[packages/pam-pam_pkcs11] - updated to 0.6.10 - added openssl patch (fixes for openssl 1.1.x)
qboosh
qboosh at pld-linux.org
Mon Apr 22 17:58:22 CEST 2019
commit e170801f051378529242a06d81493459fd2b6284
Author: Jakub Bogusz <qboosh at pld-linux.org>
Date: Mon Apr 22 17:58:29 2019 +0200
- updated to 0.6.10
- added openssl patch (fixes for openssl 1.1.x)
pam-pam_pkcs11-openssl.patch | 94 ++++++++++++++++++++++++++++++++++++++++++++
pam-pam_pkcs11.spec | 8 ++--
2 files changed, 99 insertions(+), 3 deletions(-)
---
diff --git a/pam-pam_pkcs11.spec b/pam-pam_pkcs11.spec
index d3e92f1..4bb70af 100644
--- a/pam-pam_pkcs11.spec
+++ b/pam-pam_pkcs11.spec
@@ -8,13 +8,14 @@
Summary: PAM login module that allows a X.509 certificate based user login
Summary(pl.UTF-8): Moduł PAM umożliwiający logowanie się w oparciu o certyfikat X.509
Name: pam-pam_pkcs11
-Version: 0.6.9
-Release: 2
+Version: 0.6.10
+Release: 1
License: LGPL v2.1+
Group: Libraries
#Source0Download: https://github.com/OpenSC/pam_pkcs11/releases
Source0: https://github.com/OpenSC/pam_pkcs11/archive/pam_pkcs11-%{version}.tar.gz
-# Source0-md5: e09e5e54ca92e0610e70eef9170e2355
+# Source0-md5: 8ededc8acdcc6084ad52ee03bdf9e4d3
+Patch0: %{name}-openssl.patch
URL: https://github.com/OpenSC/pam_pkcs11
BuildRequires: autoconf >= 2.69
BuildRequires: automake
@@ -49,6 +50,7 @@ zdalnie CRL.
%prep
%setup -q -n pam_pkcs11-pam_pkcs11-%{version}
+%patch0 -p1
%build
%{__gettextize}
diff --git a/pam-pam_pkcs11-openssl.patch b/pam-pam_pkcs11-openssl.patch
new file mode 100644
index 0000000..34d7a48
--- /dev/null
+++ b/pam-pam_pkcs11-openssl.patch
@@ -0,0 +1,94 @@
+--- pam_pkcs11-pam_pkcs11-0.6.10/src/common/cert_vfy.c.orig 2018-09-11 23:06:08.000000000 +0200
++++ pam_pkcs11-pam_pkcs11-0.6.10/src/common/cert_vfy.c 2019-04-22 17:53:17.862358165 +0200
+@@ -143,20 +143,25 @@
+ static int verify_crl(X509_CRL * crl, X509_STORE_CTX * ctx)
+ {
+ int rv;
+- X509_OBJECT obj;
++ X509_OBJECT *obj = X509_OBJECT_new();
+ EVP_PKEY *pkey = NULL;
+ X509 *issuer_cert;
+
++ if (obj == NULL) {
++ set_error("X509_OBJECT allocation failed");
++ return -1;
++ }
+ /* get issuer certificate */
+- rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), &obj);
++ rv = X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), obj);
+ if (rv <= 0) {
+ set_error("getting the certificate of the crl-issuer failed");
++ X509_OBJECT_free(obj);
+ return -1;
+ }
+ /* extract public key and verify signature */
+- issuer_cert = X509_OBJECT_get0_X509((&obj));
++ issuer_cert = X509_OBJECT_get0_X509(obj);
+ pkey = X509_get_pubkey(issuer_cert);
+- X509_OBJECT_free_contents(&obj);
++ X509_OBJECT_free(obj);
+ if (pkey == NULL) {
+ set_error("getting the issuer's public key failed");
+ return -1;
+@@ -202,14 +207,13 @@
+ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t policy)
+ {
+ int rv, i, j;
+- X509_OBJECT obj;
++ X509_OBJECT *obj;
+ X509_REVOKED *rev = NULL;
+ STACK_OF(DIST_POINT) * dist_points;
+ DIST_POINT *point;
+ GENERAL_NAME *name;
+ X509_CRL *crl;
+ X509 *x509_ca = NULL;
+- EVP_PKEY crl_pkey;
+
+ DBG1("crl policy: %d", policy);
+ if (policy == CRLP_NONE) {
+@@ -227,27 +231,39 @@
+ } else if (policy == CRLP_OFFLINE) {
+ /* OFFLINE */
+ DBG("looking for an dedicated local crl");
+- rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), &obj);
++ obj = X509_OBJECT_new();
++ if (obj == NULL) {
++ set_error("X509_OBJECT allocation failed");
++ return -1;
++ }
++ rv = X509_STORE_CTX_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), obj);
+ if (rv <= 0) {
+ set_error("no dedicated crl available");
++ X509_OBJECT_free(obj);
+ return -1;
+ }
+- crl = X509_OBJECT_get0_X509_CRL((&obj));
+- X509_OBJECT_free_contents(&obj);
++ crl = X509_OBJECT_get0_X509_CRL(obj);
++ X509_OBJECT_free(obj);
+ } else if (policy == CRLP_ONLINE) {
+ /* ONLINE */
+ DBG("extracting crl distribution points");
+ dist_points = X509_get_ext_d2i(x509, NID_crl_distribution_points, NULL, NULL);
+ if (dist_points == NULL) {
+ /* if there is not crl distribution point in the certificate hava a look at the ca certificate */
+- rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), &obj);
++ obj = X509_OBJECT_new();
++ if (obj == NULL) {
++ set_error("X509_OBJECT allocation failed");
++ return -1;
++ }
++ rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), obj);
+ if (rv <= 0) {
+ set_error("no dedicated ca certificate available");
++ X509_OBJECT_free(obj);
+ return -1;
+ }
+- x509_ca = X509_OBJECT_get0_X509((&obj));
++ x509_ca = X509_OBJECT_get0_X509(obj);
+ dist_points = X509_get_ext_d2i(x509_ca, NID_crl_distribution_points, NULL, NULL);
+- X509_OBJECT_free_contents(&obj);
++ X509_OBJECT_free(obj);
+ if (dist_points == NULL) {
+ set_error("neither the user nor the ca certificate does contain a crl distribution point");
+ return -1;
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/pam-pam_pkcs11.git/commitdiff/e170801f051378529242a06d81493459fd2b6284
More information about the pld-cvs-commit
mailing list