On Tue, Sep 9, 2008 at 3:45 AM, Huie-Ying Lee <[EMAIL PROTECTED]> wrote:
> I have completed the source changes and tested it successfully on Solaris
> OS.  Besides the major slot_description/slot_num changes for the default
> implementation, the source changes also include
>
>  1. slot_description/slot_num changes are also updated for the NSS
> implementation in the src/common/pkcs11_lib.c file.    Therefore, the new
> scheme will work as well if it is built with "--with-nss=yes".

You can also just use "--with-nss" instead of "--with-nss=yes"

>  2. A bug fix in src/common/pam_config.c:  in  line 259, "slot_nume=" should
> be "slot_num="

Fix committed in revision 329.

>  3. A bug fix in src/common/pkcs11_lib.c:  in  line 290 and 291, slots[i]
> should be slots[slot_num]

Fix committed in revision 330.

>  4. In the original pkcs11_lib.c, all the places in the ORIGINAL code that
> use "slot_label" actually refer to a token label, so their names are changed
> to token_label.  For the same reason, the function get_slot_label() is
> renamed to get_slot_tokenlabel().

Patch committed in revision 332

>  5. Some platform specific changes to compile and build On OpenSolaris OS.
>  These changes are guarded with "ifdef SUN_SOLARIS".

They are just casts. Maybe they should also be used on the other platforms?
Without these modifications, do you get a compiler warning or error?

I did NOT apply these changes. I would like to know why they are
Solaris specific.

The non-applied patches are attached.
You also declare SECU_Strerror() in src/common/pkcs11_lib.c but this
function is already declared in src/common/secutil.h. Maybe a #include
"secutil.h" is missing instead?

> Attached is the source patch, please review it and let me know if you have
> any questions or comments.

Please, provide a different patch for each problem you solve. I had to
split your patch in different independent patches. This is time
consuming and error prone.

Thanks a lot for your efforts. Please continue :-)

Bye

-- 
 Dr. Ludovic Rousseau
Index: src/pam_pkcs11/pam_pkcs11.c
===================================================================
--- src/pam_pkcs11/pam_pkcs11.c (révision 332)
+++ src/pam_pkcs11/pam_pkcs11.c (copie de travail)
@@ -83,12 +83,20 @@ static int pam_prompt(pam_handle_t *pamh
 
   msg.msg_style = style;
   msg.msg = text;
+#ifdef SUN_SOLARIS
+  rv = pam_get_item(pamh, PAM_CONV, (void **) &conv);
+#else
   rv = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
+#endif
   if (rv != PAM_SUCCESS)
     return rv;
   if ((conv == NULL) || (conv->conv == NULL))
     return PAM_CRED_INSUFFICIENT;
+#ifdef SUN_SOLARIS
+  rv = conv->conv(1, (struct pam_message **)msgp, &resp, conv->appdata_ptr);
+#else
   rv = conv->conv(1, (const struct pam_message **)msgp, &resp, 
conv->appdata_ptr);
+#endif
   if (rv != PAM_SUCCESS)
     return rv;
   if ((resp == NULL) || (resp[0].resp == NULL))
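Review bot: Every pam_get_item() and conv->conv() call is now written twice, once per platform, differing only in the `const` of the cast; this applies here and in the pam_get_pwd and pam_sm_authenticate hunks below. In an authentication module, duplicated call sites are easy to update on one side only, so a single qualifier macro defined once would keep one call per lookup. The name PAM_PKCS11_CONST below is only a proposal. pam_prompt starts and ends outside the hunk.

```c
/* once, near the top of the file */
#ifdef SUN_SOLARIS
#define PAM_PKCS11_CONST
#else
#define PAM_PKCS11_CONST const
#endif

  /* … unchanged: msg.msg_style / msg.msg assignments … */
  rv = pam_get_item(pamh, PAM_CONV, (PAM_PKCS11_CONST void **) &conv);
  /* … unchanged: rv and conv NULL checks … */
  rv = conv->conv(1, (PAM_PKCS11_CONST struct pam_message **)msgp, &resp, conv->appdata_ptr);
```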
@@ -132,7 +140,11 @@ static int pam_get_pwd(pam_handle_t *pam
   /* use stored password if variable oitem is set */
   if ((oitem == PAM_AUTHTOK) || (oitem == PAM_OLDAUTHTOK)) {
     /* try to get stored item */
+#ifdef SUN_SOLARIS
+    rv = pam_get_item(pamh, oitem, (void **) &old_pwd);
+#else 
     rv = pam_get_item(pamh, oitem, (const void **) &old_pwd);
+#endif
     if (rv != PAM_SUCCESS)
       return rv;
     if (old_pwd != NULL) {
@@ -145,12 +157,20 @@ static int pam_get_pwd(pam_handle_t *pam
   if (text != NULL) {
     msg.msg_style = PAM_PROMPT_ECHO_OFF;
     msg.msg = text;
+#ifdef SUN_SOLARIS
+    rv = pam_get_item(pamh, PAM_CONV, (void **) &conv);
+#else
     rv = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
+#endif
     if (rv != PAM_SUCCESS)
       return rv;
     if ((conv == NULL) || (conv->conv == NULL))
       return PAM_CRED_INSUFFICIENT;
+#ifdef SUN_SOLARIS
+    rv = conv->conv(1, (struct pam_message **)msgp, &resp, conv->appdata_ptr);
+#else
     rv = conv->conv(1, (const struct pam_message **)msgp, &resp, 
conv->appdata_ptr);
+#endif
     if (rv != PAM_SUCCESS)
       return rv;
     if ((resp == NULL) || (resp[0].resp == NULL))
@@ -263,7 +283,11 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
        char *service;
        if (configuration->screen_savers) {
            DBG("Is it a screen saver?");
+#ifdef SUN_SOLARIS
+           rv = pam_get_item(pamh, PAM_SERVICE, (void **) &service);
+#else
            rv = pam_get_item(pamh, PAM_SERVICE, (const void **) &service);
+#endif
            for (i=0; configuration->screen_savers[i]; i++) {
                if (strcmp(configuration->screen_savers[i], service) == 0) {
                    is_a_screen_saver = 1;
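Review bot: `rv` from the PAM_SERVICE lookup is never tested before `service` reaches `strcmp()` in the loop that follows, and `service` is declared without an initialiser just above. A failed pam_get_item() or a NULL item would then dereference an indeterminate or NULL pointer inside the authentication path. Guarding the loop with `if (rv == PAM_SUCCESS && service != NULL) {` avoids that. The PAM_USER lookup in the next hunk also discards `rv` and only tests `user`, which is safe only if `user` is initialised to NULL where it is declared (not visible here). pam_sm_authenticate continues outside the hunk.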
@@ -275,7 +299,11 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
        pkcs11_pam_fail = PAM_CRED_INSUFFICIENT;
         
        /* look to see if username is already set */
+#ifdef SUN_SOLARIS
+       rv = pam_get_item(pamh, PAM_USER, (void **) &user);
+#else
        rv = pam_get_item(pamh, PAM_USER, (const void **) &user);
+#endif
        if (user) {
            DBG1("explicit username = [%s]", user);
        } 
@@ -391,6 +419,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
   } else {
       pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("Smart card inserted. "));
   }
+
   rv = open_pkcs11_session(ph, slot_num);
   if (rv != 0) {
     release_pkcs11_module(ph);
Index: src/tools/pkcs11_inspect.c
===================================================================
--- src/tools/pkcs11_inspect.c  (révision 332)
+++ src/tools/pkcs11_inspect.c  (copie de travail)
@@ -127,7 +127,7 @@ int main(int argc, const char **argv) {
   /* find valid certificates and look for contents */
   DBG1("Found '%d' certificate(s)", cert_count);
   for (i = 0; i < cert_count; i++) {
-    X509 *x509 = get_X509_certificate(certs[i]);
+    X509 *x509 = (X509 *)get_X509_certificate(certs[i]);
     if (x509 != NULL) {
       DBG1("verifing the certificate #%d", i + 1);
       /* verify certificate (date, signature, CRL, ...) */
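Review bot: The `(X509 *)` cast on the result of get_X509_certificate() silences a diagnostic without fixing its cause, and which warning prompted it is not visible here. If no prototype was in scope, the call is still treated as returning `int` and the pointer can be truncated on LP64 builds; if the complaint was a qualifier or type mismatch, the cast just hides it. I would include the header that declares get_X509_certificate() (or correct its return type there) and keep `X509 *x509 = get_X509_certificate(certs[i]);` uncast. The identical change in src/tools/pklogin_finder.c has the same issue. The loop body continues outside the hunk.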
Index: src/tools/pkcs11_eventmgr.c
===================================================================
--- src/tools/pkcs11_eventmgr.c (révision 332)
+++ src/tools/pkcs11_eventmgr.c (copie de travail)
@@ -431,6 +431,7 @@ int main(int argc, char *argv[]) {
        }
     }
 
+#ifndef SUN_SOLARIS
     if (daemonize) {
        DBG("Going to be daemon...");
        if ( daemon(0,debug)<0 ) {
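Review bot: With SUN_SOLARIS defined the `daemonize` flag is still accepted but is now silently ignored, so an operator who asked for a background process gets one that stays attached to its terminal and session with no indication why. The `#ifndef` opened here is closed in the next hunk, and the second guarded block further down in main behaves the same way. An `#else` branch that at least reports it, e.g. `if (daemonize) DBG("daemon() not available on this platform, staying in foreground");`, or a small fork()/setsid() fallback, would keep the option honest. Presumably the guard exists because daemon() is missing on that platform, but the patch does not say so.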
@@ -441,6 +442,7 @@ int main(int argc, char *argv[]) {
                return 1;
        }
     }
+#endif
 
     /* 
      * Wait endlessly for all events in the list of readers
@@ -513,6 +515,7 @@ int main(int argc, char *argv[]) {
     }
 
     /* put my self into background if flag is set */
+#ifndef SUN_SOLARIS
     if (daemonize) {
        DBG("Going to be daemon...");
        if ( daemon(0,debug)<0 ) {
@@ -522,6 +525,7 @@ int main(int argc, char *argv[]) {
                return 1;
        }
     }
+#endif
 
     /* open pkcs11 sesion */
     DBG("initialising pkcs #11 module...");
Index: src/tools/pklogin_finder.c
===================================================================
--- src/tools/pklogin_finder.c  (révision 332)
+++ src/tools/pklogin_finder.c  (copie de travail)
@@ -126,7 +126,7 @@ int main(int argc, const char **argv) {
   /* find a valid and matching certificates */
   DBG1("Found '%d' certificate(s)", cert_count);
   for (i = 0; i < cert_count; i++) {
-    X509 *x509 = get_X509_certificate(certs[i]);
+    X509 *x509 = (X509 *)get_X509_certificate(certs[i]);
     if (x509 != NULL) {
       DBG1("verifing the certificate #%d", i + 1);
       /* verify certificate (date, signature, CRL, ...) */
Index: src/common/pkcs11_lib.c
===================================================================
--- src/common/pkcs11_lib.c     (révision 332)
+++ src/common/pkcs11_lib.c     (copie de travail)
@@ -148,6 +148,8 @@ memcmp_pad_max(void *d1, size_t d1_len, 
 
 #include "cert_vfy.h"
 
+const char * SECU_Strerror(PRErrorCode errNum);
+
 #ifndef PAM_PKCS11_POLL_TIME
 #define PAM_PKCS11_POLL_TIME 500 /* ms */
 #endif
@@ -964,7 +966,11 @@ int load_pkcs11_module(char *module, pkc
   DBG3("module permissions: uid = %d, gid = %d, mode = %o",
       module_stat.st_uid, module_stat.st_gid, module_stat.st_mode & 0777);
   if (module_stat.st_mode & S_IWGRP || module_stat.st_mode & S_IWOTH
+#ifdef SUN_SOLARIS
+      || module_stat.st_uid != 0) {
+#else 
       || module_stat.st_uid != 0 || module_stat.st_gid != 0) {
+#endif
     set_error("the pkcs #11 module MUST be owned by root and MUST NOT "
               "be writeable by the group or others");
     free(h);
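Review bot: The Solaris branch drops the `st_gid != 0` test from the module ownership check without saying why, and the `if` condition is now split across `#ifdef` with the opening brace duplicated in both branches. This check decides whether a shared object is loaded into the authentication process, so the relaxation deserves a comment giving the reason (presumably system libraries there are not group root, to be confirmed by the author). The comment should also note that group write is still rejected by the `S_IWGRP` test. Computing the ownership result first in a new `int bad_owner` local, declared with the function's other locals, keeps one `if` and one brace. load_pkcs11_module starts and ends outside the hunk.

```c
  /* … unchanged: DBG3 of module uid/gid/mode … */
  bad_owner = (module_stat.st_uid != 0);
#ifndef SUN_SOLARIS
  /* gid is not checked on Solaris: <reason to be stated by the author>;
   * group write is still refused by the S_IWGRP test below */
  bad_owner = bad_owner || (module_stat.st_gid != 0);
#endif
  if ((module_stat.st_mode & (S_IWGRP | S_IWOTH)) || bad_owner) {
  /* … unchanged: set_error(), free(h) … */
```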
@@ -1501,7 +1507,12 @@ cert_object_t **get_certificate_list(pkc
     /* Pass 3: store certificate */
 
     /* convert to X509 data structure */
+#ifdef SUN_SOLARIS
+      x509 = d2i_X509(NULL, (const uchar_t **)&cert_template[3].pValue, 
cert_template[3].ulValueLen);
+#else
       x509 = d2i_X509(NULL, (CK_BYTE **)&cert_template[3].pValue, 
cert_template[3].ulValueLen);
+#endif
+
       if (x509 == NULL) {
         free(id_value);
         free(cert_value);
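Review bot: Both branches pass `&cert_template[3].pValue` straight to d2i_X509(), which advances the pointer it is given past the bytes it parsed, so after the call `pValue` no longer points at the start of the buffer. The visible cleanup frees `cert_value`, but any later use of `cert_template[3].pValue` (outside this hunk) would read from the wrong address. Parsing through a temporary avoids that and removes the need for platform-specific casts when d2i_X509() takes a `const unsigned char **`: `const unsigned char *p = cert_template[3].pValue;` then `x509 = d2i_X509(NULL, &p, cert_template[3].ulValueLen);`. get_certificate_list continues outside the hunk.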