authorAdrien Oliva2019-04-10 14:32:19 +0200
committerAdrien Oliva2019-04-10 14:32:19 +0200
commite36eda36b7cb049f647d33ad888a428dcb323e89 (patch)
treec6447d41ba01cc56b05b91b0c8d80e7fe924feb5
Initial package creation
Based on the Poldi-git package with an additional patch that enables support for ECC and DSA public keys. Tested with a Nitrokey Start smartcard and an ECC ed25519 key.
-rw-r--r--.SRCINFO32
-rw-r--r--0001-Update-path-to-scdaemon.patch23
-rw-r--r--0002-Support-ECC-and-DSA-pub-keys.patch148
-rw-r--r--PKGBUILD78
-rw-r--r--poldi-arch.patch26
-rw-r--r--poldi.install54
-rw-r--r--poldi.logrotate9
7 files changed, 370 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..af218c69a2d8
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,32 @@
+pkgbase = poldi-ecc-dsa-git
+ pkgdesc = PAM module for authentication using a smartcard
+ pkgver = r142.d9a9ff9
+ pkgrel = 1
+ url = http://git.gnupg.org/cgi-bin/gitweb.cgi?p=poldi.git
+ install = poldi.install
+ arch = i686
+ arch = x86_64
+ license = GPL
+ makedepends = git
+ makedepends = autoconf
+ makedepends = automake
+ depends = libgcrypt
+ depends = libgpg-error
+ depends = libksba
+ depends = pam
+ optdepends = logrotate: To avoid giant logfiles
+ conflicts = poldi
+ conflicts = poldi-git
+ backup = etc/poldi/poldi.conf
+ backup = etc/pam.d/system-auth-poldi
+ source = poldi::git://git.gnupg.org/poldi/
+ source = 0001-Update-path-to-scdaemon.patch
+ source = 0002-Support-ECC-and-DSA-pub-keys.patch
+ source = poldi.logrotate
+ md5sums = SKIP
+ md5sums = 6ccfe3af0362bca96d1d85aa097b5f1d
+ md5sums = a91b462fc86511fe7e16bb0168fae48e
+ md5sums = 57009cc5211088396d2521fc1997792b
+
+pkgname = poldi-ecc-dsa-git
+
diff --git a/0001-Update-path-to-scdaemon.patch b/0001-Update-path-to-scdaemon.patch
new file mode 100644
index 000000000000..ba58fe291b7c
--- /dev/null
+++ b/0001-Update-path-to-scdaemon.patch
@@ -0,0 +1,23 @@
+From 097e6e2ad904f0c21870716e4c305a6d0aedb593 Mon Sep 17 00:00:00 2001
+From: Olivier Mehani <shtrom@ssji.net>
+Date: Mon, 30 Apr 2018 21:06:38 +1000
+Subject: [PATCH] Update path to scdaemon
+
+Signed-off-by: Olivier Mehani <shtrom@ssji.net>
+---
+ conf/poldi.conf.skel | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/conf/poldi.conf.skel b/conf/poldi.conf.skel
+index 3fed157..3babbb1 100644
+--- a/conf/poldi.conf.skel
++++ b/conf/poldi.conf.skel
+@@ -11,4 +11,4 @@ log-file /var/log/poldi
+ debug
+
+ # Specify SCDaemon executable
+-scdaemon-program /usr/lib/gnupg2/scdaemon
++scdaemon-program /usr/lib/gnupg/scdaemon
+--
+2.17.0
+
diff --git a/0002-Support-ECC-and-DSA-pub-keys.patch b/0002-Support-ECC-and-DSA-pub-keys.patch
new file mode 100644
index 000000000000..d426e460934e
--- /dev/null
+++ b/0002-Support-ECC-and-DSA-pub-keys.patch
@@ -0,0 +1,148 @@
+From 5cf6de5ded961302afdfac5e0a7995ae456aaef2 Mon Sep 17 00:00:00 2001
+From: ap4y <mail@ap4y.me>
+Date: Wed, 3 Apr 2019 21:59:31 +1300
+Subject: [PATCH] Support ECC and DSA pub keys
+
+---
+ src/util/support.c | 90 ++++++++++++++++++++++++++++++++++++----------
+ src/util/support.h | 7 ++++
+ 2 files changed, 79 insertions(+), 18 deletions(-)
+
+diff --git a/src/util/support.c b/src/util/support.c
+index 8e576c6..773f3d8 100644
+--- a/src/util/support.c
++++ b/src/util/support.c
+@@ -86,26 +86,17 @@ challenge_verify_sexp (gcry_sexp_t sexp_key,
+ gpg_error_t err = GPG_ERR_NO_ERROR;
+ gcry_sexp_t sexp_signature = NULL;
+ gcry_sexp_t sexp_data = NULL;
+- gcry_mpi_t mpi_signature = NULL;
++ int algo = pk_algo (sexp_key);
+
+- /* Convert buffers into MPIs. */
+- if (! err)
+- {
+- if (gcry_mpi_scan (&mpi_signature, GCRYMPI_FMT_USG, response, response_n,
+- NULL))
+- err = gpg_error (GPG_ERR_BAD_MPI);
+- }
++ if (algo == 0)
++ return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
++
++ err = challenge_data (&sexp_data, algo, challenge, challenge_n);
+
+- /* Create according S-Expressions. */
+- if (! err)
+- err = gcry_sexp_build (&sexp_data, NULL,
+- "(data (flags pkcs1) (hash sha1 %b))",
+- challenge_n, challenge);
+ if (! err)
+- err = gcry_sexp_build (&sexp_signature, NULL, "(sig-val (rsa (s %m)))",
+- mpi_signature);
++ err = response_signature (&sexp_signature, algo,
++ response, response_n);
+
+- /* Verify. */
+ if (! err)
+ err = gcry_pk_verify (sexp_signature, sexp_data, sexp_key);
+
+@@ -113,8 +104,6 @@ challenge_verify_sexp (gcry_sexp_t sexp_key,
+ gcry_sexp_release (sexp_data);
+ if (sexp_signature)
+ gcry_sexp_release (sexp_signature);
+- if (mpi_signature)
+- gcry_mpi_release (mpi_signature);
+
+ return err;
+ }
+@@ -387,4 +376,69 @@ my_strlen (const char *s)
+ return ret;
+ }
+
++int
++pk_algo (gcry_sexp_t sexp_key)
++{
++ gcry_sexp_t sexp_data;
++ char *algoname;
++ int algo;
++
++ sexp_data = gcry_sexp_find_token (sexp_key, "public-key", 0);
++ if (!sexp_data)
++ return 0;
++
++ gcry_sexp_t sexp_tmp = gcry_sexp_cadr (sexp_data);
++ gcry_sexp_release (sexp_data);
++ sexp_data = sexp_tmp;
++
++ algoname = gcry_sexp_nth_string (sexp_data, 0);
++ gcry_sexp_release (sexp_data);
++ if (!algoname)
++ return 0;
++
++ algo = gcry_pk_map_name (algoname);
++ xfree(algoname);
++ return algo;
++}
++
++gpg_error_t
++challenge_data (gcry_sexp_t *data, int algo,
++ unsigned char *challenge, size_t challenge_n)
++{
++ if (algo == GCRY_PK_ECC)
++ {
++ return gcry_sexp_build (data, NULL,
++ "(data (flags eddsa) (hash-algo sha512) (value %b))",
++ challenge_n, challenge);
++ }
++
++ return gcry_sexp_build (data, NULL,
++ "(data (flags pkcs1) (hash sha1 %b))",
++ challenge_n, challenge);
++}
++
++gpg_error_t
++response_signature (gcry_sexp_t *sig, int algo,
++ unsigned char *response, size_t response_n)
++{
++ switch (algo)
++ {
++ case GCRY_PK_RSA:
++ return gcry_sexp_build (sig, NULL,
++ "(sig-val (rsa (s %b)))",
++ response_n, response);
++ case GCRY_PK_DSA:
++ return gcry_sexp_build (sig, NULL,
++ "(sig-val (dsa (r %b) (s %b)))",
++ response_n / 2, response,
++ response_n / 2, response + response_n / 2);
++ case GCRY_PK_ECC:
++ return gcry_sexp_build (sig, NULL,
++ "(sig-val (eddsa (r %b) (s %b)))",
++ response_n / 2, response,
++ response_n / 2, response + response_n / 2);
++ default:
++ return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
++ }
++}
+ /* END */
+diff --git a/src/util/support.h b/src/util/support.h
+index e25cf01..740ffa0 100644
+--- a/src/util/support.h
++++ b/src/util/support.h
+@@ -71,6 +71,13 @@ void char_vector_free (char **a);
+
+ int my_strlen (const char *s);
+
++int pk_algo (gcry_sexp_t sexp_key);
++
++gpg_error_t challenge_data (gcry_sexp_t *data, int algo,
++ unsigned char *challenge, size_t challenge_n);
++
++gpg_error_t response_signature (gcry_sexp_t *sig, int algo,
++ unsigned char *response, size_t response_n);
+ #endif
+
+ /* END */
+--
+2.20.1
+
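Review bot: response_signature, complete inside this hunk, splits the card's response at `response_n / 2` for the DSA and EdDSA cases without checking that the length is even and non-zero, so an odd-length response silently loses its last byte and an empty one yields empty r/s elements; both then presumably surface from gcry_pk_verify as a generic bad-signature error rather than an input-length error. Add `if (response_n == 0 || (response_n & 1)) return gpg_error (GPG_ERR_INV_LENGTH);` ahead of `switch (algo)` (or inside the two split cases, leaving RSA as is). Separately, challenge_data and response_signature treat every GCRY_PK_ECC key as EdDSA (`(flags eddsa) (hash-algo sha512)` and `(sig-val (eddsa …))`), so an ECDSA card key would be wrapped in an EdDSA S-expression and fail verification; if only Ed25519 is intended, a comment on pk_algo or challenge_data saying so would save the next reader a debugging session. pk_algo frees the gcry_sexp_nth_string result with `xfree`, which is only correct if xfree resolves to gcry_free in this tree — confirm.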
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..305c139b2374
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,78 @@
+# Based on poldi-git maintained by: Olivier Mehani <shtrom-arch@ssji.net>
+# Patch that adds ECC and DSA comes from https://dev.gnupg.org/T4009
+# Maintainer: Adrien Oliva <olivaa@yapbreak.fr>
+
+_gitname=poldi
+pkgname=${_gitname}-ecc-dsa-git
+pkgver=r142.d9a9ff9
+pkgrel=1
+pkgdesc="PAM module for authentication using a smartcard"
+arch=('i686' 'x86_64')
+url="http://git.gnupg.org/cgi-bin/gitweb.cgi?p=poldi.git"
+license=("GPL")
+depends=('libgcrypt' 'libgpg-error' 'libksba' 'pam')
+makedepends=('git' 'autoconf' 'automake')
+optdepends=('logrotate: To avoid giant logfiles')
+options=()
+backup=("etc/poldi/poldi.conf" "etc/pam.d/system-auth-poldi")
+install=poldi.install
+conflicts=("poldi" "poldi-git")
+source=("${_gitname}::git://git.gnupg.org/${_gitname}/"
+ # "poldi-arch.patch"
+ "0001-Update-path-to-scdaemon.patch"
+ "0002-Support-ECC-and-DSA-pub-keys.patch"
+ "poldi.logrotate")
+
+pkgver() {
+ cd "${srcdir}/${_gitname}"
+ printf "r%s.%s" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
+}
+
+prepare() {
+ cd "$srcdir/${_gitname}"
+ # sed -i \
+ # -e 's!\(#define GNUPG_DEFAULT_SCD\).*!\1 "/usr/lib/gnupg/scdaemon"!' \
+ # $srcdir/${_gitname}/config.h.in
+ # Note sure how this file should be generated...
+ sed -i /version.texi/d doc/poldi.texi
+ # patch -p1 < ../poldi-arch.patch
+ patch -p1 < ../0001-Update-path-to-scdaemon.patch
+ patch -p1 < ../0002-Support-ECC-and-DSA-pub-keys.patch
+ ./autogen.sh
+}
+
+build() {
+ cd "$srcdir/${_gitname}"
+
+ ./configure --prefix=/usr --with-pam-module-directory=/usr/lib/security --sysconfdir=/etc
+ make CFLAGS+=-lgpg-error
+}
+
+package() {
+ cd "$srcdir/${_gitname}"
+
+ make DESTDIR="$pkgdir" install
+ make DESTDIR="$pkgdir" install-conf-skeleton
+
+ install -d -m 755 "$pkgdir/usr/share"
+ mv "$pkgdir/etc/poldi" "$pkgdir/usr/share/poldi"
+ rmdir $pkgdir/etc
+ install -D -m 644 "$pkgdir/usr/share/poldi/poldi.conf" "$pkgdir/etc/poldi/poldi.conf"
+
+ install -d -m 755 "$pkgdir/usr/lib/security"
+ cp src/pam/pam_poldi.so "$pkgdir/usr/lib/security/"
+ install -d -m 755 "$pkgdir/usr/bin"
+ cp tests/pam-test "$pkgdir/usr/bin/pam-test-poldi"
+
+ install -d -m 755 "$pkgdir/etc/pam.d"
+ echo -e "auth\tsufficient\tpam_poldi.so" > $pkgdir/etc/pam.d/system-auth-poldi
+
+ install -d -m 755 "$pkgdir/etc/logrotate.d"
+ install -m 755 ${srcdir}/poldi.logrotate $pkgdir/etc/logrotate.d/poldi
+
+ rm "$pkgdir/usr/share/info/dir"
+}
+md5sums=('SKIP'
+ '6ccfe3af0362bca96d1d85aa097b5f1d'
+ 'a91b462fc86511fe7e16bb0168fae48e'
+ '57009cc5211088396d2521fc1997792b')
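Review bot: The patch integrity checks in the `md5sums=` array at the end of the hunk rely on MD5, which is collision-prone; makepkg accepts `sha256sums=` (regenerate with `updpkgsums`), and the .SRCINFO entries would follow. The git source is fetched over unauthenticated `git://` with a `SKIP` checksum and no `#commit=`/`#tag=` pin, so the PAM module is built from whatever HEAD that transport delivers — use an https URL if upstream offers one, and consider pinning. In package(), `rmdir $pkgdir/etc`, the `> $pkgdir/etc/pam.d/system-auth-poldi` redirect and the `${srcdir}/poldi.logrotate $pkgdir/etc/logrotate.d/poldi` arguments leave `$pkgdir`/`$srcdir` unquoted while the rest of the function quotes them. The logrotate snippet is installed with `-m 755`; a config file needs no execute bit, and `install -m 644` matches the poldi.conf install above it. The commented-out `poldi-arch.patch` lines in source= and prepare() can go now that the file is not applied.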
diff --git a/poldi-arch.patch b/poldi-arch.patch
new file mode 100644
index 000000000000..149401f47936
--- /dev/null
+++ b/poldi-arch.patch
@@ -0,0 +1,26 @@
+diff -ur poldi-0.4-orig/src/util/support.c poldi-0.4/src/util/support.c
+--- poldi-0.4-orig/src/util/support.c 2008-11-10 11:10:19.000000000 +0000
++++ poldi-0.4/src/util/support.c 2008-11-10 11:10:38.000000000 +0000
+@@ -20,6 +20,7 @@
+
+ #include "util-local.h"
+
++#include <limits.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <assert.h>
+--- poldi-0.4.1-orig/conf/poldi.conf.skel 2013-11-21 12:06:29.740052210 +1100
++++ poldi-0.4.1/conf/poldi.conf.skel 2013-11-21 12:05:35.573383899 +1100
+@@ -5,10 +5,10 @@
+ auth-method localdb
+
+ # Specify the log file:
+-log-file /home/moritz/logs/poldi.txt
++log-file /var/log/poldi.log
+
+ # Enable debugging messages
+ debug
+
+ # Specify SCDaemon executable
+-scdaemon-program /usr/bin/scdaemon
++scdaemon-program /usr/lib/gnupg/scdaemon
diff --git a/poldi.install b/poldi.install
new file mode 100644
index 000000000000..27a60c0e469b
--- /dev/null
+++ b/poldi.install
@@ -0,0 +1,54 @@
+## arg 1: the new package version
+pre_install() {
+ # do nothing here
+ /bin/true
+}
+
+infodir=/usr/share/info
+
+
+## arg 1: the new package version
+post_install() {
+ for file in ${filelist[@]}; do
+ install-info $infodir/$file $infodir/dir 2> /dev/null
+ done
+
+ echo
+ echo "*** Poldi is now installed."
+ echo
+ echo "A PAM configuration file has been installed as '/etc/pam.d/system-auth-poldi'."
+ echo -e "To enable its use, you need to put 'auth include system-auth-poldi'\nin the relevant files (/etc/pam.d/system-auth is a good starting point)."
+ echo
+ echo "You can test the installation with 'pam-test-poldi SERVICE'."
+ echo
+}
+
+## arg 1: the new package version
+## arg 2: the old package version
+pre_upgrade() {
+ # do nothing here
+ /bin/true
+}
+
+## arg 1: the new package version
+## arg 2: the old package version
+post_upgrade() {
+ for file in ${filelist[@]}; do
+ install-info $infodir/$file $infodir/dir 2> /dev/null
+ done
+}
+
+## arg 1: the old package version
+pre_remove() {
+ for file in ${filelist[@]}; do
+ install-info --delete $infodir/$file $infodir/dir 2> /dev/null
+ done
+}
+
+## arg 1: the old package version
+post_remove() {
+ # do nothing here
+ /bin/true
+}
+
+# vim:set ts=2 sw=2 et:
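Review bot: Every install-info loop in the hunk iterates `${filelist[@]}`, but `filelist` is never assigned anywhere in this file (only `infodir=` is), so post_install, post_upgrade and pre_remove do nothing and the info page is never registered or deregistered; the `2> /dev/null` on each call hides that. Define the array next to infodir, presumably `filelist=(poldi.info)` — confirm the name the build actually installs under /usr/share/info, since the PKGBUILD only removes `usr/share/info/dir` from that directory. pre_install, pre_upgrade and post_remove are `/bin/true` placeholders and can simply be dropped; pacman does not require them to exist.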
diff --git a/poldi.logrotate b/poldi.logrotate
new file mode 100644
index 000000000000..9240a79a20c5
--- /dev/null
+++ b/poldi.logrotate
@@ -0,0 +1,9 @@
+/var/log/poldi.log {
+ weekly
+ rotate 4
+ missingok
+ notifempty
+ compress
+ copytruncate
+}
+
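Review bot: The rule rotates `/var/log/poldi.log`, but the only patch PKGBUILD still applies to the config skeleton (0001-Update-path-to-scdaemon.patch) leaves the log path untouched, and its hunk context shows upstream's line as `log-file /var/log/poldi`; the `.log` path comes from poldi-arch.patch, which is no longer applied. If that reading is right, the pattern never matches, `missingok` hides it, and the log grows without bound despite the logrotate optdepends — either list both paths (`/var/log/poldi /var/log/poldi.log {`) or restore the log-file part of poldi-arch.patch in prepare(). A PAM authentication log can carry usernames and card identifiers, and logrotate's `copytruncate` copies presumably keep the original file's mode, so the mode poldi creates the log with decides who can read old entries — worth checking.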