rpms
/
opensc
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c9
rpms:c9s
rpms:c8-beta
rpms:c9-beta
rpms:c8s
rpms:imports/c9/opensc-0.23.0-4.el9_3
rpms:imports/c8/opensc-0.20.0-8.el8_9
rpms:imports/c9/opensc-0.23.0-3.el9_3
rpms:imports/c8/opensc-0.20.0-7.el8_9
rpms:imports/c8-beta/opensc-0.20.0-6.el8
rpms:imports/c9-beta/opensc-0.23.0-2.el9
rpms:imports/c9/opensc-0.22.0-2.el9
rpms:imports/c9-beta/opensc-0.22.0-2.el9
rpms:imports/c9-beta/opensc-0.22.0-1.el9
rpms:imports/c8-beta/opensc-0.20.0-4.el8
rpms:imports/c8-beta/opensc-0.20.0-2.el8
rpms:imports/c8-beta/opensc-0.19.0-7.el8
rpms:imports/c8-beta/opensc-0.19.0-5.el8
rpms:imports/c8s/opensc-0.20.0-4.el8
rpms:imports/c8s/opensc-0.20.0-3.el8
rpms:imports/c8s/opensc-0.20.0-2.el8
rpms:imports/c8s/opensc-0.20.0-1.el8
rpms:imports/c8s/opensc-0.19.0-7.el8
rpms:imports/c8/opensc-0.20.0-4.el8
rpms:imports/c8/opensc-0.20.0-2.el8
rpms:imports/c8/opensc-0.19.0-7.el8
rpms:imports/c8/opensc-0.19.0-5.el8
rpms:imports/c8/opensc-0.19.0-4.el8
...
pull from: rpms:c9
Branches Tags
rpms:c9
rpms:c8
rpms:c9s
rpms:c8-beta
rpms:c9-beta
rpms:c8s
rpms:imports/c9/opensc-0.23.0-4.el9_3
rpms:imports/c8/opensc-0.20.0-8.el8_9
rpms:imports/c9/opensc-0.23.0-3.el9_3
rpms:imports/c8/opensc-0.20.0-7.el8_9
rpms:imports/c8-beta/opensc-0.20.0-6.el8
rpms:imports/c9-beta/opensc-0.23.0-2.el9
rpms:imports/c9/opensc-0.22.0-2.el9
rpms:imports/c9-beta/opensc-0.22.0-2.el9
rpms:imports/c9-beta/opensc-0.22.0-1.el9
rpms:imports/c8-beta/opensc-0.20.0-4.el8
rpms:imports/c8-beta/opensc-0.20.0-2.el8
rpms:imports/c8-beta/opensc-0.19.0-7.el8
rpms:imports/c8-beta/opensc-0.19.0-5.el8
rpms:imports/c8s/opensc-0.20.0-4.el8
rpms:imports/c8s/opensc-0.20.0-3.el8
rpms:imports/c8s/opensc-0.20.0-2.el8
rpms:imports/c8s/opensc-0.20.0-1.el8
rpms:imports/c8s/opensc-0.19.0-7.el8
rpms:imports/c8/opensc-0.20.0-4.el8
rpms:imports/c8/opensc-0.20.0-2.el8
rpms:imports/c8/opensc-0.19.0-7.el8
rpms:imports/c8/opensc-0.19.0-5.el8
rpms:imports/c8/opensc-0.19.0-4.el8

No commits in common. "c8" and "c9" have entirely different histories.
c8 ... c9

23 changed files with 4298 additions and 5971 deletions
Show Stats Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/opensc-0.20.0.tar.gz
SOURCES/opensc-0.23.0.tar.gz

2
.opensc.metadata
View File

@ -1 +1 @@
86bf24a556837fa94d8f9b5aa4be3c9e55d4d94d SOURCES/opensc-0.20.0.tar.gz
5a5367ef33efcc35ed420b191b4d1bc3aa34a538 SOURCES/opensc-0.23.0.tar.gz

1848
SOURCES/opensc-0.19.0-idprime.patch
View File

File diff suppressed because it is too large Load Diff

2
SOURCES/opensc-0.19.0-pinpad.patch
View File

@ -3,7 +3,7 @@ diff -up opensc-0.19.0/etc/opensc.conf.pinpad opensc-0.19.0/etc/opensc.conf
+++ opensc-0.19.0/etc/opensc.conf 2018-10-22 14:33:59.939410701 +0200
@@ -4,4 +4,9 @@ app default {
framework pkcs15 {
# use_file_caching = true;
# use_file_caching = public;
}
+ reader_driver pcsc {
+ # The pinpad is disabled by default,

31
SOURCES/opensc-0.20.0-CVE-2020-26570.patch
View File

@ -1,31 +0,0 @@
commit 6903aebfddc466d966c7b865fae34572bf3ed23e
Author: Frank Morgner <frankmorgner@gmail.com>
Date: Thu Jul 30 02:21:17 2020 +0200
Heap-buffer-overflow WRITE
fixes https://oss-fuzz.com/testcase-detail/5088104168554496
diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
index a873aaa0..2fb32b8d 100644
--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
@@ -271,11 +271,15 @@ sc_oberthur_read_file(struct sc_pkcs15_card *p15card, const char *in_path,
rv = sc_read_binary(card, 0, *out, sz, 0);
}
else {
- int rec;
- int offs = 0;
- int rec_len = file->record_length;
+ size_t rec;
+ size_t offs = 0;
+ size_t rec_len = file->record_length;
for (rec = 1; ; rec++) {
+ if (rec > file->record_count) {
+ rv = 0;
+ break;
+ }
rv = sc_read_record(card, rec, *out + offs + 2, rec_len, SC_RECORD_BY_REC_NR);
if (rv == SC_ERROR_RECORD_NOT_FOUND) {
rv = 0;

42
SOURCES/opensc-0.20.0-CVE-2020-26571.patch
View File

@ -1,42 +0,0 @@
commit ed55fcd2996930bf58b9bb57e9ba7b1f3a753c43
Author: Frank Morgner <frankmorgner@gmail.com>
Date: Mon May 18 17:25:32 2020 +0200
fixed invalid read
fixes https://oss-fuzz.com/testcase-detail/5765246676631552
diff --git a/src/libopensc/pkcs15-gemsafeGPK.c b/src/libopensc/pkcs15-gemsafeGPK.c
index e13f3b87..4b80daf2 100644
--- a/src/libopensc/pkcs15-gemsafeGPK.c
+++ b/src/libopensc/pkcs15-gemsafeGPK.c
@@ -205,7 +205,7 @@ static int sc_pkcs15emu_gemsafeGPK_init(sc_pkcs15_card_t *p15card)
u8 sysrec[7];
int num_keyinfo = 0;
- keyinfo kinfo[8]; /* will loook for 8 keys */
+ keyinfo kinfo[9]; /* will look for 9 keys */
u8 modulus_buf[ 1 + 1024 / 8]; /* tag+modulus */
u8 *cp;
char buf[256];
@@ -255,9 +255,9 @@ static int sc_pkcs15emu_gemsafeGPK_init(sc_pkcs15_card_t *p15card)
/* There may be more then one key in the directory. */
/* we need to find them so we can associate them with the */
- /* the certificate. The files are 0007 to 000f */
+ /* the certificate. The files are 0007 to 000F */
- for (i = 7; i < 16; i++) {
+ for (i = 0x7; i <= 0xF; i++) {
path.value[0] = 0x00;
path.value[1] = i;
path.len = 2;
@@ -297,7 +297,7 @@ static int sc_pkcs15emu_gemsafeGPK_init(sc_pkcs15_card_t *p15card)
while (j--)
*cp++ = modulus_buf[j + 1];
num_keyinfo++;
- }
+ }
/* Get the gemsafe data with the cert */
sc_format_path("3F000200004", &path);

21
SOURCES/opensc-0.20.0-CVE-2020-26572.patch
View File

@ -1,21 +0,0 @@
commit 9d294de90d1cc66956389856e60b6944b27b4817
Author: Frank Morgner <frankmorgner@gmail.com>
Date: Thu Jun 4 10:04:10 2020 +0200
prevent out of bounds write
fixes https://oss-fuzz.com/testcase-detail/5226571123392512
diff --git a/src/libopensc/card-tcos.c b/src/libopensc/card-tcos.c
index 673c2493..e88c80bd 100644
--- a/src/libopensc/card-tcos.c
+++ b/src/libopensc/card-tcos.c
@@ -623,6 +623,8 @@ static int tcos_decipher(sc_card_t *card, const u8 * crgram, size_t crgram_len,
apdu.data = sbuf;
apdu.lc = apdu.datalen = crgram_len+1;
sbuf[0] = tcos3 ? 0x00 : ((data->pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) ? 0x81 : 0x02);
+ if (sizeof sbuf - 1 < crgram_len)
+ return SC_ERROR_INVALID_ARGUMENTS;
memcpy(sbuf+1, crgram, crgram_len);
r = sc_transmit_apdu(card, &apdu);

102
SOURCES/opensc-0.20.0-cac-pin-change.patch
View File

@ -1,102 +0,0 @@
diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
index 099923e5..61e69c88 100644
--- a/src/libopensc/card-cac.c
+++ b/src/libopensc/card-cac.c
@@ -1793,7 +1793,7 @@ static int cac_find_and_initialize(sc_card_t *card, int initialize)
}
r = cac_process_ACA(card, priv);
if (r == SC_SUCCESS) {
- card->type = SC_CARD_TYPE_CAC_II;
+ card->type = SC_CARD_TYPE_CAC_ALT_HID;
card->drv_data = priv;
return r;
}
@@ -1869,6 +1869,8 @@ static int cac_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data, int *tries
* FIPS 201 4.1.6.1 (numeric only) and * FIPS 140-2
* (6 character minimum) requirements.
*/
+ sc_apdu_t apdu;
+ u8 sbuf[SC_MAX_APDU_BUFFER_SIZE];
struct sc_card_driver *iso_drv = sc_get_iso7816_driver();
if (data->cmd == SC_PIN_CMD_CHANGE) {
@@ -1881,6 +1883,18 @@ static int cac_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data, int *tries
return SC_ERROR_INVALID_DATA;
}
}
+
+ /* We can change the PIN of Giesecke & Devrient CAC ALT tokens
+ * with a bit non-standard APDU */
+ if (card->type == SC_CARD_TYPE_CAC_ALT_HID) {
+ int r = 0;
+ r = iso7816_build_pin_apdu(card, &apdu, data, sbuf, sizeof(sbuf));
+ if (r < 0)
+ return r;
+ /* it requires P1 = 0x01 completely against the ISO specs */
+ apdu.p1 = 0x01;
+ data->apdu = &apdu;
+ }
}
return iso_drv->ops->pin_cmd(card, data, tries_left);
diff --git a/src/libopensc/cards.h b/src/libopensc/cards.h
index 0ec25a46..16846d15 100644
--- a/src/libopensc/cards.h
+++ b/src/libopensc/cards.h
@@ -244,6 +244,7 @@ enum {
SC_CARD_TYPE_CAC_GENERIC,
SC_CARD_TYPE_CAC_I,
SC_CARD_TYPE_CAC_II,
+ SC_CARD_TYPE_CAC_ALT_HID,
/* nPA cards */
SC_CARD_TYPE_NPA = 34000,
diff --git a/src/libopensc/iso7816.c b/src/libopensc/iso7816.c
index b1a0e88f..d41613b2 100644
--- a/src/libopensc/iso7816.c
+++ b/src/libopensc/iso7816.c
@@ -1017,7 +1017,7 @@ iso7816_decipher(struct sc_card *card,
}
-static int
+int
iso7816_build_pin_apdu(struct sc_card *card, struct sc_apdu *apdu,
struct sc_pin_cmd_data *data, u8 *buf, size_t buf_len)
{
diff --git a/src/libopensc/opensc.h b/src/libopensc/opensc.h
index b519c5d5..8ebf9fbd 100644
--- a/src/libopensc/opensc.h
+++ b/src/libopensc/opensc.h
@@ -1664,6 +1664,19 @@ int iso7816_update_binary_sfid(sc_card_t *card, unsigned char sfid,
* */
int iso7816_logout(sc_card_t *card, unsigned char pin_reference);
+/*
+ * @brief Format PIN APDU for modifiction by card driver
+ *
+ * @param[in] card card
+ * @param[in] apdu apdu structure to update with PIN APDU
+ * @param[in] data pin command data to set into the APDU
+ * @param[in] buf buffer for APDU data field
+ * @param[in] buf_len maximum buffer length
+ */
+int
+iso7816_build_pin_apdu(struct sc_card *card, struct sc_apdu *apdu,
+ struct sc_pin_cmd_data *data, u8 *buf, size_t buf_len);
+
#ifdef __cplusplus
}
#endif
diff --git a/src/libopensc/pkcs15-cac.c b/src/libopensc/pkcs15-cac.c
index ccb27994..05056ea9 100644
--- a/src/libopensc/pkcs15-cac.c
+++ b/src/libopensc/pkcs15-cac.c
@@ -79,6 +79,7 @@ static const char * cac_get_name(int type)
switch (type) {
case SC_CARD_TYPE_CAC_I: return ("CAC I");
case SC_CARD_TYPE_CAC_II: return ("CAC II");
+ case SC_CARD_TYPE_CAC_ALT_HID: return ("CAC ALT HID");
default: break;
}
return ("CAC");

102
SOURCES/opensc-0.20.0-calloc0.patch
View File

@ -1,102 +0,0 @@
From f1bcadfbe9d156adbe509b0860511ee41add0c67 Mon Sep 17 00:00:00 2001
From: Frank Morgner <frankmorgner@gmail.com>
Date: Tue, 10 Mar 2020 12:13:29 +0100
Subject: [PATCH] pkcs11: don't try to allocate 0 byte with calloc
fixes #1978
---
src/pkcs11/pkcs11-global.c | 7 ++++++-
win32/Make.rules.mak | 4 ++--
win32/winconfig.h.in | 2 ++
3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/pkcs11/pkcs11-global.c b/src/pkcs11/pkcs11-global.c
index a3260314f8..671890309f 100644
--- a/src/pkcs11/pkcs11-global.c
+++ b/src/pkcs11/pkcs11-global.c
@@ -456,6 +456,13 @@ CK_RV C_GetSlotList(CK_BBOOL tokenPresent, /* only slots with token prese
card_detect_all();
+ if (list_empty(&virtual_slots)) {
+ sc_log(context, "returned 0 slots\n");
+ *pulCount = 0;
+ rv = CKR_OK;
+ goto out;
+ }
+
found = calloc(list_size(&virtual_slots), sizeof(CK_SLOT_ID));
if (found == NULL) {
diff --git a/win32/Make.rules.mak b/win32/Make.rules.mak
index 4f4971a72d..c6b1aac340 100644
--- a/win32/Make.rules.mak
+++ b/win32/Make.rules.mak
@@ -1,7 +1,7 @@
OPENSC_FEATURES = pcsc
#Include support for minidriver
-MINIDRIVER_DEF = /DENABLE_MINIDRIVER
+#MINIDRIVER_DEF = /DENABLE_MINIDRIVER
#Build MSI with the Windows Installer XML (WIX) toolkit, requires WIX >= 3.9
!IF "$(WIX)" == ""
@@ -33,7 +33,7 @@ WIX_LIBS = "$(WIX)\SDK\$(WIXVSVER)\lib\$(PLATFORM)\dutil.lib" "$(WIX)\SDK\$(WIXV
SM_DEF = /DENABLE_SM
#Build with debugging support
-#DEBUG_DEF = /DDEBUG
+DEBUG_DEF = /DDEBUG
# If you want support for OpenSSL (needed for pkcs15-init tool, software hashing in PKCS#11 library and verification):
# - download and build OpenSSL
diff --git a/win32/winconfig.h.in b/win32/winconfig.h.in
index 94ed9b5475..fa682c5bcc 100644
--- a/win32/winconfig.h.in
+++ b/win32/winconfig.h.in
@@ -103,6 +103,8 @@
#define DEFAULT_ONEPIN_PKCS11_PROVIDER "@DEFAULT_ONEPIN_PKCS11_PROVIDER@"
#endif
+#define PKCS11_THREAD_LOCKING
+
#ifndef DEFAULT_SM_MODULE
#define DEFAULT_SM_MODULE "@DEFAULT_SM_MODULE@"
#endif
commit 500ecd3d127975379e2310626c3ce94c3e7035ea
Author: Jakub Jelen <jjelen@redhat.com>
Date: Wed Nov 25 13:49:08 2020 +0100
pkcs11-tool: Avoid calloc with 0 argument
diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
index 4015aaf1..89244795 100644
--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
@@ -1270,15 +1270,18 @@ static void list_slots(int tokens, int refresh, int print)
if (rv != CKR_OK)
p11_fatal("C_GetSlotList(NULL)", rv);
free(p11_slots);
- p11_slots = calloc(p11_num_slots, sizeof(CK_SLOT_ID));
- if (p11_slots == NULL) {
- perror("calloc failed");
- exit(1);
+ p11_slots = NULL;
+ if (p11_num_slots > 0) {
+ p11_slots = calloc(p11_num_slots, sizeof(CK_SLOT_ID));
+ if (p11_slots == NULL) {
+ perror("calloc failed");
+ exit(1);
+ }
+ rv = p11->C_GetSlotList(tokens, p11_slots, &p11_num_slots);
+ if (rv != CKR_OK)
+ p11_fatal("C_GetSlotList()", rv);
}
- rv = p11->C_GetSlotList(tokens, p11_slots, &p11_num_slots);
- if (rv != CKR_OK)
- p11_fatal("C_GetSlotList()", rv);
}
if (!print)

1338
SOURCES/opensc-0.20.0-cardos.patch
View File

File diff suppressed because it is too large Load Diff

85
SOURCES/opensc-0.20.0-file-cache.patch
View File

@ -1,85 +0,0 @@
From 2a28dcd3f6e4af7a5b2d7d7810b26b6321dd1bf1 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 10 Nov 2020 14:44:43 +0100
Subject: [PATCH 1/3] ctx: Use more standard cache directory
https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
---
src/libopensc/ctx.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/libopensc/ctx.c b/src/libopensc/ctx.c
index 6b57170f01..d6058c070e 100644
--- a/src/libopensc/ctx.c
+++ b/src/libopensc/ctx.c
@@ -1008,7 +1008,12 @@ int sc_get_cache_dir(sc_context_t *ctx, char *buf, size_t bufsize)
}
#ifndef _WIN32
- cache_dir = ".eid/cache";
+ cache_dir = getenv("XDG_CACHE_HOME");
+ if (cache_dir != NULL && cache_dir[0] != '\0') {
+ snprintf(buf, bufsize, "%s/%s", cache_dir, "opensc");
+ return SC_SUCCESS;
+ }
+ cache_dir = ".cache/opensc";
homedir = getenv("HOME");
#else
cache_dir = "eid-cache";
@@ -1020,7 +1025,7 @@ int sc_get_cache_dir(sc_context_t *ctx, char *buf, size_t bufsize)
homedir = temp_path;
}
#endif
- if (homedir == NULL)
+ if (homedir == NULL || homedir[0] == '\0')
return SC_ERROR_INTERNAL;
if (snprintf(buf, bufsize, "%s/%s", homedir, cache_dir) < 0)
return SC_ERROR_BUFFER_TOO_SMALL;
From 7c1c6f6be47f55693647827259edcacc98761371 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 10 Nov 2020 15:07:42 +0100
Subject: [PATCH 3/3] doc: Update documentation about the cache location
---
doc/files/opensc.conf.5.xml.in | 9 +++++++--
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/doc/files/opensc.conf.5.xml.in b/doc/files/opensc.conf.5.xml.in
index 118922a877..791f11669a 100644
--- a/doc/files/opensc.conf.5.xml.in
+++ b/doc/files/opensc.conf.5.xml.in
@@ -1116,12 +1116,17 @@ app <replaceable>application</replaceable> {
<itemizedlist>
<listitem>
<para>
- <filename><envar>HOME</envar>/.eid/cache/</filename> (Unix)
+ <filename><envar>$XDG_CACHE_HOME</envar>/opensc/</filename> (If <envar>$XDG_CACHE_HOME</envar> is defined)
</para>
</listitem>
<listitem>
<para>
- <filename><envar>USERPROFILE</envar>\.eid-cache\</filename> (Windows)
+ <filename><envar>$HOME</envar>/.cache/opensc/</filename> (Unix)
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <filename><envar>$USERPROFILE</envar>\.eid-cache\</filename> (Windows)
</para>
</listitem>
</itemizedlist>
diff -up opensc-0.20.0/etc/opensc.conf.file-cache opensc-0.20.0/etc/opensc.conf
--- opensc-0.20.0/etc/opensc.conf.file-cache 2020-11-20 16:49:30.995526825 +0100
+++ opensc-0.20.0/etc/opensc.conf 2020-11-20 16:50:07.665053280 +0100
@@ -2,7 +2,7 @@ app default {
# debug = 3;
# debug_file = opensc-debug.txt;
framework pkcs15 {
- # use_file_caching = true;
+ use_file_caching = true;
}
reader_driver pcsc {
# The pinpad is disabled by default,

25
SOURCES/opensc-0.20.0-idprime.patch
View File

@ -1,25 +0,0 @@
From 34dad7f543f006ad269ce1f935a9e8d3e3a83db7 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 3 Feb 2020 16:40:51 +0100
Subject: [PATCH] idprime: Add missing terminator in ATR list
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20510
---
src/libopensc/card-idprime.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/libopensc/card-idprime.c b/src/libopensc/card-idprime.c
index 744d5189b9..9f5adde9d2 100644
--- a/src/libopensc/card-idprime.c
+++ b/src/libopensc/card-idprime.c
@@ -52,6 +52,7 @@ static const struct sc_atr_table idprime_atrs[] = {
"ff:ff:00:ff:ff:ff:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:ff",
"Gemalto IDPrime MD 8840, 3840, 3810, 840 and 830 Cards",
SC_CARD_TYPE_IDPRIME_GENERIC, 0, NULL },
+ { NULL, NULL, NULL, 0, 0, NULL }
};
static const sc_path_t idprime_path = {

24
SOURCES/opensc-0.20.0-label-padding.patch
View File

@ -1,24 +0,0 @@
commit 8d4af9eb0b799f22b25783e8e1b7af329b5a917b
Author: Frank Morgner <frankmorgner@gmail.com>
Date: Fri Jan 31 12:15:53 2020 +0100
pkcs11: fixed right padding of token label with ' '
fixes https://github.com/OpenSC/OpenSC/issues/1922
diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
index e94eeeff..a1951c2e 100644
--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
@@ -1122,9 +1122,10 @@ pkcs15_init_slot(struct sc_pkcs15_card *p15card, struct sc_pkcs11_slot *slot,
max_tokeninfo_len);
slot->token_info.label[max_tokeninfo_len] = ' ';
slot->token_info.label[max_tokeninfo_len+1] = '(';
- slot->token_info.label[max_tokeninfo_len+2+pin_len] = ')';
strcpy_bp(slot->token_info.label+max_tokeninfo_len+2,
auth->label, pin_len);
+ strcpy_bp(slot->token_info.label+max_tokeninfo_len+2+pin_len,
+ ")", 32 - max_tokeninfo_len-2-pin_len);
}
} else {
/* PIN label is empty or just says non-useful "PIN",

2173
SOURCES/opensc-0.20.0-reader-removal.patch
View File

File diff suppressed because it is too large Load Diff

23
SOURCES/opensc-0.22.0-file-cache.patch Normal file
View File

@ -0,0 +1,23 @@
diff -up opensc-0.22.0/etc/opensc.conf.file-cache opensc-0.22.0/etc/opensc.conf
--- opensc-0.22.0/etc/opensc.conf.file-cache 2021-10-08 13:14:44.091772071 +0200
+++ opensc-0.22.0/etc/opensc.conf 2021-10-08 13:19:27.339051951 +0200
@@ -2,7 +2,7 @@ app default {
# debug = 3;
# debug_file = opensc-debug.txt;
framework pkcs15 {
- # use_file_caching = public;
+ use_file_caching = public;
}
reader_driver pcsc {
# The pinpad is disabled by default,
@@ -10,3 +10,10 @@ app default {
enable_pinpad = false;
}
}
+# the pkcs15-init is used for card initialization when the file caching
+# brings more trouble than use so disable that:
+app pkcs15-init {
+ framework pkcs15 {
+ use_file_caching = no;
+ }
+}

0
SOURCES/opensc-0.20.0-CVE-2023-2977.patch → SOURCES/opensc-0.23.0-cardos-pkcs15init.patch
View File

393
SOURCES/opensc-0.23.0-constant-time-pkcs1.patch → SOURCES/opensc-0.23.0-constant-time-pkcs1.5.patch
View File

@ -1,5 +1,5 @@
diff --git a/src/common/Makefile.am b/src/common/Makefile.am
index 5153428dc..9ecbffe8f 100644
index 5153428dce..9ecbffe8fd 100644
--- a/src/common/Makefile.am
+++ b/src/common/Makefile.am
@@ -8,7 +8,8 @@ dist_noinst_DATA = \
@ -21,7 +21,7 @@ index 5153428dc..9ecbffe8f 100644
+ constant-time.h
check-local:
if [ -x "$(CLANGTIDY)" ]; then clang-tidy -config='' -header-filter=.* $(TIDY_FILES) -- $(TIDY_FLAGS); fi
if [ -x "$(CLANGTIDY)" ]; then clang-tidy -config='' --checks='$(TIDY_CHECKS)' -header-filter=.* $(addprefix $(srcdir)/,$(TIDY_FILES)) -- $(TIDY_FLAGS); fi
diff --git a/src/common/constant-time.h b/src/common/constant-time.h
new file mode 100644
index 0000000000..40c3e500c2
@ -163,18 +163,20 @@ index 0000000000..40c3e500c2
+
+#endif /* CONSTANT_TIME_H */
diff --git a/src/libopensc/internal.h b/src/libopensc/internal.h
index 74014235a..13eccfa1a 100644
index 7531260c14..2a98f0e966 100644
--- a/src/libopensc/internal.h
+++ b/src/libopensc/internal.h
@@ -168,6 +168,8 @@ int sc_pkcs1_strip_01_padding(struct sc_context *ctx, const u8 *in_dat, size_t i
u8 *out_dat, size_t *out_len);
int sc_pkcs1_strip_02_padding(struct sc_context *ctx, const u8 *data, size_t len,
@@ -175,8 +175,8 @@ int _sc_card_add_xeddsa_alg(struct sc_card *card, size_t key_length,
int sc_pkcs1_strip_01_padding(struct sc_context *ctx, const u8 *in_dat, size_t in_len,
u8 *out_dat, size_t *out_len);
-int sc_pkcs1_strip_02_padding(struct sc_context *ctx, const u8 *data, size_t len,
- u8 *out_dat, size_t *out_len);
+int sc_pkcs1_strip_02_padding_constant_time(sc_context_t *ctx, unsigned int n, const u8 *data,
+ unsigned int data_len, u8 *out, unsigned int *out_len);
int sc_pkcs1_strip_digest_info_prefix(unsigned int *algorithm,
const u8 *in_dat, size_t in_len, u8 *out_dat, size_t *out_len);
#ifdef ENABLE_OPENSSL
diff --git a/src/libopensc/padding.c b/src/libopensc/padding.c
index ca47733a4e..ddb3061134 100644
--- a/src/libopensc/padding.c
@ -185,7 +187,7 @@ index ca47733a4e..ddb3061134 100644
+#include "common/constant-time.h"
#include "internal.h"
#include "pkcs11/pkcs11.h"
/* TODO doxygen comments */
+#define SC_PKCS1_PADDING_MIN_SIZE 11
@ -305,13 +307,283 @@ index ca47733a4e..ddb3061134 100644
+ return constant_time_select(good, mlen, SC_ERROR_WRONG_PADDING);
}
/* add/remove DigestInfo prefix */
#ifdef ENABLE_OPENSSL
diff --git a/src/minidriver/minidriver.c b/src/minidriver/minidriver.c
index 3391994abe..5248d9758a 100644
--- a/src/minidriver/minidriver.c
+++ b/src/minidriver/minidriver.c
@@ -4653,9 +4653,9 @@ DWORD WINAPI CardRSADecrypt(__in PCARD_DATA pCardData,
"sc_pkcs15_decipher: DECRYPT-INFO dwVersion=%lu\n",
(unsigned long)pInfo->dwVersion);
if (pInfo->dwPaddingType == CARD_PADDING_PKCS1) {
- size_t temp = pInfo->cbData;
+ unsigned int temp = pInfo->cbData;
logprintf(pCardData, 2, "sc_pkcs15_decipher: stripping PKCS1 padding\n");
- r = sc_pkcs1_strip_02_padding(vs->ctx, pbuf2, pInfo->cbData, pbuf2, &temp);
+ r = sc_pkcs1_strip_02_padding_constant_time(vs->ctx, prkey_info->modulus_length / 8, pbuf2, pInfo->cbData, pbuf2, &temp);
pInfo->cbData = (DWORD) temp;
if (r < 0) {
logprintf(pCardData, 2, "Cannot strip PKCS1 padding: %i\n", r);
diff --git a/src/tests/unittests/Makefile.am b/src/tests/unittests/Makefile.am
index 7019ca7ba8..4c73911e48 100644
--- a/src/tests/unittests/Makefile.am
+++ b/src/tests/unittests/Makefile.am
@@ -6,8 +6,10 @@ include $(top_srcdir)/aminclude_static.a
clean-local: code-coverage-clean
distclean-local: code-coverage-dist-clean
-noinst_PROGRAMS = asn1 simpletlv cachedir pkcs15filter openpgp-tool hextobin decode_ecdsa_signature
-TESTS = asn1 simpletlv cachedir pkcs15filter openpgp-tool hextobin decode_ecdsa_signature
+noinst_PROGRAMS = asn1 simpletlv cachedir pkcs15filter openpgp-tool hextobin \
+ decode_ecdsa_signature strip_pkcs1_2_padding
+TESTS = asn1 simpletlv cachedir pkcs15filter openpgp-tool hextobin \
+ decode_ecdsa_signature strip_pkcs1_2_padding
noinst_HEADERS = torture.h
@@ -28,6 +30,7 @@ pkcs15filter_SOURCES = pkcs15-emulator-f
openpgp_tool_SOURCES = openpgp-tool.c $(top_builddir)/src/tools/openpgp-tool-helpers.c
hextobin_SOURCES = hextobin.c
decode_ecdsa_signature_SOURCES = decode_ecdsa_signature.c
+strip_pkcs1_2_paddingSOURCES = strip_pkcs1_2_padding.c
if ENABLE_ZLIB
noinst_PROGRAMS += compression
diff --git a/src/tests/unittests/Makefile.mak b/src/tests/unittests/Makefile.mak
index 2607546f57..6284b51af9 100644
--- a/src/tests/unittests/Makefile.mak
+++ b/src/tests/unittests/Makefile.mak
@@ -1,10 +1,11 @@
TOPDIR = ..\..\..
-TARGETS = asn1 compression pkcs15filter
+TARGETS = asn1 compression pkcs15filter strip_pkcs1_2_padding
OBJECTS = asn1.obj \
compression.obj \
- pkcs15-emulator-filter.obj
+ pkcs15-emulator-filter.obj \
+ strip_pkcs1_2_padding.obj \
$(TOPDIR)\win32\versioninfo.res
all: $(TARGETS)
diff --git a/src/tests/unittests/strip_pkcs1_2_padding.c b/src/tests/unittests/strip_pkcs1_2_padding.c
new file mode 100644
index 0000000000..f9561b936d
--- /dev/null
+++ b/src/tests/unittests/strip_pkcs1_2_padding.c
@@ -0,0 +1,204 @@
+#include "common/compat_strlcpy.c"
+#include "libopensc/log.c"
+#include "libopensc/padding.c"
+#include "torture.h"
+#include <cmocka.h>
+
+static void
+torture_long_output_buffer(void **state)
+{
+ unsigned int n = 14;
+ unsigned int in_len = 14;
+ unsigned char in[] = {0x00, 0x02,
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 0x00,
+ 'm', 's', 'g'};
+ unsigned int out_len = 3;
+ unsigned char *out = calloc(out_len, sizeof(unsigned char));
+ unsigned char result_msg[] = {'m', 's', 'g'};
+ int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+ assert_int_equal(r, 3);
+ assert_memory_equal(out, result_msg, r);
+ free(out);
+}
+
+static void
+torture_short_output_buffer(void **state)
+{
+ unsigned int n = 14;
+ unsigned int in_len = 14;
+ unsigned char in[] = {0x00, 0x02,
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 0x00,
+ 'm', 's', 'g'};
+ unsigned int out_len = 1;
+ unsigned char *out = calloc(out_len, sizeof(unsigned char));
+ int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+ assert_int_equal(r, SC_ERROR_WRONG_PADDING);
+ free(out);
+}
+
+static void
+torture_short_message_correct_padding(void **state)
+{
+ unsigned int n = 14;
+ unsigned int in_len = 14;
+ unsigned char in[] = {0x00, 0x02,
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 0x00,
+ 'm', 's', 'g'};
+ unsigned int out_len = 3;
+ unsigned char *out = calloc(out_len, sizeof(unsigned char));
+ unsigned char result_msg[] = {'m', 's', 'g'};
+ int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+ assert_int_equal(r, 3);
+ assert_memory_equal(out, result_msg, r);
+ free(out);
+}
+
+static void
+torture_missing_first_zero(void **state)
+{
+ unsigned int n = 13;
+ unsigned int in_len = 13;
+ unsigned char in[] = {0x02,
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 0x00,
+ 'm', 's', 'g'};
+ unsigned int out_len = 10;
+ unsigned char *out = calloc(out_len, sizeof(unsigned char));
+ int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+ assert_int_equal(r, SC_ERROR_WRONG_PADDING);
+ free(out);
+}
+
+static void
+torture_missing_two(void **state)
+{
+ unsigned int n = 13;
+ unsigned int in_len = 13;
+ unsigned char in[] = {0x00,
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 0x00,
+ 'm', 's', 'g'};
+ unsigned int out_len = 10;
+ unsigned char *out = calloc(out_len, sizeof(unsigned char));
+ int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+ assert_int_equal(r, SC_ERROR_WRONG_PADDING);
+ free(out);
+}
+
+static void
+torture_short_padding(void **state)
+{
+ unsigned int n = 13;
+ unsigned int in_len = 13;
+ unsigned char in[] = {0x00, 0x02,
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x00,
+ 'm', 's', 'g'};
+ unsigned int out_len = 10;
+ unsigned char *out = calloc(out_len, sizeof(unsigned char));
+ int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+ assert_int_equal(r, SC_ERROR_WRONG_PADDING);
+ free(out);
+}
+
+static void
+torture_missing_second_zero(void **state)
+{
+ unsigned int n = 13;
+ unsigned int in_len = 13;
+ unsigned char in[] = {0x00, 0x02,
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 'm', 's', 'g'};
+ unsigned int out_len = 10;
+ unsigned char *out = calloc(out_len, sizeof(unsigned char));
+ int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+ assert_int_equal(r, SC_ERROR_WRONG_PADDING);
+ free(out);
+}
+
+static void
+torture_missing_message(void **state)
+{
+ unsigned int n = 20;
+ unsigned int in_len = 11;
+ unsigned char in[] = {0x00, 0x02,
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 0x00};
+ unsigned int out_len = 11;
+ unsigned char *out = calloc(out_len, sizeof(unsigned char));
+ int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+ assert_int_equal(r, SC_ERROR_WRONG_PADDING);
+ free(out);
+}
+
+static void
+torture_one_byte_message(void **state)
+{
+ unsigned int n = 12;
+ unsigned int in_len = 12;
+ unsigned char in[] = {0x00, 0x02,
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 0x00,
+ 'm'};
+ unsigned int out_len = 1;
+ unsigned char *out = calloc(out_len, sizeof(unsigned char));
+ unsigned char result_msg[] = {'m'};
+ int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+ assert_int_equal(r, 1);
+ assert_memory_equal(out, result_msg, r);
+ free(out);
+}
+
+static void
+torture_longer_padding(void **state)
+{
+ unsigned int n = 26;
+ unsigned int in_len = 26;
+ unsigned char in[] = {0x00, 0x02,
+ 0x0e, 0x38, 0x97, 0x18, 0x16, 0x57, 0x9e, 0x30, 0xb6, 0xa5, 0x78, 0x13, 0x20, 0xca, 0x11,
+ 0x00,
+ 0x9d, 0x98, 0x3d, 0xca, 0xa9, 0xa7, 0x11, 0x0a};
+ unsigned int out_len = 8;
+ unsigned char *out = calloc(out_len, sizeof(unsigned char));
+ unsigned char result_msg[] = {0x9d, 0x98, 0x3d, 0xca, 0xa9, 0xa7, 0x11, 0x0a};
+ int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+ assert_int_equal(r, 8);
+ assert_memory_equal(out, result_msg, r);
+ free(out);
+}
+
+static void
+torture_empty_message(void **state)
+{
+ unsigned int n = 18;
+ unsigned int in_len = 18;
+ unsigned char in[] = {0x00, 0x02,
+ 0x0e, 0x38, 0x97, 0x18, 0x16, 0x57, 0x9e, 0x30, 0xb6, 0xa5, 0x78, 0x13, 0x20, 0xca, 0x11,
+ 0x00};
+ unsigned int out_len = 8;
+ unsigned char *out = calloc(out_len, sizeof(unsigned char));
+ int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+ assert_int_equal(r, 0);
+ free(out);
+}
+
+int
+main(void)
+{
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test(torture_long_output_buffer),
+ cmocka_unit_test(torture_short_output_buffer),
+ cmocka_unit_test(torture_short_message_correct_padding),
+ cmocka_unit_test(torture_missing_first_zero),
+ cmocka_unit_test(torture_missing_two),
+ cmocka_unit_test(torture_short_padding),
+ cmocka_unit_test(torture_missing_second_zero),
+ cmocka_unit_test(torture_missing_message),
+ cmocka_unit_test(torture_one_byte_message),
+ cmocka_unit_test(torture_longer_padding),
+ cmocka_unit_test(torture_empty_message)};
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/libopensc/pkcs15-sec.c b/src/libopensc/pkcs15-sec.c
index a019af460f..f7ee819d65 100644
--- a/src/libopensc/pkcs15-sec.c
+++ b/src/libopensc/pkcs15-sec.c
@@ -286,12 +286,14 @@ int sc_pkcs15_decipher(struct sc_pkcs15_
@@ -308,9 +308,10 @@ int sc_pkcs15_decipher(struct sc_pkcs15_
/* Strip any padding */
if (pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) {
@ -323,7 +595,12 @@ index a019af460f..f7ee819d65 100644
+ r = sc_pkcs1_strip_02_padding_constant_time(ctx, key_size / 8, out, s, out, &s);
+ /* for keeping PKCS#1 v1.5 depadding constant-time, do not log error here */
}
#ifdef ENABLE_OPENSSL
if (pad_flags & SC_ALGORITHM_RSA_PAD_OAEP)
@@ -332,7 +333,8 @@ int sc_pkcs15_decipher(struct sc_pkcs15_
LOG_TEST_RET(ctx, r, "Invalid OAEP padding");
}
#endif
- LOG_FUNC_RETURN(ctx, r);
+ /* do not log error code to prevent side channel attack */
+ return r;
@ -343,7 +620,7 @@ index f75a3dbaec..632681df63 100644
#include "config.h"
#include <stdlib.h>
#include <string.h>
@@ -4174,7 +4175,8 @@ pkcs15_prkey_decrypt(struct sc_pkcs11_se
@@ -4395,7 +4396,8 @@ pkcs15_prkey_decrypt(struct sc_pkcs11_se
struct pkcs15_fw_data *fw_data = NULL;
struct pkcs15_prkey_object *prkey;
unsigned char decrypted[512]; /* FIXME: Will not work for keys above 4096 bits */
@ -351,11 +628,11 @@ index f75a3dbaec..632681df63 100644
+ int rv, flags = 0, prkey_has_path = 0;
+ CK_ULONG mask, good, rv_pkcs11;
sc_log(context, "Initiating decryption.");
@@ -4246,27 +4248,54 @@ pkcs15_prkey_decrypt(struct sc_pkcs11_se
if (pulDataLen == NULL) {
/* This is call from the C_DecyptInit function */
@@ -4484,27 +4486,53 @@ pkcs15_prkey_decrypt(struct sc_pkcs11_se
rv = sc_pkcs15_decipher(fw_data->p15_card, prkey->prv_p15obj, flags,
pEncryptedData, ulEncryptedDataLen, decrypted, sizeof(decrypted));
pEncryptedData, ulEncryptedDataLen, decrypted, sizeof(decrypted), pMechanism);
- if (rv < 0 && !sc_pkcs11_conf.lock_login && !prkey_has_path)
+ /* skip for PKCS#1 v1.5 padding prevent side channel attack */
@ -363,7 +640,7 @@ index f75a3dbaec..632681df63 100644
+ rv < 0 && !sc_pkcs11_conf.lock_login && !prkey_has_path)
if (reselect_app_df(fw_data->p15_card) == SC_SUCCESS)
rv = sc_pkcs15_decipher(fw_data->p15_card, prkey->prv_p15obj, flags,
pEncryptedData, ulEncryptedDataLen, decrypted, sizeof(decrypted));
pEncryptedData, ulEncryptedDataLen, decrypted, sizeof(decrypted), pMechanism);
sc_unlock(p11card->card);
@ -371,8 +648,8 @@ index f75a3dbaec..632681df63 100644
+ sc_log(context, "Decryption complete.");
- if (rv < 0)
- return sc_to_cryptoki_error(rv, "C_Decrypt");
+ /* Handle following code in constant-time
return sc_to_cryptoki_error(rv, "C_Decrypt");
+ * to prevent Marvin attack for PKCS#1 v1.5 padding. */
- buff_too_small = (*pulDataLen < (CK_ULONG)rv);
@ -382,13 +659,12 @@ index f75a3dbaec..632681df63 100644
- if (buff_too_small)
- return CKR_BUFFER_TOO_SMALL;
- memcpy(pData, decrypted, *pulDataLen);
-
- return CKR_OK;
+ /* only padding error must be handled in constant-time way,
+ * other error can be returned straight away */
+ if ((~constant_time_eq_i(rv, SC_ERROR_WRONG_PADDING) & constant_time_lt_s(sizeof(decrypted), (size_t)rv)))
+ return sc_to_cryptoki_error(rv, "C_Decrypt");
+
- return CKR_OK;
+ /* check rv for padding error */
+ good = ~constant_time_eq_i(rv, SC_ERROR_WRONG_PADDING);
+ rv_pkcs11 = sc_to_cryptoki_error(SC_ERROR_WRONG_PADDING, "C_Decrypt");
@ -418,7 +694,8 @@ index f75a3dbaec..632681df63 100644
+ /* do not log error code to prevent side channel attack */
+ return rv_pkcs11;
}
diff --git a/src/pkcs11/mechanism.c b/src/pkcs11/mechanism.c
index 03495265a4..d3f0434231 100644
@ -443,23 +720,86 @@ index 03495265a4..d3f0434231 100644
session_stop_operation(session, SC_PKCS11_OPERATION_DECRYPT);
return rv;
@@ -1110,10 +1113,12 @@ sc_pkcs11_decr_update(struct sc_pkcs11_s
rv = op->type->decrypt_update(op, pEncryptedData, ulEncryptedDataLen,
pData, pulDataLen);
- /* terminate session for any error except CKR_BUFFER_TOO_SMALL */
- if (rv != CKR_OK && rv != CKR_BUFFER_TOO_SMALL)
+ /* terminate session for any return value except CKR_BUFFER_TOO_SMALL,
+ * perform check in time side-channel free way to prevent Marvin attack */
+ if (~constant_time_eq_s(rv, CKR_OK) & ~constant_time_eq_s(rv, CKR_BUFFER_TOO_SMALL))
session_stop_operation(session, SC_PKCS11_OPERATION_DECRYPT);
- LOG_FUNC_RETURN(context, (int)rv);
+ /* do not log error code to prevent side channel attack */
+ return rv;
}
CK_RV
@@ -1530,6 +1535,10 @@ sc_pkcs11_decrypt(sc_pkcs11_operation_t
if (pulDataLen)
*pulDataLen = ulDataLen;
+ /* Skip DecryptFinalize for PKCS#1 v1.5 padding to prevent time side-channel leakage */
+ if (((CK_MECHANISM_PTR)&operation->mechanism)->mechanism == CKM_RSA_PKCS)
+ return rv;
+
if (rv != CKR_OK)
return rv;
diff --git a/src/pkcs11/pkcs11-object.c b/src/pkcs11/pkcs11-object.c
index f04c0b4c56..b023911213 100644
--- a/src/pkcs11/pkcs11-object.c
+++ b/src/pkcs11/pkcs11-object.c
@@ -926,7 +926,8 @@ CK_RV C_Decrypt(CK_SESSION_HANDLE hSessi
@@ -1034,7 +1034,8 @@ C_Decrypt(CK_SESSION_HANDLE hSession, /* the session's handle */
rv = reset_login_state(session->slot, rv);
}
- sc_log(context, "C_Decrypt() = %s", lookup_enum ( RV_T, rv ));
- SC_LOG_RV("C_Decrypt() = %s", rv);
+ /* do not log error code to prevent side channel attack */
+ sc_log(context, "C_Decrypt() finished");
+ SC_LOG("C_Decrypt()");
sc_pkcs11_unlock();
return rv;
}
@@ -1058,7 +1059,8 @@ C_DecryptUpdate(CK_SESSION_HANDLE hSession, /* the session's handle */
rv = sc_pkcs11_decr_update(session, pEncryptedPart, ulEncryptedPartLen,
pPart, pulPartLen);
- SC_LOG_RV("C_DecryptUpdate() = %s", rv);
+ /* do not log error code to prevent side channel attack */
+ SC_LOG("C_DecryptUpdate()");
sc_pkcs11_unlock();
return rv;
}
@@ -1086,7 +1088,8 @@ C_DecryptFinal(CK_SESSION_HANDLE hSession, /* the session's handle */
rv = reset_login_state(session->slot, rv);
}
- SC_LOG_RV("C_DecryptFinal() = %s", rv);
+ /* do not log error code to prevent side channel attack */
+ SC_LOG("C_DecryptFinal()");
sc_pkcs11_unlock();
return rv;
}
diff --git a/src/pkcs11/sc-pkcs11.h b/src/pkcs11/sc-pkcs11.h
index 66dfcdde67..510017ed2a 100644
--- a/src/pkcs11/sc-pkcs11.h
+++ b/src/pkcs11/sc-pkcs11.h
@@ -246,6 +246,11 @@ do {\
}\
} while(0)
+#define SC_LOG(fmt) \
+ do { \
+ sc_log(context, (fmt)); \
+ } while (0)
+
/* Debug virtual slots. S is slot to be highlighted or NULL
* C is a comment format string and args It will be preceded by "VSS " */
#define DEBUG_VSS(S, ...) do { sc_log(context,"VSS " __VA_ARGS__); _debug_virtual_slots(S); } while (0)
diff --git a/src/pkcs11/misc.c b/src/pkcs11/misc.c
index 5ca1176b1d..1d893d6181 100644
@ -482,4 +822,3 @@ index 5ca1176b1d..1d893d6181 100644
slot->login_user = -1;
pop_all_login_states(slot);
}

99
SOURCES/opensc-0.23.0-myeid-sym.patch Normal file
View File

@ -0,0 +1,99 @@
From cde2e050ec4f2f1b7db38429aa4e9c0f4656308c Mon Sep 17 00:00:00 2001
From: Peter Popovec <popovec.peter@gmail.com>
Date: Wed, 26 Apr 2023 13:22:09 +0200
Subject: [PATCH] NULL pointer fix
Thanks to the clang analyzer:
Null pointer passed to 2nd parameter expecting 'nonnull'
[clang-analyzer-core.NonNullParamChecker]
modified: src/libopensc/card-myeid.c
---
src/libopensc/card-myeid.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/libopensc/card-myeid.c b/src/libopensc/card-myeid.c
index 31dd209f3..951c179f1 100644
--- a/src/libopensc/card-myeid.c
+++ b/src/libopensc/card-myeid.c
@@ -1973,6 +1973,9 @@ myeid_enc_dec_sym(struct sc_card *card, const u8 *data, size_t datalen,
return_len = block_size - pad_byte;
}
*outlen = return_len;
+ /* application can request buffer size or actual buffer size is too small */
+ if (out == NULL)
+ LOG_FUNC_RETURN(ctx, SC_SUCCESS);
if (return_len > *outlen)
LOG_FUNC_RETURN(ctx, SC_ERROR_BUFFER_TOO_SMALL);
memcpy(out, priv->sym_plain_buffer, return_len);
@@ -2042,10 +2045,11 @@ myeid_enc_dec_sym(struct sc_card *card, const u8 *data, size_t datalen,
priv->sym_crypt_buffer_len = 0;
rest_len = 0;
}
- memcpy(sdata, data, apdu_datalen);
- data += apdu_datalen;
- datalen -= apdu_datalen;
-
+ if (data) {
+ memcpy(sdata, data, apdu_datalen);
+ data += apdu_datalen;
+ datalen -= apdu_datalen;
+ }
r = sc_transmit_apdu(card, &apdu);
LOG_TEST_RET(ctx, r, "APDU transmit failed");
r = sc_check_sw(card, apdu.sw1, apdu.sw2);
@@ -2084,7 +2088,8 @@ myeid_enc_dec_sym(struct sc_card *card, const u8 *data, size_t datalen,
/* save rest of data for next run */
priv->sym_crypt_buffer_len = datalen;
sc_log(ctx, "rest data len = %zu", datalen);
- memcpy(priv->sym_crypt_buffer, data, datalen);
+ if (data)
+ memcpy(priv->sym_crypt_buffer, data, datalen);
sc_log(ctx, "return data len = %zu", return_len);
*outlen = return_len;
return SC_SUCCESS;
--
2.41.0
From f1993dc4e0b33050b8f72a3558ee88b24c4063b2 Mon Sep 17 00:00:00 2001
From: Peter Popovec <popovec.peter@gmail.com>
Date: Tue, 27 Jun 2023 09:50:42 +0200
Subject: [PATCH] myeid: fixed CID 380538 Out-of-bounds read (OVERRUN)
also fixes output buffer size checking
---
src/libopensc/card-myeid.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/libopensc/card-myeid.c b/src/libopensc/card-myeid.c
index 4ee424684..50e78ff1d 100644
--- a/src/libopensc/card-myeid.c
+++ b/src/libopensc/card-myeid.c
@@ -1986,18 +1986,20 @@ myeid_enc_dec_sym(struct sc_card *card, const u8 *data, size_t datalen,
sc_log(ctx, "Found padding byte %02x", pad_byte);
if (pad_byte == 0 || pad_byte > block_size)
LOG_FUNC_RETURN(ctx, SC_ERROR_WRONG_PADDING);
- sdata = priv->sym_plain_buffer + block_size - pad_byte;
+ sdata = priv->sym_plain_buffer + block_size;
for (i = 0; i < pad_byte; i++)
- if (sdata[i] != pad_byte)
+ if (*(--sdata) != pad_byte)
LOG_FUNC_RETURN(ctx, SC_ERROR_WRONG_PADDING);
return_len = block_size - pad_byte;
}
- *outlen = return_len;
/* application can request buffer size or actual buffer size is too small */
- if (out == NULL)
+ if (out == NULL) {
+ *outlen = return_len;
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
+ }
if (return_len > *outlen)
LOG_FUNC_RETURN(ctx, SC_ERROR_BUFFER_TOO_SMALL);
+ *outlen = return_len;
memcpy(out, priv->sym_plain_buffer, return_len);
sc_log(ctx, "C_DecryptFinal %zu bytes", *outlen);
return SC_SUCCESS;
--
2.41.0

225
SOURCES/opensc-0.23.0-openpgp.patch Normal file
View File

@ -0,0 +1,225 @@
From 3b580b6fff9ac463ecc6e996cfaf573f62749368 Mon Sep 17 00:00:00 2001
From: Frank Morgner <frankmorgner@gmail.com>
Date: Fri, 14 Apr 2023 12:02:54 +0200
Subject: [PATCH 1/2] openpgp: identify OpenPGP compliance with bcd_version
rather than card type
---
src/libopensc/card-openpgp.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
index fad32f0ce7..2ea5dc9d36 100644
--- a/src/libopensc/card-openpgp.c
+++ b/src/libopensc/card-openpgp.c
@@ -1780,13 +1780,18 @@ pgp_get_pubkey_pem(sc_card_t *card, unsigned int tag, u8 *buf, size_t buf_len)
* p1: number of an instance (DO 7F21: 0x00 for AUT, 0x01 for DEC and 0x02 for SIG)
*/
static int
-pgp_select_data(sc_card_t *card, u8 p1){
+pgp_select_data(sc_card_t *card, u8 p1)
+{
sc_apdu_t apdu;
u8 apdu_data[6];
int r;
+ struct pgp_priv_data *priv = DRVDATA(card);
LOG_FUNC_CALLED(card->ctx);
+ if (priv->bcd_version < OPENPGP_CARD_3_0)
+ LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_SUPPORTED);
+
sc_log(card->ctx, "select data with: %u", p1);
// create apdu data (taken from spec: SELECT DATA 7.2.5.)
@@ -2179,8 +2184,7 @@ pgp_set_security_env(sc_card_t *card,
/* The SC_SEC_ENV_ALG_PRESENT is set always so let it pass for GNUK */
if ((env->flags & SC_SEC_ENV_ALG_PRESENT)
&& (env->algorithm != SC_ALGORITHM_RSA)
- && (priv->bcd_version < OPENPGP_CARD_3_0)
- && (card->type != SC_CARD_TYPE_OPENPGP_GNUK))
+ && (priv->bcd_version < OPENPGP_CARD_3_0))
LOG_TEST_RET(card->ctx, SC_ERROR_INVALID_ARGUMENTS,
"only RSA algorithm supported");
@@ -2944,13 +2948,13 @@ pgp_update_card_algorithms(sc_card_t *card, sc_cardctl_openpgp_keygen_info_t *ke
{
sc_algorithm_info_t *algo;
u8 id = key_info->key_id;
+ struct pgp_priv_data *priv = DRVDATA(card);
LOG_FUNC_CALLED(card->ctx);
/* protect incompatible cards against non-RSA */
if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA
- && card->type < SC_CARD_TYPE_OPENPGP_V3
- && card->type != SC_CARD_TYPE_OPENPGP_GNUK)
+ && priv->bcd_version < OPENPGP_CARD_3_0)
LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_SUPPORTED);
if (id > card->algorithm_count) {
@@ -2992,13 +2996,13 @@ pgp_gen_key(sc_card_t *card, sc_cardctl_openpgp_keygen_info_t *key_info)
size_t apdu_le;
size_t resplen = 0;
int r = SC_SUCCESS;
+ struct pgp_priv_data *priv = DRVDATA(card);
LOG_FUNC_CALLED(card->ctx);
/* protect incompatible cards against non-RSA */
if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA
- && card->type < SC_CARD_TYPE_OPENPGP_V3
- && card->type != SC_CARD_TYPE_OPENPGP_GNUK)
+ && priv->bcd_version < OPENPGP_CARD_3_0)
LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_SUPPORTED);
if (key_info->algorithm == SC_OPENPGP_KEYALGO_EDDSA
&& card->type != SC_CARD_TYPE_OPENPGP_GNUK)
@@ -3358,13 +3362,13 @@ pgp_store_key(sc_card_t *card, sc_cardctl_openpgp_keystore_info_t *key_info)
u8 *data = NULL;
size_t len = 0;
int r;
+ struct pgp_priv_data *priv = DRVDATA(card);
LOG_FUNC_CALLED(card->ctx);
/* protect incompatible cards against non-RSA */
if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA
- && card->type < SC_CARD_TYPE_OPENPGP_V3
- && card->type != SC_CARD_TYPE_OPENPGP_GNUK)
+ && priv->bcd_version < OPENPGP_CARD_3_0)
LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_SUPPORTED);
/* Validate */
From 9eccc1494d8303ffe42beb772732df218875e3ac Mon Sep 17 00:00:00 2001
From: Frank Morgner <frankmorgner@gmail.com>
Date: Fri, 14 Apr 2023 12:09:55 +0200
Subject: [PATCH 2/2] openpgp: ignore errors on SELECT DATA for OpenPGP 2 and
below
fixes https://github.com/OpenSC/OpenSC/issues/2752
---
src/libopensc/pkcs15-openpgp.c | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/src/libopensc/pkcs15-openpgp.c b/src/libopensc/pkcs15-openpgp.c
index e2f3442238..9d3fd746a0 100644
--- a/src/libopensc/pkcs15-openpgp.c
+++ b/src/libopensc/pkcs15-openpgp.c
@@ -556,14 +556,9 @@ sc_pkcs15emu_openpgp_init(sc_pkcs15_card_t *p15card)
memset(&cert_info, 0, sizeof(cert_info));
memset(&cert_obj, 0, sizeof(cert_obj));
- /* only try to SELECT DATA for OpenPGP >= v3 */
- if (card->type >= SC_CARD_TYPE_OPENPGP_V3) {
- r = sc_card_ctl(card, SC_CARDCTL_OPENPGP_SELECT_DATA, &i);
- if (r < 0) {
- free(buffer);
- LOG_TEST_RET(card->ctx, r, "Failed OpenPGP - select data");
- }
- }
+ /* try to SELECT DATA. Will only work for OpenPGP >= v3, errors are non-critical */
+ sc_card_ctl(card, SC_CARDCTL_OPENPGP_SELECT_DATA, &i);
+
sc_format_path(certs[i].path, &cert_info.path);
/* Certificate ID. We use the same ID as the authentication key */
commit e8fba322a2f4d06ec5c74fe80f9e2b0e9fdefec6
Author: Jakub Jelen <jjelen@redhat.com>
Date: Fri May 19 16:49:00 2023 +0200
openpgp: Fix fingerprint calculation
fixes https://github.com/OpenSC/OpenSC/issues/2775
diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
index cc454cef..496e38e6 100644
--- a/src/libopensc/card-openpgp.c
+++ b/src/libopensc/card-openpgp.c
@@ -2697,15 +2697,23 @@ pgp_calculate_and_store_fingerprint(sc_card_t *card, time_t ctime,
/* RSA */
if (key_info->algorithm == SC_OPENPGP_KEYALGO_RSA) {
+ unsigned short bytes_length = 0;
+
*p = 1; /* Algorithm ID, RSA */
p += 1;
+
+ /* Modulus */
+ bytes_length = BYTES4BITS(key_info->u.rsa.modulus_len);
ushort2bebytes(p, (unsigned short)key_info->u.rsa.modulus_len);
p += 2;
- memcpy(p, key_info->u.rsa.modulus, (BYTES4BITS(key_info->u.rsa.modulus_len)));
- p += (key_info->u.rsa.modulus_len >> 3);
- ushort2bebytes(++p, (unsigned short)key_info->u.rsa.exponent_len);
+ memcpy(p, key_info->u.rsa.modulus, bytes_length);
+ p += bytes_length;
+
+ /* Exponent */
+ bytes_length = BYTES4BITS(key_info->u.rsa.exponent_len);
+ ushort2bebytes(p, (unsigned short)key_info->u.rsa.exponent_len);
p += 2;
- memcpy(p, key_info->u.rsa.exponent, (BYTES4BITS(key_info->u.rsa.exponent_len)));
+ memcpy(p, key_info->u.rsa.exponent, bytes_length);
}
/* ECC */
else if (key_info->algorithm == SC_OPENPGP_KEYALGO_ECDH
commit 891f10e49de1a5ee038b1cb2fb59dce40429e6c2
Author: Jakub Jelen <jjelen@redhat.com>
Date: Fri May 19 17:53:35 2023 +0200
openpgp: Fix modulus length calculation in pkc15init layer
diff --git a/src/libopensc/pkcs15.h b/src/libopensc/pkcs15.h
index 5a0a19c5..ba685a30 100644
--- a/src/libopensc/pkcs15.h
+++ b/src/libopensc/pkcs15.h
@@ -373,7 +373,7 @@ struct sc_pkcs15_prkey_info {
unsigned int usage, access_flags;
int native, key_reference;
/* convert to union if other types are supported */
- size_t modulus_length; /* RSA */
+ size_t modulus_length; /* RSA, in bits */
size_t field_length; /* EC in bits */
unsigned int algo_refs[SC_MAX_SUPPORTED_ALGORITHMS];
diff --git a/src/pkcs15init/pkcs15-openpgp.c b/src/pkcs15init/pkcs15-openpgp.c
index c75bcbda..3e060be5 100644
--- a/src/pkcs15init/pkcs15-openpgp.c
+++ b/src/pkcs15init/pkcs15-openpgp.c
@@ -235,7 +235,7 @@ static int openpgp_generate_key_rsa(sc_card_t *card, sc_pkcs15_object_t *obj,
/* Prepare buffer */
key_info.u.rsa.modulus_len = required->modulus_length;
- key_info.u.rsa.modulus = calloc(required->modulus_length >> 3, 1);
+ key_info.u.rsa.modulus = calloc(BYTES4BITS(required->modulus_length), 1);
if (key_info.u.rsa.modulus == NULL)
LOG_FUNC_RETURN(ctx, SC_ERROR_NOT_ENOUGH_MEMORY);
@@ -252,18 +252,18 @@ static int openpgp_generate_key_rsa(sc_card_t *card, sc_pkcs15_object_t *obj,
pubkey->algorithm = SC_ALGORITHM_RSA;
sc_log(ctx, "Set output modulus info");
- pubkey->u.rsa.modulus.len = key_info.u.rsa.modulus_len;
- pubkey->u.rsa.modulus.data = calloc(key_info.u.rsa.modulus_len, 1);
+ pubkey->u.rsa.modulus.len = BYTES4BITS(key_info.u.rsa.modulus_len);
+ pubkey->u.rsa.modulus.data = calloc(pubkey->u.rsa.modulus.len, 1);
if (pubkey->u.rsa.modulus.data == NULL)
goto err;
- memcpy(pubkey->u.rsa.modulus.data, key_info.u.rsa.modulus, key_info.u.rsa.modulus_len);
+ memcpy(pubkey->u.rsa.modulus.data, key_info.u.rsa.modulus, BYTES4BITS(key_info.u.rsa.modulus_len));
sc_log(ctx, "Set output exponent info");
- pubkey->u.rsa.exponent.len = key_info.u.rsa.exponent_len;
- pubkey->u.rsa.exponent.data = calloc(BYTES4BITS(key_info.u.rsa.exponent_len), 1);
+ pubkey->u.rsa.exponent.len = BYTES4BITS(key_info.u.rsa.exponent_len);
+ pubkey->u.rsa.exponent.data = calloc(pubkey->u.rsa.exponent.len, 1);
if (pubkey->u.rsa.exponent.data == NULL)
goto err;
- memcpy(pubkey->u.rsa.exponent.data, key_info.u.rsa.exponent, BYTES4BITS(key_info.u.rsa.exponent_len));
+ memcpy(pubkey->u.rsa.exponent.data, key_info.u.rsa.exponent, pubkey->u.rsa.exponent.len);
err:
free(key_info.u.rsa.modulus);

3047
SOURCES/opensc-0.23.0-openssl-ctx.patch Normal file
View File

File diff suppressed because it is too large Load Diff

212
SOURCES/opensc-0.23.0-pkcs11-tool-import.patch Normal file
View File

@ -0,0 +1,212 @@
From 99f7b82f187ca3512ceae6270c391243d018fdac Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 1 Dec 2022 20:08:53 +0100
Subject: [PATCH 1/4] pkcs11-tool: Fix private key import
---
src/tools/pkcs11-tool.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
index aae205fe2c..cfee8526d5 100644
--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
@@ -3669,13 +3669,13 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
RSA_get0_factors(r, &r_p, &r_q);
RSA_get0_crt_params(r, &r_dmp1, &r_dmq1, &r_iqmp);
#else
- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_d) != 1 ||
+ if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, &r_d) != 1 ||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_p) != 1 ||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||
- EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT3, &r_iqmp) != 1) {
util_fatal("OpenSSL error during RSA private key parsing");
+ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {
}
#endif
RSA_GET_BN(rsa, private_exponent, r_d);
From 4a6e1d1dcd18757502027b1c5d2fb2cbaca28407 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 1 Dec 2022 20:11:41 +0100
Subject: [PATCH 2/4] pkcs11-tool: Log more information on OpenSSL errors
---
src/tools/pkcs11-tool.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
index cfee8526d5..f2e6b1dd91 100644
--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
@@ -3641,10 +3641,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
const BIGNUM *r_dmp1, *r_dmq1, *r_iqmp;
r = EVP_PKEY_get1_RSA(pkey);
if (!r) {
- if (private)
- util_fatal("OpenSSL error during RSA private key parsing");
- else
- util_fatal("OpenSSL error during RSA public key parsing");
+ util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public",
+ ERR_error_string(ERR_peek_last_error(), NULL));
}
RSA_get0_key(r, &r_n, &r_e, NULL);
@@ -3654,10 +3652,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
BIGNUM *r_dmp1 = NULL, *r_dmq1 = NULL, *r_iqmp = NULL;
if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &r_n) != 1 ||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &r_e) != 1) {
- if (private)
- util_fatal("OpenSSL error during RSA private key parsing");
- else
- util_fatal("OpenSSL error during RSA public key parsing");
+ util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public",
+ ERR_error_string(ERR_peek_last_error(), NULL));
}
#endif
RSA_GET_BN(rsa, modulus, r_n);
@@ -3674,8 +3670,9 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||
- util_fatal("OpenSSL error during RSA private key parsing");
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {
+ util_fatal("OpenSSL error during RSA private key parsing: %s",
+ ERR_error_string(ERR_peek_last_error(), NULL));
}
#endif
RSA_GET_BN(rsa, private_exponent, r_d);
From 267da3e81f1fc23a9ccce1462ab5deb1a4d4aec5 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 1 Dec 2022 20:38:31 +0100
Subject: [PATCH 3/4] Reproducer for broken pkcs11-tool key import
---
tests/Makefile.am | 10 ++++---
tests/test-pkcs11-tool-import.sh | 48 ++++++++++++++++++++++++++++++++
2 files changed, 54 insertions(+), 4 deletions(-)
create mode 100755 tests/test-pkcs11-tool-import.sh
diff --git a/tests/Makefile.am b/tests/Makefile.am
index d378e2ee00..9d8a24c321 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -14,8 +14,9 @@ dist_noinst_SCRIPTS = common.sh \
test-pkcs11-tool-test-threads.sh \
test-pkcs11-tool-sign-verify.sh \
test-pkcs11-tool-allowed-mechanisms.sh \
- test-pkcs11-tool-sym-crypt-test.sh\
- test-pkcs11-tool-unwrap-wrap-test.sh
+ test-pkcs11-tool-sym-crypt-test.sh \
+ test-pkcs11-tool-unwrap-wrap-test.sh \
+ test-pkcs11-tool-import.sh
.NOTPARALLEL:
TESTS = \
@@ -25,8 +26,9 @@ TESTS = \
test-pkcs11-tool-test.sh \
test-pkcs11-tool-test-threads.sh \
test-pkcs11-tool-allowed-mechanisms.sh \
- test-pkcs11-tool-sym-crypt-test.sh\
- test-pkcs11-tool-unwrap-wrap-test.sh
+ test-pkcs11-tool-sym-crypt-test.sh \
+ test-pkcs11-tool-unwrap-wrap-test.sh \
+ test-pkcs11-tool-import.sh
XFAIL_TESTS = \
test-pkcs11-tool-test-threads.sh \
test-pkcs11-tool-test.sh
diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh
new file mode 100755
index 0000000000..76ff8e51be
--- /dev/null
+++ b/tests/test-pkcs11-tool-import.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+SOURCE_PATH=${SOURCE_PATH:-..}
+
+source $SOURCE_PATH/tests/common.sh
+
+echo "======================================================="
+echo "Setup SoftHSM"
+echo "======================================================="
+if [[ ! -f $P11LIB ]]; then
+ echo "WARNING: The SoftHSM is not installed. Can not run this test"
+ exit 77;
+fi
+card_setup
+
+ID="0100"
+OPTS=""
+for KEYTYPE in "RSA" "EC"; do
+ echo "======================================================="
+ echo "Generate and import $KEYTYPE keys"
+ echo "======================================================="
+ if [ "$KEYTYPE" == "RSA" ]; then
+ ID="0100"
+ elif [ "$KEYTYPE" == "EC" ]; then
+ ID="0200"
+ OPTS="-pkeyopt ec_paramgen_curve:P-521"
+ fi
+ openssl genpkey -out "${KEYTYPE}_private.der" -outform DER -algorithm $KEYTYPE $OPTS
+ assert $? "Failed to generate private $KEYTYPE key"
+ $PKCS11_TOOL --write-object "${KEYTYPE}_private.der" --id "$ID" --type privkey \
+ --label "$KEYTYPE" -p "$PIN" --module "$P11LIB"
+ assert $? "Failed to write private $KEYTYPE key"
+
+ openssl pkey -in "${KEYTYPE}_private.der" -out "${KEYTYPE}_public.der" -pubout -inform DER -outform DER
+ assert $? "Failed to convert private $KEYTYPE key to public"
+ $PKCS11_TOOL --write-object "${KEYTYPE}_public.der" --id "$ID" --type pubkey --label "$KEYTYPE" \
+ -p $PIN --module $P11LIB
+ assert $? "Failed to write public $KEYTYPE key"
+ # certificate import already tested in all other tests
+
+ rm "${KEYTYPE}_private.der" "${KEYTYPE}_public.der"
+done
+
+echo "======================================================="
+echo "Cleanup"
+echo "======================================================="
+card_cleanup
+
+exit $ERRORS
From 63a7bceeca43ece1eee201ef7a974b20b294ba4e Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jakuje@gmail.com>
Date: Fri, 2 Dec 2022 18:07:43 +0100
Subject: [PATCH 4/4] Simplify the new test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Veronika Hanulíková <61348757+xhanulik@users.noreply.github.com>
---
tests/test-pkcs11-tool-import.sh | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh
index 76ff8e51be..c90b3b4926 100755
--- a/tests/test-pkcs11-tool-import.sh
+++ b/tests/test-pkcs11-tool-import.sh
@@ -12,15 +12,13 @@ if [[ ! -f $P11LIB ]]; then
fi
card_setup
-ID="0100"
-OPTS=""
for KEYTYPE in "RSA" "EC"; do
echo "======================================================="
echo "Generate and import $KEYTYPE keys"
echo "======================================================="
- if [ "$KEYTYPE" == "RSA" ]; then
- ID="0100"
- elif [ "$KEYTYPE" == "EC" ]; then
+ ID="0100"
+ OPTS=""
+ if [ "$KEYTYPE" == "EC" ]; then
ID="0200"
OPTS="-pkeyopt ec_paramgen_curve:P-521"
fi

161
SOURCES/opensc-0.23.0-pkcs15init.patch
View File

@ -343,6 +343,115 @@ index 70a28048b..1eeeda064 100644
--
2.42.0
From 609164045facaeae193feb48d9c2fc5cc4321e8a Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 16 Nov 2023 09:55:47 +0100
Subject: [PATCH] epass2003: Avoid heap buffer overflow
Removes also needless malloc & memcpy instead of returning the first
allocated buffer.
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64215
---
src/libopensc/card-epass2003.c | 30 +++++++++++++++---------------
src/libopensc/cardctl.h | 1 +
src/pkcs15init/pkcs15-epass2003.c | 7 ++++---
3 files changed, 20 insertions(+), 18 deletions(-)
diff --git a/src/libopensc/card-epass2003.c b/src/libopensc/card-epass2003.c
index ed2ec649b..76ba339e6 100644
--- a/src/libopensc/card-epass2003.c
+++ b/src/libopensc/card-epass2003.c
@@ -3082,11 +3082,21 @@ epass2003_gen_key(struct sc_card *card, sc_epass2003_gen_key_data * data)
if (len < apdu.resplen)
LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_ARGUMENTS);
- if(256 == len)
+ if(256 == len) /* ECC 256 bit */
{
- int xCoordinateLen = rbuf[1];
- int yCoordinateLen = rbuf[2+xCoordinateLen+1];
- unsigned char * tmp =(u8 *)malloc(xCoordinateLen + yCoordinateLen);
+ size_t xCoordinateLen = rbuf[1];
+ size_t yCoordinateLen;
+ unsigned char *tmp;
+
+ if (2 + xCoordinateLen + 1 >= apdu.resplen) {
+ LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_DATA);
+ }
+ yCoordinateLen = rbuf[2 + xCoordinateLen + 1];
+ if (2 + xCoordinateLen + 2 + yCoordinateLen >= apdu.resplen) {
+ LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_DATA);
+ }
+ data->modulus_len = xCoordinateLen + yCoordinateLen;
+ tmp = (u8 *)malloc(data->modulus_len);
if(!tmp)
{
LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
@@ -3109,17 +3119,7 @@ epass2003_gen_key(struct sc_card *card, sc_epass2003_gen_key_data * data)
LOG_FUNC_RETURN(card->ctx, SC_ERROR_OBJECT_NOT_VALID);
}
- data->modulus = (u8 *) malloc(xCoordinateLen + yCoordinateLen);
- if (!data->modulus)
- {
- free(tmp);
- LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
- }
- else
- {
- memcpy(data->modulus, tmp, xCoordinateLen+yCoordinateLen);
- free(tmp);
- }
+ data->modulus = tmp;
}
else
{
diff --git a/src/libopensc/cardctl.h b/src/libopensc/cardctl.h
index 9ce90ec15..acefbee5c 100644
--- a/src/libopensc/cardctl.h
+++ b/src/libopensc/cardctl.h
@@ -833,6 +833,7 @@ typedef struct sc_epass2003_gen_key_data_st {
int pukey_id;
size_t key_length;
u8 *modulus;
+ int modulus_len;
} sc_epass2003_gen_key_data;
diff --git a/src/pkcs15init/pkcs15-epass2003.c b/src/pkcs15init/pkcs15-epass2003.c
index b9b9a1156..92bf46895 100644
--- a/src/pkcs15init/pkcs15-epass2003.c
+++ b/src/pkcs15init/pkcs15-epass2003.c
@@ -638,10 +638,11 @@ static int epass2003_pkcs15_generate_key(struct sc_profile *profile,
gendat.pukey_id = pukf->id;
gendat.key_length = keybits;
gendat.modulus = NULL;
+ gendat.modulus_len = 0;
r = sc_card_ctl(card, SC_CARDCTL_ENTERSAFE_GENERATE_KEY, &gendat);
SC_TEST_GOTO_ERR(card->ctx, SC_LOG_DEBUG_VERBOSE, r,
"generate RSA key pair failed");
-
+
if (!gendat.modulus) {
r = SC_ERROR_OUT_OF_MEMORY;
goto err;
@@ -679,8 +680,8 @@ static int epass2003_pkcs15_generate_key(struct sc_profile *profile,
}
pubkey->u.ec.ecpointQ.value[0] = 0x04;
- memcpy(&pubkey->u.ec.ecpointQ.value[1], gendat.modulus, 64);
- pubkey->u.ec.ecpointQ.len = 65;
+ memcpy(&pubkey->u.ec.ecpointQ.value[1], gendat.modulus, gendat.modulus_len);
+ pubkey->u.ec.ecpointQ.len = gendat.modulus_len;
free(pubkey->u.ec.params.named_curve);
pubkey->u.ec.params.named_curve = NULL;
--
2.42.0
From 8fc2c20c3f895569eeb58328bb882aec07325d3b Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 7 Nov 2023 17:48:27 +0100
@ -853,3 +962,55 @@ index 168894abd..feb9ebe18 100644
--
2.42.0
From b5f6370a35f151497838628f78111087eb8e7ff1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
Date: Wed, 3 May 2023 16:47:44 +0200
Subject: [PATCH] Fix cycling fuzz pkcs11 test
---
src/tests/fuzzing/fuzz_pkcs11.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tests/fuzzing/fuzz_pkcs11.c b/src/tests/fuzzing/fuzz_pkcs11.c
index b2a4c985e..b6e05c9ad 100644
--- a/src/tests/fuzzing/fuzz_pkcs11.c
+++ b/src/tests/fuzzing/fuzz_pkcs11.c
@@ -509,7 +509,7 @@ static void test_verify(const uint8_t *data, size_t size)
memcpy(in_buffer, verify_data, verify_data_size);
p11->C_Verify(session, in_buffer, verify_data_size, sig_buffer, sig_len);
} else {
- while (size > 0) {
+ while (verify_data_size > 0) {
to_process = verify_data_size < sizeof(in_buffer) ? verify_data_size : sizeof(in_buffer);
verify_data_size -= to_process;
memcpy(in_buffer, data, to_process);
--
2.42.0
From ffbff25ec6c6d0ad3f8df76f57210698f7947fc3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
Date: Fri, 11 Aug 2023 09:44:57 +0200
Subject: [PATCH] fuzz_pkcs11.c: Use valid data for verify
Thanks OSS-Fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60971
---
src/tests/fuzzing/fuzz_pkcs11.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tests/fuzzing/fuzz_pkcs11.c b/src/tests/fuzzing/fuzz_pkcs11.c
index b6e05c9ad..fdc163b48 100644
--- a/src/tests/fuzzing/fuzz_pkcs11.c
+++ b/src/tests/fuzzing/fuzz_pkcs11.c
@@ -512,7 +512,7 @@ static void test_verify(const uint8_t *data, size_t size)
while (verify_data_size > 0) {
to_process = verify_data_size < sizeof(in_buffer) ? verify_data_size : sizeof(in_buffer);
verify_data_size -= to_process;
- memcpy(in_buffer, data, to_process);
+ memcpy(in_buffer, verify_data, to_process);
verify_data += to_process;
if (p11->C_VerifyUpdate(session, in_buffer, to_process) != CKR_OK)
--
2.42.0

312
SPECS/opensc.spec
View File

@ -2,64 +2,33 @@
%define nssdb %{_sysconfdir}/pki/nssdb
Name: opensc
Version: 0.20.0
Release: 8%{?dist}
Version: 0.23.0
Release: 4%{?dist}
Summary: Smart card library and applications
Group: System Environment/Libraries
License: LGPLv2+
URL: https://github.com/OpenSC/OpenSC/wiki
Source0: https://github.com/OpenSC/OpenSC/releases/download/%{version}/%{name}-%{version}.tar.gz
Source1: opensc.module
Patch6: opensc-0.19.0-pinpad.patch
# https://github.com/OpenSC/OpenSC/pull/1772
Patch8: opensc-0.19.0-idprime.patch
# https://github.com/OpenSC/OpenSC/pull/1987
Patch9: opensc-0.20.0-cardos.patch
# https://github.com/OpenSC/OpenSC/pull/2129
Patch10: opensc-0.20.0-cac-pin-change.patch
# https://github.com/OpenSC/OpenSC/commit/6903aebf
Patch11: opensc-0.20.0-CVE-2020-26570.patch
# https://github.com/OpenSC/OpenSC/commit/ed55fcd2
Patch12: opensc-0.20.0-CVE-2020-26571.patch
# https://github.com/OpenSC/OpenSC/commit/9d294de9
Patch13: opensc-0.20.0-CVE-2020-26572.patch
# https://github.com/OpenSC/OpenSC/commit/8d4af9eb
Patch14: opensc-0.20.0-label-padding.patch
# https://github.com/OpenSC/OpenSC/commit/f1bcadfb
# https://github.com/OpenSC/OpenSC/pull/2166
Patch15: opensc-0.20.0-calloc0.patch
# https://github.com/OpenSC/OpenSC/pull/2148
# + configuration change by default
Patch16: opensc-0.20.0-file-cache.patch
# https://github.com/OpenSC/OpenSC/pull/1929
Patch17: opensc-0.20.0-idprime.patch
# https://github.com/OpenSC/OpenSC/pull/2787
Patch18: opensc-0.20.0-CVE-2023-2977.patch
# 31d8c2dfd14ed01b430def2f46cc718ef4b595fc
# 8f4a6c703b5ae7d4f44cf33c85330171afa917bf
# https://github.com/OpenSC/OpenSC/pull/1970 without the first and last commits
# https://github.com/OpenSC/OpenSC/pull/1923
# https://github.com/OpenSC/OpenSC/pull/2051
# https://github.com/OpenSC/OpenSC/pull/2077
# https://github.com/OpenSC/OpenSC/pull/2418
# https://github.com/OpenSC/OpenSC/pull/2600
# c2e00e9071952b30ed6d58d9b7670eb3d93ea6fb
# https://github.com/OpenSC/OpenSC/pull/2740
## OpenSC notify build issues
# 5e79a2a4abdd523cfff19824718bbb0d8ced7320
# 843779fe6e0f345f483f9ce9c9739913502391eb
# 7936bdef15c71139a6a6159cabaf9e6101565add
# 1202eceeefd5ffab45648d41ed0a3076cac10920
# 295f399304644e6b0acde267ac410d0aae4a1aee
# ca01aa7a8edc8280a5ceadebb472c2e3c198d8c2
Patch19: opensc-0.20.0-reader-removal.patch
Patch1: opensc-0.19.0-pinpad.patch
# File caching by default (#2000626)
Patch8: %{name}-0.22.0-file-cache.patch
# https://github.com/OpenSC/OpenSC/pull/2656
Patch9: %{name}-0.23.0-pkcs11-tool-import.patch
# https://github.com/OpenSC/OpenSC/pull/2712
Patch10: %{name}-0.23.0-openssl-ctx.patch
# https://github.com/OpenSC/OpenSC/pull/2753
# https://github.com/OpenSC/OpenSC/commit/e8fba322a2f4d06ec5c74fe80f9e2b0e9fdefec6
# https://github.com/OpenSC/OpenSC/commit/891f10e49de1a5ee038b1cb2fb59dce40429e6c2
Patch11: %{name}-0.23.0-openpgp.patch
# https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a
Patch12: %{name}-0.23.0-cardos-pkcs15init.patch
# https://github.com/OpenSC/OpenSC/commit/bff98ff078a99e6864ba1a598fd7dc9af4a9476b
# https://github.com/OpenSC/OpenSC/commit/0875c69295ef28b45fb682b37cede58fc36b7a1a
Patch20: %{name}-0.23.0-cache-offsets.patch
Patch13: %{name}-0.23.0-cache-offsets.patch
# https://github.com/OpenSC/OpenSC/commit/868f76fb31255fd3fdacfc3e476452efeb61c3e7
# https://github.com/OpenSC/OpenSC/commit/80cc5d30635f0d2c92b5099c0f9dc680d0ffce2f
Patch21: %{name}-0.23.0-pin-bypass.patch
Patch14: %{name}-0.23.0-pin-bypass.patch
# https://github.com/OpenSC/OpenSC/commit/245efe608d083fd4e4ec96793fdefd218e26fde7
# https://github.com/OpenSC/OpenSC/commit/440ca666eff10cc7011901252d20f3fc4ea23651
# https://github.com/OpenSC/OpenSC/commit/41d61da8481582e12710b5858f8b635e0a71ab5e
@ -70,32 +39,47 @@ Patch21: %{name}-0.23.0-pin-bypass.patch
# https://github.com/OpenSC/OpenSC/commit/e7f81d86dcdc751f4737f4b29a99bfc54d29c5c9
# https://github.com/OpenSC/OpenSC/commit/df5a176bfdf8c52ba89c7fef1f82f6f3b9312bc1
# https://github.com/OpenSC/OpenSC/commit/578aed8391ef117ca64a9e0cba8e5c264368a0ec
# https://github.com/OpenSC/OpenSC/commit/013a807492568bf9907cfb3df41f130ac83c7b9
# https://github.com/OpenSC/OpenSC/commit/4013a807492568bf9907cfb3df41f130ac83c7b9
# https://github.com/OpenSC/OpenSC/commit/09164045facaeae193feb48d9c2fc5cc4321e8a
# https://github.com/OpenSC/OpenSC/commit/fc2c20c3f895569eeb58328bb882aec07325d3b
# https://github.com/OpenSC/OpenSC/commit/3b9129bd3cfc6ac57d5554e015c3df85f5076dc
# https://github.com/OpenSC/OpenSC/commit/bda61d0d276dc98b9d1d1e6810bbd21d19e3859
# https://github.com/OpenSC/OpenSC/commit/a4921ab23fd0853f327517636c50de947548161
# https://github.com/OpenSC/OpenSC/commit/085994384a7171c5c68f6718d9db10ed77c5af1
# https://github.com/OpenSC/OpenSC/commit/0f0985f6343eeac4044661d56807ee9286db42c
Patch22: %{name}-0.23.0-pkcs15init.patch
# https://github.com/OpenSC/OpenSC/commit/5f6370a35f151497838628f78111087eb8e7ff1
# https://github.com/OpenSC/OpenSC/commit/fbff25ec6c6d0ad3f8df76f57210698f7947fc3
Patch15: %{name}-0.23.0-pkcs15init.patch
# https://github.com/OpenSC/OpenSC/commit/cde2e050ec4f2f1b7db38429aa4e9c0f4656308c
# https://github.com/OpenSC/OpenSC/commit/f1993dc4e0b33050b8f72a3558ee88b24c4063b2
Patch16: %{name}-0.23.0-myeid-sym.patch
# https://github.com/OpenSC/OpenSC/pull/2948
# https://github.com/OpenSC/OpenSC/pull/3016
Patch23: %{name}-0.23.0-constant-time-pkcs1.patch
Patch17: %{name}-0.23.0-constant-time-pkcs1.5.patch
BuildRequires: make
BuildRequires: pcsc-lite-devel
BuildRequires: readline-devel
BuildRequires: openssl-devel
BuildRequires: /usr/bin/xsltproc
BuildRequires: docbook-style-xsl
BuildRequires: autoconf automake libtool gcc
BuildRequires: desktop-file-utils
BuildRequires: bash-completion
BuildRequires: zlib-devel
# For tests
BuildRequires: libcmocka-devel
BuildRequires: vim-common
%if ! 0%{?rhel}
BuildRequires: softhsm
%endif
BuildRequires: openssl
Requires: pcsc-lite-libs%{?_isa}
Requires: pcsc-lite
Obsoletes: mozilla-opensc-signer < 0.12.0
Obsoletes: opensc-devel < 0.12.0
Obsoletes: coolkey <= 1.1.0-36
# The simclist is bundled in upstream
Provides: bundled(simclist) = 1.5
%description
OpenSC provides a set of libraries and utilities to work with smart cards. Its
@ -109,23 +93,17 @@ every software/card that does so, too.
%prep
%setup -q
%patch6 -p1 -b .pinpad
%patch8 -p1 -b .idprime
%patch9 -p1 -b .cardos
%patch10 -p1 -b .cac-pin-change
%patch11 -p1 -b .CVE-2020-26570
%patch12 -p1 -b .CVE-2020-26571
%patch13 -p1 -b .CVE-2020-26572
%patch14 -p1 -b .padding
%patch15 -p1 -b .calloc0
%patch16 -p1 -b .file-cache
%patch17 -p1 -b .idprime
%patch18 -p1 -b .CVE-2023-2977
%patch19 -p1 -b .reader-removal
%patch20 -p1 -b .cache-offsets
%patch21 -p1 -b .pin-bypass
%patch22 -p1 -b .pkcs15init
%patch23 -p1 -b .constant-time-pkcs1.5
%patch1 -p1 -b .pinpad
%patch8 -p1 -b .file-cache
%patch9 -p1 -b .pkcs11-tool-import
%patch10 -p1 -b .ossl3context
%patch11 -p1 -b .openpgp
%patch12 -p1 -b .cardos-pkcs15init
%patch13 -p1 -b .cache-offsets
%patch14 -p1 -b .pin-bypass
%patch15 -p1 -b .pkcs15init
%patch16 -p1 -b .myeid-sym
%patch17 -p1 -b .constant-time-pkcs1
cp -p src/pkcs15init/README ./README.pkcs15init
cp -p src/scconf/README.scconf .
@ -135,25 +113,30 @@ sed -i -e 's|/usr/local/towitoko/lib/|/usr/lib/ctapi/|' etc/opensc.conf.example.
%build
autoreconf -fvi
%ifarch %{ix86} ppc s390
%ifarch %{ix86}
sed -i -e 's/opensc.conf/opensc-%{_arch}.conf/g' src/libopensc/Makefile.in
%endif
sed -i -e 's|"/lib /usr/lib\b|"/%{_lib} %{_libdir}|' configure # lib64 rpaths
%configure --disable-static \
%set_build_flags
CFLAGS="$CFLAGS -Wstrict-aliasing=2 -Wno-deprecated-declarations"
%configure --disable-static \
--disable-autostart-items \
--disable-notify \
--disable-assert \
--enable-pcsc \
--disable-tests \
--enable-sm \
--with-pcsc-provider=libpcsclite.so.1
make %{?_smp_mflags} V=1
--enable-cmocka \
--enable-sm
%make_build
%check
make check
%install
make install DESTDIR=$RPM_BUILD_ROOT
%make_install
install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opensc.module
%ifarch %{ix86} ppc s390
%ifarch %{ix86}
# To avoid multilib issues, move these files on 32b intel architectures
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/opensc.conf
install -Dpm 644 etc/opensc.conf $RPM_BUILD_ROOT%{_sysconfdir}/opensc-%{_arch}.conf
@ -175,51 +158,29 @@ rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/opensc
# public headers and pkgconfig files.
# Remove the symlink as nothing is supposed to link against libopensc.
rm -f $RPM_BUILD_ROOT%{_libdir}/libopensc.so
# remove the .pc file so we do not confuse users #1673139
rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/*.pc
rm -f $RPM_BUILD_ROOT%{_libdir}/libsmm-local.so
%if 0%{?rhel} && 0%{?rhel} < 7
rm -rf %{buildroot}%{_datadir}/bash-completion/
%endif
# the npa-tool builds to nothing since we do not have OpenPACE library
rm -rf %{buildroot}%{_bindir}/npa-tool
rm -rf %{buildroot}%{_mandir}/man1/npa-tool.1*
# We use p11-kit for pkcs11 modules registration
# the pkcs11-register is not applicable to Fedora/RHEL where we use p11-kit
rm -rf %{buildroot}%{_bindir}/pkcs11-register
# It is even missing the manual page
#rm -rf %{buildroot}%{_mandir}/man1/pkcs11-register.1*
rm -rf %{buildroot}%{_mandir}/man1/pkcs11-register.1*
desktop-file-validate %{buildroot}/%{_datadir}/applications/org.opensc.notify.desktop
# Remove the notification files
rm %{buildroot}%{_datadir}/applications/org.opensc.notify.desktop
rm %{buildroot}%{_mandir}/man1/opensc-notify.1*
%post
/sbin/ldconfig
# Remove our PKCS#11 module from NSS DB, if there is NSS installed, because
# it is already loaded by p11-kit-proxy. Using both of them can cause
# race conditions and hard-to-debug problems
# TODO Remove with F30 or so
if [ -x /usr/bin/modutil ]; then
isThere=`modutil -rawlist -dbdir %{nssdb} | grep %{opensc_module} || echo NO`
if [ ! "$isThere" == "NO" ]; then
modutil -delete %{opensc_module} -dbdir %{nssdb} -force || :
fi
isThere=`modutil -rawlist -dbdir sql:%{nssdb} | grep %{opensc_module} || echo NO`
if [ ! "$isThere" == "NO" ]; then
modutil -delete %{opensc_module} -dbdir sql:%{nssdb} -force || :
fi
fi
%postun
/sbin/ldconfig
%files
%doc COPYING NEWS README*
%if ! 0%{?rhel} || 0%{?rhel} >= 7
%{_datadir}/bash-completion/*
%endif
%ifarch %{ix86} ppc s390
%ifarch %{ix86}
%{_mandir}/man5/opensc-%{_arch}.conf.5*
%else
%config(noreplace) %{_sysconfdir}/opensc.conf
@ -227,6 +188,9 @@ fi
%endif
%config(noreplace) %{_sysconfdir}/opensc-%{_arch}.conf
# Co-owned with p11-kit so it is not hard dependency
%dir %{_datadir}/p11-kit
%dir %{_datadir}/p11-kit/modules
%{_datadir}/p11-kit/modules/opensc.module
%{_bindir}/cardos-tool
%{_bindir}/cryptoflex-tool
@ -238,7 +202,6 @@ fi
%{_bindir}/opensc-explorer
%{_bindir}/opensc-tool
%{_bindir}/opensc-asn1
%{_bindir}/opensc-notify
%{_bindir}/piv-tool
%{_bindir}/pkcs11-tool
%{_bindir}/pkcs15-crypt
@ -248,13 +211,11 @@ fi
%{_bindir}/dnie-tool
%{_bindir}/westcos-tool
%{_bindir}/egk-tool
%{_datadir}/applications/org.opensc.notify.desktop
%{_bindir}/goid-tool
%{_libdir}/lib*.so.*
%{_libdir}/opensc-pkcs11.so
%{_libdir}/pkcs11-spy.so
%{_libdir}/onepin-opensc-pkcs11.so
%{_libdir}/pkgconfig/*.pc
%%dir %{_libdir}/pkcs11
%{_libdir}/pkcs11/opensc-pkcs11.so
%{_libdir}/pkcs11/onepin-opensc-pkcs11.so
@ -264,13 +225,13 @@ fi
%{_mandir}/man1/cryptoflex-tool.1*
%{_mandir}/man1/eidenv.1*
%{_mandir}/man1/gids-tool.1*
%{_mandir}/man1/goid-tool.1*
%{_mandir}/man1/iasecc-tool.1*
%{_mandir}/man1/netkey-tool.1*
%{_mandir}/man1/openpgp-tool.1*
%{_mandir}/man1/opensc-explorer.*
%{_mandir}/man1/opensc-tool.1*
%{_mandir}/man1/opensc-asn1.1*
%{_mandir}/man1/opensc-notify.1*
%{_mandir}/man1/piv-tool.1*
%{_mandir}/man1/pkcs11-tool.1*
%{_mandir}/man1/pkcs15-crypt.1*
@ -284,62 +245,113 @@ fi
%changelog
* Thu Feb 08 2024 Veronika Hanulikova <vhanulik@redhat.com> - 0.20.0-8
* Thu Feb 08 2024 Veronika Hanulikova <vhanulik@redhat.com> - 0.23.0-4
- Fix CVE-2023-5992: Side-channel leaks while stripping encryption PKCS#1.5 padding
* Thu Nov 30 2023 Jakub Jelen <jjelen@redhat.com> - 0.20.0-7
- Fix file caching with different offsets (RHEL-4077)
* Thu Nov 30 2023 Jakub Jelen <jjelen@redhat.com> - 0.23.0-3
- Fix file caching with different offsets (RHEL-4079)
- Fix CVE-2023-40660: Potential PIN bypass
- Fix CVE-2023-40661: Dynamic analyzers reports in pkcs15init
- Fix CVE-2023-5992: Marvin: Side-channel leaks while stripping encryption PKCS#1.5 padding
- Fix CVE-2023-4535: Out-of-bounds read in MyEID driver handling encryption using symmetric keys
- Fix CVE-2023-5992: Side-channel leaks while stripping encryption PKCS#1.5 padding
* Tue Jul 11 2023 Jakub Jelen <jjelen@redhat.com> - 0.20.0-6
- Fix introduced issues tagged by coverity (RHEL-765)
* Thu May 25 2023 Jakub Jelen <jjelen@redhat.com> - 0.23.0-2
- Fix regression in handling OpenPGP cards
- Fix CVE-2023-2977: buffer overrun in pkcs15init for cardos
* Thu Jun 15 2023 Jakub Jelen <jjelen@redhat.com> - 0.20.0-5
- Avoid potential crash because of missing list terminator (#2196234)
- Fix CVE-2023-2977: potential buffer overrun in pkcs15 cardos_have_verifyrc_package (#2211093)
- Backport upstream changes regarding to reader removal (#2097048)
* Wed Mar 08 2023 Jakub Jelen <jjelen@redhat.com> - 0.23.0-1
- Rebase to latest 0.23.0 release (#2100409)
- Use separate OpenSSL context to work better from inside of OpenSSL providers
* Fri Nov 20 2020 Jakub Jelen <jjelen@redhat.com> - 0.20.0-4
- Use file cache by default (#1892810)
- Avoid calloc with 0 argument (#1895401)
* Fri Oct 08 2021 Jakub Jelen <jjelen@redhat.com> - 0.22.0-2
- Unbreak detection of unentrolled smart cards (#2007029)
- Enable file caching by default except for pkcs15-init (#2000626)
* Tue Oct 20 2020 Jakub Jelen <jjelen@redhat.com> - 0.20.0-3
- Support PIN change for HID Alt tokens (#1830901)
- Fix CVE-2020-26570, CVE-2020-26571 and CVE-2020-26572
- Fix right padding of token labels of some cards (#1877973)
* Wed Aug 11 2021 Jakub Jelen <jjelen@redhat.com> - 0.22.0-1
- New upstream release (#1970534)
* Wed May 27 2020 Jakub Jelen <jjelen@redhat.com> - 0.20.0-2
- Unbreak different CardOS 5 configurations supporting raw RSA (#1830856)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.21.0-9
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Apr 22 2020 Jakub Jelen <jjelen@redhat.com> - 0.20.0-1
- Rebase to current upstream release (#1810660)
* Thu Jul 15 2021 Jakub Jelen <jjelen@redhat.com> - 0.21.0-8
- Fix issue with handling EC keys in OpenSSL 3.0 (#1953480)
* Mon Nov 25 2019 Jakub Jelen <jjelen@redhat.com> - 0.19.0-7
- Unbreak RSA-PSS mechanisms in -6 release (#1775673)
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.21.0-7
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Thu Nov 14 2019 Jakub Jelen <jjelen@redhat.com> - 0.19.0-6
- Add support for Gemalto IDPrime smart cards (#1657970)
- Fix 2k RSA key operations with Coolkey (#1766712)
* Mon May 24 2021 Jakub Jelen <jjelen@redhat.com> - 0.21.0-6
- Build against OpenSSL 3.0 (#1953480)
* Thu Apr 18 2019 Jakub Jelen <jjelen@redhat.com> - 0.19.0-5
- Avoid multilib issues (#1693380)
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.21.0-5
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Dec 12 2018 Jakub Jelen <jjelen@redhat.com> - 0.19.0-4
- Unbreak the Dual CAC cards in PIV driver (#1651748)
- Fix few more corner cases for handling different types of padding (#1595626)
- Unbreak signature verification in pkcs11-tool (#1651748)
* Thu Feb 25 2021 Jakub Jelen <jjelen@redhat.com> - 0.21.0-4
- Couple of more issues of strict aliasing (#1930652)
* Tue Feb 23 2021 Jakub Jelen <jjelen@redhat.com> - 0.21.0-3
- Unbreak with gcc11 (#1930652)
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.21.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Nov 24 2020 Jakub Jelen <jjelen@redhat.com> - 0.21.0-1
- New upstream release (#1884886)
* Fri Oct 30 2020 Jeff Law <law@redhat.com> - 0.20.0-9
- Fix potentially uninitialized array reference exposed by gcc-11
* Wed Aug 19 2020 Igor Raits <ignatenkobrain@fedoraproject.org> - 0.20.0-8
- Drop useless ldconfig scriptlets
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.20.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed May 13 2020 Jakub Jelen <jjelen@redhat.com> - 0.20.0-6
- Unbreak CardOS 5.x support (#1830528)
* Mon Feb 10 2020 Jakub Jelen <jjelen@redhat.com> - 0.20.0-5
- Unbreak build on gcc10 with -fno-common (#1799836)
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.20.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Jan 10 2020 Jakub Jelen <jjelen@redhat.com> - 0.20.0-3
- Drop the notification support for now
* Fri Jan 10 2020 Jakub Jelen <jjelen@redhat.com> - 0.20.0-2
- Cleanup spec file
- Split notify support to separate subpackage
* Thu Jan 02 2020 Jakub Jelen <jjelen@redhat.com> - 0.20.0-1
- New upstream release (#1749357)
- Fixes for various security issues identified by fuzzing (#1765223, #1765231, #1782520, #1782951, #1782956)
* Mon Sep 30 2019 Jakub Jelen <jjelen@redhat.com> - 0.19.0-8
- Correctly mention bundled simclist library
- Add missing zlib build requires (#1756326)
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.19.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Mar 27 2019 Jakub Jelen <jjelen@redhat.com> - 0.19.0-6
- Make OpenSC multilib again by moving the offending files on ix86 arch
- Do not ship packageconfig files to avoid inadvertent linking against pkcs11 modules (#1673139)
* Sun Feb 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.19.0-5
- Rebuild for readline 8.0
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.19.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Oct 31 2018 Jakub Jelen <jjelen@redhat.com> - 0.19.0-3
- Unbreak the RSA-PSS mechanisms (#1595626)
- Unbreak the signing using hashed mechanisms in CardOS and others (#1644338)
- Unbreak the RSA-PSS mechanisms
- Unbreak the signing using hashed mechanisms in CardOS and others
* Mon Oct 22 2018 Jakub Jelen <jjelen@redhat.com> - 0.19.0-2
- Avoid mismatching coolkey cards for muscle ones (#1588722)
- Implement legacy CAC1 driver (#1638052)
- Disable pinpad
- Fixup verification after RSA-PSS implementation
- Fix verification after implementing RSA-PSS mechanisms
- Disable pinpad by default
* Tue Sep 25 2018 Jakub Jelen <jjelen@redhat.com> - 0.19.0-1
- New upstream release fixing various CVE-2018-16418 - 16421, 16423 - 16427
@ -599,7 +611,7 @@ fi
- Autorebuild for GCC 4.3
* Wed Dec 05 2007 Release Engineering <rel-eng at fedoraproject dot org> - 0.11.4-3
- Rebuild for deps
- Rebuild for deps
* Wed Dec 5 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.4-2
- Rebuild.