24766235 Change to build PAM_PKCS11 with the pcsclite=yes option for 32 bit
authorHuie-Ying Lee <huieying.lee@oracle.com>
Wed, 02 Nov 2016 20:44:19 -0700
changeset 7240 66893879cb20
parent 7239 81dd404b35f2
child 7241 2fface7be02d
24766235 Change to build PAM_PKCS11 with the pcsclite=yes option for 32 bit 24790022 Fix spelling and grammar errors in pam_pkcs11.c messages 24766229 add module specification requirement to the pam_pkcs11(7) man page 24897765 err_display_time and quiet options are placed incorrectly in pam_pkcs11.conf 24790509 pam_pkcs11 will fail after upgrade to s12 if openldap_mapper.so is used
components/pam_pkcs11/Makefile
components/pam_pkcs11/files/pam_pkcs11.7
components/pam_pkcs11/pam_pkcs11.conf
components/pam_pkcs11/patches/04-message_error_fix.patch
components/pam_pkcs11/patches/05-upgrade_bug_fix.patch
--- a/components/pam_pkcs11/Makefile	Wed Nov 02 19:15:09 2016 -0700
+++ b/components/pam_pkcs11/Makefile	Wed Nov 02 20:44:19 2016 -0700
@@ -52,6 +52,7 @@
 CONFIGURE_BINDIR.32= $(USRLIB.32)/pam_pkcs11
 CONFIGURE_BINDIR.64= $(USRLIB.64)/pam_pkcs11
 CPPFLAGS += -I$(USRINCDIR)/openldap
+CFLAGS += -DMODULE_ISA_FIX -DUPGRADE_BUG_FIX
 CONFIGURE_OPTIONS += --datarootdir=$(ETCDIR)/security
 CONFIGURE_OPTIONS += --localedir=$(USRSHARELOCALEDIR)
 CONFIGURE_OPTIONS += --localstatedir=$(VARDIR)
@@ -59,11 +60,8 @@
 CONFIGURE_OPTIONS += --with-confdir=/etc/security/pam_pkcs11
 CONFIGURE_OPTIONS += --docdir=/etc/security/pam_pkcs11
 CONFIGURE_OPTIONS += OPENSSL_LIBS="$(OPENSSL_LIBS)"
+CONFIGURE_OPTIONS += --with-pcsclite=yes
 CONFIGURE_OPTIONS += PCSC_CFLAGS="-I /usr/include/PCSC"
-CONFIGURE_OPTIONS.32 += CFLAGS="$(CFLAGS) -DMODULE_ISA_FIX"
-CONFIGURE_OPTIONS.32 += --with-pcsclite=no
-CONFIGURE_OPTIONS.64 += CFLAGS="$(CFLAGS) -DMODULE_ISA_FIX -D_LP64"
-CONFIGURE_OPTIONS.64 += --with-pcsclite=yes
 
 REQUIRED_PACKAGES += library/openldap
 REQUIRED_PACKAGES += library/security/openssl
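Review bot: The removed `CONFIGURE_OPTIONS.64` line carried `-D_LP64` for the 64-bit build, and the replacement `CFLAGS += -DMODULE_ISA_FIX -DUPGRADE_BUG_FIX` does not, so any `#ifdef _LP64` in the patched sources now depends on the compiler predefining it for the 64-bit target. That is presumably the case and the drop is intentional, but neither the Makefile nor the commit message records it. A comment next to the new line, such as `# _LP64 is predefined by the 64-bit compiler, so it is no longer passed explicitly`, would make the assumption visible to the next person who touches these flags.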
--- a/components/pam_pkcs11/files/pam_pkcs11.7	Wed Nov 02 19:15:09 2016 -0700
+++ b/components/pam_pkcs11/files/pam_pkcs11.7	Wed Nov 02 20:44:19 2016 -0700
@@ -1,7 +1,7 @@
 '\" te
 .\" Portions Copyright (c) 2008, 2016, Oracle and/or its affiliates. All rights reserved.
 .\" This manual page is derived from documentation obtained from the OpenSC organization (www.opensc-project.org). This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. This library is distributed in the hope that it is useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-.TH pam_pkcs11 7 "30 Aug 2016" "SunOS 5.12" "Standards, Environments, and Macros"
+.TH pam_pkcs11 7 "14 Oct 2016" "SunOS 5.12" "Standards, Environments, and Macros"
 .SH NAME
 pam_pkcs11 \- PAM Authentication Module for the PKCS#11 token libraries
 .SH SYNOPSIS
@@ -230,7 +230,9 @@
 .sp
 .RE
 .RS +4
-The $ISA token in all the module paths is replaced by an implementation defined directory name which defines the path relative to the calling program's instruction set architecture. This allows the pam_pkcs11 module to support both 32 and 64 bit applications co-exist concurrently in the system. For example, for the "module = /usr/lib/$ISA/libpkcs11.so" option, at run time, /usr/lib/64/libpkcs11.so will be loaded for 64 bit applications and /usr/lib/32/libpkcs11.so for 32 bit applications. 
+All the modules (PKCS#11 module and mapper modules) specified in the /etc/security/pam_pkcs11/pam_pkcs11.conf configuration file need to be delivered in both 32-bit and 64-bit forms.
+.sp
+The $ISA (instruction set architecture) token in all the module paths is replaced by an implementation-defined directory name which defines the path relative to the calling program's instruction set architecture. The $ISA token should be used in all the module paths. This allows the pam_pkcs11 module to support both 32 and 64 bit applications concurrently on the system. For example, for the "module = /usr/lib/$ISA/libpkcs11.so" option, at run time, /usr/lib/64/libpkcs11.so will be loaded for 64-bit applications and /usr/lib/32/libpkcs11.so for 32-bit applications. 
 .RE
 .SH OPTIONS
 .sp
@@ -414,4 +416,4 @@
 \fBcard_eventmgr\fR(1), \fBpkcs11_inspect\fR(1), \fBpklogin_finder\fR(1), \fBcryptoadm\fR(8), \fBlibpkcs11\fR(3LIB)\fBlibpkcs11\fR(3LIB)\fBpam_sm_authenticate\fR(3PAM), \fBpam.conf\fR(5), \fBattributes\fR(7), \fBpkcs11_softtoken\fR(7)
 .sp
 .LP
-\fIPAM-PKCS11 User Manual\fR, available at the \fBhttp://www.opensc-project.org/\fR web site, under the \fBPAM PKCS#11\fR link.
+\fIPAM-PKCS11 User Manual\fR, available at /usr/share/doc/pam_pkcs11/pam_pkcs11.html.
--- a/components/pam_pkcs11/pam_pkcs11.conf	Wed Nov 02 19:15:09 2016 -0700
+++ b/components/pam_pkcs11/pam_pkcs11.conf	Wed Nov 02 20:44:19 2016 -0700
@@ -13,6 +13,13 @@
   # Filename of the PKCS #11 module. The default value is "default"
   use_pkcs11_module = default;
 
+  # The err_display_time option suspends execution for an interval of time
+  # in seconds after each PAM message is shown. 
+  err_display_time = 0;
+
+  # The quiet option can be used to disable error messages.
+  quiet = false;
+
   pkcs11_module default {
     module = /usr/lib/$ISA/libpkcs11.so;
     description = "Solaris PKCS#11 Cryptographic Framework library";
@@ -79,13 +86,6 @@
     # The value of the token_type parameter will be used in the user prompt
     # messages.  The default value is "Smart card".
     token_type = "Secure token";
-
-    # The err_display_time option suspends execution for an interval of time
-    # in seconds after each PAM message is shown. 
-    err_display_time = 0;
-
-    # The quiet option can be used to disable error messages.
-    quiet = false;
   }
 
   # Which mappers ( Cert to login ) to use?
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/pam_pkcs11/patches/04-message_error_fix.patch	Wed Nov 02 20:44:19 2016 -0700
@@ -0,0 +1,59 @@
+#
+# This patch is to fix one spelling error and some message problems in PAM
+# prompt, so that they will comply to the Solaris message style.
+# 
+# The authentication spelling error has been already fixed in the latest
+# upstream source, so there is no need to contribute back this spelling error
+# fix. We will remove the spelling error change from this patch, when we 
+# upgrade this module to a new release that contains the spelling error fix.
+#
+# Changes from smartcard to "smart card" in pam_prompt messages are for
+# Solaris message style compliance and they are Solaris specific. 
+#
+--- pam_pkcs11-0.6.8_ORIG/src/pam_pkcs11/pam_pkcs11.c	Tue Oct  4 12:22:18 2016
++++ pam_pkcs11-0.6.8_NEW/src/pam_pkcs11/pam_pkcs11.c	Thu Oct 27 15:56:06 2016
+@@ -199,7 +199,7 @@
+   char **issuer, **serial;
+   const char *login_token_name = NULL;
+ 
+-  pam_prompt(pamh, PAM_TEXT_INFO , NULL, _("Smartcard authentification starts"));
++  pam_prompt(pamh, PAM_TEXT_INFO , NULL, _("Smart card authentication starts"));
+ 
+   /* first of all check whether debugging should be enabled */
+   for (i = 0; i < argc; i++)
+@@ -392,7 +392,7 @@
+       }
+     } else if (user) {
+ 		if (!configuration->quiet) {
+-			pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2308: No smartcard found"));
++			pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2308: No smart card found"));
+ 			sleep(configuration->err_display_time);
+ 		}
+ 
+@@ -419,7 +419,7 @@
+       if (rv != 0) {
+         /* user gave us a user id and no smart card go to next module */
+ 		if (!configuration->quiet) {
+-			pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2310: No smartcard found"));
++			pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2310: No smart card found"));
+ 			sleep(configuration->err_display_time);
+ 		}
+ 
+@@ -495,7 +495,7 @@
+ 			pam_syslog(pamh, LOG_ERR,
+ 					"password length is zero but the 'nullok' argument was not defined.");
+ 			if (!configuration->quiet) {
+-				pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2318: Empty smartcard PIN not allowed."));
++				pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2318: Empty smart card PIN not allowed."));
+ 				sleep(configuration->err_display_time);
+ 			}
+ 			return PAM_AUTH_ERR;
+@@ -523,7 +523,7 @@
+       ERR1("open_pkcs11_login() failed: %s", get_error());
+ 		if (!configuration->quiet) {
+ 			pam_syslog(pamh, LOG_ERR, "open_pkcs11_login() failed: %s", get_error());
+-			pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2320: Wrong smartcard PIN"));
++			pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2320: Wrong smart card PIN"));
+ 			sleep(configuration->err_display_time);
+ 		}
+       goto auth_failed_nopw;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/pam_pkcs11/patches/05-upgrade_bug_fix.patch	Wed Nov 02 20:44:19 2016 -0700
@@ -0,0 +1,115 @@
+#
+# In S11U3 releases, two versions of LDAP mapper modules are provided:
+# - ldap_mapper.so (built with Mozilla LDAP)
+# - openldap_mapper.so (built with OpenLDAP)
+#
+# However, on S12, because Mozilla LDAP is EOL'ed, only one LDAP mapper module
+# is provided:
+# - ldap_mapper.so (built with OpenLDAP)
+#
+# If openldap_mapper.so is used in pam_pkcs11.conf on S11U3, then pam_pkcs11
+# will fail to load the LDAP module after upgrade to S12. 
+#
+# To resolve this upgrade issue, on S12, if openldap_mapper.so is specified in 
+# pam_pkcs11.conf file, then we will load ldap_mapper.so instead. 
+#
+# This patch is Solaris specific and is for S12+ only. 
+#
+--- pam_pkcs11-0.6.8_ISA/src/pam_pkcs11/mapper_mgr.c	Thu Oct 13 15:01:46 2016
++++ pam_pkcs11-0.6.8_NEW/src/pam_pkcs11/mapper_mgr.c	Tue Nov  1 20:09:41 2016
+@@ -42,6 +42,41 @@
+ #include <sys/param.h>
+ #endif
+ 
++#ifdef UPGRADE_BUG_FIX
++#include <sys/utsname.h>
++#include <strings.h>
++#include <libgen.h>
++#include <syslog.h>
++
++#define LDAP_MAPPER_MODULE "ldap_mapper.so"
++#define OPENLDAP_MAPPER_MODULE "openldap_mapper.so"
++
++/*
++ * Return 1, if the system is running S12 or later, otherwise return 0.
++ */
++static int is_S12(void) {
++	struct utsname unstr;
++	struct utsname *un = &unstr;
++	char *ptr;
++
++	(void) uname(un);
++	DBG1("System is %s\n", un->release);
++
++	/* Make sure the major number is 5 */
++	ptr = un->release;
++	if (strncmp(ptr, "5", 1) != 0)
++	    return 0;
++
++	/* Check the minor number */
++	ptr = ptr + 2; 
++	if (atoi(ptr) >= 12) {
++	    return 1;
++	} else {
++	    return 0;
++	}
++}
++#endif /* UPGRADE_BUG_FIX */
++
+ struct mapper_listitem *root_mapper_list;
+ 
+ /*
+@@ -100,17 +135,49 @@
+ 	    }
+ 	} else if (blk) { /* assume dynamic module */
+ 	    DBG1("Loading dynamic module for mapper '%s'",name);
++
+ #ifdef MODULE_ISA_FIX
+ 	    if (expand_isa_path(libname, real_libname, sizeof (real_libname))) {
+ 	        DBG1("Problem in module path %s", libname);
+                 return NULL;
+ 	    } else {
+-	        DBG1("Module path is %s", real_libname);
++		DBG1("Module path is %s", real_libname);
+ 	    }
+-	    handler= dlopen(real_libname, RTLD_NOW);
+-#else
++
++#ifdef UPGRADE_BUG_FIX
++	    /*
++	     * If the system is running S12+ and openldap_mapper.so is used
++	     * for the ldap mapper module, then we will replace it with
++	     * ldap_mapper.so.
++	     */
++	    if (is_S12() && (strcmp(name, "ldap") == 0) && 
++	      (strcmp(basename(real_libname), OPENLDAP_MAPPER_MODULE) == 0)) {
++		char tmp_libname[MAXPATHLEN];
++		int len1, len2;
++
++		len1 = strlen(real_libname);
++		len2 = strlen(OPENLDAP_MAPPER_MODULE);
++		(void) strlcpy(tmp_libname, real_libname, len1 - len2 + 1);
++		(void) strlcat(tmp_libname, LDAP_MAPPER_MODULE, MAXPATHLEN);
++		(void) strncpy(real_libname, tmp_libname, MAXPATHLEN);
++
++		syslog(LOG_ERR,"pam_pkcs11: openldap_mapper.so is not "
++		  "available on S12, so ldap_mapper.so is loaded instead, "
++		  "because ldap_mapper.so is built with OpenLDAP libraries "
++		  "on S12.");
++
++		DBG("Warning: openldap_mapper.so is not available on S12, so "
++		  "ldap_mapper.so is loaded instead, because ldap_mapper.so "
++		  "is built with OpenLDAP libraries on S12.");
++        		
++		DBG1("Module path is changed to %s", real_libname);
++	    } 
++#endif /* UPGRADE_BUG_FIX */
++	    handler= dlopen(real_libname,RTLD_NOW);
++#else 
+ 	    handler= dlopen(libname,RTLD_NOW);
+-#endif
++#endif /* MODULE_ISA_FIX */
++
+ 	    if (!handler) {
+ 		DBG3("dlopen failed for module:  %s path: %s Error: %s",name,libname,dlerror());
+ 		return NULL;
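Review bot: `is_S12()` discards the return value of `uname()` and then parses `un->release`, so if the call fails the function reads an uninitialized struct; it also matches only the single character "5" before doing `ptr = ptr + 2`, so a release string shorter than three characters is read past its terminator, and `atoi` gives no way to tell "0" from garbage. Checking the `uname()` result, requiring the `"5."` prefix and parsing the minor number with `strtol`'s end pointer covers all three; the rewrite is below. In the second inner hunk, `(void) strncpy(real_libname, tmp_libname, MAXPATHLEN)` mixes `strncpy` with the `strlcpy`/`strlcat` used two lines above; `strlcpy(real_libname, tmp_libname, sizeof (real_libname))` stays bounded by the actual array (which the existing `sizeof (real_libname)` call suggests is the intent) and always NUL-terminates. Note also that POSIX allows `basename()` to modify its argument; it will not for a path ending in a filename, but a comment saying so would save a future reader the check. The function enclosing the second inner hunk starts and ends outside it.

```c
static int is_S12(void) {
	struct utsname unstr;
	struct utsname *un = &unstr;
	const char *ptr;
	char *end;
	long minor;

	/* On failure the buffer is uninitialized: treat as "not S12". */
	if (uname(un) < 0)
		return 0;
	DBG1("System is %s", un->release);

	/* Release is expected to look like "5.<minor>"; require the full prefix. */
	ptr = un->release;
	if (strncmp(ptr, "5.", 2) != 0)
		return 0;

	ptr += 2;
	minor = strtol(ptr, &end, 10);
	if (end == ptr)
		return 0;	/* no digits after "5." */
	return minor >= 12;
}
```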