[packages/pam-pam_pkcs11] - updated to 0.6.10 - added openssl patch (fixes for openssl 1.1.x)

qboosh qboosh at pld-linux.org
Mon Apr 22 17:58:22 CEST 2019


commit e170801f051378529242a06d81493459fd2b6284
Author: Jakub Bogusz <qboosh at pld-linux.org>
Date:   Mon Apr 22 17:58:29 2019 +0200

    - updated to 0.6.10
    - added openssl patch (fixes for openssl 1.1.x)

 pam-pam_pkcs11-openssl.patch | 94 ++++++++++++++++++++++++++++++++++++++++++++
 pam-pam_pkcs11.spec          |  8 ++--
 2 files changed, 99 insertions(+), 3 deletions(-)
---
diff --git a/pam-pam_pkcs11.spec b/pam-pam_pkcs11.spec
index d3e92f1..4bb70af 100644
--- a/pam-pam_pkcs11.spec
+++ b/pam-pam_pkcs11.spec
@@ -8,13 +8,14 @@
 Summary:	PAM login module that allows a X.509 certificate based user login
 Summary(pl.UTF-8):	Moduł PAM umożliwiający logowanie się w oparciu o certyfikat X.509
 Name:		pam-pam_pkcs11
-Version:	0.6.9
-Release:	2
+Version:	0.6.10
+Release:	1
 License:	LGPL v2.1+
 Group:		Libraries
 #Source0Download: https://github.com/OpenSC/pam_pkcs11/releases
 Source0:	https://github.com/OpenSC/pam_pkcs11/archive/pam_pkcs11-%{version}.tar.gz
-# Source0-md5:	e09e5e54ca92e0610e70eef9170e2355
+# Source0-md5:	8ededc8acdcc6084ad52ee03bdf9e4d3
+Patch0:		%{name}-openssl.patch
 URL:		https://github.com/OpenSC/pam_pkcs11
 BuildRequires:	autoconf >= 2.69
 BuildRequires:	automake
@@ -49,6 +50,7 @@ zdalnie CRL.
 
 %prep
 %setup -q -n pam_pkcs11-pam_pkcs11-%{version}
+%patch0 -p1
 
 %build
 %{__gettextize}
diff --git a/pam-pam_pkcs11-openssl.patch b/pam-pam_pkcs11-openssl.patch
new file mode 100644
index 0000000..34d7a48
--- /dev/null
+++ b/pam-pam_pkcs11-openssl.patch
@@ -0,0 +1,94 @@
+--- pam_pkcs11-pam_pkcs11-0.6.10/src/common/cert_vfy.c.orig	2018-09-11 23:06:08.000000000 +0200
++++ pam_pkcs11-pam_pkcs11-0.6.10/src/common/cert_vfy.c	2019-04-22 17:53:17.862358165 +0200
+@@ -143,20 +143,25 @@
+ static int verify_crl(X509_CRL * crl, X509_STORE_CTX * ctx)
+ {
+   int rv;
+-  X509_OBJECT obj;
++  X509_OBJECT *obj = X509_OBJECT_new();
+   EVP_PKEY *pkey = NULL;
+   X509 *issuer_cert;
+ 
++  if (obj == NULL) {
++    set_error("X509_OBJECT allocation failed");
++    return -1;
++  }
+   /* get issuer certificate */
+-  rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), &obj);
++  rv = X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), obj);
+   if (rv <= 0) {
+     set_error("getting the certificate of the crl-issuer failed");
++    X509_OBJECT_free(obj);
+     return -1;
+   }
+   /* extract public key and verify signature */
+-  issuer_cert = X509_OBJECT_get0_X509((&obj));
++  issuer_cert = X509_OBJECT_get0_X509(obj);
+   pkey = X509_get_pubkey(issuer_cert);
+-  X509_OBJECT_free_contents(&obj);
++  X509_OBJECT_free(obj);
+   if (pkey == NULL) {
+     set_error("getting the issuer's public key failed");
+     return -1;
+@@ -202,14 +207,13 @@
+ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t policy)
+ {
+   int rv, i, j;
+-  X509_OBJECT obj;
++  X509_OBJECT *obj;
+   X509_REVOKED *rev = NULL;
+   STACK_OF(DIST_POINT) * dist_points;
+   DIST_POINT *point;
+   GENERAL_NAME *name;
+   X509_CRL *crl;
+   X509 *x509_ca = NULL;
+-  EVP_PKEY crl_pkey;
+ 
+   DBG1("crl policy: %d", policy);
+   if (policy == CRLP_NONE) {
+@@ -227,27 +231,39 @@
+   } else if (policy == CRLP_OFFLINE) {
+     /* OFFLINE */
+     DBG("looking for an dedicated local crl");
+-    rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), &obj);
++    obj = X509_OBJECT_new();
++    if (obj == NULL) {
++      set_error("X509_OBJECT allocation failed");
++      return -1;
++    }
++    rv = X509_STORE_CTX_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), obj);
+     if (rv <= 0) {
+       set_error("no dedicated crl available");
++      X509_OBJECT_free(obj);
+       return -1;
+     }
+-    crl = X509_OBJECT_get0_X509_CRL((&obj));
+-    X509_OBJECT_free_contents(&obj);
++    crl = X509_OBJECT_get0_X509_CRL(obj);
++    X509_OBJECT_free(obj);
+   } else if (policy == CRLP_ONLINE) {
+     /* ONLINE */
+     DBG("extracting crl distribution points");
+     dist_points = X509_get_ext_d2i(x509, NID_crl_distribution_points, NULL, NULL);
+     if (dist_points == NULL) {
+       /* if there is not crl distribution point in the certificate hava a look at the ca certificate */
+-      rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), &obj);
++      obj = X509_OBJECT_new();
++      if (obj == NULL) {
++        set_error("X509_OBJECT allocation failed");
++        return -1;
++      }
++      rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), obj);
+       if (rv <= 0) {
+         set_error("no dedicated ca certificate available");
++	X509_OBJECT_free(obj);
+         return -1;
+       }
+-      x509_ca = X509_OBJECT_get0_X509((&obj));
++      x509_ca = X509_OBJECT_get0_X509(obj);
+       dist_points = X509_get_ext_d2i(x509_ca, NID_crl_distribution_points, NULL, NULL);
+-      X509_OBJECT_free_contents(&obj);
++      X509_OBJECT_free(obj);
+       if (dist_points == NULL) {
+         set_error("neither the user nor the ca certificate does contain a crl distribution point");
+         return -1;
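Review bot: The ONLINE branch of check_for_revocation still calls `X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), obj)`, while the other two lookups in this patch were switched to `X509_STORE_CTX_get_by_subject`. As far as I know the old name survives in OpenSSL 1.1.x only as a deprecated compatibility alias, so this call should be renamed too, otherwise the build breaks when deprecated APIs are disabled. Separately, in the OFFLINE branch `crl` is a borrowed pointer from `X509_OBJECT_get0_X509_CRL(obj)`, and `X509_OBJECT_free(obj)` drops the lookup's reference on the very next line. The function continues outside the hunk; if `crl` is used there, the revocation check depends on the store still holding that CRL. Calling `X509_CRL_up_ref(crl)` before the free, with a matching `X509_CRL_free(crl)` once the check is done, would remove that dependency.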
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/pam-pam_pkcs11.git/commitdiff/e170801f051378529242a06d81493459fd2b6284


