From 85bd663909027a21f4e804931e3b2c105d4c9a33 Mon Sep 17 00:00:00 2001 From: Frank Morgner Date: Mon, 27 Aug 2018 13:02:56 +0200 Subject: [PATCH 001/111] Update README.md - project is maintained - as wiki is empty, we use its main description (converted to MD) here --- README.md | 150 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 145 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index b2b14daa..013f28b1 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,147 @@ -# This project is no more maintained +PAM-PKCS\#11 Login Tools +======================== -I @LudovicRousseau do not use this software any more and have no time to take care of it. -See "Pam-pkcs#11 needs a new maintainer(s) soon, or it will die" https://sourceforge.net/p/opensc/mailman/message/35191905/ +Description +----------- -If you want to become the new maintainer just ask me @LudovicRousseau to add you -in the https://github.com/orgs/OpenSC/teams/pam_pkcs11-maintainers group. +This Linux-PAM login module allows a X.509 certificate based user login. +The certificate and its dedicated private key are thereby accessed by +means of an appropriate PKCS\#11 module. For the verification of the +users' certificates, locally stored CA certificates as well as either +online or locally accessible CRLs are used. + +Detailed information about the Linux-PAM system can be found in [The +Linux-PAM System Administrators' +Guide](http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html), +[The Linux-PAM Module Writers' +Guide](http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_MWG.html) +and [The Linux-PAM Application Developers' +Guide](http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_ADG.html) +The specification of the Cryptographic Token Interface Standard +(PKCS\#11) is available at [PKCS\#11 - Cryptographic Token Interface +Standard](https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html). + +PAM-PKCS\#11 package provides: + +* A PAM module able to:\ + * Use certificates to get user credentials + * Deduce a login based on provided certificate +* Several tools: + * Standalone cert-to-login finder tool + * Certificate contents viewer + * Card Event status monitor, to trigger actions on card insert/removal + +You can read the online [PAM-PKCS\#11 User +Manual](http://opensc.github.io/pam_pkcs11/doc/pam_pkcs11.html) to know +how to install, configure and use this software. 
+ +### PKCS\#11 Module Requirements + +The PKCS\#11 modules must fulfill the requirements given by the RSA +Asymmetric Client Signing Profile, which has been specified in the + [PKCS\#11: Conformance Profile +Specification](http://www.rsa.com/rsalabs/node.asp?id=2133) by RSA +Laboratories. + +### User Matching + +To map the ownership of a certificate into a user login, pam-pkcs11 uses +the concept of mapper that is, a list of configurable, stackable +list of dynamic modules, each one trying to do a specific cert-to-login +maping. Several mappers are provided: + +* the common name of the subject matches the login name +* the unique identifier of the subject matches the login name +* the user part of an e-mail subject alternative name extension matches the login name +* the Microsoft universal principal name extension matches the login name +* etc...(see documentation on provided mappers) + +Many mappers may use also a *mapfile* to translate Certificate +contents to a login name. + +License +------- + +* Copyright © 2003-2004 Mario Strasser \\ +* Copyright © 2005 Juan Antonio Martinez \\ +* Copyright © 2005-2012 Ludovic Rousseau \ + +This library is free software; you can redistribute it and/or modify it +under the terms of the GNU Lesser General Public License as published by +the Free Software Foundation; either version 2.1 of the License, or (at +your option) any later version. + +This library is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser +General Public License for more details. 
+ +You should have received a copy of the GNU Lesser General Public License +along with this library; if not, write to the Free Software Foundation, +Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +Download +-------- + +* [pam\_pkcs11-0.6.9.tar.gz](http://sourceforge.net/projects/opensc/files/pam_pkcs11/) + +Packages for [various Linux +distributions](https://repology.org/metapackage/pam-pkcs11) are +available through the their standard package management system. + +Installation +------------ + +Unpack the archive, configure, compile and install it: + +```sh +$ tar xvzf pkcs11_login-X.Y.Z.tar.gz +$ cd pkcs11_login-X.Y.Z +$ ./configure +$ make +$ sudo make install +``` + +If you want to use [cURL](http://curl.haxx.se/libcurl/) instead of +our native URI-functions for downloading CRLs, use `./configure --with-curl` + +However, up to now cURL is not able to handle binary LDAP replies and +thus CRL download might not work for all LDAP URIs. + +Next, you have to create the needed openssl-hash-links. + +``` +make_hash_link.sh ${path to the directory with the CA certificates} +make_hash_link.sh ${path to the directory with the CRLs} +``` + +Configuration +------------- + +See [PAM-PKCS\#11 User +Manual](http://opensc.github.io/pam_pkcs11/doc/pam_pkcs11.html) to +configure and set up pam\_pkcs11. + +See [PAM-PKCS\#11 Mappers +API](http://opensc.github.io/pam_pkcs11/doc/mappers_api.html) to get +advanced information on mappers (mainly for developers). 
+ +Documentation +------------- + +* Online Manuals +* [PAM-PKCS\#11 User Manual](http://opensc.github.io/pam_pkcs11/doc/pam_pkcs11.html) +* [PAM-PKCS\#11 Mappers API Reference](http://opensc.github.io/pam_pkcs11/doc/mappers_api.html) +* [TODO](https://raw.github.com/OpenSC/pam_pkcs11/master/TODO) file (outdated) +* Man pages\ + * [`pam_pkcs11(8)`](https://linux.die.net/man/8/pam_pkcs11) + * [`card_eventmgr(1)`](https://linux.die.net/man/1/card_eventmgr) + * [`pkcs11_eventmgr(1)`](https://linux.die.net/man/1/pkcs11_eventmgr) + * [`pklogin_finder(1)`](https://linux.die.net/man/1/pklogin_finder) + * [`pkcs11_inspect(1)`](https://linux.die.net/man/1/pkcs11_inspect) + +Contact +------- + +[Get involved](https://github.com/OpenSC/pam_pkcs11/issues) +in development! All comments, suggestions and bug reports are welcome. From 24987f09a729dbb4c12450de084b1343ac20b54c Mon Sep 17 00:00:00 2001 From: Frank Morgner Date: Mon, 27 Aug 2018 13:12:08 +0200 Subject: [PATCH 002/111] README.md: removed license section ... we have a COPYING file anyway fixes some formatting --- README.md | 49 ++++++++++++++----------------------------------- 1 file changed, 14 insertions(+), 35 deletions(-) diff --git a/README.md b/README.md index 013f28b1..d84a00b7 100644 --- a/README.md +++ b/README.md 
@@ -23,13 +23,13 @@ Standard](https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2 PAM-PKCS\#11 package provides: -* A PAM module able to:\ - * Use certificates to get user credentials - * Deduce a login based on provided certificate +* A PAM module able to: + * Use certificates to get user credentials + * Deduce a login based on provided certificate * Several tools: - * Standalone cert-to-login finder tool - * Certificate contents viewer - * Card Event status monitor, to trigger actions on card insert/removal + * Standalone cert-to-login finder tool + * Certificate contents viewer + * Card Event status monitor, to trigger actions on card insert/removal You can read the online [PAM-PKCS\#11 User Manual](http://opensc.github.io/pam_pkcs11/doc/pam_pkcs11.html) to know @@ -46,7 +46,7 @@ Laboratories. ### User Matching To map the ownership of a certificate into a user login, pam-pkcs11 uses -the concept of mapper that is, a list of configurable, stackable +the concept of *mapper* that is, a list of configurable, stackable list of dynamic modules, each one trying to do a specific cert-to-login maping. Several mappers are provided: 
@@ -59,27 +59,6 @@ maping. Several mappers are provided: Many mappers may use also a *mapfile* to translate Certificate contents to a login name. -License -------- - -* Copyright © 2003-2004 Mario Strasser \\ -* Copyright © 2005 Juan Antonio Martinez \\ -* Copyright © 2005-2012 Ludovic Rousseau \ - -This library is free software; you can redistribute it and/or modify it -under the terms of the GNU Lesser General Public License as published by -the Free Software Foundation; either version 2.1 of the License, or (at -your option) any later version. - -This library is distributed in the hope that it will be useful, but -WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser -General Public License for more details. - -You should have received a copy of the GNU Lesser General Public License -along with this library; if not, write to the Free Software Foundation, -Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - Download -------- @@ -95,11 +74,11 @@ Installation Unpack the archive, configure, compile and install it: ```sh -$ tar xvzf pkcs11_login-X.Y.Z.tar.gz -$ cd pkcs11_login-X.Y.Z -$ ./configure -$ make -$ sudo make install +tar xvzf pkcs11_login-X.Y.Z.tar.gz +cd pkcs11_login-X.Y.Z +./configure +make +sudo make install ``` If you want to use [cURL](http://curl.haxx.se/libcurl/) instead of @@ -110,7 +89,7 @@ thus CRL download might not work for all LDAP URIs. Next, you have to create the needed openssl-hash-links. -``` +```sh make_hash_link.sh ${path to the directory with the CA certificates} make_hash_link.sh ${path to the directory with the CRLs} ``` 
@@ -133,7 +112,7 @@ Documentation * [PAM-PKCS\#11 User Manual](http://opensc.github.io/pam_pkcs11/doc/pam_pkcs11.html) * [PAM-PKCS\#11 Mappers API Reference](http://opensc.github.io/pam_pkcs11/doc/mappers_api.html) * [TODO](https://raw.github.com/OpenSC/pam_pkcs11/master/TODO) file (outdated) -* Man pages\ +* Man pages * [`pam_pkcs11(8)`](https://linux.die.net/man/8/pam_pkcs11) * [`card_eventmgr(1)`](https://linux.die.net/man/1/card_eventmgr) * [`pkcs11_eventmgr(1)`](https://linux.die.net/man/1/pkcs11_eventmgr) From 81e4d4be87253d04fe960f3c9c3caae191bbb946 Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Tue, 11 Sep 2018 20:53:21 +0300 Subject: [PATCH 003/111] Fixed extra "0" argument passed to `cleanse()` --- src/common/pkcs11_lib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index 912de057..a291baa9 100644 --- a/src/common/pkcs11_lib.c +++ b/src/common/pkcs11_lib.c @@ -1208,7 +1208,7 @@ void release_pkcs11_module(pkcs11_handle_t *h) /* release all allocated memory */ if (h->slots != NULL) free(h->slots); - cleanse(h, 0, sizeof(pkcs11_handle_t)); + cleanse(h, sizeof(pkcs11_handle_t)); free(h); } From 4250344e6694b918848f1064e5bf1341794caeff Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Tue, 11 Sep 2018 20:57:39 +0300 Subject: [PATCH 004/111] 0.6.10 - Fixed some security issues (thx @frankmorgner): (https://www.x41-dsec.de/lab/advisories/x41-2018-003-pam_pkcs11/) -- fixed buffer overflow with long home directory; -- fixed wiping secrets (now using OpenSSL_cleanse()); -- verify using a nonce from the system, not the card. --- ChangeLog | 8 ++++++++ NEWS | 10 ++++++++++ README | 3 ++- configure.ac | 2 +- 4 files changed, 21 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7febf921..b2a90cdc 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,11 @@ +12- Sep 2018 + - Version 0.6.10 is out. + - Fixed some security issues (thx @frankmorgner): + (https://www.x41-dsec.de/lab/advisories/x41-2018-003-pam_pkcs11/) + -- fixed buffer overflow with long home directory; + -- fixed wiping secrets (now using OpenSSL_cleanse()); + -- verify using a nonce from the system, not the card. + 08- Sep 2005 - Fixes to pam_pkcs11.spec diff --git a/NEWS b/NEWS index 7c77b347..b64fd67e 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,13 @@ +12- Sep 2018 + - Version 0.6.10 is out. + - Fixed some security issues (thx @frankmorgner): + (https://www.x41-dsec.de/lab/advisories/x41-2018-003-pam_pkcs11/) + -- fixed buffer overflow with long home directory; + -- fixed wiping secrets (now using OpenSSL_cleanse()); + -- verify using a nonce from the system, not the card. + +... 0.6.9 ... 0.6.0 are yet undescribed. + 12- Sep 2005 - Finally pam_pkcs11-0.5.3 is out. - New mapper API and Docs diff --git a/README b/README index 2ab614f3..b7189c60 100644 --- a/README +++ b/README @@ -1,10 +1,11 @@ This is the README of the PKCS #11 PAM Login Module ====================================================================== -Release: 0.6.1 +Release: 0.6.10 Authors: Mario Strasser Juan Antonio Martinez Ludovic Rouseau + Frank Morgner This Linux-PAM login module allows a X.509 certificate based user login. The certificate and its dedicated private key are thereby diff --git a/configure.ac b/configure.ac index 28210923..a773f733 100644 --- a/configure.ac +++ b/configure.ac @@ -4,7 +4,7 @@ AC_PREREQ([2.69]) # Process this file with autoconf to produce a configure script. -AC_INIT([pam_pkcs11],[0.6.9]) +AC_INIT([pam_pkcs11],[0.6.10]) AC_CONFIG_SRCDIR([src/pam_pkcs11/pam_pkcs11.c]) AC_CANONICAL_HOST AM_INIT_AUTOMAKE From ebf11498a47834bb3f63f95959fbd16e70f6878e Mon Sep 17 00:00:00 2001 
From: Andrea Scarpino Date: Tue, 4 Dec 2018 00:20:16 +0100 Subject: [PATCH 005/111] Support openssl 1.1.0 --- src/common/cert_vfy.c | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/src/common/cert_vfy.c b/src/common/cert_vfy.c index 6016ca0b..fd809b00 100644 --- a/src/common/cert_vfy.c +++ b/src/common/cert_vfy.c @@ -143,12 +143,17 @@ static X509_CRL *download_crl(const char *uri) static int verify_crl(X509_CRL * crl, X509_STORE_CTX * ctx) { int rv; - X509_OBJECT obj; EVP_PKEY *pkey = NULL; X509 *issuer_cert; /* get issuer certificate */ +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) + X509_OBJECT obj; rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), &obj); +#else + X509_OBJECT *obj = X509_OBJECT_new(); + rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), obj); +#endif if (rv <= 0) { set_error("getting the certificate of the crl-issuer failed"); return -1; @@ -156,7 +161,11 @@ static int verify_crl(X509_CRL * crl, X509_STORE_CTX * ctx) /* extract public key and verify signature */ issuer_cert = X509_OBJECT_get0_X509((&obj)); pkey = X509_get_pubkey(issuer_cert); +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) X509_OBJECT_free_contents(&obj); +#else + X509_OBJECT_free(obj); +#endif if (pkey == NULL) { set_error("getting the issuer's public key failed"); return -1; @@ -202,14 +211,17 @@ static int verify_crl(X509_CRL * crl, X509_STORE_CTX * ctx) static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t policy) { int rv, i, j; +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) X509_OBJECT obj; +#else + X509_OBJECT *obj = X509_OBJECT_new(); +#endif X509_REVOKED *rev = NULL; STACK_OF(DIST_POINT) * dist_points; DIST_POINT *point; GENERAL_NAME *name; X509_CRL *crl; X509 *x509_ca = NULL; - EVP_PKEY crl_pkey; DBG1("crl policy: %d", policy); if (policy == CRLP_NONE) { 
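Review bot: In the OpenSSL >= 1.1 branch of verify_crl, `X509_OBJECT_new()` is not checked for NULL and the `obj` it returns leaks when the `if (rv <= 0)` path returns -1 before the `X509_OBJECT_free(obj)` added in the next hunk; check_for_revocation has the same leak, since `obj` is now allocated at the top of the function (hunk at -202) but the CRLP_NONE return and the `rv <= 0` return in the OFFLINE branch (hunk at -227) never free it. The unchanged accessor calls `X509_OBJECT_get0_X509((&obj))` (hunks at -156 and -247) and `X509_OBJECT_get0_X509_CRL((&obj))` (hunk at -227) also look wrong for the new branch: with `obj` now an `X509_OBJECT *`, `&obj` is an `X509_OBJECT **`, which the 1.1 accessors do not take, so unless the compat header remaps them those calls need to pass `obj` under the new `#if` as well. The remainder of both functions, including the ONLINE-branch `X509_STORE_get_by_subject` call that presumably still passes `&obj`, lies between or outside the hunks. A guarded allocation and release for verify_crl's first hunk is sketched below.
```c
  /* … unchanged: pre-1.1 branch with the stack-allocated obj … */
#else
  X509_OBJECT *obj = X509_OBJECT_new();
  if (obj == NULL) {
    set_error("allocating the X509_OBJECT failed");
    return -1;
  }
  rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), obj);
#endif
  if (rv <= 0) {
    set_error("getting the certificate of the crl-issuer failed");
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
    X509_OBJECT_free(obj);
#endif
    return -1;
  }
  /* … unchanged: public-key extraction and signature check … */
```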
@@ -227,13 +239,21 @@ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t } else if (policy == CRLP_OFFLINE) { /* OFFLINE */ DBG("looking for an dedicated local crl"); +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), &obj); +#else + rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), obj); +#endif if (rv <= 0) { set_error("no dedicated crl available"); return -1; } crl = X509_OBJECT_get0_X509_CRL((&obj)); +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) X509_OBJECT_free_contents(&obj); +#else + X509_OBJECT_free(obj); +#endif } else if (policy == CRLP_ONLINE) { /* ONLINE */ DBG("extracting crl distribution points"); @@ -247,7 +267,11 @@ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t } x509_ca = X509_OBJECT_get0_X509((&obj)); dist_points = X509_get_ext_d2i(x509_ca, NID_crl_distribution_points, NULL, NULL); +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) X509_OBJECT_free_contents(&obj); +#else + X509_OBJECT_free(obj); +#endif if (dist_points == NULL) { set_error("neither the user nor the ca certificate does contain a crl distribution point"); return -1; From 367dd22f5580339b0aef510cd2e162b8a527529b Mon Sep 17 00:00:00 2001 
From: alexandr nedvedicky - Sun Microsystems - Prague Czech Republic Date: Wed, 23 Jan 2019 06:26:17 -0800 Subject: [PATCH 006/111] - Solaris runs build process outside of srcdir this small tweak makes our life easier and should not harm other pam_pkcs11 users. Our build process generates makefiles and objects in dedicated build directory. without this patch it fails with error as follows: xsltproc \ --stringparam section.autolabel 1 \ --stringparam section.label.includes.component.label 1 \ -o pam_pkcs11.html pam_pkcs11.xsl /scratch/sashan/userland/components/pam_pkcs11/pam_pkcs11-0.6.10/doc/pam_pkcs11.xml warning: failed to load external entity "pam_pkcs11.xsl" cannot parse pam_pkcs11.xsl make[3]: *** [Makefile:644: pam_pkcs11.html] Error 4 make[3]: Leaving directory '/scratch/sashan/userland/components/pam_pkcs11/build/i86/doc' make[2]: *** [Makefile:464: all-recursive] Error 1 make[2]: Leaving directory '/scratch/sashan/userland/components/pam_pkcs11/build/i86' make[1]: *** [Makefile:396: all] Error 2 change in this pull request makes my build happy. --- doc/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/Makefile.am b/doc/Makefile.am index 806c4b78..3b459418 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -21,7 +21,7 @@ EXTRA_DIST = $(MANSRC) $(XMLFILES) $(HTMLFILES) doxygen.conf.in \ README.ldap_mapper export-wiki.sh generate-api.sh \ api/index.html $(shell ls api/*) -STYLESHEET = pam_pkcs11.xsl +STYLESHEET = $(srcdir)/pam_pkcs11.xsl %.html: %.xml $(STYLESHEET) if HAVE_DOCBOOK From d89237dbd858b0441a31b6a98ce92d0ee13e6385 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Thu, 16 May 2019 15:21:59 +0200 Subject: [PATCH 007/111] Use green instead of blue for log lines Blue text on black background is unreadable. This is the case for login on the console. Green text is readable on a black background and also a white background. --- src/common/debug.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/common/debug.c b/src/common/debug.c index e52dc857..ab3eddee 100644 --- a/src/common/debug.c +++ b/src/common/debug.c @@ -37,7 +37,7 @@ void debug_print(int level, const char *file, int line, const char *format, ...) if (debug_level >= level) { /* is stdout is a tty */ if (isatty(1)) { - const char *t = "\033[34mDEBUG"; /* blue */ + const char *t = "\033[32mDEBUG"; /* green */ if (-1 == level) t = "\033[31mERROR"; /* red */ From d712ac3d52ef92efff93620d796ffb20b9a7d74d Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Fri, 17 May 2019 15:01:52 +0200 Subject: [PATCH 008/111] Fix compiler warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit card_eventmgr.c: In function ‘main’: card_eventmgr.c:336:8: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 5 has type ‘pid_t’ {aka ‘int’} [-Wformat=] DBG1("Killing process: %ld", pid); ^~~~~~~~~~~~~~~~~~~~~~ ~~~ --- src/tools/card_eventmgr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tools/card_eventmgr.c b/src/tools/card_eventmgr.c index 459a41df..9b54a514 100644 --- a/src/tools/card_eventmgr.c +++ b/src/tools/card_eventmgr.c @@ -333,7 +333,7 @@ int main(int argc, char *argv[]) { pid_t pid = read_pidfile(pidfile); if (pid > 0) { - DBG1("Killing process: %ld", pid); + DBG1("Killing process: %ld", (long)pid); kill(pid, SIGQUIT); } else From db0d957310e3d26d7a59af2c1f823cca00d3697b Mon Sep 17 00:00:00 2001 
From: Ludovic Rousseau Date: Fri, 17 May 2019 15:06:40 +0200 Subject: [PATCH 009/111] Fix potential buffer overflow by 1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit pam_pkcs11.c:753:34: warning: ‘snprintf’ output may be truncated before the last format character [-Wformat-truncation=] "PKCS11_LOGIN_TOKEN_NAME=%.*s", ^ pam_pkcs11.c:752:3: note: ‘snprintf’ output between 25 and 256 bytes into a destination of size 255 snprintf(env_temp, sizeof(env_temp) - 1, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "PKCS11_LOGIN_TOKEN_NAME=%.*s", ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (int)((sizeof(env_temp) - 1) - strlen("PKCS11_LOGIN_TOKEN_NAME=")), ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ get_slot_tokenlabel(ph)); ~~~~~~~~~~~~~~~~~~~~~~~~ pam_pkcs11.c:770:35: warning: ‘snprintf’ output may be truncated before the last format character [-Wformat-truncation=] "PKCS11_LOGIN_CERT_ISSUER=%.*s", ^ pam_pkcs11.c:769:5: note: ‘snprintf’ output between 26 and 256 bytes into a destination of size 255 snprintf(env_temp, sizeof(env_temp) - 1, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "PKCS11_LOGIN_CERT_ISSUER=%.*s", ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (int)((sizeof(env_temp) - 1) - strlen("PKCS11_LOGIN_CERT_ISSUER=")), ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ issuer[0]); ~~~~~~~~~~ pam_pkcs11.c:792:35: warning: ‘snprintf’ output may be truncated before the last format character [-Wformat-truncation=] "PKCS11_LOGIN_CERT_SERIAL=%.*s", ^ pam_pkcs11.c:791:5: note: ‘snprintf’ output between 26 and 256 bytes into a destination of size 255 snprintf(env_temp, sizeof(env_temp) - 1, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "PKCS11_LOGIN_CERT_SERIAL=%.*s", ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (int)((sizeof(env_temp) - 1) - strlen("PKCS11_LOGIN_CERT_SERIAL=")), ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ serial[0]); ~~~~~~~~~~ --- src/pam_pkcs11/pam_pkcs11.c | 6 +++--- 1 file changed, 3 
insertions(+), 3 deletions(-) diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index 3f2b6abb..b44fbe92 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c @@ -751,7 +751,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons */ snprintf(env_temp, sizeof(env_temp) - 1, "PKCS11_LOGIN_TOKEN_NAME=%.*s", - (int)((sizeof(env_temp) - 1) - strlen("PKCS11_LOGIN_TOKEN_NAME=")), + (int)((sizeof(env_temp) - 1) - strlen("PKCS11_LOGIN_TOKEN_NAME=") -1), get_slot_tokenlabel(ph)); rv = pam_putenv(pamh, env_temp); @@ -768,7 +768,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons if (issuer) { snprintf(env_temp, sizeof(env_temp) - 1, "PKCS11_LOGIN_CERT_ISSUER=%.*s", - (int)((sizeof(env_temp) - 1) - strlen("PKCS11_LOGIN_CERT_ISSUER=")), + (int)((sizeof(env_temp) - 1) - strlen("PKCS11_LOGIN_CERT_ISSUER=") -1), issuer[0]); rv = pam_putenv(pamh, env_temp); } else { @@ -790,7 +790,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons if (serial) { snprintf(env_temp, sizeof(env_temp) - 1, "PKCS11_LOGIN_CERT_SERIAL=%.*s", - (int)((sizeof(env_temp) - 1) - strlen("PKCS11_LOGIN_CERT_SERIAL=")), + (int)((sizeof(env_temp) - 1) - strlen("PKCS11_LOGIN_CERT_SERIAL=") -1), serial[0]); rv = pam_putenv(pamh, env_temp); } else { From 8b426b6364e3650a3c1b09000d05f1fb527d6525 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Fri, 17 May 2019 15:19:38 +0200 Subject: [PATCH 010/111] Fix openssh_mapper_match_keys() for OpenSSL 1.0 & 1.1 The code was incorrect since the addition of OpenSSL 1.1 support in release 0.6.10. --- src/common/pam-pkcs11-ossl-compat.h | 2 ++ src/mappers/openssh_mapper.c | 10 ++++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/src/common/pam-pkcs11-ossl-compat.h b/src/common/pam-pkcs11-ossl-compat.h index e14abb14..9a03e307 100644 --- a/src/common/pam-pkcs11-ossl-compat.h +++ b/src/common/pam-pkcs11-ossl-compat.h 
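Review bot: The extra `-1` on the precision silences the warning but keeps the underlying mistake, which is passing `sizeof(env_temp) - 1` as the snprintf size; snprintf already reserves the terminator inside the size it is given, so the cleaner fix is `snprintf(env_temp, sizeof(env_temp), "PKCS11_LOGIN_TOKEN_NAME=%.*s", (int)(sizeof(env_temp) - 1 - strlen("PKCS11_LOGIN_TOKEN_NAME=")), get_slot_tokenlabel(ph));` with the matching change in the ISSUER and SERIAL hunks that follow. Either way, a token label, issuer DN or serial longer than the remaining space is silently cut before it is exported to the environment, so comparing the snprintf return value against `sizeof(env_temp)` and logging the truncation would make that visible to whatever consumes these variables. pam_sm_authenticate continues outside all three hunks.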
@@ -96,6 +96,8 @@ extern "C" { #define X509_get0_tbs_sigalg(x) (x->cert_info->key->algor) #define X509_OBJECT_get0_X509(x) (x->data.x509) #define X509_OBJECT_get0_X509_CRL(x) (x->data.crl) +#define RSA_get0_e(x) (x->e) +#define RSA_get0_n(x) (x->n) #define X509_OBJECT_free(x) ({ \ if (x) { \ diff --git a/src/mappers/openssh_mapper.c b/src/mappers/openssh_mapper.c index ed0a4091..aac097dc 100644 --- a/src/mappers/openssh_mapper.c +++ b/src/mappers/openssh_mapper.c @@ -287,13 +287,19 @@ static int openssh_mapper_match_keys(X509 *x509, const char *filename) { fclose(fd); for (i = 0; i < nkeys; i++) { RSA *authrsa, *rsa; - BIGNUM *authrsa_n, *authrsa_e; - BIGNUM *rsa_n, *rsa_e; + BIGNUM *authrsa_n, *authrsa_e; + BIGNUM *rsa_n, *rsa_e; authrsa = EVP_PKEY_get1_RSA(authkey); if (!authrsa) continue; /* not RSA */ rsa = EVP_PKEY_get1_RSA(keys[i]); if (!rsa) continue; /* not RSA */ + + authrsa_e = RSA_get0_e(authrsa); + rsa_e = RSA_get0_e(rsa); if (BN_cmp(rsa_e, authrsa_e) != 0) continue; + + authrsa_n = RSA_get0_n(authrsa); + rsa_n = RSA_get0_n(rsa); if (BN_cmp(rsa_n, authrsa_n) != 0) continue; return 1; /* FOUND */ } From b86eee946bcd6808cf0f9df38ad7f2107cb67ae2 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Fri, 17 May 2019 15:22:31 +0200 Subject: [PATCH 011/111] Fix compiler warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit mail_mapper.c: In function ‘compare_email’: mail_mapper.c:100:27: warning: comparison of integer expressions of different signedness: ‘long int’ and ‘size_t’ {aka ‘long unsigned int’} [-Wsign-compare] return (at - c_email) == strlen(c_user) && !strncmp(c_email, c_user, strlen(c_user)); ^~ --- src/mappers/mail_mapper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mappers/mail_mapper.c b/src/mappers/mail_mapper.c index ef0abb8b..29ca064b 100644 --- a/src/mappers/mail_mapper.c +++ b/src/mappers/mail_mapper.c 
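Review bot: The new `RSA_get0_e(x) (x->e)` and `RSA_get0_n(x) (x->n)` macros do not parenthesise their argument, so an expression argument would mis-bind; `#define RSA_get0_e(x) ((x)->e)` and `#define RSA_get0_n(x) ((x)->n)` avoid that, even though the neighbouring accessor macros share the same habit. I also believe these accessors only appeared in OpenSSL 1.1.1, so a build against 1.1.0, which the `#if` guard around this block presumably excludes from the compat definitions, would find neither the macro nor the function; if 1.1.0 is a supported target the macros need to cover it too, or the caller should use `RSA_get0_key`. The enclosing version guard is outside the hunk.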
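Review bot: On OpenSSL >= 1.1 `RSA_get0_e()` and `RSA_get0_n()` return `const BIGNUM *`, so assigning them to the `BIGNUM *` locals on the re-indented declaration lines discards a qualifier; declaring `const BIGNUM *authrsa_n, *authrsa_e;` and `const BIGNUM *rsa_n, *rsa_e;` fixes that and still works with the pre-1.1 macros, since `BN_cmp` takes const pointers. Separately, each iteration calls `EVP_PKEY_get1_RSA()` twice, which takes a reference, and as far as the hunk shows every `continue` and the `return 1` leave without `RSA_free()`; that leak predates the commit but the hunk now touches every line around it. The loop header and the rest of openssh_mapper_match_keys are outside the hunk.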
@@ -97,7 +97,7 @@ static int compare_email(char *email, const char *user) { DBG2("Mail domain name %s does not match with %s",1+at,hostname); return 0; } - return (at - c_email) == strlen(c_user) && !strncmp(c_email, c_user, strlen(c_user)); + return (at - c_email) == (int)strlen(c_user) && !strncmp(c_email, c_user, strlen(c_user)); } else { /* no domain provide: just a strcmp */ return !strcmp(c_email, c_user); } From e251dcb3317089fe1ad6fd716647f0181f7fccc4 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Fri, 17 May 2019 15:24:50 +0200 Subject: [PATCH 012/111] Fix compiler warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ldap_mapper.c:844:33: warning: pointer targets in passing argument 1 of ‘ldap_encode_escapes’ differ in signedness [-Wpointer-sign] escaped = ldap_encode_escapes(login, strlen(login)); ^~~~~ ldap_mapper.c:622:1: note: expected ‘const unsigned char *’ but argument is of type ‘const char *’ ldap_encode_escapes(const unsigned char *binary, size_t length) ^~~~~~~~~~~~~~~~~~~ --- src/mappers/ldap_mapper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mappers/ldap_mapper.c b/src/mappers/ldap_mapper.c index fca6ec60..f1fc7e77 100644 --- a/src/mappers/ldap_mapper.c +++ b/src/mappers/ldap_mapper.c @@ -841,7 +841,7 @@ ldap_build_filter(const char *filter, const char *login, const char *map, /* If no user name is specified, this is a search across all users. */ if (login != NULL) { - escaped = ldap_encode_escapes(login, strlen(login)); + escaped = ldap_encode_escapes((const unsigned char *)login, strlen(login)); } else { escaped = strdup("*"); } From 03cbe348ea7b38faa5fcd7ff4417619b633c902c Mon Sep 17 00:00:00 2001 
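Review bot: Casting the `size_t` from `strlen(c_user)` down to `int` on the changed line silences the warning by narrowing the wrong operand; assuming `at` was found inside `c_email`, as the `1+at` domain comparison suggests, the difference is non-negative and `return (size_t)(at - c_email) == strlen(c_user) && !strncmp(c_email, c_user, strlen(c_user));` compares without any truncation. The condition already insists on a full-length match of the local part rather than a prefix, which is the right property for a login mapper and worth keeping. compare_email begins outside the hunk.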
From: Ludovic Rousseau Date: Fri, 17 May 2019 15:27:36 +0200 Subject: [PATCH 013/111] Fix compiler warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ldap_mapper.c: In function ‘ldap_build_filter’: ldap_mapper.c:836:31: warning: declaration of ‘filter’ shadows a global declaration [-Wshadow] ldap_build_filter(const char *filter, const char *login, const char *map, ~~~~~~~~~~~~^~~~~~ ldap_mapper.c:107:20: note: shadowed declaration is here static const char *filter="(&(objectClass=posixAccount)(uid=%s)"; ^~~~~~ --- src/mappers/ldap_mapper.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/mappers/ldap_mapper.c b/src/mappers/ldap_mapper.c index f1fc7e77..ab7d9063 100644 --- a/src/mappers/ldap_mapper.c +++ b/src/mappers/ldap_mapper.c @@ -833,7 +833,7 @@ ldap_build_cert_filter(const char *map, X509 *x509) /* Build a filter suitable for locating the entry for the named user. */ static char * -ldap_build_filter(const char *filter, const char *login, const char *map, +ldap_build_filter(const char *filter_param, const char *login, const char *map, X509 *x509) { char *buf, *user_filter, *escaped, *cert_filter; @@ -852,14 +852,14 @@ ldap_build_filter(const char *filter, const char *login, const char *map, } /* Build a user filter using the supplied filter and user name. */ - user_filter_len = strlen(filter) + strlen(escaped) + 1; + user_filter_len = strlen(filter_param) + strlen(escaped) + 1; user_filter = malloc(user_filter_len); if (user_filter == NULL) { DBG("ldap_build_filter(): out of memory for user filter"); free(escaped); return NULL; } - snprintf(user_filter, user_filter_len, filter, escaped); + snprintf(user_filter, user_filter_len, filter_param, escaped); free(escaped); /* Build the part of the filter that's specific to the certificate. */ 
@@ -874,7 +874,7 @@ ldap_build_filter(const char *filter, const char *login, const char *map, buf_len = 3 + strlen(user_filter) + 2 + 2 + strlen(cert_filter) + 2; buf = malloc(buf_len); if (buf != NULL) { - if (filter[0] == '(') { + if (filter_param[0] == '(') { snprintf(buf, buf_len, "(&%s%s)", user_filter, cert_filter); } else { From 754c37edf8b1e0afc0d995a92f2551b7adcd5f20 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Fri, 17 May 2019 15:32:35 +0200 Subject: [PATCH 014/111] Fix compiler warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit parse.c: In function ‘scconf_parse’: parse.c:389:3: warning: ‘strncpy’ output may be truncated copying 255 bytes from a string of length 255 [-Wstringop-truncation] strncpy(buffer, p.emesg, sizeof(buffer)-1); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ parse.c: In function ‘scconf_parse_string’: parse.c:416:3: warning: ‘strncpy’ output may be truncated copying 255 bytes from a string of length 255 [-Wstringop-truncation] strncpy(buffer, p.emesg, sizeof(buffer)-1); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ --- src/scconf/parse.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/scconf/parse.c b/src/scconf/parse.c index ad4f0ca2..d9d14cca 100644 --- a/src/scconf/parse.c +++ b/src/scconf/parse.c @@ -387,6 +387,7 @@ int scconf_parse(scconf_context * config) r = -1; } else if (p.error) { strncpy(buffer, p.emesg, sizeof(buffer)-1); + buffer[sizeof(buffer)-1] = '\0'; r = 0; } else { r = 1; @@ -414,6 +415,7 @@ int scconf_parse_string(scconf_context * config, const char *string) r = -1; } else if (p.error) { strncpy(buffer, p.emesg, sizeof(buffer)-1); + buffer[sizeof(buffer)-1] = '\0'; r = 0; } else { r = 1; From 86d9a8107ae16ff505f25fc3203153adcf50b8e9 Mon Sep 17 00:00:00 2001 
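Review bot: The added terminator is correct, but `strncpy` followed by a manual `buffer[sizeof(buffer)-1] = '\0'` is exactly the pattern the warning exists to discourage; `snprintf(buffer, sizeof(buffer), "%s", p.emesg);` copies, bounds and terminates in one call and replaces both lines. The same substitution applies to the identical hunk in scconf_parse_string below. Both functions continue outside their hunks.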
From: Ludovic Rousseau Date: Fri, 17 May 2019 15:37:47 +0200 Subject: [PATCH 015/111] Fix compiler warning and optimize speed MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit memcpy() should be faster than strncpy(). ./strings.h: In function ‘clone_str’: strings.c:53:2: warning: ‘strncpy’ output truncated before terminating nul copying as many bytes from a string as its length [-Wstringop-truncation] strncpy(dst,str,len); ^~~~~~~~~~~~~~~~~~~~ strings.c:50:14: note: length computed here size_t len= strlen(str); ^~~~~~~~~~~ --- src/common/strings.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/common/strings.c b/src/common/strings.c index 085b9529..08da869c 100644 --- a/src/common/strings.c +++ b/src/common/strings.c @@ -50,8 +50,7 @@ char *clone_str(const char *str) { size_t len= strlen(str); char *dst= malloc(1+len); if (!dst) return NULL; - strncpy(dst,str,len); - *(dst+len)='\0'; + memcpy(dst,str,len+1); return dst; } From f6b4365520781ccd12b97ce0af096ab42d986757 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Fri, 17 May 2019 15:40:36 +0200 Subject: [PATCH 016/111] Fix compiler warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The function split_static() is not used anywhere in the code. I could have removed the code but maybe some external mapper are using it? strings.c:158:9: warning: ‘strncpy’ specified bound depends on the length of the source argument [-Wstringop-overflow=] strncpy(dst,str,1+strlen(str)); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ strings.c:158:27: note: length computed here strncpy(dst,str,1+strlen(str)); ^~~~~~~~~~~ --- src/common/strings.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/common/strings.c b/src/common/strings.c index 08da869c..b06211cd 100644 --- a/src/common/strings.c +++ b/src/common/strings.c 
@@ -154,7 +154,7 @@ char **split_static(const char *str,char sep, int nelems,char *dst){ char *pt; char **res= calloc(nelems,sizeof(char*)); if ( (!res) || (!dst) ) return NULL; - strncpy(dst,str,1+strlen(str)); + strcpy(dst,str); for (pt=dst,n=0;n Date: Fri, 17 May 2019 15:43:34 +0200 Subject: [PATCH 017/111] Fix compiler warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit pkcs11_lib.c: In function ‘refresh_slots’: pkcs11_lib.c:1111:11: warning: declaration of ‘rv’ shadows a previous local [-Wshadow] CK_RV rv; ^~ pkcs11_lib.c:1056:9: note: shadowed declaration is here CK_RV rv; ^~ --- src/common/pkcs11_lib.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index a291baa9..4f7b609d 100644 --- a/src/common/pkcs11_lib.c +++ b/src/common/pkcs11_lib.c @@ -1108,7 +1108,6 @@ refresh_slots(pkcs11_handle_t *h) for (i = 0; i < h->slot_count; i++) { CK_SLOT_INFO sinfo; CK_TOKEN_INFO tinfo; - CK_RV rv; DBG1("slot %ld:", i + 1); rv = h->fl->C_GetSlotInfo(h->slots[i].id, &sinfo); From 03150494e6ac246c1bcf70f7cdf65875aca03284 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Fri, 17 May 2019 15:44:36 +0200 Subject: [PATCH 018/111] Fix compiler warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit pkcs11_lib.c: In function ‘init_pkcs11_module’: pkcs11_lib.c:1148:12: warning: unused variable ‘i’ [-Wunused-variable] CK_ULONG i; ^ --- src/common/pkcs11_lib.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index 4f7b609d..79cb6675 100644 --- a/src/common/pkcs11_lib.c +++ b/src/common/pkcs11_lib.c @@ -1145,7 +1145,6 @@ refresh_slots(pkcs11_handle_t *h) int init_pkcs11_module(pkcs11_handle_t *h,int flag) { int rv; - CK_ULONG i; /* CK_SLOT_ID_PTR slots; */ CK_INFO info; /* From dce544ead7730a9540ec8964141cdeb92ecb5837 Mon Sep 17 00:00:00 2001 
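Review bot: `strcpy(dst,str);` in `split_static` writes `strlen(str)+1` bytes into a caller-supplied `dst` whose capacity the function never learns; the behaviour is the same as the removed `strncpy(dst,str,1+strlen(str))`, so the bound remains entirely the caller's responsibility, and the commit message says external mappers may call this. A comment making the precondition explicit would help, e.g. `/* dst must hold at least strlen(str)+1 bytes: no bound is available here */`. The remainder of this hunk is garbled in this rendering (from `for (pt=dst,n=0;n` onward) and the function continues beyond it.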
From: Ludovic Rousseau Date: Fri, 17 May 2019 15:48:39 +0200 Subject: [PATCH 019/111] Fix compiler warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit null_mapper.c: In function ‘mapper_match_user’: mapper.h:206:6: warning: declaration of ‘match’ shadows a global declaration [-Wshadow] int match = 0; \ ^~~~~ null_mapper.c:60:1: note: in expansion of macro ‘_DEFAULT_MAPPER_MATCH_USER’ _DEFAULT_MAPPER_MATCH_USER ^~~~~~~~~~~~~~~~~~~~~~~~~~ null_mapper.c:43:12: note: shadowed declaration is here static int match=0; ^~~~~ --- src/mappers/null_mapper.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/mappers/null_mapper.c b/src/mappers/null_mapper.c index 1d30d0bd..2be51933 100644 --- a/src/mappers/null_mapper.c +++ b/src/mappers/null_mapper.c @@ -40,12 +40,12 @@ */ static const char *default_user = "nobody"; -static int match=0; +static int Match=0; static int debug=0; static char * mapper_find_user(X509 *x509,void *context,int *mp) { if ( !x509 ) return NULL; - if (match) { + if (Match) { *mp = 1; return clone_str((char *)default_user); } @@ -87,14 +87,14 @@ mapper_module * null_mapper_module_init(scconf_block *ctx,const char *mapper_nam mapper_module *pt= NULL; if (ctx) { default_user = scconf_get_str( ctx,"default_user",default_user); - match = scconf_get_bool( ctx,"default_match",0); + Match = scconf_get_bool( ctx,"default_match",0); debug = scconf_get_bool( ctx,"debug",0); } else { DBG1("No block declaration for mapper '%s'", mapper_name); } set_debug_level(debug); pt = init_mapper_st(ctx,mapper_name); - if (pt) DBG1("Null mapper match set to '%s'",match?"always":"never"); + if (pt) DBG1("Null mapper match set to '%s'",Match?"always":"never"); else DBG("Null mapper initialization failed"); return pt; } From 269d6c9acaeee2bd23fa7e4a099c9b6e141bce0e Mon Sep 17 00:00:00 2001 
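Review bot: Renaming the file-scope flag to `Match` in `static int Match=0;` and its three uses avoids the shadowing by the `_DEFAULT_MAPPER_MATCH_USER` macro's local `match`, but a capitalised identifier stands apart from the file's other snake_case statics `default_user` and `debug` and still differs from `match` only by case, which is easy to misread. A name tied to the option it stores reads better, e.g. `static int default_match=0;`, mirroring the `"default_match"` key read by `scconf_get_bool`. The bodies of `mapper_find_user` and `null_mapper_module_init` continue outside these hunks.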
From: Ludovic Rousseau Date: Fri, 17 May 2019 15:49:37 +0200 Subject: [PATCH 020/111] Fix compiler warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit openssh_mapper.c: In function ‘openssh_mapper_match_keys’: openssh_mapper.c:297:27: warning: assignment discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers] authrsa_e = RSA_get0_e(authrsa); ^ openssh_mapper.c:298:23: warning: assignment discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers] rsa_e = RSA_get0_e(rsa); ^ openssh_mapper.c:301:27: warning: assignment discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers] authrsa_n = RSA_get0_n(authrsa); ^ openssh_mapper.c:302:23: warning: assignment discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers] rsa_n = RSA_get0_n(rsa); ^ --- src/mappers/openssh_mapper.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/mappers/openssh_mapper.c b/src/mappers/openssh_mapper.c index aac097dc..d5229427 100644 --- a/src/mappers/openssh_mapper.c +++ b/src/mappers/openssh_mapper.c @@ -287,8 +287,8 @@ static int openssh_mapper_match_keys(X509 *x509, const char *filename) { fclose(fd); for (i = 0; i < nkeys; i++) { RSA *authrsa, *rsa; - BIGNUM *authrsa_n, *authrsa_e; - BIGNUM *rsa_n, *rsa_e; + const BIGNUM *authrsa_n, *authrsa_e; + const BIGNUM *rsa_n, *rsa_e; authrsa = EVP_PKEY_get1_RSA(authkey); if (!authrsa) continue; /* not RSA */ rsa = EVP_PKEY_get1_RSA(keys[i]); From e9d0c4ed016cc774ff1ed07f5be4c822b2ef4f2e Mon Sep 17 00:00:00 2001 
From: Ludovic Rousseau Date: Fri, 17 May 2019 16:15:01 +0200 Subject: [PATCH 021/111] Fix 64-bit pkcs11_inspect(1) fails on SPARC with a SIBGUS due to misaligned access A cast has been added in fa5b394b0523fd9254ddc2a8dea7a984699bceac (in 2005) and the problem was hidden. It was the wrong solution to fix a compiler warning. Fixes https://github.com/OpenSC/pam_pkcs11/issues/28 --- src/common/cert_info.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/common/cert_info.c b/src/common/cert_info.c index 12965e12..8254b7f2 100644 --- a/src/common/cert_info.c +++ b/src/common/cert_info.c @@ -670,7 +670,7 @@ static char **cert_info_sshpuk(X509 *x509) { const char *type; char *buf; unsigned char *blob,*pt,*data = NULL; - int data_len; + size_t data_len; int res; static char *entries[2] = { NULL,NULL }; const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; @@ -731,10 +731,10 @@ static char **cert_info_sshpuk(X509 *x509) { /* data_len=8192; */ data=calloc(data_len,sizeof(unsigned char)); if(!data) { - DBG1("calloc() to uuencode buffer '%d'",data_len); + DBG1("calloc() to uuencode buffer '%ld'",data_len); goto sshpuk_fail; } - res= base64_encode(blob,pt-blob,data,(size_t *) &data_len); + res= base64_encode(blob,pt-blob,data, &data_len); if (res<0) { DBG("BASE64 Encode failed"); goto sshpuk_fail; From 751eed9b5d6c96760798cb6399f43771b1d66b4d Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Fri, 17 May 2019 16:42:56 +0200 Subject: [PATCH 022/111] Get the key type from the private key This will allow to add support of non-RSA keys. Thanks to sovaeta for the patch https://github.com/OpenSC/pam_pkcs11/issues/23 --- src/common/pkcs11_lib.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index 79cb6675..cbbfe2a4 100644 --- a/src/common/pkcs11_lib.c +++ b/src/common/pkcs11_lib.c 
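Review bot: `DBG1("calloc() to uuencode buffer '%ld'",data_len);` in the `@@ -731` hunk pairs a `%ld` conversion with `data_len`, which this commit changes to `size_t`; the matching C99 conversion is `%zu`, i.e. `DBG1("calloc() to uuencode buffer '%zu'",data_len);`, which also removes the signed/unsigned mismatch that the `-Wformat` fixes in the neighbouring commits are chasing. Dropping the `(size_t *)` cast in the `base64_encode` call is the right fix for the misaligned access. `cert_info_sshpuk`'s body continues outside both hunks.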
@@ -1682,6 +1682,10 @@ int get_private_key(pkcs11_handle_t *h, cert_object_t *cert) { , {CKA_ID, NULL, 0} }; + CK_KEY_TYPE key_type; + CK_ATTRIBUTE attr_template[] = { + {CKA_KEY_TYPE, &key_type, sizeof(key_type)} + }; CK_OBJECT_HANDLE object; CK_ULONG object_count; int rv; @@ -1721,8 +1725,16 @@ int get_private_key(pkcs11_handle_t *h, cert_object_t *cert) { return -1; } + /* get private key type */ + rv = h->fl->C_GetAttributeValue(h->session, object, attr_template, sizeof(attr_template) / sizeof(CK_ATTRIBUTE)); + if (rv != CKR_OK) { + set_error("C_GetAttributeValue() failed! 0x%08lX", rv); + return -1; + } + DBG1("private key type: 0x%08lX", key_type); + cert->private_key = object; - cert->key_type = CKK_RSA; + cert->key_type = key_type; return 0; @@ -1764,7 +1776,7 @@ int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data, mechanism.mechanism = CKM_RSA_PKCS; break; default: - set_error("unsupported key type %d", cert->type); + set_error("unsupported private key type 0x%08X", cert->key_type); return -1; } /* compute hash-value */ From 4a89cf3dc481425bfb9e31f91039afc5bd30c0e5 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Fri, 17 May 2019 16:56:55 +0200 Subject: [PATCH 023/111] Add support of ECDSA signature in addition to RSA Thanks to sovaeta got the patch https://github.com/OpenSC/pam_pkcs11/issues/23 --- src/common/cert_vfy.c | 31 +++++++++++++++++++++++++++-- src/common/cert_vfy.h | 2 +- src/common/pam-pkcs11-ossl-compat.h | 2 ++ src/common/pkcs11_lib.c | 23 ++++++++++++++++++++- src/pam_pkcs11/pam_pkcs11.c | 2 +- 5 files changed, 55 insertions(+), 5 deletions(-) diff --git a/src/common/cert_vfy.c b/src/common/cert_vfy.c index fd809b00..7e6d8be3 100644 --- a/src/common/cert_vfy.c +++ b/src/common/cert_vfy.c 
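Review bot: `set_error("unsupported private key type 0x%08X", cert->key_type);` in the `@@ -1776` hunk prints a `CK_KEY_TYPE` (a `CK_ULONG`) with `%08X`, which expects `unsigned int`; the `DBG1("private key type: 0x%08lX", key_type);` added a few lines earlier already uses the right conversion, so the message should read `set_error("unsupported private key type 0x%08lX", cert->key_type);`. Conversely, the new `set_error("C_GetAttributeValue() failed! 0x%08lX", rv);` passes the `int rv` declared in this function for `%lX`; either declare `rv` as `CK_RV` or cast it at the call. `get_private_key` starts outside the first hunk and `sign_value` continues outside the last.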
@@ -499,11 +499,15 @@ int verify_certificate(X509 * x509, cert_policy *policy) } int verify_signature(X509 * x509, unsigned char *data, int data_length, - unsigned char *signature, int signature_length) + unsigned char **signature, int *signature_length) { int rv; EVP_PKEY *pubkey; EVP_MD_CTX *md_ctx = NULL; + ECDSA_SIG* ec_sig; + int sig_der_len; + int rs_len; + unsigned char *p = NULL; /* get the public-key */ pubkey = X509_get_pubkey(x509); @@ -511,11 +515,34 @@ int verify_signature(X509 * x509, unsigned char *data, int data_length, set_error("X509_get_pubkey() failed: %s", ERR_error_string(ERR_get_error(), NULL)); return -1; } + + DBG1("public key type: 0x%08lx", EVP_PKEY_base_id(pubkey)); + DBG1("public key bits: 0x%08lx", EVP_PKEY_bits(pubkey)); + + if (EVP_PKEY_base_id(pubkey) == EVP_PKEY_EC) { + rs_len = *signature_length / 2; + ec_sig = ECDSA_SIG_new(); + BN_bin2bn(*signature, rs_len, ECDSA_SIG_get0_r(ec_sig)); + BN_bin2bn(*signature + rs_len, rs_len, ECDSA_SIG_get0_s(ec_sig)); + *signature_length = i2d_ECDSA_SIG(ec_sig, &p); + free(*signature); + *signature = malloc(*signature_length); + p = *signature; + *signature_length = i2d_ECDSA_SIG(ec_sig, &p); + ECDSA_SIG_free(ec_sig); + } + md_ctx = EVP_MD_CTX_new(); /* verify the signature */ +#ifdef USE_HASH_SHA1 + DBG("hashing with SHA1"); EVP_VerifyInit(md_ctx, EVP_sha1()); +#else + DBG("hashing with SHA256"); + EVP_VerifyInit(md_ctx, EVP_sha256()); +#endif EVP_VerifyUpdate(md_ctx, data, data_length); - rv = EVP_VerifyFinal(md_ctx, signature, signature_length, pubkey); + rv = EVP_VerifyFinal(md_ctx, *signature, *signature_length, pubkey); EVP_PKEY_free(pubkey); EVP_MD_CTX_free(md_ctx); if (rv != 1) { diff --git a/src/common/cert_vfy.h b/src/common/cert_vfy.h index 657b212d..480b8405 100644 --- a/src/common/cert_vfy.h +++ b/src/common/cert_vfy.h 
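Review bot: In the new EC branch of the `@@ -511` hunk, `*signature_length = i2d_ECDSA_SIG(ec_sig, &p);` is first called with `p == NULL`, and the i2d functions allocate an output buffer in that case, so the DER encoding from that first call is leaked when `p = *signature;` overwrites the pointer; the length should be taken with `i2d_ECDSA_SIG(ec_sig, NULL)` instead. The same block ignores failures: `ECDSA_SIG_new()` and `malloc(*signature_length)` are unchecked, and a negative i2d return is stored into `*signature_length` and handed to `malloc` before the second encode writes through it. `ECDSA_SIG_get0_r`/`_s` return `const BIGNUM *` on OpenSSL 1.1, so using them as `BN_bin2bn` outputs discards const there. The rewritten branch below queries the length with a NULL output pointer and returns through the existing `set_error` path on each failure, releasing what it allocated; the function continues outside this hunk.
```c
	if (EVP_PKEY_base_id(pubkey) == EVP_PKEY_EC) {
		int der_len;

		rs_len = *signature_length / 2;
		ec_sig = ECDSA_SIG_new();
		if (ec_sig == NULL) {
			set_error("ECDSA_SIG_new() failed: %s", ERR_error_string(ERR_get_error(), NULL));
			EVP_PKEY_free(pubkey);
			return -1;
		}
		BN_bin2bn(*signature, rs_len, ECDSA_SIG_get0_r(ec_sig));
		BN_bin2bn(*signature + rs_len, rs_len, ECDSA_SIG_get0_s(ec_sig));
		/* NULL output pointer: ask for the DER length without letting i2d allocate */
		der_len = i2d_ECDSA_SIG(ec_sig, NULL);
		if (der_len <= 0) {
			set_error("i2d_ECDSA_SIG() failed: %s", ERR_error_string(ERR_get_error(), NULL));
			ECDSA_SIG_free(ec_sig);
			EVP_PKEY_free(pubkey);
			return -1;
		}
		p = malloc(der_len);
		if (p == NULL) {
			set_error("not enough free memory available");
			ECDSA_SIG_free(ec_sig);
			EVP_PKEY_free(pubkey);
			return -1;
		}
		free(*signature);
		*signature = p;
		*signature_length = i2d_ECDSA_SIG(ec_sig, &p);
		ECDSA_SIG_free(ec_sig);
	}
	/* … unchanged: EVP_MD_CTX_new(), EVP_VerifyInit/Update/Final … */
```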
@@ -78,7 +78,7 @@ CERTVFY_EXTERN int verify_certificate(X509 * x509, cert_policy *policy); *@param signature_length Length of signature byte array *@return 1 on signature vfy sucess, 0 on vfy fail, -1 on process error */ -CERTVFY_EXTERN int verify_signature(X509 * x509, unsigned char *data, int data_length, unsigned char *signature, int signature_length); +CERTVFY_EXTERN int verify_signature(X509 * x509, unsigned char *data, int data_length, unsigned char **signature, int *signature_length); #undef CERTVFY_EXTERN diff --git a/src/common/pam-pkcs11-ossl-compat.h b/src/common/pam-pkcs11-ossl-compat.h index 9a03e307..d9a3dc42 100644 --- a/src/common/pam-pkcs11-ossl-compat.h +++ b/src/common/pam-pkcs11-ossl-compat.h @@ -98,6 +98,8 @@ extern "C" { #define X509_OBJECT_get0_X509_CRL(x) (x->data.crl) #define RSA_get0_e(x) (x->e) #define RSA_get0_n(x) (x->n) +#define ECDSA_SIG_get0_r(x) (x->r) +#define ECDSA_SIG_get0_s(x) (x->s) #define X509_OBJECT_free(x) ({ \ if (x) { \ diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index cbbfe2a4..6948b88b 100644 --- a/src/common/pkcs11_lib.c +++ b/src/common/pkcs11_lib.c @@ -1760,8 +1760,14 @@ int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data, CK_ULONG length, CK_BYTE **signature, CK_ULONG *signature_length) { int rv; + int h_offset = 0; +#ifdef USE_HASH_SHA1 CK_BYTE hash[15 + SHA_DIGEST_LENGTH] = "\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14"; +#else + CK_BYTE hash[19 + SHA256_DIGEST_LENGTH] = + "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20"; +#endif CK_MECHANISM mechanism = { 0, NULL, 0 }; 
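Review bot: The prototype change to `unsigned char **signature, int *signature_length` makes both arguments in/out — the OpenSSL implementation frees and replaces `*signature` with a DER-encoded ECDSA_SIG for EC keys and rewrites `*signature_length` — yet the Doxygen block above still documents `signature_length` as a plain `Length of signature byte array`. The two parameter lines should say so, e.g. `*@param signature In/out: malloc'd signature; for EC keys it is freed and replaced by its DER encoding, the caller still frees it` and `*@param signature_length In/out: length of *signature, updated when the buffer is replaced`. The `@param signature` line itself is presumably just above this hunk.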
@@ -1775,14 +1781,29 @@ int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data, case CKK_RSA: mechanism.mechanism = CKM_RSA_PKCS; break; + case CKK_ECDSA: + mechanism.mechanism = CKM_ECDSA; +#ifdef USE_HASH_SHA1 + h_offset = 15; +#else + h_offset = 19; +#endif + break; default: set_error("unsupported private key type 0x%08X", cert->key_type); return -1; } /* compute hash-value */ +#ifdef USE_HASH_SHA1 + DBG("hashing with SHA1"); SHA1(data, length, &hash[15]); DBG5("hash[%ld] = [...:%02x:%02x:%02x:...:%02x]", sizeof(hash), hash[15], hash[16], hash[17], hash[sizeof(hash) - 1]); +#else + SHA256(data, length, &hash[19]); + DBG5("hash[%ld] = [...:%02x:%02x:%02x:...:%02x]", sizeof(hash), + hash[19], hash[20], hash[21], hash[sizeof(hash) - 1]); +#endif /* sign the token */ rv = h->fl->C_SignInit(h->session, &mechanism, cert->private_key); if (rv != CKR_OK) { @@ -1797,7 +1818,7 @@ int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data, set_error("not enough free memory available"); return -1; } - rv = h->fl->C_Sign(h->session, hash, sizeof(hash), *signature, signature_length); + rv = h->fl->C_Sign(h->session, hash + h_offset, sizeof(hash) - h_offset, *signature, signature_length); if (rv == CKR_BUFFER_TOO_SMALL) { /* increase signature length as long as it it to short */ free(*signature); diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index b44fbe92..a4a3e09f 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c @@ -726,7 +726,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons /* verify the signature */ DBG("verifying signature..."); rv = verify_signature((X509 *)get_X509_certificate(chosen_cert), - random_value, sizeof(random_value), signature, signature_length); + random_value, sizeof(random_value), &signature, &signature_length); if (signature != NULL) { free(signature); } From a78af08b2471323faac83d38f1f449933e97ed78 Mon Sep 17 00:00:00 2001 
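Review bot: `case CKK_ECDSA:` uses the key-type name that the PKCS#11 v2.11+ headers mark as deprecated in favour of the identical `CKK_EC`; since `CKM_ECDSA` is the mechanism on the next line, writing the case as `case CKK_EC:` keeps key types and mechanisms visibly distinct and matches current headers. The new SHA-256 `DBG5("hash[%ld] = ...", sizeof(hash), ...)` repeats the `%ld`-for-`size_t` mismatch of the SHA-1 line it mirrors; `%zu` is the portable conversion. `sign_value` starts and continues outside this hunk.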
From: Ludovic Rousseau Date: Fri, 17 May 2019 16:59:31 +0200 Subject: [PATCH 024/111] Fix signature length computation The correct length to use is returned by C_Sign() so no need to manually increase the signature length. Thanks to sovaeta for the patch https://github.com/OpenSC/pam_pkcs11/issues/23 --- src/common/pkcs11_lib.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index 6948b88b..77c67161 100644 --- a/src/common/pkcs11_lib.c +++ b/src/common/pkcs11_lib.c @@ -1811,7 +1811,7 @@ int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data, return -1; } *signature = NULL; - *signature_length = 128; + *signature_length = 64; while (*signature == NULL) { *signature = malloc(*signature_length); if (*signature == NULL) { @@ -1823,7 +1823,6 @@ int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data, /* increase signature length as long as it it to short */ free(*signature); *signature = NULL; - *signature_length *= 2; DBG1("increased signature buffer-length to %ld", *signature_length); } else if (rv != CKR_OK) { free(*signature); From bc95a748470d84ff443c9d81292d40c1676fb080 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Sun, 19 May 2019 16:59:29 +0200 Subject: [PATCH 025/111] Do not use a specific version in README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d84a00b7..ddec6ac5 100644 --- a/README.md +++ b/README.md @@ -62,7 +62,7 @@ contents to a login name. Download -------- -* [pam\_pkcs11-0.6.9.tar.gz](http://sourceforge.net/projects/opensc/files/pam_pkcs11/) +* [pam\_pkcs11-x.y.z.tar.gz](http://sourceforge.net/projects/opensc/files/pam_pkcs11/) Packages for [various Linux distributions](https://repology.org/metapackage/pam-pkcs11) are From 04f8b09080d7f48ec5ecd91a3d549aa134e016c4 Mon Sep 17 00:00:00 2001 
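Review bot: With `*signature_length *= 2;` removed, the `while (*signature == NULL)` loop relies entirely on the module raising `*signature_length` when `C_Sign` returns `CKR_BUFFER_TOO_SMALL`; a module that returns that code without updating the length would spin forever reallocating the same 64 bytes. A cheap guard is to remember the requested size and fail if it did not grow, e.g. `CK_ULONG asked = *signature_length;` before the call and `if (*signature_length <= asked) { set_error("C_Sign() did not report the required signature length"); return -1; }` in the too-small branch. PKCS#11 also lets `C_Sign` be called with a NULL signature buffer to query the needed length, which would remove the retry loop altogether. The `DBG1("increased signature buffer-length to %ld", ...)` text is now misleading since nothing in this function increases it. `sign_value`'s body continues outside both hunks.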
From: Ludovic Rousseau Date: Mon, 20 May 2019 16:27:44 +0200 Subject: [PATCH 026/111] Fix support of NSS after ECDSA addition MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix compiler error: cert_vfy.c: At top level: cert_vfy.c:44:5: error: conflicting types for ‘verify_signature’ int verify_signature(X509 * x509, unsigned char *data, int data_length, ^~~~~~~~~~~~~~~~ In file included from cert_vfy.c:18:0: cert_vfy.h:81:20: note: previous declaration of ‘verify_signature’ was here CERTVFY_EXTERN int verify_signature(X509 * x509, unsigned char *data, int data_length, unsigned char **signature, int *signature_length); ^~~~~~~~~~~~~~~~ --- src/common/cert_vfy.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/common/cert_vfy.c b/src/common/cert_vfy.c index 7e6d8be3..f82bf31b 100644 --- a/src/common/cert_vfy.c +++ b/src/common/cert_vfy.c @@ -42,7 +42,7 @@ int verify_certificate(X509 * x509, cert_policy *policy) } int verify_signature(X509 * x509, unsigned char *data, int data_length, - unsigned char *signature, int signature_length) + unsigned char **signature, int *signature_length) { SECKEYPublicKey *key; @@ -60,8 +60,8 @@ int verify_signature(X509 * x509, unsigned char *data, int data_length, /* shouldn't the algorithm be passed in? */ algid = SEC_GetSignatureAlgorithmOidTag(key->keyType, SEC_OID_SHA1); - sig.data = signature; - sig.len = signature_length; + sig.data = *signature; + sig.len = *signature_length; rv = VFY_VerifyData(data, data_length, key, &sig, algid, NULL); if (rv != SECSuccess) { DBG1("Couldn't verify Signature: %s", SECU_Strerror(PR_GetError())); From f4a9ac19b069789a5b2f4f7e674690d0f0a50686 Mon Sep 17 00:00:00 2001 
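Review bot: The NSS variant of `verify_signature` still derives its algorithm with `SEC_GetSignatureAlgorithmOidTag(key->keyType, SEC_OID_SHA1)`, while the OpenSSL variant and `sign_value` changed in the ECDSA commit hash with SHA-256 unless `USE_HASH_SHA1` is defined; if the NSS build shares that `sign_value` path, signatures made over a SHA-256 digest will be verified as SHA-1 and fail. The algid selection should follow the same `USE_HASH_SHA1` conditional, selecting `SEC_OID_SHA256` in the default case. Whether the NSS build reaches that `sign_value` is not visible here, so this needs confirming against the build configuration. The function continues outside both hunks.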
From: Ludovic Rousseau Date: Mon, 20 May 2019 16:34:44 +0200 Subject: [PATCH 027/111] Fix verify_signature() API MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix compiler warning: pam_pkcs11.c:729:62: warning: passing argument 5 of ‘verify_signature’ from incompatible pointer type [-Wincompatible-pointer-types] random_value, sizeof(random_value), &signature, &signature_length); ^ In file included from pam_pkcs11.c:45:0: ../common/cert_vfy.h:81:20: note: expected ‘int *’ but argument is of type ‘long unsigned int *’ CERTVFY_EXTERN int verify_signature(X509 * x509, unsigned char *data, int data_length, unsigned char **signature, int *signature_length); ^~~~~~~~~~~~~~~~ --- src/common/cert_vfy.c | 4 ++-- src/common/cert_vfy.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/common/cert_vfy.c b/src/common/cert_vfy.c index f82bf31b..2c2ed992 100644 --- a/src/common/cert_vfy.c +++ b/src/common/cert_vfy.c @@ -42,7 +42,7 @@ int verify_certificate(X509 * x509, cert_policy *policy) } int verify_signature(X509 * x509, unsigned char *data, int data_length, - unsigned char **signature, int *signature_length) + unsigned char **signature, unsigned long *signature_length) { SECKEYPublicKey *key; @@ -499,7 +499,7 @@ int verify_certificate(X509 * x509, cert_policy *policy) } int verify_signature(X509 * x509, unsigned char *data, int data_length, - unsigned char **signature, int *signature_length) + unsigned char **signature, unsigned long *signature_length) { int rv; EVP_PKEY *pubkey; diff --git a/src/common/cert_vfy.h b/src/common/cert_vfy.h index 480b8405..c068558e 100644 --- a/src/common/cert_vfy.h +++ b/src/common/cert_vfy.h 
@@ -78,7 +78,7 @@ CERTVFY_EXTERN int verify_certificate(X509 * x509, cert_policy *policy); *@param signature_length Length of signature byte array *@return 1 on signature vfy sucess, 0 on vfy fail, -1 on process error */ -CERTVFY_EXTERN int verify_signature(X509 * x509, unsigned char *data, int data_length, unsigned char **signature, int *signature_length); +CERTVFY_EXTERN int verify_signature(X509 * x509, unsigned char *data, int data_length, unsigned char **signature, unsigned long *signature_length); #undef CERTVFY_EXTERN From 2d860c0e91fb99a3ceb600673c34fa0824f5500a Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Mon, 20 May 2019 16:39:25 +0200 Subject: [PATCH 028/111] Fix DBG1() use MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit pkcs11_eventmgr.c: In function ‘main’: pkcs11_eventmgr.c:482:9: warning: too many arguments for format [-Wformat-extra-args] DBG1("Malloc failed when allocating module spec", ^ ../common/debug.h:55:54: note: in definition of macro ‘DBG1’ #define DBG1(f,a) debug_print(1, __FILE__, __LINE__, f , a ) ^ pkcs11_eventmgr.c:510:26: warning: statement with no effect [-Wunused-value] for (; modList; modList->next) ~~~~~~~^~~~~~ In file included from pkcs11_eventmgr.c:33:0: pkcs11_eventmgr.c:531:9: warning: too many arguments for format [-Wformat-extra-args] DBG1("Error in daemon() call", strerror(errno)); ^ ../common/debug.h:55:54: note: in definition of macro ‘DBG1’ #define DBG1(f,a) debug_print(1, __FILE__, __LINE__, f , a ) ^ --- src/tools/pkcs11_eventmgr.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/tools/pkcs11_eventmgr.c b/src/tools/pkcs11_eventmgr.c index 0ec28be4..c3dfcdfc 100644 --- a/src/tools/pkcs11_eventmgr.c +++ b/src/tools/pkcs11_eventmgr.c 
@@ -479,7 +479,7 @@ int main(int argc, char *argv[]) malloc(sizeof(SPEC_TEMPLATE) + strlen(pkcs11_module)); if (!moduleSpec) { - DBG1("Malloc failed when allocating module spec", + DBG1("Malloc failed when allocating module spec: %s", strerror(errno)); return 1; } @@ -528,7 +528,7 @@ int main(int argc, char *argv[]) DBG("Going to be daemon..."); if (daemon(0, debug) < 0) { - DBG1("Error in daemon() call", strerror(errno)); + DBG1("Error in daemon() call: %s", strerror(errno)); SECMOD_DestroyModule(module); rv = NSS_Shutdown(); if (ctx) From 2ce043bcbf9a4a083fec7c00da0c21fabca9a9d0 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Mon, 20 May 2019 16:42:03 +0200 Subject: [PATCH 029/111] Fix DBG2() use MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In file included from pkcs11_lib.c:31:0: pkcs11_lib.c: In function ‘find_module_by_library’: pkcs11_lib.c:265:10: warning: format ‘%x’ expects argument of type ‘unsigned int’, but argument 5 has type ‘SECMODModuleList * {aka struct SECMODModuleListStr *}’ [-Wformat=] DBG2("modList = 0x%x next = 0x%x\n", modList, modList->next); ^ debug.h:56:56: note: in definition of macro ‘DBG2’ #define DBG2(f,a,b) debug_print(1, __FILE__, __LINE__, f , a , b ) ^ pkcs11_lib.c:265:10: warning: format ‘%x’ expects argument of type ‘unsigned int’, but argument 6 has type ‘SECMODModuleList * {aka struct SECMODModuleListStr *}’ [-Wformat=] DBG2("modList = 0x%x next = 0x%x\n", modList, modList->next); ^ debug.h:56:56: note: in definition of macro ‘DBG2’ #define DBG2(f,a,b) debug_print(1, __FILE__, __LINE__, f , a , b ) ^ --- src/common/pkcs11_lib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index 77c67161..1fa2c32c 100644 --- a/src/common/pkcs11_lib.c +++ b/src/common/pkcs11_lib.c 
@@ -262,7 +262,7 @@ static SECMODModule *find_module_by_library(char *pkcs11_module) DBG("Looking up module in list"); for ( ; modList; modList = modList->next) { char *dllName = modList->module->dllName; - DBG2("modList = 0x%x next = 0x%x\n", modList, modList->next); + DBG2("modList = %p next = %p\n", modList, modList->next); DBG1("dllName= %s \n", dllName ? dllName : ""); if (dllName && strcmp(dllName,pkcs11_module) == 0) { module = SECMOD_ReferenceModule(modList->module); From d853d94dc2cf02eb4d75d9bf23122e0d3f7a52c7 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Mon, 20 May 2019 16:43:25 +0200 Subject: [PATCH 030/111] Fix DBG1() use MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In file included from pkcs11_lib.c:31:0: pkcs11_lib.c:306:10: warning: too many arguments for format [-Wformat-extra-args] DBG1("Malloc failed when allocating module spec", strerror(errno)); ^ debug.h:55:54: note: in definition of macro ‘DBG1’ #define DBG1(f,a) debug_print(1, __FILE__, __LINE__, f , a ) ^ --- src/common/pkcs11_lib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index 1fa2c32c..dcad2ee5 100644 --- a/src/common/pkcs11_lib.c +++ b/src/common/pkcs11_lib.c @@ -303,7 +303,7 @@ int load_pkcs11_module(const char *pkcs11_module, pkcs11_handle_t **hp) /* specified module is not already loaded, load it now */ moduleSpec = malloc(sizeof(SPEC_TEMPLATE) + strlen(pkcs11_module)); if (!moduleSpec) { - DBG1("Malloc failed when allocating module spec", strerror(errno)); + DBG1("Malloc failed when allocating module spec: %s", strerror(errno)); free (h); return -1; } From 716303b97e4111beb15e7b6da3b090fe9aeb53c1 Mon Sep 17 00:00:00 2001 
From: Ludovic Rousseau Date: Mon, 20 May 2019 16:45:02 +0200 Subject: [PATCH 031/111] Fix compiler warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit pkcs11_lib.c: In function ‘load_pkcs11_module’: pkcs11_lib.c:295:35: warning: passing argument 1 of ‘find_module_by_library’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers] module = find_module_by_library(pkcs11_module); ^~~~~~~~~~~~~ pkcs11_lib.c:255:22: note: expected ‘char *’ but argument is of type ‘const char *’ static SECMODModule *find_module_by_library(char *pkcs11_module) ^~~~~~~~~~~~~~~~~~~~~~ --- src/common/pkcs11_lib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index dcad2ee5..f5a2b7bf 100644 --- a/src/common/pkcs11_lib.c +++ b/src/common/pkcs11_lib.c @@ -252,7 +252,7 @@ int crypto_init(cert_policy *policy) { } -static SECMODModule *find_module_by_library(char *pkcs11_module) +static SECMODModule *find_module_by_library(const char *pkcs11_module) { SECMODModule *module = NULL; SECMODModuleList *modList = SECMOD_GetDefaultModuleList(); From c02ad0ecb9573a924d3a63e42b2a2c4557329fe0 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Mon, 20 May 2019 16:47:38 +0200 Subject: [PATCH 032/111] Fix DBG1() use MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In file included from cert_info.c:26:0: cert_info.c: In function ‘cert_info_digest’: cert_info.c:123:10: warning: too many arguments for format [-Wformat-extra-args] DBG1("Invalid digest algorithm, using 'sha1'",algorithm); ^ debug.h:55:54: note: in definition of macro ‘DBG1’ #define DBG1(f,a) debug_print(1, __FILE__, __LINE__, f , a ) ^ --- src/common/cert_info.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/common/cert_info.c b/src/common/cert_info.c index 8254b7f2..738dcac5 100644 --- a/src/common/cert_info.c +++ b/src/common/cert_info.c 
@@ -120,7 +120,7 @@ static char **cert_info_digest(X509 *x509, ALGORITHM_TYPE algorithm) { if (type == HASH_AlgNULL) { type = HASH_AlgSHA1; - DBG1("Invalid digest algorithm, using 'sha1'",algorithm); + DBG1("Invalid digest algorithm 0x%X, using 'sha1'",algorithm); } HASH_HashBuf(type, data, x509->derCert.data, x509->derCert.len); entries[0] = bin2hex(data,HASH_ResultLen(type)); From b4f1fdde48293cb27abed4e1772e6e6a3c8d4793 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Mon, 20 May 2019 16:50:13 +0200 Subject: [PATCH 033/111] pkcs11_eventmgr: Fix NSS module iteration MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit pkcs11_eventmgr.c: In function ‘main’: pkcs11_eventmgr.c:510:26: warning: statement with no effect [-Wunused-value] for (; modList; modList->next) ~~~~~~~^~~~~~ --- src/tools/pkcs11_eventmgr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tools/pkcs11_eventmgr.c b/src/tools/pkcs11_eventmgr.c index c3dfcdfc..a7e07d00 100644 --- a/src/tools/pkcs11_eventmgr.c +++ b/src/tools/pkcs11_eventmgr.c @@ -507,7 +507,7 @@ int main(int argc, char *argv[]) /* threaded applications should also acquire the * DefaultModuleListLock */ DBG("Looking up new module\n"); - for (; modList; modList->next) + for (; modList; modList = modList->next) { if (SECMOD_HasRemovableSlots(modList->module)) { From bed38a565b505b167ee365153e468cf683a222ec Mon Sep 17 00:00:00 2001 
From: Ludovic Rousseau Date: Mon, 20 May 2019 17:05:43 +0200 Subject: [PATCH 034/111] Fix DBG1() use MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit cert_vfy.c: In function ‘verify_signature’: cert_vfy.c:519:8: warning: format ‘%lx’ expects argument of type ‘long unsigned int’, but argument 5 has type ‘int’ [-Wformat=] DBG1("public key type: 0x%08lx", EVP_PKEY_base_id(pubkey)); ^ debug.h:55:54: note: in definition of macro ‘DBG1’ #define DBG1(f,a) debug_print(1, __FILE__, __LINE__, f , a ) ^ cert_vfy.c:520:8: warning: format ‘%lx’ expects argument of type ‘long unsigned int’, but argument 5 has type ‘int’ [-Wformat=] DBG1("public key bits: 0x%08lx", EVP_PKEY_bits(pubkey)); ^ debug.h:55:54: note: in definition of macro ‘DBG1’ #define DBG1(f,a) debug_print(1, __FILE__, __LINE__, f , a ) ^ --- src/common/cert_vfy.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/common/cert_vfy.c b/src/common/cert_vfy.c index 2c2ed992..69834105 100644 --- a/src/common/cert_vfy.c +++ b/src/common/cert_vfy.c @@ -516,8 +516,8 @@ int verify_signature(X509 * x509, unsigned char *data, int data_length, return -1; } - DBG1("public key type: 0x%08lx", EVP_PKEY_base_id(pubkey)); - DBG1("public key bits: 0x%08lx", EVP_PKEY_bits(pubkey)); + DBG1("public key type: 0x%08x", EVP_PKEY_base_id(pubkey)); + DBG1("public key bits: 0x%08x", EVP_PKEY_bits(pubkey)); if (EVP_PKEY_base_id(pubkey) == EVP_PKEY_EC) { rs_len = *signature_length / 2; From 3b3f6876d89f937efbace83613e620675f15f476 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Mon, 20 May 2019 17:06:24 +0200 Subject: [PATCH 035/111] Fix compiler warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit cert_vfy.c: In function ‘verify_signature’: cert_vfy.c:508:7: warning: unused variable ‘sig_der_len’ [-Wunused-variable] int sig_der_len; ^~~~~~~~~~~ --- src/common/cert_vfy.c | 1 - 1 file changed, 1 deletion(-) 
diff --git a/src/common/cert_vfy.c b/src/common/cert_vfy.c index 69834105..ffdb76ed 100644 --- a/src/common/cert_vfy.c +++ b/src/common/cert_vfy.c @@ -505,7 +505,6 @@ int verify_signature(X509 * x509, unsigned char *data, int data_length, EVP_PKEY *pubkey; EVP_MD_CTX *md_ctx = NULL; ECDSA_SIG* ec_sig; - int sig_der_len; int rs_len; unsigned char *p = NULL; From d681296215c4a4988accf9236045749addd1ef57 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Wed, 22 May 2019 11:59:01 +0200 Subject: [PATCH 036/111] README: remove the release number --- README | 1 - 1 file changed, 1 deletion(-) diff --git a/README b/README index b7189c60..848df3d1 100644 --- a/README +++ b/README @@ -1,7 +1,6 @@ This is the README of the PKCS #11 PAM Login Module ====================================================================== -Release: 0.6.10 Authors: Mario Strasser Juan Antonio Martinez Ludovic Rouseau From 33072ec36631c884b09c545058551675bf22e199 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Wed, 22 May 2019 12:11:54 +0200 Subject: [PATCH 037/111] Release 0.6.11 Signed-off-by: Ludovic Rousseau --- ChangeLog | 9 +++++++++ NEWS | 9 +++++++++ configure.ac | 2 +- 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index b2a90cdc..bad58b5e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +22- May 2019 + - Version 0.6.11 + - Support OpenSSL 1.1.0 + - use green instead of blue text for logs on the console + - Solaris runs build process outside of srcdir + - Fix openssh_mapper_match_keys() for OpenSSL 1.0 & 1.1 + - Fix 64-bit pkcs11_inspect(1) fails on SPARC with a SIBGUS due to misaligned access + - Add support of ECDSA signature in addition to RSA + 12- Sep 2018 - Version 0.6.10 is out. - Fixed some security issues (thx @frankmorgner): diff --git a/NEWS b/NEWS index b64fd67e..e25d55f7 100644 --- a/NEWS +++ b/NEWS 
@@ -1,3 +1,12 @@ +22- May 2019 + - Version 0.6.11 + - Support OpenSSL 1.1.0 + - use green instead of blue text for logs on the console + - Solaris runs build process outside of srcdir + - Fix openssh_mapper_match_keys() for OpenSSL 1.0 & 1.1 + - Fix 64-bit pkcs11_inspect(1) fails on SPARC with a SIBGUS due to misaligned access + - Add support of ECDSA signature in addition to RSA + 12- Sep 2018 - Version 0.6.10 is out. - Fixed some security issues (thx @frankmorgner): diff --git a/configure.ac b/configure.ac index a773f733..7ce10463 100644 --- a/configure.ac +++ b/configure.ac @@ -4,7 +4,7 @@ AC_PREREQ([2.69]) # Process this file with autoconf to produce a configure script. -AC_INIT([pam_pkcs11],[0.6.10]) +AC_INIT([pam_pkcs11],[0.6.11]) AC_CONFIG_SRCDIR([src/pam_pkcs11/pam_pkcs11.c]) AC_CANONICAL_HOST AM_INIT_AUTOMAKE From 372a676635b9237b39d4e7116475f2797c24aeb6 Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Tue, 24 Oct 2017 16:34:27 +0300 Subject: [PATCH 038/111] Fixed double free() in refresh_slots() --- src/common/pkcs11_lib.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index a291baa9..616c230e 100644 --- a/src/common/pkcs11_lib.c +++ b/src/common/pkcs11_lib.c @@ -1067,6 +1067,7 @@ refresh_slots(pkcs11_handle_t *h) /* number of slots has changed */ if (slot_count != h->slot_count) { free(h->slots); + h->slots = NULL; /* get a list of all slots */ rv = h->fl->C_GetSlotList(FALSE, NULL, &h->slot_count); From ae3a851dfe5e990897dfc6c104bdc8afb917bea6 Mon Sep 17 00:00:00 2001 From: AngusMcGyver <56880439+AngusMcGyver@users.noreply.github.com> Date: Fri, 7 Aug 2020 09:49:15 +0200 Subject: [PATCH 039/111] change for issue 46 see https://github.com/OpenSC/pam_pkcs11/issues/46 --- src/common/pkcs11_lib.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index f5a2b7bf..8c6fce77 100644 --- a/src/common/pkcs11_lib.c 
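Review bot: `h->slots = NULL;` removes the double free, but `h->slot_count` keeps its old value on the error return that follows it: when the `C_GetSlotList(FALSE, NULL, &h->slot_count)` call fails, `refresh_slots` returns -1 with `h->slots == NULL` while `h->slot_count` may still be non-zero, and the `for (idx = 0; idx < h->slot_count; idx++)` walk over `h->slots[idx]` in `find_slot_by_slotlabel` (visible in a later hunk on this page) would then dereference NULL. Reset both together: `free(h->slots); h->slots = NULL; h->slot_count = 0;`. refresh_slots starts and ends outside this hunk, so whether any caller re-checks the count after a failed refresh is not visible here.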
+++ b/src/common/pkcs11_lib.c @@ -522,7 +522,7 @@ find_slot_by_slotlabel(pkcs11_handle_t *h, const char *wanted_slot_label, slot = PK11_ReferenceSlot(module->slots[i]); slot_label = PK11_GetSlotName(slot); if (memcmp_pad_max((void *)slot_label, strlen(slot_label), - (void *)wanted_slot_label, strlen(wanted_slot_label), 64) == 0) { + (void *)wanted_slot_label, strlen(wanted_slot_label), strlen(wanted_slot_label)) == 0) { h->slot = slot; *slotID = PK11_GetSlotID(slot); return 0; @@ -1303,7 +1303,7 @@ find_slot_by_slotlabel(pkcs11_handle_t *h, const char *wanted_slot_label, for (idx = 0; idx < h->slot_count; idx++) { if (h->slots[idx].token_present && memcmp_pad_max(h->slots[idx].slotDescription, 64, - (void *)wanted_slot_label, len, 64) == 0) { + (void *)wanted_slot_label, len, len) == 0) { *slot_num = idx; return (0); } @@ -1347,7 +1347,7 @@ find_slot_by_slotlabel_and_tokenlabel(pkcs11_handle_t *h, const char *token_label = h->slots[i].label; if ((memcmp_pad_max((void *)slot_label, strlen(slot_label), - (void *)wanted_slot_label, strlen(wanted_slot_label), 64) == 0) && + (void *)wanted_slot_label, strlen(wanted_slot_label), strlen(wanted_slot_label)) == 0) && (memcmp_pad_max((void *)token_label, strlen(token_label), (void *)wanted_token_label, strlen(wanted_token_label), 33) == 0)) { From 6d33a04b4a3631f3b9579be80faa1cad7688d1a8 Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Fri, 14 Aug 2020 14:53:09 +0300 Subject: [PATCH 040/111] Fixed the format strings for error code values Signed-off-by: Paul Wolneykien --- src/common/pkcs11_lib.c | 60 ++++++++++++++++++++--------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index f5a2b7bf..4ecd09ab 100644 --- a/src/common/pkcs11_lib.c +++ b/src/common/pkcs11_lib.c 
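Review bot: Replacing the fixed `64` by `strlen(wanted_slot_label)` as the last argument of `memcmp_pad_max` in all three hunks appears to turn the padded, full-width comparison into a prefix comparison: if `memcmp_pad_max` only compares the first `max_len` bytes (its definition is not on this page), a configured label such as `Reader` now also matches a slot labelled `Reader 2`, and in the second hunk the 64-byte `slotDescription` only has to begin with the wanted label. The slot selected here determines which token is used to authenticate the user, so the match should be exact, or a prefix match should be a documented, deliberate choice rather than a side effect of the length argument; note that the token-label comparison in the third hunk still passes its padded length `33`. If prefix matching is intended, say so at the call sites, e.g. `/* prefix match: the configured label may be shorter than the slot description */`; otherwise keep the padded length and fix the comparison inside `memcmp_pad_max`.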
@@ -1040,7 +1040,7 @@ int load_pkcs11_module(const char *module, pkcs11_handle_t **hp) } rv = C_GetFunctionList_ptr(&h->fl); if (rv != CKR_OK) { - set_error("C_GetFunctionList() failed: 0x%08lX", rv); + set_error("C_GetFunctionList() failed: %i", rv); free(h); return -1; } @@ -1060,7 +1060,7 @@ refresh_slots(pkcs11_handle_t *h) slots = NULL; rv = h->fl->C_GetSlotList(FALSE, NULL, &slot_count); if (rv != CKR_OK) { - set_error("C_GetSlotList() failed: 0x%08lX", rv); + set_error("C_GetSlotList() failed: %i", rv); return -1; } @@ -1071,7 +1071,7 @@ refresh_slots(pkcs11_handle_t *h) /* get a list of all slots */ rv = h->fl->C_GetSlotList(FALSE, NULL, &h->slot_count); if (rv != CKR_OK) { - set_error("C_GetSlotList() failed: 0x%08lX", rv); + set_error("C_GetSlotList() failed: %i", rv); return -1; } DBG1("number of slots (a): %ld", h->slot_count); @@ -1094,7 +1094,7 @@ refresh_slots(pkcs11_handle_t *h) rv = h->fl->C_GetSlotList(FALSE, slots, &h->slot_count); if (rv != CKR_OK) { free(slots); - set_error("C_GetSlotList() failed: 0x%08lX", rv); + set_error("C_GetSlotList() failed: %i", rv); return -1; } DBG1("number of slots (b): %ld", h->slot_count); @@ -1112,7 +1112,7 @@ refresh_slots(pkcs11_handle_t *h) DBG1("slot %ld:", i + 1); rv = h->fl->C_GetSlotInfo(h->slots[i].id, &sinfo); if (rv != CKR_OK) { - set_error("C_GetSlotInfo() failed: 0x%08lX", rv); + set_error("C_GetSlotInfo() failed: %i", rv); return -1; } @@ -1126,7 +1126,7 @@ refresh_slots(pkcs11_handle_t *h) DBG("- token:"); rv = h->fl->C_GetTokenInfo(h->slots[i].id, &tinfo); if (rv != CKR_OK) { - set_error("C_GetTokenInfo() failed: 0x%08lX", rv); + set_error("C_GetTokenInfo() failed: %i", rv); return -1; } DBG1(" - label: %.32s", tinfo.label); 
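Review bot: `%i` with `rv` is a format/argument mismatch in every `set_error` call of this commit: `rv` is a `CK_RV`, an unsigned long (the later commit "Fixed format for CK_RV error code" on this page says the same), so passing it to `%i` is undefined behaviour and on LP64 typically prints only the low 32 bits of the `CKR_` code these messages exist to report. The follow-up commits restore `0x%08lX` only for `C_GetSlotList`, `C_GetSlotInfo` and `C_GetTokenInfo` inside `refresh_slots`; the hunks for `C_GetFunctionList`, `C_Initialize`, `C_GetInfo`, `C_OpenSession`, `C_Login`, the two `get_slot_*` readers, `C_Logout`/`C_CloseSession`, `get_certificate_list`, `get_private_key` and `sign_value` keep `%i`. The original `set_error("C_GetFunctionList() failed: 0x%08lX", rv);` was correct and should be kept wherever `rv` is a `CK_RV`. Separately, in `get_private_key` the message `No private key found for cert: %i` prints `rv`, which is `CKR_OK` on that path, so the value carries no information and could be dropped.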
@@ -1167,13 +1167,13 @@ int init_pkcs11_module(pkcs11_handle_t *h,int flag) if (rv == CKR_OK) h->should_finalize = 1; else if (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED) { - set_error("C_Initialize() failed: 0x%08lX", rv); + set_error("C_Initialize() failed: %i", rv); return -1; } rv = h->fl->C_GetInfo(&info); if (rv != CKR_OK) { - set_error("C_GetInfo() failed: 0x%08lX", rv); + set_error("C_GetInfo() failed: %i", rv); return -1; } /* show some information about the module */ @@ -1416,7 +1416,7 @@ int open_pkcs11_session(pkcs11_handle_t *h, unsigned int slot) /* open a readonly user-session */ rv = h->fl->C_OpenSession(h->slots[slot].id, CKF_SERIAL_SESSION, NULL, NULL, &h->session); if (rv != CKR_OK) { - set_error("C_OpenSession() failed: 0x%08lX", rv); + set_error("C_OpenSession() failed: %i", rv); return -1; } h->current_slot = slot; @@ -1433,7 +1433,7 @@ int pkcs11_login(pkcs11_handle_t *h, char *password) else rv = h->fl->C_Login(h->session, CKU_USER, NULL, 0); if ((rv != CKR_OK) && (rv != CKR_USER_ALREADY_LOGGED_IN)) { - set_error("C_Login() failed: 0x%08lX", rv); + set_error("C_Login() failed: %i", rv); return -1; } return 0; @@ -1446,7 +1446,7 @@ int get_slot_login_required(pkcs11_handle_t *h) rv = h->fl->C_GetTokenInfo(h->slots[h->current_slot].id, &tinfo); if (rv != CKR_OK) { - set_error("C_GetTokenInfo() failed: 0x%08lX", rv); + set_error("C_GetTokenInfo() failed: %i", rv); return -1; } return tinfo.flags & CKF_LOGIN_REQUIRED; @@ -1459,7 +1459,7 @@ int get_slot_protected_authentication_path(pkcs11_handle_t *h) rv = h->fl->C_GetTokenInfo(h->slots[h->current_slot].id, &tinfo); if (rv != CKR_OK) { - set_error("C_GetTokenInfo() failed: 0x%08lX", rv); + set_error("C_GetTokenInfo() failed: %i", rv); return -1; } return tinfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH; 
@@ -1491,13 +1491,13 @@ int close_pkcs11_session(pkcs11_handle_t *h) rv = h->fl->C_Logout(h->session); if (rv != CKR_OK && rv != CKR_USER_NOT_LOGGED_IN && rv != CKR_FUNCTION_NOT_SUPPORTED) { - set_error("C_Logout() failed: 0x%08lX", rv); + set_error("C_Logout() failed: %i", rv); return -1; } DBG("closing the PKCS #11 session"); rv = h->fl->C_CloseSession(h->session); if (rv != CKR_OK && rv != CKR_FUNCTION_NOT_SUPPORTED) { - set_error("C_CloseSession() failed: 0x%08lX", rv); + set_error("C_CloseSession() failed: %i", rv); return -1; } DBG("releasing keys and certificates"); @@ -1539,14 +1539,14 @@ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) rv = h->fl->C_FindObjectsInit(h->session, cert_template, 2); if (rv != CKR_OK) { - set_error("C_FindObjectsInit() failed: 0x%08lX", rv); + set_error("C_FindObjectsInit() failed: %i", rv); return NULL; } while(1) { /* look for certificates */ rv = h->fl->C_FindObjects(h->session, &object, 1, &object_count); if (rv != CKR_OK) { - set_error("C_FindObjects() failed: 0x%08lX", rv); + set_error("C_FindObjects() failed: %i", rv); goto getlist_error; } if (object_count == 0) break; /* no more certs */ @@ -1560,7 +1560,7 @@ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) cert_template[2].ulValueLen = 0; rv = h->fl->C_GetAttributeValue(h->session, object, cert_template, 3); if (rv != CKR_OK) { - set_error("CertID length: C_GetAttributeValue() failed: 0x%08lX", rv); + set_error("CertID length: C_GetAttributeValue() failed: %i", rv); goto getlist_error; } /* allocate enough space */ @@ -1574,7 +1574,7 @@ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) rv = h->fl->C_GetAttributeValue(h->session, object, cert_template, 3); if (rv != CKR_OK) { free(id_value); - set_error("CertID value: C_GetAttributeValue() failed: 0x%08lX", rv); + set_error("CertID value: C_GetAttributeValue() failed: %i", rv); goto getlist_error; } 
@@ -1584,7 +1584,7 @@ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) cert_template[3].pValue = NULL; rv = h->fl->C_GetAttributeValue(h->session, object, cert_template, 4); if (rv != CKR_OK) { - set_error("Cert Length: C_GetAttributeValue() failed: 0x%08lX", rv); + set_error("Cert Length: C_GetAttributeValue() failed: %i", rv); goto getlist_error; } /* allocate enough space */ @@ -1598,7 +1598,7 @@ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) rv = h->fl->C_GetAttributeValue(h->session, object, cert_template, 4); if (rv != CKR_OK) { free(cert_value); - set_error("Cert Value: C_GetAttributeValue() failed: 0x%08lX", rv); + set_error("Cert Value: C_GetAttributeValue() failed: %i", rv); goto getlist_error; } @@ -1645,7 +1645,7 @@ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) /* release FindObject Sesion */ rv = h->fl->C_FindObjectsFinal(h->session); if (rv != CKR_OK) { - set_error("C_FindObjectsFinal() failed: 0x%08lX", rv); + set_error("C_FindObjectsFinal() failed: %i", rv); free_certs(certs, h->cert_count); certs = NULL; h->certs = NULL; @@ -1663,7 +1663,7 @@ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) getlist_error: rv = h->fl->C_FindObjectsFinal(h->session); if (rv != CKR_OK) { - set_error("C_FindObjectsFinal() failed: 0x%08lX", rv); + set_error("C_FindObjectsFinal() failed: %i", rv); } free_certs(h->certs, h->cert_count); h->certs = NULL; 
@@ -1704,31 +1704,31 @@ int get_private_key(pkcs11_handle_t *h, cert_object_t *cert) { rv = h->fl->C_FindObjectsInit(h->session, key_template, 2); } if (rv != CKR_OK) { - set_error("C_FindObjectsInit() failed: 0x%08lX", rv); + set_error("C_FindObjectsInit() failed: %i", rv); return -1; } rv = h->fl->C_FindObjects(h->session, &object, 1, &object_count); if (rv != CKR_OK) { - set_error("C_FindObjects() failed: 0x%08lX", rv); + set_error("C_FindObjects() failed: %i", rv); goto get_privkey_failed; } if (object_count <= 0) { /* cert without prk: perhaps CA or CA-chain cert */ - set_error("No private key found for cert: 0x%08lX", rv); + set_error("No private key found for cert: %i", rv); goto get_privkey_failed; } /* and finally release Find session */ rv = h->fl->C_FindObjectsFinal(h->session); if (rv != CKR_OK) { - set_error("C_FindObjectsFinal() failed: 0x%08lX", rv); + set_error("C_FindObjectsFinal() failed: %i", rv); return -1; } /* get private key type */ rv = h->fl->C_GetAttributeValue(h->session, object, attr_template, sizeof(attr_template) / sizeof(CK_ATTRIBUTE)); if (rv != CKR_OK) { - set_error("C_GetAttributeValue() failed! 0x%08lX", rv); + set_error("C_GetAttributeValue() failed! %i", rv); return -1; } DBG1("private key type: 0x%08lX", key_type); @@ -1741,7 +1741,7 @@ int get_private_key(pkcs11_handle_t *h, cert_object_t *cert) { get_privkey_failed: rv = h->fl->C_FindObjectsFinal(h->session); if (rv != CKR_OK) { - set_error("C_FindObjectsFinal() failed: 0x%08lX", rv); + set_error("C_FindObjectsFinal() failed: %i", rv); } return -1; } @@ -1807,7 +1807,7 @@ int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data, /* sign the token */ rv = h->fl->C_SignInit(h->session, &mechanism, cert->private_key); if (rv != CKR_OK) { - set_error("C_SignInit() failed: 0x%08lX", rv); + set_error("C_SignInit() failed: %i", rv); return -1; } *signature = NULL; 
@@ -1827,7 +1827,7 @@ int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data, } else if (rv != CKR_OK) { free(*signature); *signature = NULL; - set_error("C_Sign() failed: 0x%08lX", rv); + set_error("C_Sign() failed: %i", rv); return -1; } } From e4705f01b52629092e71fb71e70bd39a9cfc7e72 Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Fri, 14 Aug 2020 16:57:24 +0300 Subject: [PATCH 041/111] Fixed some reference type errors for OpenSSL objects Signed-off-by: Paul Wolneykien --- src/common/cert_vfy.c | 48 ++++++++++++++++++++++++------------------- 1 file changed, 27 insertions(+), 21 deletions(-) diff --git a/src/common/cert_vfy.c b/src/common/cert_vfy.c index ffdb76ed..b26103d0 100644 --- a/src/common/cert_vfy.c +++ b/src/common/cert_vfy.c @@ -150,22 +150,23 @@ static int verify_crl(X509_CRL * crl, X509_STORE_CTX * ctx) #if (OPENSSL_VERSION_NUMBER < 0x10100000L) X509_OBJECT obj; rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), &obj); + if (rv > 0) { + issuer_cert = X509_OBJECT_get0_X509((&obj)); + X509_OBJECT_free_contents(&obj); #else X509_OBJECT *obj = X509_OBJECT_new(); rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), obj); + if (rv > 0) { + issuer_cert = X509_OBJECT_get0_X509(obj); + X509_OBJECT_free(obj); #endif - if (rv <= 0) { + } else { set_error("getting the certificate of the crl-issuer failed"); return -1; } /* extract public key and verify signature */ - issuer_cert = X509_OBJECT_get0_X509((&obj)); pkey = X509_get_pubkey(issuer_cert); -#if (OPENSSL_VERSION_NUMBER < 0x10100000L) - X509_OBJECT_free_contents(&obj); -#else - X509_OBJECT_free(obj); -#endif + if (pkey == NULL) { set_error("getting the issuer's public key failed"); return -1; 
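Review bot: The reordering in `verify_crl` releases the `X509_OBJECT` (`X509_OBJECT_free_contents(&obj)` / `X509_OBJECT_free(obj)`) before `issuer_cert`, a pointer borrowed from it through `X509_OBJECT_get0_X509`, is handed to `X509_get_pubkey`; the pre-change code took the public key first and freed the object afterwards. That is only safe as long as the store keeps its own reference to the certificate, which nothing here makes explicit; either call `X509_get_pubkey(issuer_cert)` before freeing the object, as before, or take a reference with `X509_up_ref(issuer_cert)` and release it when done. The same reorder appears in the `check_for_revocation` hunk of this commit, where `x509_ca` is passed to `X509_get_ext_d2i` and `crl` is used after their objects were freed. In the OpenSSL >= 1.1.0 branch the `obj` from `X509_OBJECT_new()` is also leaked on the `else` path and its NULL return is not checked; both functions start outside their hunks.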
@@ -241,37 +242,42 @@ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t DBG("looking for an dedicated local crl"); #if (OPENSSL_VERSION_NUMBER < 0x10100000L) rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), &obj); + if (rv > 0) { + crl = X509_OBJECT_get0_X509_CRL((&obj)); + X509_OBJECT_free_contents(&obj); #else rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), obj); + if (rv > 0) { + crl = X509_OBJECT_get0_X509_CRL(obj); + X509_OBJECT_free(obj); #endif - if (rv <= 0) { + } else { set_error("no dedicated crl available"); return -1; } - crl = X509_OBJECT_get0_X509_CRL((&obj)); -#if (OPENSSL_VERSION_NUMBER < 0x10100000L) - X509_OBJECT_free_contents(&obj); -#else - X509_OBJECT_free(obj); -#endif } else if (policy == CRLP_ONLINE) { /* ONLINE */ DBG("extracting crl distribution points"); dist_points = X509_get_ext_d2i(x509, NID_crl_distribution_points, NULL, NULL); if (dist_points == NULL) { /* if there is not crl distribution point in the certificate hava a look at the ca certificate */ +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), &obj); - if (rv <= 0) { + if (rv > 0) { + x509_ca = X509_OBJECT_get0_X509((&obj)); + X509_OBJECT_free_contents(&obj); +#else + rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), obj); + if (rv > 0) { + x509_ca = X509_OBJECT_get0_X509(obj); + X509_OBJECT_free(obj); +#endif + } else { set_error("no dedicated ca certificate available"); return -1; } - x509_ca = X509_OBJECT_get0_X509((&obj)); + dist_points = X509_get_ext_d2i(x509_ca, NID_crl_distribution_points, NULL, NULL); -#if (OPENSSL_VERSION_NUMBER < 0x10100000L) - X509_OBJECT_free_contents(&obj); -#else - X509_OBJECT_free(obj); -#endif if (dist_points == NULL) { set_error("neither the user nor the ca certificate does contain a crl distribution point"); return -1; 
From 15e80f474be3304ca9d18824ea5b637d5549029f Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Fri, 14 Aug 2020 17:29:45 +0300 Subject: [PATCH 042/111] Fix: Cast pointers for pam_get_item() --- src/pam_pkcs11/pam_pkcs11.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index a4a3e09f..57b79355 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c @@ -166,7 +166,7 @@ static int pam_get_pwd(pam_handle_t *pamh, char **pwd, char *text, int oitem, in /* use stored password if variable oitem is set */ if ((oitem == PAM_AUTHTOK) || (oitem == PAM_OLDAUTHTOK)) { /* try to get stored item */ - rv = pam_get_item(pamh, oitem, &old_pwd); + rv = pam_get_item(pamh, oitem, (const void **) &old_pwd); if (rv != PAM_SUCCESS) return rv; if (old_pwd != NULL) { @@ -179,7 +179,7 @@ static int pam_get_pwd(pam_handle_t *pamh, char **pwd, char *text, int oitem, in if (text != NULL) { msg.msg_style = PAM_PROMPT_ECHO_OFF; msg.msg = text; - rv = pam_get_item(pamh, PAM_CONV, &conv); + rv = pam_get_item(pamh, PAM_CONV, (const void **) &conv); if (rv != PAM_SUCCESS) return rv; if ((conv == NULL) || (conv->conv == NULL)) From ee9839bb35a41f8f6bb136799941e6563273ee38 Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Fri, 14 Aug 2020 22:26:18 +0300 Subject: [PATCH 043/111] Fixed format for CK_RV error code Signed-off-by: Paul Wolneykien --- src/common/pkcs11_lib.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index 2dd7087b..b8549ed5 100644 --- a/src/common/pkcs11_lib.c +++ b/src/common/pkcs11_lib.c @@ -1060,7 +1060,7 @@ refresh_slots(pkcs11_handle_t *h) slots = NULL; rv = h->fl->C_GetSlotList(FALSE, NULL, &slot_count); if (rv != CKR_OK) { - set_error("C_GetSlotList() failed: %i", rv); + set_error("C_GetSlotList() failed: 0x%08lX", rv); return -1; } 
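Review bot: Casting `&old_pwd` and `&conv` to `(const void **)` silences the `pam_get_item` warning but accesses a `char **` / `struct pam_conv **` as a `const void **`, which is exactly the incompatible-pointer access the warning points at. A small temporary avoids the cast altogether, e.g. `const void *item = NULL; rv = pam_get_item(pamh, oitem, &item); old_pwd = item;` (and likewise for `conv`). The later commit "Cast more pointers for pam_get_item()" on this page repeats the same pattern for `PAM_SERVICE` and `PAM_USER`; `pam_get_pwd` continues outside these hunks.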
@@ -1072,7 +1072,7 @@ refresh_slots(pkcs11_handle_t *h) /* get a list of all slots */ rv = h->fl->C_GetSlotList(FALSE, NULL, &h->slot_count); if (rv != CKR_OK) { - set_error("C_GetSlotList() failed: %i", rv); + set_error("C_GetSlotList() failed: 0x%08lX", rv); return -1; } DBG1("number of slots (a): %ld", h->slot_count); @@ -1095,7 +1095,7 @@ refresh_slots(pkcs11_handle_t *h) rv = h->fl->C_GetSlotList(FALSE, slots, &h->slot_count); if (rv != CKR_OK) { free(slots); - set_error("C_GetSlotList() failed: %i", rv); + set_error("C_GetSlotList() failed: 0x%08lX", rv); return -1; } DBG1("number of slots (b): %ld", h->slot_count); From 3fa30a241bf5f1e32cafb38edf7c82bab9b5ed2d Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Sat, 15 Aug 2020 22:08:13 +0300 Subject: [PATCH 044/111] Disable pointer-sign warnings for a while... --- configure.ac | 3 +++ 1 file changed, 3 insertions(+) diff --git a/configure.ac b/configure.ac index 7ce10463..3fb4b6a0 100644 --- a/configure.ac +++ b/configure.ac @@ -33,6 +33,9 @@ AC_PROG_MAKE_SET # check enable_dependency_tracking configure option AM_CONDITIONAL([AMDEP], [test "x$enable_dependency_tracking" != xno]) +# Disable pointer-sign warnings for a while... +CFLAGS="$CFLAGS -Wno-pointer-sign" + # Special check for pthread support AX_PTHREAD(, [ AC_MSG_ERROR([POSIX thread support required]) ]) CC="$PTHREAD_CC" From 17d05841d94b4d35f40fada78b11b4d41ed3a661 Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Sat, 15 Aug 2020 22:52:32 +0300 Subject: [PATCH 045/111] Fix: Cast more pointers for pam_get_item() --- src/pam_pkcs11/pam_pkcs11.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index 57b79355..8a722f9a 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c 
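Review bot: Appending `-Wno-pointer-sign` to `CFLAGS` unconditionally hides every `char *` / `unsigned char *` mismatch in the tree — including the ones around PKCS#11 and OpenSSL buffers that the neighbouring commits are fixing one by one — and the comment "for a while" gives no condition for removing it. If the warnings must be silenced for a release, probe the flag instead of assuming it (`AX_CHECK_COMPILE_FLAG`) and leave a tracking note next to it, e.g. `# TODO(<tracking issue>): fix the pointer-sign mismatches and drop this flag`.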
@@ -94,7 +94,7 @@ static int pam_prompt(pam_handle_t *pamh, int style, char **response, char *fmt, msg.msg_style = style; msg.msg = text; - rv = pam_get_item(pamh, PAM_CONV, &conv); + rv = pam_get_item(pamh, PAM_CONV, (const void **) &conv); if (rv != PAM_SUCCESS) return rv; if ((conv == NULL) || (conv->conv == NULL)) @@ -301,7 +301,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons char *service; if (configuration->screen_savers) { DBG("Is it a screen saver?"); - pam_get_item(pamh, PAM_SERVICE, &service); + pam_get_item(pamh, PAM_SERVICE, (const void **) &service); for (i=0; configuration->screen_savers[i]; i++) { if (strcmp(configuration->screen_savers[i], service) == 0) { is_a_screen_saver = 1; @@ -313,12 +313,12 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons pkcs11_pam_fail = PAM_CRED_INSUFFICIENT; /* look to see if username is already set */ - pam_get_item(pamh, PAM_USER, &user); + pam_get_item(pamh, PAM_USER, (const void **) &user); if (user) { DBG1("explicit username = [%s]", user); } } else { - rv = pam_get_item(pamh, PAM_USER, &user); + rv = pam_get_item(pamh, PAM_USER, (const void **) &user); if (rv != PAM_SUCCESS || user == NULL || user[0] == '\0') { pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("Please insert your %s or enter your username."), From 996dc857da9eb454d7d75736e6c54b61bb121bb6 Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Sat, 15 Aug 2020 23:22:33 +0300 Subject: [PATCH 046/111] Fix: Use the return values of fscanf() and write() --- src/tools/card_eventmgr.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/tools/card_eventmgr.c b/src/tools/card_eventmgr.c index 9b54a514..c4744e35 100644 --- a/src/tools/card_eventmgr.c +++ b/src/tools/card_eventmgr.c 
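Review bot: `pam_get_item(pamh, PAM_SERVICE, (const void **) &service)` in the second hunk still ignores its return value, and `service` is declared without an initializer just above it, so a failed lookup or a NULL item feeds an indeterminate pointer to `strcmp` in the loop that follows. Guard the loop: `if (pam_get_item(pamh, PAM_SERVICE, (const void **) &service) == PAM_SUCCESS && service != NULL) { for (...) ... }`. The `PAM_USER` call in the third hunk is unchecked as well, although `user` is tested for NULL afterwards; pam_sm_authenticate starts and ends outside these hunks.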
@@ -268,7 +268,9 @@ static pid_t read_pidfile(char *filename) return 0; } - fscanf(fd, "%ld", &temp); + if (fscanf(fd, "%ld", &temp) != 1) + DBG2("Can't parse pidfile %s: %s", filename, strerror(errno)); + pid = temp; fclose(fd); @@ -297,7 +299,8 @@ static void create_pidfile(char *filename) snprintf(tmp, sizeof(tmp)-1, "%d\n", getpid()); tmp[sizeof(tmp)-1] = '\0'; - write(fd, tmp, strlen(tmp)); + if (write(fd, tmp, strlen(tmp)) != strlen(tmp)) + DBG2("Can't write pidfile %s: %s", filename, strerror(errno)); close(fd); } From 3cb362e3c23b9917360bd5864f3882d5e3da9a1d Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Sat, 15 Aug 2020 23:26:08 +0300 Subject: [PATCH 047/111] Fix: Remove `const` from `get_X509_certificate()` as OpenSSL functions have non-const arguments --- src/common/pkcs11_lib.c | 4 ++-- src/common/pkcs11_lib.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index b8549ed5..7ab4115c 100644 --- a/src/common/pkcs11_lib.c +++ b/src/common/pkcs11_lib.c @@ -831,7 +831,7 @@ int get_private_key(pkcs11_handle_t *h, cert_object_t *cert) { return 0; } -const X509 *get_X509_certificate(cert_object_t *cert) +X509 *get_X509_certificate(cert_object_t *cert) { return (CERTCertificate *)cert; } @@ -1752,7 +1752,7 @@ const char *get_slot_tokenlabel(pkcs11_handle_t *h) return h->slots[h->current_slot].label; } -const X509 *get_X509_certificate(cert_object_t *cert) +X509 *get_X509_certificate(cert_object_t *cert) { return cert->x509; } diff --git a/src/common/pkcs11_lib.h b/src/common/pkcs11_lib.h index 637a0c19..a3ed1c9c 100644 --- a/src/common/pkcs11_lib.h +++ b/src/common/pkcs11_lib.h 
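Review bot: On a parse failure the first hunk only logs and then still runs `pid = temp;`, where `temp` is declared outside the hunk and, as far as the hunk shows, not initialised, so `read_pidfile` hands back an indeterminate pid; return 0 as the `fopen` failure path above does: `if (fscanf(fd, "%ld", &temp) != 1) { DBG1("Can't parse pidfile %s", filename); fclose(fd); return 0; }`. `strerror(errno)` is misleading in that message because a matching failure does not set `errno`. In the second hunk `write()` returns `ssize_t` and is compared with the `size_t` from `strlen`; the `-1` case is caught only through unsigned conversion, so prefer `ssize_t n = write(fd, tmp, strlen(tmp)); if (n < 0 || (size_t)n != strlen(tmp))`, which also survives `-Wsign-compare`.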
@@ -52,7 +52,7 @@ PKCS11_EXTERN int wait_for_token_by_slotlabel(pkcs11_handle_t *h, const char *wanted_slot_label, const char *wanted_token_label, unsigned int *slot); -PKCS11_EXTERN const X509 *get_X509_certificate(cert_object_t *cert); +PKCS11_EXTERN X509 *get_X509_certificate(cert_object_t *cert); PKCS11_EXTERN void release_pkcs11_module(pkcs11_handle_t *h); PKCS11_EXTERN int open_pkcs11_session(pkcs11_handle_t *h, unsigned int slot); PKCS11_EXTERN int close_pkcs11_session(pkcs11_handle_t *h); From 1e7fb31032eaca6ece258ce4f5bd266dcda93ddf Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Sun, 16 Aug 2020 00:09:48 +0300 Subject: [PATCH 048/111] Fixed more format for CK_RV error code --- src/common/pkcs11_lib.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index 7ab4115c..c985fe27 100644 --- a/src/common/pkcs11_lib.c +++ b/src/common/pkcs11_lib.c @@ -1113,7 +1113,7 @@ refresh_slots(pkcs11_handle_t *h) DBG1("slot %ld:", i + 1); rv = h->fl->C_GetSlotInfo(h->slots[i].id, &sinfo); if (rv != CKR_OK) { - set_error("C_GetSlotInfo() failed: %i", rv); + set_error("C_GetSlotInfo() failed: 0x%08lX", rv); return -1; } @@ -1127,7 +1127,7 @@ refresh_slots(pkcs11_handle_t *h) DBG("- token:"); rv = h->fl->C_GetTokenInfo(h->slots[i].id, &tinfo); if (rv != CKR_OK) { - set_error("C_GetTokenInfo() failed: %i", rv); + set_error("C_GetTokenInfo() failed: 0x%08lX", rv); return -1; } DBG1(" - label: %.32s", tinfo.label); From ab0319f7e6609c5fa542fbc07db243a2564e294d Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Thu, 3 Sep 2020 14:32:30 +0300 Subject: [PATCH 049/111] Fix: Use X509_CRL_get0_lastUpdate() and X509_CRL_get0_nextUpdate() Use X509_CRL_get0_lastUpdate(crl) and X509_CRL_get0_nextUpdate(crl) in new OpenSSL versions instead of X509_CRL_get_lastUpdate(crl) and X509_CRL_get_nextUpdate(crl). --- src/common/cert_vfy.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) 
diff --git a/src/common/cert_vfy.c b/src/common/cert_vfy.c index b26103d0..c75f65b4 100644 --- a/src/common/cert_vfy.c +++ b/src/common/cert_vfy.c @@ -181,7 +181,16 @@ static int verify_crl(X509_CRL * crl, X509_STORE_CTX * ctx) return 0; } /* compare update times */ - rv = X509_cmp_current_time(X509_CRL_get_lastUpdate(crl)); + const ASN1_TIME *lastUpdate; + const ASN1_TIME *nextUpdate; +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) + lastUpdate = X509_CRL_get_lastUpdate(crl); + nextUpdate = X509_CRL_get_nextUpdate(crl); +#else + lastUpdate = X509_CRL_get0_lastUpdate(crl); + nextUpdate = X509_CRL_get0_nextUpdate(crl); +#endif + rv = X509_cmp_current_time(lastUpdate); if (rv == 0) { set_error("crl has an invalid last update field"); return -1; @@ -190,7 +199,7 @@ static int verify_crl(X509_CRL * crl, X509_STORE_CTX * ctx) DBG("crl is not yet valid"); return 0; } - rv = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl)); + rv = X509_cmp_current_time(nextUpdate); if (rv == 0) { set_error("crl has an invalid next update field"); return -1; From 6c49136417ba523a27a30fe765537a78e43ec8c4 Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Thu, 3 Sep 2020 15:28:54 +0300 Subject: [PATCH 050/111] Use ECDSA_SIG_set0() instead of ECDSA_SIG_get0_r() + ECDSA_SIG_get0_s() FIXME: Why not to use d2i_ECDSA_SIG() ??? --- src/common/cert_vfy.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/src/common/cert_vfy.c b/src/common/cert_vfy.c index c75f65b4..82c5d0cb 100644 --- a/src/common/cert_vfy.c +++ b/src/common/cert_vfy.c 
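Review bot: `nextUpdate` is optional in an X.509 CRL and both `X509_CRL_get_nextUpdate` and `X509_CRL_get0_nextUpdate` return NULL when it is absent, yet the new `rv = X509_cmp_current_time(nextUpdate);` passes it on unguarded; how OpenSSL treats a NULL time there is version-dependent (older releases dereference it). Handle the missing field explicitly and decide what the policy wants for a CRL without an expiry, e.g. `if (nextUpdate == NULL) { set_error("crl has no next update field"); return -1; }` before the comparison, or a `DBG` and accept if that is the intended behaviour. The `const ASN1_TIME *lastUpdate;` declarations in the middle of the block are valid C99 but differ from the top-of-block style of the rest of the function; verify_crl continues outside the hunk.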
@@ -534,10 +534,21 @@ int verify_signature(X509 * x509, unsigned char *data, int data_length, DBG1("public key bits: 0x%08x", EVP_PKEY_bits(pubkey)); if (EVP_PKEY_base_id(pubkey) == EVP_PKEY_EC) { + // FIXME: Why not to use d2i_ECDSA_SIG() ??? rs_len = *signature_length / 2; ec_sig = ECDSA_SIG_new(); - BN_bin2bn(*signature, rs_len, ECDSA_SIG_get0_r(ec_sig)); - BN_bin2bn(*signature + rs_len, rs_len, ECDSA_SIG_get0_s(ec_sig)); + BIGNUM *r = BN_bin2bn(*signature, rs_len, NULL); + BIGNUM *s = BN_bin2bn(*signature + rs_len, rs_len, NULL); + if (!r || !s) { + set_error("Unable to parse r+s EC signature numbers: %s", + ERR_error_string(ERR_get_error(), NULL)); + return -1; + } + if (1 != ECDSA_SIG_set0(ec_sig, r, s)) { + set_error("Unable to write r+s numbers to the signature structure: %s", + ERR_error_string(ERR_get_error(), NULL)); + return -1; + } *signature_length = i2d_ECDSA_SIG(ec_sig, &p); free(*signature); *signature = malloc(*signature_length); From 289f3b8bcfc821a19312f7390e3c651e647fd102 Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Thu, 8 Jun 2017 17:04:03 +0300 Subject: [PATCH 051/111] Fix: Don't stuck if wait_for_card=false and ignore the token not found error when the auth isn't restricted to card only (either by option or by PKCS11_LOGIN_TOKEN_NAME env.var.) --- src/pam_pkcs11/pam_pkcs11.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index 8a722f9a..0aa9aa24 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c 
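Review bot: Both new error returns leak: when one of `BN_bin2bn` calls fails the other `BIGNUM` and `ec_sig` are not freed, and when `ECDSA_SIG_set0` fails `r`, `s` and `ec_sig` are all leaked because `set0` takes ownership only on success; the `ECDSA_SIG_new()` result on the context line is not checked either. Release them on every early exit (`BN_free`/`ECDSA_SIG_free` accept NULL), as below; whether `pubkey` needs freeing on these returns depends on code outside the hunk. The `FIXME` can be answered in place: the input is the raw `r||s` concatenation that PKCS#11 produces for ECDSA, which is why it is split in halves and then DER-encoded with `i2d_ECDSA_SIG` — `d2i_ECDSA_SIG` expects DER and does not apply. `ERR_error_string(..., NULL)` writes into a static buffer; `ERR_error_string_n` with a local `char buf[256]` avoids that.
```c
  if (EVP_PKEY_base_id(pubkey) == EVP_PKEY_EC) {
    /* PKCS#11 returns an ECDSA signature as the raw r||s concatenation, not
     * DER; rebuild the two integers and DER-encode them with i2d below. */
    rs_len = *signature_length / 2;
    BIGNUM *r = BN_bin2bn(*signature, rs_len, NULL);
    BIGNUM *s = BN_bin2bn(*signature + rs_len, rs_len, NULL);
    ec_sig = ECDSA_SIG_new();
    if (!r || !s || !ec_sig) {
      set_error("Unable to parse r+s EC signature numbers: %s",
                ERR_error_string(ERR_get_error(), NULL));
      BN_free(r);
      BN_free(s);
      ECDSA_SIG_free(ec_sig);
      return -1;
    }
    if (1 != ECDSA_SIG_set0(ec_sig, r, s)) {
      set_error("Unable to write r+s numbers to the signature structure: %s",
                ERR_error_string(ERR_get_error(), NULL));
      BN_free(r);
      BN_free(s);
      ECDSA_SIG_free(ec_sig);
      return -1;
    }
    /* … unchanged: i2d_ECDSA_SIG() re-encoding of *signature … */
```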
@@ -388,14 +388,14 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons sleep(configuration->err_display_time); } - if (!configuration->card_only) { + if (!configuration->card_only || !login_token_name) { release_pkcs11_module(ph); - return PAM_AUTHINFO_UNAVAIL; + /* Allow to pass to the next module if the auth isn't + restricted to card only. */ + return PAM_IGNORE; } - /* we must have a smart card, either because we've configured it as such, - * or because we used one to log in */ - if (login_token_name || configuration->wait_for_card) { + if (configuration->wait_for_card) { if (login_token_name) { pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("Please insert your smart card called \"%.32s\"."), From 6d0e9b81945df6298233766b319b19d55aad3195 Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Wed, 21 Jun 2017 17:48:05 +0300 Subject: [PATCH 052/111] Allow to pass to the next module if the auth isn't restricted to card only. --- src/pam_pkcs11/pam_pkcs11.c | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index 0aa9aa24..79f9c636 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c @@ -380,7 +380,18 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons login_token_name, &slot_num); } + if (!configuration->card_only || !login_token_name) { + /* Allow to pass to the next module if the auth isn't + restricted to card only. */ + pkcs11_pam_fail = PAM_IGNORE; + } + if (rv != 0) { + if (!configuration->card_only || !login_token_name) { + release_pkcs11_module(ph); + return pkcs11_pam_fail; + } + ERR("no suitable token available"); if (!configuration->quiet) { pam_syslog(pamh, LOG_ERR, "no suitable token available"); 
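Review bot: `pkcs11_pam_fail = PAM_IGNORE` is assigned before the token-lookup result is examined and never reset, and `pkcs11_pam_fail` is also what the `auth_failed_nopw` cleanup at the end of the function returns (visible in the next commit's context on this page), so with `card_only` off every later failure — a token that is present but whose certificate does not verify or map to the user — is reported to the PAM stack as PAM_IGNORE and the stack proceeds as if this module had not run. If the intent is only "no token → fall through", restore the failure code once a token has been found, e.g. `pkcs11_pam_fail = PAM_CRED_INSUFFICIENT;` (the value set earlier in the function) right after the `if (rv != 0) {...}` block, or return PAM_IGNORE directly from the no-token branch instead of parking it in the shared variable. The commit immediately before this one on the page took the direct-return approach and is rewritten here; pam_sm_authenticate starts and ends outside the hunk.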
@@ -388,13 +399,6 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons sleep(configuration->err_display_time); } - if (!configuration->card_only || !login_token_name) { - release_pkcs11_module(ph); - /* Allow to pass to the next module if the auth isn't - restricted to card only. */ - return PAM_IGNORE; - } - if (configuration->wait_for_card) { if (login_token_name) { pam_prompt(pamh, PAM_TEXT_INFO, NULL, @@ -553,7 +557,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2320: Wrong smartcard PIN")); sleep(configuration->err_display_time); } - goto auth_failed_nopw; + goto auth_failed_wrongpw; } } @@ -839,6 +843,12 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons close_pkcs11_session(ph); release_pkcs11_module(ph); return pkcs11_pam_fail; + +auth_failed_wrongpw: + unload_mappers(); + close_pkcs11_session(ph); + release_pkcs11_module(ph); + return PAM_CRED_INSUFFICIENT; } PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) From 1bb036a630d6dc49d0b652fa78919d5a05dea4fb Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Tue, 3 Oct 2017 15:44:57 +0300 Subject: [PATCH 053/111] Fix: Make wait-for-card work when the user is not logged in --- src/pam_pkcs11/pam_pkcs11.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index 79f9c636..906545b7 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c @@ -387,7 +387,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons } if (rv != 0) { - if (!configuration->card_only || !login_token_name) { + if (!configuration->card_only) { release_pkcs11_module(ph); return pkcs11_pam_fail; } From 5bcf25150fa50a6f67b9428d873619d973972ceb Mon Sep 17 00:00:00 2001 
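Review bot: The new `auth_failed_wrongpw` label returns PAM_CRED_INSUFFICIENT for a wrong PIN, which is not a result pam_sm_authenticate is expected to produce; PAM_AUTH_ERR is the conventional code for a failed credential check. The label also duplicates the three cleanup calls of `auth_failed_nopw` directly above it, so the two will drift as cleanup grows; a single cleanup label with the code chosen at the jump site, `pkcs11_pam_fail = PAM_AUTH_ERR; goto auth_failed_nopw;`, avoids that. The enclosing function starts outside the hunk.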
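Review bot: Dropping `|| !login_token_name` here leaves the earlier assignment `pkcs11_pam_fail = PAM_IGNORE` (visible in the previous commit's hunk and still keyed on `!login_token_name`) out of step with this test: with `card_only=true` and no `PKCS11_LOGIN_TOKEN_NAME` the no-token path now continues into the wait-for-card code, but any later failure still returns PAM_IGNORE. If a first login with `card_only` is meant to fail hard when no token appears, the assignment needs the same condition; if the asymmetry is intended, a comment should say so, e.g. `/* card_only without a known login token: wait for a card, but still defer to the next module on failure */`.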
From: Paul Wolneykien Date: Wed, 4 Oct 2017 18:04:13 +0300 Subject: [PATCH 054/111] Fix: Return PAM_AUTH_ERR for login error --- src/pam_pkcs11/pam_pkcs11.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index 906545b7..9c9d9327 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c @@ -848,7 +848,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons unload_mappers(); close_pkcs11_session(ph); release_pkcs11_module(ph); - return PAM_CRED_INSUFFICIENT; + return PAM_AUTH_ERR; } PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) From 88a87d54ff0a9f1c425906bb1fe260e40bd7751c Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Mon, 16 Oct 2017 13:08:55 +0300 Subject: [PATCH 055/111] Fail if no token found only when it is strictly required 1. card_only = true AND PKCS11_LOGIN_TOKEN_NAME isn't set. 2. card_only = true AND wait_for_card = true This fixes/improves commit b08ec3b095d4fa143d046783cb010cc0f34f7c92. --- src/pam_pkcs11/pam_pkcs11.c | 181 ++++++++++++++---------------------- 1 file changed, 69 insertions(+), 112 deletions(-) diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index 9c9d9327..0e03ff61 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c @@ -232,8 +232,6 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons textdomain(PACKAGE); #endif - pam_prompt(pamh, PAM_TEXT_INFO , NULL, _("Smartcard authentication starts")); - /* first of all check whether debugging should be enabled */ for (i = 0; i < argc; i++) if (strcmp("debug", argv[i]) == 0) { 
@@ -253,39 +251,11 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons return PAM_AUTHINFO_UNAVAIL; } - /* fail if we are using a remote server - * local login: DISPLAY=:0 - * XDMCP login: DISPLAY=host:0 */ - { - char *display = getenv("DISPLAY"); - - if (display) - { - if (strncmp(display, "localhost:", 10) != 0 && (display[0] != ':') - && (display[0] != '\0')) { - ERR1("Remote login (from %s) is not (yet) supported", display); - pam_syslog(pamh, LOG_ERR, - "Remote login (from %s) is not (yet) supported", display); - return PAM_AUTHINFO_UNAVAIL; - } - } - } - - /* init openssl */ - rv = crypto_init(&configuration->policy); - if (rv != 0) { - ERR("Failed to initialize crypto"); - if (!configuration->quiet) - pam_syslog(pamh,LOG_ERR, "Failed to initialize crypto"); - return PAM_AUTHINFO_UNAVAIL; - } - + login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME"); /* - * card_only means: - * 1) always get the userid from the certificate. - * 2) don't prompt for the user name if the card is present. - * 3) if the token is present, then we must use the cardAuth mechanism. + * card_only means: restrict the authentication to token only if + * the user has already authenticated by the token. * * wait_for_card means: * 1) nothing if card_only isn't set 
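Review bot: The policy now hinges on `login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME")`, read from the process environment of whichever application is calling PAM, and the new comment does not say where that variable is expected to come from or who may set it. Since the same value later decides between PAM_IGNORE and a hard failure, the trust assumption belongs next to the assignment, e.g. `/* Set by the login session that authenticated with this token; a caller that does not propagate it is treated as not card-bound. */`; whether a `pam_getenv()` lookup would be the more appropriate source I cannot tell from here. The reworded `card_only` comment also differs from the three-point description added to `etc/pam_pkcs11.conf.example.in` later on this page; one of the two should be brought in line. The hunk is cut from the middle of pam_sm_authenticate.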
@@ -309,33 +279,49 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons } } } + } + if (!configuration->card_only || !login_token_name) { + /* Allow to pass to the next module if the auth isn't + restricted to card only. */ + pkcs11_pam_fail = PAM_IGNORE; + } else { pkcs11_pam_fail = PAM_CRED_INSUFFICIENT; + } - /* look to see if username is already set */ - pam_get_item(pamh, PAM_USER, (const void **) &user); - if (user) { - DBG1("explicit username = [%s]", user); - } - } else { - rv = pam_get_item(pamh, PAM_USER, (const void **) &user); - if (rv != PAM_SUCCESS || user == NULL || user[0] == '\0') { - pam_prompt(pamh, PAM_TEXT_INFO, NULL, - _("Please insert your %s or enter your username."), - _(configuration->token_type)); - /* get user name */ - rv = pam_get_user(pamh, &user, NULL); + /* fail if we are using a remote server + * local login: DISPLAY=:0 + * XDMCP login: DISPLAY=host:0 */ + { + char *display = getenv("DISPLAY"); - if (rv != PAM_SUCCESS) { - pam_syslog(pamh, LOG_ERR, - "pam_get_user() failed %s", pam_strerror(pamh, rv)); - return PAM_USER_UNKNOWN; + if (display) + { + if (strncmp(display, "localhost:", 10) != 0 && (display[0] != ':') + && (display[0] != '\0')) { + ERR1("Remote login (from %s) is not (yet) supported", display); + pam_syslog(pamh, LOG_ERR, + "Remote login (from %s) is not (yet) supported", display); + return pkcs11_pam_fail; + } } - } - DBG1("username = [%s]", user); } - login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME"); + /* init openssl */ + rv = crypto_init(&configuration->policy); + if (rv != 0) { + ERR("Failed to initialize crypto"); + if (!configuration->quiet) + pam_syslog(pamh,LOG_ERR, "Failed to initialize crypto"); + return pkcs11_pam_fail; + } + + /* look to see if username is already set */ + pam_get_item(pamh, PAM_USER, &user); + if (user) { + DBG1("explicit username = [%s]", user); + } + /* if we are using a screen saver, and we didn't log in using the smart card * drop to the next pam 
module. */ if (is_a_screen_saver && !login_token_name) { @@ -354,7 +340,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2302: PKCS#11 module failed loading")); sleep(configuration->err_display_time); } - return PAM_AUTHINFO_UNAVAIL; + return pkcs11_pam_fail; } /* initialise pkcs #11 module */ @@ -368,10 +354,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2304: PKCS#11 module could not be initialized")); sleep(configuration->err_display_time); } - return PAM_AUTHINFO_UNAVAIL; + return pkcs11_pam_fail; } - /* open pkcs #11 session */ if (configuration->slot_description != NULL) { rv = find_slot_by_slotlabel_and_tokenlabel(ph, configuration->slot_description, login_token_name, &slot_num); @@ -380,23 +365,18 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons login_token_name, &slot_num); } - if (!configuration->card_only || !login_token_name) { - /* Allow to pass to the next module if the auth isn't - restricted to card only. */ - pkcs11_pam_fail = PAM_IGNORE; - } - if (rv != 0) { - if (!configuration->card_only) { - release_pkcs11_module(ph); - return pkcs11_pam_fail; + /* No token found */ + if (!configuration->card_only || (!login_token_name && !configuration->wait_for_card)) { + /* If the user isn't already card-authrized and we isn't restricted + to card-only login, then proceed to the next auth. module. */ + release_pkcs11_module(ph); + return PAM_IGNORE; } ERR("no suitable token available"); if (!configuration->quiet) { pam_syslog(pamh, LOG_ERR, "no suitable token available"); - pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2306: No suitable token available")); - sleep(configuration->err_display_time); } if (configuration->wait_for_card) { 
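Review bot: `pam_get_item(pamh, PAM_USER, &user)` drops the `(const void **)` cast the removed line had, so a `const char **` is passed where `const void **` is expected, and the return value is unchecked; `rv = pam_get_item(pamh, PAM_USER, (const void **) &user); if (rv != PAM_SUCCESS) user = NULL;` keeps the compiler quiet and leaves `user` well-defined. With the `pam_get_user()` prompt removed, `user` may now stay NULL for the rest of the function, which the code after this hunk has to tolerate — I cannot see whether it does. The relocated DISPLAY and `crypto_init()` checks now return `pkcs11_pam_fail`, i.e. PAM_IGNORE unless the login is card-bound, so a crypto initialisation failure silently defers to the next module; the comment above the `pkcs11_pam_fail` selection should mention that these setup failures are covered as well.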
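Review bot: The no-token condition `!configuration->card_only || (!login_token_name && !configuration->wait_for_card)` returns PAM_IGNORE when `card_only` is set but `PKCS11_LOGIN_TOKEN_NAME` is absent and `wait_for_card` is off, which reads as the opposite of item 1 in the commit message ("card_only = true AND PKCS11_LOGIN_TOKEN_NAME isn't set" is listed as a case that must fail); either the message or the condition should be corrected. The comment has two typos, `card-authrized` and `we isn't`: `/* If the user is not already card-authorised and the login is not restricted to card-only, proceed to the next auth module. */`. The `ERR`/`pam_syslog` lines kept as context run before the wait-for-card branch, so an ordinary wait now logs `no suitable token available` at LOG_ERR on every login before the user has had a chance to insert the card; guarding them with `!configuration->wait_for_card` or lowering them to debug level would avoid the noise.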
@@ -410,58 +390,35 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons } if (configuration->slot_description != NULL) { - rv = wait_for_token_by_slotlabel(ph, configuration->slot_description, - login_token_name, &slot_num); + rv = wait_for_token_by_slotlabel(ph, configuration->slot_description, + login_token_name, &slot_num); } else if (configuration->slot_num != -1) { - rv = wait_for_token(ph, configuration->slot_num, - login_token_name, &slot_num); + rv = wait_for_token(ph, configuration->slot_num, + login_token_name, &slot_num); } + } + } - if (rv != 0) { - release_pkcs11_module(ph); - return pkcs11_pam_fail; + if (rv != 0) { + /* Still no card */ + if (pkcs11_pam_fail != PAM_IGNORE) { + if (!configuration->quiet) { + pam_prompt(pamh, PAM_ERROR_MSG, + NULL, _("Error 2308: No smartcard found")); + sleep(configuration->err_display_time); + } + } else { + pam_prompt(pamh, PAM_TEXT_INFO, + NULL, _("No smartcard found")); } - } else if (user) { - if (!configuration->quiet) { - pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2308: No smartcard found")); - sleep(configuration->err_display_time); - } - - /* we have a user and no smart card, go to the next pam module */ release_pkcs11_module(ph); - return PAM_AUTHINFO_UNAVAIL; - } else { - /* we haven't prompted for the user yet, get the user and see if - * the smart card has been inserted in the mean time */ - pam_prompt(pamh, PAM_TEXT_INFO, NULL, - _("Please insert your %s or enter your username."), - _(configuration->token_type)); - rv = pam_get_user(pamh, &user, NULL); - - /* check one last time for the smart card before bouncing to the next - * module */ - if (configuration->slot_description != NULL) { - rv = find_slot_by_slotlabel(ph, configuration->slot_description, - &slot_num); - } else if (configuration->slot_num != -1) { - rv = find_slot_by_number(ph, configuration->slot_num, &slot_num); - } + return pkcs11_pam_fail; + } - if (rv != 0) { - /* user gave us a user id and no smart 
card go to next module */ - if (!configuration->quiet) { - pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2310: No smartcard found")); - sleep(configuration->err_display_time); - } + pam_prompt(pamh, PAM_TEXT_INFO, NULL, + _("%s found."), _(configuration->token_type)); - release_pkcs11_module(ph); - return PAM_AUTHINFO_UNAVAIL; - } - } - } else { - pam_prompt(pamh, PAM_TEXT_INFO, NULL, - _("%s found."), _(configuration->token_type)); - } + /* open pkcs #11 session */ rv = open_pkcs11_session(ph, slot_num); if (rv != 0) { ERR1("open_pkcs11_session() failed: %s", get_error()); From 503dd3206a13d54df19b8b8520bd2cb1c84bb38c Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Mon, 16 Oct 2017 16:53:26 +0300 Subject: [PATCH 056/111] Fix the layout a little bit --- src/pam_pkcs11/pam_pkcs11.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index 0e03ff61..63760c0e 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c 
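Review bot: In the new `if (rv != 0)` block the PAM_IGNORE branch prompts `_("No smartcard found")` unconditionally while the failure branch honours `configuration->quiet`; both should check `quiet`, or the comment should say why a deferral is always announced. The removed `pam_get_user()` fallback also drops the last-chance re-scan after the user typed a name, so the interactive "insert your card or enter your username" path is gone; the commit message should state that this is intentional. The rewritten block mixes tab and space indentation with its surroundings, which the later layout commit on this page has to repair. pam_sm_authenticate continues outside the hunk.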
@@ -380,22 +380,22 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons } if (configuration->wait_for_card) { - if (login_token_name) { - pam_prompt(pamh, PAM_TEXT_INFO, NULL, - _("Please insert your smart card called \"%.32s\"."), - login_token_name); - } else { - pam_prompt(pamh, PAM_TEXT_INFO, NULL, - _("Please insert your smart card.")); - } - - if (configuration->slot_description != NULL) { - rv = wait_for_token_by_slotlabel(ph, configuration->slot_description, + if (login_token_name) { + pam_prompt(pamh, PAM_TEXT_INFO, NULL, + _("Please insert your smart card called \"%.32s\"."), + login_token_name); + } else { + pam_prompt(pamh, PAM_TEXT_INFO, NULL, + _("Please insert your smart card.")); + } + + if (configuration->slot_description != NULL) { + rv = wait_for_token_by_slotlabel(ph, configuration->slot_description, login_token_name, &slot_num); - } else if (configuration->slot_num != -1) { - rv = wait_for_token(ph, configuration->slot_num, - login_token_name, &slot_num); - } + } else if (configuration->slot_num != -1) { + rv = wait_for_token(ph, configuration->slot_num, + login_token_name, &slot_num); + } } } From 0c6fcc159413f1c3fd1ad64ce82845a8f6f00caa Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Fri, 20 Oct 2017 12:51:45 +0300 Subject: [PATCH 057/111] Fix: Exit quietly only if card_only is false --- src/pam_pkcs11/pam_pkcs11.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index 63760c0e..a1b67a6e 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c 
@@ -367,9 +367,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons if (rv != 0) { /* No token found */ - if (!configuration->card_only || (!login_token_name && !configuration->wait_for_card)) { - /* If the user isn't already card-authrized and we isn't restricted - to card-only login, then proceed to the next auth. module. */ + if (!configuration->card_only) { + /* If the login isn't restricted to card-only, then proceed + to the next auth. module quietly. */ release_pkcs11_module(ph); return PAM_IGNORE; } From 9938b5fe59eb387fc57a135396c44e872f6cba0e Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Fri, 20 Oct 2017 12:45:18 +0300 Subject: [PATCH 058/111] Fix: Do not return error when there are no slots --- src/common/pkcs11_lib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index 9b56819e..caad49c1 100644 --- a/src/common/pkcs11_lib.c +++ b/src/common/pkcs11_lib.c @@ -1078,7 +1078,7 @@ refresh_slots(pkcs11_handle_t *h) DBG1("number of slots (a): %ld", h->slot_count); if (h->slot_count == 0) { set_error("there are no slots available"); - return -1; + return 0; // That's not, strictly, an error. } slots = malloc(h->slot_count * sizeof(CK_SLOT_ID)); if (slots == NULL) { From 806e46625f7144be9de1b33c8c77bef1be1c962e Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Tue, 3 Oct 2017 16:49:40 +0300 Subject: [PATCH 059/111] Output "no token" errors only when wait-for-card mode is off --- src/pam_pkcs11/pam_pkcs11.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index a1b67a6e..0aece1ec 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c 
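Review bot: `return 0;` for `h->slot_count == 0` still goes through `set_error("there are no slots available")`, so the caller sees success while the module's last-error string says otherwise, and a later `get_error()` after an unrelated failure may report this stale message. Either drop the `set_error()` on this path, e.g. `DBG("there are no slots available"); return 0;`, or keep returning an error and let callers decide. The `//` comment is a C99 line comment; if the rest of pkcs11_lib.c uses `/* */` the style should match. refresh_slots continues outside the hunk, so whether `h->slots` is left consistent on this early return is not visible here.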
@@ -374,10 +374,12 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons return PAM_IGNORE; } - ERR("no suitable token available"); - if (!configuration->quiet) { - pam_syslog(pamh, LOG_ERR, "no suitable token available"); - } + if (!configuration->wait_for_card) { + ERR("no suitable token available"); + if (!configuration->quiet) { + pam_syslog(pamh, LOG_ERR, "no suitable token available"); + } + } if (configuration->wait_for_card) { if (login_token_name) { From ba24e532b637072c309408be0a50b606aad22c43 Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Tue, 14 Nov 2017 13:27:38 +0300 Subject: [PATCH 060/111] Fixed cleanup of the old password --- src/pam_pkcs11/pam_pkcs11.c | 43 +++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 23 deletions(-) diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index 0aece1ec..243aa965 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c @@ -441,8 +441,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2314: Slot login failed")); sleep(configuration->err_display_time); } - release_pkcs11_module(ph); - return pkcs11_pam_fail; + goto auth_failed_nopw; } else if (rv) { /* get password */ pam_prompt(pamh, PAM_TEXT_INFO, NULL, @@ -468,10 +467,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2316: password could not be read")); sleep(configuration->err_display_time); } - release_pkcs11_module(ph); pam_syslog(pamh, LOG_ERR, "pam_get_pwd() failed: %s", pam_strerror(pamh, rv)); - return pkcs11_pam_fail; + goto auth_failed_nopw; } #ifdef DEBUG_SHOW_PASSWORD DBG1("password = [%s]", password); 
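Review bot: The added `if (!configuration->wait_for_card)` is immediately followed by `if (configuration->wait_for_card)` on the same flag; an `else` would make the two branches visibly exclusive and read the flag once, `} else { /* wait_for_card */`. The enclosing `if (rv != 0)` block starts before the hunk.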
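Review bot: Routing the "Slot login failed" and "password could not be read" errors to `auth_failed_nopw` now runs `unload_mappers()` and `close_pkcs11_session(ph)` on paths where the mappers have not been loaded yet (the `load_mappers()` call comes after the certificate list is read, later in the function); the replaced lines only released the module. That is only safe if `unload_mappers()` tolerates being called without a preceding `load_mappers()` — worth a comment at the label once confirmed, e.g. `/* safe before load_mappers(): unload_mappers() is a no-op then */`, or a flag set by `load_mappers()` and checked at the label. The same applies to the -468 hunk that follows.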
@@ -479,16 +477,13 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons /* check password length */ if (!configuration->nullok && strlen(password) == 0) { - release_pkcs11_module(ph); - cleanse(password, strlen(password)); - free(password); pam_syslog(pamh, LOG_ERR, "password length is zero but the 'nullok' argument was not defined."); if (!configuration->quiet) { pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2318: Empty smartcard PIN not allowed.")); sleep(configuration->err_display_time); } - return PAM_AUTH_ERR; + goto auth_failed_wrongpw; } } else @@ -503,12 +498,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons * we need to do thise before get_certificate_list because some tokens * can not read their certificates until the token is authenticated */ rv = pkcs11_login(ph, password); - /* erase and free in-memory password data asap */ - if (password) - { - cleanse(password, strlen(password)); - free(password); - } + if (rv != 0) { ERR1("open_pkcs11_login() failed: %s", get_error()); if (!configuration->quiet) { @@ -694,15 +684,13 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons free(signature); } if (rv != 0) { - close_pkcs11_session(ph); - release_pkcs11_module(ph); ERR1("verify_signature() failed: %s", get_error()); if (!configuration->quiet) { pam_syslog(pamh, LOG_ERR, "verify_signature() failed: %s", get_error()); pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2342: Verifying signature failed")); sleep(configuration->err_display_time); } - return PAM_AUTH_ERR; + goto auth_failed_wrongpw; } } else { 
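Review bot: Removing the `cleanse()`/`free()` right after `pkcs11_login()` (the -503 hunk) keeps the PIN in memory for the rest of pam_sm_authenticate — certificate verification, user mapping, the challenge signature and any CRL retrieval — instead of erasing it as soon as the token has consumed it; the success path in the -776 hunk below only wipes it after the session is closed. If nothing after `pkcs11_login()` needs `password`, keep the early wipe and add `password = NULL;` so the `if (password)` cleanup at the labels stays correct; if something does need it, a comment here should say what. The relabelled failures in the -479 and -694 hunks are otherwise fine, since the labels now wipe the buffer.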
@@ -776,14 +764,19 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons /* close pkcs #11 session */ rv = close_pkcs11_session(ph); if (rv != 0) { - release_pkcs11_module(ph); ERR1("close_pkcs11_session() failed: %s", get_error()); if (!configuration->quiet) { pam_syslog(pamh, LOG_ERR, "close_pkcs11_module() failed: %s", get_error()); pam_prompt(pamh, PAM_ERROR_MSG , NULL, ("Error 2344: Closing PKCS#11 session failed")); sleep(configuration->err_display_time); } - return pkcs11_pam_fail; + goto auth_failed_wrongpw; + } + + if ( password ) { + cleanse( password, strlen(password) ); + free( password ); + password = NULL; } /* release pkcs #11 module */ @@ -793,20 +786,24 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons DBG("authentication succeeded"); return PAM_SUCCESS; - /* quick and dirty fail exit point */ - cleanse(password, strlen(password)); - free(password); /* erase and free in-memory password data */ - auth_failed_nopw: unload_mappers(); close_pkcs11_session(ph); release_pkcs11_module(ph); + if ( password ) { + cleanse( password, strlen(password) ); + free( password ); + } return pkcs11_pam_fail; auth_failed_wrongpw: unload_mappers(); close_pkcs11_session(ph); release_pkcs11_module(ph); + if ( password ) { + cleanse( password, strlen(password) ); + free( password ); + } return PAM_AUTH_ERR; } From 097ff87538995152e1f96ea2189b1731d7516c6e Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Fri, 11 Jan 2019 17:03:25 +0300 Subject: [PATCH 061/111] Fix/improve: Write a message when the token authentication is cancelled --- po/pam_pkcs11.pot | 6 +++++- po/ru.po | 8 ++++++-- src/pam_pkcs11/pam_pkcs11.c | 15 ++++++++++++--- 3 files changed, 23 insertions(+), 6 deletions(-) diff --git a/po/pam_pkcs11.pot b/po/pam_pkcs11.pot index a102b58b..60c034a7 100644 --- a/po/pam_pkcs11.pot +++ b/po/pam_pkcs11.pot 
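Review bot: A failed `close_pkcs11_session()` now jumps to `auth_failed_wrongpw`, whose cleanup calls `close_pkcs11_session(ph)` a second time on a session that just failed to close; the replaced code only released the module. Unless `close_pkcs11_session()` is idempotent that is a double close — a dedicated exit that skips the session close, or a `session_open` flag checked at the labels, would avoid it. Returning PAM_AUTH_ERR for a close failure after a successful signature check also turns a cleanup problem into a credential failure; the `pkcs11_pam_fail` the removed line returned described it better. In the -793 hunk the two labels now share three cleanup calls plus the password wipe; one label with the result code set at the jump site would remove the duplication.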
@@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: pam_pkcs11 0.6.8\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2016-09-23 16:55+0200\n" +"POT-Creation-Date: 2019-01-11 16:54+0300\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -20,6 +20,10 @@ msgstr "" msgid "Smartcard authentication starts" msgstr "" +#: src/pam_pkcs11/pam_pkcs11.c:1187 +msgid "Smartcard authentication cancelled" +msgstr "" + #: src/pam_pkcs11/pam_pkcs11.c:324 src/pam_pkcs11/pam_pkcs11.c:433 #, c-format msgid "Please insert your %s or enter your username." diff --git a/po/ru.po b/po/ru.po index 3bcf4496..f6aed41f 100644 --- a/po/ru.po +++ b/po/ru.po @@ -9,8 +9,8 @@ msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2016-09-23 16:55+0200\n" -"PO-Revision-Date: 2007-09-10 14:14+0400\n" -"Last-Translator: sergio \n" +"PO-Revision-Date: 2019-01-11 16:55+0300\n" +"Last-Translator: Paul Wolneykien \n" "Language-Team: Russian\n" "Language: ru\n" "MIME-Version: 1.0\n" @@ -21,6 +21,10 @@ msgstr "" msgid "Smartcard authentication starts" msgstr "" +#: src/pam_pkcs11/pam_pkcs11.c:1187 +msgid "Smartcard authentication cancelled" +msgstr "Аутентификация по токену отменена" + #: src/pam_pkcs11/pam_pkcs11.c:324 src/pam_pkcs11/pam_pkcs11.c:433 #, fuzzy, c-format msgid "Please insert your %s or enter your username." diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index 243aa965..4560b3b7 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c @@ -325,7 +325,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons /* if we are using a screen saver, and we didn't log in using the smart card * drop to the next pam module. */ if (is_a_screen_saver && !login_token_name) { - return PAM_IGNORE; + goto exit_ignore; } /* load pkcs #11 module */ 
@@ -371,7 +371,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons /* If the login isn't restricted to card-only, then proceed to the next auth. module quietly. */ release_pkcs11_module(ph); - return PAM_IGNORE; + goto exit_ignore; } if (!configuration->wait_for_card) { @@ -794,7 +794,11 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons cleanse( password, strlen(password) ); free( password ); } - return pkcs11_pam_fail; + + if (PAM_IGNORE == pkcs11_pam_fail) + goto exit_ignore; + else + return pkcs11_pam_fail; auth_failed_wrongpw: unload_mappers(); @@ -805,6 +809,11 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons free( password ); } return PAM_AUTH_ERR; + + exit_ignore: + pam_prompt( pamh, PAM_TEXT_INFO, NULL, + _("Smartcard authentication cancelled") ); + return PAM_IGNORE; } PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) From 26a9f81b4f5026e0804639334fd378e103dcbf25 Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Fri, 11 Jan 2019 17:45:02 +0300 Subject: [PATCH 062/111] Improve more: Write a message when the token authentication is cancelled (no card case) --- src/pam_pkcs11/pam_pkcs11.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index 4560b3b7..14b5cd2a 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c @@ -402,6 +402,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons } if (rv != 0) { + release_pkcs11_module(ph); /* Still no card */ if (pkcs11_pam_fail != PAM_IGNORE) { if (!configuration->quiet) { @@ -412,8 +413,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons } else { pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("No smartcard found")); + goto exit_ignore; } - release_pkcs11_module(ph); return pkcs11_pam_fail; } 
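Review bot: The new `exit_ignore` label prompts `_("Smartcard authentication cancelled")` unconditionally, ignoring `configuration->quiet`, and it is now reached from the screensaver path (`is_a_screen_saver && !login_token_name`, hunk at -325 on the previous line) which used to defer silently — every screen unlock without a token will show this message. Guarding the prompt with `if (!configuration->quiet)` and wording it as a deferral rather than a cancellation (the user did not cancel anything) would match the rest of the module. In the following commit's -413 hunk the `_("No smartcard found")` message is then immediately followed by this one, two prompts for a single condition. pam_sm_authenticate continues outside the hunk.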
From e3ebe576c3bb98b3ab1b4a69b1e6a8b4ffcef5b3 Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Fri, 19 Jun 2020 15:58:48 +0300 Subject: [PATCH 063/111] Fix/improve: Output the "no token" debug message even when `wait_for_card` is set --- src/pam_pkcs11/pam_pkcs11.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index 14b5cd2a..d5cafc81 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c @@ -374,11 +374,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons goto exit_ignore; } - if (!configuration->wait_for_card) { - ERR("no suitable token available"); - if (!configuration->quiet) { - pam_syslog(pamh, LOG_ERR, "no suitable token available"); - } + ERR("no suitable token available"); + if (!configuration->quiet) { + pam_syslog(pamh, LOG_ERR, "no suitable token available"); } if (configuration->wait_for_card) { From 4a7a3ea8c1145e78adbb5cddaab829cfd05271c3 Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Mon, 6 Jul 2020 15:29:46 +0300 Subject: [PATCH 064/111] Added the exmple PAM configuration which uses the ignore result The configuration allows users in the group "wheel" to login without token when "card_only=false". --- etc/Makefile.am | 3 +++ etc/system-auth-pkcs11_strict | 13 +++++++++++++ etc/system-auth-use_first_pass-pkcs11_strict | 8 ++++++++ 3 files changed, 24 insertions(+) create mode 100644 etc/system-auth-pkcs11_strict create mode 100644 etc/system-auth-use_first_pass-pkcs11_strict diff --git a/etc/Makefile.am b/etc/Makefile.am index fc5e35b0..ea9b2688 100644 --- a/etc/Makefile.am +++ b/etc/Makefile.am @@ -16,3 +16,6 @@ EXTRA_DIST = $(TO_INSTALL) \ doc_DATA = $(TO_INSTALL) \ pam_pkcs11.conf.example \ pam.d_login.example + +pamdir = $(sysconfdir)/pam.d +pam_DATA = system-auth-pkcs11_strict system-auth-use_first_pass-pkcs11_strict 
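Review bot: `pamdir = $(sysconfdir)/pam.d` with `pam_DATA = system-auth-pkcs11_strict ...` installs two live PAM service files into the system's pam.d directory on `make install`, where they become active configuration as soon as a service refers to them and can overwrite an administrator's files of the same name on upgrade. Policy files like this are better shipped under `doc_DATA` as examples, which the two lines above already do for `pam.d_login.example`, and copied into place deliberately by the packager or administrator.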
diff --git a/etc/system-auth-pkcs11_strict b/etc/system-auth-pkcs11_strict new file mode 100644 index 00000000..fc323408 --- /dev/null +++ b/etc/system-auth-pkcs11_strict @@ -0,0 +1,13 @@ +#%PAM-1.0 +auth [success=done ignore=ignore default=die] pam_pkcs11.so +auth requisite pam_succeed_if.so user ingroup wheel +auth include system-auth-local + +account include system-auth-local + +password [success=done ignore=ignore default=die] pam_pkcs11.so +password requisite pam_succeed_if.so user ingroup wheel +password include system-auth-local + +session include system-auth-local +session required pam_mkhomedir.so silent diff --git a/etc/system-auth-use_first_pass-pkcs11_strict b/etc/system-auth-use_first_pass-pkcs11_strict new file mode 100644 index 00000000..63406f50 --- /dev/null +++ b/etc/system-auth-use_first_pass-pkcs11_strict @@ -0,0 +1,8 @@ +#%PAM-1.0 +auth [success=done ignore=ignore default=die] pam_pkcs11.so use_first_pass +auth requisite pam_succeed_if.so user ingroup wheel +auth include system-auth-use_first_pass-local + +password [success=done ignore=ignore default=die] pam_pkcs11.so use_first_pass +password requisite pam_succeed_if.so user ingroup wheel +password include system-auth-use_first_pass-local From b1ea66dad88672daef8b2e2ef171830c5808d7c4 Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Tue, 7 Jul 2020 13:37:32 +0300 Subject: [PATCH 065/111] Rename "pkcs11_strict" PAM config to "ignore_no_card" and install it in the docs as an example --- etc/Makefile.am | 6 ++---- ...em-auth-pkcs11_strict => pam.d_ignore_no_card.example} | 0 etc/system-auth-use_first_pass-pkcs11_strict | 8 -------- 3 files changed, 2 insertions(+), 12 deletions(-) rename etc/{system-auth-pkcs11_strict => pam.d_ignore_no_card.example} (100%) delete mode 100644 etc/system-auth-use_first_pass-pkcs11_strict diff --git a/etc/Makefile.am b/etc/Makefile.am index ea9b2688..ae191fc4 100644 --- a/etc/Makefile.am +++ b/etc/Makefile.am 
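Review bot: `auth [success=done ignore=ignore default=die] pam_pkcs11.so` relies on `system-auth-local` (and `system-auth-use_first_pass-local` in the second file) existing on the target system, and neither file nor the commit message says so; a header comment naming the expected includes and explaining the `ignore=ignore` branch (a PAM_IGNORE from pam_pkcs11 falls through to the `wheel` check) would help whoever installs this. `success=done` ends the `auth` stack on a token success, so any module placed after it inside `system-auth-local` — lockout or access restrictions, for instance — is skipped for token logins; state that as intended or place such checks before pam_pkcs11. The `session required pam_mkhomedir.so silent` line is unrelated to the token policy the commit describes, and the `use_first_pass` variant has no `account` or `session` stanzas, which should be mentioned if it is meant as a complete service configuration.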
@@ -15,7 +15,5 @@ EXTRA_DIST = $(TO_INSTALL) \ doc_DATA = $(TO_INSTALL) \ pam_pkcs11.conf.example \ - pam.d_login.example - -pamdir = $(sysconfdir)/pam.d -pam_DATA = system-auth-pkcs11_strict system-auth-use_first_pass-pkcs11_strict + pam.d_login.example \ + pam.d_ignore_no_card.example diff --git a/etc/system-auth-pkcs11_strict b/etc/pam.d_ignore_no_card.example similarity index 100% rename from etc/system-auth-pkcs11_strict rename to etc/pam.d_ignore_no_card.example diff --git a/etc/system-auth-use_first_pass-pkcs11_strict b/etc/system-auth-use_first_pass-pkcs11_strict deleted file mode 100644 index 63406f50..00000000 --- a/etc/system-auth-use_first_pass-pkcs11_strict +++ /dev/null @@ -1,8 +0,0 @@ -#%PAM-1.0 -auth [success=done ignore=ignore default=die] pam_pkcs11.so use_first_pass -auth requisite pam_succeed_if.so user ingroup wheel -auth include system-auth-use_first_pass-local - -password [success=done ignore=ignore default=die] pam_pkcs11.so use_first_pass -password requisite pam_succeed_if.so user ingroup wheel -password include system-auth-use_first_pass-local From e05600c88d1a673d9f69211af6dd99adb16f7279 Mon Sep 17 00:00:00 2001 From: "Alexey I. Froloff" Date: Thu, 30 Jul 2009 21:58:38 +0400 Subject: [PATCH 066/111] Add card_only and wait_for_card to example config. --- etc/pam_pkcs11.conf.example.in | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/etc/pam_pkcs11.conf.example.in b/etc/pam_pkcs11.conf.example.in index 648ec7a4..b99e0706 100644 --- a/etc/pam_pkcs11.conf.example.in +++ b/etc/pam_pkcs11.conf.example.in 
@@ -23,6 +23,23 @@ pam_pkcs11 { # previously set (intended for stacking password modules only). use_authtok = false; + # card_only means: + # 1) always get the userid from the certificate. + # 2) don't prompt for the user name if the card is present. + # 3) if the token is present, then we must use the cardAuth mechanism. + card_only = false; + + # wait_for_card means: + # 1) nothing if card_only isn't set + # 2) if logged in, block in pam conversation until the token used for login + # is inserted + # 3) if not logged in, block until a token that could be used for logging in + # is inserted + # right now, logged in means PKC11_LOGIN_TOKEN_NAME is set, + # but we could something else later (like set some per-user state in + # a pam session module keyed off uid) + wait_for_card = false; + # Filename of the PKCS #11 module. The default value is "default" use_pkcs11_module = opensc; From d3a9e2eae721da3fb501c29468423bd45ea115c8 Mon Sep 17 00:00:00 2001 From: "Alexey I. Froloff" Date: Thu, 30 Jul 2009 22:04:53 +0400 Subject: [PATCH 067/111] Add screen_savers to example config --- etc/pam_pkcs11.conf.example.in | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/etc/pam_pkcs11.conf.example.in b/etc/pam_pkcs11.conf.example.in index b99e0706..3ae668cb 100644 --- a/etc/pam_pkcs11.conf.example.in +++ b/etc/pam_pkcs11.conf.example.in @@ -40,6 +40,13 @@ pam_pkcs11 { # a pam session module keyed off uid) wait_for_card = false; + # List of screen saver services. + # This list is only parsed if card_only is set. Basically the screen saver + # will bypass pam_pkcs11 if a token was not used to login (The basic idea is + # you always unlock the screen saver with the same mechanism you used to + # login). + screen_savers = xfce4-screensaver, mate-screensaver, gnome-screensaver, kde4-kscreensaver, kscreensaver, xscreensaver; + # Filename of the PKCS #11 module. The default value is "default" use_pkcs11_module = opensc; 
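Review bot: The new `card_only` comment carries the older three-point description ("always get the userid from the certificate", "don't prompt for the user name if the card is present", "must use the cardAuth mechanism"), while the source comment in the -253 hunk of pam_pkcs11.c on this page now describes it as "restrict the authentication to token only if the user has already authenticated by the token"; the description was presumably accurate when written in 2009, but the example config is what administrators read and should carry the current semantics. The `wait_for_card` text also names the environment variable `PKC11_LOGIN_TOKEN_NAME`; the module reads `PKCS11_LOGIN_TOKEN_NAME`.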
From a2495ecff9cbcb3e165cecc09ef693d6b635840a Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Thu, 13 Aug 2020 14:02:47 +0300 Subject: [PATCH 068/111] Use the single fail exit point --- src/pam_pkcs11/pam_pkcs11.c | 42 ++++++++++++++++--------------------- 1 file changed, 18 insertions(+), 24 deletions(-) diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index d5cafc81..8bf60bad 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c @@ -440,7 +440,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2314: Slot login failed")); sleep(configuration->err_display_time); } - goto auth_failed_nopw; + goto auth_failed; } else if (rv) { /* get password */ pam_prompt(pamh, PAM_TEXT_INFO, NULL, @@ -468,7 +468,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons } pam_syslog(pamh, LOG_ERR, "pam_get_pwd() failed: %s", pam_strerror(pamh, rv)); - goto auth_failed_nopw; + goto auth_failed; } #ifdef DEBUG_SHOW_PASSWORD DBG1("password = [%s]", password); @@ -482,7 +482,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2318: Empty smartcard PIN not allowed.")); sleep(configuration->err_display_time); } - goto auth_failed_wrongpw; + pkcs11_pam_fail = PAM_AUTH_ERR; + goto auth_failed; } } else @@ -505,7 +506,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2320: Wrong smartcard PIN")); sleep(configuration->err_display_time); } - goto auth_failed_wrongpw; + pkcs11_pam_fail = PAM_AUTH_ERR; + goto auth_failed; } } 
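Review bot: The pair `pkcs11_pam_fail = PAM_AUTH_ERR; goto auth_failed;` is repeated at the -482 and -505 hunks here and again at the -689 and -769 hunks of the same commit; a second label that sets the code and falls into the shared cleanup keeps every jump site to one line: `auth_failed_wrongpw: pkcs11_pam_fail = PAM_AUTH_ERR; /* fallthrough */` immediately before `auth_failed:`. Because `auth_failed` redirects a PAM_IGNORE result to `exit_ignore`, the overriding assignment is what guarantees a wrong PIN or bad signature is never downgraded to an ignore, so that property deserves a one-line comment at the label. The cleanup block itself is outside the hunks on this line.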
@@ -517,7 +519,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2322: No certificate found"));
 sleep(configuration->err_display_time);
 }
- goto auth_failed_nopw;
+ goto auth_failed;
 }
 /* load mapper modules */
@@ -592,7 +594,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2332: setting PAM userentry failed"));
 sleep(configuration->err_display_time);
 }
- goto auth_failed_nopw;
+ goto auth_failed;
 }
 chosen_cert = cert_list[i];
 break; /* end loop, as find user success */
@@ -608,7 +610,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2334: No matching user"));
 sleep(configuration->err_display_time);
 }
- goto auth_failed_nopw;
+ goto auth_failed;
 } else if (rv == 0) { /* match didn't success */
 DBG("certificate is valid but does not match the user");
 continue; /* try next certificate */
@@ -629,7 +631,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2336: No matching certificate found"));
 sleep(configuration->err_display_time);
 }
- goto auth_failed_nopw;
+ goto auth_failed;
 }
@@ -645,7 +647,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 if (!configuration->quiet)
 pam_syslog(pamh, LOG_ERR, "get_private_key() failed: %s",
 get_error());
- goto auth_failed_nopw;
+ goto auth_failed;
 }
 #endif
@@ -658,7 +660,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2338: Getting random value failed"));
 sleep(configuration->err_display_time);
 }
- goto auth_failed_nopw;
+ goto auth_failed;
 }
 /* sign random value */
@@ -672,7 +674,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2340: Signing failed"));
 sleep(configuration->err_display_time);
 }
- goto auth_failed_nopw;
+ goto auth_failed;
 }
 /* verify the signature */
@@ -689,7 +691,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2342: Verifying signature failed"));
 sleep(configuration->err_display_time);
 }
- goto auth_failed_wrongpw;
+ pkcs11_pam_fail = PAM_AUTH_ERR;
+ goto auth_failed;
 }
 }
 else {
@@ -769,7 +772,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 pam_prompt(pamh, PAM_ERROR_MSG , NULL, ("Error 2344: Closing PKCS#11 session failed"));
 sleep(configuration->err_display_time);
 }
- goto auth_failed_wrongpw;
+ pkcs11_pam_fail = PAM_AUTH_ERR;
+ goto auth_failed;
 }
 if ( password ) {
@@ -785,7 +789,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 DBG("authentication succeeded");
 return PAM_SUCCESS;
-auth_failed_nopw:
+auth_failed:
 unload_mappers();
 close_pkcs11_session(ph);
 release_pkcs11_module(ph);
@@ -799,16 +803,6 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 else return pkcs11_pam_fail;
-auth_failed_wrongpw:
- unload_mappers();
- close_pkcs11_session(ph);
- release_pkcs11_module(ph);
- if ( password ) {
- cleanse( password, strlen(password) );
- free( password );
- }
- return PAM_AUTH_ERR;
-
 exit_ignore:
 pam_prompt( pamh, PAM_TEXT_INFO, NULL, _("Smartcard authentication cancelled") );
From bcf31ad533233f3d37a65e4f384e4e5f1ba937e6 Mon Sep 17 00:00:00 2001
From: Paul Wolneykien
Date: Fri, 14 Aug 2020 17:41:29 +0300
Subject: [PATCH 069/111] Fix: Cast the &user pointer for pam_get_item()

---
 src/pam_pkcs11/pam_pkcs11.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
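Review bot: The removed `auth_failed_wrongpw` label returned PAM_AUTH_ERR unconditionally, whereas the shared `auth_failed` label it is folded into (hunk @@ -799) returns `pkcs11_pam_fail` only in an `else` branch whose `if` and return value lie outside the hunk. The `pkcs11_pam_fail = PAM_AUTH_ERR;` now set at the wrong-PIN, signature-verification and session-close sites (@@ -482, @@ -505, @@ -689, @@ -769) therefore only takes effect when that `if` is not taken; if the branch exists to map a missing card to an ignorable status, a rejected PIN or failed signature check could in principle reach it. It is worth confirming that the condition cannot hold once a credential has been collected, and recording the invariant at the label: `/* every path that rejected a credential must have set pkcs11_pam_fail = PAM_AUTH_ERR before jumping here; the if above is only for the no-card case */`. The deleted label also cleansed and freed `password`; `auth_failed`'s body continues outside the hunk, so that step is presumably still present and should be checked.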
diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c
index 8bf60bad..e4bc49ad 100644
--- a/src/pam_pkcs11/pam_pkcs11.c
+++ b/src/pam_pkcs11/pam_pkcs11.c
@@ -317,7 +317,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 }
 /* look to see if username is already set */
- pam_get_item(pamh, PAM_USER, &user);
+ pam_get_item(pamh, PAM_USER, (const void **) &user);
 if (user) {
 DBG1("explicit username = [%s]", user);
 }
From 0ddd3a7bd32d697790b1bc5b00e59147de352d5a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Skalski?=
Date: Fri, 10 Jan 2020 12:36:50 +0100
Subject: [PATCH 070/111] Workaround for buggy PKCS#11 C_Sign() implementation

Add workaround for buggy implementation of PKCS#11 library when it does not update signature_length parameter if it returns CKR_BUFFER_TOO_SMALL. It handles also (hypotetical) reducing by PKCS#11 library returned signature length. Additionally speeds up signature using larger buffer (of 1024 bytes) at beginning which should result for most of cases calling C_Sign() only once.
---
 src/common/pkcs11_lib.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c
index caad49c1..8c13225e 100644
--- a/src/common/pkcs11_lib.c
+++ b/src/common/pkcs11_lib.c
@@ -1812,8 +1812,9 @@ int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data,
 return -1;
 }
 *signature = NULL;
- *signature_length = 64;
+ *signature_length = 1024;
 while (*signature == NULL) {
+ CK_ULONG current_signature_length = *signature_length;
 *signature = malloc(*signature_length);
 if (*signature == NULL) {
 set_error("not enough free memory available");
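Review bot: The return code of `pam_get_item()` is still discarded, so the `if (user)` that follows relies on `user` already holding NULL before the call; its declaration and initialisation are outside the hunk and should be checked. The cast to `const void **` matches the Linux-PAM prototype, but a checked call makes the dependency explicit: `if (pam_get_item(pamh, PAM_USER, (const void **) &user) != PAM_SUCCESS) user = NULL;`. pam_sm_authenticate continues on both sides of the hunk.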
@@ -1824,6 +1825,11 @@ int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data,
 /* increase signature length as long as it it to short */
 free(*signature);
 *signature = NULL;
+ if (current_signature_length >= *signature_length) {
+ /* workaround for buggy PKCS#11 implementation: it didn't change
+ or even lowered buffer size - forcing using larger (double size) buffer */
+ *signature_length = current_signature_length * 2;
+ }
 DBG1("increased signature buffer-length to %ld", *signature_length);
 } else if (rv != CKR_OK) {
 free(*signature);
From bae6bed9fc8b4c2c78f0f46e5247b78e7cbc518c Mon Sep 17 00:00:00 2001
From: Olivier Martin
Date: Thu, 20 May 2021 16:31:51 +0200
Subject: [PATCH 071/111] pam_config: Handle 'card_only' option from command line

---
 src/pam_pkcs11/pam_config.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/pam_pkcs11/pam_config.c b/src/pam_pkcs11/pam_config.c
index 6739deff..96e2a3f6 100644
--- a/src/pam_pkcs11/pam_config.c
+++ b/src/pam_pkcs11/pam_config.c
@@ -266,6 +266,10 @@ struct configuration_st *pk_configure( int argc, const char **argv ) {
 configuration.use_first_pass = 1;
 continue;
 }
+ if (strcmp("card_only", argv[i]) == 0) {
+ configuration.card_only = 1;
+ continue;
+ }
 if (strcmp("wait_for_card", argv[i]) == 0) {
 configuration.wait_for_card = 1;
 continue;
From 2e7e4b880cd17b06d4633d1f1b5eb21190e0365b Mon Sep 17 00:00:00 2001
From: Paul Wolneykien
Date: Mon, 31 May 2021 19:21:34 +0300
Subject: [PATCH 072/111] Limit signature length to 65536 bytes

This protects the C_Sign() loop from infinite looping in the case of a buggy PKCS#11 implementation (see commit f81e22c).
---
 src/common/pkcs11_lib.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c
index 8c13225e..2377fdaf 100644
--- a/src/common/pkcs11_lib.c
+++ b/src/common/pkcs11_lib.c
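Review bot: The comment added inside the new `if` is hard to parse and does not say when the branch triggers; I would replace its two lines with `/* Some modules answer CKR_BUFFER_TOO_SMALL without raising *signature_length (or even lower it); double the buffer ourselves so the loop keeps making progress. */`. The `DBG1` line directly below prints a CK_ULONG with `%ld`; where CK_ULONG is `unsigned long`, `%lu` is the matching conversion. The surrounding loop and sign_value itself continue on both sides of the hunk.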
@@ -1757,6 +1757,8 @@ X509 *get_X509_certificate(cert_object_t *cert)
 return cert->x509;
 }
+#define MAX_SIGNATURE_LENGTH 65536
+
 int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data,
 CK_ULONG length, CK_BYTE **signature, CK_ULONG *signature_length)
 {
@@ -1831,6 +1833,10 @@ int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data,
 *signature_length = current_signature_length * 2;
 }
 DBG1("increased signature buffer-length to %ld", *signature_length);
+ if (*signature_length > MAX_SIGNATURE_LENGTH) {
+ set_error("signature too long");
+ return -1;
+ }
 } else if (rv != CKR_OK) {
 free(*signature);
 *signature = NULL;
From 8647c7cde99c8cf3a8df910c0185d3997f5c56e2 Mon Sep 17 00:00:00 2001
From: Paul Wolneykien
Date: Mon, 31 May 2021 21:18:38 +0300
Subject: [PATCH 073/111] Release 0.6.12

Signed-off-by: Paul Wolneykien
---
 AUTHORS | 4 ++++
 ChangeLog | 16 ++++++++++++++++
 README | 1 +
 configure.ac | 2 +-
 4 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/AUTHORS b/AUTHORS
index 5aa6e025..de79c770 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -24,5 +24,9 @@ Dominik Fischer
 Ville Skyttä
 Original pam_pkcs11.spec file
+Paul Wolneykien
+ Additional features and fixes (card_only, wait_for_card, openssl
+ versions).
+
 Also Thanks to all the people at the OpenSC project
diff --git a/ChangeLog b/ChangeLog
index bad58b5e..9061fd10 100644
--- a/ChangeLog
+++ b/ChangeLog
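Review bot: `MAX_SIGNATURE_LENGTH` is introduced with no comment saying what it bounds, and in the second hunk the new check sits after the `DBG1`, so the log still reports a buffer size that is about to be rejected. I would document the define as `/* Cap for the C_Sign() retry loop: stops a module that keeps answering CKR_BUFFER_TOO_SMALL from growing the buffer without limit; real signatures are far smaller (RSA-4096 is 512 bytes). */` and move the check ahead of the `DBG1`. On the early return `*signature` is already NULL, which matches the other failure branch visible in the hunk, so callers see a consistent state. The enclosing loop and sign_value continue outside the hunk.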
@@ -1,3 +1,19 @@
+31- May 2021
+ - Version 0.6.12
+ - Limit signature length to 65536 bytes.
+ - Workaround for buggy PKCS#11 C_Sign() implementation that always
+ returns the same signature length along with
+ CKR_BUFFER_TOO_SMALL.
+ - Don't stuck if wait_for_card=false and ignore the token not found
+ error when the authentication isn't restricted to card only
+ (either by the option `card_only` or by PKCS11_LOGIN_TOKEN_NAME
+ environment variable).
+ - Added the exmple PAM configuration which uses the ignore status
+ result.
+ - Added `screen_savers` to example config.
+ - Fixes to deal with old and new OpenSSL versions.
+ - Various small fixes including type casts and printf() formats.
+
 22- May 2019
 - Version 0.6.11
 - Support OpenSSL 1.1.0
diff --git a/README b/README
index 848df3d1..9cff3fbd 100644
--- a/README
+++ b/README
@@ -5,6 +5,7 @@ Authors: Mario Strasser
 Juan Antonio Martinez
 Ludovic Rouseau
 Frank Morgner
+ Paul Wolneykien
 This Linux-PAM login module allows a X.509 certificate based user login.
 The certificate and its dedicated private key are thereby
diff --git a/configure.ac b/configure.ac
index 3fb4b6a0..2484558e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4,7 +4,7 @@ AC_PREREQ([2.69])
 # Process this file with autoconf to produce a configure script.
-AC_INIT([pam_pkcs11],[0.6.11])
+AC_INIT([pam_pkcs11],[0.6.12])
 AC_CONFIG_SRCDIR([src/pam_pkcs11/pam_pkcs11.c])
 AC_CANONICAL_HOST
 AM_INIT_AUTOMAKE
From e8c26d01e1b9c8eb3bb8d965505d682b151a4775 Mon Sep 17 00:00:00 2001
From: Paul Wolneykien
Date: Fri, 27 Aug 2021 21:07:24 +0300
Subject: [PATCH 074/111] Fixed missing X509_CRL_free() in check_for_revocation

Fixed missing X509_CRL_free() in check_for_revocation (thx Komarov Egor).
---
 src/common/cert_vfy.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/common/cert_vfy.c b/src/common/cert_vfy.c
index 82c5d0cb..4f6a4b33 100644
--- a/src/common/cert_vfy.c
+++ b/src/common/cert_vfy.c
@@ -332,6 +332,7 @@ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t
 set_error("verify_crl() failed: %s", get_error());
 return -1;
 } else if (rv == 0) {
+ X509_CRL_free(crl);
 return 0;
 }
 DBG("checking revocation");
From faa8a2f09f2eda1d39e2d60f2cd9830f023e2e73 Mon Sep 17 00:00:00 2001
From: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com>
Date: Wed, 15 Sep 2021 21:08:01 +0200
Subject: [PATCH 075/111] Fix typos found by codespell

---
 AUTHORS | 2 +-
 ChangeLog | 12 +++----
 README | 2 +-
 README.md | 2 +-
 doc/README.autologin | 2 +-
 doc/README.eventmgr | 4 +--
 doc/README.mappers | 14 ++++----
 doc/mappers_api.xml | 50 ++++++++++++++---------------
 doc/pam_pkcs11.xml | 16 ++++-----
 doc/pkcs11_eventmgr.1 | 4 +--
 etc/pam_pkcs11.conf.example.in | 8 ++---
 pam_pkcs11.spec | 2 +-
 src/common/cert_info.c | 4 +--
 src/common/cert_vfy.c | 4 +--
 src/common/cert_vfy.h | 6 ++--
 src/common/pam-pkcs11-ossl-compat.h | 4 +--
 src/common/pkcs11_lib.c | 8 ++---
 src/common/rsaref/pkcs11.h | 2 +-
 src/common/strings.h | 2 +-
 src/common/uri.c | 4 +--
 src/common/uri.h | 2 +-
 src/mappers/ldap_mapper.c | 8 ++---
 src/mappers/mail_mapper.c | 4 +--
 src/mappers/mapper.h | 10 +++---
 src/mappers/null_mapper.c | 2 +-
 src/pam_pkcs11/mapper_mgr.h | 2 +-
 src/pam_pkcs11/pam_pkcs11.c | 2 +-
 src/scconf/README.scconf | 6 ++--
 src/tools/card_eventmgr.c | 4 +--
 src/tools/pkcs11_eventmgr.c | 6 ++--
 30 files changed, 99 insertions(+), 99 deletions(-)

diff --git a/AUTHORS b/AUTHORS
index de79c770..bd9ce304 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -11,7 +11,7 @@ Timo Sirainen
 Ludovic Rousseau
 Many fixes and improvements
- card_eventmgr mantainer
+ card_eventmgr maintainer
 Andreas Jellinghaus
 OpenSC and OpenSSH mappers original
diff --git a/ChangeLog b/ChangeLog
index 9061fd10..4b66c0fb 100644
--- a/ChangeLog
+++ b/ChangeLog
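Review bot: The `rv < 0` branch two lines above the added call still returns -1 without releasing `crl`, so the leak is closed only for the `rv == 0` case; assuming `crl` is owned by this function as the new `X509_CRL_free(crl)` implies, the error path wants the same treatment: `X509_CRL_free(crl); return -1;`. check_for_revocation starts and ends outside the hunk, so if it already has a cleanup label further down, jumping to it would be the cleaner fix for both paths.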
@@ -8,7 +8,7 @@ error when the authentication isn't restricted to card only (either by the option `card_only` or by PKCS11_LOGIN_TOKEN_NAME environment variable). - - Added the exmple PAM configuration which uses the ignore status + - Added the example PAM configuration which uses the ignore status result. - Added `screen_savers` to example config. - Fixes to deal with old and new OpenSSL versions. @@ -52,7 +52,7 @@ 01- Sep 2005 - Finished OpenSC mapper. Thanks to Andreas for their pam_opensc module - New .spec file - - Cleanning tasks to prepare next release + - Cleaning tasks to prepare next release 31- Aug 2005 - Include HOWTO in Pam-pkcs11 manual @@ -123,12 +123,12 @@ 31- Mar 2005 - Added CA & CRL mgmnt doc to manual - - Chaged ocurrences of "if (!x) free(x)" to "free(x)" as glibc - already does propper null check + - Changed occurrences of "if (!x) free(x)" to "free(x)" as glibc + already does proper null check - Finished krb_mapper ( no pkinit, just kpn -> login map ). NOTE: I assume that KPN is stored as ASN1_STRING, but cannot deduce it from RFC's - - MS mapper rewriten to use cert_info lib + - MS mapper rewritten to use cert_info lib 29- Mar 2005 - Manual rewritten in xml format @@ -176,7 +176,7 @@ 4- Mar 2005 - Added mapfiles to UID mapper - - ms_mapper now works properly ( sorry, no ADS conection yet :-( ) + - ms_mapper now works properly ( sorry, no ADS connection yet :-( ) - Updated doc and sample files 3- Mar 2005 diff --git a/README b/README index 9cff3fbd..6f58f970 100644 --- a/README +++ b/README @@ -21,7 +21,7 @@ Standard (PKCS #11) is available at [4]. PKCS #11 Module Requirements ---------------------------------------------------------------------- -The PKCS #11 modules must fullfill the requirements given by the RSA +The PKCS #11 modules must fulfill the requirements given by the RSA Asymmetric Client Signing Profile, which has been specified in the PKCS #11 Conformance Profile Specification [5] by RSA Laboratories. 
diff --git a/README.md b/README.md index ddec6ac5..1cbff67f 100644 --- a/README.md +++ b/README.md @@ -48,7 +48,7 @@ Laboratories. To map the ownership of a certificate into a user login, pam-pkcs11 uses the concept of *mapper* that is, a list of configurable, stackable list of dynamic modules, each one trying to do a specific cert-to-login -maping. Several mappers are provided: +mapping. Several mappers are provided: * the common name of the subject matches the login name * the unique identifier of the subject matches the login name diff --git a/doc/README.autologin b/doc/README.autologin index cd828ad6..1c27cafb 100644 --- a/doc/README.autologin +++ b/doc/README.autologin @@ -60,7 +60,7 @@ provided for logging processes running as root. Improper mapper chain configurations with unauthorized certificates can lead in the creation of fake accounts in the system if pam_mkhomedir.so -module is used. So be really carefull when authenticating users directly +module is used. So be really careful when authenticating users directly from certificates. Enjoy! diff --git a/doc/README.eventmgr b/doc/README.eventmgr index e80e338f..80f5ad03 100644 --- a/doc/README.eventmgr +++ b/doc/README.eventmgr @@ -15,14 +15,14 @@ To invoke the program, just type "card_eventmgr". Several command lines are recognized: - debug - to enable debugging. Defaults to unset -- daemon - to run as daemon. If debug is unset, also dettach from tty. +- daemon - to run as daemon. If debug is unset, also detach from tty. Default to unset - timeout= - time in msec between two consecutive status poll. Defaults to 1000 (1 second) - config_file= - configuration file to use. Defaults to /etc/pam_pkcs11/card_eventmgr.conf -Structure of configuration file is described bellow: +Structure of configuration file is described below: card_eventmgr { diff --git a/doc/README.mappers b/doc/README.mappers index c01968a7..0cd2f672 100644 --- a/doc/README.mappers +++ b/doc/README.mappers 
@@ -28,8 +28,8 @@ An alternate way of working is by mean of not providing user name: - Map certificate into an user (*) - open session for deduced login -Last way needs an aditional pam-mkhomedir.so PAM module, that can -dinamically create an account. +Last way needs an additional pam-mkhomedir.so PAM module, that can +dynamically create an account. Operations (*) and (**) are the reason for cert-mappers to exist. @@ -97,7 +97,7 @@ pw - Compare CN against getpwent() "login" or "gecos" fields to match This means you can setup /etc/nsswitch.conf password entries to lookup in to /etc/passwd, or ldap/kerberos/NIS+/YP services -ldap - Uses an ldap server to retrieve user name. An aditional file tells +ldap - Uses an ldap server to retrieve user name. An additional file tells module the mapping between Cert fields and LDAP entries This mapper is still under development. Provided one just search @@ -117,13 +117,13 @@ mail - Try to extract an e-mail from the certificate. If found, tries to map the email field from the certificate to a user (or alternate email). - if use_alias is not set, just use email addres from certificate + if use_alias is not set, just use email address from certificate to perform find/match. * When used as finder, just return email or mapped email/user (see above) * When used as matcher, compare found email/user against - provided by pam. Additionaly you can set "ignorecase" or + provided by pam. Additionally you can set "ignorecase" or "ignoredomain" flags domain check (if set) is done by testing if provided email domain 
@@ -165,13 +165,13 @@ edit skeleton sample files and follow instructions on how to compile and link Mapper.h provides default implementation for required some functions. -They should be overriden by user code, but can be used for testing purposes +They should be overridden by user code, but can be used for testing purposes Wish list --------- - Implement PKINIT draft protocol for talking to a kerberos server -- Use MS Universal Principal Name to autenticate against an MS Active +- Use MS Universal Principal Name to authenticate against an MS Active directory server - Implement mail_aliases parsing for mail mapper module diff --git a/doc/mappers_api.xml b/doc/mappers_api.xml index db4848fe..268acf28 100644 --- a/doc/mappers_api.xml +++ b/doc/mappers_api.xml @@ -149,7 +149,7 @@ to ease mapper coding. You'll find: Configuration support -Althought all mappers have default values, most of then have +Although all mappers have default values, most of then have configuration options. The file /etc/pam_pkcs11/pam_pkcs11.conf stores them. @@ -157,16 +157,16 @@ stores them. - - Writting a mapper + + Writing a mapper Before starting -Decide if the mapper will be statically or dinamically compiled +Decide if the mapper will be statically or dynamically compiled The first way is for simple, quick and easy mappers that doesn't need -aditional/optional libraries, just inspect certificate contents. +additional/optional libraries, just inspect certificate contents. The second way is for those mappers that need some optional libraries, such as ldap, kerberos, openssh or so @@ -210,7 +210,7 @@ When the mapper is used to map more than one field, you should add one entry for each mapped field. Each entry must have an unique mapper name, and (if the mapper is to be dynamically loaded) the same library name path -See bellow on how to set up code to include multiple fields mappers to be +See below on how to set up code to include multiple fields mappers to be statically compiled 
@@ -286,7 +286,7 @@ FOO_EXTERN mapper_module * foo_mapper_module_init(scconf_block *blk,const char * Skeleton code for mapper C file. -This is a sample skeleton file for single field mappers. It provides all the methods and data required by the API. Is up to you to include aditional functions as required. +This is a sample skeleton file for single field mappers. It provides all the methods and data required by the API. Is up to you to include additional functions as required. They only need to export one symbol: the entry point of the init routine @@ -453,7 +453,7 @@ mapper_module * foo_mapper_module_init(scconf_block *blk,const char *mapper_name -See bellow on what's each function is intended to do, comodity macros, +See below on what's each function is intended to do, comodity macros, and some examples on how to code them 
@@ -577,7 +577,7 @@ struct mapper_listitem { The list of mappers to be loaded are declared by mean of entry in /etc/pam_pkcs11/pam_pksc11.conf configuration file. Each declared mapper is loaded in turn. The first in the list will be the first one in the mapper chain -On each mapper entry, pam_pkcs11 search for the keyword. If not found, or equals to "", the code assumes that reffers to an statically linked mapper, and search it in the list of mappers declared at src/mappers/mapperlist.c. Otherwise assume that we provide the full pathname to a dynamic library, and try to load by mean of dlopen() function +On each mapper entry, pam_pkcs11 search for the keyword. If not found, or equals to "", the code assumes that refers to an statically linked mapper, and search it in the list of mappers declared at src/mappers/mapperlist.c. Otherwise assume that we provide the full pathname to a dynamic library, and try to load by mean of dlopen() function When module is found or loaded, the module_load() calls to the mapper_module_init() function, and if the result is not null assumes to be returned a pointer to the internal mapper entries table. These entries will be used to call finder, matcher, and deinit functions on the mapper @@ -637,7 +637,7 @@ Many of the mapper functions are repetitive. Many others are nonsense in some ma -The only usefull one is _DEFAULT_MAPPER_END, but the other ones are provided for compile work-in-progress mappers +The only useful one is _DEFAULT_MAPPER_END, but the other ones are provided for compile work-in-progress mappers See the code, to provide you an idea of how to code real functions 
@@ -647,7 +647,7 @@ See the code, to provide you an idea of how to code real functions Multifield mappers -The sample code provided in first section can be used directly to create single field mappers. When writting multiple fields mappers ( a mapper, that can resolve two or more different certificate contents, ie CN and KPN ), a different approach is needed: +The sample code provided in first section can be used directly to create single field mappers. When writing multiple fields mappers ( a mapper, that can resolve two or more different certificate contents, ie CN and KPN ), a different approach is needed: @@ -677,7 +677,7 @@ Most of statically linked mappers share common configuration options: -So if up to the system administrator, if agreed with default values, to ommit in the configuration file /etc/pam_pkcs11/pam_pkcs11.conf the mapper entry for this module. The module loader will look for proper mapper entry. If not found, assume that the module is static, and will try to load it and set up with default values. This behaviour is coded in the provided sample skeleton file for coding mappers +So if up to the system administrator, if agreed with default values, to omit in the configuration file /etc/pam_pkcs11/pam_pkcs11.conf the mapper entry for this module. The module loader will look for proper mapper entry. If not found, assume that the module is static, and will try to load it and set up with default values. This behaviour is coded in the provided sample skeleton file for coding mappers Above note does not apply, of course, to dynamically loaded mappers, as they always need at least the "" entry to be specified 
@@ -716,7 +716,7 @@ Several functions and macros are provided to generate and display debug and erro The mapper API provides several functions to manage mapfiles. They are declared in src/mappers/mapper.h -To use a mapfile, we must create a mapfile entry, then make sucessive calls to retrieve data, and finally destroy the structure. It works in a similar way as setpwent(), getpwent() and endpwent() functions works in walking throught a password file +To use a mapfile, we must create a mapfile entry, then make successive calls to retrieve data, and finally destroy the structure. It works in a similar way as setpwent(), getpwent() and endpwent() functions works in walking through a password file The mapfile structure is defined as: @@ -728,8 +728,8 @@ The mapfile structure is defined as: struct mapfile { const char *uri;/* URL of mapfile */ char *buffer; /* buffer to content of mapfile */ - size_t length; /* lenght of buffer */ - char *pt; /* pointer to last readed entry in buffer */ + size_t length; /* length of buffer */ + char *pt; /* pointer to last read entry in buffer */ char *key; /* key entry in current buffer */ char *value; /* value assigned to key */ }; @@ -762,7 +762,7 @@ The returned "" and "" entries should PAM-PKCS#11 configuration files are based in the SCConf library of the OpenSC Project. See the file src/scconf/README.scconf for a detailed description of the scconf -As a resume, bellow are shown the most relevants scconf API functions for the mapper programmer: +As a resume, below are shown the most relevants scconf API functions for the mapper programmer: const char *scconf_get_str(const scconf_block * block, const char *option, const char *default); To retrieve the string value assigned to keyword or return if keyword not found int scconf_get_int(const scconf_block * block, const char *option, int default); To retrieve the integer value assigned to keyword or return if keyword not found 
@@ -782,7 +782,7 @@ The user should not modify nor free() values returned from scconf_get_ String tools API -The string.h standard library is so powerfull. But lacks on some usefull routines. The file src/common/strings.c contains some of them, as declared at src/common/strings.h +The string.h standard library is so powerful. But lacks on some useful routines. The file src/common/strings.c contains some of them, as declared at src/common/strings.h @@ -794,7 +794,7 @@ The string.h standard library is so powerfull. But lacks on unsigned char *hex2bin(const char *hexstr); Convert a colon-separated hexadecimal string into a binary array unsigned char *hex2bin_static(const char *hexstr,unsigned char **res,int *size); Same as above, but programmer supplies pre-allocated memory space for conversion char **split(const char *str,char sep, int nelems); Splits provided string in an string array of nelems elements, using sep as character separator - char **split_static(const char *str,char sep, int nelems,char *dst); Same as above, but user provides pre-allocated buffer for storeing result + char **split_static(const char *str,char sep, int nelems,char *dst); Same as above, but user provides pre-allocated buffer for storing result char *trim(const char *str); Return an string that has all superfluous spaces trimmed. Also converts any space char ( newline, tabs, etc ) in normal " " space character @@ -802,7 +802,7 @@ The string.h standard library is so powerfull. But lacks on A note on split(), and split_static() functions. To free allocated resources, is enough to call free() on the first element of the array -Note that trim() function behaviour is different from Java or PHP counterparts, as remove ALL extra spaces, not only at the begining and at the end of string +Note that trim() function behaviour is different from Java or PHP counterparts, as remove ALL extra spaces, not only at the beginning and at the end of string See the code for further reference :-) 
@@ -812,7 +812,7 @@ See the code for further reference :-) BASE64 Encoding functions -In order to read/write public SSH keys, two funtions are provided to manage base64 encoding: +In order to read/write public SSH keys, two functions are provided to manage base64 encoding: int base64_encode(const unsigned char *in, size_t len, unsigned char *out, size_t outlen) To encode a byte array into a base64 string int base64_decode(const char *in, unsigned char *out, size_t outlen) To decode a base64 data into a byte array @@ -835,7 +835,7 @@ The basic library call is: -This function takes an argument, the X509 certificate to be inspected, and a macro that shows the certificate content to be searched. Some contents needs an aditional third parameters. When not used should be set to NULL +This function takes an argument, the X509 certificate to be inspected, and a macro that shows the certificate content to be searched. Some contents needs an additional third parameters. When not used should be set to NULL The mapper API defines following macros: @@ -853,7 +853,7 @@ The mapper API defines following macros: -Aditionally, when requesting you must provide a valid digest algorithm: "", "", "", "", "", "", "", "" or "" +Additionally, when requesting you must provide a valid digest algorithm: "", "", "", "", "", "", "", "" or "" cert_info() returns an array of up to 15 string entries, corresponding to as many entry founds in the provided certificate. Last entry in the returned array is set to NULL; 
@@ -881,10 +881,10 @@ There are two additional methods to check certificate/signatures: It's really recommended the study of provided mappers, and the comodity macros -Before start writting a new mapper, perhaps you'd better to check if there are already one mapper that performs your desired map. For instance, pwent and generic mapper can use Naming Swictch Service (NSS) to lookup pasword entries, and NSS is capable of perform some LDAP or Kerberos authentication task +Before start writing a new mapper, perhaps you'd better to check if there are already one mapper that performs your desired map. For instance, pwent and generic mapper can use Naming Swictch Service (NSS) to lookup password entries, and NSS is capable of perform some LDAP or Kerberos authentication task -Don't hessitate in use of debugging functions. They are really usefull +Don't hessitate in use of debugging functions. They are really useful It's recommended write mappers in a way that they could be statically or dynamically linked without code change, Doing so you'll make maintainer life easier :-) @@ -894,7 +894,7 @@ Also, in order to ease debugging, single field mappers is preferred over multifi Avoid write access to any global variable from the mapper code. Use comodity functions -Don't make assumptions on the code. Allways add checks. +Don't make assumptions on the code. Always add checks. Use Universal Resource Locators -and the curl library- instead of hardcoded pathnames to specify files diff --git a/doc/pam_pkcs11.xml b/doc/pam_pkcs11.xml index a073c90c..d7008c39 100644 --- a/doc/pam_pkcs11.xml +++ b/doc/pam_pkcs11.xml @@ -251,7 +251,7 @@ rpm -v -i /usr/src/redhat/RPMS/i386/pam_pkcs11-tools-X.Y-Z.i386.rpm allow an easy editing Edit and configure /etc/pam.d/xxx - entries. See instructions bellow + entries. See instructions below Use pkcs11_inspect and pklogin_finder provided tools to see if 
@@ -468,7 +468,7 @@ Certificate2 data -> login3 and returns on the first match. -As you can see bellow, mapfile specification doesn't need to be +As you can see below, mapfile specification doesn't need to be a regular file: you can retrieve data from any legal URL. Anyway, data format must be preserved. See mapfile for additional info. @@ -1637,7 +1637,7 @@ Starting pam-pkcs11-0.5.3 this module is now statical Note: newer implementations of getpwent() libraries, use an - additional Name Service Swicth (NSS) infrastructure, that + additional Name Service Switch (NSS) infrastructure, that allows administrators to specify how to obtain requested data. This means you can setup /etc/nsswitch.conf password entries to lookup in to /etc/passwd, or LDAP/Kerberos/NIS+/YP services @@ -1701,7 +1701,7 @@ The following options are recognized by ldaphost -The FQDN (hostname) oder IP-address of the ldap server. +The FQDN (hostname) or IP-address of the ldap server. @@ -1804,7 +1804,7 @@ the attribute named by the setting. filter -LDAP filter string. You can use ist to restrict +LDAP filter string. You can use it to restrict the entries returned by the LDAP server, e.g. by checking other attributes of the user entry. %s is substituted by the user name. @@ -1815,8 +1815,8 @@ LDAP entry is returned which has an objectClass "posixAccount" and the uid with the user name. IMPORTANT NOTE: The filter string -must be choosen in such a way that only one entry for the user is -returned. If an user has more certifactes than these should be +must be chosen in such a way that only one entry for the user is +returned. If an user has more certificates than these should be collected under the attribute. @@ -2085,7 +2085,7 @@ Starting pam-pkcs11-0.5.3 this module is now statical Configuration file should provide the digest algorithm. Depending on OpenSSL configuration all of listed - bellow may or not be present in your system. + below may or not be present in your system. Configuration entry: 
diff --git a/doc/pkcs11_eventmgr.1 b/doc/pkcs11_eventmgr.1 index 62bc0dbc..532381f8 100644 --- a/doc/pkcs11_eventmgr.1 +++ b/doc/pkcs11_eventmgr.1 @@ -17,7 +17,7 @@ Three events are supported: card insert, card removal and timeout on removed car Enable debugging output. Default is no debug .TP \fB[no]daemon\fR -Runs in background. If debug is unset, dettach also from tty. Default: no daemon +Runs in background. If debug is unset, detach also from tty. Default: no daemon .TP \fBpolling_time=\fR Set polling timeout in secs. Defaults to 1 sec @@ -54,7 +54,7 @@ Some apps like [\fIxscreensaver\-command\fP] may fail due to external events ( eg: try to unlock an unlocked session ). In this case, command incorrectly returns error code. .br -User shoult take care on this circumstance +User should take care on this circumstance .SH "AUTHORS" .LP Juan Antonio Martinez diff --git a/etc/pam_pkcs11.conf.example.in b/etc/pam_pkcs11.conf.example.in index 3ae668cb..464fc1ff 100644 --- a/etc/pam_pkcs11.conf.example.in +++ b/etc/pam_pkcs11.conf.example.in @@ -151,7 +151,7 @@ pam_pkcs11 { # openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys # mail - Compare email fields from certificate # ms - Use Microsoft Universal Principal Name extension - # krb - Compare againts Kerberos Principal Name + # krb - Compare against Kerberos Principal Name # cn - Compare Common Name (CN) # uid - Compare Unique Identifier # digest - Certificate digest to login (mapfile based) mapper @@ -216,7 +216,7 @@ pam_pkcs11 { # module = @libdir@/pam_pkcs11/pwent_mapper.so; } - # Null ( no map ) mapper. when user as finder matchs to NULL or "nobody" + # Null ( no map ) mapper. when user as finder matches to NULL or "nobody" mapper null { debug = false; # module = @libdir@/pam_pkcs11/null_mapper.so; 
@@ -237,7 +237,7 @@ pam_pkcs11 { # if no port is given in URI below # if empty, then 389 for TLS and 636 for SSL is used ldapport = ; - # space separted list of LDAP URIs (URIs are used by given order) + # space separated list of LDAP URIs (URIs are used by given order) URI = ""; # Scope of search: 0-2 # Default is 1 = "one", meaning the set of records one @@ -310,7 +310,7 @@ pam_pkcs11 { domainname = "domain.com"; } - # krb - Compare againts Kerberos Principal Name + # krb - Compare against Kerberos Principal Name mapper krb { debug = false; module = internal; diff --git a/pam_pkcs11.spec b/pam_pkcs11.spec index f55dbf23..1eb4e36c 100644 --- a/pam_pkcs11.spec +++ b/pam_pkcs11.spec @@ -28,7 +28,7 @@ Adittional included pam_pkcs11 related tools - pkcs11_eventmgr: Generate actions on card insert/removal/timeout events - pklogin_finder: Get the loginname that maps to a certificate - pkcs11_inspect: Inspect the contents of a certificate -- make_hash_links: create hash link directories for storeing CA's and CRL's +- make_hash_links: create hash link directories for storing CA's and CRL's %package pcsc Group: System Environment/Utilities diff --git a/src/common/cert_info.c b/src/common/cert_info.c index 738dcac5..207f9377 100644 --- a/src/common/cert_info.c +++ b/src/common/cert_info.c @@ -200,7 +200,7 @@ cert_info_upn (X509 *x509) * request info on certificate * @param x509 Certificate to parse * @param type Information to retrieve -* @param algorithm Digest algoritm to use +* @param algorithm Digest algorithm to use * @return utf-8 string array with provided information */ char **cert_info(X509 *x509, int type, ALGORITHM_TYPE algorithm ) { 
@@ -898,7 +898,7 @@ static char **cert_info_serial_number(X509 *x509) { * request info on certificate * @param x509 Certificate to parse * @param type Information to retrieve -* @param algorithm Digest algoritm to use +* @param algorithm Digest algorithm to use * @return utf-8 string array with provided information */ char **cert_info(X509 *x509, int type, const char *algorithm ) { diff --git a/src/common/cert_vfy.c b/src/common/cert_vfy.c index 82c5d0cb..0c1ce66b 100644 --- a/src/common/cert_vfy.c +++ b/src/common/cert_vfy.c @@ -269,7 +269,7 @@ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t DBG("extracting crl distribution points"); dist_points = X509_get_ext_d2i(x509, NID_crl_distribution_points, NULL, NULL); if (dist_points == NULL) { - /* if there is not crl distribution point in the certificate hava a look at the ca certificate */ + /* if there is not crl distribution point in the certificate have a look at the ca certificate */ #if (OPENSSL_VERSION_NUMBER < 0x10100000L) rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), &obj); if (rv > 0) { @@ -441,7 +441,7 @@ static X509_STORE * setup_store(cert_policy *policy) { } /* -* @return -1 on error, 0 on verify failed, 1 on verify sucess +* @return -1 on error, 0 on verify failed, 1 on verify success */ int verify_certificate(X509 * x509, cert_policy *policy) { diff --git a/src/common/cert_vfy.h b/src/common/cert_vfy.h index c068558e..27ca3c97 100644 --- a/src/common/cert_vfy.h +++ b/src/common/cert_vfy.h @@ -65,7 +65,7 @@ struct cert_policy_st { * Verify provided certificate, and if needed, CRL *@param x509 Certificate to check *@param policy CRL verify policy -*@return 1 on cert vfy sucess, 0 on fail, -1 on process error +*@return 1 on cert vfy success, 0 on fail, -1 on process error */ CERTVFY_EXTERN int verify_certificate(X509 * x509, cert_policy *policy); 
@@ -73,10 +73,10 @@ CERTVFY_EXTERN int verify_certificate(X509 * x509, cert_policy *policy); * Verify signature of provided data *@param x509 Certificate to be used *@param data Byte array of data to check -*@param data_length Lenght of provided byte array +*@param data_length Length of provided byte array *@param signature Byte array of signature to check *@param signature_length Length of signature byte array -*@return 1 on signature vfy sucess, 0 on vfy fail, -1 on process error +*@return 1 on signature vfy success, 0 on vfy fail, -1 on process error */ CERTVFY_EXTERN int verify_signature(X509 * x509, unsigned char *data, int data_length, unsigned char **signature, unsigned long *signature_length); diff --git a/src/common/pam-pkcs11-ossl-compat.h b/src/common/pam-pkcs11-ossl-compat.h index d9a3dc42..9685496d 100644 --- a/src/common/pam-pkcs11-ossl-compat.h +++ b/src/common/pam-pkcs11-ossl-compat.h @@ -29,7 +29,7 @@ extern "C" { #include #include /* - * Provide backward compatability to older versions of OpenSSL + * Provide backward compatibility to older versions of OpenSSL * while using most of OpenSSL 1.1 API */ @@ -43,7 +43,7 @@ extern "C" { * * EVP_CIPHER_CTX_new does a EVP_CIPHER_CTX_init * EVP_CIPHER_CTX_free does a EVP_CIPHER_CTX_cleanup - * EVP_CIPHER_CTX_cleanup does equivelent of a EVP_CIPHER_CTX_init + * EVP_CIPHER_CTX_cleanup does equivalent of a EVP_CIPHER_CTX_init * Use EVP_CIPHER_CTX_new, EVP_CIPHER_CTX_free, and EVP_CIPHER_CTX_cleanup between operations */ diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index 2377fdaf..b8ea6334 100644 --- a/src/common/pkcs11_lib.c +++ b/src/common/pkcs11_lib.c 
@@ -274,7 +274,7 @@ static SECMODModule *find_module_by_library(const char *pkcs11_module) /* * NSS allows you to load a specific module. If the user specified a module - * to load, load it, otherwize select on of the standard modules from the + * to load, load it, otherwise select on of the standard modules from the * secmod.db list. */ int load_pkcs11_module(const char *pkcs11_module, pkcs11_handle_t **hp) @@ -308,7 +308,7 @@ int load_pkcs11_module(const char *pkcs11_module, pkcs11_handle_t **hp) return -1; } sprintf(moduleSpec,SPEC_TEMPLATE, pkcs11_module); - DBG2("loading Module explictly, moduleSpec=<%s> module=%s", + DBG2("loading Module explicitly, moduleSpec=<%s> module=%s", moduleSpec, pkcs11_module); module = SECMOD_LoadUserModule(moduleSpec, NULL, 0); free(moduleSpec); @@ -885,7 +885,7 @@ typedef struct tuple_str tuple_str; #include "sslerr.h" const tuple_str errStrings[] = { -/* keep this list in asceding order of error numbers */ +/* keep this list in ascending order of error numbers */ #include "SSLerrs.h" #include "SECerrs.h" #include "NSPRerrs.h" @@ -1218,7 +1218,7 @@ int find_slot_by_number(pkcs11_handle_t *h, unsigned int slot_num, unsigned int for (slot_num = 0; slot_num < h->slot_count && !h->slots[slot_num].token_present; slot_num++); } else { - /* otherwize it's an index into the slot table (it is *NOT* the slot + /* otherwise it's an index into the slot table (it is *NOT* the slot * id!).... */ slot_num--; } diff --git a/src/common/rsaref/pkcs11.h b/src/common/rsaref/pkcs11.h index 9b45dd53..cfca8d7c 100644 --- a/src/common/rsaref/pkcs11.h +++ b/src/common/rsaref/pkcs11.h 
@@ -94,7 +94,7 @@ /* ============================================================== - * Define structed vector of entry points. A CK_FUNCTION_LIST + * Define structured vector of entry points. A CK_FUNCTION_LIST * contains a CK_VERSION indicating a library's Cryptoki version * and then a whole slew of function pointers to the routines in * the library. This type was declared, but not defined, in diff --git a/src/common/strings.h b/src/common/strings.h index 04d09a32..cf413a10 100644 --- a/src/common/strings.h +++ b/src/common/strings.h @@ -87,7 +87,7 @@ M_EXTERN unsigned char *hex2bin(const char *hexstr); * store result into a previously allocated space *@param hexstr String to be parsed *@param res Pointer to pre-allocated user space - *@param size Pointer to store lenght of data parsed + *@param size Pointer to store length of data parsed *@return Pointer to resulting byte array, or null on parse error */ M_EXTERN unsigned char *hex2bin_static(const char *hexstr,unsigned char **res,int *size); diff --git a/src/common/uri.c b/src/common/uri.c index 8e658840..475e6a5d 100644 --- a/src/common/uri.c +++ b/src/common/uri.c @@ -30,7 +30,7 @@ static const char *valid_urls[]= {"file:///","http://","https://","ftp://","ldap://",NULL}; /* comodity functions -Analize provided pathname and check type +Analyze provided pathname and check type Returns 1 on true, 0 on false, -1 on error */ @@ -481,7 +481,7 @@ static int get_http(uri_t *uri, unsigned char **data, size_t *length, int rec_le set_error("redirection uri is invalid that is not of the scheme http"); return -1; } - /* downlaod recursively */ + /* download recursively */ rv = get_http(ruri, data, length, ++rec_level); free_uri(ruri); free(buf); diff --git a/src/common/uri.h b/src/common/uri.h index f388d098..06a78957 100644 --- a/src/common/uri.h +++ b/src/common/uri.h 
@@ -51,7 +51,7 @@ URI_EXTERN int is_symlink(const char *path); *@param uri_str URL string where to retrieve data *@param data Pointer to a String buffer where data is retrieved *@param length Length of retrieved data -*@return -1 on error, 0 on sucess +*@return -1 on error, 0 on success */ URI_EXTERN int get_from_uri(const char *uri_str, unsigned char **data, size_t *length); diff --git a/src/mappers/ldap_mapper.c b/src/mappers/ldap_mapper.c index ab7d9063..6259a514 100644 --- a/src/mappers/ldap_mapper.c +++ b/src/mappers/ldap_mapper.c @@ -66,7 +66,7 @@ static const int LDAP_CONFIG_URI_MAX = 10; * TODO: * - Support for SASL-AUTH not included yet, I can't test it * - * - ldap_unbind (*ld) crash if you connect to a SSL port but have set TLS intead SSL + * - ldap_unbind (*ld) crash if you connect to a SSL port but have set TLS instead SSL * - no idea why!? * - you got no error-massage from your application * - believe skip ldap_unbind (*ld) for a bind handle isn't a good solution @@ -278,7 +278,7 @@ static int do_ssl_options (LDAP *ldap_connection) } } - /* where is the requiered cert */ + /* where is the required cert */ if (strncmp(tls_cert,"",1)) { rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE, @@ -548,7 +548,7 @@ static int do_open (LDAP **ld, const char* uri, int defport, ldap_ssl_options_t } /* - * add singe URI to array of uris + * add single URI to array of uris */ static int ldap_add_uri (char **uris, const char *a_uri, char **buffer, size_t *buflen) { @@ -1073,7 +1073,7 @@ static int ldap_get_certificate(const char *login, X509 *x509) { } /* Only first entry is used. "filter" and "attribute" - * should be choosen, so that only one entry with + * should be chosen, so that only one entry with * one attribute is returned */ if ( NULL == (entry = ldap_first_entry(ldap_connection, res))){ DBG("ldap_first_entry() failed"); diff --git a/src/mappers/mail_mapper.c b/src/mappers/mail_mapper.c index 29ca064b..5cafb2c3 100644 --- a/src/mappers/mail_mapper.c 
+++ b/src/mappers/mail_mapper.c @@ -44,7 +44,7 @@ /* where to retrieve aliases file ( email -> login pairs ) */ static const char *mapfile = "none"; -/* ignore upper/lowercase in email comparisions */ +/* ignore upper/lowercase in email comparisons */ static int ignorecase = 1; /* also check the domain part on email field */ @@ -185,7 +185,7 @@ mapper_module * mail_mapper_module_init(scconf_block *blk,const char *mapper_nam /* obtain and store hostname */ /* Note: in some systems without nis/yp, getdomainname() call returns NULL. So instead we use gethostname() an match - mail domain by mean strstr() funtion */ + mail domain by mean strstr() function */ if (!ignoredomain) { hostname= calloc(256,sizeof(char)); if (!hostname) { diff --git a/src/mappers/mapper.h b/src/mappers/mapper.h index c2cd3f51..1b1f88b2 100644 --- a/src/mappers/mapper.h +++ b/src/mappers/mapper.h @@ -65,9 +65,9 @@ struct mapfile { const char *uri; /** buffer to content of mapfile */ char *buffer; - /** lenght of buffer */ + /** length of buffer */ size_t length; - /** pointer to last readed entry in buffer */ + /** pointer to last read entry in buffer */ char *pt; /** key entry in current buffer */ char *key; @@ -110,7 +110,7 @@ MAPPER_EXTERN struct mapfile *set_mapent(const char *uri); /** * Retrieve next entry of given map file *@param mfile Map file entry pointer -*@return 1 on sucess, 0 on no more entries, -1 on error +*@return 1 on success, 0 on no more entries, -1 on error */ MAPPER_EXTERN int get_mapent(struct mapfile *mfile); 
@@ -145,7 +145,7 @@ MAPPER_EXTERN int mapfile_match(const char *file,char *key,const char *value,int /** * find the user login that matches pw_name or pw_gecos with provided item *@param item Data to be searched from password database -*@param ignorecase Flag to check upper/lowercase in string comparisions +*@param ignorecase Flag to check upper/lowercase in string comparisons *@return userlogin if match found, else NULL */ MAPPER_EXTERN char *search_pw_entry(const char *item, int ignorecase); @@ -154,7 +154,7 @@ MAPPER_EXTERN char *search_pw_entry(const char *item, int ignorecase); * Test if provided item matches pw_name or pw_gecos of provided password structure *@param item String to be compared *@param pw password entry to search into -*@param ignorecase Flag to check upper/lowercase in string comparisions +*@param ignorecase Flag to check upper/lowercase in string comparisons *@return 1 on match, 0 on no match, -1 on error */ MAPPER_EXTERN int compare_pw_entry(const char *item, struct passwd *pw,int ignorecase); diff --git a/src/mappers/null_mapper.c b/src/mappers/null_mapper.c index 2be51933..a6bb85d8 100644 --- a/src/mappers/null_mapper.c +++ b/src/mappers/null_mapper.c @@ -36,7 +36,7 @@ /* * A blind mapper: just read from config default value -* and return it withouth further checking +* and return it without further checking */ static const char *default_user = "nobody"; diff --git a/src/pam_pkcs11/mapper_mgr.h b/src/pam_pkcs11/mapper_mgr.h index 6bf05649..c4fafa3b 100644 --- a/src/pam_pkcs11/mapper_mgr.h +++ b/src/pam_pkcs11/mapper_mgr.h @@ -89,7 +89,7 @@ char * find_user(X509 *x509); int match_user(X509 *x509, const char *login); /* -* This funcions goest throught the mapper list +* This functions goes through the mapper list * and trying to get the certificate strings to be used on each * module to perform find/match functions. * No map / match are done: just print found strings on stdout. 
diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index e4bc49ad..980880de 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c @@ -495,7 +495,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons } /* call pkcs#11 login to ensure that the user is the real owner of the card - * we need to do thise before get_certificate_list because some tokens + * we need to do this before get_certificate_list because some tokens * can not read their certificates until the token is authenticated */ rv = pkcs11_login(ph, password); diff --git a/src/scconf/README.scconf b/src/scconf/README.scconf index f30e3823..16537894 100644 --- a/src/scconf/README.scconf +++ b/src/scconf/README.scconf @@ -18,7 +18,7 @@ It isn't It doesn't have - anything else but data. No locking, no threads etc. -It has heirarchical data blocks, it has lists. +It has hierarchical data blocks, it has lists. Similar, but different: - .ini files. scconf is block structured, has lists and arrays @@ -132,9 +132,9 @@ const scconf_block *scconf_find_block(const scconf_context * config, const scconf_block * block, const char *item_name); This finds a block in the given context. This function doesn't descend -the heirarchy, it only finds blocks in the top level of either +the hierarchy, it only finds blocks in the top level of either the context (the root block) or of the block given in the block -paramter (if not NULL). +parameter (if not NULL). The block pointer returned points to data held by the context, hence the const qualifier. diff --git a/src/tools/card_eventmgr.c b/src/tools/card_eventmgr.c index c4744e35..e21c89d7 100644 --- a/src/tools/card_eventmgr.c +++ b/src/tools/card_eventmgr.c @@ -70,7 +70,7 @@ char AraKiri = FALSE; static void thats_all_folks(void) { int rv; - DBG("Exitting"); + DBG("Exiting"); /* We try to leave things as clean as possible */ rv = SCardReleaseContext(hContext); if (rv != SCARD_S_SUCCESS) { 
@@ -139,7 +139,7 @@ static int execute_event (const char *action) { while (actionlist) { int res; char *action_cmd= actionlist->data; - DBG1("Executiong action: '%s'",action_cmd); + DBG1("Executing action: '%s'",action_cmd); /* there are some security issues on using system() in setuid/setgid programs. so we will use an alternate function diff --git a/src/tools/pkcs11_eventmgr.c b/src/tools/pkcs11_eventmgr.c index a7e07d00..a93883cd 100644 --- a/src/tools/pkcs11_eventmgr.c +++ b/src/tools/pkcs11_eventmgr.c @@ -96,7 +96,7 @@ struct pkcs11_handle_str static void thats_all_folks(void) { int rv; - DBG("Exitting"); + DBG("Exiting"); #ifdef HAVE_NSS if (module) { @@ -203,7 +203,7 @@ static int execute_event(const char *action) { int res; char *action_cmd = actionlist->data; - DBG1("Executiong action: '%s'", action_cmd); + DBG1("Executing action: '%s'", action_cmd); /* there are some security issues on using system() in setuid/setgid programs. so we will use an alternate function @@ -484,7 +484,7 @@ int main(int argc, char *argv[]) return 1; } sprintf(moduleSpec, SPEC_TEMPLATE, pkcs11_module); - DBG2("loading Module explictly, moduleSpec=<%s> module=%s\n", + DBG2("loading Module explicitly, moduleSpec=<%s> module=%s\n", moduleSpec, pkcs11_module); module = SECMOD_LoadUserModule(moduleSpec, NULL, 0); free(moduleSpec); From 85c5b9707b2dfc0c4c4a37be0ec06ad9ec7fc1d1 Mon Sep 17 00:00:00 2001 From: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com> Date: Wed, 15 Sep 2021 21:15:17 +0200 Subject: [PATCH 076/111] Add codespell to CI to find typos early --- .github/workflows/codespell.yml | 18 ++++++++++++++++++ codespell_ignore_words.txt | 5 +++++ 2 files changed, 23 insertions(+) create mode 100644 .github/workflows/codespell.yml create mode 100644 codespell_ignore_words.txt diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml new file mode 100644 index 00000000..982d785b --- /dev/null +++ b/.github/workflows/codespell.yml 
@@ -0,0 +1,18 @@ +--- +name: Codespell + +on: + pull_request: + push: + +jobs: + codespell: + name: Check for spelling errors + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + - uses: codespell-project/actions-codespell@master + with: + skip: *.po,base64.*,SSLerrs.h + ignore_words_file: codespell_ignore_words.txt diff --git a/codespell_ignore_words.txt b/codespell_ignore_words.txt new file mode 100644 index 00000000..abda4ff1 --- /dev/null +++ b/codespell_ignore_words.txt @@ -0,0 +1,5 @@ +ba +gord +parm +parms +pres From d09ae6efb672dba32e772a176abec20eb8979cbb Mon Sep 17 00:00:00 2001 From: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com> Date: Wed, 15 Sep 2021 21:28:32 +0200 Subject: [PATCH 077/111] Fix LGTM.com errors Wrong type of arguments to formatting function --- src/common/pkcs11_lib.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index 2377fdaf..e20f882f 100644 --- a/src/common/pkcs11_lib.c +++ b/src/common/pkcs11_lib.c @@ -1567,7 +1567,7 @@ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) /* allocate enough space */ id_value = malloc(cert_template[2].ulValueLen); if (id_value == NULL) { - set_error("CertID malloc(%d): not enough free memory available", cert_template[2].ulValueLen); + set_error("CertID malloc(%ul): not enough free memory available", cert_template[2].ulValueLen); goto getlist_error; } /* read cert id into allocated space */ @@ -1591,7 +1591,7 @@ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) /* allocate enough space */ cert_value = malloc(cert_template[3].ulValueLen); if (cert_value == NULL) { - set_error("Cert Length malloc(%d): not enough free memory available", cert_template[3].ulValueLen); + set_error("Cert Length malloc(%ul): not enough free memory available", cert_template[3].ulValueLen); goto getlist_error; } /* read certificate into allocated space */ 
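Review bot: The `skip:` value in the new workflow begins with `*`, which YAML treats as an alias indicator rather than the start of a plain scalar, so the file is likely to be rejected by the parser before the action ever runs; quote it: `skip: "*.po,base64.*,SSLerrs.h"`. The step also pulls third-party code from a moving branch, `codespell-project/actions-codespell@master`, and `actions/checkout@v2` from a mutable tag; anything that executes on every push should be pinned to a release tag or, better, a full commit SHA so an upstream change cannot silently alter what runs in CI. Adding a top-level `permissions: contents: read` would keep the default token to the minimum this job needs.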
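Review bot: `%ul` in both new set_error() calls (`CertID malloc(%ul)` in the -1567 hunk and `Cert Length malloc(%ul)` in the -1591 hunk) is not a long conversion: printf parses it as `%u` followed by a literal `l`, so the CK_ULONG argument is still consumed as an unsigned int and the message gains a stray trailing `l`. The conversion for unsigned long is `%lu`: `set_error("CertID malloc(%lu): not enough free memory available", cert_template[2].ulValueLen);` and the same for the second call. The `0x%08lX` used in the -1793 hunk is the correct form. Both hunks lie inside get_certificate_list, whose body continues outside them.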
@@ -1793,7 +1793,7 @@ int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data, #endif break; default: - set_error("unsupported private key type 0x%08X", cert->key_type); + set_error("unsupported private key type 0x%08lX", cert->key_type); return -1; } /* compute hash-value */ From dfe124c0be7ef1fab8389aaab4cf0407c75d2ab5 Mon Sep 17 00:00:00 2001 From: krolikov Date: Tue, 22 Mar 2022 21:30:19 +0300 Subject: [PATCH 078/111] Making changes to pkcs11_make_hash_link to support whitespaces in file names --- tools/pkcs11_make_hash_link | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tools/pkcs11_make_hash_link b/tools/pkcs11_make_hash_link index a3175e54..17743252 100755 --- a/tools/pkcs11_make_hash_link +++ b/tools/pkcs11_make_hash_link @@ -50,6 +50,11 @@ then exit -1 fi # process all files + +#change IFS to be able to loop through files with whitespaces in file names +OLD_IFS=$IFS +IFS=$'\n' + for file in *; do hash=`$OPENSSL x509 -inform pem -in $file -noout -hash 2> /dev/null` if [ ! -z "$hash" ]; then @@ -86,4 +91,7 @@ for file in *; do echo "we got a problem with: $file" done +#restore previous IFS value +IFS=$OLD_IFS + exit 0 From c886c4cc7f1a4a76fdccda6c50a1e45bd108ee47 Mon Sep 17 00:00:00 2001 From: krolikov Date: Thu, 7 Apr 2022 14:33:35 +0300 Subject: [PATCH 079/111] Change IFS variable inside a subshell to accomodate for whitespaces in file names --- tools/pkcs11_make_hash_link | 69 ++++++++++++++++++------------------- 1 file changed, 33 insertions(+), 36 deletions(-) diff --git a/tools/pkcs11_make_hash_link b/tools/pkcs11_make_hash_link index 17743252..d1bde36c 100755 --- a/tools/pkcs11_make_hash_link +++ b/tools/pkcs11_make_hash_link 
@@ -51,47 +51,44 @@ then fi # process all files -#change IFS to be able to loop through files with whitespaces in file names -OLD_IFS=$IFS -IFS=$'\n' +( + IFS=$'\n' -for file in *; do - hash=`$OPENSSL x509 -inform pem -in $file -noout -hash 2> /dev/null` - if [ ! -z "$hash" ]; then - is_ca=`$OPENSSL x509 -inform pem -in $file -noout -text | grep 'CA:TRUE'` - if [ ! -z "$is_ca" ]; then - hash=$hash. + for file in *; do + hash=`$OPENSSL x509 -inform pem -in $file -noout -hash 2> /dev/null` + if [ ! -z "$hash" ]; then + is_ca=`$OPENSSL x509 -inform pem -in $file -noout -text | grep 'CA:TRUE'` + if [ ! -z "$is_ca" ]; then + hash=$hash. + mk_link + fi + continue + fi + hash=`$OPENSSL x509 -inform der -in $file -noout -hash 2> /dev/null` + if [ ! -z "$hash" ]; then + is_ca=`$OPENSSL x509 -inform der -in $file -noout -text | grep 'CA:TRUE'` + if [ ! -z "$is_ca" ]; then + hash=$hash. + mk_link + fi + continue + fi + hash=`$OPENSSL crl -inform pem -in $file -noout -hash 2> /dev/null` + if [ ! -z "$hash" ]; then + hash=$hash.r mk_link + continue fi - continue - fi - hash=`$OPENSSL x509 -inform der -in $file -noout -hash 2> /dev/null` - if [ ! -z "$hash" ]; then - is_ca=`$OPENSSL x509 -inform der -in $file -noout -text | grep 'CA:TRUE'` - if [ ! -z "$is_ca" ]; then - hash=$hash. + hash=`$OPENSSL crl -inform der -in $file -noout -hash 2> /dev/null` + if [ ! -z "$hash" ]; then + hash=$hash.r mk_link + continue fi - continue - fi - hash=`$OPENSSL crl -inform pem -in $file -noout -hash 2> /dev/null` - if [ ! -z "$hash" ]; then - hash=$hash.r - mk_link - continue - fi - hash=`$OPENSSL crl -inform der -in $file -noout -hash 2> /dev/null` - if [ ! -z "$hash" ]; then - hash=$hash.r - mk_link - continue - fi - # nothing can be done with the file - echo "we got a problem with: $file" -done - -#restore previous IFS value -IFS=$OLD_IFS + # nothing can be done with the file + echo "we got a problem with: $file" + done +) exit 0 
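Review bot: Wrapping the loop in a subshell with `IFS=$'\n'` only masks the real problem, which is that `$file` is expanded unquoted in every `$OPENSSL ... -in $file` command substitution and in the final echo: results of `for file in *` are never word-split, so the IFS change is irrelevant to the loop itself, and an unquoted `$file` still undergoes pathname expansion (a name containing `*` or `?` re-expands) whatever IFS is. Quote each use instead, e.g. `-in "$file"` in the four command substitutions and `echo "we got a problem with: $file"`, after which the subshell and the IFS trick are unnecessary. mk_link is defined outside this hunk and reads `$hash` and, presumably, `$file` as globals, so it needs the same quoting check.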
From cf14bf97c55a8c442d46d1f4970922049a2b8652 Mon Sep 17 00:00:00 2001 From: Bowb <6180319+bowb@users.noreply.github.com> Date: Tue, 7 Jun 2022 12:46:39 -0600 Subject: [PATCH 080/111] Update mapper.c Check if *from has value before passing to strchr --- src/mappers/mapper.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/mappers/mapper.c b/src/mappers/mapper.c index 3c245fd0..759923c2 100644 --- a/src/mappers/mapper.c +++ b/src/mappers/mapper.c @@ -84,6 +84,7 @@ int get_mapent(struct mapfile *mfile) { from = mfile->pt; /* set up pointer */ while( *from && isspace(*from) ) from++; + if(!*from) return 0; to = strchr(from,'\n'); /* if no newline, assume string ends at end of buffer */ if (!to) to=mfile->buffer+mfile->length; From d1fc946597207750b9d5a93a63ebb77c7c343967 Mon Sep 17 00:00:00 2001 From: Truman H Lackey Date: Wed, 8 Jun 2022 19:30:10 -0600 Subject: [PATCH 081/111] cleanup memory leaks. --- src/common/pkcs11_lib.c | 6 ++++- src/mappers/mapper.c | 8 +++++-- src/mappers/subject_mapper.c | 8 +++++-- src/pam_pkcs11/mapper_mgr.c | 3 +++ src/pam_pkcs11/pam_config.c | 8 +++++++ src/pam_pkcs11/pam_config.h | 1 + src/pam_pkcs11/pam_pkcs11.c | 45 ++++++++++++++++++++++++++++-------- 7 files changed, 64 insertions(+), 15 deletions(-) diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index 2377fdaf..c11f4c95 100644 --- a/src/common/pkcs11_lib.c +++ b/src/common/pkcs11_lib.c @@ -1585,6 +1585,7 @@ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) cert_template[3].pValue = NULL; rv = h->fl->C_GetAttributeValue(h->session, object, cert_template, 4); if (rv != CKR_OK) { + free(id_value); set_error("Cert Length: C_GetAttributeValue() failed: %i", rv); goto getlist_error; } 
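Review bot: The new `if(!*from) return 0;` still assumes mfile->buffer is NUL-terminated, as does the whitespace loop before it, while the line after it explicitly allows for a buffer that is not (`if (!to) to=mfile->buffer+mfile->length;`); if the loader that fills buffer (not visible here) returns exactly `length` bytes with no terminator, both reads run past the end. Bounding the scan makes the guard safe either way: `char *end = mfile->buffer + mfile->length; while (from < end && isspace((unsigned char)*from)) from++;` followed by `if (from >= end || *from == '\0') return 0;`, with the strchr on the next line becoming `memchr(from, '\n', end - from)`. The `(unsigned char)` cast also removes the undefined behaviour of passing a negative `char` to isspace(). get_mapent starts before and ends after this hunk.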
@@ -1598,6 +1599,7 @@ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) cert_template[3].pValue = cert_value; rv = h->fl->C_GetAttributeValue(h->session, object, cert_template, 4); if (rv != CKR_OK) { + free(id_value); free(cert_value); set_error("Cert Value: C_GetAttributeValue() failed: %i", rv); goto getlist_error; @@ -1613,6 +1615,7 @@ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) set_error("d2i_x509() failed: %s", ERR_error_string(ERR_get_error(), NULL)); goto getlist_error; } + free(cert_value); /* finally add certificate to chain */ certs= realloc(h->certs,(h->cert_count+1) * sizeof(cert_object_t *)); if (!certs) { @@ -1628,7 +1631,7 @@ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) DBG1("- id: %02x", id_value[0]); h->certs[h->cert_count] = (cert_object_t *)calloc(sizeof(cert_object_t),1); if (h->certs[h->cert_count] == NULL) { - free(id_value); + free(id_value); X509_free(x509); set_error("malloc() not space to allocate cert object"); goto getlist_error; @@ -1648,6 +1651,7 @@ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) if (rv != CKR_OK) { set_error("C_FindObjectsFinal() failed: %i", rv); free_certs(certs, h->cert_count); + free(id_value); certs = NULL; h->certs = NULL; h->cert_count = 0; diff --git a/src/mappers/mapper.c b/src/mappers/mapper.c index 3c245fd0..331b905c 100644 --- a/src/mappers/mapper.c +++ b/src/mappers/mapper.c @@ -84,6 +84,7 @@ int get_mapent(struct mapfile *mfile) { from = mfile->pt; /* set up pointer */ while( *from && isspace(*from) ) from++; + if(!*from) return 0; to = strchr(from,'\n'); /* if no newline, assume string ends at end of buffer */ if (!to) to=mfile->buffer+mfile->length; 
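Review bot: The `free(cert_value)` added after the d2i_X509 check covers only the success path; on the `d2i_x509() failed` branch two lines above it, both cert_value and id_value are still leaked on the jump to getlist_error, which is exactly the pattern the -1585 and -1598 hunks of this commit fix for the C_GetAttributeValue failures. Add `free(id_value); free(cert_value);` before that `goto getlist_error;`, or move the new `free(cert_value)` ahead of the check, since d2i_X509 has already consumed the DER buffer by then. Whether getlist_error itself releases anything is not visible here; if it does, these per-branch frees should be reconciled with it rather than duplicated.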
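Review bot: The `free(id_value)` added after `free_certs(certs, h->cert_count)` in the C_FindObjectsFinal error path looks like a double free: at that point id_value is the id of the last certificate appended in the loop above, and if the loop stored that pointer in the cert object (the assignment is outside the visible lines, but `DBG1("- id: %02x", id_value[0])` right before the calloc suggests it) then free_certs has already released it. If id_value is instead copied into the object, the leak exists on every iteration, not only the last. Either way, set `id_value = NULL` once ownership moves into the cert object and free only a non-NULL id_value on the error paths, so the same line is correct on both branches.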
@@ -128,9 +129,12 @@ void end_mapent(struct mapfile *mfile) { if (!mfile) return; /* don't free uri: is a scconf provided "const char *" */; /* free (mfile->uri); */ - /* don't free key/value: they are pointers to somewhere in buffer */ + /* don't free value: they are pointers to somewhere in buffer */ /* free (mfile->value); */ - /* free (mfile->key); */ + if(mfile->key) { + free (mfile->key); + mfile->key = NULL; + } free (mfile->buffer); free(mfile); return; diff --git a/src/mappers/subject_mapper.c b/src/mappers/subject_mapper.c index a3e54772..497290d6 100644 --- a/src/mappers/subject_mapper.c +++ b/src/mappers/subject_mapper.c @@ -62,11 +62,15 @@ static char * subject_mapper_find_user(X509 *x509, void *context, int *match) { DBG("X509_get_subject_name failed"); return NULL; } - return mapfile_find(filename,entries[0],ignorecase,match); + char* val = mapfile_find(filename,entries[0],ignorecase,match); + if(entries[0]) { + free(entries[0]); + } + return val; } /* -* parses the certificate and try to macth Subject in the certificate +* parses the certificate and try to match Subject in the certificate * with provided user */ static int subject_mapper_match_user(X509 *x509, const char *login, void *context) { diff --git a/src/pam_pkcs11/mapper_mgr.c b/src/pam_pkcs11/mapper_mgr.c index edcbb760..f7c78ac4 100644 --- a/src/pam_pkcs11/mapper_mgr.c +++ b/src/pam_pkcs11/mapper_mgr.c @@ -147,6 +147,9 @@ void unload_module( struct mapper_instance *module ) { } else {/* static mapper module */ DBG1("Module %s is static: don't remove",module->module_name); } + if(module->module_data) { + free(module->module_data); + } module->module_data=NULL; /* don't free name and libname: they are elements of scconf tree */ diff --git a/src/pam_pkcs11/pam_config.c b/src/pam_pkcs11/pam_config.c index 96e2a3f6..034bcb05 100644 --- a/src/pam_pkcs11/pam_config.c +++ b/src/pam_pkcs11/pam_config.c 
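Review bot: Freeing `mfile->key` contradicts the comment this hunk edits, which until now said key and value are pointers into buffer, and nothing in this commit's get_mapent hunk changes how key is assigned; if key still points into mfile->buffer, `free(mfile->key)` releases an interior pointer and corrupts the heap. Confirm in get_mapent (outside this hunk) that key is allocated separately, and state it in the comment, e.g. `/* key is allocated by get_mapent; value still points into buffer */`. The `if(mfile->key)` guard is redundant since free(NULL) is a no-op, and `mfile->key = NULL` is dead because mfile itself is freed on the next line.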
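Review bot: Only `entries[0]` is released after mapfile_find, while the cert_info() contract documented earlier in this series returns an array of up to 15 strings terminated by NULL; if cert_info can return more than one subject string the rest still leak, so walking `entries` up to the NULL terminator would match the API. The sibling subject_mapper_match_user, whose body is outside this hunk, presumably obtains `entries` the same way, and the diffstat (6 insertions, 2 deletions, all visible here) shows it is untouched, so the same leak likely remains there. The `if(entries[0])` guard is redundant, and `char* val` declared mid-block departs from the declare-at-block-start style the rest of the function uses.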
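Review bot: Unconditionally freeing `module->module_data` in unload_module assumes every mapper's init returned a heap pointer that nothing else owns; if the mapper interface carries a per-module deinit hook (not visible here) and any mapper, the static `internal` ones in particular, frees its context there or returns a pointer to static storage, this becomes a double free or an invalid free. Check each mapper's init/deinit before keeping this and document the rule in a comment, e.g. `/* module_data is malloc'ed by the mapper's init and freed here; deinit must not free it */`. The `if(module->module_data)` guard is redundant.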
@@ -369,3 +369,11 @@ struct configuration_st *pk_configure( int argc, const char **argv ) { return &configuration; } + +void configure_free(struct configuration_st *pk_configure){ + if(!pk_configure) return; + + if(pk_configure->ctx) { + scconf_free(pk_configure->ctx); + } +} diff --git a/src/pam_pkcs11/pam_config.h b/src/pam_pkcs11/pam_config.h index cf4e0896..28dc24f5 100644 --- a/src/pam_pkcs11/pam_config.h +++ b/src/pam_pkcs11/pam_config.h @@ -49,5 +49,6 @@ struct configuration_st { }; struct configuration_st *pk_configure( int argc, const char **argv ); +void configure_free(struct configuration_st *pk_configure); #endif diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index e4bc49ad..23f1e179 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c @@ -33,6 +33,7 @@ #ifdef OPENPAM #include #endif +#include #include #include #include @@ -185,13 +186,15 @@ static int pam_get_pwd(pam_handle_t *pamh, char **pwd, char *text, int oitem, in if ((conv == NULL) || (conv->conv == NULL)) return PAM_CRED_INSUFFICIENT; rv = conv->conv(1, msgp, &resp, conv->appdata_ptr); - if (rv != PAM_SUCCESS) - return rv; - if ((resp == NULL) || (resp[0].resp == NULL)) - return PAM_CRED_INSUFFICIENT; + if (rv != PAM_SUCCESS) goto pwd_exit; + if ((resp == NULL) || (resp[0].resp == NULL)) { + rv = PAM_CRED_INSUFFICIENT; + goto pwd_exit; + } *pwd = strdup(resp[0].resp); /* overwrite memory and release it */ cleanse(resp[0].resp, strlen(resp[0].resp)); + free(resp[0].resp); free(&resp[0]); /* save password if variable nitem is set */ if ((nitem == PAM_AUTHTOK) || (nitem == PAM_OLDAUTHTOK)) { 
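Review bot: In the pam_config.c hunk the parameter of `configure_free` is named `pk_configure`, which is also the name of the function defined directly above it; inside the new function that name now means the pointer, which reads confusingly and trips -Wshadow. Rename it, `void configure_free(struct configuration_st *cfg)`. Note also that `pk_configure` returns the address of a static `configuration`, so after `scconf_free(pk_configure->ctx)` the static still holds the freed `ctx`; the `ctx = NULL` that patch 082 adds belongs in this commit, which introduces the function.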
@@ -201,13 +204,21 @@ static int pam_get_pwd(pam_handle_t *pamh, char **pwd, char *text, int oitem, in } return PAM_SUCCESS; } - return PAM_CRED_INSUFFICIENT; +pwd_exit: + if(NULL != resp[0].resp) { + cleanse(resp[0].resp, strlen(resp[0].resp)); + free(resp[0].resp); + } + if(NULL != &resp[0]) { + free(&resp[0]); + } + return rv; } PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { int i, rv; - const char *user = NULL; + char *user = NULL; char *password; unsigned int slot_num = 0; int is_a_screen_saver = 0; @@ -248,11 +259,11 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons /* Either slot_description or slot_num, but not both, needs to be used */ if ((configuration->slot_description != NULL && configuration->slot_num != -1) || (configuration->slot_description == NULL && configuration->slot_num == -1)) { ERR("Error setting configuration parameters"); + configure_free(configuration); return PAM_AUTHINFO_UNAVAIL; } login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME"); - /* * card_only means: restrict the authentication to token only if * the user has already authenticated by the token. @@ -302,23 +313,28 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons ERR1("Remote login (from %s) is not (yet) supported", display); pam_syslog(pamh, LOG_ERR, "Remote login (from %s) is not (yet) supported", display); + configure_free(configuration); return pkcs11_pam_fail; } } } - /* init openssl */ rv = crypto_init(&configuration->policy); if (rv != 0) { ERR("Failed to initialize crypto"); if (!configuration->quiet) pam_syslog(pamh,LOG_ERR, "Failed to initialize crypto"); + configure_free(configuration); return pkcs11_pam_fail; } + bool user_set_pam = false; /* look to see if username is already set */ pam_get_item(pamh, PAM_USER, (const void **) &user); if (user) { + if ( !is_spaced_str(user) ) { + user_set_pam = true; + } DBG1("explicit username = [%s]", user); } 
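Review bot: At `pwd_exit` the new cleanup reads `resp[0].resp` before checking `resp` itself, but the first `goto pwd_exit` in the `@@ -185` hunk is taken when `resp == NULL`, and the earlier one is taken when the conversation failed, in which case `resp` may never have been set (its initialisation is outside the hunk); both reach a NULL dereference. `NULL != &resp[0]` is always true, so the second guard protects nothing, and `free(&resp[0])` is just `free(resp)`. Initialise `resp` to NULL at its declaration and make the cleanup conditional on `resp`:
```c
pwd_exit:
    if (resp != NULL) {
        if (resp[0].resp != NULL) {
            cleanse(resp[0].resp, strlen(resp[0].resp));
            free(resp[0].resp);
        }
        free(resp);
    }
    return rv;
```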
@@ -340,8 +356,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2302: PKCS#11 module failed loading")); sleep(configuration->err_display_time); } + configure_free(configuration); return pkcs11_pam_fail; - } + } /* initialise pkcs #11 module */ DBG("initialising pkcs #11 module..."); @@ -354,6 +371,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2304: PKCS#11 module could not be initialized")); sleep(configuration->err_display_time); } + configure_free(configuration); return pkcs11_pam_fail; } @@ -429,6 +447,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons sleep(configuration->err_display_time); } release_pkcs11_module(ph); + configure_free(configuration); return pkcs11_pam_fail; } @@ -586,6 +605,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons DBG1("certificate is valid and matches user %s",user); /* try to set up PAM user entry with evaluated value */ rv = pam_set_item(pamh, PAM_USER,(const void *)user); + free( user ); if (rv != PAM_SUCCESS) { ERR1("pam_set_item() failed %s", pam_strerror(pamh, rv)); if (!configuration->quiet) { @@ -787,9 +807,13 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons release_pkcs11_module(ph); DBG("authentication succeeded"); + configure_free(configuration); return PAM_SUCCESS; auth_failed: + if( !user_set_pam && user ) { + free( user ); + } unload_mappers(); close_pkcs11_session(ph); release_pkcs11_module(ph); @@ -797,7 +821,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons cleanse( password, strlen(password) ); free( password ); } - + configure_free(configuration); if (PAM_IGNORE == pkcs11_pam_fail) goto exit_ignore; else 
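Review bot: The `free( user )` added after `pam_set_item` in the `@@ -586` hunk and the `if( !user_set_pam && user ) free( user );` at `auth_failed` both treat `user` as heap memory owned by this module, yet the same variable is filled by `pam_get_item(pamh, PAM_USER, ...)` in the `@@ -302` hunk, whose item is owned by libpam (changing the declaration to `char *user` only casts that ownership away). When PAM supplies a blank user name, `is_spaced_str` leaves `user_set_pam` false while `user` still points at libpam's buffer, so any `goto auth_failed` taken before `user` is reassigned frees memory this module does not own; whether the `@@ -586` free can be reached with the PAM-owned pointer depends on code outside the hunks. Keep the two owners apart: leave `const char *user` for the PAM item and hold the mapper result in a separate `char *mapped_user = NULL;` that is freed unconditionally at `auth_failed` and after `pam_set_item`.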
@@ -806,6 +830,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons exit_ignore: pam_prompt( pamh, PAM_TEXT_INFO, NULL, _("Smartcard authentication cancelled") ); + configure_free(configuration); return PAM_IGNORE; } From f8e7d85aa3ca4fd2e2a8c2dfe601d1224debe372 Mon Sep 17 00:00:00 2001 From: bowb <6180319+bowb@users.noreply.github.com> Date: Thu, 9 Jun 2022 12:13:23 -0600 Subject: [PATCH 082/111] memory leak fixes. --- src/mappers/mapper.c | 10 +++++++--- src/pam_pkcs11/pam_config.c | 1 + src/pam_pkcs11/pam_pkcs11.c | 15 ++++++--------- 3 files changed, 14 insertions(+), 12 deletions(-) diff --git a/src/mappers/mapper.c b/src/mappers/mapper.c index 331b905c..a36b8072 100644 --- a/src/mappers/mapper.c +++ b/src/mappers/mapper.c @@ -83,8 +83,12 @@ int get_mapent(struct mapfile *mfile) { /* get a line from buffer */ from = mfile->pt; /* set up pointer */ - while( *from && isspace(*from) ) from++; - if(!*from) return 0; + while( *from && isspace(*from)){ + if(from - mfile->buffer + 1 >= mfile->length){ + return 0; + } + from++; + } to = strchr(from,'\n'); /* if no newline, assume string ends at end of buffer */ if (!to) to=mfile->buffer+mfile->length; @@ -185,7 +189,7 @@ char *mapfile_find(const char *file, char *key, int icase, int *match) { char *res=clone_str(mfile->value); DBG2("Found mapfile match '%s' -> '%s'",key,mfile->value); end_mapent(mfile); - *match = 1; + *match = 1; return res; } } diff --git a/src/pam_pkcs11/pam_config.c b/src/pam_pkcs11/pam_config.c index 034bcb05..5f8f4639 100644 --- a/src/pam_pkcs11/pam_config.c +++ b/src/pam_pkcs11/pam_config.c @@ -375,5 +375,6 @@ void configure_free(struct configuration_st *pk_configure){ if(pk_configure->ctx) { scconf_free(pk_configure->ctx); + pk_configure->ctx = NULL; } } diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index 23f1e179..8710d1ee 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c 
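Review bot: The rewritten whitespace loop in the mapper.c hunk drops the `if(!*from) return 0;` that used to follow it, so when the scan stops on a NUL terminator before `mfile->length` the function now continues into `strchr` and treats that position as a line instead of reporting end of input; keep the check after the loop. The bound `from - mfile->buffer + 1 >= mfile->length` compares a signed ptrdiff_t with whatever type `length` has (declared outside the hunk); if that is size_t the comparison is done unsigned, so make it explicit, `(size_t)(from - mfile->buffer) + 1 >= mfile->length`. `isspace(*from)` on a plain `char` is undefined for bytes above 0x7f where char is signed, and map files are arbitrary bytes, so write `isspace((unsigned char)*from)`. Patch 083 re-applies this identical hunk, so the same fixes apply there.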
@@ -33,7 +33,6 @@ #ifdef OPENPAM #include #endif -#include #include #include #include @@ -219,7 +218,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons { int i, rv; char *user = NULL; - char *password; + char *password = NULL; unsigned int slot_num = 0; int is_a_screen_saver = 0; struct configuration_st *configuration; @@ -328,13 +327,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons return pkcs11_pam_fail; } - bool user_set_pam = false; /* look to see if username is already set */ pam_get_item(pamh, PAM_USER, (const void **) &user); if (user) { - if ( !is_spaced_str(user) ) { - user_set_pam = true; - } DBG1("explicit username = [%s]", user); } @@ -606,6 +601,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons /* try to set up PAM user entry with evaluated value */ rv = pam_set_item(pamh, PAM_USER,(const void *)user); free( user ); + user = NULL; if (rv != PAM_SUCCESS) { ERR1("pam_set_item() failed %s", pam_strerror(pamh, rv)); if (!configuration->quiet) { @@ -808,12 +804,11 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons DBG("authentication succeeded"); configure_free(configuration); + configuration = NULL; return PAM_SUCCESS; auth_failed: - if( !user_set_pam && user ) { - free( user ); - } + unload_mappers(); close_pkcs11_session(ph); release_pkcs11_module(ph); @@ -822,6 +817,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons free( password ); } configure_free(configuration); + configuration = NULL; if (PAM_IGNORE == pkcs11_pam_fail) goto exit_ignore; else @@ -831,6 +827,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons pam_prompt( pamh, PAM_TEXT_INFO, NULL, _("Smartcard authentication cancelled") ); configure_free(configuration); + configuration = NULL; return PAM_IGNORE; } From db03519dcd8de95538074da06260636003c23ce6 Mon Sep 17 00:00:00 2001 
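Review bot: The `auth_failed` hunk removes the `free( user )` entirely rather than restricting it to the mapper-owned case, so if `user` can hold a mapper-allocated string when a failure jumps to `auth_failed` (that assignment is outside the hunk), the allocation now leaks on every failed login; the `user = NULL` added after `pam_set_item` only covers the success path. Because `user` is also populated from `pam_get_item` (libpam-owned), the clean fix is a separate `char *mapped_user = NULL;` for the mapper result, freed at `auth_failed`, while `user` goes back to `const char *`.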
From: bowb <6180319+bowb@users.noreply.github.com> Date: Thu, 9 Jun 2022 12:22:08 -0600 Subject: [PATCH 083/111] check from bounds. --- src/mappers/mapper.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/mappers/mapper.c b/src/mappers/mapper.c index a6464927..a36b8072 100644 --- a/src/mappers/mapper.c +++ b/src/mappers/mapper.c @@ -83,8 +83,12 @@ int get_mapent(struct mapfile *mfile) { /* get a line from buffer */ from = mfile->pt; /* set up pointer */ - while( *from && isspace(*from) ) from++; - if(!*from) return 0; + while( *from && isspace(*from)){ + if(from - mfile->buffer + 1 >= mfile->length){ + return 0; + } + from++; + } to = strchr(from,'\n'); /* if no newline, assume string ends at end of buffer */ if (!to) to=mfile->buffer+mfile->length; From a7553612563b6fdd3e55507751d25f41e72411d3 Mon Sep 17 00:00:00 2001 From: bowb <6180319+bowb@users.noreply.github.com> Date: Thu, 9 Jun 2022 12:34:30 -0600 Subject: [PATCH 084/111] formatting fixes. --- src/common/pkcs11_lib.c | 2 +- src/mappers/mapper.c | 2 +- src/pam_pkcs11/pam_pkcs11.c | 12 ++++++------ 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index 980dec51..926e66c9 100644 --- a/src/common/pkcs11_lib.c +++ b/src/common/pkcs11_lib.c @@ -1631,7 +1631,7 @@ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) DBG1("- id: %02x", id_value[0]); h->certs[h->cert_count] = (cert_object_t *)calloc(sizeof(cert_object_t),1); if (h->certs[h->cert_count] == NULL) { - free(id_value); + free(id_value); X509_free(x509); set_error("malloc() not space to allocate cert object"); goto getlist_error; diff --git a/src/mappers/mapper.c b/src/mappers/mapper.c index a36b8072..6b787906 100644 --- a/src/mappers/mapper.c +++ b/src/mappers/mapper.c 
@@ -189,7 +189,7 @@ char *mapfile_find(const char *file, char *key, int icase, int *match) { char *res=clone_str(mfile->value); DBG2("Found mapfile match '%s' -> '%s'",key,mfile->value); end_mapent(mfile); - *match = 1; + *match = 1; return res; } } diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index b420391a..7f9e026a 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c @@ -258,7 +258,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons /* Either slot_description or slot_num, but not both, needs to be used */ if ((configuration->slot_description != NULL && configuration->slot_num != -1) || (configuration->slot_description == NULL && configuration->slot_num == -1)) { ERR("Error setting configuration parameters"); - configure_free(configuration); + configure_free(configuration); return PAM_AUTHINFO_UNAVAIL; } @@ -312,7 +312,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons ERR1("Remote login (from %s) is not (yet) supported", display); pam_syslog(pamh, LOG_ERR, "Remote login (from %s) is not (yet) supported", display); - configure_free(configuration); + configure_free(configuration); return pkcs11_pam_fail; } } @@ -600,8 +600,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons DBG1("certificate is valid and matches user %s",user); /* try to set up PAM user entry with evaluated value */ rv = pam_set_item(pamh, PAM_USER,(const void *)user); - free( user ); - user = NULL; + free( user ); + user = NULL; if (rv != PAM_SUCCESS) { ERR1("pam_set_item() failed %s", pam_strerror(pamh, rv)); if (!configuration->quiet) { 
@@ -826,8 +826,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons exit_ignore: pam_prompt( pamh, PAM_TEXT_INFO, NULL, _("Smartcard authentication cancelled") ); - configure_free(configuration); - configuration = NULL; + configure_free(configuration); + configuration = NULL; return PAM_IGNORE; } From fcceff3eeef0cb8cf7f054054d1593ca00b9b797 Mon Sep 17 00:00:00 2001 From: bowb <6180319+bowb@users.noreply.github.com> Date: Thu, 9 Jun 2022 13:33:39 -0600 Subject: [PATCH 085/111] free memory returned by cert_info --- src/pam_pkcs11/pam_pkcs11.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index 7f9e026a..99a6f2bc 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c @@ -739,6 +739,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons "PKCS11_LOGIN_CERT_ISSUER=%.*s", (int)((sizeof(env_temp) - 1) - strlen("PKCS11_LOGIN_CERT_ISSUER=") -1), issuer[0]); + free(*issuer); rv = pam_putenv(pamh, env_temp); } else { ERR("couldn't get certificate issuer."); @@ -761,6 +762,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons "PKCS11_LOGIN_CERT_SERIAL=%.*s", (int)((sizeof(env_temp) - 1) - strlen("PKCS11_LOGIN_CERT_SERIAL=") -1), serial[0]); + free(*serial); rv = pam_putenv(pamh, env_temp); } else { ERR("couldn't get certificate serial number."); From 345b22721fd97848e2d20ddca4a3df91e9fc0b14 Mon Sep 17 00:00:00 2001 From: bowb <6180319+bowb@users.noreply.github.com> Date: Fri, 10 Jun 2022 15:17:46 -0600 Subject: [PATCH 086/111] cleanup formatting. fix memory leak check_for_revocation --- src/common/cert_vfy.c | 4 ++++ src/pam_pkcs11/pam_pkcs11.c | 14 +++++++------- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/src/common/cert_vfy.c b/src/common/cert_vfy.c index f6646f79..76073e42 100644 --- a/src/common/cert_vfy.c +++ b/src/common/cert_vfy.c 
@@ -237,6 +237,7 @@ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t if (policy == CRLP_NONE) { /* NONE */ DBG("no revocation-check performed"); + X509_OBJECT_free(obj); return 1; } else if (policy == CRLP_AUTO) { /* AUTO -> first try it ONLINE then OFFLINE */ @@ -245,6 +246,7 @@ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t DBG1("check_for_revocation() failed: %s", get_error()); rv = check_for_revocation(x509, ctx, CRLP_OFFLINE); } + X509_OBJECT_free(obj); return rv; } else if (policy == CRLP_OFFLINE) { /* OFFLINE */ @@ -262,6 +264,7 @@ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t #endif } else { set_error("no dedicated crl available"); + X509_OBJECT_free(obj); return -1; } } else if (policy == CRLP_ONLINE) { @@ -283,6 +286,7 @@ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t #endif } else { set_error("no dedicated ca certificate available"); + X509_OBJECT_free(obj); return -1; } diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index 99a6f2bc..d34c8c1d 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c @@ -258,7 +258,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons /* Either slot_description or slot_num, but not both, needs to be used */ if ((configuration->slot_description != NULL && configuration->slot_num != -1) || (configuration->slot_description == NULL && configuration->slot_num == -1)) { ERR("Error setting configuration parameters"); - configure_free(configuration); + configure_free(configuration); return PAM_AUTHINFO_UNAVAIL; } 
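Review bot: The `X509_OBJECT_free(obj)` added in the CRLP_NONE and CRLP_AUTO branches sits outside the `OPENSSL_VERSION_NUMBER` split that the OFFLINE and ONLINE branches use, where the pre-1.1 form is `X509_OBJECT_free_contents(&obj)` on a by-value object; under that API these two lines pass a struct where a pointer is expected and will not compile, and in the CRLP_NONE branch `obj` has not been looked up at all (its declaration is outside the hunk, so whether it is zero-initialised cannot be seen here). Patch 087 later centralises the release under an `exit:` label, which is the right shape; until then the `#if` guard belongs on these frees as well.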
@@ -312,7 +312,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons ERR1("Remote login (from %s) is not (yet) supported", display); pam_syslog(pamh, LOG_ERR, "Remote login (from %s) is not (yet) supported", display); - configure_free(configuration); + configure_free(configuration); return pkcs11_pam_fail; } } @@ -353,7 +353,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons } configure_free(configuration); return pkcs11_pam_fail; - } + } /* initialise pkcs #11 module */ DBG("initialising pkcs #11 module..."); @@ -600,8 +600,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons DBG1("certificate is valid and matches user %s",user); /* try to set up PAM user entry with evaluated value */ rv = pam_set_item(pamh, PAM_USER,(const void *)user); - free( user ); - user = NULL; + free( user ); + user = NULL; if (rv != PAM_SUCCESS) { ERR1("pam_set_item() failed %s", pam_strerror(pamh, rv)); if (!configuration->quiet) { @@ -828,8 +828,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons exit_ignore: pam_prompt( pamh, PAM_TEXT_INFO, NULL, _("Smartcard authentication cancelled") ); - configure_free(configuration); - configuration = NULL; + configure_free(configuration); + configuration = NULL; return PAM_IGNORE; } From bdad577afc434b20420f6c4a1fa8a33b9cc7693a Mon Sep 17 00:00:00 2001 From: bowb <6180319+bowb@users.noreply.github.com> Date: Fri, 10 Jun 2022 18:13:00 -0600 Subject: [PATCH 087/111] initialize unitialized variables. --- src/common/algorithm.c | 2 +- src/common/base64.c | 12 +++--- src/common/cert_info.c | 75 ++++++++++++++++---------------- src/common/cert_vfy.c | 94 ++++++++++++++++++++++------------------- src/common/pkcs11_lib.c | 93 ++++++++++++++++++++-------------------- src/common/strings.c | 28 ++++++------ src/common/strndup.c | 2 +- src/common/uri.c | 30 ++++++------- 8 files changed, 173 insertions(+), 163 deletions(-) 
diff --git a/src/common/algorithm.c b/src/common/algorithm.c index da72e140..8d56feb8 100644 --- a/src/common/algorithm.c +++ b/src/common/algorithm.c @@ -60,7 +60,7 @@ const ALGDIGEST *Alg_get_digest_by_name(ALGORITHM_TYPE hash) ALGORITHM_TYPE Alg_get_alg_from_string(const char *hashString) { - const EVP_MD *digest; + const EVP_MD *digest = NULL; digest = EVP_get_digestbyname(hashString); if (!digest) { diff --git a/src/common/base64.c b/src/common/base64.c index 9f0b51a2..7a23cfad 100644 --- a/src/common/base64.c +++ b/src/common/base64.c @@ -1,7 +1,7 @@ /* * base64.c: Base64 converting functions * - * Copyright (C) 2001, 2002 Juha Yrjl + * Copyright (C) 2001, 2002 Juha Yrj�l� * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -52,7 +52,7 @@ static const unsigned char bin_table[128] = { }; static int from_base64(const char *in, unsigned int *out, int *skip) { - unsigned int res = 0, c, s = 18; + unsigned int res = 0, c = 0, s = 18; const char *in0 = in; for (c = 0; c < 4; c++, in++) { @@ -79,8 +79,8 @@ static int from_base64(const char *in, unsigned int *out, int *skip) { } int base64_encode(const unsigned char *in, size_t len, unsigned char *out, size_t *outlen) { - size_t i, len2, leven; - unsigned char *p; + size_t i = 0, len2 = 0, leven = 0; + unsigned char *p = NULL; if (!in) return -1; if (!out) return -1; @@ -120,8 +120,8 @@ int base64_encode(const unsigned char *in, size_t len, unsigned char *out, size } int base64_decode(const char *in, unsigned char *out, size_t outlen) { - int len = 0, r, skip; - unsigned int i; + int len = 0, r = 0, skip = 0; + unsigned int i = 0; while ((r = from_base64(in, &i, &skip)) > 0) { int finished = 0, s = 16; diff --git a/src/common/cert_info.c b/src/common/cert_info.c index 207f9377..acca9653 100644 --- a/src/common/cert_info.c +++ b/src/common/cert_info.c 
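Review bot: The base64.c hunk at `@@ -1,7 +1,7 @@` changes only the copyright holder's name in the file header, and the new side shows replacement characters where the original had non-ASCII letters, which points to the file having been re-saved in a different encoding rather than an intended edit. An unrelated, lossy change to a license header should be dropped from a commit about variable initialisation; if the header must be touched, the name should be written as valid UTF-8. The initialisations in the other hunks of this file are harmless, though `c = 0` in `from_base64` is redundant with the `for (c = 0; ...)` that follows.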
@@ -133,8 +133,8 @@ cert_info_upn (X509 *x509) SECItem alt_name; SECStatus status; PRArenaPool *arena = NULL; - CERTGeneralName *nameList; - CERTGeneralName *current; + CERTGeneralName *nameList = NULL; + CERTGeneralName *current = NULL; SECOidTag tag; static char *results[CERT_INFO_SIZE] = { NULL }; int result = 0; @@ -205,7 +205,7 @@ cert_info_upn (X509 *x509) */ char **cert_info(X509 *x509, int type, ALGORITHM_TYPE algorithm ) { static char *results[CERT_INFO_SIZE]; - SECOidData *oid; + SECOidData *oid = NULL; int i; if (!x509) { @@ -304,7 +304,7 @@ char **cert_info(X509 *x509, int type, ALGORITHM_TYPE algorithm ) { * Generate and compose a certificate chain */ void add_cert(X509 *cert, X509 ***certs, int *ncerts) { - X509 **certs2; + X509 **certs2 = NULL; /* sanity checks */ if (!cert) return; if (!certs) return; @@ -334,7 +334,7 @@ void add_cert(X509 *cert, X509 ***certs, int *ncerts) { */ static char **cert_info_cn(X509 *x509) { static char *results[CERT_INFO_SIZE]; - int lastpos,position; + int lastpos = 0,position = 0; X509_NAME *name = X509_get_subject_name(x509); if (!name) { DBG("Certificate has no subject"); @@ -376,7 +376,7 @@ static char **cert_info_cn(X509 *x509) { * Extract Certificate's Subject */ static char **cert_info_subject(X509 *x509) { - X509_NAME *subject; + X509_NAME *subject= NULL; static char *entries[2] = { NULL, NULL }; entries[0] = malloc(256); if (!entries[0]) return NULL; @@ -393,7 +393,7 @@ static char **cert_info_subject(X509 *x509) { * Extract Certificate's Issuer */ static char **cert_info_issuer(X509 *x509) { - X509_NAME *issuer; + X509_NAME *issuer = NULL; static char *entries[2] = { NULL, NULL }; entries[0] = malloc(256); if (!entries[0]) return NULL; @@ -410,7 +410,7 @@ static char **cert_info_issuer(X509 *x509) { * Extract Certificate's Kerberos Principal Name */ static char **cert_info_kpn(X509 *x509) { - int i,j; + int i = 0,j = 0; static char *entries[CERT_INFO_SIZE]; STACK_OF(GENERAL_NAME) *gens; GENERAL_NAME *name; 
@@ -437,7 +437,7 @@ static char **cert_info_kpn(X509 *x509) { Principal Name is ASN1_STRING, but not sure at 100% Any help will be granted */ - unsigned char *txt; + unsigned char *txt = NULL; ASN1_TYPE *val = name->d.otherName->value; ASN1_STRING *str= val->value.asn1_string; DBG("Found Kerberos Principal Name "); @@ -463,9 +463,9 @@ static char **cert_info_kpn(X509 *x509) { * Extract Certificate's email */ static char **cert_info_email(X509 *x509) { - int i,j; + int i = 0,j = 0; static char *entries[CERT_INFO_SIZE]; - STACK_OF(GENERAL_NAME) *gens; + STACK_OF(GENERAL_NAME) *gens = NULL; GENERAL_NAME *name; DBG("Trying to find an email in certificate"); gens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL); @@ -492,10 +492,10 @@ static char **cert_info_email(X509 *x509) { * Extract Certificate's Microsoft Universal Principal Name */ static char **cert_info_upn(X509 *x509) { - int i,j; + int i = 0,j = 0; static char *entries[CERT_INFO_SIZE]; - STACK_OF(GENERAL_NAME) *gens; - GENERAL_NAME *name; + STACK_OF(GENERAL_NAME) *gens = NULL; + GENERAL_NAME *name = NULL; DBG("Trying to find an Universal Principal Name in certificate"); gens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL); if (!gens) { @@ -533,7 +533,7 @@ static char **cert_info_upn(X509 *x509) { */ static char **cert_info_uid(X509 *x509) { static char *results[CERT_INFO_SIZE]; - int lastpos,position; + int lastpos = 0,position = 0; int uid_type = UID_TYPE; X509_NAME *name = X509_get_subject_name(x509); if (!name) { @@ -552,9 +552,9 @@ static char **cert_info_uid(X509 *x509) { } } while( ( lastpos != -1 ) && (position first try it ONLINE then OFFLINE */ rv = check_for_revocation(x509, ctx, CRLP_ONLINE); 
@@ -246,8 +246,8 @@ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t DBG1("check_for_revocation() failed: %s", get_error()); rv = check_for_revocation(x509, ctx, CRLP_OFFLINE); } - X509_OBJECT_free(obj); - return rv; + ret = rv; + goto exit; } else if (policy == CRLP_OFFLINE) { /* OFFLINE */ DBG("looking for an dedicated local crl"); @@ -255,17 +255,15 @@ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), &obj); if (rv > 0) { crl = X509_OBJECT_get0_X509_CRL((&obj)); - X509_OBJECT_free_contents(&obj); #else rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), obj); if (rv > 0) { crl = X509_OBJECT_get0_X509_CRL(obj); - X509_OBJECT_free(obj); #endif } else { set_error("no dedicated crl available"); - X509_OBJECT_free(obj); - return -1; + ret = -1; + goto exit; } } else if (policy == CRLP_ONLINE) { /* ONLINE */ @@ -277,23 +275,22 @@ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), &obj); if (rv > 0) { x509_ca = X509_OBJECT_get0_X509((&obj)); - X509_OBJECT_free_contents(&obj); #else rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), obj); if (rv > 0) { x509_ca = X509_OBJECT_get0_X509(obj); - X509_OBJECT_free(obj); #endif } else { set_error("no dedicated ca certificate available"); - X509_OBJECT_free(obj); - return -1; + ret = -1; + goto exit; } dist_points = X509_get_ext_d2i(x509_ca, NID_crl_distribution_points, NULL, NULL); if (dist_points == NULL) { set_error("neither the user nor the ca certificate does contain a crl distribution point"); - return -1; + ret = -1; + goto exit; } } crl = NULL; 
@@ -322,27 +319,38 @@ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t sk_DIST_POINT_pop_free(dist_points, DIST_POINT_free); if (crl == NULL) { set_error("downloading the crl failed for all distribution points"); - return -1; + ret = -1; + goto exit; } } else { set_error("policy %d is not supported", policy); - return -1; + ret = -1; + goto exit; } /* verify the crl and check whether the certificate is revoked or not */ DBG("verifying crl"); rv = verify_crl(crl, ctx); if (rv < 0) { - X509_CRL_free(crl); set_error("verify_crl() failed: %s", get_error()); - return -1; + ret = -1; + goto exit; } else if (rv == 0) { - X509_CRL_free(crl); - return 0; + ret = 0; + goto exit; } DBG("checking revocation"); rv = X509_CRL_get0_by_cert(crl, &rev, x509); - X509_CRL_free(crl); - return (rv == 0); + ret = (rv == 0); + +exit: +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) /* is this correct for older openssl? */ + X509_OBJECT_free_contents(&obj); +#else + X509_OBJECT_free(obj); +#endif + /* crl is being freed by caller X509_STORE_free */ + return ret; + } static int add_hash( X509_LOOKUP *lookup, const char *dir) { @@ -374,7 +382,7 @@ static int add_file( X509_LOOKUP *lookup, const char *file) { } static X509_STORE * setup_store(cert_policy *policy) { - int rv; + int rv = 0; X509_STORE *store = NULL; X509_LOOKUP *lookup = NULL; @@ -450,9 +458,9 @@ static X509_STORE * setup_store(cert_policy *policy) { */ int verify_certificate(X509 * x509, cert_policy *policy) { - int rv; - X509_STORE *store; - X509_STORE_CTX *ctx; + int rv = 0; + X509_STORE *store = NULL; + X509_STORE_CTX *ctx = NULL; /* if neither ca nor crl check are requested skip */ if ( (policy->ca_policy==0) && (policy->crl_policy==CRLP_NONE) ) { 
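Review bot: This hunk removes every `X509_CRL_free(crl)`, and the comment at `exit:` says the CRL is freed by the caller's `X509_STORE_free`, but that only holds for the OFFLINE branch, where `crl` comes out of the store via `X509_STORE_get_by_subject`; in the ONLINE branch `crl` is the downloaded object (the `downloading the crl failed` check at the top of this hunk refers to it) and, unless the download helper outside the hunk adds it to the store, it now leaks on every online check. Track ownership explicitly: declare `X509_CRL *owned_crl = NULL;`, assign `owned_crl = crl;` on the download path, and call `X509_CRL_free(owned_crl);` at `exit:`. The `/* is this correct for older openssl? */` comment on the `#if` should be resolved before merging: on that API `X509_OBJECT_free_contents(&obj)` is also reached from the CRLP_NONE path where `obj` was never populated, so it is only safe if `obj` is zero-initialised at its declaration (outside the hunk).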
@@ -521,11 +529,11 @@ int verify_certificate(X509 * x509, cert_policy *policy) int verify_signature(X509 * x509, unsigned char *data, int data_length, unsigned char **signature, unsigned long *signature_length) { - int rv; - EVP_PKEY *pubkey; + int rv = 0; + EVP_PKEY *pubkey = NULL; EVP_MD_CTX *md_ctx = NULL; - ECDSA_SIG* ec_sig; - int rs_len; + ECDSA_SIG* ec_sig = NULL; + int rs_len = 0; unsigned char *p = NULL; /* get the public-key */ diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index 926e66c9..e5a067fa 100644 --- a/src/common/pkcs11_lib.c +++ b/src/common/pkcs11_lib.c @@ -39,8 +39,8 @@ */ int pkcs11_pass_login(pkcs11_handle_t *h, int nullok) { - int rv; - char *pin; + int rv = 0; + char *pin = NULL; /* get password */ pin =getpass("PIN for token: "); @@ -98,8 +98,8 @@ static int memcmp_pad_max(void *d1, size_t d1_len, void *d2, size_t d2_len, size_t max_sz) { - size_t len, extra_len; - char *marker; + size_t len = 0, extra_len = 0; + char *marker = NULL; /* No point in comparing anything beyond max_sz */ if (d1_len > max_sz) @@ -134,7 +134,7 @@ memcmp_pad_max(void *d1, size_t d1_len, void *d2, size_t d2_len, int get_random_value(unsigned char *data, int length) { static const char *random_device = "/dev/urandom"; - int rv, fh, l; + int rv = 0, fh = 0, l = 0; DBG2("reading %d random bytes from %s", length, random_device); fh = open(random_device, O_RDONLY); @@ -992,10 +992,10 @@ int crypto_init(cert_policy *policy) int load_pkcs11_module(const char *module, pkcs11_handle_t **hp) { - int rv; + int rv = 0; struct stat module_stat; CK_C_GetFunctionList C_GetFunctionList_ptr; - pkcs11_handle_t *h; + pkcs11_handle_t *h = NULL; DBG1("PKCS #11 module = [%s]", module); /* reset pkcs #11 handle */ 
@@ -1051,13 +1051,11 @@ int load_pkcs11_module(const char *module, pkcs11_handle_t **hp) static int refresh_slots(pkcs11_handle_t *h) { - CK_ULONG i, slot_count; - CK_SLOT_ID_PTR slots; - CK_RV rv; - int j; + CK_ULONG i = 0UL, slot_count = -1; + CK_SLOT_ID_PTR slots = NULL; + CK_RV rv = 0; + int j = 0; - slot_count = -1; - slots = NULL; rv = h->fl->C_GetSlotList(FALSE, NULL, &slot_count); if (rv != CKR_OK) { set_error("C_GetSlotList() failed: 0x%08lX", rv); @@ -1145,7 +1143,7 @@ refresh_slots(pkcs11_handle_t *h) int init_pkcs11_module(pkcs11_handle_t *h,int flag) { - int rv; + int rv = 0; /* CK_SLOT_ID_PTR slots; */ CK_INFO info; /* @@ -1284,8 +1282,8 @@ int find_slot_by_slotlabel(pkcs11_handle_t *h, const char *wanted_slot_label, unsigned int *slot_num) { - unsigned long idx; - size_t len; + unsigned long idx = 0; + size_t len = 0; if (slot_num == NULL || wanted_slot_label == NULL || strlen(wanted_slot_label) == 0) @@ -1320,8 +1318,8 @@ find_slot_by_slotlabel_and_tokenlabel(pkcs11_handle_t *h, const char *wanted_slot_label, const char *wanted_token_label, unsigned int *slot_num) { - unsigned long i; - int rv; + unsigned long i = 0; + int rv = 0; if (slot_num == NULL) return (-1); @@ -1366,7 +1364,7 @@ int wait_for_token_by_slotlabel(pkcs11_handle_t *h, const char *wanted_token_label, unsigned int *slot_num) { - int rv; + int rv = 0; do { /* see if the card we're looking for is inserted */ @@ -1388,7 +1386,7 @@ int wait_for_token(pkcs11_handle_t *h, const char *wanted_token_label, unsigned int *slot_num) { - int rv; + int rv = 0; do { /* see if the card we're looking for is inserted */ @@ -1407,7 +1405,7 @@ int wait_for_token(pkcs11_handle_t *h, int open_pkcs11_session(pkcs11_handle_t *h, unsigned int slot) { - int rv; + int rv = 0; DBG1("opening a new PKCS #11 session for slot %d", slot + 1); if (slot >= h->slot_count) { 
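Review bot: In the `refresh_slots` hunk, `slot_count = -1` now appears as an initialiser of an unsigned `CK_ULONG`, which converts to ULONG_MAX and is exactly the kind of implicit conversion this series is meant to clean up; since the first `C_GetSlotList(FALSE, NULL, &slot_count)` call passes a NULL list, the PKCS#11 contract ignores the input value and `slot_count = 0` is the clearer choice. Using the `UL` suffix on `i` but not on `slot_count` is also inconsistent; write both initialisers the same way.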
@@ -1426,7 +1424,7 @@ int open_pkcs11_session(pkcs11_handle_t *h, unsigned int slot) int pkcs11_login(pkcs11_handle_t *h, char *password) { - int rv; + int rv = 0; DBG("login as user CKU_USER"); if (password) @@ -1442,7 +1440,7 @@ int pkcs11_login(pkcs11_handle_t *h, char *password) int get_slot_login_required(pkcs11_handle_t *h) { - int rv; + int rv = 0; CK_TOKEN_INFO tinfo; rv = h->fl->C_GetTokenInfo(h->slots[h->current_slot].id, &tinfo); @@ -1455,7 +1453,7 @@ int get_slot_login_required(pkcs11_handle_t *h) int get_slot_protected_authentication_path(pkcs11_handle_t *h) { - int rv; + int rv = 0; CK_TOKEN_INFO tinfo; rv = h->fl->C_GetTokenInfo(h->slots[h->current_slot].id, &tinfo); @@ -1468,7 +1466,7 @@ int get_slot_protected_authentication_path(pkcs11_handle_t *h) static void free_certs(cert_object_t **certs, int cert_count) { - int i; + int i = 0; for (i = 0; i < cert_count; i++) { if (!certs[i]) { @@ -1485,7 +1483,7 @@ static void free_certs(cert_object_t **certs, int cert_count) int close_pkcs11_session(pkcs11_handle_t *h) { - int rv; + int rv = 0; /* close user-session */ DBG("logout user"); @@ -1513,13 +1511,14 @@ int close_pkcs11_session(pkcs11_handle_t *h) /* get a list of certificates */ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) { - CK_BYTE *id_value; - CK_BYTE *cert_value; - CK_OBJECT_HANDLE object; - CK_ULONG object_count; - X509 *x509; + CK_BYTE *id_value = NULL; + CK_BYTE *cert_value = NULL; + CK_OBJECT_HANDLE object = 0L; + CK_ULONG object_count = 0L; + X509 *x509 = NULL; cert_object_t **certs = NULL; - int rv; + cert_object_t **ret = NULL; + int rv = 0; CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE; CK_CERTIFICATE_TYPE cert_type = CKC_X_509; 
@@ -1574,7 +1573,6 @@ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) cert_template[2].pValue = id_value; rv = h->fl->C_GetAttributeValue(h->session, object, cert_template, 3); if (rv != CKR_OK) { - free(id_value); set_error("CertID value: C_GetAttributeValue() failed: %i", rv); goto getlist_error; } @@ -1585,7 +1583,6 @@ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) cert_template[3].pValue = NULL; rv = h->fl->C_GetAttributeValue(h->session, object, cert_template, 4); if (rv != CKR_OK) { - free(id_value); set_error("Cert Length: C_GetAttributeValue() failed: %i", rv); goto getlist_error; } @@ -1599,27 +1596,22 @@ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) cert_template[3].pValue = cert_value; rv = h->fl->C_GetAttributeValue(h->session, object, cert_template, 4); if (rv != CKR_OK) { - free(id_value); - free(cert_value); set_error("Cert Value: C_GetAttributeValue() failed: %i", rv); goto getlist_error; } - /* Pass 3: store certificate */ /* convert to X509 data structure */ x509 = d2i_X509(NULL, (const unsigned char **)&cert_template[3].pValue, cert_template[3].ulValueLen); if (x509 == NULL) { - free(id_value); - free(cert_value); set_error("d2i_x509() failed: %s", ERR_error_string(ERR_get_error(), NULL)); goto getlist_error; } free(cert_value); + cert_value = NULL; /* finally add certificate to chain */ certs= realloc(h->certs,(h->cert_count+1) * sizeof(cert_object_t *)); if (!certs) { - free(id_value); X509_free(x509); set_error("realloc() not space to re-size cert table"); goto getlist_error; @@ -1631,7 +1623,6 @@ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) DBG1("- id: %02x", id_value[0]); h->certs[h->cert_count] = (cert_object_t *)calloc(sizeof(cert_object_t),1); if (h->certs[h->cert_count] == NULL) { - free(id_value); X509_free(x509); set_error("malloc() not space to allocate cert object"); goto getlist_error; 
@@ -1651,18 +1642,21 @@ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) if (rv != CKR_OK) { set_error("C_FindObjectsFinal() failed: %i", rv); free_certs(certs, h->cert_count); - free(id_value); certs = NULL; h->certs = NULL; h->cert_count = 0; - return NULL; + ret = NULL; + goto exit; } *ncerts = h->cert_count; /* arriving here means that's all right */ DBG1("Found %d certificates in token",h->cert_count); - return h->certs; + ret = h->certs; + +exit: + return ret; /* some error arrived: clean as possible, and return fail */ getlist_error: @@ -1673,7 +1667,14 @@ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) free_certs(h->certs, h->cert_count); h->certs = NULL; h->cert_count = 0; - return NULL; + ret = NULL; + if(id_value) { + free(id_value); + } + if(cert_value) { + free(cert_value); + } + goto exit; } /* retrieve the private key associated with a given certificate */ @@ -1766,7 +1767,7 @@ X509 *get_X509_certificate(cert_object_t *cert) int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data, CK_ULONG length, CK_BYTE **signature, CK_ULONG *signature_length) { - int rv; + int rv = 0; int h_offset = 0; #ifdef USE_HASH_SHA1 CK_BYTE hash[15 + SHA_DIGEST_LENGTH] = diff --git a/src/common/strings.c b/src/common/strings.c index b06211cd..83a9bd91 100644 --- a/src/common/strings.c +++ b/src/common/strings.c @@ -38,7 +38,7 @@ check for null or blank string */ int is_empty_str(const char *str) { - const char *pt; + const char *pt = NULL; if (!str) return 1; for (pt=str; *pt;pt++) if (!isspace(*pt)) return 0; /* arriving here means no non-blank char found */ 
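Review bot: The `free(id_value)` added to the getlist_error cleanup is unconditional, yet id_value appears to be handed over to the cert object created in the @@ -1631 hunk (the store itself is outside these hunks) and nothing visible resets it afterwards; if C_FindObjects or the id-length query fails on a later loop iteration, free_certs(h->certs, …) releases that buffer and the cleanup frees it a second time. Mirroring the `cert_value = NULL;` this commit adds after free(cert_value), set `id_value = NULL;` right after ownership passes to h->certs[h->cert_count], so the cleanup only ever frees a buffer nobody else owns. The later "free(NULL)" commit's hunk at @@ -1668 keeps the same unconditional free. get_certificate_list starts and ends outside the hunk.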
@@ -56,8 +56,8 @@ char *clone_str(const char *str) { /* returns a uppercased clone of provided string */ char *toupper_str(const char *str) { - const char *from; - char *to; + const char *from = NULL; + char *to = NULL; char *dst= malloc(1+strlen(str)); if(!dst) return (char *) str; /* should I advise?? */ for (from=str,to=dst;*from; from++,to++) *to=toupper(*from); @@ -67,8 +67,8 @@ char *toupper_str(const char *str) { /* returns a lowercased clone of provided string */ char *tolower_str(const char *str) { - const char *from; - char *to; + const char *from = NULL; + char *to = NULL; char *dst= malloc(1+strlen(str)); if(!dst) return (char *)str /* should I advise?? */; for (from=str,to=dst;*from; from++,to++) *to=tolower(*from); @@ -78,8 +78,8 @@ char *tolower_str(const char *str) { /* print a binary array in xx:xx:.... format */ char *bin2hex(const unsigned char *binstr,const int len) { - int i; - char *pt; + int i = 0; + char *pt = NULL; char *res= malloc(1+3*len); if (!res) return NULL; if (len == 0) { @@ -95,7 +95,7 @@ char *bin2hex(const unsigned char *binstr,const int len) { /* convert xx:xx:xx to binary array */ unsigned char *hex2bin(const char *hexstr) { - char *to; + char *to = NULL; char *from = (char* )hexstr; int nelems = (1+strlen(hexstr))/3; unsigned char *res = calloc(nelems,sizeof(unsigned char)); @@ -111,7 +111,7 @@ unsigned char *hex2bin(const char *hexstr) { /* same as above, but no malloc needed if res is not null */ unsigned char *hex2bin_static(const char *hexstr,unsigned char **res,int *size) { - char *to; + char *to = NULL; char *from = (char* )hexstr; *size = (1+strlen(hexstr))/3; if(!*res) *res = calloc(*size,sizeof(unsigned char)); 
@@ -129,8 +129,8 @@ unsigned char *hex2bin_static(const char *hexstr,unsigned char **res,int *size) * splits a string into a nelems string array by using sep as char separator */ char **split(const char *str,char sep, int nelems){ - int n; - char *pt; + int n = 0; + char *pt = NULL; char *copy= clone_str(str); char **res= calloc(nelems,sizeof(char*)); if ( (!res) || (!copy) ) return NULL; @@ -150,8 +150,8 @@ char **split(const char *str,char sep, int nelems){ * Note that result must be still free()'d */ char **split_static(const char *str,char sep, int nelems,char *dst){ - int n; - char *pt; + int n = 0; + char *pt = NULL; char **res= calloc(nelems,sizeof(char*)); if ( (!res) || (!dst) ) return NULL; strcpy(dst,str); @@ -167,7 +167,7 @@ char **split_static(const char *str,char sep, int nelems,char *dst){ /* remove redundant spaces from string */ char *trim(const char *str){ - char *from,*to; + char *from = NULL,*to = NULL; int space=1; char *res=malloc(strlen(str)); if (!res) return NULL; diff --git a/src/common/strndup.c b/src/common/strndup.c index 5a7074a7..57b8bfb0 100644 --- a/src/common/strndup.c +++ b/src/common/strndup.c @@ -17,7 +17,7 @@ #ifndef HAVE_STRNDUP char * strndup (const char *s, size_t size) { - char *r; + char *r = NULL; char *end = memchr(s, 0, size); if (NULL == end) diff --git a/src/common/uri.c b/src/common/uri.c index 475e6a5d..53ea0c71 100644 --- a/src/common/uri.c +++ b/src/common/uri.c @@ -45,7 +45,7 @@ int is_uri(const char *path) { static struct stat * stat_file(const char *path) { static struct stat buf; - int res; + int res = 0; const char *pt=path; if(is_empty_str(path)) return NULL; if (is_uri(path)) { @@ -92,7 +92,7 @@ struct curl_data_s { /* curl call-back function */ static size_t curl_get(void *ptr, size_t size, size_t nmemb, void *stream) { struct curl_data_s *cd = (struct curl_data_s*)stream; - unsigned char *p; + unsigned char *p = NULL; size *= nmemb; p = realloc(cd->data, cd->length + size); 
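Review bot: `char *res=malloc(strlen(str));` in trim() reserves no byte for the terminator, so an input with no redundant spaces, whose trimmed copy is as long as the input, would write the NUL one past the allocation; the copy loop is outside the hunk, so confirm the output can indeed reach the input's length. The allocation should be `char *res=malloc(1+strlen(str));`, matching the `1+strlen(str)` that toupper_str and tolower_str use above. The line is untouched by this commit, but this hunk is the only place it is shown.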
@@ -109,8 +109,8 @@ static size_t curl_get(void *ptr, size_t size, size_t nmemb, void *stream) { } int get_from_uri(const char *uri_str, unsigned char **data, size_t *length) { - int rv; - CURL *curl; + int rv = 0; + CURL *curl = NULL; char curl_error[CURL_ERROR_SIZE] = "0"; struct curl_data_s curl_data = { NULL, 0}; /* init curl */ @@ -188,7 +188,7 @@ static void free_uri(uri_t *uri) { static int parse_generic_uri(const char *in, generic_uri_t **out) { - char *p; + char *p = NULL; *out = malloc(sizeof(generic_uri_t)); if (*out == NULL) { @@ -280,7 +280,7 @@ static int parse_ldap_uri(const char *in, LDAPURLDesc ** out) static int parse_uri(const char *str, uri_t **uri) { - int rv; + int rv = 0; *uri = malloc(sizeof(uri_t)); if (*uri == NULL) { @@ -323,8 +323,8 @@ static int parse_uri(const char *str, uri_t **uri) static int get_file(uri_t *uri, unsigned char **data, ssize_t * length) { - int fd; - ssize_t len, rv; + int fd = -1; + ssize_t len = 0, rv = 0; *length = 0; *data = NULL; @@ -369,12 +369,12 @@ static int get_file(uri_t *uri, unsigned char **data, ssize_t * length) static int get_http(uri_t *uri, unsigned char **data, size_t *length, int rec_level) { - int rv, sock, i, j; + int rv = 0, sock = 0, i = 0, j = 0; struct addrinfo hint = { 0, PF_UNSPEC, SOCK_STREAM, 0, 0, NULL, NULL, NULL }; - struct addrinfo *info; - char *request; - unsigned char *buf; - ssize_t len, bufsize; + struct addrinfo *info = NULL; + char *request = NULL; + unsigned char *buf = NULL; + ssize_t len = 0, bufsize = 0; *length = 0; *data = NULL; @@ -586,8 +586,8 @@ static int get_ldap(uri_t *uri, unsigned char **data, size_t *length) int get_from_uri(const char *str, unsigned char **data, size_t *length) { - int rv; - uri_t *uri; + int rv = 0; + uri_t *uri = NULL; /* parse uri */ DBG("parsing uri:"); From ecdce1afad21ea6126160f49cc11d581b8a3cd03 Mon Sep 17 00:00:00 2001 
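Review bot: In get_http the socket descriptor is initialized to 0, `int rv = 0, sock = 0, i = 0, j = 0;`, which is a valid descriptor (stdin), whereas get_file in the previous hunk uses `int fd = -1;` for the same purpose. If get_http's error path closes sock before socket() has succeeded — the body is outside the hunk — that close() would hit fd 0 instead of failing harmlessly with EBADF. Prefer `int rv = 0, sock = -1, i = 0, j = 0;` so an unopened socket stays recognizable.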
From: Bowb <6180319+bowb@users.noreply.github.com> Date: Fri, 10 Jun 2022 18:15:43 -0600 Subject: [PATCH 088/111] Update base64.c --- src/common/base64.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/common/base64.c b/src/common/base64.c index 7a23cfad..8a1a1d60 100644 --- a/src/common/base64.c +++ b/src/common/base64.c @@ -1,7 +1,7 @@ /* * base64.c: Base64 converting functions * - * Copyright (C) 2001, 2002 Juha Yrj�l� + * Copyright (C) 2001, 2002 Juha Yrjölä * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public From 0cbc9627bbdb4ee73e405acd3266fce854637118 Mon Sep 17 00:00:00 2001 From: bowb <6180319+bowb@users.noreply.github.com> Date: Mon, 13 Jun 2022 10:30:14 -0600 Subject: [PATCH 089/111] add free_entries. only used by subject_mapper --- src/common/cert_info.c | 56 +++++++++++++++++++++--------------- src/common/cert_info.h | 11 +++++++ src/mappers/subject_mapper.c | 8 +++--- 3 files changed, 48 insertions(+), 27 deletions(-) diff --git a/src/common/cert_info.c b/src/common/cert_info.c index acca9653..e08dbe4c 100644 --- a/src/common/cert_info.c +++ b/src/common/cert_info.c @@ -114,7 +114,7 @@ cert_GetNameElements(CERTName *name, int wantedTag) * Evaluate Certificate Signature Digest */ static char **cert_info_digest(X509 *x509, ALGORITHM_TYPE algorithm) { - static char *entries[2] = { NULL,NULL }; + static char *entries[DEFUALT_ENTRIES_SIZE] = { NULL,NULL }; HASH_HashType type = HASH_GetHashTypeByOidTag(algorithm); unsigned char data[HASH_LENGTH_MAX]; @@ -377,7 +377,7 @@ static char **cert_info_cn(X509 *x509) { */ static char **cert_info_subject(X509 *x509) { X509_NAME *subject= NULL; - static char *entries[2] = { NULL, NULL }; + static char *entries[DEFUALT_ENTRIES_SIZE] = { NULL, NULL }; entries[0] = malloc(256); if (!entries[0]) return NULL; subject = X509_get_subject_name(x509); 
@@ -394,7 +394,7 @@ static char **cert_info_subject(X509 *x509) { */ static char **cert_info_issuer(X509 *x509) { X509_NAME *issuer = NULL; - static char *entries[2] = { NULL, NULL }; + static char *entries[DEFUALT_ENTRIES_SIZE] = { NULL, NULL }; entries[0] = malloc(256); if (!entries[0]) return NULL; issuer = X509_get_issuer_name(x509); @@ -607,7 +607,7 @@ static char *key2pem(EVP_PKEY *key) { */ static char **cert_info_puk(X509 *x509) { char *pt = NULL; - static char *entries[2] = { NULL,NULL }; + static char *entries[DEFUALT_ENTRIES_SIZE] = { NULL,NULL }; EVP_PKEY *pubk = X509_get_pubkey(x509); if(!pubk) { DBG("Cannot extract public key"); @@ -666,17 +666,19 @@ static int BN_append(unsigned char *pt, const BIGNUM *bn) { * Extract Certificate's Public Key in OpenSSH format */ static char **cert_info_sshpuk(X509 *x509) { + char **ret = NULL; char **maillist = NULL; const char *type = NULL; char *buf = NULL; unsigned char *blob = NULL,*pt = NULL,*data = NULL; size_t data_len = 0; int res = 0; - static char *entries[2] = { NULL,NULL }; + static char *entries[DEFUALT_ENTRIES_SIZE] = { NULL,NULL }; const BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL, *dsa_pub_key = NULL; const BIGNUM *rsa_e = NULL, *rsa_n = NULL; DSA *dsa = NULL; RSA *rsa = NULL; + EVP_PKEY *pubk = X509_get_pubkey(x509); if(!pubk) { DBG("Cannot extract public key"); @@ -685,7 +687,7 @@ static char **cert_info_sshpuk(X509 *x509) { blob=calloc(8192,sizeof(unsigned char)); if (!blob ) { DBG("Cannot allocate space to compose pkey string"); - goto sshpuk_fail; + goto sshpuk_exit; } pt=blob; switch (EVP_PKEY_base_id(pubk)) { @@ -693,7 +695,7 @@ static char **cert_info_sshpuk(X509 *x509) { dsa = EVP_PKEY_get1_DSA(pubk); if (dsa == NULL) { DBG("No data for public DSA key"); - goto sshpuk_fail; + goto sshpuk_exit; } type="ssh-dss"; /* dump key into a byte array */ 
@@ -712,7 +714,7 @@ static char **cert_info_sshpuk(X509 *x509) { rsa = EVP_PKEY_get1_RSA(pubk); if (rsa == NULL) { DBG("No data for public RSA key"); - goto sshpuk_fail; + goto sshpuk_exit; } /* dump key into a byte array */ type="ssh-rsa"; @@ -724,7 +726,7 @@ static char **cert_info_sshpuk(X509 *x509) { RSA_free(rsa); break; default: DBG("Unknown public key type"); - goto sshpuk_fail; + goto sshpuk_exit; } /* encode data in base64 format */ data_len= 1+ 4*((2+pt-blob)/3); @@ -732,12 +734,12 @@ static char **cert_info_sshpuk(X509 *x509) { data=calloc(data_len,sizeof(unsigned char)); if(!data) { DBG1("calloc() to uuencode buffer '%ld'",data_len); - goto sshpuk_fail; + goto sshpuk_exit; } res= base64_encode(blob,pt-blob,data, &data_len); if (res<0) { DBG("BASE64 Encode failed"); - goto sshpuk_fail; + goto sshpuk_exit; } /* retrieve email from certificate and compose ssh-key string */ maillist= cert_info_email(x509); @@ -746,23 +748,23 @@ static char **cert_info_sshpuk(X509 *x509) { buf=malloc(3+res+strlen(type)+data_len); if (!buf) { DBG("No memory to store public key dump"); - goto sshpuk_fail; + goto sshpuk_exit; } if (maillist && maillist[0]) sprintf(buf,"%s %s %s",type,data,maillist[0]); else sprintf(buf,"%s %s",type,data); DBG1("Public key is '%s'\n",buf); - EVP_PKEY_free(pubk); - free(blob); - free(data); entries[0]=buf; - return entries; + ret = entries; -sshpuk_fail: +sshpuk_exit: + if(maillist) + free_entries(maillist, CERT_INFO_SIZE); EVP_PKEY_free(pubk); - free(blob); + if(blob) + free(blob); if (data) free(data); - return NULL; + return ret; } static char* get_fingerprint(X509 *cert,const EVP_MD *type) { 
@@ -781,7 +783,7 @@ static char* get_fingerprint(X509 *cert,const EVP_MD *type) { * Evaluate Certificate Signature Digest */ static char **cert_info_digest(X509 *x509, const char *algorithm) { - static char *entries[2] = { NULL,NULL }; + static char *entries[DEFUALT_ENTRIES_SIZE] = { NULL,NULL }; const EVP_MD *digest = EVP_get_digestbyname(algorithm); if(!digest) { digest= EVP_sha1(); @@ -797,7 +799,7 @@ static char **cert_info_digest(X509 *x509, const char *algorithm) { static char **cert_info_pem(X509 *x509) { int len = 0; char *pt = NULL,*res = NULL; - static char *entries[2] = { NULL,NULL }; + static char *entries[DEFUALT_ENTRIES_SIZE] = { NULL,NULL }; BIO *buf= BIO_new(BIO_s_mem()); if (!buf) { DBG("BIO_new() failed"); @@ -825,7 +827,7 @@ static char **cert_info_pem(X509 *x509) { * Return certificate in PEM format */ static char **cert_key_alg(X509 *x509) { - static char *entries[2] = { NULL,NULL }; + static char *entries[DEFUALT_ENTRIES_SIZE] = { NULL,NULL }; X509_PUBKEY *pubkey = NULL; X509_ALGOR * pa= NULL; const char *alg = NULL; @@ -842,7 +844,7 @@ static char **cert_key_alg(X509 *x509) { * Return certificate serial number as a hex string */ static char **cert_info_serial_number(X509 *x509) { - static char *entries[2] = { NULL,NULL }; + static char *entries[DEFUALT_ENTRIES_SIZE] = { NULL,NULL }; ASN1_INTEGER *serial = X509_get_serialNumber(x509); int len = 0; unsigned char *buffer = NULL, *tmp_ptr; @@ -948,3 +950,11 @@ char **cert_info(X509 *x509, int type, const char *algorithm ) { } #endif /* HAVE_NSS */ #endif /* _CERT_INFO_C */ + +void free_entries(char **entries, int count) { + for(int idx = 0; idx < count; idx++) { + if(entries[idx]) { + free(entries[idx]); + } + } +} diff --git a/src/common/cert_info.h b/src/common/cert_info.h index 3b3353ec..a4c5551d 100644 --- a/src/common/cert_info.h +++ b/src/common/cert_info.h 
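Review bot: free_entries() frees each slot but leaves the freed pointer in the array, and every caller in this commit passes one of the function-static `entries`/`results` arrays that are reused on the next call (cert_info_sshpuk's `free_entries(maillist, CERT_INFO_SIZE)` at @@ -746 is the first such use); any slot the next call does not overwrite keeps a dangling pointer that a subsequent free_entries() would free again. Clear the slot as it is released: `free(entries[idx]); entries[idx] = NULL;`. The later commit that adds init_entries() at function entry narrows the window, but nulling here is the cheaper guarantee and also makes a second free_entries() call on the same array harmless; the "free(NULL)" simplification of this function keeps the omission.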
@@ -59,6 +59,8 @@ #define CERTINFO_EXTERN #endif +#define DEFUALT_ENTRIES_SIZE 2 + /** * Generate and compose a certificate chain * @param cert Certificate to add @@ -76,6 +78,15 @@ void add_cert(X509 *cert, X509 ***certs, int *ncerts); */ CERTINFO_EXTERN char **cert_info(X509 *x509, int type, ALGORITHM_TYPE algorithm); +/** + * @brief free allocated + * + * @param entries + * @param count + * @return CERTINFO_EXTERN + */ +CERTINFO_EXTERN void free_entries(char **entries, int count); + #undef CERTINFO_EXTERN #endif /* __CERT_INFO_H_ */ diff --git a/src/mappers/subject_mapper.c b/src/mappers/subject_mapper.c index 497290d6..43db3c48 100644 --- a/src/mappers/subject_mapper.c +++ b/src/mappers/subject_mapper.c @@ -63,9 +63,7 @@ static char * subject_mapper_find_user(X509 *x509, void *context, int *match) { return NULL; } char* val = mapfile_find(filename,entries[0],ignorecase,match); - if(entries[0]) { - free(entries[0]); - } + free_entries(entries, DEFUALT_ENTRIES_SIZE); return val; } @@ -79,7 +77,9 @@ static int subject_mapper_match_user(X509 *x509, const char *login, void *contex DBG("X509_get_subject_name failed"); return -1; } - return mapfile_match(filename,entries[0],login,ignorecase); + char* val = mapfile_match(filename,entries[0],login,ignorecase); + free_entries(entries, DEFUALT_ENTRIES_SIZE); + return val; } _DEFAULT_MAPPER_END From 6d0a4bcafb34b2835135739f0b3cc16e7290715c Mon Sep 17 00:00:00 2001 From: bowb <6180319+bowb@users.noreply.github.com> Date: Mon, 13 Jun 2022 10:38:53 -0600 Subject: [PATCH 090/111] fix return type. --- src/mappers/subject_mapper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mappers/subject_mapper.c b/src/mappers/subject_mapper.c index 43db3c48..d2162305 100644 --- a/src/mappers/subject_mapper.c +++ b/src/mappers/subject_mapper.c 
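Review bot: The new constant is spelled `DEFUALT_ENTRIES_SIZE`; since this commit already spreads it across cert_info.c, subject_mapper.c and later hunks, rename it to `DEFAULT_ENTRIES_SIZE` now rather than after it reaches more callers. The Doxygen block for free_entries is also a placeholder: "@brief free allocated" does not say what, `@param entries` and `@param count` are empty, and `@return CERTINFO_EXTERN` documents a storage-class macro on a void function. Suggested text: "@brief Free every non-NULL string in entries[0..count-1]; the array itself is not freed", with `@param entries Array of malloc'd strings (slots may be NULL)`, `@param count Number of slots in entries`, and no @return. The init_entries declaration added at @@ -87 in the later commit repeats the same `@return CERTINFO_EXTERN` template.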
@@ -77,7 +77,7 @@ static int subject_mapper_match_user(X509 *x509, const char *login, void *contex DBG("X509_get_subject_name failed"); return -1; } - char* val = mapfile_match(filename,entries[0],login,ignorecase); + int val = mapfile_match(filename,entries[0],login,ignorecase); free_entries(entries, DEFUALT_ENTRIES_SIZE); return val; } From 54d6e48dc583f8a0be01e2b228cbfbb247b8f1e2 Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Wed, 3 Aug 2022 19:50:42 +0300 Subject: [PATCH 091/111] Initialize the entries array based on its declared size The expression char *entries[DEFUALT_ENTRIES_SIZE] = { NULL,NULL }; is too complex and misleading: it should be either char *entries[DEFUALT_ENTRIES_SIZE]; // array of specified size or char *entries[] = { NULL,NULL }; // an initialized array of size 2 And as we have a size constant DEFUALT_ENTRIES_SIZE it would be better to declare the array of that size and than to initialize *all* elements in it with `NULL`. --- src/common/cert_info.c | 40 ++++++++++++++++++++++++++++++---------- 1 file changed, 30 insertions(+), 10 deletions(-) diff --git a/src/common/cert_info.c b/src/common/cert_info.c index e08dbe4c..c3d54e05 100644 --- a/src/common/cert_info.c +++ b/src/common/cert_info.c @@ -114,7 +114,8 @@ cert_GetNameElements(CERTName *name, int wantedTag) * Evaluate Certificate Signature Digest */ static char **cert_info_digest(X509 *x509, ALGORITHM_TYPE algorithm) { - static char *entries[DEFUALT_ENTRIES_SIZE] = { NULL,NULL }; + static char *entries[DEFUALT_ENTRIES_SIZE]; + init_entries(entries, DEFUALT_ENTRIES_SIZE); HASH_HashType type = HASH_GetHashTypeByOidTag(algorithm); unsigned char data[HASH_LENGTH_MAX]; @@ -136,7 +137,8 @@ cert_info_upn (X509 *x509) CERTGeneralName *nameList = NULL; CERTGeneralName *current = NULL; SECOidTag tag; - static char *results[CERT_INFO_SIZE] = { NULL }; + static char *results[CERT_INFO_SIZE]; + init_entries(results, CERT_INFO_SIZE); int result = 0; SECItem decoded; 
@@ -334,6 +336,7 @@ void add_cert(X509 *cert, X509 ***certs, int *ncerts) { */ static char **cert_info_cn(X509 *x509) { static char *results[CERT_INFO_SIZE]; + init_entries(results, CERT_INFO_SIZE); int lastpos = 0,position = 0; X509_NAME *name = X509_get_subject_name(x509); if (!name) { @@ -377,7 +380,8 @@ static char **cert_info_cn(X509 *x509) { */ static char **cert_info_subject(X509 *x509) { X509_NAME *subject= NULL; - static char *entries[DEFUALT_ENTRIES_SIZE] = { NULL, NULL }; + static char *entries[DEFUALT_ENTRIES_SIZE]; + init_entries(entries, DEFUALT_ENTRIES_SIZE); entries[0] = malloc(256); if (!entries[0]) return NULL; subject = X509_get_subject_name(x509); @@ -394,7 +398,8 @@ static char **cert_info_subject(X509 *x509) { */ static char **cert_info_issuer(X509 *x509) { X509_NAME *issuer = NULL; - static char *entries[DEFUALT_ENTRIES_SIZE] = { NULL, NULL }; + static char *entries[DEFUALT_ENTRIES_SIZE]; + init_entries(entries, DEFUALT_ENTRIES_SIZE); entries[0] = malloc(256); if (!entries[0]) return NULL; issuer = X509_get_issuer_name(x509); @@ -412,6 +417,7 @@ static char **cert_info_issuer(X509 *x509) { static char **cert_info_kpn(X509 *x509) { int i = 0,j = 0; static char *entries[CERT_INFO_SIZE]; + init_entries(entries, CERT_INFO_SIZE); STACK_OF(GENERAL_NAME) *gens; GENERAL_NAME *name; ASN1_OBJECT *krb5PrincipalName; @@ -465,6 +471,7 @@ static char **cert_info_kpn(X509 *x509) { static char **cert_info_email(X509 *x509) { int i = 0,j = 0; static char *entries[CERT_INFO_SIZE]; + init_entries(entries, CERT_INFO_SIZE); STACK_OF(GENERAL_NAME) *gens = NULL; GENERAL_NAME *name; DBG("Trying to find an email in certificate"); @@ -533,6 +540,7 @@ static char **cert_info_upn(X509 *x509) { */ static char **cert_info_uid(X509 *x509) { static char *results[CERT_INFO_SIZE]; + init_entries(results, CERT_INFO_SIZE); int lastpos = 0,position = 0; int uid_type = UID_TYPE; X509_NAME *name = X509_get_subject_name(x509); 
@@ -607,7 +615,8 @@ static char *key2pem(EVP_PKEY *key) { */ static char **cert_info_puk(X509 *x509) { char *pt = NULL; - static char *entries[DEFUALT_ENTRIES_SIZE] = { NULL,NULL }; + static char *entries[DEFUALT_ENTRIES_SIZE]; + init_entries(entries, DEFUALT_ENTRIES_SIZE); EVP_PKEY *pubk = X509_get_pubkey(x509); if(!pubk) { DBG("Cannot extract public key"); @@ -673,7 +682,8 @@ static char **cert_info_sshpuk(X509 *x509) { unsigned char *blob = NULL,*pt = NULL,*data = NULL; size_t data_len = 0; int res = 0; - static char *entries[DEFUALT_ENTRIES_SIZE] = { NULL,NULL }; + static char *entries[DEFUALT_ENTRIES_SIZE]; + init_entries(entries, DEFUALT_ENTRIES_SIZE); const BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL, *dsa_pub_key = NULL; const BIGNUM *rsa_e = NULL, *rsa_n = NULL; DSA *dsa = NULL; @@ -783,7 +793,8 @@ static char* get_fingerprint(X509 *cert,const EVP_MD *type) { * Evaluate Certificate Signature Digest */ static char **cert_info_digest(X509 *x509, const char *algorithm) { - static char *entries[DEFUALT_ENTRIES_SIZE] = { NULL,NULL }; + static char *entries[DEFUALT_ENTRIES_SIZE]; + init_entries(entries, DEFUALT_ENTRIES_SIZE); const EVP_MD *digest = EVP_get_digestbyname(algorithm); if(!digest) { digest= EVP_sha1(); @@ -799,7 +810,8 @@ static char **cert_info_digest(X509 *x509, const char *algorithm) { static char **cert_info_pem(X509 *x509) { int len = 0; char *pt = NULL,*res = NULL; - static char *entries[DEFUALT_ENTRIES_SIZE] = { NULL,NULL }; + static char *entries[DEFUALT_ENTRIES_SIZE]; + init_entries(entries, DEFUALT_ENTRIES_SIZE); BIO *buf= BIO_new(BIO_s_mem()); if (!buf) { DBG("BIO_new() failed"); 
@@ -827,7 +839,8 @@ static char **cert_info_pem(X509 *x509) { * Return certificate in PEM format */ static char **cert_key_alg(X509 *x509) { - static char *entries[DEFUALT_ENTRIES_SIZE] = { NULL,NULL }; + static char *entries[DEFUALT_ENTRIES_SIZE]; + init_entries(entries, DEFUALT_ENTRIES_SIZE); X509_PUBKEY *pubkey = NULL; X509_ALGOR * pa= NULL; const char *alg = NULL; @@ -844,7 +857,8 @@ static char **cert_key_alg(X509 *x509) { * Return certificate serial number as a hex string */ static char **cert_info_serial_number(X509 *x509) { - static char *entries[DEFUALT_ENTRIES_SIZE] = { NULL,NULL }; + static char *entries[DEFUALT_ENTRIES_SIZE]; + init_entries(entries, DEFUALT_ENTRIES_SIZE); ASN1_INTEGER *serial = X509_get_serialNumber(x509); int len = 0; unsigned char *buffer = NULL, *tmp_ptr; @@ -958,3 +972,9 @@ void free_entries(char **entries, int count) { } } } + +static void init_entries(char **entries, int count) { + for(int idx = 0; idx < count; idx++) { + entries[idx] = NULL; + } +} From eaacec4722932d9ddb8115a6ce98042903f07cf8 Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Wed, 3 Aug 2022 20:01:22 +0300 Subject: [PATCH 092/111] Accroding to free(3) man page it is okay to `free(NULL)` --- src/common/cert_info.c | 13 ++++--------- src/common/cert_vfy.c | 1 + src/common/pkcs11_lib.c | 9 +++------ src/pam_pkcs11/mapper_mgr.c | 4 +--- src/pam_pkcs11/pam_config.c | 8 +++----- src/pam_pkcs11/pam_pkcs11.c | 4 +--- 6 files changed, 13 insertions(+), 26 deletions(-) diff --git a/src/common/cert_info.c b/src/common/cert_info.c index c3d54e05..c6865b9b 100644 --- a/src/common/cert_info.c +++ b/src/common/cert_info.c @@ -767,13 +767,10 @@ static char **cert_info_sshpuk(X509 *x509) { ret = entries; sshpuk_exit: - if(maillist) - free_entries(maillist, CERT_INFO_SIZE); + free_entries(maillist, CERT_INFO_SIZE); EVP_PKEY_free(pubk); - if(blob) - free(blob); - if (data) - free(data); + free(blob); + free(data); return ret; } 
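Review bot: Dropping the `if(maillist)` guard is not covered by the commit's free(NULL) rationale: free_entries() is not free(3), it indexes `entries[idx]` for every slot, so `free_entries(maillist, CERT_INFO_SIZE);` dereferences a NULL array whenever cert_info_email() returned NULL — a case the function itself anticipates with `if (maillist && maillist[0])` a few lines above. Either restore the guard, `if (maillist) free_entries(maillist, CERT_INFO_SIZE);`, or make free_entries() NULL-tolerant with `if (!entries) return;` at its top (its definition is in the @@ -967 hunk of this commit). The other conversions in this commit (`free(blob)`, `free(data)`, `free(id_value)`, `free(cert_value)`, `free(module->module_data)`) are genuine free(3) calls and are fine.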
@@ -967,9 +964,7 @@ char **cert_info(X509 *x509, int type, const char *algorithm ) { void free_entries(char **entries, int count) { for(int idx = 0; idx < count; idx++) { - if(entries[idx]) { - free(entries[idx]); - } + free(entries[idx]); } } diff --git a/src/common/cert_vfy.c b/src/common/cert_vfy.c index a905952b..a9dbba2c 100644 --- a/src/common/cert_vfy.c +++ b/src/common/cert_vfy.c @@ -349,6 +349,7 @@ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t X509_OBJECT_free(obj); #endif /* crl is being freed by caller X509_STORE_free */ + /* FIXME: Isn't it still okay to free the CRL here? */ return ret; } diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index e5a067fa..ad6c013e 100644 --- a/src/common/pkcs11_lib.c +++ b/src/common/pkcs11_lib.c @@ -1668,12 +1668,9 @@ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) h->certs = NULL; h->cert_count = 0; ret = NULL; - if(id_value) { - free(id_value); - } - if(cert_value) { - free(cert_value); - } + free(id_value); + free(cert_value); + goto exit; } diff --git a/src/pam_pkcs11/mapper_mgr.c b/src/pam_pkcs11/mapper_mgr.c index f7c78ac4..09cb8ded 100644 --- a/src/pam_pkcs11/mapper_mgr.c +++ b/src/pam_pkcs11/mapper_mgr.c @@ -147,9 +147,7 @@ void unload_module( struct mapper_instance *module ) { } else {/* static mapper module */ DBG1("Module %s is static: don't remove",module->module_name); } - if(module->module_data) { - free(module->module_data); - } + free(module->module_data); module->module_data=NULL; /* don't free name and libname: they are elements of scconf tree */ diff --git a/src/pam_pkcs11/pam_config.c b/src/pam_pkcs11/pam_config.c index 5f8f4639..d7e2b0fe 100644 --- a/src/pam_pkcs11/pam_config.c +++ b/src/pam_pkcs11/pam_config.c 
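Review bot: The added `/* FIXME: Isn't it still okay to free the CRL here? */` records a question rather than a decision, directly under a comment asserting that the caller's X509_STORE_free releases the CRL; if that assertion holds, freeing here would be a double free, so leaving the question open invites the wrong fix. Either verify the ownership and drop the FIXME, or make the comment state what is known: `/* crl is owned by the X509_STORE and released by the caller's X509_STORE_free(); do not free it here */`. check_for_revocation starts outside the hunk.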
@@ -372,9 +372,7 @@ struct configuration_st *pk_configure( int argc, const char **argv ) { void configure_free(struct configuration_st *pk_configure){ if(!pk_configure) return; - - if(pk_configure->ctx) { - scconf_free(pk_configure->ctx); - pk_configure->ctx = NULL; - } + + scconf_free(pk_configure->ctx); + pk_configure->ctx = NULL; } diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index d34c8c1d..2b2f4d06 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c @@ -208,9 +208,7 @@ static int pam_get_pwd(pam_handle_t *pamh, char **pwd, char *text, int oitem, in cleanse(resp[0].resp, strlen(resp[0].resp)); free(resp[0].resp); } - if(NULL != &resp[0]) { - free(&resp[0]); - } + free(&resp[0]); return rv; } From f476107640ef90df3084986a520cacfbcad614f5 Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Wed, 3 Aug 2022 20:02:19 +0300 Subject: [PATCH 093/111] Language... --- src/mappers/mapper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mappers/mapper.c b/src/mappers/mapper.c index 6b787906..cd05d941 100644 --- a/src/mappers/mapper.c +++ b/src/mappers/mapper.c @@ -133,7 +133,7 @@ void end_mapent(struct mapfile *mfile) { if (!mfile) return; /* don't free uri: is a scconf provided "const char *" */; /* free (mfile->uri); */ - /* don't free value: they are pointers to somewhere in buffer */ + /* don't free value: it's a pointer to somewhere in buffer */ /* free (mfile->value); */ if(mfile->key) { free (mfile->key); From de2c0cf0a39c51b095dae592dcc7444fd0a1b6e2 Mon Sep 17 00:00:00 2001 From: Paul Wolneykien Date: Wed, 3 Aug 2022 20:02:39 +0300 Subject: [PATCH 094/111] Let's try to free all entries in the returned array --- src/pam_pkcs11/pam_pkcs11.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index 2b2f4d06..011ca892 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c 
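Review bot: The commit's premise — free(NULL) is a no-op — covers free(3), but `scconf_free(pk_configure->ctx);` is a library call whose NULL handling is not shown here; the dropped `if(pk_configure->ctx)` guard was the only thing keeping a never-configured or already-freed context away from it. Unless scconf_free is known to accept NULL, keep the guard: `if (pk_configure->ctx) scconf_free(pk_configure->ctx);` followed by `pk_configure->ctx = NULL;`. The pam_get_pwd hunk below is fine — `free(&resp[0])` is just free(resp) — though writing it as `free(resp);` would say so.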
@@ -737,7 +737,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons "PKCS11_LOGIN_CERT_ISSUER=%.*s", (int)((sizeof(env_temp) - 1) - strlen("PKCS11_LOGIN_CERT_ISSUER=") -1), issuer[0]); - free(*issuer); + free_entries(issuer, DEFUALT_ENTRIES_SIZE); rv = pam_putenv(pamh, env_temp); } else { ERR("couldn't get certificate issuer."); @@ -760,7 +760,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons "PKCS11_LOGIN_CERT_SERIAL=%.*s", (int)((sizeof(env_temp) - 1) - strlen("PKCS11_LOGIN_CERT_SERIAL=") -1), serial[0]); - free(*serial); + free_entries(serial, DEFUALT_ENTRIES_SIZE); rv = pam_putenv(pamh, env_temp); } else { ERR("couldn't get certificate serial number."); From 4d304188a38260eb6e14ddf2c8a02bdb4b432ee0 Mon Sep 17 00:00:00 2001 From: bowb <6180319+bowb@users.noreply.github.com> Date: Mon, 8 Aug 2022 09:43:37 -0600 Subject: [PATCH 095/111] declare init_entries in header. Fix using before declared. --- src/common/cert_info.c | 2 +- src/common/cert_info.h | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/src/common/cert_info.c b/src/common/cert_info.c index c6865b9b..52def97d 100644 --- a/src/common/cert_info.c +++ b/src/common/cert_info.c @@ -968,7 +968,7 @@ void free_entries(char **entries, int count) { } } -static void init_entries(char **entries, int count) { +void init_entries(char **entries, int count) { for(int idx = 0; idx < count; idx++) { entries[idx] = NULL; } diff --git a/src/common/cert_info.h b/src/common/cert_info.h index a4c5551d..5a797def 100644 --- a/src/common/cert_info.h +++ b/src/common/cert_info.h 
@@ -87,6 +87,15 @@ CERTINFO_EXTERN char **cert_info(X509 *x509, int type, ALGORITHM_TYPE algorithm) */ CERTINFO_EXTERN void free_entries(char **entries, int count); +/** + * @brief initialize entries + * + * @param entries + * @param count + * @return CERTINFO_EXTERN + */ +CERTINFO_EXTERN void init_entries(char **entries, int count); + #undef CERTINFO_EXTERN #endif /* __CERT_INFO_H_ */ From 441482a2fd7b9f33c60cd6640b10464d8e8adb81 Mon Sep 17 00:00:00 2001 From: Alynx Zhou Date: Thu, 1 Dec 2022 14:25:06 +0800 Subject: [PATCH 096/111] Capitalize all pam messages Some messages are capitalized but some are not, this commit unifies them by capitalizing all messages, and also appends punctuation. --- src/pam_pkcs11/pam_pkcs11.c | 48 ++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index 980880de..9734cd9b 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c @@ -337,7 +337,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons if (!configuration->quiet) { pam_syslog(pamh, LOG_ERR, "load_pkcs11_module() failed loading %s: %s", configuration->pkcs11_modulepath, get_error()); - pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2302: PKCS#11 module failed loading")); + pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2302: PKCS#11 module failed loading.")); sleep(configuration->err_display_time); } return pkcs11_pam_fail; 
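Review bot: Every changed string in this commit is a gettext msgid (wrapped in `_()`), and the diffstat shows only pam_pkcs11.c touched, so each edited message — "Error 2302: PKCS#11 module failed loading." here and the others in the @@ -351 through @@ -489 hunks — will no longer match its entry in the translation catalogs and will be shown untranslated until the po files are updated alongside. Two of those hunks also change wording ("No smartcard found" → "No smart card found."), which goes beyond the capitalization and punctuation the commit message describes; either mention it in the message or keep the change to the stated scope. pam_sm_authenticate starts and ends outside these hunks.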
@@ -351,7 +351,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 ERR1("init_pkcs11_module() failed: %s", get_error());
 if (!configuration->quiet) {
 pam_syslog(pamh, LOG_ERR, "init_pkcs11_module() failed: %s", get_error());
- pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2304: PKCS#11 module could not be initialized"));
+ pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2304: PKCS#11 module could not be initialized."));
 sleep(configuration->err_display_time);
 }
 return pkcs11_pam_fail;
@@ -405,12 +405,12 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 if (pkcs11_pam_fail != PAM_IGNORE) {
 if (!configuration->quiet) {
 pam_prompt(pamh, PAM_ERROR_MSG,
- NULL, _("Error 2308: No smartcard found"));
+ NULL, _("Error 2308: No smart card found."));
 sleep(configuration->err_display_time);
 }
 } else {
 pam_prompt(pamh, PAM_TEXT_INFO,
- NULL, _("No smartcard found"));
+ NULL, _("No smart card found."));
 goto exit_ignore;
 }
 return pkcs11_pam_fail;
@@ -425,7 +425,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 ERR1("open_pkcs11_session() failed: %s", get_error());
 if (!configuration->quiet) {
 pam_syslog(pamh, LOG_ERR, "open_pkcs11_session() failed: %s", get_error());
- pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2312: open PKCS#11 session failed"));
+ pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2312: Open PKCS#11 session failed."));
 sleep(configuration->err_display_time);
 }
 release_pkcs11_module(ph);
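Review bot: In the -405 hunk the `No smart card found.` prompt in the else-branch is issued unconditionally, while the `Error 2308` prompt a few lines above it and the `Verifying certificate...` prompt in the -531 hunk are wrapped in `if (!configuration->quiet)`; the `Checking signature...` prompt in the -637 hunk is unguarded in the same way. If `quiet` is meant to suppress all informational output, wrap these two as well: `if (!configuration->quiet) { pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("No smart card found.")); }`. If the unguarded prompts are deliberate, because the user needs to know why authentication fell through to PAM_IGNORE, a one-line comment on each saying so would keep the next reader from "fixing" it.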
@@ -437,7 +437,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 ERR1("get_slot_login_required() failed: %s", get_error());
 if (!configuration->quiet) {
 pam_syslog(pamh, LOG_ERR, "get_slot_login_required() failed: %s", get_error());
- pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2314: Slot login failed"));
+ pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2314: Slot login failed."));
 sleep(configuration->err_display_time);
 }
 goto auth_failed;
@@ -463,7 +463,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 }
 if (rv != PAM_SUCCESS) {
 if (!configuration->quiet) {
- pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2316: password could not be read"));
+ pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2316: Password could not be read."));
 sleep(configuration->err_display_time);
 }
 pam_syslog(pamh, LOG_ERR,
@@ -479,7 +479,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 pam_syslog(pamh, LOG_ERR,
 "password length is zero but the 'nullok' argument was not defined.");
 if (!configuration->quiet) {
- pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2318: Empty smartcard PIN not allowed."));
+ pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2318: Empty smart card PIN not allowed."));
 sleep(configuration->err_display_time);
 }
 pkcs11_pam_fail = PAM_AUTH_ERR;
@@ -489,7 +489,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 else {
 pam_prompt(pamh, PAM_TEXT_INFO,
 NULL,
- _("Enter your %s PIN on the pinpad"), _(configuration->token_type));
+ _("Enter your %s PIN on the pinpad."), _(configuration->token_type));
 /* use pin pad */
 password = NULL;
 }
@@ -503,7 +503,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 ERR1("open_pkcs11_login() failed: %s", get_error());
 if (!configuration->quiet) {
 pam_syslog(pamh, LOG_ERR, "open_pkcs11_login() failed: %s", get_error());
- pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2320: Wrong smartcard PIN"));
+ pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2320: Wrong smart card PIN."));
 sleep(configuration->err_display_time);
 }
 pkcs11_pam_fail = PAM_AUTH_ERR;
@@ -516,7 +516,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 ERR1("get_certificate_list() failed: %s", get_error());
 if (!configuration->quiet) {
 pam_syslog(pamh, LOG_ERR, "get_certificate_list() failed: %s", get_error());
- pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2322: No certificate found"));
+ pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2322: No certificate found."));
 sleep(configuration->err_display_time);
 }
 goto auth_failed;
@@ -531,7 +531,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 if (!x509 ) continue; /* sanity check */
 DBG1("verifying the certificate #%d", i + 1);
 if (!configuration->quiet) {
- pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("verifying certificate"));
+ pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("Verifying certificate..."));
 }
 
 /* verify certificate (date, signature, CRL, ...) */
@@ -544,19 +544,19 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 switch (rv) {
 case -2: // X509_V_ERR_CERT_HAS_EXPIRED:
 pam_prompt(pamh, PAM_ERROR_MSG , NULL,
- _("Error 2324: Certificate has expired"));
+ _("Error 2324: Certificate has expired."));
 break;
 case -3: // X509_V_ERR_CERT_NOT_YET_VALID:
 pam_prompt(pamh, PAM_ERROR_MSG , NULL,
- _("Error 2326: Certificate not yet valid"));
+ _("Error 2326: Certificate not yet valid."));
 break;
 case -4: // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
 pam_prompt(pamh, PAM_ERROR_MSG , NULL,
- _("Error 2328: Certificate signature invalid"));
+ _("Error 2328: Certificate signature invalid."));
 break;
 default:
 pam_prompt(pamh, PAM_ERROR_MSG , NULL,
- _("Error 2330: Certificate invalid"));
+ _("Error 2330: Certificate invalid."));
 break;
 }
 sleep(configuration->err_display_time);
@@ -591,7 +591,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 if (!configuration->quiet) {
 pam_syslog(pamh, LOG_ERR, "pam_set_item() failed %s",
 pam_strerror(pamh, rv));
- pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2332: setting PAM userentry failed"));
+ pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2332: Setting PAM user entry failed."));
 sleep(configuration->err_display_time);
 }
 goto auth_failed;
@@ -607,7 +607,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 ERR1("match_user() failed: %s", get_error());
 if (!configuration->quiet) {
 pam_syslog(pamh, LOG_ERR, "match_user() failed: %s", get_error());
- pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2334: No matching user"));
+ pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2334: No matching user."));
 sleep(configuration->err_display_time);
 }
 goto auth_failed;
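Review bot: The `case -4:` label in the -544 hunk is annotated `// X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY`, yet the message it now prints is `Error 2328: Certificate signature invalid.`; a missing or untrusted issuer certificate is a different failure from a bad signature, and telling the user the signature is wrong sends them to debug the wrong thing. Since this commit already rewrites every one of these msgids, it is the right moment to align the text, e.g. `_("Error 2328: Certificate issuer not trusted.")`, or to correct the comment if the mapping from the verifier's result to these negative codes (defined outside this hunk) really does report signature failures under -4. Giving the `-2`/`-3`/`-4` codes names in an enum where they are produced would keep the label and the message from drifting apart again.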
@@ -628,7 +628,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 if (!configuration->quiet) {
 pam_syslog(pamh, LOG_ERR,
 "no valid certificate which meets all requirements found");
- pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2336: No matching certificate found"));
+ pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2336: No matching certificate found."));
 sleep(configuration->err_display_time);
 }
 goto auth_failed;
@@ -637,7 +637,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 
 /* if signature check is enforced, generate random data, sign and verify */
 if (configuration->policy.signature_policy) {
- pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("Checking signature"));
+ pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("Checking signature..."));
 
 #ifdef notdef
 
@@ -657,7 +657,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 ERR1("get_random_value() failed: %s", get_error());
 if (!configuration->quiet){
 pam_syslog(pamh, LOG_ERR, "get_random_value() failed: %s", get_error());
- pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2338: Getting random value failed"));
+ pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2338: Getting random value failed."));
 sleep(configuration->err_display_time);
 }
 goto auth_failed;
@@ -671,7 +671,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 ERR1("sign_value() failed: %s", get_error());
 if (!configuration->quiet) {
 pam_syslog(pamh, LOG_ERR, "sign_value() failed: %s", get_error());
- pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2340: Signing failed"));
+ pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2340: Signing failed."));
 sleep(configuration->err_display_time);
 }
 goto auth_failed;
@@ -688,7 +688,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 ERR1("verify_signature() failed: %s", get_error());
 if (!configuration->quiet) {
 pam_syslog(pamh, LOG_ERR, "verify_signature() failed: %s", get_error());
- pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2342: Verifying signature failed"));
+ pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2342: Verifying signature failed."));
 sleep(configuration->err_display_time);
 }
 pkcs11_pam_fail = PAM_AUTH_ERR;
@@ -805,7 +805,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 
 exit_ignore:
 pam_prompt( pamh, PAM_TEXT_INFO, NULL,
- _("Smartcard authentication cancelled") );
+ _("Smart card authentication cancelled.") );
 return PAM_IGNORE;
 }
 
From afba553fb6fa767e09fd2c9a506e4916a1576dc0 Mon Sep 17 00:00:00 2001
From: Alynx Zhou
Date: Thu, 1 Dec 2022 14:40:32 +0800
Subject: [PATCH 097/111] Update PO files

Just uses `make -C po update-po`, translation should be updated by translators.
---
 po/de.po | 159 ++++++++++++++++++++++------------
 po/fr.po | 130 ++++++++++++++++----------------
 po/it.po | 160 +++++++++++++++++++++++------------
 po/nl.po | 128 ++++++++++++++++----------------
 po/pam_pkcs11.pot | 127 +++++++++++++++----------------
 po/pl.po | 159 ++++++++++++++++++++++------------
 po/pt_BR.po | 160 +++++++++++++++++++++++------------
 po/remove-potcdate.sed | 11 +++
 po/ru.po | 133 ++++++++++++++++------------
 po/tr.po | 130 ++++++++++++++++----------------
 10 files changed, 685 insertions(+), 612 deletions(-)
 create mode 100644 po/remove-potcdate.sed

diff --git a/po/de.po b/po/de.po
index 7da7c6a1..10d5502f 100644
--- a/po/de.po
+++ b/po/de.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2016-09-23 16:55+0200\n"
+"POT-Creation-Date: 2022-12-01 15:13+0800\n"
 "PO-Revision-Date: 2011-03-20 17:04+0100\n"
 "Last-Translator: Dominik Fischer \n"
 "Language-Team: LANGUAGE \n"
@@ -16,138 +16,151 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -#: src/pam_pkcs11/pam_pkcs11.c:235 +#: src/pam_pkcs11/pam_pkcs11.c:340 #, fuzzy -msgid "Smartcard authentication starts" -msgstr "Smartcardauthentifizierung startet" - -#: src/pam_pkcs11/pam_pkcs11.c:324 src/pam_pkcs11/pam_pkcs11.c:433 -#, c-format -msgid "Please insert your %s or enter your username." -msgstr "Bitte %s einstecken oder Benutzername eingeben." - -#: src/pam_pkcs11/pam_pkcs11.c:354 -msgid "Error 2302: PKCS#11 module failed loading" +msgid "Error 2302: PKCS#11 module failed loading." msgstr "Fehler 2302: PKCS11-Modul konnte nicht geladen werden." -#: src/pam_pkcs11/pam_pkcs11.c:368 -msgid "Error 2304: PKCS#11 module could not be initialized" +#: src/pam_pkcs11/pam_pkcs11.c:354 +#, fuzzy +msgid "Error 2304: PKCS#11 module could not be initialized." msgstr "Fehler 2304: PKCS11-Modul konnte nicht initialisiert werden." -#: src/pam_pkcs11/pam_pkcs11.c:387 -msgid "Error 2306: No suitable token available" -msgstr "Fehler 2306: Es wurde keine Smartcard gefunden." - -#: src/pam_pkcs11/pam_pkcs11.c:401 +#: src/pam_pkcs11/pam_pkcs11.c:385 #, c-format msgid "Please insert your smart card called \"%.32s\"." msgstr "Bitte stecken Sie Ihre Smart Card mit der Bezeichnung \"%.32s\" ein" -#: src/pam_pkcs11/pam_pkcs11.c:405 +#: src/pam_pkcs11/pam_pkcs11.c:389 msgid "Please insert your smart card." msgstr "Bitte stecken Sie Ihre Smart Card ein." -#: src/pam_pkcs11/pam_pkcs11.c:422 -msgid "Error 2308: No smartcard found" +#: src/pam_pkcs11/pam_pkcs11.c:408 +#, fuzzy +msgid "Error 2308: No smart card found." msgstr "Fehler 2308: Es wurde keine Smartcard gefunden." -#: src/pam_pkcs11/pam_pkcs11.c:449 -msgid "Error 2310: No smartcard found" -msgstr "Fehler 2310: Es wurde keine Smartcard gefunden." +#: src/pam_pkcs11/pam_pkcs11.c:413 +#, fuzzy +msgid "No smart card found." +msgstr "Fehler 2308: Es wurde keine Smartcard gefunden." 
-#: src/pam_pkcs11/pam_pkcs11.c:459 +#: src/pam_pkcs11/pam_pkcs11.c:420 #, c-format msgid "%s found." msgstr "%s gefunden." -#: src/pam_pkcs11/pam_pkcs11.c:466 -msgid "Error 2312: open PKCS#11 session failed" +#: src/pam_pkcs11/pam_pkcs11.c:428 +#, fuzzy +msgid "Error 2312: Open PKCS#11 session failed." msgstr "Fehler 2312: PKCS11-Session konnte nicht geoeffnet werden." -#: src/pam_pkcs11/pam_pkcs11.c:478 -msgid "Error 2314: Slot login failed" +#: src/pam_pkcs11/pam_pkcs11.c:440 +#, fuzzy +msgid "Error 2314: Slot login failed." msgstr "Fehler 2314: Slot Login fehlgeschlagen." -#: src/pam_pkcs11/pam_pkcs11.c:486 +#: src/pam_pkcs11/pam_pkcs11.c:447 #, c-format msgid "Welcome %.32s!" msgstr "Willkommen %.32s!" -#: src/pam_pkcs11/pam_pkcs11.c:494 +#: src/pam_pkcs11/pam_pkcs11.c:455 #, c-format msgid "%s PIN: " msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:505 -msgid "Error 2316: password could not be read" +#: src/pam_pkcs11/pam_pkcs11.c:466 +#, fuzzy +msgid "Error 2316: Password could not be read." msgstr "Fehler 2316: Passwort konnte nicht eingelesen werden." -#: src/pam_pkcs11/pam_pkcs11.c:525 -msgid "Error 2318: Empty smartcard PIN not allowed." +#: src/pam_pkcs11/pam_pkcs11.c:482 +#, fuzzy +msgid "Error 2318: Empty smart card PIN not allowed." msgstr "Fehler 2318: Smartcard PIN darf nicht leer sein." -#: src/pam_pkcs11/pam_pkcs11.c:534 -#, c-format -msgid "Enter your %s PIN on the pinpad" +#: src/pam_pkcs11/pam_pkcs11.c:492 +#, fuzzy, c-format +msgid "Enter your %s PIN on the pinpad." msgstr "Bitte geben Sie Ihre %s PIN auf dem Pinpad ein" -#: src/pam_pkcs11/pam_pkcs11.c:553 -msgid "Error 2320: Wrong smartcard PIN" +#: src/pam_pkcs11/pam_pkcs11.c:506 +#, fuzzy +msgid "Error 2320: Wrong smart card PIN." msgstr "Fehler 2320: Die eingegebene Smartcard PIN ist falsch." -#: src/pam_pkcs11/pam_pkcs11.c:565 -msgid "Error 2322: No certificate found" +#: src/pam_pkcs11/pam_pkcs11.c:519 +#, fuzzy +msgid "Error 2322: No certificate found." 
msgstr "Fehler 2322: Es wurde kein Zertifikat gefunden." -#: src/pam_pkcs11/pam_pkcs11.c:580 -msgid "verifying certificate" +#: src/pam_pkcs11/pam_pkcs11.c:534 +#, fuzzy +msgid "Verifying certificate..." msgstr "Zertifikat wird geprueft." -#: src/pam_pkcs11/pam_pkcs11.c:593 -msgid "Error 2324: Certificate has expired" +#: src/pam_pkcs11/pam_pkcs11.c:547 +#, fuzzy +msgid "Error 2324: Certificate has expired." msgstr "Fehler 2324: Zertifikat abgelaufen." -#: src/pam_pkcs11/pam_pkcs11.c:597 -msgid "Error 2326: Certificate not yet valid" +#: src/pam_pkcs11/pam_pkcs11.c:551 +#, fuzzy +msgid "Error 2326: Certificate not yet valid." msgstr "Fehler 2326: Zertifikat noch nicht gueltig." -#: src/pam_pkcs11/pam_pkcs11.c:601 -msgid "Error 2328: Certificate signature invalid" +#: src/pam_pkcs11/pam_pkcs11.c:555 +#, fuzzy +msgid "Error 2328: Certificate signature invalid." msgstr "Fehler 2328: Zertifikatsunterschrift ungueltig." -#: src/pam_pkcs11/pam_pkcs11.c:605 -msgid "Error 2330: Certificate invalid" +#: src/pam_pkcs11/pam_pkcs11.c:559 +#, fuzzy +msgid "Error 2330: Certificate invalid." msgstr "Fehler 2330: Ungueltiges Zertifikat gefunden." -#: src/pam_pkcs11/pam_pkcs11.c:640 -msgid "Error 2332: setting PAM userentry failed" +#: src/pam_pkcs11/pam_pkcs11.c:594 +#, fuzzy +msgid "Error 2332: Setting PAM user entry failed." msgstr "Fehler 2332: PAM Usereintrag konnte nicht gesetzt werden." -#: src/pam_pkcs11/pam_pkcs11.c:656 -msgid "Error 2334: No matching user" +#: src/pam_pkcs11/pam_pkcs11.c:610 +#, fuzzy +msgid "Error 2334: No matching user." msgstr "Fehler 2334: Pruefung des Usereintrags fehlgeschlagen." -#: src/pam_pkcs11/pam_pkcs11.c:677 -msgid "Error 2336: No matching certificate found" +#: src/pam_pkcs11/pam_pkcs11.c:631 +#, fuzzy +msgid "Error 2336: No matching certificate found." msgstr "Fehler 2336: Kein passendes Zertifikat gefunden." 
-#: src/pam_pkcs11/pam_pkcs11.c:686 -msgid "Checking signature" +#: src/pam_pkcs11/pam_pkcs11.c:640 +#, fuzzy +msgid "Checking signature..." msgstr "Signieren wird geprueft." -#: src/pam_pkcs11/pam_pkcs11.c:706 -msgid "Error 2338: Getting random value failed" +#: src/pam_pkcs11/pam_pkcs11.c:660 +#, fuzzy +msgid "Error 2338: Getting random value failed." msgstr "Fehler 2338: Holen der Zufallszahl zum Signieren fehlgeschlagen." -#: src/pam_pkcs11/pam_pkcs11.c:720 -msgid "Error 2340: Signing failed" +#: src/pam_pkcs11/pam_pkcs11.c:674 +#, fuzzy +msgid "Error 2340: Signing failed." msgstr "Fehler 2340: Signieren fehlgeschlagen." -#: src/pam_pkcs11/pam_pkcs11.c:739 -msgid "Error 2342: Verifying signature failed" +#: src/pam_pkcs11/pam_pkcs11.c:691 +#, fuzzy +msgid "Error 2342: Verifying signature failed." msgstr "Fehler 2342: Verifizierung der Signatur fehlgeschlagen." -#: src/pam_pkcs11/pam_pkcs11.c:886 +#: src/pam_pkcs11/pam_pkcs11.c:808 +#, fuzzy +msgid "Smart card authentication cancelled." +msgstr "Smartcardauthentifizierung startet" + +#: src/pam_pkcs11/pam_pkcs11.c:854 msgid "Cannot change the password on your smart card." msgstr "Das Kennwort Ihrer Smart Card kann nicht geändert werden." @@ -155,5 +168,15 @@ msgstr "Das Kennwort Ihrer Smart Card kann nicht geändert werden." msgid "Smart card" msgstr "Smart Card" +#, c-format +#~ msgid "Please insert your %s or enter your username." +#~ msgstr "Bitte %s einstecken oder Benutzername eingeben." + +#~ msgid "Error 2306: No suitable token available" +#~ msgstr "Fehler 2306: Es wurde keine Smartcard gefunden." + +#~ msgid "Error 2310: No smartcard found" +#~ msgstr "Fehler 2310: Es wurde keine Smartcard gefunden." + #~ msgid "Error 2344: Closing PKCS#11 session failed" #~ msgstr "Fehler 2344: PKCS11 Session konnte nicht geschlossen werden." diff --git a/po/fr.po b/po/fr.po index e200c847..d93ceaf1 100644 --- a/po/fr.po +++ b/po/fr.po 
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: pam_pkcs11 0.5.4\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2016-09-23 16:55+0200\n"
+"POT-Creation-Date: 2022-12-01 15:13+0800\n"
 "PO-Revision-Date: 2007-05-22 10:27+0200\n"
 "Last-Translator: Ludovic Rousseau \n"
 "Language-Team: French \n"
@@ -15,137 +15,129 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -#: src/pam_pkcs11/pam_pkcs11.c:235 -msgid "Smartcard authentication starts" +#: src/pam_pkcs11/pam_pkcs11.c:340 +msgid "Error 2302: PKCS#11 module failed loading." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:324 src/pam_pkcs11/pam_pkcs11.c:433 -#, c-format -msgid "Please insert your %s or enter your username." -msgstr "Veuillez insérer votre %s ou entrer votre login." - #: src/pam_pkcs11/pam_pkcs11.c:354 -msgid "Error 2302: PKCS#11 module failed loading" -msgstr "" - -#: src/pam_pkcs11/pam_pkcs11.c:368 -msgid "Error 2304: PKCS#11 module could not be initialized" -msgstr "" - -#: src/pam_pkcs11/pam_pkcs11.c:387 -msgid "Error 2306: No suitable token available" +msgid "Error 2304: PKCS#11 module could not be initialized." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:401 +#: src/pam_pkcs11/pam_pkcs11.c:385 #, c-format msgid "Please insert your smart card called \"%.32s\"." msgstr "Veuillez insérer la carte à puce appelée \"%.32s\"." -#: src/pam_pkcs11/pam_pkcs11.c:405 +#: src/pam_pkcs11/pam_pkcs11.c:389 msgid "Please insert your smart card." msgstr "Veuillez insérer votre carte à puce." -#: src/pam_pkcs11/pam_pkcs11.c:422 -msgid "Error 2308: No smartcard found" +#: src/pam_pkcs11/pam_pkcs11.c:408 +msgid "Error 2308: No smart card found." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:449 -msgid "Error 2310: No smartcard found" -msgstr "" +#: src/pam_pkcs11/pam_pkcs11.c:413 +#, fuzzy +msgid "No smart card found." +msgstr "Carte à puce" -#: src/pam_pkcs11/pam_pkcs11.c:459 +#: src/pam_pkcs11/pam_pkcs11.c:420 #, c-format msgid "%s found." msgstr "%s trouvé(e)." -#: src/pam_pkcs11/pam_pkcs11.c:466 -msgid "Error 2312: open PKCS#11 session failed" +#: src/pam_pkcs11/pam_pkcs11.c:428 +msgid "Error 2312: Open PKCS#11 session failed." 
msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:478 -msgid "Error 2314: Slot login failed" +#: src/pam_pkcs11/pam_pkcs11.c:440 +msgid "Error 2314: Slot login failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:486 +#: src/pam_pkcs11/pam_pkcs11.c:447 #, c-format msgid "Welcome %.32s!" msgstr "Bienvenue %.32s !" -#: src/pam_pkcs11/pam_pkcs11.c:494 +#: src/pam_pkcs11/pam_pkcs11.c:455 #, c-format msgid "%s PIN: " msgstr "PIN du/de la %s : " -#: src/pam_pkcs11/pam_pkcs11.c:505 -msgid "Error 2316: password could not be read" +#: src/pam_pkcs11/pam_pkcs11.c:466 +msgid "Error 2316: Password could not be read." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:525 -msgid "Error 2318: Empty smartcard PIN not allowed." +#: src/pam_pkcs11/pam_pkcs11.c:482 +msgid "Error 2318: Empty smart card PIN not allowed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:534 -#, c-format -msgid "Enter your %s PIN on the pinpad" +#: src/pam_pkcs11/pam_pkcs11.c:492 +#, fuzzy, c-format +msgid "Enter your %s PIN on the pinpad." msgstr "Entrez le PIN %s sur le pinpad" -#: src/pam_pkcs11/pam_pkcs11.c:553 -msgid "Error 2320: Wrong smartcard PIN" +#: src/pam_pkcs11/pam_pkcs11.c:506 +msgid "Error 2320: Wrong smart card PIN." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:565 -msgid "Error 2322: No certificate found" +#: src/pam_pkcs11/pam_pkcs11.c:519 +msgid "Error 2322: No certificate found." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:580 -msgid "verifying certificate" +#: src/pam_pkcs11/pam_pkcs11.c:534 +msgid "Verifying certificate..." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:593 -msgid "Error 2324: Certificate has expired" +#: src/pam_pkcs11/pam_pkcs11.c:547 +msgid "Error 2324: Certificate has expired." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:597 -msgid "Error 2326: Certificate not yet valid" +#: src/pam_pkcs11/pam_pkcs11.c:551 +msgid "Error 2326: Certificate not yet valid." 
msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:601 -msgid "Error 2328: Certificate signature invalid" +#: src/pam_pkcs11/pam_pkcs11.c:555 +msgid "Error 2328: Certificate signature invalid." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:605 -msgid "Error 2330: Certificate invalid" +#: src/pam_pkcs11/pam_pkcs11.c:559 +msgid "Error 2330: Certificate invalid." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:640 -msgid "Error 2332: setting PAM userentry failed" +#: src/pam_pkcs11/pam_pkcs11.c:594 +msgid "Error 2332: Setting PAM user entry failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:656 -msgid "Error 2334: No matching user" +#: src/pam_pkcs11/pam_pkcs11.c:610 +msgid "Error 2334: No matching user." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:677 -msgid "Error 2336: No matching certificate found" +#: src/pam_pkcs11/pam_pkcs11.c:631 +msgid "Error 2336: No matching certificate found." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:686 -msgid "Checking signature" +#: src/pam_pkcs11/pam_pkcs11.c:640 +msgid "Checking signature..." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:706 -msgid "Error 2338: Getting random value failed" +#: src/pam_pkcs11/pam_pkcs11.c:660 +msgid "Error 2338: Getting random value failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:720 -msgid "Error 2340: Signing failed" +#: src/pam_pkcs11/pam_pkcs11.c:674 +msgid "Error 2340: Signing failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:739 -msgid "Error 2342: Verifying signature failed" +#: src/pam_pkcs11/pam_pkcs11.c:691 +msgid "Error 2342: Verifying signature failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:886 +#: src/pam_pkcs11/pam_pkcs11.c:808 +msgid "Smart card authentication cancelled." +msgstr "" + +#: src/pam_pkcs11/pam_pkcs11.c:854 msgid "Cannot change the password on your smart card." msgstr "Ne peut pas changer le mot de passe de la carte à puce." 
@@ -153,6 +145,10 @@ msgstr "Ne peut pas changer le mot de passe de la carte à puce."
 msgid "Smart card"
 msgstr "Carte à puce"
 
+#, c-format
+#~ msgid "Please insert your %s or enter your username."
+#~ msgstr "Veuillez insérer votre %s ou entrer votre login."
+
 #~ msgid "Found the %s."
 #~ msgstr "%s trouvé(e)."
 
diff --git a/po/it.po b/po/it.po
index 4da63c8f..476e2e2b 100644
--- a/po/it.po
+++ b/po/it.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: pam_pkcs11 0.6.8\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2016-09-23 16:55+0200\n"
+"POT-Creation-Date: 2022-12-01 15:13+0800\n"
 "PO-Revision-Date: 2014-03-05 16:32+0100\n"
 "Last-Translator: Maxxer \n"
 "Language-Team: Italian\n"
@@ -16,140 +16,164 @@ msgstr "" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" -#: src/pam_pkcs11/pam_pkcs11.c:235 -msgid "Smartcard authentication starts" -msgstr "Inizio autenticazione con smartcard" - -#: src/pam_pkcs11/pam_pkcs11.c:324 src/pam_pkcs11/pam_pkcs11.c:433 -#, c-format -msgid "Please insert your %s or enter your username." -msgstr "Inserire il proprio %s o il nome utente." - -#: src/pam_pkcs11/pam_pkcs11.c:354 -msgid "Error 2302: PKCS#11 module failed loading" +#: src/pam_pkcs11/pam_pkcs11.c:340 +#, fuzzy +msgid "Error 2302: PKCS#11 module failed loading." msgstr "Errore 2302: impossibile caricare il modulo PKCS#11" -#: src/pam_pkcs11/pam_pkcs11.c:368 -msgid "Error 2304: PKCS#11 module could not be initialized" +#: src/pam_pkcs11/pam_pkcs11.c:354 +#, fuzzy +msgid "Error 2304: PKCS#11 module could not be initialized." msgstr "Errore 2304: impossibile inizializzare il modulo PKCS#11" -#: src/pam_pkcs11/pam_pkcs11.c:387 -msgid "Error 2306: No suitable token available" -msgstr "Errore 2306: nesun token disponibile" - -#: src/pam_pkcs11/pam_pkcs11.c:401 +#: src/pam_pkcs11/pam_pkcs11.c:385 #, c-format msgid "Please insert your smart card called \"%.32s\"." msgstr "Inserire la smartcard con nome \"%.32s\"." -#: src/pam_pkcs11/pam_pkcs11.c:405 +#: src/pam_pkcs11/pam_pkcs11.c:389 msgid "Please insert your smart card." msgstr "Inserire la smartcard." -#: src/pam_pkcs11/pam_pkcs11.c:422 -msgid "Error 2308: No smartcard found" +#: src/pam_pkcs11/pam_pkcs11.c:408 +#, fuzzy +msgid "Error 2308: No smart card found." msgstr "Errore 2308: nessuna smartcard trovata" -#: src/pam_pkcs11/pam_pkcs11.c:449 -msgid "Error 2310: No smartcard found" -msgstr "Errore 2310: Nessuna smartcard trovata" +#: src/pam_pkcs11/pam_pkcs11.c:413 +#, fuzzy +msgid "No smart card found." +msgstr "Errore 2308: nessuna smartcard trovata" -#: src/pam_pkcs11/pam_pkcs11.c:459 +#: src/pam_pkcs11/pam_pkcs11.c:420 #, c-format msgid "%s found." msgstr "Trovato %s." 
-#: src/pam_pkcs11/pam_pkcs11.c:466 -msgid "Error 2312: open PKCS#11 session failed" +#: src/pam_pkcs11/pam_pkcs11.c:428 +#, fuzzy +msgid "Error 2312: Open PKCS#11 session failed." msgstr "Errore 2312: errore nell'apertura della sessione PKCS#11" -#: src/pam_pkcs11/pam_pkcs11.c:478 -msgid "Error 2314: Slot login failed" +#: src/pam_pkcs11/pam_pkcs11.c:440 +#, fuzzy +msgid "Error 2314: Slot login failed." msgstr "Errore 2314: login con slot fallito" -#: src/pam_pkcs11/pam_pkcs11.c:486 +#: src/pam_pkcs11/pam_pkcs11.c:447 #, c-format msgid "Welcome %.32s!" msgstr "Benvenuto %.32s!" -#: src/pam_pkcs11/pam_pkcs11.c:494 +#: src/pam_pkcs11/pam_pkcs11.c:455 #, c-format msgid "%s PIN: " msgstr "PIN %s: " -#: src/pam_pkcs11/pam_pkcs11.c:505 -msgid "Error 2316: password could not be read" +#: src/pam_pkcs11/pam_pkcs11.c:466 +#, fuzzy +msgid "Error 2316: Password could not be read." msgstr "Errore 2316: impossibile leggere la password" -#: src/pam_pkcs11/pam_pkcs11.c:525 -msgid "Error 2318: Empty smartcard PIN not allowed." +#: src/pam_pkcs11/pam_pkcs11.c:482 +#, fuzzy +msgid "Error 2318: Empty smart card PIN not allowed." msgstr "Error 2318: PIN vuoto non consentito per la smartcard." -#: src/pam_pkcs11/pam_pkcs11.c:534 -#, c-format -msgid "Enter your %s PIN on the pinpad" +#: src/pam_pkcs11/pam_pkcs11.c:492 +#, fuzzy, c-format +msgid "Enter your %s PIN on the pinpad." msgstr "Inserire il PIN %s sul tastierino" -#: src/pam_pkcs11/pam_pkcs11.c:553 -msgid "Error 2320: Wrong smartcard PIN" +#: src/pam_pkcs11/pam_pkcs11.c:506 +#, fuzzy +msgid "Error 2320: Wrong smart card PIN." msgstr "Errore 2320: PIN errato" -#: src/pam_pkcs11/pam_pkcs11.c:565 -msgid "Error 2322: No certificate found" +#: src/pam_pkcs11/pam_pkcs11.c:519 +#, fuzzy +msgid "Error 2322: No certificate found." msgstr "Errore 2322: nessun certificato trovato" -#: src/pam_pkcs11/pam_pkcs11.c:580 -msgid "verifying certificate" +#: src/pam_pkcs11/pam_pkcs11.c:534 +#, fuzzy +msgid "Verifying certificate..." 
msgstr "verifica certificato" -#: src/pam_pkcs11/pam_pkcs11.c:593 -msgid "Error 2324: Certificate has expired" +#: src/pam_pkcs11/pam_pkcs11.c:547 +#, fuzzy +msgid "Error 2324: Certificate has expired." msgstr "Errore 2324: certificato scaduto" -#: src/pam_pkcs11/pam_pkcs11.c:597 -msgid "Error 2326: Certificate not yet valid" +#: src/pam_pkcs11/pam_pkcs11.c:551 +#, fuzzy +msgid "Error 2326: Certificate not yet valid." msgstr "Errore 2326: certificato non ancora valido" -#: src/pam_pkcs11/pam_pkcs11.c:601 -msgid "Error 2328: Certificate signature invalid" +#: src/pam_pkcs11/pam_pkcs11.c:555 +#, fuzzy +msgid "Error 2328: Certificate signature invalid." msgstr "Errore 2328: firma certificato non valida" -#: src/pam_pkcs11/pam_pkcs11.c:605 -msgid "Error 2330: Certificate invalid" +#: src/pam_pkcs11/pam_pkcs11.c:559 +#, fuzzy +msgid "Error 2330: Certificate invalid." msgstr "Errore 2330: certfificato non valido" -#: src/pam_pkcs11/pam_pkcs11.c:640 -msgid "Error 2332: setting PAM userentry failed" +#: src/pam_pkcs11/pam_pkcs11.c:594 +#, fuzzy +msgid "Error 2332: Setting PAM user entry failed." msgstr "Errore 2332: errore impostazione utente in PAM" -#: src/pam_pkcs11/pam_pkcs11.c:656 -msgid "Error 2334: No matching user" +#: src/pam_pkcs11/pam_pkcs11.c:610 +#, fuzzy +msgid "Error 2334: No matching user." msgstr "Errore 2334: nessun utente corrispondente trovato" -#: src/pam_pkcs11/pam_pkcs11.c:677 -msgid "Error 2336: No matching certificate found" +#: src/pam_pkcs11/pam_pkcs11.c:631 +#, fuzzy +msgid "Error 2336: No matching certificate found." msgstr "Errore 2336: nessun certificato corrispondente trovato" -#: src/pam_pkcs11/pam_pkcs11.c:686 -msgid "Checking signature" +#: src/pam_pkcs11/pam_pkcs11.c:640 +#, fuzzy +msgid "Checking signature..." msgstr "Verifica firma" -#: src/pam_pkcs11/pam_pkcs11.c:706 -msgid "Error 2338: Getting random value failed" +#: src/pam_pkcs11/pam_pkcs11.c:660 +#, fuzzy +msgid "Error 2338: Getting random value failed." 
msgstr "Errore 2338: errore reperimento valore casuale" -#: src/pam_pkcs11/pam_pkcs11.c:720 -msgid "Error 2340: Signing failed" +#: src/pam_pkcs11/pam_pkcs11.c:674 +#, fuzzy +msgid "Error 2340: Signing failed." msgstr "Errore 2340: firma fallita" -#: src/pam_pkcs11/pam_pkcs11.c:739 -msgid "Error 2342: Verifying signature failed" +#: src/pam_pkcs11/pam_pkcs11.c:691 +#, fuzzy +msgid "Error 2342: Verifying signature failed." msgstr "Errore 2342: verifica firma fallita" -#: src/pam_pkcs11/pam_pkcs11.c:886 +#: src/pam_pkcs11/pam_pkcs11.c:808 +#, fuzzy +msgid "Smart card authentication cancelled." +msgstr "Inizio autenticazione con smartcard" + +#: src/pam_pkcs11/pam_pkcs11.c:854 msgid "Cannot change the password on your smart card." msgstr "Impossibile modificare la password sulla smartcard." #: src/pam_pkcs11/pam_config.c:65 msgid "Smart card" msgstr "Smartcard" + +#, c-format +#~ msgid "Please insert your %s or enter your username." +#~ msgstr "Inserire il proprio %s o il nome utente." + +#~ msgid "Error 2306: No suitable token available" +#~ msgstr "Errore 2306: nesun token disponibile" + +#~ msgid "Error 2310: No smartcard found" +#~ msgstr "Errore 2310: Nessuna smartcard trovata" diff --git a/po/nl.po b/po/nl.po index b999cfe1..7e374dbd 100644 --- a/po/nl.po +++ b/po/nl.po @@ -6,7 +6,7 @@ msgid "" msgstr "" "Project-Id-Version: pam_pkcs11 0.5.4\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2016-09-23 16:55+0200\n" +"POT-Creation-Date: 2022-12-01 15:13+0800\n" "PO-Revision-Date: 2010-05-30 09:00+0200\n" "Last-Translator: Guy Zelck \n" "Language-Team: Dutch \n" 
@@ -15,137 +15,129 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -#: src/pam_pkcs11/pam_pkcs11.c:235 -msgid "Smartcard authentication starts" +#: src/pam_pkcs11/pam_pkcs11.c:340 +msgid "Error 2302: PKCS#11 module failed loading." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:324 src/pam_pkcs11/pam_pkcs11.c:433 -#, c-format -msgid "Please insert your %s or enter your username." -msgstr "Gelieve je %s aan te brengen of je gebruikersnaam in te geven." - #: src/pam_pkcs11/pam_pkcs11.c:354 -msgid "Error 2302: PKCS#11 module failed loading" +msgid "Error 2304: PKCS#11 module could not be initialized." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:368 -msgid "Error 2304: PKCS#11 module could not be initialized" -msgstr "" - -#: src/pam_pkcs11/pam_pkcs11.c:387 -msgid "Error 2306: No suitable token available" -msgstr "" - -#: src/pam_pkcs11/pam_pkcs11.c:401 +#: src/pam_pkcs11/pam_pkcs11.c:385 #, c-format msgid "Please insert your smart card called \"%.32s\"." msgstr "Gelieve je smartcard genaamd \"%.32s\" aan te brengen." -#: src/pam_pkcs11/pam_pkcs11.c:405 +#: src/pam_pkcs11/pam_pkcs11.c:389 msgid "Please insert your smart card." msgstr "Gelieve je smartcard aan te brengen." -#: src/pam_pkcs11/pam_pkcs11.c:422 -msgid "Error 2308: No smartcard found" +#: src/pam_pkcs11/pam_pkcs11.c:408 +msgid "Error 2308: No smart card found." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:449 -msgid "Error 2310: No smartcard found" -msgstr "" +#: src/pam_pkcs11/pam_pkcs11.c:413 +#, fuzzy +msgid "No smart card found." +msgstr "Smartcard" -#: src/pam_pkcs11/pam_pkcs11.c:459 +#: src/pam_pkcs11/pam_pkcs11.c:420 #, c-format msgid "%s found." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:466 -msgid "Error 2312: open PKCS#11 session failed" +#: src/pam_pkcs11/pam_pkcs11.c:428 +msgid "Error 2312: Open PKCS#11 session failed." 
msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:478 -msgid "Error 2314: Slot login failed" +#: src/pam_pkcs11/pam_pkcs11.c:440 +msgid "Error 2314: Slot login failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:486 +#: src/pam_pkcs11/pam_pkcs11.c:447 #, c-format msgid "Welcome %.32s!" msgstr "Welkom %.32s!" -#: src/pam_pkcs11/pam_pkcs11.c:494 +#: src/pam_pkcs11/pam_pkcs11.c:455 #, c-format msgid "%s PIN: " msgstr "PIN van %s : " -#: src/pam_pkcs11/pam_pkcs11.c:505 -msgid "Error 2316: password could not be read" +#: src/pam_pkcs11/pam_pkcs11.c:466 +msgid "Error 2316: Password could not be read." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:525 -msgid "Error 2318: Empty smartcard PIN not allowed." +#: src/pam_pkcs11/pam_pkcs11.c:482 +msgid "Error 2318: Empty smart card PIN not allowed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:534 +#: src/pam_pkcs11/pam_pkcs11.c:492 #, c-format -msgid "Enter your %s PIN on the pinpad" +msgid "Enter your %s PIN on the pinpad." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:553 -msgid "Error 2320: Wrong smartcard PIN" +#: src/pam_pkcs11/pam_pkcs11.c:506 +msgid "Error 2320: Wrong smart card PIN." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:565 -msgid "Error 2322: No certificate found" +#: src/pam_pkcs11/pam_pkcs11.c:519 +msgid "Error 2322: No certificate found." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:580 -msgid "verifying certificate" +#: src/pam_pkcs11/pam_pkcs11.c:534 +msgid "Verifying certificate..." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:593 -msgid "Error 2324: Certificate has expired" +#: src/pam_pkcs11/pam_pkcs11.c:547 +msgid "Error 2324: Certificate has expired." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:597 -msgid "Error 2326: Certificate not yet valid" +#: src/pam_pkcs11/pam_pkcs11.c:551 +msgid "Error 2326: Certificate not yet valid." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:601 -msgid "Error 2328: Certificate signature invalid" +#: src/pam_pkcs11/pam_pkcs11.c:555 +msgid "Error 2328: Certificate signature invalid." 
msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:605 -msgid "Error 2330: Certificate invalid" +#: src/pam_pkcs11/pam_pkcs11.c:559 +msgid "Error 2330: Certificate invalid." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:640 -msgid "Error 2332: setting PAM userentry failed" +#: src/pam_pkcs11/pam_pkcs11.c:594 +msgid "Error 2332: Setting PAM user entry failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:656 -msgid "Error 2334: No matching user" +#: src/pam_pkcs11/pam_pkcs11.c:610 +msgid "Error 2334: No matching user." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:677 -msgid "Error 2336: No matching certificate found" +#: src/pam_pkcs11/pam_pkcs11.c:631 +msgid "Error 2336: No matching certificate found." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:686 -msgid "Checking signature" +#: src/pam_pkcs11/pam_pkcs11.c:640 +msgid "Checking signature..." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:706 -msgid "Error 2338: Getting random value failed" +#: src/pam_pkcs11/pam_pkcs11.c:660 +msgid "Error 2338: Getting random value failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:720 -msgid "Error 2340: Signing failed" +#: src/pam_pkcs11/pam_pkcs11.c:674 +msgid "Error 2340: Signing failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:739 -msgid "Error 2342: Verifying signature failed" +#: src/pam_pkcs11/pam_pkcs11.c:691 +msgid "Error 2342: Verifying signature failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:886 +#: src/pam_pkcs11/pam_pkcs11.c:808 +msgid "Smart card authentication cancelled." +msgstr "" + +#: src/pam_pkcs11/pam_pkcs11.c:854 msgid "Cannot change the password on your smart card." msgstr "Kan het paswoord op je smartcard niet wijzigen." @@ -153,6 +145,10 @@ msgstr "Kan het paswoord op je smartcard niet wijzigen." msgid "Smart card" msgstr "Smartcard" +#, c-format +#~ msgid "Please insert your %s or enter your username." +#~ msgstr "Gelieve je %s aan te brengen of je gebruikersnaam in te geven." + #~ msgid "Found the %s." #~ msgstr "%s gevonden." 
diff --git a/po/pam_pkcs11.pot b/po/pam_pkcs11.pot index 60c034a7..ab73a514 100644 --- a/po/pam_pkcs11.pot +++ b/po/pam_pkcs11.pot @@ -5,9 +5,9 @@ #, fuzzy msgid "" msgstr "" -"Project-Id-Version: pam_pkcs11 0.6.8\n" +"Project-Id-Version: pam_pkcs11 0.6.12\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2019-01-11 16:54+0300\n" +"POT-Creation-Date: 2022-12-01 15:13+0800\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" 
@@ -16,141 +16,128 @@ msgstr "" "Content-Type: text/plain; charset=CHARSET\n" "Content-Transfer-Encoding: 8bit\n" -#: src/pam_pkcs11/pam_pkcs11.c:235 -msgid "Smartcard authentication starts" -msgstr "" - -#: src/pam_pkcs11/pam_pkcs11.c:1187 -msgid "Smartcard authentication cancelled" -msgstr "" - -#: src/pam_pkcs11/pam_pkcs11.c:324 src/pam_pkcs11/pam_pkcs11.c:433 -#, c-format -msgid "Please insert your %s or enter your username." +#: src/pam_pkcs11/pam_pkcs11.c:340 +msgid "Error 2302: PKCS#11 module failed loading." msgstr "" #: src/pam_pkcs11/pam_pkcs11.c:354 -msgid "Error 2302: PKCS#11 module failed loading" -msgstr "" - -#: src/pam_pkcs11/pam_pkcs11.c:368 -msgid "Error 2304: PKCS#11 module could not be initialized" -msgstr "" - -#: src/pam_pkcs11/pam_pkcs11.c:387 -msgid "Error 2306: No suitable token available" +msgid "Error 2304: PKCS#11 module could not be initialized." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:401 +#: src/pam_pkcs11/pam_pkcs11.c:385 #, c-format msgid "Please insert your smart card called \"%.32s\"." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:405 +#: src/pam_pkcs11/pam_pkcs11.c:389 msgid "Please insert your smart card." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:422 -msgid "Error 2308: No smartcard found" +#: src/pam_pkcs11/pam_pkcs11.c:408 +msgid "Error 2308: No smart card found." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:449 -msgid "Error 2310: No smartcard found" +#: src/pam_pkcs11/pam_pkcs11.c:413 +msgid "No smart card found." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:459 +#: src/pam_pkcs11/pam_pkcs11.c:420 #, c-format msgid "%s found." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:466 -msgid "Error 2312: open PKCS#11 session failed" +#: src/pam_pkcs11/pam_pkcs11.c:428 +msgid "Error 2312: Open PKCS#11 session failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:478 -msgid "Error 2314: Slot login failed" +#: src/pam_pkcs11/pam_pkcs11.c:440 +msgid "Error 2314: Slot login failed." 
msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:486 +#: src/pam_pkcs11/pam_pkcs11.c:447 #, c-format msgid "Welcome %.32s!" msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:494 +#: src/pam_pkcs11/pam_pkcs11.c:455 #, c-format msgid "%s PIN: " msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:505 -msgid "Error 2316: password could not be read" +#: src/pam_pkcs11/pam_pkcs11.c:466 +msgid "Error 2316: Password could not be read." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:525 -msgid "Error 2318: Empty smartcard PIN not allowed." +#: src/pam_pkcs11/pam_pkcs11.c:482 +msgid "Error 2318: Empty smart card PIN not allowed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:534 +#: src/pam_pkcs11/pam_pkcs11.c:492 #, c-format -msgid "Enter your %s PIN on the pinpad" +msgid "Enter your %s PIN on the pinpad." +msgstr "" + +#: src/pam_pkcs11/pam_pkcs11.c:506 +msgid "Error 2320: Wrong smart card PIN." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:553 -msgid "Error 2320: Wrong smartcard PIN" +#: src/pam_pkcs11/pam_pkcs11.c:519 +msgid "Error 2322: No certificate found." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:565 -msgid "Error 2322: No certificate found" +#: src/pam_pkcs11/pam_pkcs11.c:534 +msgid "Verifying certificate..." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:580 -msgid "verifying certificate" +#: src/pam_pkcs11/pam_pkcs11.c:547 +msgid "Error 2324: Certificate has expired." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:593 -msgid "Error 2324: Certificate has expired" +#: src/pam_pkcs11/pam_pkcs11.c:551 +msgid "Error 2326: Certificate not yet valid." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:597 -msgid "Error 2326: Certificate not yet valid" +#: src/pam_pkcs11/pam_pkcs11.c:555 +msgid "Error 2328: Certificate signature invalid." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:601 -msgid "Error 2328: Certificate signature invalid" +#: src/pam_pkcs11/pam_pkcs11.c:559 +msgid "Error 2330: Certificate invalid." 
msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:605 -msgid "Error 2330: Certificate invalid" +#: src/pam_pkcs11/pam_pkcs11.c:594 +msgid "Error 2332: Setting PAM user entry failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:640 -msgid "Error 2332: setting PAM userentry failed" +#: src/pam_pkcs11/pam_pkcs11.c:610 +msgid "Error 2334: No matching user." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:656 -msgid "Error 2334: No matching user" +#: src/pam_pkcs11/pam_pkcs11.c:631 +msgid "Error 2336: No matching certificate found." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:677 -msgid "Error 2336: No matching certificate found" +#: src/pam_pkcs11/pam_pkcs11.c:640 +msgid "Checking signature..." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:686 -msgid "Checking signature" +#: src/pam_pkcs11/pam_pkcs11.c:660 +msgid "Error 2338: Getting random value failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:706 -msgid "Error 2338: Getting random value failed" +#: src/pam_pkcs11/pam_pkcs11.c:674 +msgid "Error 2340: Signing failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:720 -msgid "Error 2340: Signing failed" +#: src/pam_pkcs11/pam_pkcs11.c:691 +msgid "Error 2342: Verifying signature failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:739 -msgid "Error 2342: Verifying signature failed" +#: src/pam_pkcs11/pam_pkcs11.c:808 +msgid "Smart card authentication cancelled." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:886 +#: src/pam_pkcs11/pam_pkcs11.c:854 msgid "Cannot change the password on your smart card." msgstr "" diff --git a/po/pl.po b/po/pl.po index bafed6c6..888e9c1a 100644 --- a/po/pl.po +++ b/po/pl.po @@ -6,7 +6,7 @@ msgid "" msgstr "" "Project-Id-Version: pam_pkcs11 0.6.7\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2016-09-23 16:55+0200\n" +"POT-Creation-Date: 2022-12-01 15:13+0800\n" "PO-Revision-Date: 2011-08-11 16:22+0200\n" "Last-Translator: Jakub Bogusz \n" "Language-Team: Polish \n" 
@@ -15,138 +15,151 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -#: src/pam_pkcs11/pam_pkcs11.c:235 +#: src/pam_pkcs11/pam_pkcs11.c:340 #, fuzzy -msgid "Smartcard authentication starts" -msgstr "Rozpoczęcie uwierzytelniania kartą procesorową" - -#: src/pam_pkcs11/pam_pkcs11.c:324 src/pam_pkcs11/pam_pkcs11.c:433 -#, c-format -msgid "Please insert your %s or enter your username." -msgstr "Proszę włożyć token (%s) lub wpisać nazwę użytkownika." - -#: src/pam_pkcs11/pam_pkcs11.c:354 -msgid "Error 2302: PKCS#11 module failed loading" +msgid "Error 2302: PKCS#11 module failed loading." msgstr "Błąd 2302: wczytanie modułu PKCS#11 nie powiodło się" -#: src/pam_pkcs11/pam_pkcs11.c:368 -msgid "Error 2304: PKCS#11 module could not be initialized" +#: src/pam_pkcs11/pam_pkcs11.c:354 +#, fuzzy +msgid "Error 2304: PKCS#11 module could not be initialized." msgstr "Błąd 2304: nie udało się zainicjować modułu PKCS#11" -#: src/pam_pkcs11/pam_pkcs11.c:387 -msgid "Error 2306: No suitable token available" -msgstr "Błąd 2306: Brak odpowiedniego tokenu" - -#: src/pam_pkcs11/pam_pkcs11.c:401 +#: src/pam_pkcs11/pam_pkcs11.c:385 #, c-format msgid "Please insert your smart card called \"%.32s\"." msgstr "Proszę włożyć własną kartę procesorową o nazwie \"%.32s\"." -#: src/pam_pkcs11/pam_pkcs11.c:405 +#: src/pam_pkcs11/pam_pkcs11.c:389 msgid "Please insert your smart card." msgstr "Proszę włożyć własną kartę procesorową." -#: src/pam_pkcs11/pam_pkcs11.c:422 -msgid "Error 2308: No smartcard found" +#: src/pam_pkcs11/pam_pkcs11.c:408 +#, fuzzy +msgid "Error 2308: No smart card found." msgstr "Błąd 2308: Nie znaleziono karty procesorowej" -#: src/pam_pkcs11/pam_pkcs11.c:449 -msgid "Error 2310: No smartcard found" -msgstr "Błąd 2310: Nie znaleziono karty procesorowej" +#: src/pam_pkcs11/pam_pkcs11.c:413 +#, fuzzy +msgid "No smart card found." 
+msgstr "Błąd 2308: Nie znaleziono karty procesorowej" -#: src/pam_pkcs11/pam_pkcs11.c:459 +#: src/pam_pkcs11/pam_pkcs11.c:420 #, c-format msgid "%s found." msgstr "Znaleziono token: %s." -#: src/pam_pkcs11/pam_pkcs11.c:466 -msgid "Error 2312: open PKCS#11 session failed" +#: src/pam_pkcs11/pam_pkcs11.c:428 +#, fuzzy +msgid "Error 2312: Open PKCS#11 session failed." msgstr "Błąd 2312: nie udało się otworzyć sesji PKCS#11" -#: src/pam_pkcs11/pam_pkcs11.c:478 -msgid "Error 2314: Slot login failed" +#: src/pam_pkcs11/pam_pkcs11.c:440 +#, fuzzy +msgid "Error 2314: Slot login failed." msgstr "Błąd 2314: Logowanie przez slot nie powiodło się" -#: src/pam_pkcs11/pam_pkcs11.c:486 +#: src/pam_pkcs11/pam_pkcs11.c:447 #, c-format msgid "Welcome %.32s!" msgstr "Witaj %.32s!" -#: src/pam_pkcs11/pam_pkcs11.c:494 +#: src/pam_pkcs11/pam_pkcs11.c:455 #, c-format msgid "%s PIN: " msgstr "%s - PIN: " -#: src/pam_pkcs11/pam_pkcs11.c:505 -msgid "Error 2316: password could not be read" +#: src/pam_pkcs11/pam_pkcs11.c:466 +#, fuzzy +msgid "Error 2316: Password could not be read." msgstr "Błąd 2316: nie udało się odczytać hasła" -#: src/pam_pkcs11/pam_pkcs11.c:525 -msgid "Error 2318: Empty smartcard PIN not allowed." +#: src/pam_pkcs11/pam_pkcs11.c:482 +#, fuzzy +msgid "Error 2318: Empty smart card PIN not allowed." msgstr "Błąd 2318: Pusty PIN karty procesorowej nie jest dozwolony." -#: src/pam_pkcs11/pam_pkcs11.c:534 -#, c-format -msgid "Enter your %s PIN on the pinpad" +#: src/pam_pkcs11/pam_pkcs11.c:492 +#, fuzzy, c-format +msgid "Enter your %s PIN on the pinpad." msgstr "Proszę wprowadzić PIN tokenu (%s) na klawiaturze czytnika" -#: src/pam_pkcs11/pam_pkcs11.c:553 -msgid "Error 2320: Wrong smartcard PIN" +#: src/pam_pkcs11/pam_pkcs11.c:506 +#, fuzzy +msgid "Error 2320: Wrong smart card PIN." 
msgstr "Błąd 2320: Błędny PIN karty procesorowej" -#: src/pam_pkcs11/pam_pkcs11.c:565 -msgid "Error 2322: No certificate found" +#: src/pam_pkcs11/pam_pkcs11.c:519 +#, fuzzy +msgid "Error 2322: No certificate found." msgstr "Błąd 2322: Nie znaleziono certyfikatu" -#: src/pam_pkcs11/pam_pkcs11.c:580 -msgid "verifying certificate" +#: src/pam_pkcs11/pam_pkcs11.c:534 +#, fuzzy +msgid "Verifying certificate..." msgstr "weryfikacja certyfikatu" -#: src/pam_pkcs11/pam_pkcs11.c:593 -msgid "Error 2324: Certificate has expired" +#: src/pam_pkcs11/pam_pkcs11.c:547 +#, fuzzy +msgid "Error 2324: Certificate has expired." msgstr "Błąd 2324: Certyfikat wygasł" -#: src/pam_pkcs11/pam_pkcs11.c:597 -msgid "Error 2326: Certificate not yet valid" +#: src/pam_pkcs11/pam_pkcs11.c:551 +#, fuzzy +msgid "Error 2326: Certificate not yet valid." msgstr "Błąd 2326: Certyfikat jeszcze nie jest ważny" -#: src/pam_pkcs11/pam_pkcs11.c:601 -msgid "Error 2328: Certificate signature invalid" +#: src/pam_pkcs11/pam_pkcs11.c:555 +#, fuzzy +msgid "Error 2328: Certificate signature invalid." msgstr "Błąd 2328: Błędny podpis certyfikatu" -#: src/pam_pkcs11/pam_pkcs11.c:605 -msgid "Error 2330: Certificate invalid" +#: src/pam_pkcs11/pam_pkcs11.c:559 +#, fuzzy +msgid "Error 2330: Certificate invalid." msgstr "Błąd 2330: Błędny certyfikat" -#: src/pam_pkcs11/pam_pkcs11.c:640 -msgid "Error 2332: setting PAM userentry failed" +#: src/pam_pkcs11/pam_pkcs11.c:594 +#, fuzzy +msgid "Error 2332: Setting PAM user entry failed." msgstr "Błąd 2332: ustawienie wpisu użytkownika PAM nie powiodło się" -#: src/pam_pkcs11/pam_pkcs11.c:656 -msgid "Error 2334: No matching user" +#: src/pam_pkcs11/pam_pkcs11.c:610 +#, fuzzy +msgid "Error 2334: No matching user." msgstr "Błąd 2334: Brak pasującego użytkownika" -#: src/pam_pkcs11/pam_pkcs11.c:677 -msgid "Error 2336: No matching certificate found" +#: src/pam_pkcs11/pam_pkcs11.c:631 +#, fuzzy +msgid "Error 2336: No matching certificate found." 
msgstr "Błąd 2336: Nie znaleziono pasującego certyfikatu" -#: src/pam_pkcs11/pam_pkcs11.c:686 -msgid "Checking signature" +#: src/pam_pkcs11/pam_pkcs11.c:640 +#, fuzzy +msgid "Checking signature..." msgstr "Sprawdzanie podpisu" -#: src/pam_pkcs11/pam_pkcs11.c:706 -msgid "Error 2338: Getting random value failed" +#: src/pam_pkcs11/pam_pkcs11.c:660 +#, fuzzy +msgid "Error 2338: Getting random value failed." msgstr "Błąd 2338: Pobranie wartości losowej nie powiodło się" -#: src/pam_pkcs11/pam_pkcs11.c:720 -msgid "Error 2340: Signing failed" +#: src/pam_pkcs11/pam_pkcs11.c:674 +#, fuzzy +msgid "Error 2340: Signing failed." msgstr "Błąd 2340: Podpisanie nie powiodło się" -#: src/pam_pkcs11/pam_pkcs11.c:739 -msgid "Error 2342: Verifying signature failed" +#: src/pam_pkcs11/pam_pkcs11.c:691 +#, fuzzy +msgid "Error 2342: Verifying signature failed." msgstr "Błąd 2342: Sprawdzenie podpisu nie powiodło się" -#: src/pam_pkcs11/pam_pkcs11.c:886 +#: src/pam_pkcs11/pam_pkcs11.c:808 +#, fuzzy +msgid "Smart card authentication cancelled." +msgstr "Rozpoczęcie uwierzytelniania kartą procesorową" + +#: src/pam_pkcs11/pam_pkcs11.c:854 msgid "Cannot change the password on your smart card." msgstr "Nie można zmienić hasła na tej karcie procesorowej." @@ -154,5 +167,15 @@ msgstr "Nie można zmienić hasła na tej karcie procesorowej." msgid "Smart card" msgstr "Karta procesorowa" +#, c-format +#~ msgid "Please insert your %s or enter your username." +#~ msgstr "Proszę włożyć token (%s) lub wpisać nazwę użytkownika." + +#~ msgid "Error 2306: No suitable token available" +#~ msgstr "Błąd 2306: Brak odpowiedniego tokenu" + +#~ msgid "Error 2310: No smartcard found" +#~ msgstr "Błąd 2310: Nie znaleziono karty procesorowej" + #~ msgid "Error 2344: Closing PKCS#11 session failed" #~ msgstr "Błąd 2344: Błąd zamykania sesji PKCS#11" diff --git a/po/pt_BR.po b/po/pt_BR.po index 83ce25e1..14ea7868 100644 --- a/po/pt_BR.po +++ b/po/pt_BR.po 
@@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: 0.6.3\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2016-09-23 16:55+0200\n" +"POT-Creation-Date: 2022-12-01 15:13+0800\n" "PO-Revision-Date: 2015-08-26 10:42-0300\n" "Last-Translator: Alexandre Souza Aguiar \n" "Language-Team: LANGUAGE \n" 
@@ -16,137 +16,151 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -#: src/pam_pkcs11/pam_pkcs11.c:235 -msgid "Smartcard authentication starts" -msgstr "Autenticação com smartcard iniciou" - -#: src/pam_pkcs11/pam_pkcs11.c:324 src/pam_pkcs11/pam_pkcs11.c:433 -#, c-format -msgid "Please insert your %s or enter your username." -msgstr "Favor inserir seu %s ou entre com um nome de usuário." - -#: src/pam_pkcs11/pam_pkcs11.c:354 -msgid "Error 2302: PKCS#11 module failed loading" +#: src/pam_pkcs11/pam_pkcs11.c:340 +#, fuzzy +msgid "Error 2302: PKCS#11 module failed loading." msgstr "Erro 2302: Modulo PKCS#11 falhou carregando" -#: src/pam_pkcs11/pam_pkcs11.c:368 -msgid "Error 2304: PKCS#11 module could not be initialized" +#: src/pam_pkcs11/pam_pkcs11.c:354 +#, fuzzy +msgid "Error 2304: PKCS#11 module could not be initialized." msgstr "Error 2304: Modulo PKCS#11 não pôde ser inicializado" -#: src/pam_pkcs11/pam_pkcs11.c:387 -msgid "Error 2306: No suitable token available" -msgstr "Error 2306: Sem token disponíveis" - -#: src/pam_pkcs11/pam_pkcs11.c:401 +#: src/pam_pkcs11/pam_pkcs11.c:385 #, c-format msgid "Please insert your smart card called \"%.32s\"." msgstr "Favor inserir seu smartcard chamado \"%.32s\"." -#: src/pam_pkcs11/pam_pkcs11.c:405 +#: src/pam_pkcs11/pam_pkcs11.c:389 msgid "Please insert your smart card." msgstr "Favor inserir seu smartcard." -#: src/pam_pkcs11/pam_pkcs11.c:422 -msgid "Error 2308: No smartcard found" +#: src/pam_pkcs11/pam_pkcs11.c:408 +#, fuzzy +msgid "Error 2308: No smart card found." msgstr "Error 2308: Não foram achados smartcards" -#: src/pam_pkcs11/pam_pkcs11.c:449 -msgid "Error 2310: No smartcard found" -msgstr "Error 2310: Não foram achados smartcards" +#: src/pam_pkcs11/pam_pkcs11.c:413 +#, fuzzy +msgid "No smart card found." +msgstr "Error 2308: Não foram achados smartcards" -#: src/pam_pkcs11/pam_pkcs11.c:459 +#: src/pam_pkcs11/pam_pkcs11.c:420 #, c-format msgid "%s found." 
msgstr "%s achado." -#: src/pam_pkcs11/pam_pkcs11.c:466 -msgid "Error 2312: open PKCS#11 session failed" +#: src/pam_pkcs11/pam_pkcs11.c:428 +#, fuzzy +msgid "Error 2312: Open PKCS#11 session failed." msgstr "Error 2312: abertura da sessão PKCS#11 falhou" -#: src/pam_pkcs11/pam_pkcs11.c:478 -msgid "Error 2314: Slot login failed" +#: src/pam_pkcs11/pam_pkcs11.c:440 +#, fuzzy +msgid "Error 2314: Slot login failed." msgstr "Error 2314: Slot de login falhou" -#: src/pam_pkcs11/pam_pkcs11.c:486 +#: src/pam_pkcs11/pam_pkcs11.c:447 #, c-format msgid "Welcome %.32s!" msgstr "Bem vindo %.32s!" -#: src/pam_pkcs11/pam_pkcs11.c:494 +#: src/pam_pkcs11/pam_pkcs11.c:455 #, c-format msgid "%s PIN: " msgstr "%s PIN: " -#: src/pam_pkcs11/pam_pkcs11.c:505 -msgid "Error 2316: password could not be read" +#: src/pam_pkcs11/pam_pkcs11.c:466 +#, fuzzy +msgid "Error 2316: Password could not be read." msgstr "Error 2316: senha não pôde ser lida" -#: src/pam_pkcs11/pam_pkcs11.c:525 -msgid "Error 2318: Empty smartcard PIN not allowed." +#: src/pam_pkcs11/pam_pkcs11.c:482 +#, fuzzy +msgid "Error 2318: Empty smart card PIN not allowed." msgstr "Error 2318: Senha de PIN vazia não permitida." -#: src/pam_pkcs11/pam_pkcs11.c:534 -#, c-format -msgid "Enter your %s PIN on the pinpad" +#: src/pam_pkcs11/pam_pkcs11.c:492 +#, fuzzy, c-format +msgid "Enter your %s PIN on the pinpad." msgstr "Digite seu PIN %s no pinpad" -#: src/pam_pkcs11/pam_pkcs11.c:553 -msgid "Error 2320: Wrong smartcard PIN" +#: src/pam_pkcs11/pam_pkcs11.c:506 +#, fuzzy +msgid "Error 2320: Wrong smart card PIN." msgstr "Error 2320: PIN do smartcard errado" -#: src/pam_pkcs11/pam_pkcs11.c:565 -msgid "Error 2322: No certificate found" +#: src/pam_pkcs11/pam_pkcs11.c:519 +#, fuzzy +msgid "Error 2322: No certificate found." msgstr "Error 2322: Não foram encontrados certificados" -#: src/pam_pkcs11/pam_pkcs11.c:580 -msgid "verifying certificate" +#: src/pam_pkcs11/pam_pkcs11.c:534 +#, fuzzy +msgid "Verifying certificate..." 
msgstr "verificando certificado" -#: src/pam_pkcs11/pam_pkcs11.c:593 -msgid "Error 2324: Certificate has expired" +#: src/pam_pkcs11/pam_pkcs11.c:547 +#, fuzzy +msgid "Error 2324: Certificate has expired." msgstr "Error 2324: Certificado expirou" -#: src/pam_pkcs11/pam_pkcs11.c:597 -msgid "Error 2326: Certificate not yet valid" +#: src/pam_pkcs11/pam_pkcs11.c:551 +#, fuzzy +msgid "Error 2326: Certificate not yet valid." msgstr "Error 2326: Certificado ainda não é válido" -#: src/pam_pkcs11/pam_pkcs11.c:601 -msgid "Error 2328: Certificate signature invalid" +#: src/pam_pkcs11/pam_pkcs11.c:555 +#, fuzzy +msgid "Error 2328: Certificate signature invalid." msgstr "Error 2328: Assinatura do certificado inválida" -#: src/pam_pkcs11/pam_pkcs11.c:605 -msgid "Error 2330: Certificate invalid" +#: src/pam_pkcs11/pam_pkcs11.c:559 +#, fuzzy +msgid "Error 2330: Certificate invalid." msgstr "Error 2330: Certificado inválido" -#: src/pam_pkcs11/pam_pkcs11.c:640 -msgid "Error 2332: setting PAM userentry failed" +#: src/pam_pkcs11/pam_pkcs11.c:594 +#, fuzzy +msgid "Error 2332: Setting PAM user entry failed." msgstr "Error 2332: falha ao setando PAM userentry" -#: src/pam_pkcs11/pam_pkcs11.c:656 -msgid "Error 2334: No matching user" +#: src/pam_pkcs11/pam_pkcs11.c:610 +#, fuzzy +msgid "Error 2334: No matching user." msgstr "Error 2334: Nenhum usuário correspondente" -#: src/pam_pkcs11/pam_pkcs11.c:677 -msgid "Error 2336: No matching certificate found" +#: src/pam_pkcs11/pam_pkcs11.c:631 +#, fuzzy +msgid "Error 2336: No matching certificate found." msgstr "Error 2336: Nenhum certificado correspondente encontrado" -#: src/pam_pkcs11/pam_pkcs11.c:686 -msgid "Checking signature" +#: src/pam_pkcs11/pam_pkcs11.c:640 +#, fuzzy +msgid "Checking signature..." msgstr "Verificando a assinatura" -#: src/pam_pkcs11/pam_pkcs11.c:706 -msgid "Error 2338: Getting random value failed" +#: src/pam_pkcs11/pam_pkcs11.c:660 +#, fuzzy +msgid "Error 2338: Getting random value failed." 
msgstr "Error 2338: Falha ao obter valor aleatório" -#: src/pam_pkcs11/pam_pkcs11.c:720 -msgid "Error 2340: Signing failed" +#: src/pam_pkcs11/pam_pkcs11.c:674 +#, fuzzy +msgid "Error 2340: Signing failed." msgstr "Error 2340: Assinatura falhou" -#: src/pam_pkcs11/pam_pkcs11.c:739 -msgid "Error 2342: Verifying signature failed" +#: src/pam_pkcs11/pam_pkcs11.c:691 +#, fuzzy +msgid "Error 2342: Verifying signature failed." msgstr "Error 2342: Falha ao verificar assinatura" -#: src/pam_pkcs11/pam_pkcs11.c:886 +#: src/pam_pkcs11/pam_pkcs11.c:808 +#, fuzzy +msgid "Smart card authentication cancelled." +msgstr "Autenticação com smartcard iniciou" + +#: src/pam_pkcs11/pam_pkcs11.c:854 msgid "Cannot change the password on your smart card." msgstr "Não foi possível alterar a senha no seu smart card." @@ -154,5 +168,15 @@ msgstr "Não foi possível alterar a senha no seu smart card." msgid "Smart card" msgstr "Smartcard" +#, c-format +#~ msgid "Please insert your %s or enter your username." +#~ msgstr "Favor inserir seu %s ou entre com um nome de usuário." + +#~ msgid "Error 2306: No suitable token available" +#~ msgstr "Error 2306: Sem token disponíveis" + +#~ msgid "Error 2310: No smartcard found" +#~ msgstr "Error 2310: Não foram achados smartcards" + #~ msgid "Found the %s." #~ msgstr "%s encontrado." diff --git a/po/remove-potcdate.sed b/po/remove-potcdate.sed new file mode 100644 index 00000000..edb38d70 --- /dev/null +++ b/po/remove-potcdate.sed @@ -0,0 +1,11 @@ +/^"POT-Creation-Date: .*"$/{ +x +s/P/P/ +ta +g +d +bb +:a +x +:b +} diff --git a/po/ru.po b/po/ru.po index f6aed41f..1ffd14e8 100644 --- a/po/ru.po +++ b/po/ru.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2016-09-23 16:55+0200\n" +"POT-Creation-Date: 2022-12-01 15:13+0800\n" "PO-Revision-Date: 2019-01-11 16:55+0300\n" "Last-Translator: Paul Wolneykien \n" "Language-Team: Russian\n" 
@@ -17,141 +17,130 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -#: src/pam_pkcs11/pam_pkcs11.c:235 -msgid "Smartcard authentication starts" +#: src/pam_pkcs11/pam_pkcs11.c:340 +msgid "Error 2302: PKCS#11 module failed loading." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:1187 -msgid "Smartcard authentication cancelled" -msgstr "Аутентификация по токену отменена" - -#: src/pam_pkcs11/pam_pkcs11.c:324 src/pam_pkcs11/pam_pkcs11.c:433 -#, fuzzy, c-format -msgid "Please insert your %s or enter your username." -msgstr "Пожалуйста, вставьте смарткарту или введите имя пользователя." - #: src/pam_pkcs11/pam_pkcs11.c:354 -msgid "Error 2302: PKCS#11 module failed loading" -msgstr "" - -#: src/pam_pkcs11/pam_pkcs11.c:368 -msgid "Error 2304: PKCS#11 module could not be initialized" +msgid "Error 2304: PKCS#11 module could not be initialized." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:387 -msgid "Error 2306: No suitable token available" -msgstr "" - -#: src/pam_pkcs11/pam_pkcs11.c:401 +#: src/pam_pkcs11/pam_pkcs11.c:385 #, c-format msgid "Please insert your smart card called \"%.32s\"." msgstr "Пожалуйста, вставьте смарткарту, которая называется \"%.32s\"." -#: src/pam_pkcs11/pam_pkcs11.c:405 +#: src/pam_pkcs11/pam_pkcs11.c:389 msgid "Please insert your smart card." msgstr "Пожалуйста, вставьте смарткарту." -#: src/pam_pkcs11/pam_pkcs11.c:422 -msgid "Error 2308: No smartcard found" +#: src/pam_pkcs11/pam_pkcs11.c:408 +msgid "Error 2308: No smart card found." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:449 -msgid "Error 2310: No smartcard found" -msgstr "" +#: src/pam_pkcs11/pam_pkcs11.c:413 +#, fuzzy +msgid "No smart card found." +msgstr "Смарткарта вставлена. " -#: src/pam_pkcs11/pam_pkcs11.c:459 +#: src/pam_pkcs11/pam_pkcs11.c:420 #, c-format msgid "%s found." 
msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:466 -msgid "Error 2312: open PKCS#11 session failed" +#: src/pam_pkcs11/pam_pkcs11.c:428 +msgid "Error 2312: Open PKCS#11 session failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:478 -msgid "Error 2314: Slot login failed" +#: src/pam_pkcs11/pam_pkcs11.c:440 +msgid "Error 2314: Slot login failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:486 +#: src/pam_pkcs11/pam_pkcs11.c:447 #, c-format msgid "Welcome %.32s!" msgstr "Добро пожаловать %.32s!" -#: src/pam_pkcs11/pam_pkcs11.c:494 +#: src/pam_pkcs11/pam_pkcs11.c:455 #, c-format msgid "%s PIN: " msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:505 -msgid "Error 2316: password could not be read" +#: src/pam_pkcs11/pam_pkcs11.c:466 +msgid "Error 2316: Password could not be read." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:525 -msgid "Error 2318: Empty smartcard PIN not allowed." +#: src/pam_pkcs11/pam_pkcs11.c:482 +msgid "Error 2318: Empty smart card PIN not allowed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:534 +#: src/pam_pkcs11/pam_pkcs11.c:492 #, c-format -msgid "Enter your %s PIN on the pinpad" +msgid "Enter your %s PIN on the pinpad." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:553 -msgid "Error 2320: Wrong smartcard PIN" +#: src/pam_pkcs11/pam_pkcs11.c:506 +msgid "Error 2320: Wrong smart card PIN." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:565 -msgid "Error 2322: No certificate found" +#: src/pam_pkcs11/pam_pkcs11.c:519 +msgid "Error 2322: No certificate found." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:580 -msgid "verifying certificate" +#: src/pam_pkcs11/pam_pkcs11.c:534 +msgid "Verifying certificate..." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:593 -msgid "Error 2324: Certificate has expired" +#: src/pam_pkcs11/pam_pkcs11.c:547 +msgid "Error 2324: Certificate has expired." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:597 -msgid "Error 2326: Certificate not yet valid" +#: src/pam_pkcs11/pam_pkcs11.c:551 +msgid "Error 2326: Certificate not yet valid." 
msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:601 -msgid "Error 2328: Certificate signature invalid" +#: src/pam_pkcs11/pam_pkcs11.c:555 +msgid "Error 2328: Certificate signature invalid." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:605 -msgid "Error 2330: Certificate invalid" +#: src/pam_pkcs11/pam_pkcs11.c:559 +msgid "Error 2330: Certificate invalid." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:640 -msgid "Error 2332: setting PAM userentry failed" +#: src/pam_pkcs11/pam_pkcs11.c:594 +msgid "Error 2332: Setting PAM user entry failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:656 -msgid "Error 2334: No matching user" +#: src/pam_pkcs11/pam_pkcs11.c:610 +msgid "Error 2334: No matching user." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:677 -msgid "Error 2336: No matching certificate found" +#: src/pam_pkcs11/pam_pkcs11.c:631 +msgid "Error 2336: No matching certificate found." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:686 -msgid "Checking signature" +#: src/pam_pkcs11/pam_pkcs11.c:640 +msgid "Checking signature..." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:706 -msgid "Error 2338: Getting random value failed" +#: src/pam_pkcs11/pam_pkcs11.c:660 +msgid "Error 2338: Getting random value failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:720 -msgid "Error 2340: Signing failed" +#: src/pam_pkcs11/pam_pkcs11.c:674 +msgid "Error 2340: Signing failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:739 -msgid "Error 2342: Verifying signature failed" +#: src/pam_pkcs11/pam_pkcs11.c:691 +msgid "Error 2342: Verifying signature failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:886 +#: src/pam_pkcs11/pam_pkcs11.c:808 +#, fuzzy +msgid "Smart card authentication cancelled." +msgstr "Аутентификация по токену отменена" + +#: src/pam_pkcs11/pam_pkcs11.c:854 msgid "Cannot change the password on your smart card." msgstr "Не могу поменять пароль смарткарты." 
@@ -160,5 +149,9 @@ msgstr "Не могу поменять пароль смарткарты." msgid "Smart card" msgstr "Смарткарта вставлена. " +#, fuzzy, c-format +#~ msgid "Please insert your %s or enter your username." +#~ msgstr "Пожалуйста, вставьте смарткарту или введите имя пользователя." + #~ msgid "Smart card password: " #~ msgstr "Пароль смарткарты: " diff --git a/po/tr.po b/po/tr.po index 045e448b..8b8470d8 100644 --- a/po/tr.po +++ b/po/tr.po @@ -5,7 +5,7 @@ msgid "" msgstr "" "Project-Id-Version: pam_pkcs11 0.6.6\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2016-09-23 16:55+0200\n" +"POT-Creation-Date: 2022-12-01 15:13+0800\n" "PO-Revision-Date: 2011-07-05 11:17:+0300\n" "Last-Translator: Ozan Çağlayan \n" "Language-Team: Turkish \n" 
@@ -14,140 +14,136 @@ msgstr "" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" -#: src/pam_pkcs11/pam_pkcs11.c:235 -msgid "Smartcard authentication starts" +#: src/pam_pkcs11/pam_pkcs11.c:340 +msgid "Error 2302: PKCS#11 module failed loading." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:324 src/pam_pkcs11/pam_pkcs11.c:433 -#, c-format -msgid "Please insert your %s or enter your username." -msgstr "Lütfen size ait bir %s yerleştirin veya kullanıcı adınızı girin." - #: src/pam_pkcs11/pam_pkcs11.c:354 -msgid "Error 2302: PKCS#11 module failed loading" -msgstr "" - -#: src/pam_pkcs11/pam_pkcs11.c:368 -msgid "Error 2304: PKCS#11 module could not be initialized" -msgstr "" - -#: src/pam_pkcs11/pam_pkcs11.c:387 -msgid "Error 2306: No suitable token available" +msgid "Error 2304: PKCS#11 module could not be initialized." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:401 +#: src/pam_pkcs11/pam_pkcs11.c:385 #, c-format msgid "Please insert your smart card called \"%.32s\"." msgstr "Lütfen \"%.32s\" isimli akıllı kartı yerleştirin." -#: src/pam_pkcs11/pam_pkcs11.c:405 +#: src/pam_pkcs11/pam_pkcs11.c:389 msgid "Please insert your smart card." msgstr "Lütfen akıllı kartı yerleştirin." -#: src/pam_pkcs11/pam_pkcs11.c:422 -msgid "Error 2308: No smartcard found" +#: src/pam_pkcs11/pam_pkcs11.c:408 +msgid "Error 2308: No smart card found." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:449 -msgid "Error 2310: No smartcard found" -msgstr "" +#: src/pam_pkcs11/pam_pkcs11.c:413 +#, fuzzy +msgid "No smart card found." +msgstr "Akıllı kart" -#: src/pam_pkcs11/pam_pkcs11.c:459 +#: src/pam_pkcs11/pam_pkcs11.c:420 #, c-format msgid "%s found." msgstr "%s bulundu." -#: src/pam_pkcs11/pam_pkcs11.c:466 -msgid "Error 2312: open PKCS#11 session failed" +#: src/pam_pkcs11/pam_pkcs11.c:428 +msgid "Error 2312: Open PKCS#11 session failed." 
msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:478 -msgid "Error 2314: Slot login failed" +#: src/pam_pkcs11/pam_pkcs11.c:440 +msgid "Error 2314: Slot login failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:486 +#: src/pam_pkcs11/pam_pkcs11.c:447 #, c-format msgid "Welcome %.32s!" msgstr "Hoş geldiniz %.32s" -#: src/pam_pkcs11/pam_pkcs11.c:494 +#: src/pam_pkcs11/pam_pkcs11.c:455 #, c-format msgid "%s PIN: " msgstr "%s PIN: " -#: src/pam_pkcs11/pam_pkcs11.c:505 -msgid "Error 2316: password could not be read" +#: src/pam_pkcs11/pam_pkcs11.c:466 +msgid "Error 2316: Password could not be read." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:525 -msgid "Error 2318: Empty smartcard PIN not allowed." +#: src/pam_pkcs11/pam_pkcs11.c:482 +msgid "Error 2318: Empty smart card PIN not allowed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:534 -#, c-format -msgid "Enter your %s PIN on the pinpad" +#: src/pam_pkcs11/pam_pkcs11.c:492 +#, fuzzy, c-format +msgid "Enter your %s PIN on the pinpad." msgstr "PIN klavyesini kullanarak %s PIN kodunu giriniz." -#: src/pam_pkcs11/pam_pkcs11.c:553 -msgid "Error 2320: Wrong smartcard PIN" +#: src/pam_pkcs11/pam_pkcs11.c:506 +msgid "Error 2320: Wrong smart card PIN." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:565 -msgid "Error 2322: No certificate found" +#: src/pam_pkcs11/pam_pkcs11.c:519 +msgid "Error 2322: No certificate found." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:580 -msgid "verifying certificate" +#: src/pam_pkcs11/pam_pkcs11.c:534 +msgid "Verifying certificate..." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:593 -msgid "Error 2324: Certificate has expired" +#: src/pam_pkcs11/pam_pkcs11.c:547 +msgid "Error 2324: Certificate has expired." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:597 -msgid "Error 2326: Certificate not yet valid" +#: src/pam_pkcs11/pam_pkcs11.c:551 +msgid "Error 2326: Certificate not yet valid." 
msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:601 -msgid "Error 2328: Certificate signature invalid" +#: src/pam_pkcs11/pam_pkcs11.c:555 +msgid "Error 2328: Certificate signature invalid." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:605 -msgid "Error 2330: Certificate invalid" +#: src/pam_pkcs11/pam_pkcs11.c:559 +msgid "Error 2330: Certificate invalid." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:640 -msgid "Error 2332: setting PAM userentry failed" +#: src/pam_pkcs11/pam_pkcs11.c:594 +msgid "Error 2332: Setting PAM user entry failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:656 -msgid "Error 2334: No matching user" +#: src/pam_pkcs11/pam_pkcs11.c:610 +msgid "Error 2334: No matching user." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:677 -msgid "Error 2336: No matching certificate found" +#: src/pam_pkcs11/pam_pkcs11.c:631 +msgid "Error 2336: No matching certificate found." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:686 -msgid "Checking signature" +#: src/pam_pkcs11/pam_pkcs11.c:640 +msgid "Checking signature..." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:706 -msgid "Error 2338: Getting random value failed" +#: src/pam_pkcs11/pam_pkcs11.c:660 +msgid "Error 2338: Getting random value failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:720 -msgid "Error 2340: Signing failed" +#: src/pam_pkcs11/pam_pkcs11.c:674 +msgid "Error 2340: Signing failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:739 -msgid "Error 2342: Verifying signature failed" +#: src/pam_pkcs11/pam_pkcs11.c:691 +msgid "Error 2342: Verifying signature failed." msgstr "" -#: src/pam_pkcs11/pam_pkcs11.c:886 +#: src/pam_pkcs11/pam_pkcs11.c:808 +msgid "Smart card authentication cancelled." +msgstr "" + +#: src/pam_pkcs11/pam_pkcs11.c:854 msgid "Cannot change the password on your smart card." msgstr "Akıllı kart parolası değiştirilemiyor." #: src/pam_pkcs11/pam_config.c:65 msgid "Smart card" msgstr "Akıllı kart" + +#, c-format +#~ msgid "Please insert your %s or enter your username." 
+#~ msgstr "Lütfen size ait bir %s yerleştirin veya kullanıcı adınızı girin."
From 918c0f6f8d0c1784f1a22eac60e12fb3c4992d2b Mon Sep 17 00:00:00 2001
From: EtienneBarbier
Date: Thu, 1 Dec 2022 12:54:23 +0100
Subject: [PATCH 098/111] Update specfile to allow build in version 0.6.12
---
 pam_pkcs11.spec | 41 ++++++++++++++++++++++++-----------------
 1 file changed, 24 insertions(+), 17 deletions(-)
diff --git a/pam_pkcs11.spec b/pam_pkcs11.spec
index 1eb4e36c..a2bd17eb 100644
--- a/pam_pkcs11.spec
+++ b/pam_pkcs11.spec
@@ -1,5 +1,5 @@
 Name: pam_pkcs11
-Version: 0.6.0
+Version: 0.6.12
 Release: 0
 Epoch: 0
 Summary: PKCS #11 PAM module
@@ -7,7 +7,7 @@ Summary: PKCS #11 PAM module
 Group: System Environment/Base
 License: LGPL
 URL: http://www.opensc-project.org/pam_pkcs11/
-Source0: http://www.opensc-project.org/files/pam_pkcs11-0.6.0.tar.gz
+Source0: http://www.opensc-project.org/files/pam_pkcs11-0.6.12.tar.gz
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildRequires: pam-devel, openssl-devel
@@ -33,7 +33,7 @@ Adittional included pam_pkcs11 related tools
 %package pcsc
 Group: System Environment/Utilities
 Summary: PCSC-Lite extra tools for pam_pkcs11
-BuildRequires: pcsc-lite-devel
+BuildRequires: pcsc-lite-devel
 Requires: pcsc-lite
 Requires: pam_pkcs11
 Provides: pam_pkcs11-pcsc
@@ -51,14 +51,14 @@ Requires: pam_pkcs11
 Provides: pam_pkcs11-ldap
 
 %description ldap
-This package contains a Certificate-To-Login mapper based on queries
+This package contains a Certificate-To-Login mapper based on queries
 to a LDAP server. As it depends on extra libraries, is distributed as a
 separate package
 
 - ldap_mapper.so: ldap based mapper library
 %prep
 %setup -q -n %{name}-%{version}
-#./bootstrap
+./bootstrap
 
 %build
 %configure --disable-dependency-tracking %{?_with_curl} %{?_with_ldap}
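Review bot: Uncommenting `./bootstrap` in `%prep` makes every build regenerate the autotools files, yet no `BuildRequires` visible on this page declares `autoconf`, `libtool` or the gettext tooling a bootstrap script normally runs (`pam-devel, openssl-devel` and, outside this hunk, `automake >= 1.7.8` are the only build tools listed), so the build silently depends on whatever the build root happens to contain. The set to add should be taken from what `bootstrap` actually invokes rather than guessed. In the second hunk `Source0` still fetches the tarball over plain `http://` and the spec records no digest for it, so a packager has no way to check that the archive they build is the one the maintainer released. A comment such as `# Source0 sha256: <digest-of-release-tarball>` beside `Source0`, together with an https distribution point, would give them that check.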
@@ -68,7 +68,7 @@ make %{?_smp_mflags}
 %install
 rm -rf $RPM_BUILD_ROOT
 make install DESTDIR=$RPM_BUILD_ROOT
-rm -f $RPM_BUILD_ROOT/%{_lib}/security/*.*a
+rm -f $RPM_BUILD_ROOT/%{_libdir}/security/*.*a
 rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/*.*a
 
 # Hardcoded defaults... no sysconfdir
@@ -92,7 +92,7 @@ rm -rf $RPM_BUILD_ROOT
 %config(noreplace) %{_sysconfdir}/%{name}/crls
 %config(noreplace) %{_sysconfdir}/%{name}/pam_pkcs11.conf
 %config(noreplace) %{_sysconfdir}/%{name}/pkcs11_eventmgr.conf
-%{_bindir}/make_hash_link.sh
+%{_bindir}/pkcs11_make_hash_link
 %{_bindir}/pkcs11_eventmgr
 %{_bindir}/pklogin_finder
 %{_bindir}/pkcs11_inspect
@@ -105,19 +105,23 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man1/pkcs11_eventmgr.1.gz
 %{_mandir}/man1/pkcs11_inspect.1.gz
 %{_mandir}/man1/pklogin_finder.1.gz
-%{_datadir}/%{name}/%{name}.conf.example
-%{_datadir}/%{name}/pam.d_login.example
-%{_datadir}/%{name}/subject_mapping.example
-%{_datadir}/%{name}/mail_mapping.example
-%{_datadir}/%{name}/digest_mapping.example
-%{_datadir}/%{name}/pkcs11_eventmgr.conf.example
+%{_mandir}/man1/pkcs11_listcerts.1.gz
+%{_mandir}/man1/pkcs11_make_hash_link.1.gz
+%{_mandir}/man1/pkcs11_setup.1.gz
+%{_docdir}/%{name}/%{name}.conf.example
+%{_docdir}/%{name}/pam.d_login.example
+%{_docdir}/%{name}/subject_mapping.example
+%{_docdir}/%{name}/mail_mapping.example
+%{_docdir}/%{name}/digest_mapping.example
+%{_docdir}/%{name}/pkcs11_eventmgr.conf.example
+%{_docdir}/%{name}/pam.d_ignore_no_card.example
 %{_datadir}/locale/*/LC_MESSAGES/*
 
 %files pcsc
 %config(noreplace) %{_sysconfdir}/%{name}/card_eventmgr.conf
 %{_bindir}/card_eventmgr
 %{_mandir}/man1/card_eventmgr.1.gz
-%{_datadir}/%{name}/card_eventmgr.conf.example
+%{_docdir}/%{name}/card_eventmgr.conf.example
 %doc doc/README.eventmgr
 
 %files ldap
@@ -125,18 +129,21 @@ rm -rf $RPM_BUILD_ROOT %doc doc/README.ldap_mapper %changelog +* Thu Dec 1 2022 Etienne Barbier 0:0.6.12-0 +- Update to 0.6.12 + * Wed Jun 6 2007 Ludovic Rousseau 0:0.6.0-1 - Update to 0.6.0 -* Thu Sep 7 2005 Juan Antonio Martinez Date: Thu, 1 Dec 2022 15:14:31 +0800 Subject: [PATCH 099/111] Add Chinese (Simplified) translation Because it happens to be my first language. --- configure.ac | 2 +- po/zh_CN.po | 145 +++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 146 insertions(+), 1 deletion(-) create mode 100644 po/zh_CN.po diff --git a/configure.ac b/configure.ac index 2484558e..3c4d2e93 100644 --- a/configure.ac +++ b/configure.ac @@ -18,7 +18,7 @@ AM_MAINTAINER_MODE AM_GNU_GETTEXT([external]) dnl Add the languages which your application supports here. -ALL_LINGUAS="de fr it nl pl pt_BR ru tr" +ALL_LINGUAS="de fr it nl pl pt_BR ru tr zh_CN" # Checks for programs. AC_PROG_CC diff --git a/po/zh_CN.po b/po/zh_CN.po new file mode 100644 index 00000000..8ee2a6f7 --- /dev/null +++ b/po/zh_CN.po 
@@ -0,0 +1,145 @@ +# Chinese translations for pam_pkcs11 package. +# This file is put in the public domain. +# Alynx Zhou , 2022. +# +msgid "" +msgstr "" +"Project-Id-Version: pam_pkcs11 0.6.12\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2022-12-01 14:31+0800\n" +"PO-Revision-Date: 2022-12-01 14:53+0800\n" +"Last-Translator: Alynx Zhou \n" +"Language-Team: Chinese (simplified) \n" +"Language: zh_CN\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#: src/pam_pkcs11/pam_pkcs11.c:340 +msgid "Error 2302: PKCS#11 module failed loading." +msgstr "错误 2302:PKCS#11 模块加载失败。" + +#: src/pam_pkcs11/pam_pkcs11.c:354 +msgid "Error 2304: PKCS#11 module could not be initialized." +msgstr "错误 2304:PKCS#11 模块无法初始化。" + +#: src/pam_pkcs11/pam_pkcs11.c:385 +#, c-format +msgid "Please insert your smart card called \"%.32s\"." +msgstr "请插入名为 \"%.32s\" 的智能卡。" + +#: src/pam_pkcs11/pam_pkcs11.c:389 +msgid "Please insert your smart card." +msgstr "请插入您的智能卡。" + +#: src/pam_pkcs11/pam_pkcs11.c:408 +msgid "Error 2308: No smart card found." +msgstr "错误 2308:未检测到智能卡。" + +#: src/pam_pkcs11/pam_pkcs11.c:413 +msgid "No smart card found." +msgstr "未检测到智能卡。" + +#: src/pam_pkcs11/pam_pkcs11.c:420 +#, c-format +msgid "%s found." +msgstr "检测到 %s。" + +#: src/pam_pkcs11/pam_pkcs11.c:428 +msgid "Error 2312: Open PKCS#11 session failed." +msgstr "错误 2312:开启 PKCS#11 会话失败。" + +#: src/pam_pkcs11/pam_pkcs11.c:440 +msgid "Error 2314: Slot login failed." +msgstr "错误 2314:卡槽登录失败。" + +#: src/pam_pkcs11/pam_pkcs11.c:447 +#, c-format +msgid "Welcome %.32s!" +msgstr "欢迎 %.32s!" + +#: src/pam_pkcs11/pam_pkcs11.c:455 +#, c-format +msgid "%s PIN: " +msgstr "%s PIN: " + +#: src/pam_pkcs11/pam_pkcs11.c:466 +msgid "Error 2316: Password could not be read." +msgstr "错误 2316:无法读取密码。" + +#: src/pam_pkcs11/pam_pkcs11.c:482 +msgid "Error 2318: Empty smart card PIN not allowed." 
+msgstr "错误 2318:不允许使用空白的智能卡 PIN。" + +#: src/pam_pkcs11/pam_pkcs11.c:492 +#, c-format +msgid "Enter your %s PIN on the pinpad." +msgstr "请在密码键盘上输入您的 %s PIN。" + +#: src/pam_pkcs11/pam_pkcs11.c:506 +msgid "Error 2320: Wrong smart card PIN." +msgstr "错误 2320:智能卡 PIN 不正确。" + +#: src/pam_pkcs11/pam_pkcs11.c:519 +msgid "Error 2322: No certificate found." +msgstr "错误 2322:未检测到证书。" + +#: src/pam_pkcs11/pam_pkcs11.c:534 +msgid "Verifying certificate..." +msgstr "正在验证证书……" + +#: src/pam_pkcs11/pam_pkcs11.c:547 +msgid "Error 2324: Certificate has expired." +msgstr "错误 2324:证书已过期。" + +#: src/pam_pkcs11/pam_pkcs11.c:551 +msgid "Error 2326: Certificate not yet valid." +msgstr "错误 2326:证书还未生效。" + +#: src/pam_pkcs11/pam_pkcs11.c:555 +msgid "Error 2328: Certificate signature invalid." +msgstr "错误 2328:证书签名无效。" + +#: src/pam_pkcs11/pam_pkcs11.c:559 +msgid "Error 2330: Certificate invalid." +msgstr "错误 2330:证书无效。" + +#: src/pam_pkcs11/pam_pkcs11.c:594 +msgid "Error 2332: Setting PAM user entry failed." +msgstr "错误 2332:设置 PAM 用户条目失败。" + +#: src/pam_pkcs11/pam_pkcs11.c:610 +msgid "Error 2334: No matching user." +msgstr "错误 2334:没有匹配到用户。" + +#: src/pam_pkcs11/pam_pkcs11.c:631 +msgid "Error 2336: No matching certificate found." +msgstr "错误 2336:没有匹配到证书。" + +#: src/pam_pkcs11/pam_pkcs11.c:640 +msgid "Checking signature..." +msgstr "正在检查签名……" + +#: src/pam_pkcs11/pam_pkcs11.c:660 +msgid "Error 2338: Getting random value failed." +msgstr "错误 2338:获取随机值失败。" + +#: src/pam_pkcs11/pam_pkcs11.c:674 +msgid "Error 2340: Signing failed." +msgstr "错误 2340:签名失败。" + +#: src/pam_pkcs11/pam_pkcs11.c:691 +msgid "Error 2342: Verifying signature failed." +msgstr "错误 2342:验证签名失败。" + +#: src/pam_pkcs11/pam_pkcs11.c:808 +msgid "Smart card authentication cancelled." +msgstr "智能卡认证取消。" + +#: src/pam_pkcs11/pam_pkcs11.c:854 +msgid "Cannot change the password on your smart card." +msgstr "无法修改智能卡上的密码。" + +#: src/pam_pkcs11/pam_config.c:65 +msgid "Smart card" +msgstr "智能卡" 
From eeb4b49d06c5b1147badec32ef8be6a3240b8a29 Mon Sep 17 00:00:00 2001
From: EtienneBarbier
Date: Wed, 28 Dec 2022 15:09:05 +0100
Subject: [PATCH 100/111] Update specfile with up to date informations and fix linting
---
 pam_pkcs11.spec | 69 +++++++++++++++++++++++--------------------------
 1 file changed, 33 insertions(+), 36 deletions(-)
diff --git a/pam_pkcs11.spec b/pam_pkcs11.spec
index a2bd17eb..d4d67206 100644
--- a/pam_pkcs11.spec
+++ b/pam_pkcs11.spec
@@ -1,21 +1,20 @@
 Name: pam_pkcs11
 Version: 0.6.12
-Release: 0
-Epoch: 0
+Release: 1%{?dist}
 Summary: PKCS #11 PAM module
 
 Group: System Environment/Base
 License: LGPL
-URL: http://www.opensc-project.org/pam_pkcs11/
-Source0: http://www.opensc-project.org/files/pam_pkcs11-0.6.12.tar.gz
+URL: https://github.com/OpenSC/pam_pkcs11
+Source0: https://github.com/OpenSC/pam_pkcs11/archive/refs/tags/%{name}-%{version}.tar.gz
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildRequires: pam-devel, openssl-devel
 %{?_with_ldap:BuildRequires: openldap-devel}
 %{?_with_curl:BuildRequires: curl-devel}
-BuildRequires: libxslt docbook-style-xsl
-BuildRequires: automake >= 1.7.8
-Provides: pam_pkcs11 = %{epoch}:%{version}-%{release}
+BuildRequires: libxslt libtool gettext docbook-style-xsl
+BuildRequires: automake >= 1.7.8
+Provides: pam_pkcs11 = %{version}-%{release}
 
 %description
 This Linux-PAM module allows a X.509 certificate based user
@@ -32,11 +31,11 @@ Adittional included pam_pkcs11 related tools
 
 %package pcsc
 Group: System Environment/Utilities
-Summary: PCSC-Lite extra tools for pam_pkcs11
-BuildRequires: pcsc-lite-devel
-Requires: pcsc-lite
-Requires: pam_pkcs11
-Provides: pam_pkcs11-pcsc
+Summary: PCSC-Lite extra tools for pam_pkcs11
+BuildRequires: pcsc-lite-devel
+Requires: pcsc-lite
+Requires: pam_pkcs11
+Provides: pam_pkcs11-pcsc = %{version}-%{release}
 
 %description pcsc
 This package contains pam_pkcs11 tools that relies on PCSC-Lite library
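Review bot: `Source0` now points at a GitHub on-demand tag archive (`archive/refs/tags/%{name}-%{version}.tar.gz`) while the spec still records no digest or signature for it, so a packager cannot tell a substituted or re-generated tarball from the one the maintainer built against; such archives are produced on request rather than published as a release artifact, and their bytes are not guaranteed stable across GitHub infrastructure changes. Prefer a tarball uploaded to the release (or a `make dist` archive) and record its digest next to the line, e.g. `# Source0 sha256: <digest-of-release-tarball>`. In the same hunk `BuildRequires: libxslt libtool gettext docbook-style-xsl` adds `gettext`, but on Fedora/RHEL the `autopoint` that a gettext-enabled bootstrap usually calls ships in `gettext-devel`, so this should be confirmed against what `./bootstrap` runs. `License: LGPL` is kept although rpmlint's invalid-license check rejects a bare `LGPL`; the exact variant has to come from the project's COPYING file rather than be guessed here. The `%setup -n %{name}-%{name}-%{version}` change in the next hunk is coupled to the directory name inside this generated archive and must move with `Source0` if the source location changes again.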
@@ -44,11 +43,11 @@ This package contains pam_pkcs11 tools that relies on PCSC-Lite library
 
 %package ldap
 Group: System Environment/Utilities
-Summary: LDAP Cert-to-Login mapper for pam_pkcs11
-BuildRequires: openldap-devel
-Requires: openldap
-Requires: pam_pkcs11
-Provides: pam_pkcs11-ldap
+Summary: LDAP Cert-to-Login mapper for pam_pkcs11
+BuildRequires: openldap-devel
+Requires: openldap
+Requires: pam_pkcs11
+Provides: pam_pkcs11-ldap = %{version}-%{release}
 
 %description ldap
 This package contains a Certificate-To-Login mapper based on queries
@@ -56,8 +55,9 @@ to a LDAP server. As it depends on extra libraries, is distributed as a
 separate package
 
 - ldap_mapper.so: ldap based mapper library
+
 %prep
-%setup -q -n %{name}-%{version}
+%setup -q -n %{name}-%{name}-%{version}
 ./bootstrap
 
 %build
@@ -78,9 +78,6 @@ install -m 644 etc/%{name}.conf.example $RPM_BUILD_ROOT/etc/%{name}/%{name}.conf
 install -m 644 etc/card_eventmgr.conf.example $RPM_BUILD_ROOT/etc/%{name}/card_eventmgr.conf
 install -m 644 etc/pkcs11_eventmgr.conf.example $RPM_BUILD_ROOT/etc/%{name}/pkcs11_eventmgr.conf
 
-%clean
-rm -rf $RPM_BUILD_ROOT
-
 %files
 %defattr(-,root,root,-)
 %doc AUTHORS COPYING README TODO ChangeLog NEWS
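Review bot: The `BuildRequires: openldap-devel` kept inside `%package ldap` in the first hunk is unconditional, and rpm merges `BuildRequires` from every subpackage preamble into one build-time dependency set, so the `%{?_with_ldap:BuildRequires: openldap-devel}` conditional in the main preamble is dead and `openldap-devel` is demanded even by a build that never passes `--with ldap` to `%configure`; `pcsc-lite-devel` under `%package pcsc` (hunk at the previous line) has the same shape. If the optional build is meant to survive, the subpackage lines should move under the `%{?_with_ldap:...}`/`%{?_with_curl:...}` pattern the top of the file already uses, otherwise the conditionals should go. For a commit described as a lint fix, `%defattr(-,root,root,-)` in the last hunk and the `BuildRoot:` and `Group:` tags retained in this patch's first hunk date from the same packaging era as the `%clean` section the patch removes, and the guidelines that made `%clean` unnecessary ask for those to be dropped as well. `%setup -q -n %{name}-%{name}-%{version}` is bound to the directory name GitHub places inside its generated tag archive, so it must change together with `Source0` whenever the source is moved.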
@@ -129,59 +126,59 @@ rm -rf $RPM_BUILD_ROOT %doc doc/README.ldap_mapper %changelog -* Thu Dec 1 2022 Etienne Barbier 0:0.6.12-0 +* Wed Dec 28 2022 Etienne Barbier 0.6.12-1 - Update to 0.6.12 * Wed Jun 6 2007 Ludovic Rousseau 0:0.6.0-1 - Update to 0.6.0 -* Wed Sep 7 2005 Juan Antonio Martinez 0:0.5.3-2 - Add ldap_mapper.so as separate package, as it depends on external library - Changes from FC4 team -* Thu Sep 1 2005 Juan Antonio Martinez 0:0.5.3-0 - Update to 0.5.3 - Remove tools package, and create pcsc one with pcsc-lite dependent files -* Mon Apr 11 2005 Juan Antonio Martinez 0:0.5.2-1 - Changed package name to pam_pkcs11 -* Fri Apr 8 2005 Juan Antonio Martinez 0:0.5.2-0 - Updated to 0.5.2 release - Changed /etc/pkcs11 for /etc/pam_pkcs11 - Changed /usr/share/pkcs11_login for /usr/share/pam_pkcs11 - Next item is change package name to pam_pkcs11 -* Thu Apr 7 2005 Juan Antonio Martinez 0:0.5.1-0 - patches to avoid autotools in compile from tgz -* Thu Mar 29 2005 Juan Antonio Martinez 0:0.5-1 - upgrade to 0.5beta1 version - BuildRequires now complains compilation of html manual from xml file -* Thu Feb 28 2005 Juan Antonio Martinez 0:0.4.4-2 +* Mon Feb 28 2005 Juan Antonio Martinez 0:0.4.4-2 - New pkcs11_eventmgr app in "tools" package -* Thu Feb 24 2005 Juan Antonio Martinez 0:0.4.4-1 +* Thu Feb 24 2005 Juan Antonio Martinez 0:0.4.4-1 - Fix pcsc-lite dependencies -* Thu Feb 15 2005 Juan Antonio Martinez 0:0.4.4-0 +* Tue Feb 15 2005 Juan Antonio Martinez 0:0.4.4-0 - Update to 0.4.4b2 -* Sun Sep 12 2004 Ville Skyttä - 0:0.3b-0.fdr.1 +* Sun Sep 12 2004 Ville Skyttä - 0:0.3b-0.fdr.1 - Update to 0.3b. - Disable dependency tracking to speed up the build. -* Tue May 4 2004 Ville Skyttä - 0:0.3-0.fdr.1 +* Tue May 4 2004 Ville Skyttä - 0:0.3-0.fdr.1 - Update to 0.3. - Do not use libcurl by default; rebuild using "--with curl" to use it. -* Mon Mar 29 2004 Ville Skyttä - 0:0.2-0.fdr.1 +* Mon Mar 29 2004 Ville Skyttä - 0:0.2-0.fdr.1 - Update to 0.2. 
- Use libcurl by default; rebuild using "--without curl" to disable. -* Wed Jan 21 2004 Ville Skyttä - 0:0.1-0.fdr.0.2.beta5 +* Wed Jan 21 2004 Ville Skyttä - 0:0.1-0.fdr.0.2.beta5 - Add the user_mapping config file. -* Mon Jan 19 2004 Ville Skyttä - 0:0.1-0.fdr.0.1.beta5 +* Mon Jan 19 2004 Ville Skyttä - 0:0.1-0.fdr.0.1.beta5 - First build. From aa02fc6e4cc95146bd4b8551f056418f80b436d5 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Fri, 3 Feb 2023 15:00:49 +0100 Subject: [PATCH 101/111] Add missing file in .tar.gz archive Fix "make distcheck" error: make[3]: *** No rule to make target 'pam.d_ignore_no_card.example', needed by 'all-am'. Stop. --- etc/Makefile.am | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/Makefile.am b/etc/Makefile.am index ae191fc4..bcb50268 100644 --- a/etc/Makefile.am +++ b/etc/Makefile.am @@ -10,6 +10,7 @@ TO_INSTALL = \ card_eventmgr.conf.example EXTRA_DIST = $(TO_INSTALL) \ + pam.d_ignore_no_card.example \ pam.d_login.example.in \ pam_pkcs11.conf.example.in From 1838f5e26d71dd90aebc2a0616788eaf1d8df91d Mon Sep 17 00:00:00 2001 
From: Ludovic Rousseau Date: Fri, 3 Feb 2023 15:03:07 +0100 Subject: [PATCH 102/111] doc: update Doxygen file from 1.8.9.1 to 1.9.4 $ doxygen -u doxygen.conf.in warning: Tag 'TCL_SUBST' at line 237 of file 'doxygen.conf.in' has become obsolete. This tag has been removed. warning: Tag 'COLS_IN_ALPHA_INDEX' at line 1021 of file 'doxygen.conf.in' has become obsolete. This tag has been removed. warning: Tag 'LATEX_SOURCE_CODE' at line 1723 of file 'doxygen.conf.in' has become obsolete. This tag has been removed. warning: Tag 'RTF_SOURCE_CODE' at line 1797 of file 'doxygen.conf.in' has become obsolete. This tag has been removed. warning: Tag 'DOCBOOK_PROGRAMLISTING' at line 1895 of file 'doxygen.conf.in' has become obsolete. This tag has been removed. warning: Tag 'PERL_PATH' at line 2075 of file 'doxygen.conf.in' has become obsolete. This tag has been removed. warning: Tag 'CLASS_DIAGRAMS' at line 2088 of file 'doxygen.conf.in' has become obsolete. This tag has been removed. warning: Tag 'MSCGEN_PATH' at line 2097 of file 'doxygen.conf.in' has become obsolete. This tag has been removed. Configuration file 'doxygen.conf.in' updated. --- doc/doxygen.conf.in | 748 ++++++++++++++++++++++++++++++-------------- 1 file changed, 521 insertions(+), 227 deletions(-) diff --git a/doc/doxygen.conf.in b/doc/doxygen.conf.in index 0fb223b2..14bd6fe2 100644 --- a/doc/doxygen.conf.in +++ b/doc/doxygen.conf.in @@ -1,4 +1,4 @@ -# Doxyfile 1.8.9.1 +# Doxyfile 1.9.4 # This file describes the settings to be used by the documentation system # doxygen (www.doxygen.org) for a project. 
@@ -12,16 +12,25 @@ # For lists, items can also be appended using: # TAG += value [value, ...] # Values that contain spaces should be placed between quotes (\" \"). +# +# Note: +# +# Use doxygen to compare the used configuration file with the template +# configuration file: +# doxygen -x [configFile] +# Use doxygen to compare the used configuration file with the template +# configuration file without replacing the environment variables: +# doxygen -x_noenv [configFile] #--------------------------------------------------------------------------- # Project related configuration options #--------------------------------------------------------------------------- -# This tag specifies the encoding used for all characters in the config file -# that follow. The default is UTF-8 which is also the encoding used for all text -# before the first occurrence of this tag. Doxygen uses libiconv (or the iconv -# built into libc) for the transcoding. See http://www.gnu.org/software/libiconv -# for the list of possible encodings. +# This tag specifies the encoding used for all characters in the configuration +# file that follow. The default is UTF-8 which is also the encoding used for all +# text before the first occurrence of this tag. Doxygen uses libiconv (or the +# iconv built into libc) for the transcoding. See +# https://www.gnu.org/software/libiconv/ for the list of possible encodings. # The default value is: UTF-8. DOXYFILE_ENCODING = UTF-8 
@@ -60,16 +69,28 @@ PROJECT_LOGO = OUTPUT_DIRECTORY = doc -# If the CREATE_SUBDIRS tag is set to YES then doxygen will create 4096 sub- -# directories (in 2 levels) under the output directory of each output format and -# will distribute the generated files over these directories. Enabling this +# If the CREATE_SUBDIRS tag is set to YES then doxygen will create up to 4096 +# sub-directories (in 2 levels) under the output directory of each output format +# and will distribute the generated files over these directories. Enabling this # option can be useful when feeding doxygen a huge amount of source files, where # putting all generated files in the same directory would otherwise causes -# performance problems for the file system. +# performance problems for the file system. Adapt CREATE_SUBDIRS_LEVEL to +# control the number of sub-directories. # The default value is: NO. CREATE_SUBDIRS = NO +# Controls the number of sub-directories that will be created when +# CREATE_SUBDIRS tag is set to YES. Level 0 represents 16 directories, and every +# level increment doubles the number of directories, resulting in 4096 +# directories at level 8 which is the default and also the maximum value. The +# sub-directories are organized in 2 levels, the first level always has a fixed +# numer of 16 directories. +# Minimum value: 0, maximum value: 8, default value: 8. +# This tag requires that the tag CREATE_SUBDIRS is set to YES. + +CREATE_SUBDIRS_LEVEL = 8 + # If the ALLOW_UNICODE_NAMES tag is set to YES, doxygen will allow non-ASCII # characters to appear in the names of generated files. If set to NO, non-ASCII # characters will be escaped, for example _xE3_x81_x84 will be used for Unicode 
@@ -81,14 +102,14 @@ ALLOW_UNICODE_NAMES = NO # The OUTPUT_LANGUAGE tag is used to specify the language in which all # documentation generated by doxygen is written. Doxygen will use this # information to generate all constant output in the proper language. -# Possible values are: Afrikaans, Arabic, Armenian, Brazilian, Catalan, Chinese, -# Chinese-Traditional, Croatian, Czech, Danish, Dutch, English (United States), -# Esperanto, Farsi (Persian), Finnish, French, German, Greek, Hungarian, -# Indonesian, Italian, Japanese, Japanese-en (Japanese with English messages), -# Korean, Korean-en (Korean with English messages), Latvian, Lithuanian, -# Macedonian, Norwegian, Persian (Farsi), Polish, Portuguese, Romanian, Russian, -# Serbian, Serbian-Cyrillic, Slovak, Slovene, Spanish, Swedish, Turkish, -# Ukrainian and Vietnamese. +# Possible values are: Afrikaans, Arabic, Armenian, Brazilian, Bulgarian, +# Catalan, Chinese, Chinese-Traditional, Croatian, Czech, Danish, Dutch, English +# (United States), Esperanto, Farsi (Persian), Finnish, French, German, Greek, +# Hindi, Hungarian, Indonesian, Italian, Japanese, Japanese-en (Japanese with +# English messages), Korean, Korean-en (Korean with English messages), Latvian, +# Lithuanian, Macedonian, Norwegian, Persian (Farsi), Polish, Portuguese, +# Romanian, Russian, Serbian, Serbian-Cyrillic, Slovak, Slovene, Spanish, +# Swedish, Turkish, Ukrainian and Vietnamese. # The default value is: English. OUTPUT_LANGUAGE = English 
@@ -179,6 +200,16 @@ SHORT_NAMES = NO JAVADOC_AUTOBRIEF = YES +# If the JAVADOC_BANNER tag is set to YES then doxygen will interpret a line +# such as +# /*************** +# as being the beginning of a Javadoc-style comment "banner". If set to NO, the +# Javadoc-style will behave just like regular comments and it will not be +# interpreted by doxygen. +# The default value is: NO. + +JAVADOC_BANNER = NO + # If the QT_AUTOBRIEF tag is set to YES then doxygen will interpret the first # line (until the first dot) of a Qt-style comment as the brief description. If # set to NO, the Qt-style will behave just like regular Qt-style comments (thus @@ -199,6 +230,14 @@ QT_AUTOBRIEF = NO MULTILINE_CPP_IS_BRIEF = NO +# By default Python docstrings are displayed as preformatted text and doxygen's +# special commands cannot be used. By setting PYTHON_DOCSTRING to NO the +# doxygen's special commands can be used and the contents of the docstring +# documentation blocks is shown as doxygen documentation. +# The default value is: YES. + +PYTHON_DOCSTRING = YES + # If the INHERIT_DOCS tag is set to YES then an undocumented member inherits the # documentation from any documented member that it re-implements. # The default value is: YES. 
@@ -222,20 +261,19 @@ TAB_SIZE = 8 # the documentation. An alias has the form: # name=value # For example adding -# "sideeffect=@par Side Effects:\n" +# "sideeffect=@par Side Effects:^^" # will allow you to put the command \sideeffect (or @sideeffect) in the # documentation, which will result in a user-defined paragraph with heading -# "Side Effects:". You can put \n's in the value part of an alias to insert -# newlines. +# "Side Effects:". Note that you cannot put \n's in the value part of an alias +# to insert newlines (in the resulting output). You can put ^^ in the value part +# of an alias to insert a newline as if a physical newline was in the original +# file. When you need a literal { or } or , in the value part of an alias you +# have to escape them by means of a backslash (\), this can lead to conflicts +# with the commands \{ and \} for these it is advised to use the version @{ and +# @} or use a double escape (\\{ and \\}) ALIASES = -# This tag can be used to specify a number of word-keyword mappings (TCL only). -# A mapping has the form "name=value". For example adding "class=itcl::class" -# will allow you to use the command class in the itcl::class meaning. - -TCL_SUBST = - # Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C sources # only. Doxygen will then generate output that is more tailored for C. For # instance, some of the names that are used will be different. The list of all 
@@ -264,28 +302,40 @@ OPTIMIZE_FOR_FORTRAN = NO
 OPTIMIZE_OUTPUT_VHDL = NO
+# Set the OPTIMIZE_OUTPUT_SLICE tag to YES if your project consists of Slice
+# sources only. Doxygen will then generate output that is more tailored for that
+# language. For instance, namespaces will be presented as modules, types will be
+# separated into more groups, etc.
+# The default value is: NO.
+
+OPTIMIZE_OUTPUT_SLICE = NO
+
 # Doxygen selects the parser to use depending on the extension of the files it
 # parses. With this tag you can assign which parser to use for a given
 # extension. Doxygen has a built-in mapping, but you can override or extend it
 # using this tag. The format is ext=language, where ext is a file extension, and
-# language is one of the parsers supported by doxygen: IDL, Java, Javascript,
-# C#, C, C++, D, PHP, Objective-C, Python, Fortran (fixed format Fortran:
-# FortranFixed, free formatted Fortran: FortranFree, unknown formatted Fortran:
-# Fortran. In the later case the parser tries to guess whether the code is fixed
-# or free formatted code, this is the default for Fortran type files), VHDL. For
-# instance to make doxygen treat .inc files as Fortran files (default is PHP),
-# and .f files as C (default is Fortran), use: inc=Fortran f=C.
+# language is one of the parsers supported by doxygen: IDL, Java, JavaScript,
+# Csharp (C#), C, C++, Lex, D, PHP, md (Markdown), Objective-C, Python, Slice,
+# VHDL, Fortran (fixed format Fortran: FortranFixed, free formatted Fortran:
+# FortranFree, unknown formatted Fortran: Fortran. In the later case the parser
+# tries to guess whether the code is fixed or free formatted code, this is the
+# default for Fortran type files). For instance to make doxygen treat .inc files
+# as Fortran files (default is PHP), and .f files as C (default is Fortran),
+# use: inc=Fortran f=C.
 #
 # Note: For files without extension you can use no_extension as a placeholder.
#
 # Note that for custom extensions you also need to set FILE_PATTERNS otherwise
-# the files are not read by doxygen.
+# the files are not read by doxygen. When specifying no_extension you should add
+# * to the FILE_PATTERNS.
+#
+# Note see also the list of default file extension mappings.
 EXTENSION_MAPPING =
 # If the MARKDOWN_SUPPORT tag is enabled then doxygen pre-processes all comments
 # according to the Markdown format, which allows for more readable
-# documentation. See http://daringfireball.net/projects/markdown/ for details.
+# documentation. See https://daringfireball.net/projects/markdown/ for details.
 # The output of markdown processing is further processed by doxygen, so you can
 # mix doxygen, HTML, and XML commands with Markdown formatting. Disable only in
 # case of backward compatibilities issues.
@@ -293,6 +343,15 @@ EXTENSION_MAPPING =
 MARKDOWN_SUPPORT = YES
+# When the TOC_INCLUDE_HEADINGS tag is set to a non-zero value, all headings up
+# to that level are automatically included in the table of contents, even if
+# they do not have an id attribute.
+# Note: This feature currently applies only to Markdown headings.
+# Minimum value: 0, maximum value: 99, default value: 5.
+# This tag requires that the tag MARKDOWN_SUPPORT is set to YES.
+
+TOC_INCLUDE_HEADINGS = 5
+
 # When enabled doxygen tries to link words that correspond to documented
 # classes, or namespaces to their corresponding documentation. Such a link can
 # be prevented in individual cases by putting a % sign in front of the word or
@@ -318,7 +377,7 @@ BUILTIN_STL_SUPPORT = NO
 CPP_CLI_SUPPORT = NO
 # Set the SIP_SUPPORT tag to YES if your project consists of sip (see:
-# http://www.riverbankcomputing.co.uk/software/sip/intro) sources only. Doxygen
+# https://www.riverbankcomputing.com/software/sip/intro) sources only. Doxygen
 # will parse them like normal C++ but will assume all classes use public instead
 # of private inheritance when no explicit protection keyword is present.
 # The default value is: NO.
@@ -343,6 +402,13 @@ IDL_PROPERTY_SUPPORT = YES
 DISTRIBUTE_GROUP_DOC = NO
+# If one adds a struct or class to a group and this option is enabled, then also
+# any nested class or struct is added to the same group. By default this option
+# is disabled and one has to add nested compounds explicitly via \ingroup.
+# The default value is: NO.
+
+GROUP_NESTED_COMPOUNDS = NO
+
 # Set the SUBGROUPING tag to YES to allow class member groups of the same type
 # (for instance a group of public functions) to be put as a subgroup of that
 # type (e.g. under the Public Functions section). Set it to NO to prevent
@@ -397,6 +463,19 @@ TYPEDEF_HIDES_STRUCT = NO
 LOOKUP_CACHE_SIZE = 0
+# The NUM_PROC_THREADS specifies the number of threads doxygen is allowed to use
+# during processing. When set to 0 doxygen will based this on the number of
+# cores available in the system. You can set it explicitly to a value larger
+# than 0 to get more control over the balance between CPU load and processing
+# speed. At this moment only the input processing can be done using multiple
+# threads. Since this is still an experimental feature the default is set to 1,
+# which effectively disables parallel processing. Please report any issues you
+# encounter. Generating dot graphs in parallel is controlled by the
+# DOT_NUM_THREADS setting.
+# Minimum value: 0, maximum value: 32, default value: 1.
+
+NUM_PROC_THREADS = 1
+
 #---------------------------------------------------------------------------
 # Build related configuration options
 #---------------------------------------------------------------------------
@@ -417,6 +496,12 @@ EXTRACT_ALL = YES
 EXTRACT_PRIVATE = NO
+# If the EXTRACT_PRIV_VIRTUAL tag is set to YES, documented private virtual
+# methods of a class will be included in the documentation.
+# The default value is: NO.
+
+EXTRACT_PRIV_VIRTUAL = NO
+
 # If the EXTRACT_PACKAGE tag is set to YES, all members with package or internal
 # scope will be included in the documentation.
 # The default value is: NO.
@@ -454,6 +539,13 @@ EXTRACT_LOCAL_METHODS = NO
 EXTRACT_ANON_NSPACES = NO
+# If this flag is set to YES, the name of an unnamed parameter in a declaration
+# will be determined by the corresponding definition. By default unnamed
+# parameters remain unnamed in the output.
+# The default value is: YES.
+
+RESOLVE_UNNAMED_PARAMS = YES
+
 # If the HIDE_UNDOC_MEMBERS tag is set to YES, doxygen will hide all
 # undocumented members inside documented classes or files. If set to NO these
 # members will be included in the various overviews, but no documentation
@@ -471,8 +563,8 @@ HIDE_UNDOC_MEMBERS = NO
 HIDE_UNDOC_CLASSES = NO
 # If the HIDE_FRIEND_COMPOUNDS tag is set to YES, doxygen will hide all friend
-# (class|struct|union) declarations. If set to NO, these declarations will be
-# included in the documentation.
+# declarations. If set to NO, these declarations will be included in the
+# documentation.
 # The default value is: NO.
 HIDE_FRIEND_COMPOUNDS = NO
@@ -491,11 +583,18 @@ HIDE_IN_BODY_DOCS = NO
 INTERNAL_DOCS = NO
-# If the CASE_SENSE_NAMES tag is set to NO then doxygen will only generate file
-# names in lower-case letters. If set to YES, upper-case letters are also
-# allowed. This is useful if you have classes or files whose names only differ
-# in case and if your file system supports case sensitive file names. Windows
-# and Mac users are advised to set this option to NO.
+# With the correct setting of option CASE_SENSE_NAMES doxygen will better be
+# able to match the capabilities of the underlying filesystem. In case the
+# filesystem is case sensitive (i.e. it supports files in the same directory
+# whose names only differ in casing), the option must be set to YES to properly
+# deal with such files in case they appear in the input. For filesystems that
+# are not case sensitive the option should be set to NO to properly deal with
+# output files written for symbols that only differ in casing, such as for two
+# classes, one named CLASS and the other named Class, and to also support
+# references to files without having to specify the exact matching casing. On
+# Windows (including Cygwin) and MacOS, users should typically set this option
+# to NO, whereas on Linux or other Unix flavors it should typically be set to
+# YES.
 # The default value is: system dependent.
 CASE_SENSE_NAMES = YES
@@ -514,6 +613,12 @@ HIDE_SCOPE_NAMES = YES
 HIDE_COMPOUND_REFERENCE= NO
+# If the SHOW_HEADERFILE tag is set to YES then the documentation for a class
+# will show which file needs to be included to use the class.
+# The default value is: YES.
+
+SHOW_HEADERFILE = YES
+
 # If the SHOW_INCLUDE_FILES tag is set to YES then doxygen will put a list of
 # the files that are included by a file in the documentation of that file.
 # The default value is: YES.
@@ -671,7 +776,8 @@ FILE_VERSION_FILTER =
 # output files in an output format independent way. To create the layout file
 # that represents doxygen's defaults, run doxygen with the -l option. You can
 # optionally specify a file name after the option, if omitted DoxygenLayout.xml
-# will be used as the name of the layout file.
+# will be used as the name of the layout file. See also section "Changing the
+# layout of pages" for information.
 #
 # Note that if you run doxygen from a directory containing a file called
 # DoxygenLayout.xml, doxygen will parse it automatically even if the LAYOUT_FILE
@@ -682,7 +788,7 @@ LAYOUT_FILE =
 # The CITE_BIB_FILES tag can be used to specify one or more bib files containing
 # the reference definitions. This must be a list of .bib files. The .bib
 # extension is automatically appended if omitted. This requires the bibtex tool
-# to be installed. See also http://en.wikipedia.org/wiki/BibTeX for more info.
+# to be installed. See also https://en.wikipedia.org/wiki/BibTeX for more info.
 # For LaTeX the style of the bibliography can be controlled using
 # LATEX_BIB_STYLE. To use this feature you need bibtex and perl available in the
 # search path. See also \cite for info how to create references.
@@ -717,34 +823,66 @@ WARNINGS = YES
 WARN_IF_UNDOCUMENTED = NO
 # If the WARN_IF_DOC_ERROR tag is set to YES, doxygen will generate warnings for
-# potential errors in the documentation, such as not documenting some parameters
-# in a documented function, or documenting parameters that don't exist or using
-# markup commands wrongly.
+# potential errors in the documentation, such as documenting some parameters in
+# a documented function twice, or documenting parameters that don't exist or
+# using markup commands wrongly.
 # The default value is: YES.
 WARN_IF_DOC_ERROR = YES
+# If WARN_IF_INCOMPLETE_DOC is set to YES, doxygen will warn about incomplete
+# function parameter documentation. If set to NO, doxygen will accept that some
+# parameters have no documentation without warning.
+# The default value is: YES.
+
+WARN_IF_INCOMPLETE_DOC = YES
+
 # This WARN_NO_PARAMDOC option can be enabled to get warnings for functions that
 # are documented, but have no documentation for their parameters or return
-# value. If set to NO, doxygen will only warn about wrong or incomplete
-# parameter documentation, but not about the absence of documentation.
+# value. If set to NO, doxygen will only warn about wrong parameter
+# documentation, but not about the absence of documentation. If EXTRACT_ALL is
+# set to YES then this flag will automatically be disabled. See also
+# WARN_IF_INCOMPLETE_DOC
 # The default value is: NO.
 WARN_NO_PARAMDOC = NO
+# If the WARN_AS_ERROR tag is set to YES then doxygen will immediately stop when
+# a warning is encountered. If the WARN_AS_ERROR tag is set to FAIL_ON_WARNINGS
+# then doxygen will continue running as if WARN_AS_ERROR tag is set to NO, but
+# at the end of the doxygen process doxygen will return with a non-zero status.
+# Possible values are: NO, YES and FAIL_ON_WARNINGS.
+# The default value is: NO.
+
+WARN_AS_ERROR = NO
+
 # The WARN_FORMAT tag determines the format of the warning messages that doxygen
 # can produce.
The string should contain the $file, $line, and $text tags, which
 # will be replaced by the file and line number from which the warning originated
 # and the warning text. Optionally the format may contain $version, which will
 # be replaced by the version of the file (if it could be obtained via
 # FILE_VERSION_FILTER)
+# See also: WARN_LINE_FORMAT
 # The default value is: $file:$line: $text.
 WARN_FORMAT = "$file:$line: $text"
+# In the $text part of the WARN_FORMAT command it is possible that a reference
+# to a more specific place is given. To make it easier to jump to this place
+# (outside of doxygen) the user can define a custom "cut" / "paste" string.
+# Example:
+# WARN_LINE_FORMAT = "'vi $file +$line'"
+# See also: WARN_FORMAT
+# The default value is: at line $line of file $file.
+
+WARN_LINE_FORMAT = "at line $line of file $file"
+
 # The WARN_LOGFILE tag can be used to specify a file to which warning and error
 # messages should be written. If left blank the output is written to standard
-# error (stderr).
+# error (stderr). In case the file specified cannot be opened for writing the
+# warning and error messages are written to standard error. When as file - is
+# specified the warning and error messages are written to standard output
+# (stdout).
 WARN_LOGFILE =
@@ -755,7 +893,7 @@ WARN_LOGFILE =
 # The INPUT tag is used to specify the files and/or directories that contain
 # documented source files. You may enter file names like myfile.cpp or
 # directories like /usr/src/myproject. Separate the files or directories with
-# spaces.
+# spaces. See also FILE_PATTERNS and EXTENSION_MAPPING
 # Note: If this tag is empty the current directory is searched.
 INPUT = src
@@ -763,20 +901,29 @@ INPUT = src
 # This tag can be used to specify the character encoding of the source files
 # that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses
 # libiconv (or the iconv built into libc) for the transcoding. See the libiconv
-# documentation (see: http://www.gnu.org/software/libiconv) for the list of
-# possible encodings.
+# documentation (see:
+# https://www.gnu.org/software/libiconv/) for the list of possible encodings.
 # The default value is: UTF-8.
 INPUT_ENCODING = UTF-8
 # If the value of the INPUT tag contains directories, you can use the
 # FILE_PATTERNS tag to specify one or more wildcard patterns (like *.cpp and
-# *.h) to filter out the source-files in the directories. If left blank the
-# following patterns are tested:*.c, *.cc, *.cxx, *.cpp, *.c++, *.java, *.ii,
-# *.ixx, *.ipp, *.i++, *.inl, *.idl, *.ddl, *.odl, *.h, *.hh, *.hxx, *.hpp,
-# *.h++, *.cs, *.d, *.php, *.php4, *.php5, *.phtml, *.inc, *.m, *.markdown,
-# *.md, *.mm, *.dox, *.py, *.f90, *.f, *.for, *.tcl, *.vhd, *.vhdl, *.ucf,
-# *.qsf, *.as and *.js.
+# *.h) to filter out the source-files in the directories.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# read by doxygen.
+#
+# Note the list of default checked file patterns might differ from the list of
+# default file extension mappings.
+#
+# If left blank the following patterns are tested:*.c, *.cc, *.cxx, *.cpp,
+# *.c++, *.java, *.ii, *.ixx, *.ipp, *.i++, *.inl, *.idl, *.ddl, *.odl, *.h,
+# *.hh, *.hxx, *.hpp, *.h++, *.l, *.cs, *.d, *.php, *.php4, *.php5, *.phtml,
+# *.inc, *.m, *.markdown, *.md, *.mm, *.dox (to be provided as doxygen C
+# comment), *.py, *.pyw, *.f90, *.f95, *.f03, *.f08, *.f18, *.f, *.for, *.vhd,
+# *.vhdl, *.ucf, *.qsf and *.ice.
 FILE_PATTERNS = *.h
@@ -816,7 +963,7 @@ EXCLUDE_PATTERNS =
 # (namespaces, classes, functions, etc.) that should be excluded from the
 # output. The symbol name can be a fully qualified name, a word, or if the
 # wildcard * is used, a substring. Examples: ANamespace, AClass,
-# AClass::ANamespace, ANamespace::*Test
+# ANamespace::AClass, ANamespace::*Test
 #
 # Note that the wildcards are matched against the file with absolute path, so to
 # exclude all test directories use the pattern */test/*
@@ -863,6 +1010,10 @@ IMAGE_PATH =
 # Note that the filter must not add or remove lines; it is applied before the
 # code is scanned, but not when the output code is generated. If lines are added
 # or removed, the anchors will not be placed correctly.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# properly processed by doxygen.
 INPUT_FILTER =
@@ -872,6 +1023,10 @@ INPUT_FILTER =
 # (like *.cpp=my_cpp_filter). See INPUT_FILTER for further information on how
 # filters are used. If the FILTER_PATTERNS tag is empty or if none of the
 # patterns match the file name, INPUT_FILTER is applied.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# properly processed by doxygen.
 FILTER_PATTERNS =
@@ -924,7 +1079,7 @@ INLINE_SOURCES = NO
 STRIP_CODE_COMMENTS = YES
 # If the REFERENCED_BY_RELATION tag is set to YES then for each documented
-# function all documented functions referencing it will be listed.
+# entity all documented functions referencing it will be listed.
 # The default value is: NO.
 REFERENCED_BY_RELATION = YES
@@ -956,12 +1111,12 @@ SOURCE_TOOLTIPS = YES
 # If the USE_HTAGS tag is set to YES then the references to source code will
 # point to the HTML generated by the htags(1) tool instead of doxygen built-in
 # source browser. The htags tool is part of GNU's global source tagging system
-# (see http://www.gnu.org/software/global/global.html). You will need version
+# (see https://www.gnu.org/software/global/global.html). You will need version
 # 4.8.6 or higher.
 #
 # To use it do the following:
 # - Install the latest version of global
-# - Enable SOURCE_BROWSER and USE_HTAGS in the config file
+# - Enable SOURCE_BROWSER and USE_HTAGS in the configuration file
 # - Make sure the INPUT points to the root of the source tree
 # - Run doxygen as normal
 #
@@ -984,16 +1139,24 @@ USE_HTAGS = NO
 VERBATIM_HEADERS = YES
 # If the CLANG_ASSISTED_PARSING tag is set to YES then doxygen will use the
-# clang parser (see: http://clang.llvm.org/) for more accurate parsing at the
-# cost of reduced performance. This can be particularly helpful with template
-# rich C++ code for which doxygen's built-in parser lacks the necessary type
-# information.
+# clang parser (see:
+# http://clang.llvm.org/) for more accurate parsing at the cost of reduced
+# performance. This can be particularly helpful with template rich C++ code for
+# which doxygen's built-in parser lacks the necessary type information.
 # Note: The availability of this option depends on whether or not doxygen was
-# compiled with the --with-libclang option.
+# generated with the -Duse_libclang=ON option for CMake.
 # The default value is: NO.
 CLANG_ASSISTED_PARSING = NO
+# If the CLANG_ASSISTED_PARSING tag is set to YES and the CLANG_ADD_INC_PATHS
+# tag is set to YES then doxygen will add the directory of each input to the
+# include path.
+# The default value is: YES.
+# This tag requires that the tag CLANG_ASSISTED_PARSING is set to YES.
+
+CLANG_ADD_INC_PATHS = YES
+
 # If clang assisted parsing is enabled you can provide the compiler with command
 # line options that you would normally use when invoking the compiler. Note that
 # the include paths will already be set by doxygen for the files and directories
@@ -1002,6 +1165,19 @@ CLANG_ASSISTED_PARSING = NO
 CLANG_OPTIONS =
+# If clang assisted parsing is enabled you can provide the clang parser with the
+# path to the directory containing a file called compile_commands.json. This
+# file is the compilation database (see:
+# http://clang.llvm.org/docs/HowToSetupToolingForLLVM.html) containing the
+# options used when the source files were built. This is equivalent to
+# specifying the -p option to a clang tool, such as clang-check. These options
+# will then be passed to the parser. Any options specified with CLANG_OPTIONS
+# will be added as well.
+# Note: The availability of this option depends on whether or not doxygen was
+# generated with the -Duse_libclang=ON option for CMake.
+
+CLANG_DATABASE_PATH =
+
 #---------------------------------------------------------------------------
 # Configuration options related to the alphabetical class index
 #---------------------------------------------------------------------------
@@ -1013,13 +1189,6 @@ CLANG_OPTIONS =
 ALPHABETICAL_INDEX = NO
-# The COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns in
-# which the alphabetical index list will be split.
-# Minimum value: 1, maximum value: 20, default value: 5.
-# This tag requires that the tag ALPHABETICAL_INDEX is set to YES.
-
-COLS_IN_ALPHA_INDEX = 5
-
 # In case all classes in a project start with a common prefix, all classes will
 # be put under the same header in the alphabetical index. The IGNORE_PREFIX tag
 # can be used to specify a prefix (or a list of prefixes) that should be ignored
@@ -1119,8 +1288,8 @@ HTML_EXTRA_FILES =
 # The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. Doxygen
 # will adjust the colors in the style sheet and background images according to
-# this color. Hue is specified as an angle on a colorwheel, see
-# http://en.wikipedia.org/wiki/Hue for more information. For instance the value
+# this color. Hue is specified as an angle on a color-wheel, see
+# https://en.wikipedia.org/wiki/Hue for more information. For instance the value
 # 0 represents red, 60 is yellow, 120 is green, 180 is cyan, 240 is blue, 300
 # purple, and 360 is red again.
 # Minimum value: 0, maximum value: 359, default value: 220.
@@ -1129,7 +1298,7 @@ HTML_EXTRA_FILES =
 HTML_COLORSTYLE_HUE = 220
 # The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of the colors
-# in the HTML output. For a value of 0 the output will use grayscales only. A
+# in the HTML output. For a value of 0 the output will use gray-scales only. A
 # value of 255 will produce the most vivid colors.
 # Minimum value: 0, maximum value: 255, default value: 100.
 # This tag requires that the tag GENERATE_HTML is set to YES.
@@ -1156,6 +1325,17 @@ HTML_COLORSTYLE_GAMMA = 80
 HTML_TIMESTAMP = YES
+# If the HTML_DYNAMIC_MENUS tag is set to YES then the generated HTML
+# documentation will contain a main index with vertical navigation menus that
+# are dynamically created via JavaScript. If disabled, the navigation index will
+# consists of multiple levels of tabs that are statically embedded in every HTML
+# page. Disable this option to support browsers that do not have JavaScript,
+# like the Qt help browser.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_DYNAMIC_MENUS = YES
+
 # If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML
 # documentation will contain sections that can be hidden and shown after the
 # page has loaded.
@@ -1179,13 +1359,14 @@ HTML_INDEX_NUM_ENTRIES = 100
 # If the GENERATE_DOCSET tag is set to YES, additional index files will be
 # generated that can be used as input for Apple's Xcode 3 integrated development
-# environment (see: http://developer.apple.com/tools/xcode/), introduced with
-# OSX 10.5 (Leopard). To create a documentation set, doxygen will generate a
-# Makefile in the HTML output directory. Running make will produce the docset in
-# that directory and running make install will install the docset in
+# environment (see:
+# https://developer.apple.com/xcode/), introduced with OSX 10.5 (Leopard). To
+# create a documentation set, doxygen will generate a Makefile in the HTML
+# output directory. Running make will produce the docset in that directory and
+# running make install will install the docset in
 # ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find it at
-# startup. See http://developer.apple.com/tools/creatingdocsetswithdoxygen.html
-# for more information.
+# startup. See https://developer.apple.com/library/archive/featuredarticles/Doxy
+# genXcode/_index.html for more information.
 # The default value is: NO.
 # This tag requires that the tag GENERATE_HTML is set to YES.
@@ -1199,6 +1380,13 @@ GENERATE_DOCSET = NO
 DOCSET_FEEDNAME = "Doxygen generated docs"
+# This tag determines the URL of the docset feed. A documentation feed provides
+# an umbrella under which multiple documentation sets from a single provider
+# (such as a company or product suite) can be grouped.
+# This tag requires that the tag GENERATE_DOCSET is set to YES.
+
+DOCSET_FEEDURL =
+
 # This tag specifies a string that should uniquely identify the documentation
 # set bundle. This should be a reverse domain-name style string, e.g.
 # com.mycompany.MyDocSet. Doxygen will append .docset to the name.
@@ -1224,8 +1412,12 @@ DOCSET_PUBLISHER_NAME = Publisher
 # If the GENERATE_HTMLHELP tag is set to YES then doxygen generates three
 # additional HTML index files: index.hhp, index.hhc, and index.hhk. The
 # index.hhp is a project file that can be read by Microsoft's HTML Help Workshop
-# (see: http://www.microsoft.com/en-us/download/details.aspx?id=21138) on
-# Windows.
+# on Windows. In the beginning of 2021 Microsoft took the original page, with
+# a.o. the download links, offline the HTML help workshop was already many years
+# in maintenance mode). You can download the HTML help workshop from the web
+# archives at Installation executable (see:
+# http://web.archive.org/web/20160201063255/http://download.microsoft.com/downlo
+# ad/0/A/9/0A939EF6-E31C-430F-A3DF-DFAE7960D564/htmlhelp.exe).
 #
 # The HTML Help Workshop contains a compiler that can convert all HTML output
 # generated by doxygen into a single compiled HTML file (.chm). Compiled HTML
@@ -1255,7 +1447,7 @@ CHM_FILE =
 HHC_LOCATION =
 # The GENERATE_CHI flag controls if a separate .chi index file is generated
-# (YES) or that it should be included in the master .chm file (NO).
+# (YES) or that it should be included in the main .chm file (NO).
 # The default value is: NO.
 # This tag requires that the tag GENERATE_HTMLHELP is set to YES.
@@ -1300,7 +1492,8 @@ QCH_FILE =
 # The QHP_NAMESPACE tag specifies the namespace to use when generating Qt Help
 # Project output. For more information please see Qt Help Project / Namespace
-# (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#namespace).
+# (see:
+# https://doc.qt.io/archives/qt-4.8/qthelpproject.html#namespace).
 # The default value is: org.doxygen.Project.
 # This tag requires that the tag GENERATE_QHP is set to YES.
@@ -1308,8 +1501,8 @@ QHP_NAMESPACE = org.doxygen.Project
 # The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating Qt
 # Help Project output. For more information please see Qt Help Project / Virtual
-# Folders (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#virtual-
-# folders).
+# Folders (see:
+# https://doc.qt.io/archives/qt-4.8/qthelpproject.html#virtual-folders).
 # The default value is: doc.
 # This tag requires that the tag GENERATE_QHP is set to YES.
@@ -1317,30 +1510,30 @@ QHP_VIRTUAL_FOLDER = doc
 # If the QHP_CUST_FILTER_NAME tag is set, it specifies the name of a custom
 # filter to add. For more information please see Qt Help Project / Custom
-# Filters (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#custom-
-# filters).
+# Filters (see:
+# https://doc.qt.io/archives/qt-4.8/qthelpproject.html#custom-filters).
 # This tag requires that the tag GENERATE_QHP is set to YES.
 QHP_CUST_FILTER_NAME =
 # The QHP_CUST_FILTER_ATTRS tag specifies the list of the attributes of the
 # custom filter to add. For more information please see Qt Help Project / Custom
-# Filters (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#custom-
-# filters).
+# Filters (see:
+# https://doc.qt.io/archives/qt-4.8/qthelpproject.html#custom-filters).
 # This tag requires that the tag GENERATE_QHP is set to YES.
 QHP_CUST_FILTER_ATTRS =
 # The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this
 # project's filter section matches. Qt Help Project / Filter Attributes (see:
-# http://qt-project.org/doc/qt-4.8/qthelpproject.html#filter-attributes).
+# https://doc.qt.io/archives/qt-4.8/qthelpproject.html#filter-attributes).
 # This tag requires that the tag GENERATE_QHP is set to YES.
 QHP_SECT_FILTER_ATTRS =
-# The QHG_LOCATION tag can be used to specify the location of Qt's
-# qhelpgenerator. If non-empty doxygen will try to run qhelpgenerator on the
-# generated .qhp file.
+# The QHG_LOCATION tag can be used to specify the location (absolute path
+# including file name) of Qt's qhelpgenerator. If non-empty doxygen will try to
+# run qhelpgenerator on the generated .qhp file.
 # This tag requires that the tag GENERATE_QHP is set to YES.
 QHG_LOCATION =
@@ -1383,16 +1576,28 @@ DISABLE_INDEX = NO
 # to work a browser that supports JavaScript, DHTML, CSS and frames is required
 # (i.e. any modern browser). Windows users are probably better off using the
 # HTML help feature. Via custom style sheets (see HTML_EXTRA_STYLESHEET) one can
-# further fine-tune the look of the index. As an example, the default style
-# sheet generated by doxygen has an example that shows how to put an image at
-# the root of the tree instead of the PROJECT_NAME. Since the tree basically has
-# the same information as the tab index, you could consider setting
-# DISABLE_INDEX to YES when enabling this option.
+# further fine tune the look of the index (see "Fine-tuning the output"). As an
+# example, the default style sheet generated by doxygen has an example that
+# shows how to put an image at the root of the tree instead of the PROJECT_NAME.
+# Since the tree basically has the same information as the tab index, you could
+# consider setting DISABLE_INDEX to YES when enabling this option.
 # The default value is: NO.
 # This tag requires that the tag GENERATE_HTML is set to YES.
 GENERATE_TREEVIEW = NO
+# When both GENERATE_TREEVIEW and DISABLE_INDEX are set to YES, then the
+# FULL_SIDEBAR option determines if the side bar is limited to only the treeview
+# area (value NO) or if it should extend to the full height of the window (value
+# YES). Setting this to YES gives a layout similar to
+# https://docs.readthedocs.io with more room for contents, but less room for the
+# project logo, title, and description. If either GENERATE_TREEVIEW or
+# DISABLE_INDEX is set to NO, this option has no effect.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+FULL_SIDEBAR = NO
+
 # The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values that
 # doxygen will group on one line in the generated HTML documentation.
 #
@@ -1417,6 +1622,24 @@ TREEVIEW_WIDTH = 250
 EXT_LINKS_IN_WINDOW = NO
+# If the OBFUSCATE_EMAILS tag is set to YES, doxygen will obfuscate email
+# addresses.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+OBFUSCATE_EMAILS = YES
+
+# If the HTML_FORMULA_FORMAT option is set to svg, doxygen will use the pdf2svg
+# tool (see https://github.com/dawbarton/pdf2svg) or inkscape (see
+# https://inkscape.org) to generate formulas as SVG images instead of PNGs for
+# the HTML output. These images will generally look nicer at scaled resolutions.
+# Possible values are: png (the default) and svg (looks nicer but requires the
+# pdf2svg or inkscape tool).
+# The default value is: png.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_FORMULA_FORMAT = png
+
 # Use this tag to change the font size of LaTeX formulas included as images in
 # the HTML documentation. When you change the font size after a successful
 # doxygen run you need to manually remove any form_*.png images from the HTML
@@ -1426,7 +1649,7 @@ EXT_LINKS_IN_WINDOW = NO
 FORMULA_FONTSIZE = 10
-# Use the FORMULA_TRANPARENT tag to determine whether or not the images
+# Use the FORMULA_TRANSPARENT tag to determine whether or not the images
 # generated for formulas are transparent PNGs. Transparent PNGs are not
 # supported properly for IE 6.0, but are supported on all modern browsers.
 #
@@ -1437,8 +1660,14 @@ FORMULA_FONTSIZE = 10 FORMULA_TRANSPARENT = YES +# The FORMULA_MACROFILE can contain LaTeX \newcommand and \renewcommand commands +# to create new LaTeX commands to be used in formulas as building blocks. See +# the section "Including formulas" for details. + +FORMULA_MACROFILE = + # Enable the USE_MATHJAX option to render LaTeX formulas using MathJax (see -# http://www.mathjax.org) which uses client side Javascript for the rendering +# https://www.mathjax.org) which uses client side JavaScript for the rendering # instead of using pre-rendered bitmaps. Use this if you do not have LaTeX # installed or if you want to formulas look prettier in the HTML output. When # enabled you may also need to install MathJax separately and configure the path 
@@ -1448,11 +1677,29 @@ FORMULA_TRANSPARENT = YES USE_MATHJAX = NO +# With MATHJAX_VERSION it is possible to specify the MathJax version to be used. +# Note that the different versions of MathJax have different requirements with +# regards to the different settings, so it is possible that also other MathJax +# settings have to be changed when switching between the different MathJax +# versions. +# Possible values are: MathJax_2 and MathJax_3. +# The default value is: MathJax_2. +# This tag requires that the tag USE_MATHJAX is set to YES. + +MATHJAX_VERSION = MathJax_2 + # When MathJax is enabled you can set the default output format to be used for -# the MathJax output. See the MathJax site (see: -# http://docs.mathjax.org/en/latest/output.html) for more details. +# the MathJax output. For more details about the output format see MathJax +# version 2 (see: +# http://docs.mathjax.org/en/v2.7-latest/output.html) and MathJax version 3 +# (see: +# http://docs.mathjax.org/en/latest/web/components/output.html). # Possible values are: HTML-CSS (which is slower, but has the best -# compatibility), NativeMML (i.e. MathML) and SVG. +# compatibility. This is the name for Mathjax version 2, for MathJax version 3 +# this will be translated into chtml), NativeMML (i.e. MathML. Only supported +# for NathJax 2. For MathJax version 3 chtml will be used instead.), chtml (This +# is the name for Mathjax version 3, for MathJax version 2 this will be +# translated into HTML-CSS) and SVG. # The default value is: HTML-CSS. # This tag requires that the tag USE_MATHJAX is set to YES. 
@@ -1465,22 +1712,29 @@ MATHJAX_FORMAT = HTML-CSS # MATHJAX_RELPATH should be ../mathjax. The default value points to the MathJax # Content Delivery Network so you can quickly see the result without installing # MathJax. However, it is strongly recommended to install a local copy of -# MathJax from http://www.mathjax.org before deployment. -# The default value is: http://cdn.mathjax.org/mathjax/latest. +# MathJax from https://www.mathjax.org before deployment. The default value is: +# - in case of MathJax version 2: https://cdn.jsdelivr.net/npm/mathjax@2 +# - in case of MathJax version 3: https://cdn.jsdelivr.net/npm/mathjax@3 # This tag requires that the tag USE_MATHJAX is set to YES. MATHJAX_RELPATH = http://cdn.mathjax.org/mathjax/latest # The MATHJAX_EXTENSIONS tag can be used to specify one or more MathJax # extension names that should be enabled during MathJax rendering. For example +# for MathJax version 2 (see +# https://docs.mathjax.org/en/v2.7-latest/tex.html#tex-and-latex-extensions): # MATHJAX_EXTENSIONS = TeX/AMSmath TeX/AMSsymbols +# For example for MathJax version 3 (see +# http://docs.mathjax.org/en/latest/input/tex/extensions/index.html): +# MATHJAX_EXTENSIONS = ams # This tag requires that the tag USE_MATHJAX is set to YES. MATHJAX_EXTENSIONS = # The MATHJAX_CODEFILE tag can be used to specify a file with javascript pieces # of code that will be used on startup of the MathJax code. See the MathJax site -# (see: http://docs.mathjax.org/en/latest/output.html) for more details. For an +# (see: +# http://docs.mathjax.org/en/v2.7-latest/output.html) for more details. For an # example see the documentation. # This tag requires that the tag USE_MATHJAX is set to YES. 
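Review bot: `MATHJAX_RELPATH = http://cdn.mathjax.org/mathjax/latest` is kept as a context line while the rewritten comment directly above it now states that the default is https://cdn.jsdelivr.net/npm/mathjax@2, so the setting contradicts its own documentation and still names a plaintext http URL on the old cdn.mathjax.org host. Because `USE_MATHJAX = NO` in the preceding hunk, this is latent today, but anyone who flips that switch would get generated HTML that loads script over http from a host the project does not control. Either clear the value so doxygen's own default applies, `MATHJAX_RELPATH =`, or set it to the https default the comment names, `MATHJAX_RELPATH = https://cdn.jsdelivr.net/npm/mathjax@2`; the comment's own advice to ship a local copy before deployment is the better option.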
@@ -1508,7 +1762,7 @@ MATHJAX_CODEFILE = SEARCHENGINE = NO # When the SERVER_BASED_SEARCH tag is enabled the search engine will be -# implemented using a web server instead of a web client using Javascript. There +# implemented using a web server instead of a web client using JavaScript. There # are two flavors of web server based searching depending on the EXTERNAL_SEARCH # setting. When disabled, doxygen will generate a PHP script for searching and # an index file used by the script. When EXTERNAL_SEARCH is enabled the indexing @@ -1527,7 +1781,8 @@ SERVER_BASED_SEARCH = NO # # Doxygen ships with an example indexer (doxyindexer) and search engine # (doxysearch.cgi) which are based on the open source search engine library -# Xapian (see: http://xapian.org/). +# Xapian (see: +# https://xapian.org/). # # See the section "External Indexing and Searching" for details. # The default value is: NO. @@ -1540,8 +1795,9 @@ EXTERNAL_SEARCH = NO # # Doxygen ships with an example indexer (doxyindexer) and search engine # (doxysearch.cgi) which are based on the open source search engine library -# Xapian (see: http://xapian.org/). See the section "External Indexing and -# Searching" for details. +# Xapian (see: +# https://xapian.org/). See the section "External Indexing and Searching" for +# details. # This tag requires that the tag SEARCHENGINE is set to YES. SEARCHENGINE_URL = 
@@ -1592,21 +1848,35 @@ LATEX_OUTPUT = latex # The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be # invoked. # -# Note that when enabling USE_PDFLATEX this option is only used for generating -# bitmaps for formulas in the HTML output, but not in the Makefile that is -# written to the output directory. -# The default file is: latex. +# Note that when not enabling USE_PDFLATEX the default is latex when enabling +# USE_PDFLATEX the default is pdflatex and when in the later case latex is +# chosen this is overwritten by pdflatex. For specific output languages the +# default can have been set differently, this depends on the implementation of +# the output language. # This tag requires that the tag GENERATE_LATEX is set to YES. LATEX_CMD_NAME = latex # The MAKEINDEX_CMD_NAME tag can be used to specify the command name to generate # index for LaTeX. +# Note: This tag is used in the Makefile / make.bat. +# See also: LATEX_MAKEINDEX_CMD for the part in the generated output file +# (.tex). # The default file is: makeindex. # This tag requires that the tag GENERATE_LATEX is set to YES. MAKEINDEX_CMD_NAME = makeindex +# The LATEX_MAKEINDEX_CMD tag can be used to specify the command name to +# generate index for LaTeX. In case there is no backslash (\) as first character +# it will be automatically added in the LaTeX code. +# Note: This tag is used in the generated output file (.tex). +# See also: MAKEINDEX_CMD_NAME for the part in the Makefile / make.bat. +# The default value is: makeindex. +# This tag requires that the tag GENERATE_LATEX is set to YES. + +LATEX_MAKEINDEX_CMD = makeindex + # If the COMPACT_LATEX tag is set to YES, doxygen generates more compact LaTeX # documents. This may be useful for small projects and may help to save some # trees in general. 
@@ -1625,37 +1895,42 @@ COMPACT_LATEX = NO PAPER_TYPE = a4wide # The EXTRA_PACKAGES tag can be used to specify one or more LaTeX package names -# that should be included in the LaTeX output. To get the times font for -# instance you can specify -# EXTRA_PACKAGES=times +# that should be included in the LaTeX output. The package can be specified just +# by its name or with the correct syntax as to be used with the LaTeX +# \usepackage command. To get the times font for instance you can specify : +# EXTRA_PACKAGES=times or EXTRA_PACKAGES={times} +# To use the option intlimits with the amsmath package you can specify: +# EXTRA_PACKAGES=[intlimits]{amsmath} # If left blank no extra packages will be included. # This tag requires that the tag GENERATE_LATEX is set to YES. EXTRA_PACKAGES = -# The LATEX_HEADER tag can be used to specify a personal LaTeX header for the -# generated LaTeX document. The header should contain everything until the first -# chapter. If it is left blank doxygen will generate a standard header. See -# section "Doxygen usage" for information on how to let doxygen write the -# default header to a separate file. +# The LATEX_HEADER tag can be used to specify a user-defined LaTeX header for +# the generated LaTeX document. The header should contain everything until the +# first chapter. If it is left blank doxygen will generate a standard header. It +# is highly recommended to start with a default header using +# doxygen -w latex new_header.tex new_footer.tex new_stylesheet.sty +# and then modify the file new_header.tex. See also section "Doxygen usage" for +# information on how to generate the default header that doxygen normally uses. # -# Note: Only use a user-defined header if you know what you are doing! The -# following commands have a special meaning inside the header: $title, -# $datetime, $date, $doxygenversion, $projectname, $projectnumber, -# $projectbrief, $projectlogo. 
Doxygen will replace $title with the empty -# string, for the replacement values of the other commands the user is referred -# to HTML_HEADER. +# Note: Only use a user-defined header if you know what you are doing! +# Note: The header is subject to change so you typically have to regenerate the +# default header when upgrading to a newer version of doxygen. The following +# commands have a special meaning inside the header (and footer): For a +# description of the possible markers and block names see the documentation. # This tag requires that the tag GENERATE_LATEX is set to YES. LATEX_HEADER = -# The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for the -# generated LaTeX document. The footer should contain everything after the last -# chapter. If it is left blank doxygen will generate a standard footer. See +# The LATEX_FOOTER tag can be used to specify a user-defined LaTeX footer for +# the generated LaTeX document. The footer should contain everything after the +# last chapter. If it is left blank doxygen will generate a standard footer. See # LATEX_HEADER for more information on how to generate a default footer and what -# special commands can be used inside the footer. -# -# Note: Only use a user-defined footer if you know what you are doing! +# special commands can be used inside the footer. See also section "Doxygen +# usage" for information on how to generate the default footer that doxygen +# normally uses. Note: Only use a user-defined footer if you know what you are +# doing! # This tag requires that the tag GENERATE_LATEX is set to YES. LATEX_FOOTER = 
@@ -1688,9 +1963,11 @@ LATEX_EXTRA_FILES = PDF_HYPERLINKS = NO -# If the USE_PDFLATEX tag is set to YES, doxygen will use pdflatex to generate -# the PDF file directly from the LaTeX files. Set this option to YES, to get a -# higher quality PDF documentation. +# If the USE_PDFLATEX tag is set to YES, doxygen will use the engine as +# specified with LATEX_CMD_NAME to generate the PDF file directly from the LaTeX +# files. Set this option to YES, to get a higher quality PDF documentation. +# +# See also section LATEX_CMD_NAME for selecting the engine. # The default value is: YES. # This tag requires that the tag GENERATE_LATEX is set to YES. @@ -1698,8 +1975,7 @@ USE_PDFLATEX = NO # If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \batchmode # command to the generated LaTeX files. This will instruct LaTeX to keep running -# if errors occur, instead of asking the user for help. This option is also used -# when generating formulas in HTML. +# if errors occur, instead of asking the user for help. # The default value is: NO. # This tag requires that the tag GENERATE_LATEX is set to YES. 
@@ -1712,24 +1988,30 @@ LATEX_BATCHMODE = NO LATEX_HIDE_INDICES = NO -# If the LATEX_SOURCE_CODE tag is set to YES then doxygen will include source -# code with syntax highlighting in the LaTeX output. -# -# Note that which sources are shown also depends on other settings such as -# SOURCE_BROWSER. -# The default value is: NO. -# This tag requires that the tag GENERATE_LATEX is set to YES. - -LATEX_SOURCE_CODE = NO - # The LATEX_BIB_STYLE tag can be used to specify the style to use for the # bibliography, e.g. plainnat, or ieeetr. See -# http://en.wikipedia.org/wiki/BibTeX and \cite for more info. +# https://en.wikipedia.org/wiki/BibTeX and \cite for more info. # The default value is: plain. # This tag requires that the tag GENERATE_LATEX is set to YES. LATEX_BIB_STYLE = plain +# If the LATEX_TIMESTAMP tag is set to YES then the footer of each generated +# page will contain the date and time when the page was generated. Setting this +# to NO can help when comparing the output of multiple runs. +# The default value is: NO. +# This tag requires that the tag GENERATE_LATEX is set to YES. + +LATEX_TIMESTAMP = NO + +# The LATEX_EMOJI_DIRECTORY tag is used to specify the (relative or absolute) +# path from which the emoji images will be read. If a relative path is entered, +# it will be relative to the LATEX_OUTPUT directory. If left blank the +# LATEX_OUTPUT directory will be used. +# This tag requires that the tag GENERATE_LATEX is set to YES. + +LATEX_EMOJI_DIRECTORY = + #--------------------------------------------------------------------------- # Configuration options related to the RTF output #--------------------------------------------------------------------------- 
@@ -1769,9 +2051,9 @@ COMPACT_RTF = NO RTF_HYPERLINKS = NO -# Load stylesheet definitions from file. Syntax is similar to doxygen's config -# file, i.e. a series of assignments. You only have to provide replacements, -# missing definitions are set to their default value. +# Load stylesheet definitions from file. Syntax is similar to doxygen's +# configuration file, i.e. a series of assignments. You only have to provide +# replacements, missing definitions are set to their default value. # # See also section "Doxygen usage" for information on how to generate the # default style sheet that doxygen normally uses. @@ -1780,22 +2062,12 @@ RTF_HYPERLINKS = NO RTF_STYLESHEET_FILE = # Set optional variables used in the generation of an RTF document. Syntax is -# similar to doxygen's config file. A template extensions file can be generated -# using doxygen -e rtf extensionFile. +# similar to doxygen's configuration file. A template extensions file can be +# generated using doxygen -e rtf extensionFile. # This tag requires that the tag GENERATE_RTF is set to YES. RTF_EXTENSIONS_FILE = -# If the RTF_SOURCE_CODE tag is set to YES then doxygen will include source code -# with syntax highlighting in the RTF output. -# -# Note that which sources are shown also depends on other settings such as -# SOURCE_BROWSER. -# The default value is: NO. -# This tag requires that the tag GENERATE_RTF is set to YES. - -RTF_SOURCE_CODE = NO - #--------------------------------------------------------------------------- # Configuration options related to the man page output #--------------------------------------------------------------------------- 
@@ -1867,6 +2139,13 @@ XML_OUTPUT = xml XML_PROGRAMLISTING = YES +# If the XML_NS_MEMB_FILE_SCOPE tag is set to YES, doxygen will include +# namespace members in file scope as well, matching the HTML output. +# The default value is: NO. +# This tag requires that the tag GENERATE_XML is set to YES. + +XML_NS_MEMB_FILE_SCOPE = NO + #--------------------------------------------------------------------------- # Configuration options related to the DOCBOOK output #--------------------------------------------------------------------------- @@ -1885,23 +2164,14 @@ GENERATE_DOCBOOK = NO DOCBOOK_OUTPUT = docbook -# If the DOCBOOK_PROGRAMLISTING tag is set to YES, doxygen will include the -# program listings (including syntax highlighting and cross-referencing -# information) to the DOCBOOK output. Note that enabling this will significantly -# increase the size of the DOCBOOK output. -# The default value is: NO. -# This tag requires that the tag GENERATE_DOCBOOK is set to YES. - -DOCBOOK_PROGRAMLISTING = NO - #--------------------------------------------------------------------------- # Configuration options for the AutoGen Definitions output #--------------------------------------------------------------------------- # If the GENERATE_AUTOGEN_DEF tag is set to YES, doxygen will generate an -# AutoGen Definitions (see http://autogen.sf.net) file that captures the -# structure of the code including all documentation. Note that this feature is -# still experimental and incomplete at the moment. +# AutoGen Definitions (see http://autogen.sourceforge.net/) file that captures +# the structure of the code including all documentation. Note that this feature +# is still experimental and incomplete at the moment. # The default value is: NO. GENERATE_AUTOGEN_DEF = NO 
@@ -1980,7 +2250,8 @@ SEARCH_INCLUDES = YES # The INCLUDE_PATH tag can be used to specify one or more directories that # contain include files that are not input files but should be processed by the -# preprocessor. +# preprocessor. Note that the INCLUDE_PATH is not recursive, so the setting of +# RECURSIVE has no effect here. # This tag requires that the tag SEARCH_INCLUDES is set to YES. INCLUDE_PATH = @@ -2068,34 +2339,10 @@ EXTERNAL_GROUPS = YES EXTERNAL_PAGES = YES -# The PERL_PATH should be the absolute path and name of the perl script -# interpreter (i.e. the result of 'which perl'). -# The default file (with absolute path) is: /usr/bin/perl. - -PERL_PATH = /usr/bin/perl - #--------------------------------------------------------------------------- # Configuration options related to the dot tool #--------------------------------------------------------------------------- -# If the CLASS_DIAGRAMS tag is set to YES, doxygen will generate a class diagram -# (in HTML and LaTeX) for classes with base or super classes. Setting the tag to -# NO turns the diagrams off. Note that this option also works with HAVE_DOT -# disabled, but it is recommended to install and use dot, since it yields more -# powerful graphs. -# The default value is: YES. - -CLASS_DIAGRAMS = YES - -# You can define message sequence charts within doxygen comments using the \msc -# command. Doxygen will then run the mscgen tool (see: -# http://www.mcternan.me.uk/mscgen/)) to produce the chart and insert it in the -# documentation. The MSCGEN_PATH tag allows you to specify the directory where -# the mscgen tool resides. If left empty the tool is assumed to be found in the -# default search path. - -MSCGEN_PATH = - # You can include diagrams made with dia in doxygen documentation. Doxygen will # then run dia to produce the diagram and insert it in the documentation. The # DIA_PATH tag allows you to specify the directory where the dia binary resides. 
@@ -2152,11 +2399,14 @@ DOT_FONTSIZE = 10 DOT_FONTPATH = -# If the CLASS_GRAPH tag is set to YES then doxygen will generate a graph for -# each documented class showing the direct and indirect inheritance relations. -# Setting this tag to YES will force the CLASS_DIAGRAMS tag to NO. +# If the CLASS_GRAPH tag is set to YES (or GRAPH) then doxygen will generate a +# graph for each documented class showing the direct and indirect inheritance +# relations. In case HAVE_DOT is set as well dot will be used to draw the graph, +# otherwise the built-in generator will be used. If the CLASS_GRAPH tag is set +# to TEXT the direct and indirect inheritance relations will be shown as texts / +# links. +# Possible values are: NO, YES, TEXT and GRAPH. # The default value is: YES. -# This tag requires that the tag HAVE_DOT is set to YES. CLASS_GRAPH = YES @@ -2170,7 +2420,8 @@ CLASS_GRAPH = YES COLLABORATION_GRAPH = YES # If the GROUP_GRAPHS tag is set to YES then doxygen will generate a graph for -# groups, showing the direct groups dependencies. +# groups, showing the direct groups dependencies. See also the chapter Grouping +# in the manual. # The default value is: YES. # This tag requires that the tag HAVE_DOT is set to YES. 
@@ -2193,10 +2444,32 @@ UML_LOOK = NO # but if the number exceeds 15, the total amount of fields shown is limited to # 10. # Minimum value: 0, maximum value: 100, default value: 10. -# This tag requires that the tag HAVE_DOT is set to YES. +# This tag requires that the tag UML_LOOK is set to YES. UML_LIMIT_NUM_FIELDS = 10 +# If the DOT_UML_DETAILS tag is set to NO, doxygen will show attributes and +# methods without types and arguments in the UML graphs. If the DOT_UML_DETAILS +# tag is set to YES, doxygen will add type and arguments for attributes and +# methods in the UML graphs. If the DOT_UML_DETAILS tag is set to NONE, doxygen +# will not generate fields with class member information in the UML graphs. The +# class diagrams will look similar to the default class diagrams but using UML +# notation for the relationships. +# Possible values are: NO, YES and NONE. +# The default value is: NO. +# This tag requires that the tag UML_LOOK is set to YES. + +DOT_UML_DETAILS = NO + +# The DOT_WRAP_THRESHOLD tag can be used to set the maximum number of characters +# to display on a single line. If the actual line length exceeds this threshold +# significantly it will wrapped across multiple lines. Some heuristics are apply +# to avoid ugly line breaks. +# Minimum value: 0, maximum value: 1000, default value: 17. +# This tag requires that the tag HAVE_DOT is set to YES. + +DOT_WRAP_THRESHOLD = 17 + # If the TEMPLATE_RELATIONS tag is set to YES then the inheritance and # collaboration graphs will show the relations between templates and their # instances. 
@@ -2228,7 +2501,8 @@ INCLUDED_BY_GRAPH = YES # # Note that enabling this option will significantly increase the time of a run. # So in most cases it will be better to enable call graphs for selected -# functions only using the \callgraph command. +# functions only using the \callgraph command. Disabling a call graph can be +# accomplished by means of the command \hidecallgraph. # The default value is: NO. # This tag requires that the tag HAVE_DOT is set to YES. @@ -2239,7 +2513,8 @@ CALL_GRAPH = NO # # Note that enabling this option will significantly increase the time of a run. # So in most cases it will be better to enable caller graphs for selected -# functions only using the \callergraph command. +# functions only using the \callergraph command. Disabling a caller graph can be +# accomplished by means of the command \hidecallergraph. # The default value is: NO. # This tag requires that the tag HAVE_DOT is set to YES. 
@@ -2261,14 +2536,24 @@ GRAPHICAL_HIERARCHY = YES DIRECTORY_GRAPH = YES +# The DIR_GRAPH_MAX_DEPTH tag can be used to limit the maximum number of levels +# of child directories generated in directory dependency graphs by dot. +# Minimum value: 1, maximum value: 25, default value: 1. +# This tag requires that the tag DIRECTORY_GRAPH is set to YES. + +DIR_GRAPH_MAX_DEPTH = 1 + # The DOT_IMAGE_FORMAT tag can be used to set the image format of the images -# generated by dot. +# generated by dot. For an explanation of the image formats see the section +# output formats in the documentation of the dot tool (Graphviz (see: +# http://www.graphviz.org/)). # Note: If you choose svg you need to set HTML_FILE_EXTENSION to xhtml in order # to make the SVG files visible in IE 9+ (other browsers do not have this # requirement). -# Possible values are: png, png:cairo, png:cairo:cairo, png:cairo:gd, png:gd, -# png:gd:gd, jpg, jpg:cairo, jpg:cairo:gd, jpg:gd, jpg:gd:gd, gif, gif:cairo, -# gif:cairo:gd, gif:gd, gif:gd:gd and svg. +# Possible values are: png, jpg, jpg:cairo, jpg:cairo:gd, jpg:gd, jpg:gd:gd, +# gif, gif:cairo, gif:cairo:gd, gif:gd, gif:gd:gd, svg, png:gd, png:gd:gd, +# png:cairo, png:cairo:gd, png:cairo:cairo, png:cairo:gdiplus, png:gdiplus and +# png:gdiplus:gdiplus. # The default value is: png. # This tag requires that the tag HAVE_DOT is set to YES. 
@@ -2312,13 +2597,18 @@ MSCFILE_DIRS = DIAFILE_DIRS = # When using plantuml, the PLANTUML_JAR_PATH tag should be used to specify the -# path where java can find the plantuml.jar file. If left blank, it is assumed -# PlantUML is not used or called during a preprocessing step. Doxygen will -# generate a warning when it encounters a \startuml command in this case and -# will not generate output for the diagram. +# path where java can find the plantuml.jar file or to the filename of jar file +# to be used. If left blank, it is assumed PlantUML is not used or called during +# a preprocessing step. Doxygen will generate a warning when it encounters a +# \startuml command in this case and will not generate output for the diagram. PLANTUML_JAR_PATH = +# When using plantuml, the PLANTUML_CFG_FILE tag can be used to specify a +# configuration file for plantuml. + +PLANTUML_CFG_FILE = + # When using plantuml, the specified paths are searched for files specified by # the !include statement in a plantuml block. @@ -2372,14 +2662,18 @@ DOT_MULTI_TARGETS = NO # If the GENERATE_LEGEND tag is set to YES doxygen will generate a legend page # explaining the meaning of the various boxes and arrows in the dot generated # graphs. +# Note: This tag requires that UML_LOOK isn't set, i.e. the doxygen internal +# graphical representation for inheritance and collaboration diagrams is used. # The default value is: YES. # This tag requires that the tag HAVE_DOT is set to YES. GENERATE_LEGEND = YES -# If the DOT_CLEANUP tag is set to YES, doxygen will remove the intermediate dot +# If the DOT_CLEANUP tag is set to YES, doxygen will remove the intermediate # files that are used to generate the various graphs. +# +# Note: This setting is not only used for dot files but also for msc temporary +# files. # The default value is: YES. -# This tag requires that the tag HAVE_DOT is set to YES. DOT_CLEANUP = YES From 33da2f75c069b19476bbdf1ccc6b364931cbbaba Mon Sep 17 00:00:00 2001 
From: Ludovic Rousseau Date: Fri, 3 Feb 2023 15:36:56 +0100 Subject: [PATCH 103/111] Fix .github/workflows/codespell.yml --- .github/workflows/codespell.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index 982d785b..d94b2e44 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml @@ -12,7 +12,7 @@ jobs: steps: - uses: actions/checkout@v2 - - uses: codespell-project/actions-codespell@master + - uses: codespell-project/actions-codespell@v1 with: - skip: *.po,base64.*,SSLerrs.h + skip: ./po/de.po,./po/fr.po,./po/nl.po,./po/pt_BR.po ignore_words_file: codespell_ignore_words.txt From 2125b6c4150618c227fb61b1dcaab53bb76309d6 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Fri, 3 Feb 2023 15:41:20 +0100 Subject: [PATCH 104/111] Add .github/workflows/build.yml --- .github/workflows/build.yml | 56 +++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 .github/workflows/build.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 00000000..1e6a81a5 --- /dev/null +++ b/.github/workflows/build.yml 
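Review bot: `- uses: codespell-project/actions-codespell@v1` is an improvement over `@master`, but a tag is still a mutable ref that the action's maintainers, or whoever later controls that repository, can repoint, so a supply-chain-safe pin uses the full commit SHA with the tag kept as a comment: `- uses: codespell-project/actions-codespell@<full-commit-sha> # v1`. The context line `- uses: actions/checkout@v2` is left untouched; v2 runs on a deprecated Node runtime and deserves the same major-version bump and SHA pin. The workflow's top-level `permissions:` block, if any, is outside this hunk, so I cannot tell whether GITHUB_TOKEN is restricted; a spell-check job needs only `permissions:` / `  contents: read`.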
@@ -0,0 +1,56 @@ +name: build + +# Controls when the action will run. Triggers the workflow on push or pull request +# events but only for the master branch +on: [push, pull_request] + +# A workflow run is made up of one or more jobs that can run +# sequentially or in parallel +jobs: + # This workflow contains a single job called "build" + build: + runs-on: ubuntu-latest + + strategy: + matrix: + configure_args: [ + "", + "--with-curl", + "--with-nss", + ] + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job + # can access it + - uses: actions/checkout@v2 + + - name: setup prerequisites + shell: bash + run: | + sudo apt update + sudo apt install \ + docbook-xsl \ + doxygen \ + gettext \ + libcurl4-openssl-dev \ + libldap2-dev \ + libnss3-dev \ + libpam-dev \ + libpcsclite-dev \ + libssl-dev \ + pkg-config \ + xsltproc + + - name: compile + shell: bash + run: | + ./bootstrap + export CFLAGS="-Wall -Wextra -Wformat -Wformat-security -Wmissing-declarations -Wmissing-prototypes -Wold-style-definition -Wpointer-arith -Wredundant-decls -Wshadow -Wstrict-prototypes -Wswitch-enum -Wundef -Wuninitialized -Wunused -Wwrite-strings -Wmissing-noreturn -flto=auto -O2 -Wp,-D_FORTIFY_SOURCE=2" + ./configure ${{ matrix.configure_args }} + make V=1 + + - name: distcheck + shell: bash + run: | + make distcheck From 3fba590d57d877d675363d44b2094062d714a0a8 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Fri, 3 Feb 2023 16:08:28 +0100 Subject: [PATCH 105/111] Fix spelling error Check for spelling errors: doc/mappers_api.xml#L862 ocurrs ==> occurs --- doc/mappers_api.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/mappers_api.xml b/doc/mappers_api.xml index 268acf28..dc834f6c 100644 --- a/doc/mappers_api.xml +++ b/doc/mappers_api.xml 
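Review bot: The new workflow declares no `permissions:` block, so every job runs with the repository's default GITHUB_TOKEN grant, which on older repositories is read/write across contents, packages and pull requests; nothing here needs more than a checkout, so add `permissions:` / `  contents: read` at the top level right after `name: build`. The comment above `on: [push, pull_request]` says the workflow runs "only for the master branch", but no `branches:` filter is present, so either the comment or the trigger is wrong and the two should be reconciled. `actions/checkout@v2` is a deprecated major on a retired Node runtime and a mutable tag; move to a current major and pin by full commit SHA. The `${{ matrix.configure_args }}` expansion inside a `run:` script is safe here only because the matrix values are string literals in this file, not event data; a comment saying so, `# matrix values are literals; never derive them from event payloads`, would stop a later edit from turning this into a shell-injection path.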
@@ -859,7 +859,7 @@ Additionally, when requesting you must provide a va cert_info() returns an array of up to 15 string entries, corresponding to as many entry founds in the provided certificate. Last entry in the returned array is set to NULL; -If some error ocurrs, or the certificate does not contain any entry, return NULL +If some error occurs, or the certificate does not contain any entry, return NULL There are two additional methods to check certificate/signatures: From 4373e0b4e43fcedba49b81b3c57bd5eff0be05f4 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Fri, 3 Feb 2023 16:09:29 +0100 Subject: [PATCH 106/111] Fix spelling error Check for spelling errors: doc/doxygen.conf.in#L88 numer ==> number --- doc/doxygen.conf.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/doxygen.conf.in b/doc/doxygen.conf.in index 14bd6fe2..a3606f60 100644 --- a/doc/doxygen.conf.in +++ b/doc/doxygen.conf.in @@ -85,7 +85,7 @@ CREATE_SUBDIRS = NO # level increment doubles the number of directories, resulting in 4096 # directories at level 8 which is the default and also the maximum value. The # sub-directories are organized in 2 levels, the first level always has a fixed -# numer of 16 directories. +# number of 16 directories. # Minimum value: 0, maximum value: 8, default value: 8. # This tag requires that the tag CREATE_SUBDIRS is set to YES. From 8166b19435d2ee794249f57354506da71e11c181 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Fri, 3 Feb 2023 16:10:28 +0100 Subject: [PATCH 107/111] Fix spelling error Check for spelling errors: src/tools/pkcs11_eventmgr.c#L637 sesion ==> session --- src/tools/pkcs11_eventmgr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tools/pkcs11_eventmgr.c b/src/tools/pkcs11_eventmgr.c index a93883cd..fded69c7 100644 --- a/src/tools/pkcs11_eventmgr.c +++ b/src/tools/pkcs11_eventmgr.c 
@@ -634,7 +634,7 @@ int main(int argc, char *argv[]) } #endif - /* open pkcs11 sesion */ + /* open pkcs11 session */ DBG("initialising pkcs #11 module..."); rv = ph->fl->C_Initialize(NULL); if (rv != 0) From ac6aeed43c664e7fc436d6a05181c021fbab4dc5 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Fri, 3 Feb 2023 16:11:45 +0100 Subject: [PATCH 108/111] Fix spelling error Check for spelling errors: src/common/base64.h#L2 funtions ==> functions Check for spelling errors: src/common/base64.h#L32 lenght ==> length Check for spelling errors: src/common/base64.h#L35 sucess ==> success --- src/common/base64.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/common/base64.h b/src/common/base64.h index b22ef1b1..45824df4 100644 --- a/src/common/base64.h +++ b/src/common/base64.h @@ -1,5 +1,5 @@ /* - * BASE64 Encoding funtions + * BASE64 Encoding functions * Copyright (C) 2001, 2002 Juha Yrj\uffffl\uffff * Copyright (C) 2003-2004 Mario Strasser * Copyright (C) 2005 Juan Antonio Martinez @@ -29,10 +29,10 @@ /** * Encode byte array into a base64 string *@param in Pointer to byte array -*@param len lenght of input data +*@param len length of input data *@param out Pointer to preallocated buffer space *@param outlen Size of buffer -*@return 0 on sucess, -1 on error +*@return 0 on success, -1 on error */ BASE64_EXTERN int base64_encode(const unsigned char *in, size_t len, unsigned char *out, size_t *outlen); From 7c00fac0ceb8bf348677aafb0a79c0b1063b3cf4 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Fri, 3 Feb 2023 16:13:26 +0100 Subject: [PATCH 109/111] Fix spelling error Check for spelling errors: src/common/SSLerrs.h#L241 succesfully ==> successfully --- src/common/SSLerrs.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/common/SSLerrs.h b/src/common/SSLerrs.h index 3ad438d7..7af8c6ac 100644 --- a/src/common/SSLerrs.h +++ b/src/common/SSLerrs.h 
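Review bot: In the base64.h hunk, the spelling fixes leave the contract of `base64_encode`'s `outlen` parameter ambiguous: it is declared `size_t *outlen` but documented only as "Size of buffer", so a caller cannot tell whether it is input-only or an in/out value that receives the encoded length, and getting that wrong is exactly how an over-long write or an unterminated result slips in. The comment should state which it is, e.g. `*@param outlen In: capacity of out; out: bytes written (presumably - confirm against base64.c)`; I cannot see the implementation from here. Separately, patch 111 converts only base64.c to UTF-8 while line 3 of base64.h in this hunk still carries the mis-encoded author name `Juha Yrj\uffffl\uffff`; the same conversion should be applied to the header.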
@@ -238,7 +238,7 @@ ER3(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT , (SSL_ERROR_BASE + 59), "SSL peer was not expecting a handshake message it received.") ER3(SSL_ERROR_DECOMPRESSION_FAILURE_ALERT , (SSL_ERROR_BASE + 60), -"SSL peer was unable to succesfully decompress an SSL record it received.") +"SSL peer was unable to successfully decompress an SSL record it received.") ER3(SSL_ERROR_HANDSHAKE_FAILURE_ALERT , (SSL_ERROR_BASE + 61), "SSL peer was unable to negotiate an acceptable set of security parameters.") From 3d0176b8926707405e6a9ec462ce1bbee1970bb7 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Fri, 3 Feb 2023 16:14:28 +0100 Subject: [PATCH 110/111] Fix spelling error Check for spelling errors: src/common/pkcs11_lib.c#L1646 Sesion ==> Session --- src/common/pkcs11_lib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index 8420e872..2d7cf04e 100644 --- a/src/common/pkcs11_lib.c +++ b/src/common/pkcs11_lib.c @@ -1643,7 +1643,7 @@ cert_object_t **get_certificate_list(pkcs11_handle_t *h, int *ncerts) } /* end of while(1) */ - /* release FindObject Sesion */ + /* release FindObject Session */ rv = h->fl->C_FindObjectsFinal(h->session); if (rv != CKR_OK) { set_error("C_FindObjectsFinal() failed: %i", rv); From 5c1a998485e8e0d02e933de8dd2ec1b6d5d839d8 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Fri, 3 Feb 2023 16:16:05 +0100 Subject: [PATCH 111/111] base64.c: Convert to utf-8 --- src/common/base64.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/common/base64.c b/src/common/base64.c index 9f0b51a2..0a0d9198 100644 --- a/src/common/base64.c +++ b/src/common/base64.c @@ -1,7 +1,7 @@ /* * base64.c: Base64 converting functions * - * Copyright (C) 2001, 2002 Juha Yrjl + * Copyright (C) 2001, 2002 Juha Yrjölä * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public
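Review bot: In the pkcs11_lib.c hunk, `set_error("C_FindObjectsFinal() failed: %i", rv);` formats `rv` with `%i` although `C_FindObjectsFinal` returns `CK_RV`, which the PKCS#11 headers define as `unsigned long`; on LP64 Linux that passes a 64-bit argument where a 32-bit `int` is consumed, which is undefined behaviour per the C standard and, if `set_error` carries a printf-format attribute, trips the `-Wformat` the new build.yml now enables. The declaration of `rv` is outside the hunk, so this assumes it is declared `CK_RV`; if so, change the line to `set_error("C_FindObjectsFinal() failed: 0x%lx", (unsigned long)rv);`, which also prints the CKR_* value in the hex form the specification uses. The same `%i` pattern is likely repeated for other `set_error` calls in this file and is worth a sweep. The enclosing function get_certificate_list starts outside the hunk.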