File 0001-verify-using-a-nonce-from-the-system-not-the-card.patch of Package pam_pkcs11.37564

From cc51b3e2720ea862d500cab2ea517518ff39a497 Mon Sep 17 00:00:00 2001
From: Frank Morgner <frankmorgner@gmail.com>
Date: Fri, 25 May 2018 23:46:41 +0200
Subject: [PATCH 1/3] verify using a nonce from the system, not the card

Thanks to Eric Sesterhenn from X41 D-SEC GmbH
for reporting the problem.
---
 src/common/pkcs11_lib.c | 66 +++++++++++++++++------------------------
 1 file changed, 28 insertions(+), 38 deletions(-)

diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c
index 46a93bd..d4433f2 100644
--- a/src/common/pkcs11_lib.c
+++ b/src/common/pkcs11_lib.c
@@ -131,6 +131,34 @@ memcmp_pad_max(void *d1, size_t d1_len, void *d2, size_t d2_len,
 	return (0);
 }
 
+int get_random_value(unsigned char *data, int length)
+{
+  static const char *random_device = "/dev/urandom";
+  int rv, fh, l;
+
+  DBG2("reading %d random bytes from %s", length, random_device);
+  fh = open(random_device, O_RDONLY);
+  if (fh == -1) {
+    set_error("open() failed: %s", strerror(errno));
+    return -1;
+  }
+
+  l = 0;
+  while (l < length) {
+    rv = read(fh, data + l, length - l);
+    if (rv <= 0) {
+      close(fh);
+      set_error("read() failed: %s", strerror(errno));
+      return -1;
+    }
+    l += rv;
+  }
+  close(fh);
+  DBG5("random-value[%d] = [%02x:%02x:%02x:...:%02x]", length, data[0],
+      data[1], data[2], data[length - 1]);
+  return 0;
+}
+
 
 #ifdef HAVE_NSS
 /*
@@ -834,16 +862,6 @@ int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data,
   return 0;
 }
 
-int get_random_value(unsigned char *data, int length)
-{
-  SECStatus rv = PK11_GenerateRandom(data,length);
-  if (rv != SECSuccess) {
-    DBG1("couldn't generate random number: %s", SECU_Strerror(PR_GetError()));
-  }
-  return (rv == SECSuccess) ? 0 : -1;
-}
-
-
 struct tuple_str {
     PRErrorCode	 errNum;
     const char * errString;
@@ -1778,32 +1796,4 @@ int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data,
       (*signature)[0], (*signature)[1], (*signature)[2], (*signature)[*signature_length - 1]);
   return 0;
 }
-
-int get_random_value(unsigned char *data, int length)
-{
-  static const char *random_device = "/dev/urandom";
-  int rv, fh, l;
-
-  DBG2("reading %d random bytes from %s", length, random_device);
-  fh = open(random_device, O_RDONLY);
-  if (fh == -1) {
-    set_error("open() failed: %s", strerror(errno));
-    return -1;
-  }
-
-  l = 0;
-  while (l < length) {
-    rv = read(fh, data + l, length - l);
-    if (rv <= 0) {
-      close(fh);
-      set_error("read() failed: %s", strerror(errno));
-      return -1;
-    }
-    l += rv;
-  }
-  close(fh);
-  DBG5("random-value[%d] = [%02x:%02x:%02x:...:%02x]", length, data[0],
-      data[1], data[2], data[length - 1]);
-  return 0;
-}
 #endif /* HAVE_NSS */
-- 
2.18.0