diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57ae1b0
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/libcacard-2.7.0.tar.xz
diff --git a/.libcacard.metadata b/.libcacard.metadata
new file mode 100644
index 0000000..457d166
--- /dev/null
+++ b/.libcacard.metadata
@@ -0,0 +1 @@
+85b85d33e5f2c68f3a792f09cae21de64edc91c0 SOURCES/libcacard-2.7.0.tar.xz
diff --git a/SOURCES/libcacard-2.7.0-caching-keys.patch b/SOURCES/libcacard-2.7.0-caching-keys.patch
new file mode 100644
index 0000000..8c8a3b9
--- /dev/null
+++ b/SOURCES/libcacard-2.7.0-caching-keys.patch
@@ -0,0 +1,124 @@
+From 2c10ae315375730020108cbcae0c282d0d6eff5f Mon Sep 17 00:00:00 2001
+From: Jakub Jelen
+Date: Mon, 26 Aug 2019 17:42:06 +0200
+Subject: [PATCH 1/2] vcard_emul_nss: Drop the key caching to simplify error
+ handling
+
+It could happen with PKCS#11 modules that (correctly) invalidate object
+handles after logout (which was introduced in 0d3a683a), that the handles
+are not valid when we try to use the objects again.
+
+This is trying to address this use case, which I noticed was breaking
+CI with SoftHSM PKCS#11 modules.
+
+Signed-off-by: Jakub Jelen
+---
+ src/vcard_emul_nss.c | 15 +--------------
+ 1 file changed, 1 insertion(+), 14 deletions(-)
+
+diff --git a/src/vcard_emul_nss.c b/src/vcard_emul_nss.c
+index e8f5c56..f788964 100644
+--- a/src/vcard_emul_nss.c
++++ b/src/vcard_emul_nss.c
+@@ -52,7 +52,6 @@ typedef enum {
+ struct VCardKeyStruct {
+ CERTCertificate *cert;
+ PK11SlotInfo *slot;
+- SECKEYPrivateKey *key;
+ VCardEmulTriState failedX509;
+ };
+
+@@ -155,10 +154,6 @@ vcard_emul_make_key(PK11SlotInfo *slot, CERTCertificate *cert)
+ key = g_new(VCardKey, 1);
+ key->slot = PK11_ReferenceSlot(slot);
+ key->cert = CERT_DupCertificate(cert);
+- /* NOTE: if we aren't logged into the token, this could return NULL */
+- /* NOTE: the cert is a temp cert, not necessarily the cert in the token,
+- * use the DER version of this function */
+- key->key = PK11_FindKeyByDERCert(slot, cert, NULL);
+ key->failedX509 = VCardEmulUnknown;
+ return key;
+ }
+@@ -170,10 +165,6 @@ vcard_emul_delete_key(VCardKey *key)
+ if (!nss_emul_init || (key == NULL)) {
+ return;
+ }
+- if (key->key) {
+- SECKEY_DestroyPrivateKey(key->key);
+- key->key = NULL;
+- }
+ if (key->cert) {
+ CERT_DestroyCertificate(key->cert);
+ }
+@@ -189,12 +180,8 @@ vcard_emul_delete_key(VCardKey *key)
+ static SECKEYPrivateKey *
+ vcard_emul_get_nss_key(VCardKey *key)
+ {
+- if (key->key) {
+- return key->key;
+- }
+ /* NOTE: if we aren't logged into the token, this could return NULL */
+- key->key = PK11_FindPrivateKeyFromCert(key->slot, key->cert, NULL);
+- return key->key;
++ return PK11_FindPrivateKeyFromCert(key->slot, key->cert, NULL);
+ }
+
+ /*
+--
+2.22.0
+
+
+From 06587ef683373690f61540935b4516b4f23238ea Mon Sep 17 00:00:00 2001
+From: Jakub Jelen
+Date: Tue, 27 Aug 2019 12:38:45 +0200
+Subject: [PATCH 2/2] tests: Reproducer for pkcs11 modules invalidating object
+ handles on logout
+
+Signed-off-by: Jakub Jelen
+---
+ tests/hwtests.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/tests/hwtests.c b/tests/hwtests.c
+index cd9a33b..39decfb 100644
+--- a/tests/hwtests.c
++++ b/tests/hwtests.c
+@@ -339,6 +339,26 @@ static void test_sign_bad_data_x509(void)
+ vreader_free(reader); /* get by id ref */
+ }
+
++/* This is a regression test for issues with PKCS#11 tokens
++ * invalidating object handles after logout (such as softhsm).
++ * See: https://bugzilla.mozilla.org/show_bug.cgi?id=1576642
++ */
++static void test_sign_logout_sign(void)
++{
++ VReader *reader = vreader_get_reader_by_id(0);
++
++ g_assert_nonnull(reader);
++
++ test_login();
++ test_sign();
++
++ /* This implicitly logs out the user */
++ test_login();
++ test_sign();
++
++ vreader_free(reader); /* get by id ref */
++}
++
+ static void libcacard_finalize(void)
+ {
+ VReader *reader = vreader_get_reader_by_id(0);
+@@ -374,6 +394,7 @@ int main(int argc, char *argv[])
+ g_test_add_func("/hw-tests/sign-bad-data", test_sign_bad_data_x509);
+ g_test_add_func("/hw-tests/empty-applets", test_empty_applets);
+ g_test_add_func("/hw-tests/get-response", test_get_response);
++ g_test_add_func("/hw-tests/sign-logout-sign", test_sign_logout_sign);
+
+ ret = g_test_run();
+
+--
+2.22.0
+
+
diff --git a/SOURCES/libcacard-2.7.0-install-vscclient.patch b/SOURCES/libcacard-2.7.0-install-vscclient.patch
new file mode 100644
index 0000000..e8fd68e
--- /dev/null
+++ b/SOURCES/libcacard-2.7.0-install-vscclient.patch
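Review bot: With the cache gone, `vcard_emul_get_nss_key()` (inner hunk `@@ -189,12 +180,8 @@`) now returns a fresh `SECKEYPrivateKey` from `PK11_FindPrivateKeyFromCert()` on every call, while the only release visible in this patch, the `SECKEY_DestroyPrivateKey()` in `vcard_emul_delete_key()`, is removed; the diffstat records a single insertion in src/vcard_emul_nss.c, so unless its callers already destroy what they receive, every sign or decrypt operation leaks one private-key reference. Either the callers should release it, or the new ownership rule should be stated where the stale NOTE sits, e.g. `/* Returns a new reference; the caller must SECKEY_DestroyPrivateKey() it. */`. The reproducer added in the second patch (`test_sign_logout_sign`) covers the invalidated-handle case but would not surface such a leak, so running the hw tests under a leak checker is worth doing before this lands. The callers of `vcard_emul_get_nss_key()` are outside this hunk.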
@@ -0,0 +1,25 @@
+diff --git a/Makefile.am b/Makefile.am
+index 0edcfe869f2593b3e0837fd01f8f52b5c01da755..16ec30cf6c473a8f865f26b51f63451a340251a1 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -61,7 +61,9 @@ endif
+ pkgconfigdir = $(libdir)/pkgconfig
+ pkgconfig_DATA = libcacard.pc
+
+-bin_PROGRAMS = vscclient
++include $(srcdir)/build-aux/glib-tap.mk
++
++noinst_PROGRAMS += vscclient
+ vscclient_SOURCES = src/vscclient.c
+ vscclient_LDADD = libcacard.la $(GTHREAD_LIBS) $(PCSC_LIBS)
+ vscclient_CFLAGS = $(AM_CPPFLAGS) $(GTHREAD_CFLAGS) $(PCSC_CFLAGS)
+@@ -70,8 +72,6 @@ if OS_WIN32
+ vscclient_CFLAGS += -D__USE_MINGW_ANSI_STDIO=1
+ endif
+
+-include $(srcdir)/build-aux/glib-tap.mk
+-
+ tests/softhsm2.conf:
+ $(AM_V_GEN)(cd tests/ && $(abs_srcdir)/tests/setup-softhsm2.sh)
+
+
diff --git a/SOURCES/libcacard-2.7.0-s390.patch b/SOURCES/libcacard-2.7.0-s390.patch
new file mode 100644
index 0000000..45d620c
--- /dev/null
+++ b/SOURCES/libcacard-2.7.0-s390.patch
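Review bot: This patch file has no header explaining where it comes from or why it is carried, and the spec applies it with `%patch10 -p1 -R -b .vscclient`, i.e. in reverse, so the net effect on Makefile.am is the opposite of what the diff reads: vscclient goes back to `bin_PROGRAMS` and gets installed. A short preamble above the first `diff --git` line, naming the upstream change it reverts and stating that the package installs vscclient for the tools subpackage, would spare the next maintainer from reconstructing that from the `-R`. The other two patches in this commit use `git format-patch` headers; doing the same here would keep the SOURCES directory consistent.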
@@ -0,0 +1,44 @@
+diff --git a/src/cac-aca.c b/src/cac-aca.c
+index 9e305a8..e66b089 100644
+--- a/src/cac-aca.c
++++ b/src/cac-aca.c
+@@ -60,7 +60,7 @@ struct acr_entry {
+ struct acr_access_method access_methods[MAX_ACCESS_METHODS];
+ };
+ struct acr_table {
+- unsigned int num_entries;
++ unsigned char num_entries;
+ struct acr_entry entries[];
+ };
+
+diff --git a/tests/libcacard.c b/tests/libcacard.c
+index 0c6cca1..18ccf6f 100644
+--- a/tests/libcacard.c
++++ b/tests/libcacard.c
+@@ -179,7 +179,7 @@ static void parse_acr(uint8_t *buf, int buflen)
+ {
+ uint8_t *p, *p_end;
+ int have_applet_information = 0;
+- int num_entries = 0, num_entries_expected = -1;
++ uint8_t num_entries = 0, num_entries_expected = 255;
+
+ p = buf;
+ p_end = p + buflen - 2;
+@@ -204,7 +204,7 @@ static void parse_acr(uint8_t *buf, int buflen)
+ case 0x81: /* Num Applet/Objects */
+ case 0x91: /* Num AMP Entries */
+ case 0x94: /* Num Service Applet Entries */
+- g_assert_cmpint(num_entries_expected, ==, -1);
++ g_assert_cmpint(num_entries_expected, ==, 255);
+ g_assert_cmpint(num_entries, ==, 0);
+ num_entries_expected = *p;
+ break;
+@@ -230,7 +230,7 @@ static void parse_acr(uint8_t *buf, int buflen)
+ /* Every response needs to have exactly one applet information tag */
+ g_assert_cmpint(have_applet_information, ==, 1);
+ /* The number of entries in the second tag matches the number of entries later */
+- if (num_entries_expected != -1) {
++ if (num_entries_expected != 255) {
+ g_assert_cmpint(num_entries, ==, num_entries_expected);
+ }
+ /* nothing left to read */
diff --git a/SPECS/libcacard.spec b/SPECS/libcacard.spec
new file mode 100644
index 0000000..458eaba
--- /dev/null
+++ b/SPECS/libcacard.spec
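Review bot: In `parse_acr()` the new sentinel `num_entries_expected = 255` is a legal value of the byte it is later loaded from (`num_entries_expected = *p;` reads a `uint8_t`), so a response announcing 255 entries would be taken as "no count seen" and the closing cross-check `g_assert_cmpint(num_entries, ==, num_entries_expected)` would be silently skipped; the `uint8_t num_entries` counter would likewise wrap at 256. Narrowing only the counter and keeping an out-of-band sentinel avoids both, e.g. `uint8_t num_entries = 0;` with `int num_entries_expected = -1;` and the original `-1` comparisons left in place. The first inner hunk changes `struct acr_table.num_entries` to `unsigned char` with no explanation; if the motivation is that the count is emitted as a single byte on the wire (not visible here), a comment such as `/* serialised as one byte in the ACR response */` would make the width requirement explicit. The remainder of `parse_acr()` lies outside these hunks.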
@@ -0,0 +1,103 @@
+Name: libcacard
+Version: 2.7.0
+Release: 1%{?dist}
+Epoch: 40
+Summary: Common Access Card (CAC) Emulation
+
+Group: Development/Libraries
+License: GPLv2+ and LGPLv2+ and BSD
+URL: http://www.spice-space.org/page/Libcacard
+Source0: http://www.spice-space.org/download/%{name}/%{name}-%{version}.tar.xz
+Patch10: libcacard-2.7.0-install-vscclient.patch
+# https://gitlab.freedesktop.org/spice/libcacard/merge_requests/5
+Patch11: libcacard-2.7.0-caching-keys.patch
+# https://gitlab.freedesktop.org/spice/libcacard/merge_requests/6
+Patch12: libcacard-2.7.0-s390.patch
+
+
+
+BuildRequires: glib2-devel
+BuildRequires: nss-devel
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: nss-tools
+BuildRequires: softhsm
+BuildRequires: opensc
+BuildRequires: gnutls-utils
+BuildRequires: autoconf-archive
+
+Obsoletes: libcacard-rhev
+
+%description
+Common Access Card (CAC) emulation library.
+
+
+%package tools
+Summary: CAC Emulation tools
+Group: Development/Libraries
+Requires: libcacard = %{epoch}:%{version}-%{release}
+Obsoletes: libcacard-tools-rhev
+
+%description tools
+CAC emulation tools.
+
+
+%package devel
+Summary: CAC Emulation devel
+Group: Development/Libraries
+Requires: libcacard = %{epoch}:%{version}-%{release}
+Obsoletes: libcacard-devel-rhev
+
+%description devel
+CAC emulation development files.
+
+%prep
+%setup -q
+%patch10 -p1 -R -b .vscclient
+%patch11 -p1 -b .caching
+%patch12 -p1 -b .s390
+
+
+%build
+autoreconf
+%configure
+make %{?_smp_mflags}
+
+
+%install
+%make_install
+
+find $RPM_BUILD_ROOT -name "libcacard.so*" -exec chmod +x \{\} \;
+find $RPM_BUILD_ROOT -name '*.la' -or -name '*.a' | xargs rm -f
+
+%check
+# Do not run the tests on s390x, which fails
+%ifnarch s390x
+sed -i "s!/usr/lib64/!%{_libdir}/!" tests/setup-softhsm2.sh
+make check V=1
+%endif
+
+%files
+%defattr(-,root,root,-)
+%{_libdir}/libcacard.so.*
+
+%files tools
+%defattr(-,root,root,-)
+%{_bindir}/vscclient
+
+%files devel
+%defattr(-,root,root,-)
+%{_includedir}/cacard
+%{_libdir}/libcacard.so
+%{_libdir}/pkgconfig/libcacard.pc
+
+
+%changelog
+* Wed Sep 11 2019 Jakub Jelen - 2.7.0-1
+- New upstream releas supporting CACv2 with improver compatibility with Windows guests (#917867)
+
+* Fri Mar 18 2016 Miroslav Rezanina - 2.5.2-2.el7
+- Obsolete libcacard-rhev (bz#1315953)
+
+* Fri Jan 29 2016 Miroslav Rezanina - 2.5.2-1.el7
+- Initial build
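Review bot: `%check` still skips the whole suite on s390x (`%ifnarch s390x`, "Do not run the tests on s390x, which fails") even though Patch12 is carried specifically as the s390 fix, so either the guard is stale or the patch does not make `make check` pass there; the comment should say which, e.g. `# Tests still fail on s390x even with Patch12 (merge_requests/6); revisit`, or the guard should go once a build confirms it. `%patch10 -p1 -R -b .vscclient` applies the vscclient patch in reverse without saying why; a line such as `# Reversed: keep installing vscclient for the -tools subpackage` above it would document the intent. The changelog entry has two typos, "releas" and "improver", which should read "release" and "improved". Source0 and URL use plain http; the tarball is pinned by the hash in .libcacard.metadata, but an https URL costs nothing and is what the rest of the distribution uses.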