opensc-0.24.0-1

2023-12-14 10:47:42 +01:00 · 2023-12-14 10:47:42 +01:00 · 11e1462e9e
commit 11e1462e9e
parent 8e7b497263
6 changed files with 13 additions and 277 deletions
--- a/.gitignore
+++ b/.gitignore
@ -10,3 +10,4 @@
 /opensc-0.21.0.tar.gz
 /opensc-0.22.0.tar.gz
 /opensc-0.23.0.tar.gz
+/opensc-0.24.0.tar.gz
--- a/opensc-0.19.0-pinpad.patch
+++ b/opensc-0.19.0-pinpad.patch
@ -1,10 +1,9 @@
-diff -up opensc-0.19.0/etc/opensc.conf.pinpad opensc-0.19.0/etc/opensc.conf
--- opensc-0.19.0/etc/opensc.conf.pinpad	2018-10-22 14:31:12.082963540 +0200
-+++ opensc-0.19.0/etc/opensc.conf	2018-10-22 14:33:59.939410701 +0200
-@@ -4,4 +4,9 @@ app default {
- 	framework pkcs15 {
- 		# use_file_caching = public;
- 	}
+--- opensc-0.24.0/etc/opensc.conf	2023-12-13 10:44:39.000000000 +0100
+++ opensc-0.24.0/etc/opensc.conf.pinpad	2023-12-14 13:31:40.723607168 +0100
+@@ -1,4 +1,9 @@
+ app default {
+ 	# debug = 3;
+ 	# debug_file = opensc-debug.txt;
 +	reader_driver pcsc {
 +		# The pinpad is disabled by default,
 +		# because of many broken readers out there
--- a/opensc-0.23.0-cardos-buffer-overrun.patch
+++ b/opensc-0.23.0-cardos-buffer-overrun.patch
@ -1,49 +0,0 @@
-From 3bf3ab2f9091f984cda6dd910654ccbbe3f06a40 Mon Sep 17 00:00:00 2001
-From: fullwaywang <fullwaywang@tencent.com>
-Date: Mon, 29 May 2023 10:38:48 +0800
-Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer
- overrun bug. Fixes #2785
-
---
- src/pkcs15init/pkcs15-cardos.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
-index 9715cf390f..f41f73c349 100644
--- a/src/pkcs15init/pkcs15-cardos.c
-+++ b/src/pkcs15init/pkcs15-cardos.c
-@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
- 	sc_apdu_t apdu;
-         u8        rbuf[SC_MAX_APDU_BUFFER_SIZE];
-         int       r;
-	const u8  *p = rbuf, *q;
-+	const u8  *p = rbuf, *q, *pp;
- 	size_t    len, tlen = 0, ilen = 0;
- 
- 	sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
-@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
- 		return 0;
- 
- 	while (len != 0) {
-		p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
-		if (p == NULL)
-+		pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
-+		if (pp == NULL)
- 			return 0;
- 		if (card->type == SC_CARD_TYPE_CARDOS_M4_3)	{
- 			/* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01	*/
- 			/* and Package Number 0x07					*/
-			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
-+			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
- 			if (q == NULL || ilen != 4)
- 				return 0;
- 			if (q[0] == 0x07)
-@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
- 		} else if (card->type == SC_CARD_TYPE_CARDOS_M4_4)	{
- 			/* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03	*/
- 			/* and Package Number 0x02					*/
-			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen);
-+			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen);
- 			if (q == NULL || ilen != 4)
- 				return 0;
- 			if (q[0] == 0x02)
--- a/opensc-0.23.0-pkcs11-tool-import.patch
+++ b/opensc-0.23.0-pkcs11-tool-import.patch
@ -1,212 +0,0 @@
-From 99f7b82f187ca3512ceae6270c391243d018fdac Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Thu, 1 Dec 2022 20:08:53 +0100
-Subject: [PATCH 1/4] pkcs11-tool: Fix private key import
-
---
- src/tools/pkcs11-tool.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
-index aae205fe2c..cfee8526d5 100644
--- a/src/tools/pkcs11-tool.c
-+++ b/src/tools/pkcs11-tool.c
-@@ -3669,13 +3669,13 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
- 		RSA_get0_factors(r, &r_p, &r_q);
- 		RSA_get0_crt_params(r, &r_dmp1, &r_dmq1, &r_iqmp);
- #else
-		if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_d) != 1 ||
-+		if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, &r_d) != 1 ||
- 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_p) != 1 ||
- 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||
- 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||
- 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||
-			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT3, &r_iqmp) != 1) {
- 			util_fatal("OpenSSL error during RSA private key parsing");
-+			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {
- 		}
- #endif
- 		RSA_GET_BN(rsa, private_exponent, r_d);
-
-From 4a6e1d1dcd18757502027b1c5d2fb2cbaca28407 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Thu, 1 Dec 2022 20:11:41 +0100
-Subject: [PATCH 2/4] pkcs11-tool: Log more information on OpenSSL errors
-
---
- src/tools/pkcs11-tool.c | 15 ++++++---------
- 1 file changed, 6 insertions(+), 9 deletions(-)
-
-diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
-index cfee8526d5..f2e6b1dd91 100644
--- a/src/tools/pkcs11-tool.c
-+++ b/src/tools/pkcs11-tool.c
-@@ -3641,10 +3641,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
- 	const BIGNUM *r_dmp1, *r_dmq1, *r_iqmp;
- 	r = EVP_PKEY_get1_RSA(pkey);
- 	if (!r) {
-		if (private)
-			util_fatal("OpenSSL error during RSA private key parsing");
-		else
-			util_fatal("OpenSSL error during RSA public key parsing");
-+		util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public",
-+			ERR_error_string(ERR_peek_last_error(), NULL));
- 	}
- 
- 	RSA_get0_key(r, &r_n, &r_e, NULL);
-@@ -3654,10 +3652,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
- 	BIGNUM *r_dmp1 = NULL, *r_dmq1 = NULL, *r_iqmp = NULL;
- 	if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &r_n) != 1 ||
- 		EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &r_e) != 1) {
-		if (private)
-			util_fatal("OpenSSL error during RSA private key parsing");
-		else
-			util_fatal("OpenSSL error during RSA public key parsing");
-+		util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public",
-+			ERR_error_string(ERR_peek_last_error(), NULL));
- 	 }
- #endif
- 	RSA_GET_BN(rsa, modulus, r_n);
-@@ -3674,8 +3670,9 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
- 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||
- 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||
- 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||
-			util_fatal("OpenSSL error during RSA private key parsing");
- 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {
-+			util_fatal("OpenSSL error during RSA private key parsing: %s",
-+				ERR_error_string(ERR_peek_last_error(), NULL));
- 		}
- #endif
- 		RSA_GET_BN(rsa, private_exponent, r_d);
-
-From 267da3e81f1fc23a9ccce1462ab5deb1a4d4aec5 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Thu, 1 Dec 2022 20:38:31 +0100
-Subject: [PATCH 3/4] Reproducer for broken pkcs11-tool key import
-
---
- tests/Makefile.am                | 10 ++++---
- tests/test-pkcs11-tool-import.sh | 48 ++++++++++++++++++++++++++++++++
- 2 files changed, 54 insertions(+), 4 deletions(-)
- create mode 100755 tests/test-pkcs11-tool-import.sh
-
-diff --git a/tests/Makefile.am b/tests/Makefile.am
-index d378e2ee00..9d8a24c321 100644
--- a/tests/Makefile.am
-+++ b/tests/Makefile.am
-@@ -14,8 +14,9 @@ dist_noinst_SCRIPTS = common.sh \
-                       test-pkcs11-tool-test-threads.sh \
-                       test-pkcs11-tool-sign-verify.sh \
-                       test-pkcs11-tool-allowed-mechanisms.sh \
-                      test-pkcs11-tool-sym-crypt-test.sh\
-                      test-pkcs11-tool-unwrap-wrap-test.sh
-+                      test-pkcs11-tool-sym-crypt-test.sh \
-+                      test-pkcs11-tool-unwrap-wrap-test.sh \
-+                      test-pkcs11-tool-import.sh
- 
- .NOTPARALLEL:
- TESTS = \
-@@ -25,8 +26,9 @@ TESTS = \
-         test-pkcs11-tool-test.sh \
-         test-pkcs11-tool-test-threads.sh \
-         test-pkcs11-tool-allowed-mechanisms.sh \
-        test-pkcs11-tool-sym-crypt-test.sh\
-        test-pkcs11-tool-unwrap-wrap-test.sh
-+        test-pkcs11-tool-sym-crypt-test.sh \
-+        test-pkcs11-tool-unwrap-wrap-test.sh \
-+        test-pkcs11-tool-import.sh
- XFAIL_TESTS = \
-         test-pkcs11-tool-test-threads.sh \
-         test-pkcs11-tool-test.sh
-diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh
-new file mode 100755
-index 0000000000..76ff8e51be
--- /dev/null
-+++ b/tests/test-pkcs11-tool-import.sh
-@@ -0,0 +1,48 @@
-+#!/bin/bash
-+SOURCE_PATH=${SOURCE_PATH:-..}
-+
-+source $SOURCE_PATH/tests/common.sh
-+
-+echo "======================================================="
-+echo "Setup SoftHSM"
-+echo "======================================================="
-+if [[ ! -f $P11LIB ]]; then
-+    echo "WARNING: The SoftHSM is not installed. Can not run this test"
-+    exit 77;
-+fi
-+card_setup
-+
-+ID="0100"
-+OPTS=""
-+for KEYTYPE in "RSA" "EC"; do
-+    echo "======================================================="
-+    echo "Generate and import $KEYTYPE keys"
-+    echo "======================================================="
-+    if [ "$KEYTYPE" == "RSA" ]; then
-+        ID="0100"
-+    elif [ "$KEYTYPE" == "EC" ]; then
-+        ID="0200"
-+        OPTS="-pkeyopt ec_paramgen_curve:P-521"
-+    fi
-+    openssl genpkey -out "${KEYTYPE}_private.der" -outform DER -algorithm $KEYTYPE $OPTS
-+    assert $? "Failed to generate private $KEYTYPE key"
-+    $PKCS11_TOOL --write-object "${KEYTYPE}_private.der" --id "$ID" --type privkey \
-+        --label "$KEYTYPE" -p "$PIN" --module "$P11LIB"
-+    assert $? "Failed to write private $KEYTYPE key"
-+
-+    openssl pkey -in "${KEYTYPE}_private.der" -out "${KEYTYPE}_public.der" -pubout -inform DER -outform DER
-+    assert $? "Failed to convert private $KEYTYPE key to public"
-+    $PKCS11_TOOL --write-object "${KEYTYPE}_public.der" --id "$ID" --type pubkey --label "$KEYTYPE" \
-+        -p $PIN --module $P11LIB
-+    assert $? "Failed to write public $KEYTYPE key"
-+    # certificate import already tested in all other tests
-+
-+    rm "${KEYTYPE}_private.der" "${KEYTYPE}_public.der"
-+done
-+
-+echo "======================================================="
-+echo "Cleanup"
-+echo "======================================================="
-+card_cleanup
-+
-+exit $ERRORS
-
-From 63a7bceeca43ece1eee201ef7a974b20b294ba4e Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jakuje@gmail.com>
-Date: Fri, 2 Dec 2022 18:07:43 +0100
-Subject: [PATCH 4/4] Simplify the new test
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Co-authored-by: Veronika Hanulíková <61348757+xhanulik@users.noreply.github.com>
---
- tests/test-pkcs11-tool-import.sh | 8 +++-----
- 1 file changed, 3 insertions(+), 5 deletions(-)
-
-diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh
-index 76ff8e51be..c90b3b4926 100755
--- a/tests/test-pkcs11-tool-import.sh
-+++ b/tests/test-pkcs11-tool-import.sh
-@@ -12,15 +12,13 @@ if [[ ! -f $P11LIB ]]; then
- fi
- card_setup
- 
-ID="0100"
-OPTS=""
- for KEYTYPE in "RSA" "EC"; do
-     echo "======================================================="
-     echo "Generate and import $KEYTYPE keys"
-     echo "======================================================="
-    if [ "$KEYTYPE" == "RSA" ]; then
-        ID="0100"
-    elif [ "$KEYTYPE" == "EC" ]; then
-+    ID="0100"
-+    OPTS=""
-+    if [ "$KEYTYPE" == "EC" ]; then
-         ID="0200"
-         OPTS="-pkeyopt ec_paramgen_curve:P-521"
-     fi
-
--- a/opensc.spec
+++ b/opensc.spec
@ -1,6 +1,6 @@
 Name:           opensc
-Version:        0.23.0
-Release:        5%{?dist}
+Version:        0.24.0
+Release:        1%{?dist}
 Summary:        Smart card library and applications

 License:        LGPL-2.1-or-later AND BSD 3-Clause
@ -10,10 +10,6 @@ Source1:        opensc.module
 Patch1:         opensc-0.19.0-pinpad.patch
 # File caching by default (#2000626)
 Patch8:         %{name}-0.22.0-file-cache.patch
-# https://github.com/OpenSC/OpenSC/pull/2656
-Patch9:         %{name}-0.23.0-pkcs11-tool-import.patch
-# https://github.com/OpenSC/OpenSC/pull/2787
-Patch10:        %{name}-0.23.0-cardos-buffer-overrun.patch

 BuildRequires:  make
 BuildRequires:  pcsc-lite-devel
@ -53,8 +49,6 @@ every software/card that does so, too.
 %setup -q
 %patch1 -p1 -b .pinpad
 %patch8 -p1 -b .file-cache
-%patch9 -p1 -b .pkcs11-tool-import
-%patch10 -p1 -b .cardos-buffer-overrun

 # The test-pkcs11-tool-allowed-mechanisms already works in Fedora
 sed -i -e '/XFAIL_TESTS/,$ {
@ -203,6 +197,9 @@ rm %{buildroot}%{_mandir}/man1/opensc-notify.1*


 %changelog
+* Thu Dec 14 2023 Veronika Hanulikova <vhanulik@redhat.com> - 0.24.0-1
+- New upstream release (#2240701)
+
 * Tue Aug 08 2023 Veronika Hanulikova <vhanulik@redhat.com> - 0.23.0-5
 - Fix buffer overrun vulnerability (#2211088), fixes CVE-2023-2977

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (opensc-0.23.0.tar.gz) = cd102cd64e719c59153960a4921b7525055045f16e6f6ffa8c9def6ce999a9c5098267b41f8753b41107f626bea20c34561002f5d38eddb4ce6b371913a17a1b
+SHA512 (opensc-0.24.0.tar.gz) = 0fd2ea858874ae0b85c8fe8c4b920988693a47ca95b26449a1e95f86e17b76000f236c1f75d63ee133306e01a965155da5e14c1b8a59053b85026ecb58fb97bb