.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1 +1,2 @@
 SOURCES/opensc-0.20.0.tar.gz
+/opensc-0.20.0.tar.gz

.opensc.metadata

@@ -1 +0,0 @@
-86bf24a556837fa94d8f9b5aa4be3c9e55d4d94d SOURCES/opensc-0.20.0.tar.gz

ci.fmf

@@ -0,0 +1 @@
+resultsdb-testcase: separate

gating.yaml

@@ -0,0 +1,10 @@
+# recipients: cs-qe, spoore, jjelen
+--- !Policy
+product_versions:
+  - rhel-8
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-disabled.functional}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-enabled.functional}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-disabled.functional}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-enabled.functional}

opensc-0.23.0-mlock.patch

@@ -0,0 +1,186 @@
+From 968dc08ee846b483b061fb516bf2d06e99d459a9 Mon Sep 17 00:00:00 2001
+From: Davis Gallinghouse <davis@aramid.us>
+Date: Thu, 21 Nov 2024 10:24:18 -0600
+Subject: [PATCH 1/3] Allocate whole page(s) for each sc_mem_secure_alloc
+
+sc_mem_secure_alloc uses calloc to allocate memory, but then uses
+mlock to try to lock the allocated memory. calloc may not necessarily
+return a page-aligned pointer, even if we request a whole page of
+memory.
+
+Instead of relying on the libc allocator behavior, we directly call
+mmap (VirtualAlloc on Windows) to ensure we get whole page(s) to
+ourselves for sc_mem_secure_alloc.
+
+Fixes #3267
+---
+ src/libopensc/sc.c | 42 ++++++++++++------------------------------
+ 1 file changed, 12 insertions(+), 30 deletions(-)
+
+diff --git a/src/libopensc/sc.c b/src/libopensc/sc.c
+index cf3d86a022..c6c51fe1b9 100644
+--- a/src/libopensc/sc.c
++++ b/src/libopensc/sc.c
+@@ -54,7 +54,6 @@ static const char *sc_version = "(undef)";
+ #define PAGESIZE 0
+ #endif
+ #endif
+-static size_t page_size = PAGESIZE;
+ 
+ const char *sc_get_version(void)
+ {
+@@ -897,40 +896,22 @@ int _sc_parse_atr(sc_reader_t *reader)
+ 	return SC_SUCCESS;
+ }
+ 
+-static void init_page_size()
+-{
+-	if (page_size == 0) {
+-#ifdef _WIN32
+-		SYSTEM_INFO system_info;
+-		GetSystemInfo(&system_info);
+-		page_size = system_info.dwPageSize;
+-#else
+-		page_size = sysconf(_SC_PAGESIZE);
+-		if ((long) page_size < 0) {
+-			page_size = 0;
+-		}
+-#endif
+-	}
+-}
+-
+ void *sc_mem_secure_alloc(size_t len)
+ {
+ 	void *p;
+ 
+-	init_page_size();
+-	if (page_size > 0) {
+-		size_t pages = (len + page_size - 1) / page_size;
+-		len = pages * page_size;
+-	}
+-
+-	p = malloc(len);
+-	if (p == NULL) {
+-		return NULL;
+-	}
+ #ifdef _WIN32
+-	VirtualLock(p, len);
++	p = VirtualAlloc(NULL, len, MEM_COMMIT, PAGE_READWRITE);
++	if (p != NULL)
++	{
++		VirtualLock(p, len);
++	}
+ #else
+-	mlock(p, len);
++	p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
++	if (p != NULL)
++	{
++		mlock(p, len);
++	}
+ #endif
+ 
+ 	return p;
+@@ -940,10 +921,11 @@ void sc_mem_secure_free(void *ptr, size_t len)
+ {
+ #ifdef _WIN32
+ 	VirtualUnlock(ptr, len);
++	VirtualFree(ptr, 0, MEM_RELEASE);
+ #else
+ 	munlock(ptr, len);
++	munmap(ptr, len);
+ #endif
+-	free(ptr);
+ }
+ 
+ void sc_mem_clear(void *ptr, size_t len)
+
+From c5037daf2af375177c4a77dafb2b9909ccadf9f5 Mon Sep 17 00:00:00 2001
+From: Davis Gallinghouse <davis@aramid.us>
+Date: Mon, 9 Dec 2024 10:53:15 -0600
+Subject: [PATCH 2/3] Fix code style violations
+
+---
+ src/libopensc/sc.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/libopensc/sc.c b/src/libopensc/sc.c
+index c6c51fe1b9..ec03af0b80 100644
+--- a/src/libopensc/sc.c
++++ b/src/libopensc/sc.c
+@@ -902,14 +902,12 @@ void *sc_mem_secure_alloc(size_t len)
+ 
+ #ifdef _WIN32
+ 	p = VirtualAlloc(NULL, len, MEM_COMMIT, PAGE_READWRITE);
+-	if (p != NULL)
+-	{
++	if (p != NULL) {
+ 		VirtualLock(p, len);
+ 	}
+ #else
+ 	p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+-	if (p != NULL)
+-	{
++	if (p != NULL) {
+ 		mlock(p, len);
+ 	}
+ #endif
+
+From 137d49d843e3de6794d7df4cc97c59ee517ad44c Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Tue, 3 Dec 2024 22:28:06 +0100
+Subject: [PATCH 3/3] fixed usage of free() on data that was created with
+ sc_mem_secure_alloc
+
+This will crash applications, which, for example are importing a private
+key as reported here
+https://github.com/OpenSC/OpenSC/pull/3269#issuecomment-2495074344
+---
+ src/libopensc/pkcs15.c | 10 ++++------
+ src/libopensc/pkcs15.h |  4 ++++
+ 2 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/src/libopensc/pkcs15.c b/src/libopensc/pkcs15.c
+index 3f3198d3bc..0876cf8f88 100644
+--- a/src/libopensc/pkcs15.c
++++ b/src/libopensc/pkcs15.c
+@@ -2736,13 +2736,9 @@ sc_pkcs15_make_absolute_path(const struct sc_path *parent, struct sc_path *child
+ 
+ void sc_pkcs15_free_object_content(struct sc_pkcs15_object *obj)
+ {
+-	if (obj->content.value && obj->content.len)   {
+-		if (SC_PKCS15_TYPE_AUTH & obj->type
+-			|| SC_PKCS15_TYPE_SKEY & obj->type
+-			|| SC_PKCS15_TYPE_PRKEY & obj->type) {
+-			/* clean everything that potentially contains a secret */
+-			sc_mem_clear(obj->content.value, obj->content.len);
+-			sc_mem_secure_free(obj->content.value, obj->content.len);
++	if (obj->content.value && obj->content.len) {
++		if (obj->content_free) {
++			obj->content_free(obj->content.value, obj->content.len);
+ 		} else {
+ 			free(obj->content.value);
+ 		}
+@@ -2772,6 +2769,7 @@ sc_pkcs15_allocate_object_content(struct sc_context *ctx, struct sc_pkcs15_objec
+ 			|| SC_PKCS15_TYPE_SKEY & obj->type
+ 			|| SC_PKCS15_TYPE_PRKEY & obj->type) {
+ 		tmp_buf = sc_mem_secure_alloc(len);
++		obj->content_free = sc_mem_secure_free;
+ 	} else {
+ 		tmp_buf = malloc(len);
+ 	}
+diff --git a/src/libopensc/pkcs15.h b/src/libopensc/pkcs15.h
+index ce107c02a0..e4be6f12aa 100644
+--- a/src/libopensc/pkcs15.h
++++ b/src/libopensc/pkcs15.h
+@@ -486,6 +486,10 @@ struct sc_pkcs15_object {
+ 	struct sc_pkcs15_object *next, *prev; /* used only internally */
+ 
+ 	struct sc_pkcs15_der content;
++	/* Method for deallocating the object's content.value.
++	 * If no specific function for deallocation is given, then free() is used
++	 * to release content.value */
++	void (*content_free)(void *, size_t);
+ 
+ 	int session_object;	/* used internally. if nonzero, object is a session object. */
+ };
+

opensc.spec

@@ -3,7 +3,7 @@
 
 Name:           opensc
 Version:        0.20.0
-Release:        8%{?dist}
+Release:        9%{?dist}
 Summary:        Smart card library and applications
 
 Group:          System Environment/Libraries
@@ -81,6 +81,8 @@ Patch22:        %{name}-0.23.0-pkcs15init.patch
 # https://github.com/OpenSC/OpenSC/pull/2948
 # https://github.com/OpenSC/OpenSC/pull/3016
 Patch23:        %{name}-0.23.0-constant-time-pkcs1.patch
+# https://github.com/OpenSC/OpenSC/pull/3281
+Patch24:        %{name}-0.23.0-mlock.patch
 
 BuildRequires:  pcsc-lite-devel
 BuildRequires:  readline-devel
@@ -126,6 +128,7 @@ every software/card that does so, too.
 %patch21 -p1 -b .pin-bypass
 %patch22 -p1 -b .pkcs15init
 %patch23 -p1 -b .constant-time-pkcs1.5
+%patch24 -p1 -b .mlock
 
 cp -p src/pkcs15init/README ./README.pkcs15init
 cp -p src/scconf/README.scconf .
@@ -284,6 +287,9 @@ fi
 
 
 %changelog
+* Tue May 12 2026 Jakub Jelen <jjelen@redhat.com> - 0.20.0-9
+- Avoid using mlock()/munlock() to unbreak opensc in chromium browsers (RHEL-149713)
+
 * Thu Feb 08 2024 Veronika Hanulikova <vhanulik@redhat.com> - 0.20.0-8
 - Fix CVE-2023-5992: Side-channel leaks while stripping encryption PKCS#1.5 padding
 

plans/ci.fmf

@@ -0,0 +1,23 @@
+/fips-disabled-buildroot-disabled:
+  plan:
+    import:
+      url: https://pkgs.devel.redhat.com/git/tests/opensc
+      name: /plans/ci/fips-disabled-buildroot-disabled
+
+/fips-disabled-buildroot-enabled:
+  plan:
+    import:
+      url: https://pkgs.devel.redhat.com/git/tests/opensc
+      name: /plans/ci/fips-disabled-buildroot-enabled
+
+/fips-enabled-buildroot-disabled:
+  plan:
+    import:
+      url: https://pkgs.devel.redhat.com/git/tests/opensc
+      name: /plans/ci/fips-enabled-buildroot-disabled
+
+/fips-enabled-buildroot-enabled:
+  plan:
+    import:
+      url: https://pkgs.devel.redhat.com/git/tests/opensc
+      name: /plans/ci/fips-enabled-buildroot-enabled

sources

@@ -0,0 +1 @@
+SHA512 (opensc-0.20.0.tar.gz) = 71f71fa6062410e63c6c60f5b2d10d1d855cc6cc815ef0e42e42a1ddd25bbd52fc396c1e495ef54610f3243996dec84dacc8007b186deb670ed645b04ee6eda5