utf8_string(bld, 
OSSL_PKEY_PARAM_GROUP_NAME, group_name, 0)
+                       || !OSSL_PARAM_BLD_push_octet_string(bld, 
OSSL_PKEY_PARAM_PUB_KEY, buf, len)
+                       || (params = OSSL_PARAM_BLD_to_param(bld)) == NULL
+                       || EVP_PKEY_fromdata_init(pctx) <= 0
+                       || EVP_PKEY_fromdata(pctx, &key, EVP_PKEY_PUBLIC_KEY, 
params) <= 0) {
+               EVP_PKEY_CTX_free(pctx);
+               OSSL_PARAM_free(params);
+               OSSL_PARAM_BLD_free(bld);
+               return NULL;
+       }
+#endif
+#endif
+       return key;
+}
+
+static EVP_PKEY *ssh1_line_to_key(char *line)
+{
+       EVP_PKEY *key = NULL;
+       char *b, *e, *m, *c;
+       BIGNUM *rsa_e = NULL, *rsa_n = NULL;
 
        /* first digitstring: the bits */
        b = line;
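Review bot: The LibreSSL error path in `init_evp_pkey_ec` calls `EVP_PKEY_free(key)` twice, once before the `BN_free` calls and once after `EC_KEY_free(ec_key)`, which is a double free whenever `key` was allocated and a later step fails; delete the second call. The success paths also leak, because the helper objects are released only inside the failure `if`: `pctx`, `params` and `bld` in both OpenSSL 3.0 branches, `ctx` in the pre-3.0 EC branch, and `x`/`y` in the LibreSSL branch. Releasing them after the `if`, on both outcomes, fixes this, as sketched below for the RSA case; `ec_key` must stay out of that common cleanup, since `key` owns it after a successful assign. `group_name` only ever receives string literals and should be declared `const char *group_name`. `ssh1_line_to_key` continues outside the hunk.

```c
	/* OpenSSL >= 3.0 branch of init_evp_pkey_rsa */
	if ((pctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL
			/* … unchanged: builder, push_BN, to_param, fromdata_init … */
			|| EVP_PKEY_fromdata(pctx, &key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
		EVP_PKEY_free(key);
		key = NULL;
	}
	/* helpers are never owned by key: release them on success and on failure */
	EVP_PKEY_CTX_free(pctx);
	OSSL_PARAM_free(params);
	OSSL_PARAM_BLD_free(bld);
```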
@@ -82,7 +200,7 @@
 
        /* must be a whitespace */
        if (*e != ' ' && *e != '\t')
-               return NULL;
+               goto err;
 
        /* cut the string in two part */
        *e = 0;
@@ -98,7 +216,7 @@
 
        /* must be a whitespace */
        if (*m != ' ' && *m != '\t')
-               return NULL;
+               goto err;
 
        /* cut the string in two part */
        *m = 0;
@@ -113,7 +231,7 @@
 
        /* could be a whitespace or end of line */
        if (*c != ' ' && *c != '\t' && *c != '\n' && *c != '\r' && *c != 0)
-               return NULL;
+               goto err;
 
        if (*c == ' ' || *c == '\t') {
                *c = 0;
@@ -139,24 +257,26 @@
 
        BN_dec2bn(&rsa_e, e);
        BN_dec2bn(&rsa_n, m);
-       if (!RSA_set0_key(rsa, rsa_n, rsa_e, NULL))
-               goto err;
 
-       EVP_PKEY_assign_RSA(key, rsa);
-       return key;
+       key = init_evp_pkey_rsa(rsa_n, rsa_e);
 
-      err:
-       EVP_PKEY_free(key);
-       return NULL;
+err:
+       if (!key) {
+               if (rsa_n)
+                       BN_free(rsa_n);
+               if (rsa_e)
+                       BN_free(rsa_e);
+       }
+
+       return key;
 }
 
 extern int sc_base64_decode(const char *in, unsigned char *out, size_t outlen);
 
 static EVP_PKEY *ssh2_line_to_key(char *line)
 {
-       EVP_PKEY *key;
-       RSA *rsa;
-       BIGNUM *rsa_e, *rsa_n;
+       EVP_PKEY *key = NULL;
+       BIGNUM *rsa_e = NULL, *rsa_n = NULL;
        unsigned char decoded[OPENSSH_LINE_MAX];
        int len;
 
@@ -167,7 +287,7 @@
        b = line;
 
        if (!b)
-               return NULL;
+               goto err;
 
        /* find the first whitespace */
        while (*b && *b != ' ')
@@ -184,7 +304,7 @@
 
        /* decode binary data */
        if (sc_base64_decode(b, decoded, OPENSSH_LINE_MAX) < 0)
-               return NULL;
+               goto err;
 
        i = 0;
 
@@ -196,13 +316,13 @@
 
        /* now: key_from_blob */
        if (strncmp((char *)&decoded[i], "ssh-rsa", 7) != 0)
-               return NULL;
+               goto err;
 
        i += len;
 
        /* to prevent access beyond 'decoded' array, index 'i' must be always 
checked */
        if ( i + 4 > OPENSSH_LINE_MAX )
-               return NULL;
+               goto err;
        /* get integer from blob */
        len =
            (decoded[i] << 24) + (decoded[i + 1] << 16) +
@@ -210,13 +330,13 @@
        i += 4;
 
        if ( i + len > OPENSSH_LINE_MAX )
-               return NULL;
+               goto err;
        /* get bignum */
        rsa_e = BN_bin2bn(decoded + i, len, NULL);
        i += len;
 
        if ( i + 4 > OPENSSH_LINE_MAX )
-               return NULL;
+               goto err;
        /* get integer from blob */
        len =
            (decoded[i] << 24) + (decoded[i + 1] << 16) +
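Review bot: The bounds checks `i + 4 > OPENSSH_LINE_MAX` and `i + len > OPENSSH_LINE_MAX` do not reject a negative `len`. `len` is an `int` assembled from four bytes of the decoded blob, so a first byte of 0x80 or above makes `decoded[i] << 24` overflow and `len` can come out negative, pass the check, and reach `BN_bin2bn` and `i += len`. Adding a sign test to each length check closes that, e.g. `if (len < 0 || i + len > OPENSSH_LINE_MAX) goto err;`; the same applies to the hunks at `@@ -196,13 +316,13 @@` and `@@ -224,31 +344,25 @@`. The limit is also the buffer size rather than the number of bytes `sc_base64_decode` produced (its return value is only tested for `< 0` in the hunk at `@@ -184,7 +304,7 @@`), so bytes past the decoded data can still be parsed. The declaration of `i` and the rest of `ssh2_line_to_key` are outside these hunks.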
@@ -224,31 +344,25 @@
        i += 4;
 
        if ( i + len > OPENSSH_LINE_MAX )
-               return NULL;
+               goto err;
        /* get bignum */
        rsa_n = BN_bin2bn(decoded + i, len, NULL);
 
-       key = EVP_PKEY_new();
-       rsa = RSA_new();
+       key = init_evp_pkey_rsa(rsa_n, rsa_e);
 
-       /* set e and n */
-       if (!RSA_set0_key(rsa, rsa_n, rsa_e, NULL)) {
-               EVP_PKEY_free(key);
-               RSA_free(rsa);
-               return NULL;
+err:
+       if (!key) {
+               if (rsa_n)
+                       BN_free(rsa_n);
+               if (rsa_e)
+                       BN_free(rsa_e);
        }
 
-       EVP_PKEY_assign_RSA(key, rsa);
        return key;
 }
 
 static EVP_PKEY *ssh_nistp_line_to_key(char *line)
 {
-       EVP_PKEY *key;
-       EC_KEY *ec_key;
-       BIGNUM *x;
-       BIGNUM *y;
-
        unsigned char decoded[OPENSSH_LINE_MAX];
        int len;
        int flen;
@@ -332,27 +446,8 @@
        /* check uncompressed indicator */
        if (decoded[i] != 4 )
                return NULL;
-       i++;
-
-       /* create key */
-       ec_key = EC_KEY_new_by_curve_name(nid);
 
-       /* read point coordinates */
-       x = BN_bin2bn(decoded + i, flen, NULL);
-       i += flen;
-       y = BN_bin2bn(decoded + i, flen, NULL);
-
-       /* do error checking here: valid x, y, ec_key, point on curve.. */
-       if (!EC_KEY_set_public_key_affine_coordinates(ec_key, x, y)) {
-               EC_KEY_free(ec_key);
-               BN_free(x);
-               BN_free(y);
-               return NULL;
-       }
-
-       key = EVP_PKEY_new();
-       EVP_PKEY_assign_EC_KEY(key, ec_key);
-       return key;
+       return init_evp_pkey_ec(nid, decoded + i, len);
 }
 
 extern int match_user_openssh(EVP_PKEY *authkey, const char *login)
@@ -400,9 +495,15 @@
                if (key == NULL)
                        continue;
 
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
                if (1 == EVP_PKEY_cmp(authkey, key)) {
                        found = 1;
                }
+#else
+               if (1 == EVP_PKEY_eq(authkey, key)) {
+                       found = 1;
+               }
+#endif
                EVP_PKEY_free(key);
        } while (found == 0);
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/pam_p11-0.3.1/src/pam_p11.c new/pam_p11-0.5.0/src/pam_p11.c
--- old/pam_p11-0.3.1/src/pam_p11.c     2019-09-08 21:20:21.000000000 +0200
+++ new/pam_p11-0.5.0/src/pam_p11.c     2023-08-03 01:23:19.000000000 +0200
@@ -33,17 +33,6 @@
 #include <regex.h>
 #include <stdlib.h>
 
-/* openssl deprecated API emulation */
-#ifndef HAVE_EVP_MD_CTX_NEW
-#define EVP_MD_CTX_new()       EVP_MD_CTX_create()
-#endif
-#ifndef HAVE_EVP_MD_CTX_FREE
-#define EVP_MD_CTX_free(ctx)   EVP_MD_CTX_destroy((ctx))
-#endif
-#ifndef HAVE_EVP_MD_CTX_RESET
-#define EVP_MD_CTX_reset(ctx)  EVP_MD_CTX_cleanup((ctx))
-#endif
-
 #ifdef ENABLE_NLS
 #include <libintl.h>
 #include <locale.h>
@@ -507,7 +496,8 @@
 
 static int key_find(pam_handle_t *pamh, int flags, const char *user,
                PKCS11_CTX *ctx, PKCS11_SLOT *slots, unsigned int nslots,
-               PKCS11_SLOT **authslot, PKCS11_KEY **authkey)
+               PKCS11_SLOT **authslot, PKCS11_KEY **authkey,
+               EVP_PKEY **authpubkey, PKCS11_CERT **authcert)
 {
        int token_found = 0;
 
@@ -517,6 +507,7 @@
 
        *authkey = NULL;
        *authslot = NULL;
+       *authcert = NULL;
 
        /* search all valuable slots for a key that is authorized by the user */
        while (0 < nslots) {
@@ -532,6 +523,14 @@
                        break;
                }
                token_found = 1;
+               /* Update "slots" pointer: PKCS11 slots are implemented as 
array,
+                * so starting to look at slot + 1 and decrementing nslots 
accordingly
+                * will search the rest of slots. */
+               nslots -= (slot + 1 - slots);
+               slots = slot + 1;
+
+               if (slot->token->initialized == 0)
+                       continue;
 
                if (slot->token->loginRequired && slot->token->userPinLocked) {
                        pam_syslog(pamh, LOG_DEBUG, "%s: PIN locked",
@@ -551,10 +550,8 @@
                                if (1 != r) {
                                        r = match_user_openssh(pubkey, user);
                                }
-                               if (NULL != pubkey) {
-                                       EVP_PKEY_free(pubkey);
-                               }
                                if (1 == r) {
+                                       *authpubkey = pubkey;
                                        *authkey = keys;
                                        *authslot = slot;
                                        pam_syslog(pamh, LOG_DEBUG, "Found %s",
@@ -577,14 +574,9 @@
                                if (1 != r) {
                                        r = match_user_openssh(pubkey, user);
                                }
-                               if (NULL != pubkey) {
-                                       EVP_PKEY_free(pubkey);
-                               }
                                if (1 == r) {
-                                       *authkey = PKCS11_find_key(certs);
-                                       if (NULL == *authkey) {
-                                               continue;
-                                       }
+                                       *authpubkey = pubkey;
+                                       *authcert = certs;
                                        *authslot = slot;
                                        pam_syslog(pamh, LOG_DEBUG, "Found %s",
                                                        certs->label);
@@ -596,20 +588,15 @@
                                count--;
                        }
                }
-
-               /* Try the next possible slot: PKCS11 slots are implemented as 
array,
-                * so starting to look at slot++ and decrementing nslots 
accordingly
-                * will search the rest of slots. */
-               slot++;
-               nslots -= (slot - slots);
-               slots = slot;
-               pam_syslog(pamh, LOG_DEBUG, "No authorized key found");
+               pam_syslog(pamh, LOG_DEBUG, "No authorized key found on token 
%s",
+                               slot->token->label);
        }
 
        if (0 == token_found) {
                prompt(flags, pamh, PAM_ERROR_MSG , NULL, _("No token found"));
        } else {
-               prompt(flags, pamh, PAM_ERROR_MSG , NULL, _("No authorized keys 
on token"));
+               prompt(flags, pamh, PAM_ERROR_MSG, NULL,
+                               _("Could not find authorized keys on any of the 
tokens."));
        }
 
        return 0;
@@ -631,7 +618,7 @@
        return ok;
 }
 
-static int key_verify(pam_handle_t *pamh, int flags, PKCS11_KEY *authkey)
+static int key_verify(pam_handle_t *pamh, int flags, PKCS11_KEY *authkey, 
EVP_PKEY *pubkey)
 {
        int ok = 0;
        unsigned char challenge[30];
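Review bot: `key_verify` now receives `pubkey` from the caller instead of fetching it with `PKCS11_get_public_key`, but nothing states who frees it. The function's cleanup is outside the hunk: if it still frees `pubkey`, the caller's `authpubkey` dangles after the call, and if it does not, every exit path of the caller has to free it. A short comment above the signature would settle this, for example `/* pubkey is borrowed; the caller frees it */`, with the cleanup code checked against it.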
@@ -640,7 +627,6 @@
        const EVP_MD *md = EVP_sha1();
        EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
        EVP_PKEY *privkey = PKCS11_get_private_key(authkey);
-       EVP_PKEY *pubkey = PKCS11_get_public_key(authkey);
 
        if (NULL == privkey)
                goto err;
@@ -695,6 +681,8 @@
        PKCS11_CTX *ctx;
        unsigned int nslots;
        PKCS11_KEY *authkey;
+       PKCS11_CERT *authcert;
+       EVP_PKEY *authpubkey = NULL;
        PKCS11_SLOT *slots, *authslot;
        const char *user;
        const char *pin_regex;
@@ -706,12 +694,21 @@
        }
 
        if (1 != key_find(pamh, flags, user, ctx, slots, nslots,
-                               &authslot, &authkey)) {
+                               &authslot, &authkey, &authpubkey, &authcert)) {
                r = PAM_AUTHINFO_UNAVAIL;
                goto err;
        }
-       if (1 != key_login(pamh, flags, authslot, pin_regex)
-                       || 1 != key_verify(pamh, flags, authkey)) {
+
+       if (1 != key_login(pamh, flags, authslot, pin_regex))
+               goto err;
+
+       if (authkey == NULL && authcert) {
+               if (NULL == (authkey = PKCS11_find_key(authcert))) {
+                       r = PAM_AUTHINFO_UNAVAIL;
+                       goto err;
+               }
+       }
+       if (1 != key_verify(pamh, flags, authkey, authpubkey)) {
                if (authslot->token->userPinLocked) {
                        r = PAM_MAXTRIES;
                } else {
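Review bot: The new `if (1 != key_login(...)) goto err;` leaves `r` untouched, whereas the removed combined condition sent a failed login into the block that assigns `PAM_MAXTRIES` or the `else` value. What `r` holds at that point is set outside the hunk; if it still carries the success result of an earlier call, a failed PIN login would be returned as success. Assign an error explicitly, as the `key_find` and `PKCS11_find_key` branches do: `if (1 != key_login(pamh, flags, authslot, pin_regex)) { r = authslot->token->userPinLocked ? PAM_MAXTRIES : PAM_AUTH_ERR; goto err; }`. No hunk for this function adds the `EVP_PKEY_free(authpubkey)` that the hunk at `@@ -809,6 +808,7 @@` adds, so check whether its `err:` path needs the same release.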
@@ -768,6 +765,8 @@
        PKCS11_CTX *ctx;
        unsigned int nslots;
        PKCS11_KEY *authkey;
+       PKCS11_CERT *authcert;
+       EVP_PKEY *authpubkey = NULL;
        PKCS11_SLOT *slots, *authslot;
        const char *user, *pin_regex;
 
@@ -785,7 +784,7 @@
        }
 
        if (1 != key_find(pamh, flags, user, ctx, slots, nslots,
-                               &authslot, &authkey)) {
+                               &authslot, &authkey, &authpubkey, &authcert)) {
                r = PAM_AUTHINFO_UNAVAIL;
                goto err;
        }
@@ -809,6 +808,7 @@
        r = PAM_SUCCESS;
 
 err:
+       EVP_PKEY_free(authpubkey);
 #ifdef TEST
        module_data_cleanup(pamh, global_module_data, r);
 #endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/pam_p11-0.3.1/src/test.c new/pam_p11-0.5.0/src/test.c
--- old/pam_p11-0.3.1/src/test.c        2019-04-17 01:28:53.000000000 +0200
+++ new/pam_p11-0.5.0/src/test.c        2023-06-08 17:05:53.000000000 +0200
@@ -58,8 +58,12 @@
 
        /* initialize default values */
        strcpy(module, LIBDIR "/opensc-pkcs11.so");
-       if (0 != getlogin_r(user, sizeof user))
-               goto err;
+       if (argc < 3) {
+               if (0 != getlogin_r(user, sizeof user)) {
+                       perror("getlogin_r");
+                       goto err;
+               }
+       }
 
        switch (argc) {
                case 3:
