[pkg-opensc-commit] [pam-p11] 02/66: initial checkin of pam_p11

Eric Dorland eric at moszumanska.debian.org
Tue Jun 13 04:06:47 UTC 2017


This is an automated email from the git hooks/post-receive script.

eric pushed a commit to branch master
in repository pam-p11.

commit 5222291b9a3599eec4fd46f80da103352212efe7
Author: Andreas Jellinghaus <andreas at ionisiert.de>
Date:   Thu Aug 25 21:10:16 2005 +0000

    initial checkin of pam_p11
---
 COPYING                   | 504 ++++++++++++++++++++++++++++++++++++++++++++++
 Makefile.am               |  11 +
 aclocal/Makefile.am       |   5 +
 bootstrap                 |  11 +
 configure.ac              |  48 +++++
 doc/MailingLists.html     |  45 +++++
 doc/Makefile.am           |   8 +
 doc/OperatingSystems.html |  11 +
 doc/QuickStart.html       | 122 +++++++++++
 doc/README                |  10 +
 doc/ResourcesLinks.html   |  26 +++
 doc/export-wiki.sh        |  34 ++++
 doc/export-wiki.xsl       |  58 ++++++
 doc/index.html            |  59 ++++++
 doc/trac.css              | 360 +++++++++++++++++++++++++++++++++
 src/Makefile.am           |  28 +++
 src/base64.c              | 172 ++++++++++++++++
 src/match_opensc.c        |  97 +++++++++
 src/match_openssh.c       | 292 +++++++++++++++++++++++++++
 src/pam_p11.c             | 349 ++++++++++++++++++++++++++++++++
 src/test.c                |  14 ++
 21 files changed, 2264 insertions(+)

diff --git a/COPYING b/COPYING
new file mode 100644
index 0000000..b1e3f5a
--- /dev/null
+++ b/COPYING
@@ -0,0 +1,504 @@
+		  GNU LESSER GENERAL PUBLIC LICENSE
+		       Version 2.1, February 1999
+
+ Copyright (C) 1991, 1999 Free Software Foundation, Inc.
+     59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+[This is the first released version of the Lesser GPL.  It also counts
+ as the successor of the GNU Library Public License, version 2, hence
+ the version number 2.1.]
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+Licenses are intended to guarantee your freedom to share and change
+free software--to make sure the software is free for all its users.
+
+  This license, the Lesser General Public License, applies to some
+specially designated software packages--typically libraries--of the
+Free Software Foundation and other authors who decide to use it.  You
+can use it too, but we suggest you first think carefully about whether
+this license or the ordinary General Public License is the better
+strategy to use in any particular case, based on the explanations below.
+
+  When we speak of free software, we are referring to freedom of use,
+not price.  Our General Public Licenses are designed to make sure that
+you have the freedom to distribute copies of free software (and charge
+for this service if you wish); that you receive source code or can get
+it if you want it; that you can change the software and use pieces of
+it in new free programs; and that you are informed that you can do
+these things.
+
+  To protect your rights, we need to make restrictions that forbid
+distributors to deny you these rights or to ask you to surrender these
+rights.  These restrictions translate to certain responsibilities for
+you if you distribute copies of the library or if you modify it.
+
+  For example, if you distribute copies of the library, whether gratis
+or for a fee, you must give the recipients all the rights that we gave
+you.  You must make sure that they, too, receive or can get the source
+code.  If you link other code with the library, you must provide
+complete object files to the recipients, so that they can relink them
+with the library after making changes to the library and recompiling
+it.  And you must show them these terms so they know their rights.
+
+  We protect your rights with a two-step method: (1) we copyright the
+library, and (2) we offer you this license, which gives you legal
+permission to copy, distribute and/or modify the library.
+
+  To protect each distributor, we want to make it very clear that
+there is no warranty for the free library.  Also, if the library is
+modified by someone else and passed on, the recipients should know
+that what they have is not the original version, so that the original
+author's reputation will not be affected by problems that might be
+introduced by others.
+

+  Finally, software patents pose a constant threat to the existence of
+any free program.  We wish to make sure that a company cannot
+effectively restrict the users of a free program by obtaining a
+restrictive license from a patent holder.  Therefore, we insist that
+any patent license obtained for a version of the library must be
+consistent with the full freedom of use specified in this license.
+
+  Most GNU software, including some libraries, is covered by the
+ordinary GNU General Public License.  This license, the GNU Lesser
+General Public License, applies to certain designated libraries, and
+is quite different from the ordinary General Public License.  We use
+this license for certain libraries in order to permit linking those
+libraries into non-free programs.
+
+  When a program is linked with a library, whether statically or using
+a shared library, the combination of the two is legally speaking a
+combined work, a derivative of the original library.  The ordinary
+General Public License therefore permits such linking only if the
+entire combination fits its criteria of freedom.  The Lesser General
+Public License permits more lax criteria for linking other code with
+the library.
+
+  We call this license the "Lesser" General Public License because it
+does Less to protect the user's freedom than the ordinary General
+Public License.  It also provides other free software developers Less
+of an advantage over competing non-free programs.  These disadvantages
+are the reason we use the ordinary General Public License for many
+libraries.  However, the Lesser license provides advantages in certain
+special circumstances.
+
+  For example, on rare occasions, there may be a special need to
+encourage the widest possible use of a certain library, so that it becomes
+a de-facto standard.  To achieve this, non-free programs must be
+allowed to use the library.  A more frequent case is that a free
+library does the same job as widely used non-free libraries.  In this
+case, there is little to gain by limiting the free library to free
+software only, so we use the Lesser General Public License.
+
+  In other cases, permission to use a particular library in non-free
+programs enables a greater number of people to use a large body of
+free software.  For example, permission to use the GNU C Library in
+non-free programs enables many more people to use the whole GNU
+operating system, as well as its variant, the GNU/Linux operating
+system.
+
+  Although the Lesser General Public License is Less protective of the
+users' freedom, it does ensure that the user of a program that is
+linked with the Library has the freedom and the wherewithal to run
+that program using a modified version of the Library.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.  Pay close attention to the difference between a
+"work based on the library" and a "work that uses the library".  The
+former contains code derived from the library, whereas the latter must
+be combined with the library in order to run.
+

+		  GNU LESSER GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License Agreement applies to any software library or other
+program which contains a notice placed by the copyright holder or
+other authorized party saying it may be distributed under the terms of
+this Lesser General Public License (also called "this License").
+Each licensee is addressed as "you".
+
+  A "library" means a collection of software functions and/or data
+prepared so as to be conveniently linked with application programs
+(which use some of those functions and data) to form executables.
+
+  The "Library", below, refers to any such software library or work
+which has been distributed under these terms.  A "work based on the
+Library" means either the Library or any derivative work under
+copyright law: that is to say, a work containing the Library or a
+portion of it, either verbatim or with modifications and/or translated
+straightforwardly into another language.  (Hereinafter, translation is
+included without limitation in the term "modification".)
+
+  "Source code" for a work means the preferred form of the work for
+making modifications to it.  For a library, complete source code means
+all the source code for all modules it contains, plus any associated
+interface definition files, plus the scripts used to control compilation
+and installation of the library.
+
+  Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running a program using the Library is not restricted, and output from
+such a program is covered only if its contents constitute a work based
+on the Library (independent of the use of the Library in a tool for
+writing it).  Whether that is true depends on what the Library does
+and what the program that uses the Library does.
+  
+  1. You may copy and distribute verbatim copies of the Library's
+complete source code as you receive it, in any medium, provided that
+you conspicuously and appropriately publish on each copy an
+appropriate copyright notice and disclaimer of warranty; keep intact
+all the notices that refer to this License and to the absence of any
+warranty; and distribute a copy of this License along with the
+Library.
+
+  You may charge a fee for the physical act of transferring a copy,
+and you may at your option offer warranty protection in exchange for a
+fee.
+

+  2. You may modify your copy or copies of the Library or any portion
+of it, thus forming a work based on the Library, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) The modified work must itself be a software library.
+
+    b) You must cause the files modified to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    c) You must cause the whole of the work to be licensed at no
+    charge to all third parties under the terms of this License.
+
+    d) If a facility in the modified Library refers to a function or a
+    table of data to be supplied by an application program that uses
+    the facility, other than as an argument passed when the facility
+    is invoked, then you must make a good faith effort to ensure that,
+    in the event an application does not supply such function or
+    table, the facility still operates, and performs whatever part of
+    its purpose remains meaningful.
+
+    (For example, a function in a library to compute square roots has
+    a purpose that is entirely well-defined independent of the
+    application.  Therefore, Subsection 2d requires that any
+    application-supplied function or table used by this function must
+    be optional: if the application does not supply it, the square
+    root function must still compute square roots.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Library,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Library, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote
+it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Library.
+
+In addition, mere aggregation of another work not based on the Library
+with the Library (or with a work based on the Library) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may opt to apply the terms of the ordinary GNU General Public
+License instead of this License to a given copy of the Library.  To do
+this, you must alter all the notices that refer to this License, so
+that they refer to the ordinary GNU General Public License, version 2,
+instead of to this License.  (If a newer version than version 2 of the
+ordinary GNU General Public License has appeared, then you can specify
+that version instead if you wish.)  Do not make any other change in
+these notices.
+

+  Once this change is made in a given copy, it is irreversible for
+that copy, so the ordinary GNU General Public License applies to all
+subsequent copies and derivative works made from that copy.
+
+  This option is useful when you wish to copy part of the code of
+the Library into a program that is not a library.
+
+  4. You may copy and distribute the Library (or a portion or
+derivative of it, under Section 2) in object code or executable form
+under the terms of Sections 1 and 2 above provided that you accompany
+it with the complete corresponding machine-readable source code, which
+must be distributed under the terms of Sections 1 and 2 above on a
+medium customarily used for software interchange.
+
+  If distribution of object code is made by offering access to copy
+from a designated place, then offering equivalent access to copy the
+source code from the same place satisfies the requirement to
+distribute the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  5. A program that contains no derivative of any portion of the
+Library, but is designed to work with the Library by being compiled or
+linked with it, is called a "work that uses the Library".  Such a
+work, in isolation, is not a derivative work of the Library, and
+therefore falls outside the scope of this License.
+
+  However, linking a "work that uses the Library" with the Library
+creates an executable that is a derivative of the Library (because it
+contains portions of the Library), rather than a "work that uses the
+library".  The executable is therefore covered by this License.
+Section 6 states terms for distribution of such executables.
+
+  When a "work that uses the Library" uses material from a header file
+that is part of the Library, the object code for the work may be a
+derivative work of the Library even though the source code is not.
+Whether this is true is especially significant if the work can be
+linked without the Library, or if the work is itself a library.  The
+threshold for this to be true is not precisely defined by law.
+
+  If such an object file uses only numerical parameters, data
+structure layouts and accessors, and small macros and small inline
+functions (ten lines or less in length), then the use of the object
+file is unrestricted, regardless of whether it is legally a derivative
+work.  (Executables containing this object code plus portions of the
+Library will still fall under Section 6.)
+
+  Otherwise, if the work is a derivative of the Library, you may
+distribute the object code for the work under the terms of Section 6.
+Any executables containing that work also fall under Section 6,
+whether or not they are linked directly with the Library itself.
+

+  6. As an exception to the Sections above, you may also combine or
+link a "work that uses the Library" with the Library to produce a
+work containing portions of the Library, and distribute that work
+under terms of your choice, provided that the terms permit
+modification of the work for the customer's own use and reverse
+engineering for debugging such modifications.
+
+  You must give prominent notice with each copy of the work that the
+Library is used in it and that the Library and its use are covered by
+this License.  You must supply a copy of this License.  If the work
+during execution displays copyright notices, you must include the
+copyright notice for the Library among them, as well as a reference
+directing the user to the copy of this License.  Also, you must do one
+of these things:
+
+    a) Accompany the work with the complete corresponding
+    machine-readable source code for the Library including whatever
+    changes were used in the work (which must be distributed under
+    Sections 1 and 2 above); and, if the work is an executable linked
+    with the Library, with the complete machine-readable "work that
+    uses the Library", as object code and/or source code, so that the
+    user can modify the Library and then relink to produce a modified
+    executable containing the modified Library.  (It is understood
+    that the user who changes the contents of definitions files in the
+    Library will not necessarily be able to recompile the application
+    to use the modified definitions.)
+
+    b) Use a suitable shared library mechanism for linking with the
+    Library.  A suitable mechanism is one that (1) uses at run time a
+    copy of the library already present on the user's computer system,
+    rather than copying library functions into the executable, and (2)
+    will operate properly with a modified version of the library, if
+    the user installs one, as long as the modified version is
+    interface-compatible with the version that the work was made with.
+
+    c) Accompany the work with a written offer, valid for at
+    least three years, to give the same user the materials
+    specified in Subsection 6a, above, for a charge no more
+    than the cost of performing this distribution.
+
+    d) If distribution of the work is made by offering access to copy
+    from a designated place, offer equivalent access to copy the above
+    specified materials from the same place.
+
+    e) Verify that the user has already received a copy of these
+    materials or that you have already sent this user a copy.
+
+  For an executable, the required form of the "work that uses the
+Library" must include any data and utility programs needed for
+reproducing the executable from it.  However, as a special exception,
+the materials to be distributed need not include anything that is
+normally distributed (in either source or binary form) with the major
+components (compiler, kernel, and so on) of the operating system on
+which the executable runs, unless that component itself accompanies
+the executable.
+
+  It may happen that this requirement contradicts the license
+restrictions of other proprietary libraries that do not normally
+accompany the operating system.  Such a contradiction means you cannot
+use both them and the Library together in an executable that you
+distribute.
+

+  7. You may place library facilities that are a work based on the
+Library side-by-side in a single library together with other library
+facilities not covered by this License, and distribute such a combined
+library, provided that the separate distribution of the work based on
+the Library and of the other library facilities is otherwise
+permitted, and provided that you do these two things:
+
+    a) Accompany the combined library with a copy of the same work
+    based on the Library, uncombined with any other library
+    facilities.  This must be distributed under the terms of the
+    Sections above.
+
+    b) Give prominent notice with the combined library of the fact
+    that part of it is a work based on the Library, and explaining
+    where to find the accompanying uncombined form of the same work.
+
+  8. You may not copy, modify, sublicense, link with, or distribute
+the Library except as expressly provided under this License.  Any
+attempt otherwise to copy, modify, sublicense, link with, or
+distribute the Library is void, and will automatically terminate your
+rights under this License.  However, parties who have received copies,
+or rights, from you under this License will not have their licenses
+terminated so long as such parties remain in full compliance.
+
+  9. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Library or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Library (or any work based on the
+Library), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Library or works based on it.
+
+  10. Each time you redistribute the Library (or any work based on the
+Library), the recipient automatically receives a license from the
+original licensor to copy, distribute, link with or modify the Library
+subject to these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties with
+this License.
+

+  11. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Library at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Library by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Library.
+
+If any portion of this section is held invalid or unenforceable under any
+particular circumstance, the balance of the section is intended to apply,
+and the section as a whole is intended to apply in other circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  12. If the distribution and/or use of the Library is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Library under this License may add
+an explicit geographical distribution limitation excluding those countries,
+so that distribution is permitted only in or among countries not thus
+excluded.  In such case, this License incorporates the limitation as if
+written in the body of this License.
+
+  13. The Free Software Foundation may publish revised and/or new
+versions of the Lesser General Public License from time to time.
+Such new versions will be similar in spirit to the present version,
+but may differ in detail to address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Library
+specifies a version number of this License which applies to it and
+"any later version", you have the option of following the terms and
+conditions either of that version or of any later version published by
+the Free Software Foundation.  If the Library does not specify a
+license version number, you may choose any version ever published by
+the Free Software Foundation.
+

+  14. If you wish to incorporate parts of the Library into other free
+programs whose distribution conditions are incompatible with these,
+write to the author to ask for permission.  For software which is
+copyrighted by the Free Software Foundation, write to the Free
+Software Foundation; we sometimes make exceptions for this.  Our
+decision will be guided by the two goals of preserving the free status
+of all derivatives of our free software and of promoting the sharing
+and reuse of software generally.
+
+			    NO WARRANTY
+
+  15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
+WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
+EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
+OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY
+KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
+LIBRARY IS WITH YOU.  SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME
+THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
+WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
+AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU
+FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
+CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
+LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
+RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
+FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
+SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGES.
+
+		     END OF TERMS AND CONDITIONS
+

+           How to Apply These Terms to Your New Libraries
+
+  If you develop a new library, and you want it to be of the greatest
+possible use to the public, we recommend making it free software that
+everyone can redistribute and change.  You can do so by permitting
+redistribution under these terms (or, alternatively, under the terms of the
+ordinary General Public License).
+
+  To apply these terms, attach the following notices to the library.  It is
+safest to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least the
+"copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the library's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This library is free software; you can redistribute it and/or
+    modify it under the terms of the GNU Lesser General Public
+    License as published by the Free Software Foundation; either
+    version 2.1 of the License, or (at your option) any later version.
+
+    This library is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+    Lesser General Public License for more details.
+
+    You should have received a copy of the GNU Lesser General Public
+    License along with this library; if not, write to the Free Software
+    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+Also add information on how to contact you by electronic and paper mail.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the library, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the
+  library `Frob' (a library for tweaking knobs) written by James Random Hacker.
+
+  <signature of Ty Coon>, 1 April 1990
+  Ty Coon, President of Vice
+
+That's all there is to it!
+
+
diff --git a/Makefile.am b/Makefile.am
new file mode 100644
index 0000000..f7536c5
--- /dev/null
+++ b/Makefile.am
@@ -0,0 +1,11 @@
+SUBDIRS = . aclocal src
+
+EXTRA_DIST = COPYING INSTALL bootstrap
+
+AUTOMAKE_OPTIONS = foreign
+
+MAINTAINERCLEANFILES = \
+        Makefile.in config.h.in configure \
+        install-sh ltmain.sh missing mkinstalldirs \
+        compile depcomp config.log config.status \
+        config.guess config.sub acinclude.m4 aclocal.m4
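Review bot: `SUBDIRS = . aclocal src` leaves out `doc`, although this same commit adds `doc/Makefile.am` (and `configure.ac` does not generate `doc/Makefile` either), so the HTML documentation and its export scripts are never built, installed or put into the distribution tarball. Add `doc` to `SUBDIRS` and `doc/Makefile` to `AC_CONFIG_FILES`, or drop `doc/Makefile.am` until it is wired in. Also note that `EXTRA_DIST` names `INSTALL`, which is not among the 21 files checked in here; it only exists after `autoreconf --install` has run, so `make dist` depends on `bootstrap` having been executed first.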
diff --git a/aclocal/Makefile.am b/aclocal/Makefile.am
new file mode 100644
index 0000000..64ad78a
--- /dev/null
+++ b/aclocal/Makefile.am
@@ -0,0 +1,5 @@
+# Process this file with automake to create Makefile.in
+
+MAINTAINERCLEANFILES = Makefile.in
+
+EXTRA_DIST =
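Review bot: `EXTRA_DIST =` is empty and no `.m4` file under `aclocal/` is added in this commit, so the subdirectory currently contributes nothing to the build or to the tarball, while `bootstrap` still expects to find macros there (`cat aclocal/*.m4 > acinclude.m4`). Either check in the macros this directory is meant to hold and list them in `EXTRA_DIST`, or remove `aclocal` from `SUBDIRS` and the `cat` from `bootstrap` until there is something to ship.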
diff --git a/bootstrap b/bootstrap
new file mode 100755
index 0000000..4e964bd
--- /dev/null
+++ b/bootstrap
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+set -x
+if test -f Makefile; then
+  make distclean
+fi
+rm -rf *.cache *.m4 config.guess config.log \
+config.status config.sub depcomp ltmain.sh
+(cat aclocal/*.m4 > acinclude.m4 2> /dev/null)
+autoreconf --verbose --install
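Review bot: with `set -e` in effect, `(cat aclocal/*.m4 > acinclude.m4 2> /dev/null)` aborts the whole script before `autoreconf` runs whenever the glob matches nothing, because the unexpanded `aclocal/*.m4` makes `cat` exit non-zero and the failing subshell propagates that status; given that `aclocal/` ships no `.m4` files in this commit, that is the common case. Make the step tolerant, for example `cat aclocal/*.m4 > acinclude.m4 2>/dev/null || :`, or guard it with a test for the files. Separately, `rm -rf *.cache *.m4` wipes every `.m4` in the top directory, including any hand-written `acinclude.m4` a developer might keep there; listing the generated files by name (`acinclude.m4 aclocal.m4`) is safer than the glob.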
diff --git a/configure.ac b/configure.ac
new file mode 100644
index 0000000..eb4e719
--- /dev/null
+++ b/configure.ac
@@ -0,0 +1,48 @@
+# $Id$
+
+# Require autoconf 2.52
+AC_PREREQ(2.52)
+
+# Process this file with autoconf to produce a configure script.
+AC_INIT(pam_p11,"WIP")
+AC_CONFIG_SRCDIR([src/pam_p11.c])
+AC_CANONICAL_TARGET([])
+AM_INIT_AUTOMAKE(pam_p11, "0.1")
+
+AM_MAINTAINER_MODE
+
+# Checks for programs.
+AC_PROG_CC
+AC_PROG_CXX
+AC_PROG_LIBTOOL
+AC_PROG_INSTALL
+AC_PROG_LN_S
+
+# Checks for header files.
+AC_HEADER_STDC
+AC_CHECK_HEADERS([string.h syslog.h fcntl.h unistd.h])
+
+# Checks for typedefs, structures, and compiler characteristics.
+AC_C_CONST
+AC_TYPE_SIZE_T
+
+# Checks for library functions.
+AC_FUNC_MALLOC
+AC_FUNC_REALLOC
+AC_FUNC_STAT
+AC_FUNC_VPRINTF
+AC_CHECK_FUNCS([memset strdup strerror])
+
+# Checks for libraries.
+AC_CHECK_LIB(pam, pam_get_item, , AC_MSG_ERROR(could not locate pam libraries))
+
+# Check and set OpenSSL paths
+PKG_CHECK_MODULES(OPENSSL, openssl, [], [ AC_MSG_ERROR(openssl not found) ])
+PKG_CHECK_MODULES(LIBP11, libp11, [], [ AC_MSG_ERROR(libp11 not found) ])
+
+AC_CONFIG_FILES([ 
+Makefile
+aclocal/Makefile
+src/Makefile
+])
+AC_OUTPUT
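Review bot: the package version is declared twice and inconsistently: `AC_INIT(pam_p11,"WIP")` versus `AM_INIT_AUTOMAKE(pam_p11, "0.1")`, and because the arguments are not bracket-quoted the double quotes end up as literal characters in `PACKAGE_VERSION` and `VERSION`. Use `AC_INIT([pam_p11], [0.1])` and the argument-less `AM_INIT_AUTOMAKE` so there is a single source of truth. Two smaller points in the same file: `AC_CONFIG_FILES` omits `doc/Makefile` even though `doc/Makefile.am` is part of this commit, and the PAM check only probes `libpam` for `pam_get_item`; a matching `AC_CHECK_HEADERS([security/pam_modules.h])` would make a missing PAM development package fail at configure time instead of at compile time. `AC_PROG_CXX` and `AC_CANONICAL_TARGET([])` look unused for a C-only PAM module and could go.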
diff --git a/doc/MailingLists.html b/doc/MailingLists.html
new file mode 100644
index 0000000..53e78cd
--- /dev/null
+++ b/doc/MailingLists.html
@@ -0,0 +1,45 @@
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<title>MailingLists - simple pam module based on libp11 - Trac</title><style type="text/css">
+           @import url(trac.css);
+          </style></head><body><div class="wikipage">
+    <div id="searchable"><h1>Mailing lists</h1>
+<ul><li>opensc-annouce - Announcements of new releases, bugfixes and security warnings
+</li><li>opensc-devel - Discussion of developement issues for OpenSC, OpenCT and SCB
+</li><li>opensc-user - Discussion of end-user questions for OpenSC, OpenCT and SCB
+</li><li>opensc-commits - commit notifications for all projects hosted at opensc.org
+</li></ul><p>
+To subscribe, unsubscribe or browse the archive, please visit
+our <a class="ext-link" title="http://www.opensc.org/cgi-bin/mailman/listinfo" href="http://www.opensc.org/cgi-bin/mailman/listinfo" shape="rect">mailing list manager</a>.
+</p>
+<p>
+Please:
+</p>
+<ul><li>Post to one of these mailing list.
+</li><li>Do not post to several lists, one is enough, we read all of them.
+</li><li>Do not send carbon copies to the developers. We read all postings on the mailing list.
+</li><li>Do not mail developers directly, we read all the mailing lists and the bugs address.
+</li></ul><p>
+Direct email is more work for us. Also see
+<a class="ext-link" title="http://www.eyrie.org/~eagle/faqs/questions.html" href="http://www.eyrie.org/~eagle/faqs/questions.html" shape="rect">this faq</a> for explanations why.
+</p>
+<p>
+If you are subscribed to the mailing list, your posting will be distributed
+immideatly. If you are not subscribed, it will be put on hold, till someone has
+reviewed it so we can filter spam. We usualy review postings at least once a day,
+so be patient. You can also cancel the posting, subscribe to the mailing list
+and post again.
+</p>
+<h2>Bug reports</h2>
+<p>
+Please file bug reports using the <a class="ext-link" title="http://www.opensc.org/libp11/newticket" href="http://www.opensc.org/libp11/newticket" shape="rect">new ticket</a> link.
+You can also send bug reports to bugs at opensc.org via email.
+</p>
+<h2>Greylisting</h2>
+<p>
+The opensc.org and lists.opensc.org mail servers are protected from spam by using a mechanism
+called greylisting. Usualy this only causes a short delay for the first mail we receive from
+you, and no trouble at all. Still if for whatever reason you cannot send mail to opensc.org,
+please contact Andreas Jellinghaus at aj at dungeon.inka.de. Thanks.
+</p>
+</div>
+   </div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
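Review bot: the "new ticket" link points at http://www.opensc.org/libp11/newticket, but doc/README in this same commit says the pam_p11 wiki and tracker live at http://www.opensc.org/pam_p11/, so bug reports filed through this page land in the libp11 tracker. Spelling in the wiki source: "opensc-annouce" (the list is presumably opensc-announce), "developement", "immideatly", "usualy" (twice), and "Post to one of these mailing list" should read "lists".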
diff --git a/doc/Makefile.am b/doc/Makefile.am
new file mode 100644
index 0000000..f37a5c2
--- /dev/null
+++ b/doc/Makefile.am
@@ -0,0 +1,8 @@
+# Process this file with automake to create Makefile.in
+
+MAINTAINERCLEANFILES = Makefile.in
+
+EXTRA_DIST = README export-wiki.sh export-wiki.xsl $(HTML)
+
+HTML= MailingLists.html OperatingSystems.html QuickStart.html \
+	ResourcesLinks.html index.html trac.css
diff --git a/doc/OperatingSystems.html b/doc/OperatingSystems.html
new file mode 100644
index 0000000..78aade6
--- /dev/null
+++ b/doc/OperatingSystems.html
@@ -0,0 +1,11 @@
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<title>OperatingSystems - simple pam module based on libp11 - Trac</title><style type="text/css">
+           @import url(trac.css);
+          </style></head><body><div class="wikipage">
+    <div id="searchable"><h1>Operating Systems</h1>
+<p>
+Libp11 is still under development, once it works we will add each operating system here.
+So far libp11 is not part of any linux distribution.
+</p>
+</div>
+   </div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
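Review bot: this page describes libp11 ("Libp11 is still under development ... libp11 is not part of any linux distribution") rather than pam_p11, so it looks copied from the libp11 wiki; index.html advertises it as "Pam_p11 should work with any PAM implementation", which the page does not actually say. Either state the pam_p11 status here or drop the page from the snapshot until it has pam_p11 content.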
diff --git a/doc/QuickStart.html b/doc/QuickStart.html
new file mode 100644
index 0000000..18b0d65
--- /dev/null
+++ b/doc/QuickStart.html
@@ -0,0 +1,122 @@
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<title>QuickStart - simple pam module based on libp11 - Trac</title><style type="text/css">
+           @import url(trac.css);
+          </style></head><body><div class="wikipage">
+    <div id="searchable"><h1>Installing pam_p11</h1>
+<p>
+Installation is quite easy:
+</p>
+<pre class="wiki" xml:space="preserve">wget http://www.opensc.org/files/pam_p11-0.1.tar.gz
+tar xfvz pam_p11-0.1.tar.gz
+cd pam_p11-0.1
+./configure --prefix=/usr --libdir=/lib/
+make
+make install
+</pre><p>
+is all you need. Pam_p11 depends on pkg-config, openssl, libp11 and pam.
+If you don't have pkg-config installed, please do so and try again.
+If pkg-config is not found, please change your PATH environment setting.
+If openssl is not installed, please do so. If openssl is not found, please
+change your PKG_CONFIG_PATH environment setting to include the directory
+with "openssl.pc" or "libp11.pc" file. Some linux distributions split
+openssl into a runtime package and a development package, you need to
+install both. Same might be true for pam and libp11.
+</p>
+<h1>Using pam_p11_opensc</h1>
+<p>
+To use pam_p11_opensc with some application like login, edit /etc/pam.d/login
+and replace
+</p>
+<pre class="wiki" xml:space="preserve">auth       required   pam_unix.so nullok
+</pre><p>
+with
+</p>
+<pre class="wiki" xml:space="preserve">auth       required   pam_p11_opensc.so /usr/lib/opensc-pkcs11.so
+</pre><p>
+Replace <tt>/usr/lib/opensc-pkcs11.so</tt> with your PKCS#11 implementation.
+</p>
+<p>
+Also while testing it is best to keep a door open, i.e. allow also
+login via passwords. To try pam_p11_opensc first and then password put
+into your pam configuration:
+</p>
+<pre class="wiki" xml:space="preserve">auth       sufficient   pam_p11_opensc.so /usr/lib/opensc-pkcs11.so
+auth       required   pam_unix.so nullok
+</pre><p>
+Also each user needs to create a <tt>~/.eid/</tt> directory and create
+a file <tt>~/.eid/authorized_certificates</tt>. You can do that via
+</p>
+<pre class="wiki" xml:space="preserve">mkdir ~/.eid
+chmod 0755 ~/.eid
+pkcs15-tool -r 45 > ~/.eid/authorized_certificates
+chmod 0644 ~/.eid/authorized_certificates
+</pre><p>
+This example uses the "pkcs15-tool" command from opensc to read the
+default user certificate (id 45) from the smart card in reader 0.
+</p>
+<p>
+It is very important that only the user of the file can write to it.
+You can have any number of certificates in that file. The certificates
+need to be in "pem" format. "der" format is currently not supported.
+</p>
+<p>
+Pam_p11_opensc is the successor of the OpenSC pam_opensc module (eid mode).
+It is 100% compatible, but has fewer bugs. Using pam_opensc is discouraged.
+</p>
+<h1>Using pam_p11_openssh</h1>
+<p>
+To use pam_p11_openssh with some application like login, edit /etc/pam.d/login
+and replace
+</p>
+<pre class="wiki" xml:space="preserve">auth       required   pam_unix.so nullok
+</pre><p>
+with
+</p>
+<pre class="wiki" xml:space="preserve">auth       required   pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
+</pre><p>
+Replace <tt>/usr/lib/opensc-pkcs11.so</tt> with your PKCS#11 implementation.
+</p>
+<p>
+Also while testing it is best to keep a door open, i.e. allow also
+login via passwords. To try pam_p11_opensc first and then password put
+into your pam configuration:
+</p>
+<pre class="wiki" xml:space="preserve">auth       sufficient   pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
+auth       required   pam_unix.so nullok
+</pre><p>
+Also each user needs to create a <tt>~/.ssh/</tt> directory and create
+a file <tt>~/.ssh/authorized_keys</tt>. You can do that via
+</p>
+<pre class="wiki" xml:space="preserve">mkdir ~/.ssh
+chmod 0755 ~/.ssh
+ssh-keygen -D 0 > ~/.ssh/authorized_keys
+chmod 0644 ~/.ssh/authorized_keys
+</pre><p>
+This example uses the "ssh-keygen" command from openssh to read the
+default user public key (id 45) from the smart card in reader 0.
+Note that this tool prints the public keys in two formats: ssh v1 and
+ssh v2 format. It is recommended to edit the file and delete one of
+those two lines. Also you might want to add a comment / identifier
+at the end of the line.
+</p>
+<p>
+It is very important that only the user of the file can write to it.
+You can have any number of public keys in that file.
+</p>
+<p>
+Note it is currently not possible to convert existing ssh keys into
+pem format and store them on a smart card. (To be precize: OpenSC
+has no such functionality, not sure about other implementations.)
+</p>
+<h2>Security Note</h2>
+<p>
+Both pam_p11 modules are plain, they simple compare rsa public keys
+and request the cryptographic token to sign some random data and
+verifiy the signature with the public key. No CA chain checking is done,
+no CRL is looked at, and they don't know what OCSP is. This works fine
+for small installations, but if you want any of those features, please
+have a look at <a class="ext-link" title="http://www.opensc.org/pam_pkcs11" href="http://www.opensc.org/pam_pkcs11" shape="rect">Pam_pkcs11</a> for a fully
+fledged pam module for smart card authentication.
+</p>
+</div>
+   </div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
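Review bot: the instructions say it is "very important that only the user of the file can write to" ~/.eid/authorized_certificates and ~/.ssh/authorized_keys, but nothing enforces it: the module runs with the privileges of the authenticating service (normally root), and the visible part of match_user() in src/match_opensc.c hands the path built from pw->pw_dir straight to BIO_read_filename() with no ownership or mode check on the file, the ~/.eid directory or the home directory. A group- or world-writable ~/.eid, ~/.ssh or home directory therefore lets any local user add their own certificate or key and log in as the victim. Suggest the modules stat() the file and its directory and refuse to use them unless st_uid is the user's and (st_mode & (S_IWGRP|S_IWOTH)) == 0, as sshd's StrictModes does, and that this page state that requirement (0700 on the directory is the safer default than the 0755 shown). Two copy-paste slips in the pam_p11_openssh section: "To try pam_p11_opensc first and then password" should say pam_p11_openssh, and "read the default user public key (id 45)" does not fit `ssh-keygen -D 0`, where 0 is the reader and no key id is given; conversely the pkcs15-tool paragraph says "from the smart card in reader 0" although `pkcs15-tool -r 45` selects no reader.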
diff --git a/doc/README b/doc/README
new file mode 100644
index 0000000..33febed
--- /dev/null
+++ b/doc/README
@@ -0,0 +1,10 @@
+This directory contains a snapshot of the pam_p11 Wiki
+=====================================================
+
+The original wiki page is at http://www.opensc.org/pam_p11/
+and includes a bug tracker and source browser.
+
+The wiki was transformed to html using the export-wiki shell
+script and xsl style sheet. The original version is at 
+	http://www.twdata.org/trac-howto/
+
diff --git a/doc/ResourcesLinks.html b/doc/ResourcesLinks.html
new file mode 100644
index 0000000..3564679
--- /dev/null
+++ b/doc/ResourcesLinks.html
@@ -0,0 +1,26 @@
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<title>ResourcesLinks - simple pam module based on libp11 - Trac</title><style type="text/css">
+           @import url(trac.css);
+          </style></head><body><div class="wikipage">
+    <div id="searchable"><h1>Resources, Links</h1>
+<p>
+<a class="ext-link" title="http://www.rsasecurity.com/rsalabs/" href="http://www.rsasecurity.com/rsalabs/" shape="rect">RSA Labs</a> defined the Public Key Cryptography Standards (PKCS).
+</p>
+<p>
+<a class="ext-link" title="http://www.rsasecurity.com/rsalabs/node.asp?id=2133" href="http://www.rsasecurity.com/rsalabs/node.asp?id=2133" shape="rect">PKCS#11</a> defines an API to use software modules
+that give access to cryptographic token hardware.
+</p>
+<p>
+We think PKCS#11 is not easy to use, so we use
+<a class="ext-link" title="http://www.opensc.org/libp11/" href="http://www.opensc.org/libp11/" shape="rect">libp11</a>, a thin layer on top of PKCS#11 API.
+</p>
+<p>
+Pam_p11 is tested with <a class="ext-link" title="http://www.opensc.org/opensc/" href="http://www.opensc.org/opensc/" shape="rect">OpenSC</a>, but should
+work fine with other implementations of PKCS#11, too.
+</p>
+<p>
+[<a class="ext-link" title="http://www.kernel.org/pub/linux/libs/pam/" href="http://www.kernel.org/pub/linux/libs/pam/" shape="rect">http://www.kernel.org/pub/linux/libs/pam/</a> Linux-PAM (Pluggable Authentication
+Modules for Linux)] has the source code and documentation for PAM on linux.
+</p>
+</div>
+   </div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
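Review bot: the last paragraph contains raw Trac link markup, "[http://www.kernel.org/pub/linux/libs/pam/ Linux-PAM (Pluggable Authentication Modules for Linux)]", with the URL wrapped in a separate <a> and the brackets left in the text; the most likely cause is that the bracketed link spans a line break in the wiki source, which the Trac formatter does not accept. Put the whole `[url label]` on one line in the wiki and re-run export-wiki.sh so this renders as a single link.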
diff --git a/doc/export-wiki.sh b/doc/export-wiki.sh
new file mode 100755
index 0000000..6d3c19d
--- /dev/null
+++ b/doc/export-wiki.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+export SERVER=http://www.opensc.org
+export WIKI=pam_p11/wiki
+export XSL=export-wiki.xsl
+
+test -f `basename $0`
+
+rm -rf *.html *.css
+
+wget $SERVER/$WIKI/TitleIndex -O TitleIndex.tmp
+
+grep "\"/$WIKI/[^\"]*\"" TitleIndex.tmp \
+        |sed -e "s#.*\"/$WIKI/\([^\"]*\)\".*#\1#g" \
+	> WikiWords.tmp
+sed -e /^Trac/d -e /^Wiki/d -e /^TitleIndex/d -e /^RecentChanges/d \
+	-e /^CamelCase/d -e /^SandBox/d -i WikiWords.tmp
+
+for A in WikiStart `cat WikiWords.tmp`
+do
+	F=`echo $A|sed -e 's/\//_/g'`
+	wget $SERVER/$WIKI/$A  -O $F.tmp
+	xsltproc --output $F.html $XSL $F.tmp
+	sed -e "s#<a href=\"/$WIKI/\([^\"]*\)\"#<a href=\"\1.html\"#g" \
+		-i $F.html
+done
+
+mv WikiStart.html index.html
+
+wget http://www.opensc.org/trac/css/trac.css
+
+rm *.tmp
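Review bot: page names scraped from the remote TitleIndex are used unquoted as file names (`wget $SERVER/$WIKI/$A -O $F.tmp`, `xsltproc --output $F.html $XSL $F.tmp`, `sed ... -i $F.html`), and the only guard before `rm -rf *.html *.css` is `test -f \`basename $0\``, so a page name containing whitespace or glob characters breaks the loop and anything the `s/\//_/g` rewrite does not neutralise reaches the command line of a script that runs with `set -e` inside the doc directory. Quote every expansion ("$A", "$F") and whitelist the names when building WikiWords.tmp, for example by keeping only lines matching `^[A-Za-z0-9_/]*$`. The HTML pages and trac.css are also fetched over plain http with no integrity check and then shipped through EXTRA_DIST in doc/Makefile.am, so whoever sits on the fetch path controls the packaged documentation; at minimum the diff of the regenerated files should be reviewed before it is committed.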
diff --git a/doc/export-wiki.xsl b/doc/export-wiki.xsl
new file mode 100644
index 0000000..145befb
--- /dev/null
+++ b/doc/export-wiki.xsl
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet version="1.0"
+xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+xmlns="http://www.w3.org/1999/xhtml"
+xmlns:html="http://www.w3.org/1999/xhtml">
+	<xsl:output method="html" indent="yes"/>
+  
+  <xsl:template match="/">
+    <xsl:apply-templates />
+  </xsl:template>
+  
+  <xsl:template match="/html:html">
+      <html>
+        <head>
+          <title><xsl:value-of select="/html:html/html:head/html:title" /></title>
+          <style type="text/css">
+           @import url(trac.css);
+          </style>
+        </head>
+        <body>
+          <xsl:apply-templates select="//html:div[@class='wikipage']" />
+          <div class="footer">
+            <hr />
+            <p><a href="index.html">Back to Index</a></p>
+          </div>
+        </body>
+      </html>
+  </xsl:template>
+  
+  <xsl:template match="/pages">
+      <html>
+        <head>
+          <title>Wiki Index</title>
+          <style type="text/css">
+           @import url(trac.css);
+          </style>
+        </head>
+        <body>
+          <h1>Index of Wiki Pages</h1>
+          <ul>
+          <xsl:apply-templates select="page" />
+          </ul>
+        </body>
+      </html>
+  </xsl:template>
+  
+  <xsl:template match="page">
+    <li><a href="{.}.html"><xsl:value-of select="." /></a></li>
+  </xsl:template>
+  
+  <xsl:template match="node()|@*" priority="-1">
+    <xsl:copy>
+      <xsl:apply-templates select="@*|node()"/>
+    </xsl:copy>
+  </xsl:template>
+ 
+</xsl:stylesheet>
+
diff --git a/doc/index.html b/doc/index.html
new file mode 100644
index 0000000..47fadbf
--- /dev/null
+++ b/doc/index.html
@@ -0,0 +1,59 @@
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<title>simple pam module based on libp11 - Trac</title><style type="text/css">
+           @import url(trac.css);
+          </style></head><body><div class="wikipage">
+    <div id="searchable"><h1>Welcome to pam_p11</h1>
+<p>
+Pam_p11 is a plugable authentication module (pam) package for using
+crpytographic tokes such as smart cards and usb crypto tokens for
+authentication.
+</p>
+<p>
+Pam_p11 uses <a class="ext-link" title="http://www.opensc.org/libp11/" href="http://www.opensc.org/libp11/" shape="rect">libp11</a> to access any
+PKCS#11 module. It should be compatible with any implementation,
+but it is primarely developed using <a class="ext-link" title="http://www.opensc.org/opensc/" href="http://www.opensc.org/opensc/" shape="rect">OpenSC</a>.
+</p>
+<p>
+Pam_p11 implements two authentication modules:
+</p>
+<ul><li>pam_p11_openssh authenticates the user using his openssh
+<tt>~/.ssh/authorized_keys</tt> file.
+</li><li>pam_p11_opensc authenticates the user using certificates found in
+<tt>~/.eid/authorized_certificates</tt>. It is compatible with the
+older opensc "pam_opensc" authentication module (eid mode).
+</li></ul><p>
+Pam_p11 is very simple, it has no config file, no options other than the
+PKCS#11 module file, does not know about certificate chains,
+certificate authorities, revocation lists or OCSP.
+Perfect for the small installation with no frills.
+</p>
+<h2>License</h2>
+<p>
+Libp11 is Open Source software licensed under the <a class="ext-link" title="http://www.gnu.org/licenses/licenses.html#LGPL" href="http://www.gnu.org/licenses/licenses.html#LGPL" shape="rect">GNU LGPL license version 2.1 or later</a>.
+</p>
+<p>
+Pam_p11 uses pam, openssl, libp11 and OpenSC
+(or any other implementation of pkcs11).
+</p>
+<blockquote>
+<p>
+Thanks to all those projects, without it would not be possible.
+</p>
+</blockquote>
+<h2>Authors</h2>
+<p>
+Pam_p11 was written by Andreas Jellinghaus, but the code was mostly assembled
+from several sources. Credit goes to (in alphabetical order)
+</p>
+<p>
+Andreas Jellinghaus, Antti Tapaninen, Juan Antonio Martinez, Juha Yrjölä,
+Kevin Stefanik, Ludovic Rousseau, Mario Strasser, Markus Friedl, Olaf Kirch,
+Tatu Ylonen, Timo Sirainen.
+</p>
+<h2>Starting Points</h2>
+<ul><li><a href="OperatingSystems.html" shape="rect">OperatingSystems</a> -- Pam_p11 should work with any PAM implementation.
+</li><li><a href="QuickStart.html" shape="rect">QuickStart</a> -- How to install pam_p11 and how to use it in your applications.
+</li><li><a href="MailingLists.html" shape="rect">MailingLists</a> -- How to contact us.
+</li><li><a href="ResourcesLinks.html" shape="rect">ResourcesLinks</a> -- Standards, Documents, etc.
+</li></ul></div>
+   </div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
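Review bot: the License section says "Libp11 is Open Source software licensed under the GNU LGPL license version 2.1 or later" on the pam_p11 front page; the COPYING added in this commit is LGPL 2.1, so the sentence should name Pam_p11. Spelling in the wiki source: "plugable" (pluggable), "crpytographic tokes" (cryptographic tokens), "primarely" (primarily), and "without it would not be possible" is missing "them".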
diff --git a/doc/trac.css b/doc/trac.css
new file mode 100644
index 0000000..8d9604d
--- /dev/null
+++ b/doc/trac.css
@@ -0,0 +1,360 @@
+/* Trac CSS */
+body {
+ background: #fff;
+ color: #000;
+ margin: 10px;
+}
+body, th, td {
+ font: normal 13px verdana,arial,'Bitstream Vera Sans',helvetica,sans-serif;
+}
+h1, h2, h3, h4 {
+ font-family: arial,verdana,'Bitstream Vera Sans',helvetica,sans-serif;
+ font-weight: bold;
+ letter-spacing: -0.018em;
+}
+h1 { font-size: 19px; margin: .15em 1em 0 0 }
+h2 { font-size: 16px }
+h3 { font-size: 14px }
+hr { border: none;  border-top: 1px solid #ccb; margin: 2em 0 }
+address { font-style: normal }
+img { border: none }
+
+.underline { text-decoration: underline; }
+ol.loweralpha { list-style-type: lower-alpha }
+ol.upperalpha { list-style-type: upper-alpha }
+ol.lowerroman { list-style-type: lower-roman }
+ol.upperroman { list-style-type: upper-roman }
+ol.arabic     { list-style-type: decimal }
+
+/* Link styles */
+:link, :visited {
+ text-decoration: none;
+ color: #b00;
+ border-bottom: 1px dotted #bbb;
+}
+:link:hover, :visited:hover {
+ background-color: #eee;
+ color: #555;
+}
+h1 :link, h1 :visited ,h2 :link, h2 :visited, h3 :link, h3 :visited,
+h4 :link, h4 :visited, h5 :link, h5 :visited, h6 :link, h6 :visited {
+ color: inherit;
+}
+
+.ext-link { background: url(../extlink.gif) no-repeat 0 58%; padding-left: 16px }
+* html .ext-link { background-position: 0 .35em } /* IE hack, see #937 */
+
+/* Forms */
+input, textarea, select { margin: 2px }
+input, select { vertical-align: middle }
+input[type=submit], input[type=reset] {
+ background: #eee;
+ color: #222;
+ border: 1px outset #ccc;
+ padding: .1em .5em;
+}
+input[type=submit]:hover, input[type=reset]:hover { background: #ccb }
+input[type=text], input.textwidget, textarea {
+ background: #fff;
+ color: #000;
+ border: 1px solid #d7d7d7;
+}
+input[type=text], input.textwidget { padding: .25em .5em }
+input[type=text]:focus, textarea:focus { border: 1px solid #886 }
+option { border-bottom: 1px dotted #d7d7d7 }
+fieldset { border: 1px solid #d7d7d7; padding: .5em; margin: 0 }
+fieldset.iefix { border: none; padding: 0; margin: 0 }
+* html fieldset.iefix { width: 98% }
+fieldset.iefix p { margin: 0 }
+legend { color: #999; padding: 0 .25em; font-size: 90%; font-weight: bold }
+label.disabled { color: #d7d7d7 }
+.buttons { margin: .5em .5em .5em 0 }
+.buttons form, .buttons form div { display: inline }
+.buttons input { margin: 1em .5em .1em 0 }
+
+/* Header */
+#header hr { display: none }
+#header img { border: none; margin: 0 0 -3em }
+#header :link, #header :visited, #header :link:hover, #header :visited:hover {
+ background: transparent;
+ margin-bottom: 2px;
+ border: none;
+}
+
+/* Quick search */
+#search {
+ clear: both;
+ font-size: 10px;
+ height: 2.2em;
+ margin: 0 0 1em;
+ text-align: right;
+}
+#search input { font-size: 10px }
+#search label { display: none }
+
+/* Navigation */
+.nav h2, .nav hr { display: none }
+.nav ul { font-size: 10px; list-style: none; margin: 0; text-align: right }
+.nav li {
+ border-right: 1px solid #d7d7d7;
+ display: inline;
+ padding: 0 .75em;
+ white-space: nowrap;
+}
+.nav li.last { border-right: none }
+
+/* Main navigation bar */
+#mainnav {
+ background: #f7f7f7 url(../topbar_gradient.png) 0 0;
+ border: 1px solid #000;
+ font: normal 10px verdana,'Bitstream Vera Sans',helvetica,arial,sans-serif;
+ margin: .66em 0 .33em;
+ padding: .2em 0;
+}
+#mainnav li { border-right: none; padding: .25em 0 }
+#mainnav :link, #mainnav :visited {
+ background: url(../dots.gif) 0 0 no-repeat;
+ border-right: 1px solid #fff;
+ border-bottom: none;
+ border-left: 1px solid #555;
+ color: #000;
+ padding: .2em 20px;
+}
+* html #mainnav :link, * html #mainnav :visited { background-position: 1px 0 }
+#mainnav :link:hover, #mainnav :visited:hover {
+ background-color: #ccc;
+ border-right: 1px solid #ddd;
+}
+#mainnav .active:link, #mainnav .active:visited {
+ background: #333 url(../topbar_gradient2.png) 0 0 repeat-x;
+ border-top: none;
+ border-right: 1px solid #000;
+ color: #eee;
+ font-weight: bold;
+}
+#mainnav .active:link:hover, #mainnav .active:visited:hover {
+ border-right: 1px solid #000;
+}
+
+/* Context-dependent navigation links */
+#ctxtnav { height: 1em }
+#ctxtnav li ul {
+ background: #f7f7f7;
+ color: #ccc;
+ border: 1px solid;
+ padding: 0;
+ display: inline;
+ margin: 0;
+}
+#ctxtnav li li { padding: 0; }
+#ctxtnav li li :link, #ctxtnav li li :visited { padding: 0 1em }
+#ctxtnav li li :link:hover, #ctxtnav li li :visited:hover {
+ background: #bba;
+ color: #fff;
+}
+
+/* Alternate links */
+#altlinks { clear: both; text-align: center }
+#altlinks h3 { font-size: 12px; letter-spacing: normal; margin: 0 }
+#altlinks ul { list-style: none; margin: 0; padding: 0 0 1em }
+#altlinks li {
+ border-right: 1px solid #d7d7d7;
+ display: inline;
+ font-size: 11px;
+ line-height: 16px;
+ padding: 0 1em;
+ white-space: nowrap;
+}
+#altlinks li.last { border-right: none }
+#altlinks li :link, #altlinks li :visited {
+ background-position: 0 -1px;
+ background-repeat: no-repeat;
+ border: none;
+}
+#altlinks li a.ics { background-image: url(../ics.png); padding-left: 22px }
+#altlinks li a.rss { background-image: url(../xml.png); padding-left: 42px }
+
+/* Footer */
+#footer {
+  clear: both;
+  color: #bbb;
+  font-size: 10px;
+  border-top: 1px solid;
+  height: 31px;
+  padding: .25em 0;
+}
+#footer :link, #footer :visited { color: #bbb; }
+#footer hr { display: none }
+#footer #tracpowered { border: 0; float: left }
+#footer #tracpowered:hover { background: transparent }
+#footer p { margin: 0 }
+#footer p.left {
+  float: left;
+  margin-left: 1em;
+  padding: 0 1em;
+  border-left: 1px solid #d7d7d7;
+  border-right: 1px solid #d7d7d7;
+}
+#footer p.right {
+  float: right;
+  text-align: right;
+}
+
+#content { padding-bottom: 2em; position: relative }
+
+#help {
+ clear: both;
+ color: #999;
+ font-size: 90%;
+ margin: 1em;
+ text-align: right;
+}
+#help :link, #help :visited { cursor: help }
+#help hr { display: none }
+
+/* Page preferences form */
+#prefs {
+ background: #f7f7f0;
+ border: 1px outset #998;
+ float: right;
+ font-size: 9px;
+ padding: .8em;
+ position: relative;
+ margin: 0 1em 1em;
+}
+* html #prefs { width: 26em } /* Set width only for IE */
+#prefs input, #prefs select { font-size: 9px; vertical-align: middle }
+#prefs fieldset { border: none; margin: .5em; padding: 0 }
+#prefs fieldset legend {
+ background: transparent;
+ color: #000;
+ font-size: 9px;
+ font-weight: normal;
+ margin: 0 0 0 -1.5em;
+ padding: 0;
+}
+#prefs .buttons { text-align: right }
+
+/* Wiki */
+a.missing:link,a.missing:visited { background: #fafaf0; color: #998 }
+a.missing:hover { color: #000; }
+
+#content.wiki { line-height: 140% }
+.wikitoolbar {
+ border: solid #d7d7d7;
+ border-width: 1px 1px 1px 0;
+ float: left;
+ height: 18px;
+}
+.wikitoolbar :link, .wikitoolbar :visited {
+ background: transparent url(../edit_toolbar.png) no-repeat;
+ border: 1px solid #fff;
+ border-left-color: #d7d7d7;
+ cursor: default;
+ display: block;
+ float: left;
+ width: 24px;
+ height: 16px;
+}
+.wikitoolbar :link:hover, .wikitoolbar :visited:hover {
+ background-color: transparent;
+ border: 1px solid #fb2;
+}
+.wikitoolbar a#em { background-position: 0 0 }
+.wikitoolbar a#strong { background-position: 0 -16px }
+.wikitoolbar a#heading { background-position: 0 -32px }
+.wikitoolbar a#link { background-position: 0 -48px }
+.wikitoolbar a#code { background-position: 0 -64px }
+.wikitoolbar a#hr { background-position: 0 -80px }
+
+/* Styles for the form for adding attachments. */
+#attachment .field { margin-top: 1.3em }
+#attachment label { padding-left: .2em }
+#attachment fieldset { margin-top: 2em }
+#attachment fieldset .field { float: left; margin: 0 1em .5em 0 }
+#attachment br { clear: left }
+
+/* Styles for tabular listings such as those used for displaying directory
+   contents and report results. */
+table.listing {
+ clear: both;
+ border-bottom: 1px solid #d7d7d7;
+ border-collapse: collapse;
+ border-spacing: 0;
+ margin-top: 1em;
+ width: 100%;
+}
+table.listing th { text-align: left; padding: 0 1em .1em 0; font-size: 12px }
+table.listing thead { background: #f7f7f0 }
+table.listing thead th {
+ border: 1px solid #d7d7d7;
+ border-bottom-color: #999;
+ font-size: 11px;
+ font-weight: bold;
+ padding: 2px .5em;
+ vertical-align: bottom;
+}
+table.listing thead th :link:hover, table.listing thead th :visited:hover {
+ background-color: transparent;
+}
+table.listing thead th a { border: none; padding-right: 12px }
+table.listing th.asc a, table.listing th.desc a { font-weight: bold }
+table.listing th.asc a, table.listing th.desc a {
+ background-position: 100% 50%;
+ background-repeat: no-repeat;
+}
+table.listing th.asc a { background-image: url(../asc.png) }
+table.listing th.desc a { background-image: url(../desc.png) }
+table.listing tbody td, table.listing tbody th {
+ border: 1px dotted #ddd;
+ padding: .33em .5em;
+ vertical-align: top;
+}
+table.listing tbody td a:hover, table.listing tbody th a:hover {
+ background-color: transparent;
+}
+table.listing tbody tr { border-top: 1px solid #ddd }
+table.listing tbody tr.even { background-color: #fcfcfc }
+table.listing tbody tr.odd { background-color: #f7f7f7 }
+table.listing tbody tr:hover { background: #eed !important }
+
+.wikipage p { margin-left: 1em }
+pre.wiki, pre.literal-block {
+ background: #f7f7f7;
+ border: 1px solid #d7d7d7;
+ margin: 1em 1.75em;
+ padding: .25em;
+ overflow: auto;
+}
+table.wiki {
+ border: 2px solid #ccc;
+ border-collapse: collapse;
+ border-spacing: 0;
+}
+table.wiki td { border: 1px solid #ccc;  padding: .1em .25em; }
+
+/* Styles for the error page (and rst errors) */
+#content.error .message, div.system-message {
+ background: #fdc;
+ border: 2px solid #d00;
+ color: #500;
+ padding: .5em;
+ margin: 1em 0;
+}
+#content.error pre, div.system-message pre { margin-left: 1em; overflow: auto }
+div.system-message p { margin: 0; }
+div.system-message p.system-message-title { font-weight: bold; }
+
+/* Styles for search word highlighting */
+ at media screen {
+ .searchword0 { background: #ff9 }
+ .searchword1 { background: #cfc }
+ .searchword2 { background: #cff }
+ .searchword3 { background: #ccf }
+ .searchword4 { background: #fcf }
+}
+
+ at media print {
+ #header, #altlinks, #footer { display: none }
+ .nav, form, .buttons form { display: none }
+}
diff --git a/src/Makefile.am b/src/Makefile.am
new file mode 100644
index 0000000..c7d5e35
--- /dev/null
+++ b/src/Makefile.am
@@ -0,0 +1,28 @@
+AM_CFLAGS = -Wall -fno-strict-aliasing @OPENSSL_CFLAGS@ @LIBP11_CFLAGS@
+AM_LDFLAGS = @OPENSSL_LIBS@ @LIBP11_LIBS@ -module -avoid-version
+
+lib_LTLIBRARIES = pam_p11_openssh.la  pam_p11_opensc.la 
+
+pam_p11_openssh_la_SOURCES =  pam_p11.c base64.c match_openssh.c
+pam_p11_openssh_la_LIBADD = @LIBSP11@ 
+
+pam_p11_opensc_la_SOURCES =  pam_p11.c match_opensc.c
+pam_p11_opensc_la_LIBADD = @LIBSP11@ 
+
+noinst_PROGRAMS= test
+
+test_SOURCES=test.c
+test_LDADD=./.libs/pam_p11_openssh.so
+
+format:
+	indent -kr -i8 -ts8 -sob -l80 -ss -ncs *.c *.h
+
+install:       
+	$(mkinstalldirs) $(DESTDIR)/$(libdir)/security
+	$(libLTLIBRARIES_INSTALL) $(top_builddir)/src/.libs/pam_p11_openssh.so $(DESTDIR)/$(libdir)/security
+	$(libLTLIBRARIES_INSTALL) $(top_builddir)/src/.libs/pam_p11_opensc.so $(DESTDIR)/$(libdir)/security
+
+uninstall:       
+	$(RM) $(DESTDIR)/$(libdir)/security/pam_p11_openssh.so 
+	$(RM) $(DESTDIR)/$(libdir)/security/pam_p11_opensc.so 
+	@ rmdir $(DESTDIR)/$(libdir)/security
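Review bot: `@LIBSP11@` in both _LIBADD lines is never AC_SUBST'd by configure.ac in this commit, which defines LIBP11_CFLAGS/LIBP11_LIBS through PKG_CHECK_MODULES, so config.status leaves the literal string in the generated Makefile and libtool is handed "@LIBSP11@" as a file; `@LIBP11_LIBS@` is presumably meant, and the pkg-config libraries belong in LIBADD rather than in AM_LDFLAGS, where they (together with `-module -avoid-version`) are also applied to the `test` program. The hand-written `install:` and `uninstall:` targets override automake's own rules and depend on the internal `$(libLTLIBRARIES_INSTALL)` variable; the idiomatic way to install into $(libdir)/security is `securitydir = $(libdir)/security` with `security_LTLIBRARIES = pam_p11_openssh.la pam_p11_opensc.la`, which keeps DESTDIR, `make uninstall` and libtool's install-time relinking working. `test_LDADD=./.libs/pam_p11_openssh.so` reaches into libtool's private directory; link against `pam_p11_openssh.la` instead. The unguarded `rmdir` in uninstall makes the target fail whenever the directory is not empty; prefix it with `-` if it is meant to be best-effort.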
diff --git a/src/base64.c b/src/base64.c
new file mode 100644
index 0000000..50e91ba
--- /dev/null
+++ b/src/base64.c
@@ -0,0 +1,172 @@
+/*
+ * base64.c: Base64 converting functions
+ *
+ * Copyright (C) 2001, 2002  Juha Yrj�l� <juha.yrjola at iki.fi>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <assert.h>
+
+static const unsigned char base64_table[66] =
+    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" "0123456789+/=";
+
+static const unsigned char bin_table[128] = {
+	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+	0xFF, 0xE0, 0xD0, 0xFF, 0xFF, 0xD0, 0xFF, 0xFF,
+	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+	0xE0, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+	0xFF, 0xFF, 0xFF, 0x3E, 0xFF, 0xF2, 0xFF, 0x3F,
+	0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B,
+	0x3C, 0x3D, 0xFF, 0xFF, 0xFF, 0xC0, 0xFF, 0xFF,
+	0xFF, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
+	0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E,
+	0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16,
+	0x17, 0x18, 0x19, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+	0xFF, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20,
+	0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28,
+	0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30,
+	0x31, 0x32, 0x33, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+};
+
+static void to_base64(unsigned int i, unsigned char *out, unsigned int fillers)
+{
+	unsigned int s = 18, c;
+
+	for (c = 0; c < 4; c++) {
+		if (fillers >= 4 - c)
+			*out = base64_table[64];
+		else
+			*out = base64_table[(i >> s) & 0x3f];
+		out++;
+		s -= 6;
+	}
+}
+
+static int from_base64(const char *in, unsigned int *out, int *skip)
+{
+	unsigned int res = 0, c, s = 18;
+	const char *in0 = in;
+
+	for (c = 0; c < 4; c++, in++) {
+		unsigned char b;
+		int k = *in;
+
+		if (k < 0)
+			return -1;
+		if (k == 0 && c == 0)
+			return 0;
+		b = bin_table[k];
+		if (b == 0xC0)	/* '=' */
+			break;
+		switch (b) {
+		case 0xD0:	/* '\n' or '\r' */
+			c--;
+			continue;
+		}
+		if (b > 0x3f)
+			return -1;
+
+		res |= b << s;
+		s -= 6;
+	}
+	*skip = in - in0;
+	*out = res;
+	return c * 6 / 8;
+}
+
+int sc_base64_encode(const unsigned char *in, size_t len, unsigned char *out,
+		     size_t outlen, size_t linelength)
+{
+	unsigned int chars = 0;
+	size_t i, c;
+
+	linelength -= linelength & 0x03;
+	if (linelength < 0)
+		return -1;
+	while (len >= 3) {
+		i = in[2] + (in[1] << 8) + (in[0] << 16);
+		in += 3;
+		len -= 3;
+		if (outlen < 4)
+			return -1;
+		to_base64(i, out, 0);
+		out += 4;
+		outlen -= 4;
+		chars += 4;
+		if (chars >= linelength && linelength > 0) {
+			if (outlen < 1)
+				return -1;
+			*out = '\n';
+			out++;
+			outlen--;
+			chars = 0;
+		}
+	}
+	i = c = 0;
+	while (c < len)
+		i |= *in++ << ((2 - c++) << 3);
+	if (len) {
+		if (outlen < 4)
+			return -1;
+		to_base64(i, out, 3 - len);
+		out += 4;
+		outlen -= 4;
+		chars += 4;
+	}
+	if (chars && linelength > 0) {
+		if (outlen < 1)
+			return -1;
+		*out = '\n';
+		out++;
+		outlen--;
+	}
+	if (outlen < 1)
+		return -1;
+	*out = 0;
+
+	return 0;
+}
+
+int sc_base64_decode(const char *in, unsigned char *out, size_t outlen)
+{
+	int len = 0, r, skip;
+	unsigned int i;
+
+	while ((r = from_base64(in, &i, &skip)) > 0) {
+		int finished = 0, s = 16;
+
+		if (r < 3)
+			finished = 1;
+		while (r--) {
+			if (outlen <= 0)
+				return -1;
+			*out++ = i >> s;
+			s -= 8;
+			outlen--;
+			len++;
+		}
+		in += skip;
+		if (finished || *in == 0)
+			return len;
+	}
+	if (r == 0)
+		return len;
+	return -1;
+}
diff --git a/src/match_opensc.c b/src/match_opensc.c
new file mode 100644
index 0000000..cd599f2
--- /dev/null
+++ b/src/match_opensc.c
@@ -0,0 +1,97 @@
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <pwd.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <openssl/bn.h>
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+
+static void add_cert(X509 *cert, X509 ***certs, int *ncerts)
+{
+	X509 **certs2;
+	/* sanity checks */
+	if (!cert)
+		return;
+
+	if (!certs)
+		return;
+
+	if (!ncerts)
+		return;
+
+	/* no certs so far */
+	if (!*certs) {
+		*certs = malloc(sizeof(void *));
+		if (!*certs)
+			return;
+		*certs[0] = cert;
+		*ncerts = 1;
+		return;
+	}
+
+	/* enlarge */
+
+	certs2 = malloc(sizeof(void *) * ((*ncerts) + 1));
+	if (!certs2)
+		return;
+
+	memcpy(certs2, *certs, sizeof(void *) * (*ncerts));
+	certs2[*ncerts] = cert;
+
+	free(*certs);
+	*certs = certs2;
+	(*ncerts)++;
+}
+
+extern int match_user(X509 * x509, const char *login)
+{
+	char filename[PATH_MAX];
+	struct passwd *pw;
+	X509 **certs;
+	int ncerts, i, rc;
+	BIO *in;
+
+	if (!x509)
+		return -1;
+
+	if (!login)
+		return -1;
+
+	pw = getpwnam(login);
+	if (!pw || !pw->pw_dir)
+		return -1;
+
+	snprintf(filename, PATH_MAX, "%s/.eid/authorized_certificates", pw->pw_dir);
+
+	in = BIO_new(BIO_s_file());
+	if (!in)
+		return -1;
+
+        rc = BIO_read_filename(in, filename);
+        if (rc != 1) {
+                syslog(LOG_ERR,"BIO_read_filename from %s failed\n",filename);
+                return -1;
+        }
+
+	ncerts=0; certs=NULL;
+	for (;;) {
+		X509 *cert = PEM_read_bio_X509(in, NULL, 0, NULL);
+		if (cert)
+			add_cert(cert, &certs, &ncerts);
+		else 
+			break;
+	}
+
+        BIO_free(in);
+
+	for (i = 0; i < ncerts; i++) {
+		if (X509_cmp(certs[i],x509) == 0)
+			return 1;	/* FOUND */
+	}
+	return 0;
+}
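Review bot: `match_user` reads `~/.eid/authorized_certificates` as the calling process (normally root) without checking who owns the file and its parent directories or whether they are group/world writable; OpenSSH's StrictModes exists for exactly this case, because otherwise anyone who can write that file in a shared or mis-permissioned home can enrol a certificate for the account. Open the file with `open(2)`, `fstat(2)` it, reject it unless it is owned by the user or root with no group/other write bits, and only then hand the descriptor to the BIO. The failure path after `BIO_read_filename` (`syslog(LOG_ERR,"BIO_read_filename from %s failed\n",filename); return -1;`) leaks `in`, and on every call the `certs` array and each X509 from `PEM_read_bio_X509` are never freed, including on the `return 1; /* FOUND */` inside the loop; release them with `X509_free` and `free` before returning. `*certs[0] = cert;` happens to mean `(*certs)[0] = cert` because `certs[0]` is `*certs`, but it reads like a precedence slip; writing `(*certs)[0]` avoids the double-take. This file and match_openssh.c both export `match_user` with the same signature, so only one of them can be linked into the module; a comment at the top naming this as one of two alternative matchers would help.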
diff --git a/src/match_openssh.c b/src/match_openssh.c
new file mode 100644
index 0000000..b83ed28
--- /dev/null
+++ b/src/match_openssh.c
@@ -0,0 +1,292 @@
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <pwd.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+#include <openssl/x509.h>
+
+/* how to read the authorized_keys file and the key?
+ * see openssh source code auth2-pubkey.c user_key_allowed2
+ * and misc.c read_keyfile_line and key.c
+ */
+
+#define OPENSSH_LINE_MAX 8192	/* from openssh SSH_MAX_PUBKEY_BYTES */
+
+static EVP_PKEY *ssh1_line_to_key(char *line)
+{
+	EVP_PKEY *key;
+	RSA *rsa;
+	char *b, *e, *m, *c;
+
+	key = EVP_PKEY_new();
+	if (!key)
+		return NULL;
+
+	rsa = RSA_new();
+
+	if (!rsa)
+		goto err;
+
+	/* first digitstring: the bits */
+	b = line;
+
+	/* second digitstring: the exponent */
+	/* skip all digits */
+	for (e = b; *e >= '0' && *e <= '0'; e++) ;
+
+	/* must be a whitespace */
+	if (*e != ' ' && *e != '\t')
+		return NULL;
+
+	/* cut the string in two part */
+	*e = 0;
+	e++;
+
+	/* skip more whitespace */
+	while (*e == ' ' || *e == '\t')
+		e++;
+
+	/* third digitstring: the modulus */
+	/* skip all digits */
+	for (m = e; *m >= '0' && *m <= '0'; m++) ;
+
+	/* must be a whitespace */
+	if (*m != ' ' && *m != '\t')
+		return NULL;
+
+	/* cut the string in two part */
+	*m = 0;
+	m++;
+
+	/* skip more whitespace */
+	while (*m == ' ' || *m == '\t')
+		m++;
+
+	/* look for a comment after the modulus */
+	for (c = m; *c >= '0' && *c <= '0'; c++) ;
+
+	/* could be a whitespace or end of line */
+	if (*c != ' ' && *c != '\t' && *c != '\n' && *c != '\r' && *c != 0)
+		return NULL;
+
+	if (*c == ' ' || *c == '\t') {
+		*c = 0;
+		c++;
+
+		/* skip more whitespace */
+		while (*c == ' ' || *c == '\t')
+			c++;
+
+		if (*c && *c != '\r' && *c != '\n') {
+			/* we have a comment */
+		} else {
+			c = NULL;
+		}
+
+	} else {
+		*c = 0;
+		c = NULL;
+	}
+
+	/* ok, now we have b e m pointing to pure digit
+	 * null terminated strings and maybe c pointing to a comment */
+
+	BN_dec2bn(&rsa->e, e);
+	BN_dec2bn(&rsa->n, m);
+
+	EVP_PKEY_assign_RSA(key, rsa);
+	return key;
+
+      err:
+	free(key);
+	return NULL;
+}
+
+extern int sc_base64_decode(const char *in, unsigned char *out, size_t outlen);
+
+static EVP_PKEY *ssh2_line_to_key(char *line)
+{
+	EVP_PKEY *key;
+	RSA *rsa;
+	unsigned char decoded[OPENSSH_LINE_MAX];
+	int len;
+
+	char *b, *c;
+	int i;
+
+	/* find the mime-blob */
+	b = line;
+
+	if (!b)
+		return NULL;
+
+	/* find the first whitespace */
+	while (*b && *b != ' ')
+		b++;
+
+	/* skip that whitespace */
+	b++;
+
+	/* find the end of the blob / comment */
+	for (c = b; *c && *c != ' ' && 'c' != '\t' && *c != '\r'
+	     && *c != '\n'; c++) ;
+
+	*c = 0;
+
+	/* decode binary data */
+	if (sc_base64_decode(b, decoded, OPENSSH_LINE_MAX) < 0)
+		return NULL;
+
+	i = 0;
+
+	/* get integer from blob */
+	len =
+	    (decoded[i] << 24) + (decoded[i + 1] << 16) +
+	    (decoded[i + 2] << 8) + (decoded[i + 3]);
+	i += 4;
+
+	/* now: key_from_blob */
+	if (strncmp(&decoded[i], "ssh-rsa", 7) != 0)
+		return NULL;
+
+	i += len;
+
+	key = EVP_PKEY_new();
+	rsa = RSA_new();
+
+	/* get integer from blob */
+	len =
+	    (decoded[i] << 24) + (decoded[i + 1] << 16) +
+	    (decoded[i + 2] << 8) + (decoded[i + 3]);
+	i += 4;
+
+	/* get bignum */
+	rsa->e = BN_bin2bn(decoded + i, len, NULL);
+	i += len;
+
+	/* get integer from blob */
+	len =
+	    (decoded[i] << 24) + (decoded[i + 1] << 16) +
+	    (decoded[i + 2] << 8) + (decoded[i + 3]);
+	i += 4;
+
+	/* get bignum */
+	rsa->n = BN_bin2bn(decoded + i, len, NULL);
+
+	EVP_PKEY_assign_RSA(key, rsa);
+	return key;
+}
+
+static void add_key(EVP_PKEY * key, EVP_PKEY *** keys, int *nkeys)
+{
+	EVP_PKEY **keys2;
+	/* sanity checks */
+	if (!key)
+		return;
+
+	if (!keys)
+		return;
+
+	if (!nkeys)
+		return;
+
+	/* no keys so far */
+	if (!*keys) {
+		*keys = malloc(sizeof(void *));
+		if (!*keys)
+			return;
+		*keys[0] = key;
+		*nkeys = 1;
+		return;
+	}
+
+	/* enlarge */
+
+	keys2 = malloc(sizeof(void *) * ((*nkeys) + 1));
+	if (!keys2)
+		return;
+
+	memcpy(keys2, *keys, sizeof(void *) * (*nkeys));
+	keys2[*nkeys] = key;
+
+	free(*keys);
+	*keys = keys2;
+	(*nkeys)++;
+}
+
+extern int match_user(X509 * x509, const char *login)
+{
+	char filename[PATH_MAX];
+	char line[OPENSSH_LINE_MAX];
+	struct passwd *pw;
+	FILE *file;
+	EVP_PKEY **keys = NULL;
+	EVP_PKEY *authkey;
+	int nkeys = 0, i;
+
+	authkey = X509_get_pubkey(x509);
+	if (!authkey)
+		return 0;
+
+	pw = getpwnam(login);
+	if (!pw || !pw->pw_dir)
+		return -1;
+
+	snprintf(filename, PATH_MAX, "%s/.ssh/authorized_keys", pw->pw_dir);
+
+	file = fopen(filename, "r");
+	if (!file)
+		return -1;
+
+	for (;;) {
+		char *cp;
+		if (!fgets(line, OPENSSH_LINE_MAX, file))
+			break;
+
+		/* Skip leading whitespace, empty and comment lines. */
+		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
+
+			if (!*cp || *cp == '\n' || *cp == '#')
+				continue;
+
+		if (*cp >= '0' && *cp <= '9') {
+			/* ssh v1 key format */
+			EVP_PKEY *key = ssh1_line_to_key(cp);
+			if (key)
+				add_key(key, &keys, &nkeys);
+
+		}
+		if (strncmp("ssh-rsa", cp, 7) == 0) {
+			/* ssh v2 rsa key format */
+			EVP_PKEY *key = ssh2_line_to_key(cp);
+			if (key)
+				add_key(key, &keys, &nkeys);
+		}
+	}
+
+	fclose(file);
+
+	for (i = 0; i < nkeys; i++) {
+		RSA *authrsa, *rsa;
+
+		authrsa = EVP_PKEY_get1_RSA(authkey);
+		if (!authrsa)
+			continue;	/* not RSA */
+
+		rsa = EVP_PKEY_get1_RSA(keys[i]);
+		if (!rsa)
+			continue;	/* not RSA */
+
+		if (BN_cmp(rsa->e, authrsa->e) != 0)
+			continue;
+		if (BN_cmp(rsa->n, authrsa->n) != 0)
+			continue;
+		return 1;	/* FOUND */
+	}
+	return 0;
+}
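Review bot: `ssh2_line_to_key` trusts the length fields inside the decoded blob: `len` is read from `decoded`, then `i += len` and `BN_bin2bn(decoded + i, len, NULL)` run with no check against the number of bytes `sc_base64_decode` actually produced (its return value is discarded), and `len` is an `int`, so a length word with the top bit set goes negative. A malformed or hostile authorized_keys line, a file the user writes, therefore drives reads past the 8192-byte `decoded` stack buffer inside the PAM module. Keep the decoded length and check `len >= 0 && len <= decoded_len - i` before each field, require the first `len` to be 7 before the `strncmp` against "ssh-rsa", and cast `&decoded[i]` to `const char *` for that call. Two typos turn the parsers into dead code: the three digit scans in `ssh1_line_to_key` use `*e >= '0' && *e <= '0'` (likewise for `m` and `c`), so they only step over the character '0' and every real ssh1 line returns NULL at the following whitespace check; and `'c' != '\t'` in the blob scan (`for (c = b; *c && *c != ' ' && 'c' != '\t' && *c != '\r'`) compares a character literal, so a tab never terminates the blob. In `match_user` the `for (cp = line; *cp == ' ' || *cp == '\t'; cp++)` is missing its terminating `;`, so `if (!*cp || *cp == '\n' || *cp == '#') continue;` became the loop body and never skips empty or comment lines; those lines are harmless today only because they fail both the digit and the "ssh-rsa" tests. Cleanup: every `return NULL` in the parsers leaks `key` and `rsa` (and `err:` uses `free(key)` where `EVP_PKEY_free` is needed), `EVP_PKEY_new`, `RSA_new` and `BN_dec2bn` results are unchecked, `X509_get_pubkey` and each `EVP_PKEY_get1_RSA` in the compare loop take references that are never released, and the authorized_keys file is opened without the ownership/permission checks OpenSSH applies under StrictModes.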
diff --git a/src/pam_p11.c b/src/pam_p11.c
new file mode 100644
index 0000000..43450bf
--- /dev/null
+++ b/src/pam_p11.c
@@ -0,0 +1,349 @@
+/*
+ * libp11 PAM Login Module
+ * Copyright (C) 2003 Mario Strasser <mast at gmx.net>,
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ */
+
+#include <syslog.h>
+#include <ctype.h>
+#include <string.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+#include <libp11.h>
+
+/* We have to make this definitions before we include the pam header files! */
+#define PAM_SM_AUTH
+#define PAM_SM_ACCOUNT
+#define PAM_SM_SESSION
+#define PAM_SM_PASSWORD
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+#ifndef PAM_EXTERN
+#define PAM_EXTERN extern
+#endif
+
+#define LOGNAME   "pam_p11"	/* name for log-file entries */
+
+#define RANDOM_SOURCE "/dev/urandom"
+#define RANDOM_SIZE 128
+#define MAX_SIGSIZE 256
+
+extern int match_user(X509 * x509, const char *login);
+
+/*
+* comodity function that returns 1 on null, empty o spaced string
+*/
+int is_spaced_str(const char *str)
+{
+	char *pt = (char *)str;
+	if (!str)
+		return 1;
+	if (!strcmp(str, ""))
+		return 1;
+	for (; *pt; pt++)
+		if (!isspace(*pt))
+			return 0;
+	return 1;
+}
+
+PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc,
+				   const char **argv)
+{
+	int i, rv;
+	const char *user;
+	char *password;
+	char password_prompt[64];
+
+	struct pam_conv *conv;
+	struct pam_message msg;
+	struct pam_response *resp;
+	struct pam_message *(msgp[1]);
+
+	PKCS11_CTX *ctx;
+	PKCS11_SLOT *slot;
+	PKCS11_CERT *certs;
+	unsigned int ncerts;
+	PKCS11_KEY *authkey;
+	PKCS11_CERT *authcert;
+
+	EVP_PKEY *pubkey;
+
+	unsigned char random[RANDOM_SIZE];
+	unsigned char signature[MAX_SIGSIZE];
+	int fd;
+	unsigned siglen;
+
+	/* open log */
+	openlog(LOGNAME, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
+
+	/* init openssl */
+	OpenSSL_add_all_algorithms();
+	ERR_load_crypto_strings();
+
+	ctx = PKCS11_CTX_new();
+
+	/* get user name */
+	rv = pam_get_user(pamh, &user, NULL);
+	if (rv != PAM_SUCCESS) {
+		syslog(LOG_ERR, "pam_get_user() failed %s",
+		       pam_strerror(pamh, rv));
+		return PAM_USER_UNKNOWN;
+	}
+
+	/* load pkcs #11 module */
+	rv = PKCS11_CTX_load(ctx, argv[0]);
+
+	if (rv) {
+		syslog(LOG_ERR, "loading pkcs11 engine failed");
+		return PAM_AUTHINFO_UNAVAIL;
+	}
+
+	/* get first slot with a token */
+	slot = PKCS11_find_token(ctx);
+	if (!slot || !slot->token) {
+		syslog(LOG_ERR, "no token available");
+		rv = PAM_AUTHINFO_UNAVAIL;
+		goto out;
+	}
+
+	/* get all certs */
+	rv = PKCS11_enumerate_certs(slot->token, &certs, &ncerts);
+	if (rv) {
+		syslog(LOG_ERR, "PKCS11_enumerate_certs failed");
+		rv = PAM_AUTHINFO_UNAVAIL;
+		goto out;
+	}
+	if (ncerts <=0) {
+		syslog(LOG_ERR, "no certificates found");
+		rv = PAM_AUTHINFO_UNAVAIL;
+		goto out;
+	}
+
+	/* find a valid and matching certificates */
+	for (i = 0; i < ncerts; i++) {
+		authcert = &certs[i];
+		if (authcert != NULL) {
+			/* check whether the certificate matches the user */
+			rv = match_user(authcert->x509, user);
+			if (rv < 0) {
+				syslog(LOG_ERR, "match_user() failed");
+				rv = PAM_AUTHINFO_UNAVAIL;
+				goto out;
+			} else if (rv == 0) {
+				/* this is not the cert we are looking for */
+				authcert = NULL;
+			} else {
+				break;
+			}
+		}
+	}
+
+	if (!authcert) {
+		syslog(LOG_ERR, "not matching certificate found");
+		rv = PAM_AUTHINFO_UNAVAIL;
+		goto out;
+	}
+
+	if (!slot->token->loginRequired)
+		goto loggedin;
+
+	/* get password */
+	msgp[0] = &msg;
+
+	/* try to get stored item */
+	rv = pam_get_item(pamh, PAM_AUTHTOK, (void *)&password);
+	if (rv == PAM_SUCCESS && password) {
+		password = strdup(password);
+	} else {
+		/* get password */
+		sprintf(password_prompt, "Password for token %.32s: ",
+			slot->token->label);
+
+		/* ask the user for the password if variable text is set */
+		msg.msg_style = PAM_PROMPT_ECHO_OFF;
+		msg.msg = password_prompt;
+		rv = pam_get_item(pamh, PAM_CONV, (const void **)&conv);
+		if (rv != PAM_SUCCESS) {
+			rv = PAM_AUTHINFO_UNAVAIL;
+			goto out;
+		}
+		if ((conv == NULL) || (conv->conv == NULL)) {
+			rv = PAM_AUTHINFO_UNAVAIL;
+			goto out;
+		}
+		rv = conv->conv(1, (const struct pam_message **)msgp, &resp,
+				conv->appdata_ptr);
+		if (rv != PAM_SUCCESS) {
+			rv = PAM_AUTHINFO_UNAVAIL;
+			goto out;
+		}
+		if ((resp == NULL) || (resp[0].resp == NULL)) {
+			rv = PAM_AUTHINFO_UNAVAIL;
+			goto out;
+		}
+		password = strdup(resp[0].resp);
+		/* overwrite memory and release it */
+		memset(resp[0].resp, 0, strlen(resp[0].resp));
+		free(&resp[0]);
+	}
+
+	/* save password if variable nitem is set */
+	rv = pam_set_item(pamh, PAM_AUTHTOK, &password);
+	if (rv != PAM_SUCCESS) {
+		syslog(LOG_ERR, "pam_set_item failed");
+		rv = PAM_AUTHINFO_UNAVAIL;
+		goto out;
+	}
+
+	/* perform pkcs #11 login */
+	rv = PKCS11_login(slot, 0, password);
+	memset(password, 0, strlen(password));
+	free(password);
+	if (rv != 0) {
+		syslog(LOG_ERR, "PKCS11_login failed");
+		rv = PAM_AUTHINFO_UNAVAIL;
+		goto out;
+	}
+
+      loggedin:
+	/* get random bytes */
+	fd = open(RANDOM_SOURCE, O_RDONLY);
+	if (fd < 0) {
+		syslog(LOG_ERR, "fatal: cannot open RANDOM_SOURCE: ");
+		rv = PAM_AUTHINFO_UNAVAIL;
+		goto out;
+	}
+
+	rv = read(fd, random, RANDOM_SIZE);
+	if (rv < 0) {
+		syslog(LOG_ERR, "fatal: read from random source failed: ");
+		close(fd);
+		rv = PAM_AUTHINFO_UNAVAIL;
+		goto out;
+	}
+
+	if (rv < RANDOM_SIZE) {
+		syslog(LOG_ERR, "fatal: read returned less than %d<%d bytes\n",
+		       rv, RANDOM_SIZE);
+		close(fd);
+		rv = PAM_AUTHINFO_UNAVAIL;
+		goto out;
+	}
+
+	close(fd);
+
+	authkey = PKCS11_find_key(authcert);
+	if (!authkey) {
+		syslog(LOG_ERR, "no key matching certificate available");
+		rv = PAM_AUTHINFO_UNAVAIL;
+		goto out;
+	}
+
+	/* ask for a sha1 hash of the random data, signed by the key */
+	siglen = MAX_SIGSIZE;
+	rv = PKCS11_sign(NID_sha1, random, RANDOM_SIZE, signature, &siglen,
+			 authkey);
+	if (rv != 1) {
+		syslog(LOG_ERR, "fatal: pkcs11_sign failed\n");
+		rv = PAM_AUTHINFO_UNAVAIL;
+		goto out;
+	}
+
+	/* verify the signature */
+	pubkey = X509_get_pubkey(authcert->x509);
+	if (pubkey == NULL) {
+		syslog(LOG_ERR, "could not extract public key");
+		rv = PAM_AUTHINFO_UNAVAIL;
+		goto out;
+	}
+
+	/* now verify the result */
+	rv = RSA_verify(NID_sha1, random, RANDOM_SIZE,
+			signature, siglen, pubkey->pkey.rsa);
+	if (rv != 1) {
+		syslog(LOG_ERR, "fatal: RSA_verify failed\n");
+		rv = PAM_AUTHINFO_UNAVAIL;
+		goto out;
+	}
+
+	rv = PAM_SUCCESS;
+
+      out:
+	PKCS11_CTX_unload(ctx);
+	PKCS11_CTX_free(ctx);
+	return rv;
+}
+
+PAM_EXTERN int pam_sm_setcred(pam_handle_t * pamh, int flags, int argc,
+			      const char **argv)
+{
+	/* Actually, we should return the same value as pam_sm_authenticate(). */
+	return PAM_SUCCESS;
+}
+
+PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, int argc,
+				const char **argv)
+{
+	openlog(LOGNAME, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
+	syslog(LOG_WARNING,
+	       "Function pam_sm_acct_mgmt() is not implemented in this module");
+	closelog();
+	return PAM_SERVICE_ERR;
+}
+
+PAM_EXTERN int pam_sm_open_session(pam_handle_t * pamh, int flags, int argc,
+				   const char **argv)
+{
+	openlog(LOGNAME, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
+	syslog(LOG_WARNING,
+	       "Function pam_sm_open_session() is not implemented in this module");
+	closelog();
+	return PAM_SERVICE_ERR;
+}
+
+PAM_EXTERN int pam_sm_close_session(pam_handle_t * pamh, int flags, int argc,
+				    const char **argv)
+{
+	openlog(LOGNAME, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
+	syslog(LOG_WARNING,
+	       "Function pam_sm_close_session() is not implemented in this module");
+	closelog();
+	return PAM_SERVICE_ERR;
+}
+
+PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, int argc,
+				const char **argv)
+{
+	openlog(LOGNAME, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
+	syslog(LOG_WARNING,
+	       "Function pam_sm_chauthtok() is not implemented in this module");
+	closelog();
+	return PAM_SERVICE_ERR;
+}
+
+#ifdef PAM_STATIC
+/* static module data */
+struct pam_module _pam_group_modstruct = {
+	"pam_p11",
+	pam_sm_authenticate,
+	pam_sm_setcred,
+	pam_sm_acct_mgmt,
+	pam_sm_open_session,
+	pam_sm_close_session,
+	pam_sm_chauthtok
+};
+#endif
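Review bot: `pam_sm_authenticate` dereferences `argv[0]` for the PKCS#11 module path without checking `argc > 0`, so a pam.d line that omits the argument crashes the authenticating process; check `argc` and log a usable error. `pam_set_item(pamh, PAM_AUTHTOK, &password)` stores the address of the local `char *` rather than the string (the `pam_get_item` above it has the matching cast problem: `(void *)&password` should be `(const void **)&password`), so later modules in the stack receive garbage as the PIN; pass `password`. The comment "ask for a sha1 hash of the random data, signed by the key" does not match the code: all 128 bytes of `random` are handed to `PKCS11_sign` and `RSA_verify` as if they were the SHA-1 digest, nothing is hashed, and a 128-byte "digest" plus DigestInfo header and PKCS#1 padding no longer fits in a 1024-bit RSA block, so signing fails for such keys, while `MAX_SIGSIZE 256` caps the module at 2048-bit keys; hash the challenge with `SHA1()` into a 20-byte buffer, sign and verify that, and size the signature buffer from the key. `pubkey->pkey.rsa` is used without checking that the certificate key is RSA, so a non-RSA certificate on the token yields a wild pointer; use `EVP_PKEY_get1_RSA` and fail when it returns NULL. Resource handling: the early returns after `pam_get_user` and `PKCS11_CTX_load` skip `PKCS11_CTX_free`, `PKCS11_CTX_new` is never NULL-checked, `pubkey` is never freed, and `free(&resp[0])` frees the response array but not `resp[0].resp` (free it after the memset). `ERR_load_crypto_strings`, `NID_sha1` and `RSA_verify` need `<openssl/err.h>`, `<openssl/objects.h>` and `<openssl/rsa.h>` rather than whatever libp11.h happens to pull in, and the static module table should be named `_pam_p11_modstruct`, not `_pam_group_modstruct`.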
diff --git a/src/test.c b/src/test.c
new file mode 100644
index 0000000..a57ccd6
--- /dev/null
+++ b/src/test.c
@@ -0,0 +1,14 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_misc.h>
+
+int main(int argc, char **argv)
+{
+	pam_handle_t *pamh = NULL;
+
+	pam_sm_authenticate(pamh, 0, 1, "/home/aj/opensc/lib/opensc-pkcs11.so");
+
+	exit(0);
+}
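Review bot: the harness cannot work as written: `pamh` is NULL, so `pam_get_user`, the first thing `pam_sm_authenticate` does, fails or crashes before any PKCS#11 code runs; obtain a handle with `pam_start(...)` and a `misc_conv` conversation from the already-included `<security/pam_misc.h>`, and release it with `pam_end`. The fourth argument is a string literal where `const char **` is expected, which is a type error; build `const char *argv[] = { "/home/aj/opensc/lib/opensc-pkcs11.so" };` and pass `argv`. `pam_sm_authenticate` is not declared by the included headers (it lives in `<security/pam_modules.h>` behind `PAM_SM_AUTH`), so the call compiles only as an implicit declaration. The hardcoded developer path should come from the test program's own `argv[1]`, and the return value should be printed or checked rather than discarded before `exit(0)`.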

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-opensc/pam-p11.git


