pam pkcs11 version 0.6.5


Ludovic Rousseau

I just released a new version of PAM PKCS#11. This version fixes
problems and adds features.

From ChangeLog.svn:
2010-10-19  ludovic.rousseau

        * [r464] doc/ Update from doxygen version 1.5.6 to
        * [r463] release 0.6.5
        * [r462] po/de.po, po/fr.po, po/nl.po, po/pam_pkcs11.pot, po/pl.po,
          po/pt_br.po, po/ru.po: regenerate
        * [r461] src/common/ Add the missing strndup.h file
        * [r460] src/common/uri.c: get_http(): check if complete message
          was transmitted
          Thanks to Andre Zepezauer for the patch

        * [r459] src/common/uri.c: get_http(): allocate enough memory to
          fit http-request
          Thanks to Andre Zepezauer for the patch

        * [r458] src/common/uri.c: get_http(): add missing return statement
          Thanks to Andre Zepezauer for the patch

        * [r457] If dlopen() is not found in libdl we try to
          find it without specifying a
          library before exiting in error.
          I don't remember why I used this code. Maybe dlopen() is not in
          libdl on some systems.

2010-10-16  ludovic.rousseau

        * [r456] po/fr.po: Translate a string
        * [r455] po/de.po, po/fr.po, po/nl.po, po/pam_pkcs11.pot, po/pl.po,
          po/pt_br.po, po/ru.po: Regenerate
        * [r454] src/pam_pkcs11/pam_pkcs11.c: Replace "Found the %s." by
          "%s found."
          Thanks to Mr Dash Four for the bug report

2010-10-15  ludovic.rousseau

        * [r453] src/common/pkcs11_lib.c: crypto_init(): fix a typo in log

2010-09-22  ludovic.rousseau

        * [r452] src/common/pkcs11_lib.c: pkcs11_pass_login(): check if the
          PIN returned by getpass is NULL
          Thanks to Andre Zepezauer for the patch

        * [r451] src/common/pkcs11_lib.c: pkcs11_pass_login(): log an error
          if pkcs11_login() fails
          Thanks to Andre Zepezauer for the patch

        * [r450] src/common/pkcs11_lib.c: pkcs11_pass_login(): do not clean
          a zero length PIN
          Thanks to Andre Zepezauer for the patch

        * [r449] src/common/pkcs11_lib.c, src/pam_pkcs11/pam_pkcs11.c: Show
          PIN code in debug output only if DEBUG_SHOW_PASSWORD is defined
          (not defined by default)
          Thanks to Andre Zepezauer for the bug report

2010-09-21  ludovic.rousseau

        * [r448] src/pam_pkcs11/pam_config.c: parse_config_file(): get the
          debug value from the configuration file
          Thanks to Andre Zepezauer for the patch

2010-08-25  ludovic.rousseau

        * [r447] src/tools/card_eventmgr.c: Do not call
          SCardEstablishContext() before daemonize since pcsc-lite
          handles are invalid after a fork.
          Thanks to Patrik Martinsson for the patch

2010-08-19  ludovic.rousseau

        * [r446] src/tools/card_eventmgr.c: Use SCARD_READERSTATE instead
          of SCARD_READERSTATE_A since it was
          removed in pcsc-lite >= 1.6.2

2010-08-14  ludovic.rousseau

        * [r445] src/mappers/cn_mapper.c, src/mappers/digest_mapper.c,
          src/mappers/generic_mapper.c, src/mappers/krb_mapper.c,
          src/mappers/ldap_mapper.c, src/mappers/mail_mapper.c,
          src/mappers/mapper.c, src/mappers/mapper.h,
          src/mappers/ms_mapper.c, src/mappers/null_mapper.c,
          src/mappers/opensc_mapper.c, src/mappers/openssh_mapper.c,
          src/mappers/pwent_mapper.c, src/mappers/subject_mapper.c,
          src/mappers/uid_mapper.c, src/pam_pkcs11/mapper_mgr.c,
          src/tools/pklogin_finder.c: Patch for #239 and #240 (handle more
          than one cert/pattern matching)
          Thanks to Wolf Geldmacher for the patch.

          " Here's a patch to solve the issues I've encountered using
          In regards to #239 (pam_pkcs11 only looks at first certificate on
          The fix for this turns out to be somewhat problematic, and I'm not
          at all sure, whether my implementation of the fix is a valid one.
          The basic problem (as I understood it from analyzing the code) is
          that finder functions of the mappers return a char*, allowing for
          a single value (NULL) to signalize failure and return the key if
          no mapping (i.e.  no value associated with the key) was found (cf.
          comment for mapfile_find in src/mappers/mapper.c). Thus a caller
          (i.e.  find_user in src/pam_pkcs11/mapper_mgr.c) cannot
          distinguish between a mapping or a key being returned and thus
          will prematurely terminate on the first certificate that passes
          the other validity tests.
          The fix provided changes the finder function interface by
          requiring an additional out parameter that is set to 1, if a real
          mapping value was returned and remains unchanged otherwise. This
          fix breaks existing loadable mappers.
          I considered overloading of the value returned (e.g. having a
          byte/substring as first character of the value returned to be able
          to distinguish between a value and a key being returned) which
          would preserve the interface to the mappers, but refrained from
          implementing it that way as I believe this to be unclean and prone
          to difficult to track errors.
          Another solution I considered was the addition of another entry to
          the structure encapsulating the mappers (e.g. a finder2 method),
          but as this is no better in breaking the interface for loadable
          mappers and duplicates code I forfeited this solution, too.
          If somebody could look into the problem and come up with a
          solution that preserves the interface to external mappers while
          allowing the distinction between keys and values, I'd be more than
          happy to implement it.
          It might also make sense to add a new configuration parameter
          for the new behaviour of find_user, allowing existing applications
          to continue to work with keys being returned instead of values
          (Feedback anyone? The comment for find_user actually states that a
          mapping value is returned).
          In regards to #240 (Allow pattern matching in pam_pkcs11):
          I restricted this to only work for mapfiles and the implementation
          turned out to be quite simple - it's essentially an 11 line change
          in src/mappers/mapper.c - and is triggered by the specification of
          a fully anchored (i.e. *must* have initial "^" and *must* end in
          "$") pattern as key in a mapfile.
          This now allows syntax like ^.*/serialNumber=xxx-xxx-xxx-xxx$ ->
          username in all mapfiles.
          The patch attached contains the changes for both issues.
          Cheers, Wolf "

2010-08-13  ludovic.rousseau

        * [r444] src/pam_pkcs11/pam_pkcs11.c: Do not use a variadic
          parameter for pam_prompt. It is not supported on

2010-08-12  ludovic.rousseau

        * [r443] src/common/strndup.h, src/tools/pkcs11_setup.c: Add a new
          header file to define strndup if needed.
          pkcs11_setup.c: In function ‘scconf_replace_str_list’:
          pkcs11_setup.c:73: warning: implicit declaration of function
          pkcs11_setup.c:73: warning: incompatible implicit declaration of
          built-in function ‘strndup’
        * [r441] src/pam_pkcs11/pam_config.c, src/tools/pkcs11_inspect.c,
          src/tools/pkcs11_listcerts.c, src/tools/pklogin_finder.c: Revert
          changeset 301 parsing arguments in pam_config.c but skip the
          first argument in command line tools.
          Thanks to halfline for the patch. Closes ticket #29

 Dr. Ludovic Rousseau
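
The finder-interface problem and the anchored-pattern rule described in the r445 entry, as an added example that is not part of the original post or of pam_pkcs11's source: a finder sets an out parameter only for a real mapping, and the caller uses it to move past an unmapped first certificate. The names (`key_matches`, `finder`, this simplified `find_user`, `use_flag`, `sample_map`), the sample data, and the use of POSIX `regcomp` with extended syntax are assumptions of this example.

```c
/* Added illustration, not pam_pkcs11 source; all names and data are hypothetical. */
#include <regex.h>
#include <stddef.h>
#include <string.h>

struct map_entry { const char *key, *value; };
/* Constructed sample mapfile: one literal key, one fully anchored pattern. */
static const struct map_entry sample_map[] = {
    { "/C=CH/O=Example/CN=Alice", "alice" },
    { "^.*/serialNumber=1234-5678$", "bob" },
};

/* A key is a regex only when it starts with '^' and ends with '$'. */
static int key_matches(const char *key, const char *subject) {
    size_t n = strlen(key);
    regex_t re;
    if (n < 2 || key[0] != '^' || key[n - 1] != '$')
        return strcmp(key, subject) == 0;   /* literal key: exact compare */
    if (regcomp(&re, key, REG_EXTENDED | REG_NOSUB) != 0)
        return 0;                           /* invalid pattern matches nothing */
    int hit = regexec(&re, subject, 0, NULL, 0) == 0;
    regfree(&re);
    return hit;
}

/* Finder with the out parameter: *match becomes 1 only for a real mapping;
 * otherwise the key itself is returned and *match is left unchanged. */
static const char *finder(const char *subject, int *match) {
    for (size_t i = 0; i < sizeof sample_map / sizeof sample_map[0]; i++)
        if (key_matches(sample_map[i].key, subject)) {
            *match = 1;
            return sample_map[i].value;
        }
    return subject;
}

/* use_flag == 0 ignores the out parameter (old behaviour: the first
 * certificate wins); use_flag == 1 skips certificates without a mapping. */
const char *find_user(const char *const *subjects, size_t n, int use_flag) {
    for (size_t i = 0; i < n; i++) {
        int match = 0;
        const char *user = finder(subjects[i], &match);
        if (!use_flag || match)
            return user;
    }
    return NULL;
}
```

With a token whose first certificate has no mapfile entry, `use_flag == 0` returns that certificate's subject string as the "user", while `use_flag == 1` continues to the second certificate and returns its mapped name.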