Here's a patch to solve the issues I've encountered using pam_pkcs11.

In regards to #239 (pam_pkcs11 only looks at first certificate on
token):

The fix for this turns out to be somewhat problematic, and I'm not at
all sure whether my implementation of the fix is a valid one.

The basic problem (as I understood it from analyzing the code) is that
finder functions of the mappers return a char*, allowing for a single
value (NULL) to signal failure and return the key if no mapping (i.e.
no value associated with the key) was found (cf. comment for
mapfile_find in src/mappers/mapper.c). Thus a caller (i.e. find_user in
src/pam_pkcs11/mapper_mgr.c) cannot distinguish between a mapping or a
key being returned and thus will prematurely terminate on the first
certificate that passes the other validity tests.

The fix provided changes the finder function interface by requiring an
additional out parameter that is set to 1, if a real mapping value was
returned and remains unchanged otherwise. This fix breaks existing
loadable mappers.

I considered overloading of the value returned (e.g. having a
byte/substring as first character of the value returned to be able to
distinguish between a value and a key being returned) which would
preserve the interface to the mappers, but refrained from implementing
it that way as I believe this to be unclean and prone to difficult to
track errors.

Another solution I considered was the addition of another entry to the
structure encapsulating the mappers (e.g. a finder2 method), but as this
is no better in breaking the interface for loadable mappers and
duplicates code I forfeited this solution, too.

If somebody could look into the problem and come up with a solution that
preserves the interface to external mappers while allowing the
distinction between keys and values, I'd be more than happy to implement
it.

It might also make sense to add a new configuration parameter for
the new behaviour of find_user, allowing existing applications to
continue to work with keys being returned instead of values (Feedback
anyone? The comment for find_user actually states that a mapping value
is returned).

In regards to #240 (Allow pattern matching in pam_pkcs11):

I restricted this to only work for mapfiles and the implementation
turned out to be quite simple - it's essentially an 11 line change in
src/mappers/mapper.c - and is triggered by the specification of a fully
anchored (i.e. *must* have initial "^" and *must* end in "$") pattern as
key in a mapfile.

This now allows syntax like
^.*/serialNumber=xxx-xxx-xxx-xxx$ -> username
in all mapfiles.

The patch attached contains the changes for both issues.

Cheers,
Wolf

-- 
Just when you discovered the meaning of life IT changed.

Attachment: patch.gz
Description: GNU Zip compressed data
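The two changes described in the mail, the "real mapping found" out parameter for the finder (#239) and anchored-pattern keys in mapfiles (#240), as an added example that is not part of the attached patch or of pam_pkcs11 itself. The mapfile is a constructed array of "key -> value" lines, the function names mapfile_find and find_user are borrowed from the mail but their signatures here are assumptions, and pattern keys are compiled with POSIX regex.h (REG_EXTENDED). The point it demonstrates is the caller's loop: with the match flag, find_user skips a certificate whose subject merely echoes back as a key and continues to the next certificate on the token.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Constructed mapfile: one literal key and one fully anchored pattern key.
   Format mirrors the "key -> value" lines mentioned in the mail. */
static const char *sample_mapfile[] = {
    "/C=DE/O=Example/CN=alice -> alice",
    "^.*/serialNumber=0000-1111-2222-3333$ -> bob",
    NULL
};

/* A key is treated as a pattern only when it is fully anchored:
   it must start with '^' and end with '$'. Everything else is literal. */
static int is_anchored_pattern(const char *key) {
    size_t n = strlen(key);
    return n >= 2 && key[0] == '^' && key[n - 1] == '$';
}

/* Literal comparison for plain keys, regex match for anchored keys.
   An invalid pattern is treated as non-matching rather than as an error. */
static int key_matches(const char *key, const char *subject) {
    if (!is_anchored_pattern(key))
        return strcmp(key, subject) == 0;
    regex_t re;
    if (regcomp(&re, key, REG_EXTENDED | REG_NOSUB) != 0)
        return 0;
    int rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Hypothetical finder. Copies the mapped value into out and sets *match to 1
   when a real mapping was found; otherwise copies the key (subject) itself
   into out and leaves *match unchanged, which is the ambiguity the mail
   describes. Returns out, or NULL on a usage error. */
const char *mapfile_find(const char **mapfile, const char *subject,
                         char *out, size_t outlen, int *match) {
    if (!mapfile || !subject || !out || outlen == 0 || !match)
        return NULL;
    for (const char **line = mapfile; *line; ++line) {
        const char *sep = strstr(*line, " -> ");
        if (!sep)
            continue;                       /* malformed line: skip it */
        char key[256];
        size_t klen = (size_t)(sep - *line);
        if (klen == 0 || klen >= sizeof key)
            continue;
        memcpy(key, *line, klen);
        key[klen] = '\0';
        if (key_matches(key, subject)) {
            snprintf(out, outlen, "%s", sep + 4);
            *match = 1;
            return out;
        }
    }
    snprintf(out, outlen, "%s", subject);  /* no mapping: hand back the key */
    return out;
}

/* Hypothetical caller loop over the subjects of every certificate on the
   token. Only a subject with a real mapping terminates the search. */
const char *find_user(const char **mapfile, const char **subjects,
                      char *out, size_t outlen) {
    for (const char **s = subjects; *s; ++s) {
        int match = 0;
        if (mapfile_find(mapfile, *s, out, outlen, &match) && match)
            return out;
    }
    return NULL;
}

int main(void) {
    /* Constructed token: first cert has no mapping, second matches the pattern. */
    const char *subjects[] = {
        "/C=US/O=Corp/CN=unmapped",
        "/C=US/O=Corp/serialNumber=0000-1111-2222-3333",
        NULL
    };
    char user[128];
    const char *u = find_user(sample_mapfile, subjects, user, sizeof user);
    printf("mapped user: %s\n", u ? u : "(none)");
    return 0;
}
```

Without the match flag, find_user would stop at the first subject and return "/C=US/O=Corp/CN=unmapped" as if it were a user name, which is exactly the premature termination in #239.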

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel