make pkcs11_module option "slot_description" a substring match #46

AngusMcGyver (Contributor) opened this issue Aug 7, 2020 · 0 comments
Hi there

Problem description
A while ago I discovered that the slot_description in the pkcs11_module is not working as intended, because the string it is compared to also has the slot ID inside.

Furthermore we use Yubikey as smartcard in our company for authentication. Over the years we got different versions. Some users have Yubikey NEO, some Yubikey 4 and now there are Yubikey 5 as well. On top of that there are users with smartcards from our customers to authenticate on external systems.

So it would be very nice to have a substring match instead of a full match for the slot_description field in the config file.

Test setup
System: Ubuntu 20.04
opensc version 0.20.0-3 amd64
libpam-pkcs11 version 0.6.11-2 amd64

inserted smartcards on the system:

  • Slot 0: Yubikey NEO OTP+CCID
  • Slot 1: Yubikey NEO OTP+U2F+CCID
  • Slot 2: Yubikey 4 OTP+CCID
  • Slot 3: Gemalto PC Twin Reader with customer smartcard
# opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Yubico Yubikey NEO OTP+U2F+CCID 00 00
1    Yes             Yubico Yubikey NEO OTP+CCID 01 00
2    Yes             Yubico Yubikey 4 OTP+CCID 02 00
3    Yes             Gemalto PC Twin Reader (922FBFB3) 03 00

relevant part of pam_pkcs11 config:

# cat /etc/pam_pkcs11/pam_pkcs11.conf
pam_pkcs11 {
  ...
  use_pkcs11_module = yubikey;
  pkcs11_module yubikey {
    module = /usr/lib/opensc-pkcs11.so;
    description = "OpenSC PKCS#11 module";
    slot_description = "Yubico Yubikey NEO OTP+CCID";
    #slot_num = 1;
    ca_dir = /etc/pam_pkcs11/cacerts;
    crl_dir = /etc/pam_pkcs11/crls;
    support_threads = false;
    cert_policy = ca,signature;
    #crl check disabled as workaround cause of segmentation fault, see https://github.com/OpenSC/pam_pkcs11/issues/42
    #cert_policy = ca,signature,crl_auto;
    token_type = "YubiKey";
  }
...

Steps to reproduce

# /usr/bin/pklogin_finder debug
DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pklogin_finder.c:71: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:1000: PKCS #11 module = [/usr/lib/opensc-pkcs11.so]
DEBUG:pkcs11_lib.c:1016: module permissions: uid = 0, gid = 0, mode = 644
DEBUG:pkcs11_lib.c:1026: loading module /usr/lib/opensc-pkcs11.so
DEBUG:pkcs11_lib.c:1034: getting function list
DEBUG:pklogin_finder.c:79: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1180: module information:
DEBUG:pkcs11_lib.c:1181: - version: 2.20
DEBUG:pkcs11_lib.c:1182: - manufacturer: OpenSC Project                  
DEBUG:pkcs11_lib.c:1183: - flags: 0000
DEBUG:pkcs11_lib.c:1184: - library description: OpenSC smartcard framework      
DEBUG:pkcs11_lib.c:1185: - library version: 0.20
DEBUG:pkcs11_lib.c:1077: number of slots (a): 5
DEBUG:pkcs11_lib.c:1100: number of slots (b): 5
DEBUG:pkcs11_lib.c:1112: slot 1:
DEBUG:pkcs11_lib.c:1122: - description: Yubico Yubikey NEO OTP+U2F+CCID 00 00                           
DEBUG:pkcs11_lib.c:1123: - manufacturer: Yubico                          
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132:   - label: test.user1                   
DEBUG:pkcs11_lib.c:1133:   - manufacturer: piv_II                          
DEBUG:pkcs11_lib.c:1134:   - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135:   - serial: fa199c6821e35273
DEBUG:pkcs11_lib.c:1136:   - flags: 040d
DEBUG:pkcs11_lib.c:1112: slot 2:
DEBUG:pkcs11_lib.c:1122: - description: Yubico Yubikey NEO OTP+CCID 01 00                               
DEBUG:pkcs11_lib.c:1123: - manufacturer: Yubico                          
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132:   - label: test.user3                       
DEBUG:pkcs11_lib.c:1133:   - manufacturer: piv_II                          
DEBUG:pkcs11_lib.c:1134:   - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135:   - serial: 5f11379df7ff0e16
DEBUG:pkcs11_lib.c:1136:   - flags: 2040d
DEBUG:pkcs11_lib.c:1112: slot 3:
DEBUG:pkcs11_lib.c:1122: - description: Yubico Yubikey 4 OTP+CCID 02 00                                 
DEBUG:pkcs11_lib.c:1123: - manufacturer: Yubico                          
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132:   - label: test.user2                          
DEBUG:pkcs11_lib.c:1133:   - manufacturer: piv_II                          
DEBUG:pkcs11_lib.c:1134:   - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135:   - serial: c0fdcb8f44270042
DEBUG:pkcs11_lib.c:1136:   - flags: 040d
DEBUG:pkcs11_lib.c:1112: slot 4:
DEBUG:pkcs11_lib.c:1122: - description: Gemalto PC Twin Reader (922FBFB3) 03 00                         
DEBUG:pkcs11_lib.c:1123: - manufacturer: Gemalto                         
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132:   - label: PKI Card (Card PIN)
DEBUG:pkcs11_lib.c:1133:   - manufacturer: <CUSTOMER>                   
DEBUG:pkcs11_lib.c:1134:   - model: PKCS#15         
DEBUG:pkcs11_lib.c:1135:   - serial: 105003013405    
DEBUG:pkcs11_lib.c:1136:   - flags: 040c
DEBUG:pkcs11_lib.c:1112: slot 5:
DEBUG:pkcs11_lib.c:1122: - description: Gemalto PC Twin Reader (922FBFB3) 03 00                         
DEBUG:pkcs11_lib.c:1123: - manufacturer: Gemalto                         
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132:   - label: PKI Card (Card PUK)
DEBUG:pkcs11_lib.c:1133:   - manufacturer: <CUSTOMER>                   
DEBUG:pkcs11_lib.c:1134:   - model: PKCS#15         
DEBUG:pkcs11_lib.c:1135:   - serial: 105003013405    
DEBUG:pkcs11_lib.c:1136:   - flags: 040c
DEBUG:pklogin_finder.c:95: no token available

Expected result
Find the smartcard in slot 2 with test.user3, as its key description is equal to the slot_description in pam_pkcs11.conf (Yubico Yubikey NEO OTP+CCID).

Actual result
As you can see in the debug output, it adds "01 00" at the end of the description, which represents the slot ID:
DEBUG:pkcs11_lib.c:1122: - description: Yubico Yubikey NEO OTP+CCID 01 00
and this results in
DEBUG:pklogin_finder.c:95: no token available

If I write `slot_description = "Yubico Yubikey NEO OTP+CCID 01 00";` into pam_pkcs11.conf then it will work, but only if the key is in slot 1. I guess this is not the idea behind the slot_description option; this way it is a stricter version of the alternative slot_num option.

Expected behavior after this request is implemented
Changing this to a substring match would also solve the problem with the different Yubikey versions we have. So I can simply write `slot_description = "Yubico Yubikey ";` into pam_pkcs11.conf and every user can log in with his Yubikey on every system.

I would like to see the following matches/mismatches:

Examples of matches:
description from debug: "Yubico Yubikey NEO OTP+U2F+CCID 00 00"
description in config : "Yubico Yubikey NEO OTP+U2F+CCID"

description from debug: "Yubico Yubikey NEO OTP+CCID 01 00"
description in config : "Yubico Yubikey"

description from debug: "Yubico Yubikey 4 OTP+CCID 02 00"
description in config : "Yubico Yubikey"


Examples of mismatches:
description from debug: "Yubico Yubikey NEO OTP+U2F+CCID 00 00"
description in config : "Yubico Yubikey NEO OTP+CCID"

description from debug: "Gemalto PC Twin Reader (922FBFB3) 03 00"
description in config : "Yubico Yubikey"

Very ugly workaround I'm using at the moment
Change the description of all Yubikeys in /etc/libccid_Info.plist on every workstation we have to
<string>Yubico Yubikey description with more then 64 characters to workaround the pkcs11 string matching problem</string>
and enter the following slot description into pam_pkcs11.conf:
slot_description = "Yubico Yubikey description with more then 64 characters as wo..."
then it will match, because pklogin_finder will cut it off at 64 chars:

DEBUG:pkcs11_lib.c:1122: - description: Yubico Yubikey description with more then 64 characters as wo...
DEBUG:pkcs11_lib.c:1123: - manufacturer: Yubico                          
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132:   - label: test.user3                       
DEBUG:pkcs11_lib.c:1133:   - manufacturer: piv_II                          
DEBUG:pkcs11_lib.c:1134:   - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135:   - serial: 5f11379df7ff0e16
DEBUG:pkcs11_lib.c:1136:   - flags: 2040d
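As an added example, not code from this issue or from pam_pkcs11 itself, the following C program implements the comparison the request asks for, written against the shape of the PKCS#11 CK_SLOT_INFO.slotDescription field: 64 bytes, blank-padded and not NUL-terminated, which is why the debug lines above carry trailing spaces and why the workaround relies on a 64-character cut-off. The function names, the `substring` flag and the fixture builder are assumptions for illustration; the description strings are the ones pklogin_finder printed in this issue.

```c
#include <stdio.h>
#include <string.h>

/* CK_SLOT_INFO.slotDescription is 64 bytes, padded with spaces and not
   NUL-terminated; the module fills it from the reader name (libccid). */
#define SLOT_DESC_LEN 64

/* Copy a blank-padded PKCS#11 field into a NUL-terminated buffer, dropping
   the trailing spaces. 'out' must hold at least SLOT_DESC_LEN + 1 bytes. */
void pkcs11_field_to_cstr(const unsigned char *field, size_t len, char *out)
{
    size_t n = len;
    while (n > 0 && field[n - 1] == ' ')
        n--;
    memcpy(out, field, n);
    out[n] = '\0';
}

/* Compare the configured slot_description with a slot's description.
   Returns 1 on a match, 0 otherwise.
   substring = 0 : whole-string match, the behaviour reported in the issue
                   (fails because the module appends "NN 00" to the name)
   substring = 1 : substring match, the behaviour requested in the issue */
int slot_description_matches(const unsigned char *slot_desc,
                             const char *configured, int substring)
{
    char buf[SLOT_DESC_LEN + 1];

    /* An empty pattern must never match every slot. */
    if (configured == NULL || *configured == '\0')
        return 0;

    pkcs11_field_to_cstr(slot_desc, SLOT_DESC_LEN, buf);
    if (substring)
        return strstr(buf, configured) != NULL;
    return strcmp(buf, configured) == 0;
}

/* Constructed test fixture (hypothetical helper): build a blank-padded
   64-byte field the way a PKCS#11 module would present it. Anything past
   64 bytes is dropped, since the field cannot hold more. */
void make_slot_desc(const char *text, unsigned char *out)
{
    size_t n = strlen(text);
    if (n > SLOT_DESC_LEN)
        n = SLOT_DESC_LEN;
    memset(out, ' ', SLOT_DESC_LEN);
    memcpy(out, text, n);
}

/* Convenience wrapper: match a plain C string as if it came from a slot. */
int check_match(const char *slot_text, const char *configured, int substring)
{
    unsigned char desc[SLOT_DESC_LEN];
    make_slot_desc(slot_text, desc);
    return slot_description_matches(desc, configured, substring);
}

int main(void)
{
    /* Descriptions exactly as pklogin_finder printed them in the issue. */
    const char *slots[] = {
        "Yubico Yubikey NEO OTP+U2F+CCID 00 00",
        "Yubico Yubikey NEO OTP+CCID 01 00",
        "Yubico Yubikey 4 OTP+CCID 02 00",
        "Gemalto PC Twin Reader (922FBFB3) 03 00",
    };
    const char *configured = "Yubico Yubikey";

    for (size_t i = 0; i < sizeof slots / sizeof slots[0]; i++)
        printf("%-42s exact=%d substring=%d\n", slots[i],
               check_match(slots[i], configured, 0),
               check_match(slots[i], configured, 1));
    return 0;
}
```

Two things a practitioner should keep in mind with this change. A short pattern such as "Yubico Yubikey" matches several slots at once on the test system above, so whichever slot is examined first wins; that is fine for the use case in the issue but worth knowing when two Yubikeys are plugged in. And the description is the reader name as reported by the CCID driver, which the workaround shows is editable in /etc/libccid_Info.plist: it selects a slot, it does not establish trust in the token, so cert_policy (ca, signature, and ideally CRL checking) remains the control that actually authenticates the card.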
AngusMcGyver added a commit to AngusMcGyver/pam_pkcs11 that referenced this issue Aug 7, 2020
bowb pushed a commit to bowb/pam_pkcs11 that referenced this issue Mar 6, 2023