Hello opensc type persons,

A Debian user has discovered a bug in pam_p11. It uses the syslog
family of functions instead of pam_syslog, which causes segfaults in
some situations. Please apply the attached patch!

-- 
Eric Dorland <[EMAIL PROTECTED]>
ICQ: #61138586, Jabber: [EMAIL PROTECTED]

--- Begin Message ---
reassign 472986 libpam-p11
retitle 472986 libpam-p11 should use pam_syslog for logging instead of 
openlog/syslog/closelog
notfound 472986 1:4.1.0-2
found 472986 0.1.3-1
thanks


Hello,

libpam-p11 uses openlog/syslog/closelog sequences.

The closelog calls will break applications if they wish to report logs
after calling pam functions.

In the case of the original segfault in su, the issue was caused by
openlog. I don't really understand why it is problematic to openlog()
twice, but the attached patch fixed the segfault is su.

pam_syslog will also make the syslog message look prettier (it will
mention the service, not only the name of the module).

Best Regards,
-- 
Nekral
diff -rauN ../orig/pam-p11-0.1.3/src/pam_p11.c ./pam-p11-0.1.3/src/pam_p11.c
--- ../orig/pam-p11-0.1.3/src/pam_p11.c	2007-07-03 18:19:22.000000000 +0200
+++ ./pam-p11-0.1.3/src/pam_p11.c	2008-04-15 02:10:11.300075856 +0200
@@ -31,6 +31,7 @@
 #define PAM_SM_PASSWORD
 #include <security/pam_appl.h>
 #include <security/pam_modules.h>
+#include <security/pam_ext.h>
 
 #ifndef PAM_EXTERN
 #define PAM_EXTERN extern
@@ -87,12 +88,9 @@
 	int fd;
 	unsigned siglen;
 
-	/* open log */
-	openlog(LOGNAME, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
-
 	/* check parameters */
 	if (argc != 1) {
-		syslog(LOG_ERR, "need pkcs11 module as argument");
+		pam_syslog(pamh, LOG_ERR, "need pkcs11 module as argument");
 		return PAM_ABORT;
 	}
 
@@ -105,7 +103,7 @@
 	/* get user name */
 	rv = pam_get_user(pamh, &user, NULL);
 	if (rv != PAM_SUCCESS) {
-		syslog(LOG_ERR, "pam_get_user() failed %s",
+		pam_syslog(pamh, LOG_ERR, "pam_get_user() failed %s",
 		       pam_strerror(pamh, rv));
 		return PAM_USER_UNKNOWN;
 	}
@@ -113,21 +111,21 @@
 	/* load pkcs #11 module */
 	rv = PKCS11_CTX_load(ctx, argv[0]);
 	if (rv) {
-		syslog(LOG_ERR, "loading pkcs11 engine failed");
+		pam_syslog(pamh, LOG_ERR, "loading pkcs11 engine failed");
 		return PAM_AUTHINFO_UNAVAIL;
 	}
 
 	/* get all slots */
 	rv = PKCS11_enumerate_slots(ctx, &slots, &nslots);
 	if (rv) {
-		syslog(LOG_ERR, "listing slots failed");
+		pam_syslog(pamh, LOG_ERR, "listing slots failed");
 		return PAM_AUTHINFO_UNAVAIL;
 	}
 
 	/* search for the first slot with a token */
 	slot = PKCS11_find_token(ctx, slots, nslots);
 	if (!slot || !slot->token) {
-		syslog(LOG_ERR, "no token available");
+		pam_syslog(pamh, LOG_ERR, "no token available");
 		rv = PAM_AUTHINFO_UNAVAIL;
 		goto out;
 	}
@@ -135,12 +133,12 @@
 	/* get all certs */
 	rv = PKCS11_enumerate_certs(slot->token, &certs, &ncerts);
 	if (rv) {
-		syslog(LOG_ERR, "PKCS11_enumerate_certs failed");
+		pam_syslog(pamh, LOG_ERR, "PKCS11_enumerate_certs failed");
 		rv = PAM_AUTHINFO_UNAVAIL;
 		goto out;
 	}
 	if (ncerts <= 0) {
-		syslog(LOG_ERR, "no certificates found");
+		pam_syslog(pamh, LOG_ERR, "no certificates found");
 		rv = PAM_AUTHINFO_UNAVAIL;
 		goto out;
 	}
@@ -152,7 +150,7 @@
 			/* check whether the certificate matches the user */
 			rv = match_user(authcert->x509, user);
 			if (rv < 0) {
-				syslog(LOG_ERR, "match_user() failed");
+				pam_syslog(pamh, LOG_ERR, "match_user() failed");
 				rv = PAM_AUTHINFO_UNAVAIL;
 				goto out;
 			} else if (rv == 0) {
@@ -165,7 +163,7 @@
 	}
 
 	if (!authcert) {
-		syslog(LOG_ERR, "not matching certificate found");
+		pam_syslog(pamh, LOG_ERR, "not matching certificate found");
 		rv = PAM_AUTHINFO_UNAVAIL;
 		goto out;
 	}
@@ -218,7 +216,7 @@
 	memset(password, 0, strlen(password));
 	free(password);
 	if (rv != 0) {
-		syslog(LOG_ERR, "PKCS11_login failed");
+		pam_syslog(pamh, LOG_ERR, "PKCS11_login failed");
 		rv = PAM_AUTHINFO_UNAVAIL;
 		goto out;
 	}
@@ -227,21 +225,21 @@
 	/* get random bytes */
 	fd = open(RANDOM_SOURCE, O_RDONLY);
 	if (fd < 0) {
-		syslog(LOG_ERR, "fatal: cannot open RANDOM_SOURCE: ");
+		pam_syslog(pamh, LOG_ERR, "fatal: cannot open RANDOM_SOURCE: ");
 		rv = PAM_AUTHINFO_UNAVAIL;
 		goto out;
 	}
 
 	rv = read(fd, rand_bytes, RANDOM_SIZE);
 	if (rv < 0) {
-		syslog(LOG_ERR, "fatal: read from random source failed: ");
+		pam_syslog(pamh, LOG_ERR, "fatal: read from random source failed: ");
 		close(fd);
 		rv = PAM_AUTHINFO_UNAVAIL;
 		goto out;
 	}
 
 	if (rv < RANDOM_SIZE) {
-		syslog(LOG_ERR, "fatal: read returned less than %d<%d bytes\n",
+		pam_syslog(pamh, LOG_ERR, "fatal: read returned less than %d<%d bytes\n",
 		       rv, RANDOM_SIZE);
 		close(fd);
 		rv = PAM_AUTHINFO_UNAVAIL;
@@ -252,7 +250,7 @@
 
 	authkey = PKCS11_find_key(authcert);
 	if (!authkey) {
-		syslog(LOG_ERR, "no key matching certificate available");
+		pam_syslog(pamh, LOG_ERR, "no key matching certificate available");
 		rv = PAM_AUTHINFO_UNAVAIL;
 		goto out;
 	}
@@ -262,7 +260,7 @@
 	rv = PKCS11_sign(NID_sha1, rand_bytes, RANDOM_SIZE, signature, &siglen,
 			 authkey);
 	if (rv != 1) {
-		syslog(LOG_ERR, "fatal: pkcs11_sign failed\n");
+		pam_syslog(pamh, LOG_ERR, "fatal: pkcs11_sign failed\n");
 		rv = PAM_AUTHINFO_UNAVAIL;
 		goto out;
 	}
@@ -270,7 +268,7 @@
 	/* verify the signature */
 	pubkey = X509_get_pubkey(authcert->x509);
 	if (pubkey == NULL) {
-		syslog(LOG_ERR, "could not extract public key");
+		pam_syslog(pamh, LOG_ERR, "could not extract public key");
 		rv = PAM_AUTHINFO_UNAVAIL;
 		goto out;
 	}
@@ -279,7 +277,7 @@
 	rv = RSA_verify(NID_sha1, rand_bytes, RANDOM_SIZE,
 			signature, siglen, pubkey->pkey.rsa);
 	if (rv != 1) {
-		syslog(LOG_ERR, "fatal: RSA_verify failed\n");
+		pam_syslog(pamh, LOG_ERR, "fatal: RSA_verify failed\n");
 		rv = PAM_AUTHINFO_UNAVAIL;
 		goto out;
 	}
@@ -303,40 +301,32 @@
 PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, int argc,
 				const char **argv)
 {
-	openlog(LOGNAME, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
-	syslog(LOG_WARNING,
+	pam_syslog(pamh, LOG_WARNING,
 	       "Function pam_sm_acct_mgmt() is not implemented in this module");
-	closelog();
 	return PAM_SERVICE_ERR;
 }
 
 PAM_EXTERN int pam_sm_open_session(pam_handle_t * pamh, int flags, int argc,
 				   const char **argv)
 {
-	openlog(LOGNAME, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
-	syslog(LOG_WARNING,
+	pam_syslog(pamh, LOG_WARNING,
 	       "Function pam_sm_open_session() is not implemented in this module");
-	closelog();
 	return PAM_SERVICE_ERR;
 }
 
 PAM_EXTERN int pam_sm_close_session(pam_handle_t * pamh, int flags, int argc,
 				    const char **argv)
 {
-	openlog(LOGNAME, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
-	syslog(LOG_WARNING,
+	pam_syslog(pamh, LOG_WARNING,
 	       "Function pam_sm_close_session() is not implemented in this module");
-	closelog();
 	return PAM_SERVICE_ERR;
 }
 
 PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, int argc,
 				const char **argv)
 {
-	openlog(LOGNAME, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
-	syslog(LOG_WARNING,
+	pam_syslog(pamh, LOG_WARNING,
 	       "Function pam_sm_chauthtok() is not implemented in this module");
-	closelog();
 	return PAM_SERVICE_ERR;
 }
 

--- End Message ---

Attachment: signature.asc
Description: Digital signature

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Reply via email to