24766235 Change to build PAM_PKCS11 with the pcsclite=yes option for 32 bit s11u3-sru
authorIvo Raisr <ivo.raisr@oracle.com>
Sat, 26 Nov 2016 14:44:47 -0800
branchs11u3-sru
changeset 7455 cefc5b17cc4b
parent 7454 66df0d7fd2ad
child 7456 8450ef71c436
24766235 Change to build PAM_PKCS11 with the pcsclite=yes option for 32 bit 24897765 err_display_time and quiet options are placed incorrectly in pam_pkcs11.conf 24790022 Fix spelling and grammar errors in pam_pkcs11.c messages
components/pam_pkcs11/Makefile
components/pam_pkcs11/pam_pkcs11.conf
components/pam_pkcs11/patches/04-message_error_fix.patch
--- a/components/pam_pkcs11/Makefile	Sat Nov 26 05:55:27 2016 -0800
+++ b/components/pam_pkcs11/Makefile	Sat Nov 26 14:44:47 2016 -0800
@@ -79,10 +79,9 @@
 CONFIGURE_OPTIONS += --with-confdir=/etc/security/pam_pkcs11
 CONFIGURE_OPTIONS += --docdir=/etc/security/pam_pkcs11
 CONFIGURE_OPTIONS += OPENSSL_LIBS="-lssl -lcrypto -lsocket"
-CONFIGURE_OPTIONS.32 += --with-pcsclite=no
-CONFIGURE_OPTIONS.64 += --with-pcsclite=yes
-CONFIGURE_OPTIONS.64 += PCSC_CFLAGS="-I/usr/include/PCSC"
-CONFIGURE_OPTIONS.64 += PCSC_LIBS="-lpcsclite"
+CONFIGURE_OPTIONS += --with-pcsclite=yes
+CONFIGURE_OPTIONS += PCSC_CFLAGS="-I/usr/include/PCSC"
+CONFIGURE_OPTIONS += PCSC_LIBS="-lpcsclite"
 
 # We install only the MozillaLDAP variant. We will cherry-pick binaries built
 # against OpenLDAP out of the build directory to avoid re-installing
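Review bot: The three now-unconditional `CONFIGURE_OPTIONS` lines carry no comment explaining why the 32-bit build, which used `--with-pcsclite=no` until this change, can now link `-lpcsclite`. I would add above them `# pcsclite is enabled for both 32- and 64-bit builds; a 32-bit libpcsclite must be present at build and run time.` It is also worth confirming that REQUIRED_PACKAGES names the package that delivers the PC/SC headers and library. Only the tail of that list is visible in this diff, so it may already be covered.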
@@ -92,6 +91,8 @@
 INSTALL_32_and_64 = $(INSTALL_32) $(INSTALL_64)
 
 # common targets
+configure:	$(CONFIGURE_32_and_64)
+
 build:		$(BUILD_32_and_64)
 
 install:	$(INSTALL_32_and_64)
@@ -104,4 +105,3 @@
 REQUIRED_PACKAGES += shell/bash
 REQUIRED_PACKAGES += system/library
 REQUIRED_PACKAGES += system/linker
-
--- a/components/pam_pkcs11/pam_pkcs11.conf	Sat Nov 26 05:55:27 2016 -0800
+++ b/components/pam_pkcs11/pam_pkcs11.conf	Sat Nov 26 14:44:47 2016 -0800
@@ -13,6 +13,13 @@
   # Filename of the PKCS #11 module. The default value is "default"
   use_pkcs11_module = default;
 
+  # The err_display_time option suspends execution for an interval of time
+  # in seconds after each PAM message is shown. 
+  err_display_time = 0;
+
+  # The quiet option can be used to disable error messages.
+  quiet = false;
+
   pkcs11_module default {
     module = /usr/lib/$ISA/libpkcs11.so;
     description = "Solaris PKCS#11 Cryptographic Framework library";
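Review bot: The comment added for `quiet` says it only disables error messages, but the option also gates a syslog call. In the pam_pkcs11.c context quoted by patches/04-message_error_fix.patch, `pam_syslog(pamh, LOG_ERR, "open_pkcs11_login() failed: %s", get_error());` sits inside `if (!configuration->quiet)`. On that path, setting `quiet = true` would also drop the syslog record of a failed PIN login, which matters where failed authentications are monitored. I would extend the comment, for example `# Note: quiet = true also suppresses the syslog entry for a failed token login; keep it false where failed logins must be logged.` The second line of the added `err_display_time` comment also ends in trailing whitespace.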
@@ -79,13 +86,6 @@
     # The value of the token_type parameter will be used in the user prompt
     # messages.  The default value is "Smart card".
     token_type = "Secure token";
-
-    # The err_display_time option suspends execution for an interval of time
-    # in seconds after each PAM message is shown. 
-    err_display_time = 0;
-
-    # The quiet option can be used to disable error messages.
-    quiet = false;
   }
 
   # Which mappers ( Cert to login ) to use?
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/pam_pkcs11/patches/04-message_error_fix.patch	Sat Nov 26 14:44:47 2016 -0800
@@ -0,0 +1,59 @@
+#
+# This patch is to fix one spelling error and some message problems in PAM
+# prompt, so that they will comply to the Solaris message style.
+# 
+# The authentication spelling error has been already fixed in the latest
+# upstream source, so there is no need to contribute back this spelling error
+# fix. We will remove the spelling error change from this patch, when we 
+# upgrade this module to a new release that contains the spelling error fix.
+#
+# Changes from smartcard to "smart card" in pam_prompt messages are for
+# Solaris message style compliance and they are Solaris specific. 
+#
+--- pam_pkcs11-0.6.8_ORIG/src/pam_pkcs11/pam_pkcs11.c	Tue Oct  4 12:22:18 2016
++++ pam_pkcs11-0.6.8_NEW/src/pam_pkcs11/pam_pkcs11.c	Thu Oct 27 15:56:06 2016
[email protected]@ -199,7 +199,7 @@
+   char **issuer, **serial;
+   const char *login_token_name = NULL;
+ 
+-  pam_prompt(pamh, PAM_TEXT_INFO , NULL, _("Smartcard authentification starts"));
++  pam_prompt(pamh, PAM_TEXT_INFO , NULL, _("Smart card authentication starts"));
+ 
+   /* first of all check whether debugging should be enabled */
+   for (i = 0; i < argc; i++)
[email protected]@ -392,7 +392,7 @@
+       }
+     } else if (user) {
+ 		if (!configuration->quiet) {
+-			pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2308: No smartcard found"));
++			pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2308: No smart card found"));
+ 			sleep(configuration->err_display_time);
+ 		}
+ 
[email protected]@ -419,7 +419,7 @@
+       if (rv != 0) {
+         /* user gave us a user id and no smart card go to next module */
+ 		if (!configuration->quiet) {
+-			pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2310: No smartcard found"));
++			pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2310: No smart card found"));
+ 			sleep(configuration->err_display_time);
+ 		}
+ 
[email protected]@ -495,7 +495,7 @@
+ 			pam_syslog(pamh, LOG_ERR,
+ 					"password length is zero but the 'nullok' argument was not defined.");
+ 			if (!configuration->quiet) {
+-				pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2318: Empty smartcard PIN not allowed."));
++				pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2318: Empty smart card PIN not allowed."));
+ 				sleep(configuration->err_display_time);
+ 			}
+ 			return PAM_AUTH_ERR;
[email protected]@ -523,7 +523,7 @@
+       ERR1("open_pkcs11_login() failed: %s", get_error());
+ 		if (!configuration->quiet) {
+ 			pam_syslog(pamh, LOG_ERR, "open_pkcs11_login() failed: %s", get_error());
+-			pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2320: Wrong smartcard PIN"));
++			pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2320: Wrong smart card PIN"));
+ 			sleep(configuration->err_display_time);
+ 		}
+       goto auth_failed_nopw;
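Review bot: Every string reworded in the embedded pam_pkcs11.c patch is a gettext msgid passed through `_()`, and this commit updates no message catalog alongside it. If the component delivers upstream's translations, the five changed prompts will no longer match their catalog entries, so localized login sessions would fall back to the English text for exactly these authentication messages. Either refresh the affected catalog entries in the same patch or add a line to the patch header such as `# Translations for the reworded msgids are intentionally not updated.` The embedded hunks show only fragments of the enclosing function, so any other callers of these strings are not visible here.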