
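--- a/.gear/pam_pkcs11.spec
+++ b/.gear/pam_pkcs11.spec
@@ -2,7 +2,7 @@
 
 Name: pam_pkcs11
 Version: 0.6.9
-Release: alt2.M70T.0.M70C.1
+Release: alt2.M70T.1.elvis.1
 
 Summary: PKCS #11 PAM Module and Login Tools
 Group: System/Base
@@ -20,6 +20,8 @@ Patch6: %name-%version-option-ask_pin.patch
 
 Patch70:  use-autoconf-2.68.patch
 
+Patch80: %name-%version-gost-elvis.patch
+
 BuildRequires: docbook-style-xsl flex libldap-devel libpam-devel libpcsclite-devel libssl-devel xsltproc
 BuildRequires: doxygen
 BuildRequires: docbook-dtds
@@ -75,6 +77,7 @@ as a separate package.
 %patch6 -p1
 
 %patch70 -p1
+%patch80 -p1
 
 # fixup configs
 sed -i -e '
@@ -157,6 +160,10 @@ rm %buildroot/%_lib/*/*.la
 /%_lib/%name/ldap_mapper.so
 
 %changelog
+* Fri Jan 27 2017 Max Kosmach <max@elvis.ru> 0.6.9-alt2.M70T.1.elvis.1
+- Add support for GOST certificates
+
+
 * Tue Nov 22 2016 Ivan Zakharyaschev <imz@altlinux.org> 0.6.9-alt2.M70T.0.M70C.1
 - Build for c7
 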
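--- a/.gear/rules
+++ b/.gear/rules
@@ -9,3 +9,4 @@
 diff: @name@-@version@:. @name@-@version@-buffer:. name=@name@-@version@-buffer.patch
 diff: @name@-@version@-buffer:. @name@-@version@-ask-pin-later:. name=@name@-@version@-ask-pin-later.patch
 diff: @name@-@version@-ask-pin-later:. @name@-@version@-ask-pin-later-with-option-ask_pin:. name=@name@-@version@-option-ask_pin.patch
+diff: @name@-@version@-c7:. e6719bdc84366f615ad5cb6d714f881a38f8162a:. name=@name@-@version@-gost-elvis.patch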
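Review bot: The new entry at line 12 builds `gost-elvis.patch` from the bare commit id `e6719bdc84366f615ad5cb6d714f881a38f8162a` where every other line names a tag, and no matching entry is added to `.gear/tags/list` in this change. That leaves the patch's origin unrecorded in the one place the package uses to pin its sources, so rebuilding or auditing the package later means trusting that the commit is still reachable and is the intended one. Tag the GOST branch (for example `@name@-@version@-gost-elvis`) and reference the tag here, with its hash recorded in `.gear/tags/list` like the `-c7` tag this same change adds.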
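--- a/.gear/tags/list
+++ b/.gear/tags/list
@@ -6,3 +6,4 @@
 4198e4bc3818a76e9fa71842a847a356f9873749 pam_pkcs11-0.6.9-buffer
 9a268c67b78e8a668d26a37b41bd2db39675914f pam_pkcs11-0.6.9-ask-pin-later
 8247217c608dee7c3d429fce61068c4cde7df07e pam_pkcs11-0.6.9-ask-pin-later-with-option-ask_pin
+7dd57ca145e86bce86957c65594f0aed4036cee1 pam_pkcs11-0.6.9-c7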
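--- a/po/ru.po
+++ b/po/ru.po
@@ -36,7 +36,7 @@
 
 #: src/pam_pkcs11/pam_pkcs11.c:387
 msgid "Error 2306: No suitable token available"
-msgstr ""
+msgstr "Ошибка 2306: Нет подходящего токена"
 
 #: src/pam_pkcs11/pam_pkcs11.c:401
 #, c-format
@@ -49,11 +49,11 @@
 
 #: src/pam_pkcs11/pam_pkcs11.c:422
 msgid "Error 2308: No smartcard found"
-msgstr ""
+msgstr "Ошибка 2308: Не найдена смарт-карта"
 
 #: src/pam_pkcs11/pam_pkcs11.c:449
 msgid "Error 2310: No smartcard found"
-msgstr ""
+msgstr "Ошибка 2310: Не найдена смарт-карта"
 
 #: src/pam_pkcs11/pam_pkcs11.c:459
 #, c-format
@@ -93,31 +93,31 @@
 
 #: src/pam_pkcs11/pam_pkcs11.c:553
 msgid "Error 2320: Wrong smartcard PIN"
-msgstr ""
+msgstr "Ошибка 2320: Неверный ПИН"
 
 #: src/pam_pkcs11/pam_pkcs11.c:565
 msgid "Error 2322: No certificate found"
-msgstr ""
+msgstr "Ошибка 2322: Не найден сертификат"
 
 #: src/pam_pkcs11/pam_pkcs11.c:580
 msgid "verifying certificate"
-msgstr ""
+msgstr "Проверка сертификата"
 
 #: src/pam_pkcs11/pam_pkcs11.c:593
 msgid "Error 2324: Certificate has expired"
-msgstr ""
+msgstr "Ошибка 2324: Истек срок действия сертификата"
 
 #: src/pam_pkcs11/pam_pkcs11.c:597
 msgid "Error 2326: Certificate not yet valid"
-msgstr ""
+msgstr "Ошибка 2326: Срок действия сертификата еще не наступил"
 
 #: src/pam_pkcs11/pam_pkcs11.c:601
 msgid "Error 2328: Certificate signature invalid"
-msgstr ""
+msgstr "Ошибка 2328: Неверная подпись сертификата"
 
 #: src/pam_pkcs11/pam_pkcs11.c:605
 msgid "Error 2330: Certificate invalid"
-msgstr ""
+msgstr "Ошибка 2330: Неверный сертификат"
 
 #: src/pam_pkcs11/pam_pkcs11.c:640
 msgid "Error 2332: setting PAM userentry failed"
@@ -125,15 +125,15 @@
 
 #: src/pam_pkcs11/pam_pkcs11.c:656
 msgid "Error 2334: No matching user"
-msgstr ""
+msgstr "Ошибка 2334: Нет подходящего пользователя"
 
 #: src/pam_pkcs11/pam_pkcs11.c:677
 msgid "Error 2336: No matching certificate found"
-msgstr ""
+msgstr "Ошибка 2336: Нет подходящего сертификата"
 
 #: src/pam_pkcs11/pam_pkcs11.c:686
 msgid "Checking signature"
-msgstr ""
+msgstr "Проверка подписи"
 
 #: src/pam_pkcs11/pam_pkcs11.c:706
 msgid "Error 2338: Getting random value failed"
@@ -141,11 +141,11 @@
 
 #: src/pam_pkcs11/pam_pkcs11.c:720
 msgid "Error 2340: Signing failed"
-msgstr ""
+msgstr "Ошибка 2340: Не удалось сформировать подпись"
 
 #: src/pam_pkcs11/pam_pkcs11.c:739
 msgid "Error 2342: Verifying signature failed"
-msgstr ""
+msgstr "Ошибка 2342: Не удалось проверить подпись"
 
 #: src/pam_pkcs11/pam_pkcs11.c:886
 msgid "Cannot change the password on your smart card."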
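--- a/src/common/cert_vfy.c
+++ b/src/common/cert_vfy.c
@@ -491,16 +491,28 @@ int verify_signature(X509 * x509, unsigned char *data, int data_length,
   int rv;
   EVP_PKEY *pubkey;
   EVP_MD_CTX *md_ctx = NULL;
-
+  const EVP_MD* md;
+  int nid;
   /* get the public-key */
   pubkey = X509_get_pubkey(x509);
   if (pubkey == NULL) {
     set_error("X509_get_pubkey() failed: %s", ERR_error_string(ERR_get_error(), NULL));
     return -1;
   }
-  md_ctx = EVP_MD_CTX_new();
+
+  nid = OBJ_obj2nid(x509->cert_info->key->algor->algorithm);
+  if( NID_id_GostR3410_2001 == nid )
+    md = EVP_get_digestbyname("md_gost94");
+  else
+    md = EVP_sha1();
+  if (!md) {
+    set_error("unsupported key algorithm, nid: %d", nid);
+    return -1;
+  }
+
+  md_ctx = EVP_MD_CTX_create();
   /* verify the signature */
-  EVP_VerifyInit(md_ctx, EVP_sha1());
+  EVP_VerifyInit(md_ctx, md);
   EVP_VerifyUpdate(md_ctx, data, data_length);
   rv = EVP_VerifyFinal(md_ctx, signature, signature_length, pubkey);
   EVP_PKEY_free(pubkey);
@@ -512,4 +524,30 @@ int verify_signature(X509 * x509, unsigned char *data, int data_length,
   DBG("signature is valid");
   return 0;
 }
+
+int verify_eku_sc_logon(X509 * x509)
+{
+  static unsigned char id_kp_sc_logon[] = {0x2b, 6, 1, 4, 1, 0x82, 0x37, 20, 2, 2}; // 1.3.6.1.4.1.311.20.2.2
+  int rv = 0;
+  EXTENDED_KEY_USAGE* eku = X509_get_ext_d2i(x509, NID_ext_key_usage, NULL, NULL);
+  if( NULL != eku )
+  {
+    int i = 0, n = sk_ASN1_OBJECT_num(eku);
+    for( ; i < n; ++i )
+    {
+      ASN1_OBJECT* extobj = sk_ASN1_OBJECT_value( eku, i );
+      if( NULL == extobj )
+        continue;
+      if( sizeof(id_kp_sc_logon) == extobj->length
+          && 0 == memcmp(extobj->data, id_kp_sc_logon, sizeof(id_kp_sc_logon)) )
+      {
+        rv = 1;
+        break;
+      }
+    }
+    EXTENDED_KEY_USAGE_free(eku);
+  }
+  return rv;
+}
+
 #endif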
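Review bot: The new early return at line 510 (`return -1;` when no digest is found) leaks `pubkey`, which `X509_get_pubkey()` handed back at line 497 and which is only released by the `EVP_PKEY_free(pubkey)` further down; the original code had no exit between those two points. Either move the `nid`/`md` selection above the `X509_get_pubkey()` call or write `EVP_PKEY_free(pubkey); return -1;` there. `verify_signature` starts before the first hunk and whatever releases `md_ctx` runs after it, so it is not visible here whether the switch from `EVP_MD_CTX_new()` to `EVP_MD_CTX_create()` is matched on the release side. In `verify_eku_sc_logon`, comparing `extobj->length`/`extobj->data` against a hand-encoded DER OID bypasses the object API; `OBJ_cmp(extobj, sc_logon_obj) == 0` with `sc_logon_obj` built once from `OBJ_txt2obj("1.3.6.1.4.1.311.20.2.2", 1)` (and freed after use) expresses the same test without reaching into `ASN1_OBJECT`, and the byte table should be `static const` either way.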
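--- a/src/common/cert_vfy.h
+++ b/src/common/cert_vfy.h
@@ -54,6 +54,7 @@ struct cert_policy_st {
 	const char *crl_dir;
 	const char *nss_dir;
 	int ocsp_policy;
+	int eku_sc_logon_policy;
 };
 
 #ifndef __CERT_VFY_C
@@ -81,6 +82,8 @@ CERTVFY_EXTERN int verify_certificate(X509 * x509, cert_policy *policy);
 */
 CERTVFY_EXTERN int verify_signature(X509 * x509, unsigned char *data, int data_length, unsigned char *signature, int signature_length);
 
+CERTVFY_EXTERN int verify_eku_sc_logon(X509 * x509);
+
 #undef CERTVFY_EXTERN
 
 #endif /* __CERT_VFY_H_ */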
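Review bot: `verify_eku_sc_logon` at line 85 is declared without the doc comment that the neighbouring `verify_signature` prototype carries (its closing `*/` is the first context line of the hunk). Add one stating the contract the implementation has: `/** Check whether the certificate's Extended Key Usage lists Smart Card Logon (1.3.6.1.4.1.311.20.2.2). Returns 1 if present, 0 if the extension is absent or does not carry the OID. */`. The new `eku_sc_logon_policy` field at line 57 also deserves a trailing comment such as `/* non-zero: reject certificates lacking the Smart Card Logon EKU */`, matching how the other policy fields are meant to be read.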
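--- a/src/common/pkcs11_lib.c
+++ b/src/common/pkcs11_lib.c
@@ -32,7 +32,7 @@
 #include "error.h"
 #include "cert_info.h"
 #include "pkcs11_lib.h"
-
+#include <openssl/conf.h>
 
 /*
  * this functions is completely common between both implementation.
@@ -979,6 +979,7 @@ int crypto_init(cert_policy *policy)
 {
   /* arg is ignored for OPENSSL */
   (void)policy;
+  OPENSSL_config(NULL);
   OpenSSL_add_all_algorithms();
   ERR_load_crypto_strings();
   return 0;
@@ -1671,6 +1672,7 @@ getlist_error:
 int get_private_key(pkcs11_handle_t *h, cert_object_t *cert) {
   CK_OBJECT_CLASS key_class = CKO_PRIVATE_KEY;
   CK_BBOOL key_sign = CK_TRUE;
+  CK_ATTRIBUTE attr;
   CK_ATTRIBUTE key_template[] = {
     {CKA_CLASS, &key_class, sizeof(key_class)}
     ,
@@ -1718,7 +1720,16 @@ int get_private_key(pkcs11_handle_t *h, cert_object_t *cert) {
   }
 
   cert->private_key = object;
-  cert->key_type = CKK_RSA;
+  attr.type = CKA_KEY_TYPE;
+  attr.ulValueLen = sizeof(cert->key_type);
+  attr.pValue = &(cert->key_type);
+  rv = h->fl->C_GetAttributeValue(h->session, object, &attr,1);
+  if (rv != CKR_OK) {
+    set_error("C_GetAttributeValue() failed: 0x%08lX", rv);
+    return -1;
+  }
+  
+  DBG1("C_GetAttributeValue keytype: %x",cert->key_type);
 
   return 0;
 
@@ -1759,29 +1770,38 @@ int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data,
     case CKK_RSA:
       mechanism.mechanism = CKM_RSA_PKCS;
       break;
+    case CKK_GOSTR3410:
+      mechanism.mechanism = CKM_GOSTR3410_WITH_GOSTR3411;
+      break;
     default:
       set_error("unsupported key type %d", cert->type);
       return -1;
   }
   /* compute hash-value */
-  SHA1(data, length, &hash[15]);
-  DBG5("hash[%ld] = [...:%02x:%02x:%02x:...:%02x]", sizeof(hash),
-      hash[15], hash[16], hash[17], hash[sizeof(hash) - 1]);
+  if( CKK_RSA == cert->key_type ) {
+    SHA1(data, length, &hash[15]);
+    DBG5("hash[%ld] = [...:%02x:%02x:%02x:...:%02x]", sizeof(hash),
+        hash[15], hash[16], hash[17], hash[sizeof(hash) - 1]);
+  }
   /* sign the token */
+  DBG2("C_SignInit: mech: %x, keytype: %x", mechanism.mechanism, cert->key_type);
   rv = h->fl->C_SignInit(h->session, &mechanism, cert->private_key);
   if (rv != CKR_OK) {
     set_error("C_SignInit() failed: 0x%08lX", rv);
     return -1;
   }
   *signature = NULL;
-  *signature_length = 128;
+  *signature_length = 256;
   while (*signature == NULL) {
     *signature = malloc(*signature_length);
     if (*signature == NULL) {
       set_error("not enough free memory available");
       return -1;
     }
-    rv = h->fl->C_Sign(h->session, hash, sizeof(hash), *signature, signature_length);
+    if( CKK_RSA == cert->key_type )
+      rv = h->fl->C_Sign(h->session, hash, sizeof(hash), *signature, signature_length);
+    else
+      rv = h->fl->C_Sign(h->session, data, length, *signature, signature_length);
     if (rv == CKR_BUFFER_TOO_SMALL) {
       /* increase signature length as long as it it to short */
       free(*signature);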
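Review bot: `OPENSSL_config(NULL)` at line 982 makes this PAM module, which runs inside privileged login processes, parse the OpenSSL configuration file and load whatever engines and dynamic modules it names; on OpenSSL releases that take that file's path from the `OPENSSL_CONF` environment variable without a privilege check (the 1.0.x line this tree appears to target, given the `x509->cert_info` access in cert_vfy.c), the environment of the process calling PAM decides what gets loaded. If the purpose is only to make the GOST engine available, say so in a comment above the call and consider `CONF_modules_load_file()` with an explicit, fixed path instead of the default lookup. Separately, `DBG1("C_GetAttributeValue keytype: %x", ...)` at line 1732 and `DBG2("C_SignInit: mech: %x, keytype: %x", ...)` at line 1787 pass `CK_ULONG` values (`CK_KEY_TYPE` and `CK_MECHANISM_TYPE` are both `typedef CK_ULONG`, per the pkcs11t.h hunk headers) to `%x`, which expects `unsigned int`; use `%lx` as the neighbouring `set_error("... 0x%08lX", rv)` does.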
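--- a/src/common/rsaref/pkcs11t.h
+++ b/src/common/rsaref/pkcs11t.h
@@ -383,6 +383,11 @@ typedef CK_ULONG CK_KEY_TYPE;
 #define CKK_CDMF            0x0000001E
 #define CKK_AES             0x0000001F
 
+/* Elvis */
+#define CKK_GOSTR3410	0x00000030
+#define CKK_GOSTR3411	0x00000031
+#define CKK_GOST28147	0x00000032
+
 #define CKK_VENDOR_DEFINED  0x80000000
 
 
@@ -774,6 +779,21 @@ typedef CK_ULONG CK_MECHANISM_TYPE;
 #define CKM_DH_PKCS_PARAMETER_GEN      0x00002001
 #define CKM_X9_42_DH_PARAMETER_GEN     0x00002002
 
+/* Elvis */
+#define CKM_GOSTR3410_KEY_PAIR_GEN		0x00001200
+#define CKM_GOSTR3410					0x00001201
+#define CKM_GOSTR3410_WITH_GOSTR3411	0x00001202
+#define CKM_GOSTR3410_KEY_WRAP			0x00001203
+#define CKM_GOSTR3410_DERIVE			0x00001204
+#define CKM_GOSTR3411					0x00001210
+#define CKM_GOSTR3411_HMAC				0x00001211
+#define CKM_GOST28147_KEY_GEN			0x00001220
+#define CKM_GOST28147_ECB				0x00001221
+#define CKM_GOST28147					0x00001222
+#define CKM_GOST28147_MAC				0x00001223
+#define CKM_GOST28147_KEY_WRAP	0x00001224
+
+
 #define CKM_VENDOR_DEFINED             0x80000000
 
 typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;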
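Review bot: The `/* Elvis */` comments at lines 386 and 782 present the new constants as a vendor's private numbering, but the values — `CKK_GOSTR3410` 0x30 through `CKK_GOST28147` 0x32 and `CKM_GOSTR3410_KEY_PAIR_GEN` 0x1200 through `CKM_GOST28147_KEY_WRAP` 0x1224 — are the identifiers assigned by PKCS #11 v2.30, which is why they can sit below `CKK_VENDOR_DEFINED`/`CKM_VENDOR_DEFINED` without colliding with a token's vendor range. Replace both comments with `/* GOST key types and mechanisms, PKCS #11 v2.30 */` so the provenance is auditable, and align the values with spaces to match the neighbouring defines instead of the mixed tab runs used here.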
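--- a/src/pam_pkcs11/pam_config.c
+++ b/src/pam_pkcs11/pam_config.c
@@ -91,6 +91,7 @@ static void display_config (void) {
         DBG1("crl_policy %d",configuration.policy.crl_policy);
         DBG1("signature_policy %d",configuration.policy.signature_policy);
         DBG1("ocsp_policy %d",configuration.policy.ocsp_policy);
+        DBG1("eku_sc_logon_policy %d",configuration.policy.eku_sc_logon_policy);
         DBG1("err_display_time %d", configuration.err_display_time);
         DBG1("ask_pin %d",configuration.ask_pin);
 }
@@ -192,6 +193,7 @@ static void parse_config_file(void) {
 			configuration.policy.global_ca_policy=0;
 			configuration.policy.ca_policy=0;
 			configuration.policy.signature_policy=0;
+			configuration.policy.eku_sc_logon_policy=0;
 			break;
 		} else if ( !strcmp(policy_list->data,"crl_auto") ) {
 			configuration.policy.crl_policy=CRLP_AUTO;
@@ -207,6 +209,8 @@ static void parse_config_file(void) {
 			configuration.policy.ca_policy=1;
 		} else if ( !strcmp(policy_list->data,"signature") ) {
 			configuration.policy.signature_policy=1;
+		} else if ( !strcmp(policy_list->data,"eku_sclogon") ) {
+			configuration.policy.eku_sc_logon_policy=1;
 		} else {
                    DBG1("Invalid CRL policy: %s",policy_list->data);
 	        }
@@ -340,6 +344,7 @@ struct configuration_st *pk_configure( int argc, const char **argv ) {
 			configuration.policy.ca_policy=0;
 			configuration.policy.signature_policy=0;
 			configuration.policy.ocsp_policy=OCSP_NONE;
+			configuration.policy.eku_sc_logon_policy=0;
 		}
 		if (strstr(argv[i],"crl_online")) {
 			configuration.policy.crl_policy=CRLP_ONLINE;
@@ -359,6 +364,9 @@ struct configuration_st *pk_configure( int argc, const char **argv ) {
 		if (strstr(argv[i],"signature")) {
 			configuration.policy.signature_policy=1;
 		}
+		if (strstr(argv[i],"eku_sclogon")) {
+			configuration.policy.eku_sc_logon_policy=1;
+		}
 		continue;
 	   }
 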
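Review bot: The config keyword is spelled `eku_sclogon` at lines 212 and 367 while the field, the debug label and the verifier function are all `eku_sc_logon`; settle on one spelling before the keyword becomes part of the configuration interface, since it cannot be renamed later without breaking deployed configurations. A misspelt keyword falls into the existing `else` at line 214, which only logs `Invalid CRL policy` at debug level, so a typo silently leaves the new check disabled; at least make that message name the whole policy list rather than CRL settings now that it covers `signature` and `eku_sclogon` too. The field's value when no policy list is given is not set in these hunks (only the explicit `none` branches at 196 and 347 zero it); presumably `configuration` is a zero-initialised static, but confirm that, and document `eku_sclogon` next to `signature` and `crl_auto` wherever the policy keywords are described for administrators.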
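--- a/src/pam_pkcs11/pam_pkcs11.c
+++ b/src/pam_pkcs11/pam_pkcs11.c
@@ -532,7 +532,12 @@
 	if (!configuration->quiet) {
 		pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("verifying certificate"));
 	}
-
+    if (configuration->policy.eku_sc_logon_policy) {
+      if (!verify_eku_sc_logon(x509)) {
+        DBG("Certificate does not contain EKU Smart Card Logon");
+        continue; /* try next certificate */
+      }
+    }
       /* verify certificate (date, signature, CRL, ...) */
       rv = verify_certificate(x509,&configuration->policy);
       if (rv < 0) {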
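Review bot: The EKU block added at lines 535-540 leaves the per-certificate iteration with `continue`, but the loop head and whatever the iteration set up for `x509` before this point lie outside the hunk; check that nothing is leaked or left in a half-initialised state by exiting here rather than through the existing `rv < 0` path below. The check is fail-closed — `verify_eku_sc_logon()` returns 0 both when the EKU extension lacks the Smart Card Logon OID and when the certificate carries no EKU extension at all — which is the right default for a logon policy but worth recording in a comment such as `/* eku_sclogon policy: skip certificates without a Smart Card Logon EKU (including certificates with no EKU extension) */`. The new lines use four-space indentation while the adjacent lines use a tab and six spaces; pick one of the existing styles. `pam_sm_authenticate` begins well before this hunk.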
