From 0c9295dbc42d2bb9ddfc8c696819b9fb5cb9086f Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 10 2018 06:09:25 +0000 Subject: import opensc-0.16.0-8.20170227git777e2a3.el7 --- diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..3b06172 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/opensc-0.16.0-git777e2a3.zip diff --git a/.opensc.metadata b/.opensc.metadata new file mode 100644 index 0000000..36a688c --- /dev/null +++ b/.opensc.metadata @@ -0,0 +1 @@ +508b0ff2ed863ba71cda081b4df1ed00af428748 SOURCES/opensc-0.16.0-git777e2a3.zip diff --git a/README.md b/README.md deleted file mode 100644 index 0e7897f..0000000 --- a/README.md +++ /dev/null @@ -1,5 +0,0 @@ -The master branch has no content - -Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6 - -If you find this file in a distro specific branch, it means that no content has been checked in yet diff --git a/SOURCES/opensc-0.16.0-cac-alt.patch b/SOURCES/opensc-0.16.0-cac-alt.patch new file mode 100644 index 0000000..fccdbf9 --- /dev/null +++ b/SOURCES/opensc-0.16.0-cac-alt.patch 
@@ -0,0 +1,204 @@ +From 6dc118e1c3b89c50cda1998de1d62fa6fa666e60 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Fri, 3 Nov 2017 10:55:35 +0100 +Subject: [PATCH 1/3] Enable CAC ALT token card operations + +--- + src/libopensc/card-cac.c | 33 +++++++++++++++++++++++++++++++++ + 1 file changed, 33 insertions(+) + +diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c +index 82f5c7869..bc0a754a5 100644 +--- a/src/libopensc/card-cac.c ++++ b/src/libopensc/card-cac.c +@@ -229,6 +229,12 @@ static int cac_add_object_to_list(list_t *list, const cac_object_t *object) + #define CAC_1_RID "\xA0\x00\x00\x00\x79" + #define CAC_1_CM_AID "\xA0\x00\x00\x00\x30\x00\00" + ++static const sc_path_t cac_ACA_Path = { ++ "", 0, ++ 0,0,SC_PATH_TYPE_DF_NAME, ++ { CAC_TO_AID(CAC_1_RID "\x10\x00") } ++}; ++ + static const sc_path_t cac_CCC_Path = { + "", 0, + 0,0,SC_PATH_TYPE_DF_NAME, +@@ -284,6 +290,8 @@ static const cac_object_t cac_1_objects[] = { + static const int cac_1_object_count = sizeof(cac_1_objects)/sizeof(cac_1_objects[0]); + + ++static int cac_select_ACA(sc_card_t *card); ++ + /* + * use the object id to find our object info on the object in our CAC-1 list + */ +@@ -815,6 +823,8 @@ static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr) + case SC_CARDCTL_CAC_FINAL_GET_GENERIC_OBJECTS: + return cac_final_iterator(&priv->general_list); + case SC_CARDCTL_CAC_FINAL_GET_CERT_OBJECTS: ++ /* select ACA to be able to verify PIN */ ++ cac_select_ACA(card); + return cac_final_iterator(&priv->pki_list); + } + +@@ -1157,6 +1167,12 @@ static int cac_select_CCC(sc_card_t *card) + return cac_select_file_by_type(card, &cac_CCC_Path, NULL, SC_CARD_TYPE_CAC_II); + } + ++/* Select ACA in non-standard location */ ++static int cac_select_ACA(sc_card_t *card) ++{ ++ return cac_select_file_by_type(card, &cac_ACA_Path, NULL, SC_CARD_TYPE_CAC_II); ++} ++ + static int cac_path_from_cardurl(sc_card_t *card, sc_path_t *path, cac_card_url_t *val, int len) + { + if (len < 10) { 
+@@ -1476,6 +1492,23 @@ static int cac_find_and_initialize(sc_card_t *card, int initialize) + } + } + ++ /* Even some ALT tokens can be missing CCC so we should try with ACA */ ++ r = cac_select_ACA(card); ++ if (r == SC_SUCCESS) { ++ r = cac_find_first_pki_applet(card, &index); ++ if (r == SC_SUCCESS) { ++ priv = cac_new_private_data(); ++ if (!priv) ++ return SC_ERROR_OUT_OF_MEMORY; ++ r = cac_populate_cac_1(card, index, priv); ++ if (r == SC_SUCCESS) { ++ card->type = SC_CARD_TYPE_CAC_II; ++ card->drv_data = priv; ++ return r; ++ } ++ } ++ } ++ + /* is this a CAC-1 specified in DoD "CAC Applet Developer Guide" version 1.0 September 2002 */ + r = cac_find_first_pki_applet(card, &index); + if (r == SC_SUCCESS) { + +From 68c52640a3eff078243fd2db627cf2d12fdd37de Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 6 Nov 2017 12:37:40 +0100 +Subject: [PATCH 2/3] Add the ACA path to the PIN structure if we have one + +--- + src/libopensc/card-cac.c | 25 +++++++++++++++++++------ + src/libopensc/cardctl.h | 1 + + src/libopensc/pkcs15-cac.c | 6 ++++++ + 3 files changed, 26 insertions(+), 6 deletions(-) + +diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c +index bc0a754a5..178150d35 100644 +--- a/src/libopensc/card-cac.c ++++ b/src/libopensc/card-cac.c +@@ -169,6 +169,7 @@ typedef struct cac_private_data { + cac_object_t *pki_current; /* current pki object _ctl function */ + list_t general_list; /* list of general containers */ + cac_object_t *general_current; /* current object for _ctl function */ ++ sc_path_t *aca_path; /* ACA path to be selected before pin verification */ + } cac_private_data_t; + + #define CAC_DATA(card) ((cac_private_data_t*)card->drv_data) +@@ -207,6 +208,7 @@ static void cac_free_private_data(cac_private_data_t *priv) + { + free(priv->cac_id); + free(priv->cache_buf); ++ free(priv->aca_path); + list_destroy(&priv->pki_list); + list_destroy(&priv->general_list); + free(priv); +@@ -289,9 +291,6 @@ static const cac_object_t 
cac_1_objects[] = { + + static const int cac_1_object_count = sizeof(cac_1_objects)/sizeof(cac_1_objects[0]); + +- +-static int cac_select_ACA(sc_card_t *card); +- + /* + * use the object id to find our object info on the object in our CAC-1 list + */ +@@ -793,11 +792,21 @@ static int cac_get_serial_nr_from_CUID(sc_card_t* card, sc_serial_number_t* seri + if (priv->cac_id_len) { + serial->len = MIN(priv->cac_id_len, SC_MAX_SERIALNR); + memcpy(serial->value, priv->cac_id, priv->cac_id_len); +- SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_SUCCESS); ++ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_SUCCESS); + } + SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_FILE_NOT_FOUND); + } + ++static int cac_get_ACA_path(sc_card_t *card, sc_path_t *path) ++{ ++ cac_private_data_t * priv = CAC_DATA(card); ++ ++ SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_NORMAL); ++ if (priv->aca_path) { ++ *path = *priv->aca_path; ++ } ++ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_SUCCESS); ++} + + static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr) + { +@@ -810,6 +819,8 @@ static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr) + LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL); + } + switch(cmd) { ++ case SC_CARDCTL_CAC_GET_ACA_PATH: ++ return cac_get_ACA_path(card, (sc_path_t *) ptr); + case SC_CARDCTL_GET_SERIALNR: + return cac_get_serial_nr_from_CUID(card, (sc_serial_number_t *) ptr); + case SC_CARDCTL_CAC_INIT_GET_GENERIC_OBJECTS: +@@ -823,8 +834,6 @@ static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr) + case SC_CARDCTL_CAC_FINAL_GET_GENERIC_OBJECTS: + return cac_final_iterator(&priv->general_list); + case SC_CARDCTL_CAC_FINAL_GET_CERT_OBJECTS: +- /* select ACA to be able to verify PIN */ +- cac_select_ACA(card); + return cac_final_iterator(&priv->pki_list); + } + +@@ -1502,6 +1511,10 @@ static int cac_find_and_initialize(sc_card_t *card, int initialize) + return SC_ERROR_OUT_OF_MEMORY; + r = cac_populate_cac_1(card, 
index, priv); + if (r == SC_SUCCESS) { ++ priv->aca_path = malloc(sizeof(sc_path_t)); ++ if (!priv->aca_path) ++ return SC_ERROR_OUT_OF_MEMORY; ++ memcpy(priv->aca_path, &cac_ACA_Path, sizeof(sc_path_t)); + card->type = SC_CARD_TYPE_CAC_II; + card->drv_data = priv; + return r; +diff --git a/src/libopensc/cardctl.h b/src/libopensc/cardctl.h +index b647b0537..b610eacc7 100644 +--- a/src/libopensc/cardctl.h ++++ b/src/libopensc/cardctl.h +@@ -220,6 +220,7 @@ enum { + SC_CARDCTL_CAC_INIT_GET_CERT_OBJECTS, + SC_CARDCTL_CAC_GET_NEXT_CERT_OBJECT, + SC_CARDCTL_CAC_FINAL_GET_CERT_OBJECTS, ++ SC_CARDCTL_CAC_GET_ACA_PATH, + + /* + * AuthentIC v3 +diff --git a/src/libopensc/pkcs15-cac.c b/src/libopensc/pkcs15-cac.c +index fd463a9b4..ff87a2345 100644 +--- a/src/libopensc/pkcs15-cac.c ++++ b/src/libopensc/pkcs15-cac.c +@@ -250,6 +250,12 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card) + strncpy(pin_obj.label, label, SC_PKCS15_MAX_LABEL_SIZE - 1); + pin_obj.flags = pins[i].obj_flags; + ++ /* get the ACA path in case it needs to be selected before PIN verify */ ++ r = sc_card_ctl(card, SC_CARDCTL_CAC_GET_ACA_PATH, &pin_info.path); ++ if (r < 0) { ++ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r); ++ } ++ + r = sc_pkcs15emu_add_pin_obj(p15card, &pin_obj, &pin_info); + if (r < 0) + SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r); diff --git a/SOURCES/opensc-0.16.0-cardos.patch b/SOURCES/opensc-0.16.0-cardos.patch new file mode 100644 index 0000000..0b7bdfa --- /dev/null +++ b/SOURCES/opensc-0.16.0-cardos.patch 
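Review bot: In patch 2/3's change to cac_find_and_initialize (nested hunk `@@ -1502,6 +1511,10 @@`), `if (!priv->aca_path) return SC_ERROR_OUT_OF_MEMORY;` leaks `priv`, which `cac_populate_cac_1` has just filled, because `card->drv_data = priv` is only assigned two lines later and nothing else owns it yet; `cac_free_private_data`, added earlier in the same patch and safe with a NULL `aca_path`, should run first: `if (!priv->aca_path) { cac_free_private_data(priv); return SC_ERROR_OUT_OF_MEMORY; }`. Patch 1/3's ACA branch has the same shape when `cac_populate_cac_1` fails: it falls through to the CAC-1 probe with `priv` still allocated, unless the function's tail, which is outside the hunk, frees it. The `malloc` + `memcpy` pair could also be a plain struct assignment, `*priv->aca_path = cac_ACA_Path;`, which keeps the copy tied to the type rather than to `sizeof(sc_path_t)`.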
@@ -0,0 +1,240 @@ +From bc496dfa59c1cfbc5c47c76511d5c6b7eff5cc6c Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 26 Jan 2017 17:11:24 +0100 +Subject: [PATCH 1/4] Set security context for CardOS 5.3 with p1=0x41 (as + Coolkey does) + +--- + src/libopensc/card-cardos.c | 16 +++++++++++----- + src/libopensc/cards.h | 1 + + 2 files changed, 12 insertions(+), 5 deletions(-) + +diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c +index 0c14b32..008ce5c 100644 +--- a/src/libopensc/card-cardos.c ++++ b/src/libopensc/card-cardos.c +@@ -59,7 +59,7 @@ static struct sc_atr_table cardos_atrs[] = { + /* CardOS v5.0 */ + { "3b:d2:18:00:81:31:fe:58:c9:01:14", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_0, 0, NULL}, + /* CardOS v5.3 */ +- { "3b:d2:18:00:81:31:fe:58:c9:03:16", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_0, 0, NULL}, ++ { "3b:d2:18:00:81:31:fe:58:c9:03:16", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_3, 0, NULL}, + { NULL, NULL, NULL, 0, 0, NULL } + }; + +@@ -84,6 +84,8 @@ static int cardos_match_card(sc_card_t *card) + return 1; + if (card->type == SC_CARD_TYPE_CARDOS_V5_0) + return 1; ++ if (card->type == SC_CARD_TYPE_CARDOS_V5_3) ++ return 1; + if (card->type == SC_CARD_TYPE_CARDOS_M4_2) { + int rv; + sc_apdu_t apdu; +@@ -195,7 +197,8 @@ static int cardos_init(sc_card_t *card) + || card->type == SC_CARD_TYPE_CARDOS_M4_2B + || card->type == SC_CARD_TYPE_CARDOS_M4_2C + || card->type == SC_CARD_TYPE_CARDOS_M4_4 +- || card->type == SC_CARD_TYPE_CARDOS_V5_0) { ++ || card->type == SC_CARD_TYPE_CARDOS_V5_0 ++ || card->type == SC_CARD_TYPE_CARDOS_V5_3) { + rsa_2048 = 1; + card->caps |= SC_CARD_CAP_APDU_EXT; + } +@@ -230,7 +233,7 @@ static int cardos_init(sc_card_t *card) + _sc_card_add_rsa_alg(card, 2048, flags, 0); + } + +- if (card->type == SC_CARD_TYPE_CARDOS_V5_0) { ++ if (card->type >= SC_CARD_TYPE_CARDOS_V5_0) { + /* Starting with CardOS 5, the card supports PIN query commands */ + card->caps |= SC_CARD_CAP_ISO7816_PIN_INFO; + } +@@ -249,7 +252,7 @@ static const 
struct sc_card_error cardos_errors[] = { + { 0x6f82, SC_ERROR_CARD_CMD_FAILED, "not enough memory in xram"}, + { 0x6f84, SC_ERROR_CARD_CMD_FAILED, "general protection fault"}, + +-/* the card doesn't now thic combination of ins+cla+p1+p2 */ ++/* the card doesn't now this combination of ins+cla+p1+p2 */ + /* i.e. command will never work */ + { 0x6881, SC_ERROR_NO_CARD_SUPPORT, "logical channel not supported"}, + { 0x6a86, SC_ERROR_INCORRECT_PARAMETERS,"p1/p2 invalid"}, +@@ -781,6 +784,8 @@ cardos_set_security_env(sc_card_t *card, + if (card->type == SC_CARD_TYPE_CARDOS_CIE_V1) { + cardos_restore_security_env(card, 0x30); + apdu.p1 = 0xF1; ++ } else if (card->type == SC_CARD_TYPE_CARDOS_V5_3) { ++ apdu.p1 = 0x41; + } else { + apdu.p1 = 0x01; + } +@@ -1235,7 +1240,8 @@ cardos_logout(sc_card_t *card) + || card->type == SC_CARD_TYPE_CARDOS_M4_2C + || card->type == SC_CARD_TYPE_CARDOS_M4_3 + || card->type == SC_CARD_TYPE_CARDOS_M4_4 +- || card->type == SC_CARD_TYPE_CARDOS_V5_0) { ++ || card->type == SC_CARD_TYPE_CARDOS_V5_0 ++ || card->type == SC_CARD_TYPE_CARDOS_V5_3) { + sc_apdu_t apdu; + int r; + sc_path_t path; +diff --git a/src/libopensc/cards.h b/src/libopensc/cards.h +index d71c02f..9f8f641 100644 +--- a/src/libopensc/cards.h ++++ b/src/libopensc/cards.h +@@ -47,6 +47,7 @@ enum { + SC_CARD_TYPE_CARDOS_CIE_V1, /* Italian CIE (eID) v1 */ + SC_CARD_TYPE_CARDOS_M4_4, + SC_CARD_TYPE_CARDOS_V5_0, ++ SC_CARD_TYPE_CARDOS_V5_3, + + /* flex/cyberflex drivers */ + SC_CARD_TYPE_FLEX_BASE = 2000, +-- +2.9.3 + + +From 5dec534cf07e45ffb0209a53d6145022ecd9259a Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 30 Jan 2017 14:33:05 +0100 +Subject: [PATCH 2/4] Do not emulate signatures in CardOS 5.3 + +Remove the bogus SC_ALGORITHM_NEED_USAGE which prevents using the +actual implementation in cardos_compute_signature(). + +It might be bogus also in previous version, but I don't have a way +to verify against these cards. 
+--- + src/libopensc/card-cardos.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c +index 008ce5c..a21e67a 100644 +--- a/src/libopensc/card-cardos.c ++++ b/src/libopensc/card-cardos.c +@@ -177,11 +177,13 @@ static int cardos_init(sc_card_t *card) + card->cla = 0x00; + + /* Set up algorithm info. */ +- flags = SC_ALGORITHM_NEED_USAGE +- | SC_ALGORITHM_RSA_RAW ++ flags = SC_ALGORITHM_RSA_RAW + | SC_ALGORITHM_RSA_HASH_NONE + | SC_ALGORITHM_ONBOARD_KEY_GEN + ; ++ if (card->type != SC_CARD_TYPE_CARDOS_V5_3) ++ flags |= SC_ALGORITHM_NEED_USAGE; ++ + _sc_card_add_rsa_alg(card, 512, flags, 0); + _sc_card_add_rsa_alg(card, 768, flags, 0); + _sc_card_add_rsa_alg(card, 1024, flags, 0); +@@ -252,7 +254,7 @@ static const struct sc_card_error cardos_errors[] = { + { 0x6f82, SC_ERROR_CARD_CMD_FAILED, "not enough memory in xram"}, + { 0x6f84, SC_ERROR_CARD_CMD_FAILED, "general protection fault"}, + +-/* the card doesn't now this combination of ins+cla+p1+p2 */ ++/* the card doesn't know this combination of ins+cla+p1+p2 */ + /* i.e. 
command will never work */ + { 0x6881, SC_ERROR_NO_CARD_SUPPORT, "logical channel not supported"}, + { 0x6a86, SC_ERROR_INCORRECT_PARAMETERS,"p1/p2 invalid"}, +-- +2.9.3 + + +From 057197c7abf29715a2b7793045c35adf2a34dc17 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Fri, 10 Mar 2017 16:37:43 +0100 +Subject: [PATCH 3/4] Hack for returning the padding back in CardOS 5.3 + +--- + src/libopensc/card-cardos.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c +index a21e67a..39ec4ac 100644 +--- a/src/libopensc/card-cardos.c ++++ b/src/libopensc/card-cardos.c +@@ -979,6 +979,30 @@ cardos_compute_signature(sc_card_t *card, const u8 *data, size_t datalen, + } + + static int ++cardos_decipher(struct sc_card *card, ++ const u8 * crgram, size_t crgram_len, ++ u8 * out, size_t outlen) ++{ ++ int r; ++ u8 *tmp = NULL; ++ size_t tmp_len = crgram_len; ++ ++ assert(card != NULL && crgram != NULL && out != NULL); ++ LOG_FUNC_CALLED(card->ctx); ++ ++ tmp = malloc(tmp_len); ++ r = iso_ops->decipher(card, crgram, crgram_len, tmp, tmp_len); ++ ++ /* add bogus padding, because the card removes it */ ++ if (sc_pkcs1_encode(card->ctx, SC_ALGORITHM_RSA_HASH_NONE|SC_ALGORITHM_RSA_PAD_PKCS1, ++ tmp, r, out, &outlen, crgram_len) != SC_SUCCESS) ++ LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL); ++ out[1] = 0x02; /* this is encryption-padding */ ++ ++ LOG_FUNC_RETURN(card->ctx, outlen); ++} ++ ++static int + cardos_lifecycle_get(sc_card_t *card, int *mode) + { + sc_apdu_t apdu; +@@ -1278,6 +1302,7 @@ static struct sc_card_driver * sc_get_driver(void) + cardos_ops.set_security_env = cardos_set_security_env; + cardos_ops.restore_security_env = cardos_restore_security_env; + cardos_ops.compute_signature = cardos_compute_signature; ++ cardos_ops.decipher = cardos_decipher; + + cardos_ops.list_files = cardos_list_files; + cardos_ops.check_sw = cardos_check_sw; +-- +2.9.3 + + +From 
515f761f5564e91302ce672d30a24d6e6738e349 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 13 Mar 2017 15:15:48 +0100 +Subject: [PATCH 4/4] With older cards, use iso decipher + +--- + src/libopensc/card-cardos.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c +index 39ec4ac..d479065 100644 +--- a/src/libopensc/card-cardos.c ++++ b/src/libopensc/card-cardos.c +@@ -992,10 +992,22 @@ cardos_decipher(struct sc_card *card, + + tmp = malloc(tmp_len); + r = iso_ops->decipher(card, crgram, crgram_len, tmp, tmp_len); ++ if (r < 0) ++ LOG_FUNC_RETURN(card->ctx, r); ++ ++ if (card->type != SC_CARD_TYPE_CARDOS_V5_3) { ++ /* XXX */ ++ memcpy(out, tmp, tmp_len); ++ outlen = tmp_len; ++ free(tmp); ++ LOG_FUNC_RETURN(card->ctx, r); ++ } + + /* add bogus padding, because the card removes it */ +- if (sc_pkcs1_encode(card->ctx, SC_ALGORITHM_RSA_HASH_NONE|SC_ALGORITHM_RSA_PAD_PKCS1, +- tmp, r, out, &outlen, crgram_len) != SC_SUCCESS) ++ r = sc_pkcs1_encode(card->ctx, SC_ALGORITHM_RSA_HASH_NONE|SC_ALGORITHM_RSA_PAD_PKCS1, ++ tmp, r, out, &outlen, crgram_len); ++ free(tmp); ++ if (r != SC_SUCCESS) + LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL); + out[1] = 0x02; /* this is encryption-padding */ + +-- +2.9.3 + diff --git a/SOURCES/opensc-0.16.0-coolkey-labels.patch b/SOURCES/opensc-0.16.0-coolkey-labels.patch new file mode 100644 index 0000000..81c9450 --- /dev/null +++ b/SOURCES/opensc-0.16.0-coolkey-labels.patch 
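Review bot: `tmp = malloc(tmp_len);` in cardos_decipher (patch 4/4, nested hunk `@@ -992,10 +992,22 @@`) is never checked for NULL and is leaked when `iso_ops->decipher` fails, since the new `if (r < 0) LOG_FUNC_RETURN(card->ctx, r);` returns before any `free(tmp)`. The pre-5.3 branch then does `memcpy(out, tmp, tmp_len)` regardless of `outlen` and of the `r` bytes the card actually returned, so a caller whose output buffer is shorter than `crgram_len` is overflowed and the tail of the copy is uninitialised heap; copying `r` bytes bounded by `outlen` matches the length the function already returns, and the `outlen = tmp_len;` assignment to a by-value parameter is dead. Because `tmp` holds RSA decipher plaintext, clearing it with `sc_mem_clear` before each `free` (including the one in the unchanged 5.3 path) would be consistent with the rest of the library.
```c
	tmp = malloc(tmp_len);
	if (tmp == NULL)
		LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
	r = iso_ops->decipher(card, crgram, crgram_len, tmp, tmp_len);
	if (r < 0) {
		sc_mem_clear(tmp, tmp_len);
		free(tmp);
		LOG_FUNC_RETURN(card->ctx, r);
	}

	if (card->type != SC_CARD_TYPE_CARDOS_V5_3) {
		/* pre-5.3 cards: pass the ISO result through unchanged */
		if ((size_t)r > outlen) {
			sc_mem_clear(tmp, tmp_len);
			free(tmp);
			LOG_FUNC_RETURN(card->ctx, SC_ERROR_BUFFER_TOO_SMALL);
		}
		memcpy(out, tmp, (size_t)r);
		sc_mem_clear(tmp, tmp_len);
		free(tmp);
		LOG_FUNC_RETURN(card->ctx, r);
	}

	/* … unchanged: 5.3 re-padding via sc_pkcs1_encode … */
```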
@@ -0,0 +1,68 @@ +From a4b6b9630eb2ee684bbf1560a93b3075c7eb58ab Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 4 Jul 2017 14:25:50 +0200 +Subject: [PATCH] [coolkey] Copy labels from certificate objects to the keys + +--- + src/libopensc/pkcs15-coolkey.c | 33 ++++++++++++++++++++++++++++++++- + 1 file changed, 32 insertions(+), 1 deletion(-) + +diff --git a/src/libopensc/pkcs15-coolkey.c b/src/libopensc/pkcs15-coolkey.c +index 5064a0f4f..a5f457acd 100644 +--- a/src/libopensc/pkcs15-coolkey.c ++++ b/src/libopensc/pkcs15-coolkey.c +@@ -484,7 +484,7 @@ static int sc_pkcs15emu_coolkey_init(sc_pkcs15_card_t *p15card) + sc_card_t *card = p15card->card; + sc_serial_number_t serial; + int count; +- ++ struct sc_pkcs15_object *obj; + + SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); + +@@ -558,6 +558,8 @@ static int sc_pkcs15emu_coolkey_init(sc_pkcs15_card_t *p15card) + + + memset(&obj_obj, 0, sizeof(obj_obj)); ++ /* coolkey applets have label only on the certificates, ++ * but we should copy it also to the keys maching the same ID */ + coolkey_get_attribute_bytes(card, &coolkey_obj, CKA_LABEL, (u8 *)obj_obj.label, &len, sizeof(obj_obj.label)); + coolkey_get_flags(card, &coolkey_obj, &obj_obj.flags); + if (obj_obj.flags & SC_PKCS15_CO_FLAG_PRIVATE) { +@@ -677,6 +679,35 @@ static int sc_pkcs15emu_coolkey_init(sc_pkcs15_card_t *p15card) + } + r = (card->ops->card_ctl)(card, SC_CARDCTL_COOLKEY_FINAL_GET_OBJECTS, &count); + ++ /* Iterate over all the created objects and fill missing labels */ ++ for (obj = p15card->obj_list; obj != NULL; obj = obj->next) { ++ struct sc_pkcs15_id *id = NULL; ++ struct sc_pkcs15_object *cert_object; ++ ++ /* label non-empty -- do not overwrite */ ++ if (obj->label[0] != '\0') ++ continue; ++ ++ switch (obj->type & SC_PKCS15_TYPE_CLASS_MASK) { ++ case SC_PKCS15_TYPE_PUBKEY: ++ id = &((struct sc_pkcs15_pubkey_info *)obj->data)->id; ++ break; ++ case SC_PKCS15_TYPE_PRKEY: ++ id = &((struct sc_pkcs15_prkey_info *)obj->data)->id; ++ break; ++ 
default: ++ /* We do not care about other objects */ ++ continue; ++ } ++ r = sc_pkcs15_find_cert_by_id(p15card, id, &cert_object); ++ if (r != 0) ++ continue; ++ ++ sc_log(card->ctx, "Copy label \"%s\" from cert to key object", ++ cert_object->label); ++ memcpy(obj->label, cert_object->label, SC_PKCS15_MAX_LABEL_SIZE); ++ } ++ + LOG_FUNC_RETURN(card->ctx, SC_SUCCESS); + } + + diff --git a/SOURCES/opensc-0.16.0-coverity.patch b/SOURCES/opensc-0.16.0-coverity.patch new file mode 100644 index 0000000..dbc3c1c --- /dev/null +++ b/SOURCES/opensc-0.16.0-coverity.patch 
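Review bot: `memcpy(obj->label, cert_object->label, SC_PKCS15_MAX_LABEL_SIZE)` at the end of the new loop in sc_pkcs15emu_coolkey_init hard-codes the size of both `label` arrays; `sizeof obj->label` ties the bound to the destination, and forcing termination with `obj->label[sizeof obj->label - 1] = '\0';` costs nothing. The preceding `sc_log(..., cert_object->label)` prints the certificate label with `%s`, and that label was read from the card by `coolkey_get_attribute_bytes` into a fixed array; if that helper can fill the whole array without a terminator this over-reads, which is worth confirming against its definition outside the hunk. The comment added above the CKA_LABEL read has a typo, `maching` → `matching`, and explains the fix-up loop that sits much lower in the function; moving it next to `/* Iterate over all the created objects and fill missing labels */` keeps the rationale beside the code. The function starts outside the hunk.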
@@ -0,0 +1,643 @@ +From 15163e6212aaf6b2dd5d7b432e5b13ca39496110 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 28 Feb 2017 16:12:31 +0100 +Subject: [PATCH 1/3] Coverity fixes for: + +card-cac.c + * CLANG_WARNING: The left operand of '<' is a garbage value +card-coolkey.c + * CLANG_WARNING: overwriting variable + * CPPCHECK_WARNING: memory leak / overwrite variable + * CLANG_WARNING: null pointer dereference + * UNUSED_VALUE: unused return value +card-gids.c + * CLANG_WARNING: Branch condition evaluates to a garbage value + * SIZEOF_MISMATCH: suspicious_sizeof +card-myeid.c + * RESOURCE_LEAK: Variable "buf" going out of scope leaks the storage it points to. + * CLANG_WARNING: overwriting variable + * (rewrite not to confuse coverity) +pkcs15-cac.c + * RESOURCE_LEAK: Variable "cert_out" going out of scope leaks the storage it points to. +pkcs15-coolkey.c + * UNUSED_VALUE: unused return value +pkcs15-piv.c + * RESOURCE_LEAK: Variable "cert_out" going out of scope leaks the storage it points to. +pkcs15-sc-hsm.c + * DEADCODE +pkcs11/framework-pkcs15.c + * RESOURCE_LEAK: Variable "p15_cert" going out of scope leaks the storage it points to. +pkcs15init/pkcs15-lib.c + * CLANG_WARNING: Assigned value is garbage or undefined +pkcs15init/pkcs15-myeid.c + * UNREACHABLE: Probably wrong placement of code block +tests/p15dump.c + * IDENTICAL_BRANCHES +pkcs15-init.c + * CLANG_WARNING: Potential leak of memory pointed to by 'args.der_encoded.value' +pkcs15-tool.c + * RESOURCE_LEAK: Variable "cert" going out of scope leaks the storage it points to. + * MISSING_BREAK: The above case falls through to this one. +sc-hsm-tool.c + * CLANG_WARNING: Potential leak of memory pointed to by 'sp' +westcos-tool.c + * FORWARD_NULL: Passing null pointer "pin" to "unlock_pin", which dereferences it. 
+ * (rewrite not to confuse coverity) +--- + src/libopensc/card-cac.c | 2 +- + src/libopensc/card-coolkey.c | 7 +++++-- + src/libopensc/card-entersafe.c | 2 +- + src/libopensc/card-gids.c | 7 ++++++- + src/libopensc/card-myeid.c | 20 ++++++++++++-------- + src/libopensc/iso7816.c | 1 + + src/libopensc/pkcs15-cac.c | 5 ++++- + src/libopensc/pkcs15-coolkey.c | 2 ++ + src/libopensc/pkcs15-piv.c | 3 ++- + src/libopensc/pkcs15-sc-hsm.c | 6 ++---- + src/pkcs11/framework-pkcs15.c | 7 ++++++- + src/pkcs15init/pkcs15-lib.c | 2 +- + src/pkcs15init/pkcs15-myeid.c | 4 ++-- + src/tests/p15dump.c | 3 +-- + src/tools/pkcs15-init.c | 4 +++- + src/tools/pkcs15-tool.c | 11 ++++++++--- + src/tools/sc-hsm-tool.c | 2 ++ + src/tools/westcos-tool.c | 6 +++--- + 18 files changed, 62 insertions(+), 32 deletions(-) + +diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c +index d5f8585..788fb52 100644 +--- a/src/libopensc/card-cac.c ++++ b/src/libopensc/card-cac.c +@@ -467,7 +467,7 @@ static int cac_cac1_get_certificate(sc_card_t *card, u8 **out_buf, size_t *out_l + size_t left = 0; + size_t len, next_len; + sc_apdu_t apdu; +- int r; ++ int r = SC_SUCCESS; + + + /* get the size */ +diff --git a/src/libopensc/card-coolkey.c b/src/libopensc/card-coolkey.c +index c44febe..7672028 100644 +--- a/src/libopensc/card-coolkey.c ++++ b/src/libopensc/card-coolkey.c +@@ -1369,7 +1369,7 @@ coolkey_fill_object(sc_card_t *card, sc_cardctl_coolkey_object_t *obj) + { + int r; + size_t buf_len = obj->length; +- u8 *new_obj_data = malloc(buf_len); ++ u8 *new_obj_data = NULL; + sc_cardctl_coolkey_object_t *obj_entry; + coolkey_private_data_t * priv = COOLKEY_DATA(card); + +@@ -1413,7 +1413,7 @@ coolkey_find_attribute(sc_card_t *card, sc_cardctl_coolkey_attribute_t *attribut + const u8 *obj = attribute->object->data; + const u8 *attr = NULL; + size_t buf_len = attribute->object->length; +- coolkey_object_header_t *object_head = (coolkey_object_header_t *)obj; ++ coolkey_object_header_t *object_head; 
+ int attribute_count,i; + attribute->attribute_data_type = SC_CARDCTL_COOLKEY_ATTR_TYPE_STRING; + attribute->attribute_length = 0; +@@ -1434,6 +1434,7 @@ coolkey_find_attribute(sc_card_t *card, sc_cardctl_coolkey_attribute_t *attribut + if (buf_len <= sizeof(coolkey_v0_object_header_t)) { + return SC_ERROR_CORRUPTED_DATA; + } ++ object_head = (coolkey_object_header_t *)obj; + object_record_type = object_head->record_type; + /* make sure it's a type we recognize */ + if ((object_record_type != COOLKEY_V1_OBJECT) && (object_record_type != COOLKEY_V0_OBJECT)) { +@@ -2183,6 +2184,8 @@ static int coolkey_initialize(sc_card_t *card) + continue; + } + r = coolkey_add_object(priv, object_id, NULL, object_len, 0); ++ if (r != SC_SUCCESS) ++ sc_log(card->ctx, "coolkey_add_object() returned %d", r); + + } + if (r != SC_ERROR_FILE_END_REACHED) { +diff --git a/src/libopensc/card-entersafe.c b/src/libopensc/card-entersafe.c +index 6e18252..1fe4102 100644 +--- a/src/libopensc/card-entersafe.c ++++ b/src/libopensc/card-entersafe.c +@@ -487,7 +487,7 @@ static int entersafe_select_fid(sc_card_t *card, + sc_file_t **file_out) + { + int r; +- sc_file_t *file=0; ++ sc_file_t *file = NULL; + sc_path_t path; + + memset(&path, 0, sizeof(sc_path_t)); +diff --git a/src/libopensc/card-gids.c b/src/libopensc/card-gids.c +index 51db9af..4db09f5 100644 +--- a/src/libopensc/card-gids.c ++++ b/src/libopensc/card-gids.c +@@ -668,6 +668,7 @@ static int gids_get_crypto_identifier_from_key_ref(sc_card_t *card, const unsign + if (index >= recordsnum) { + SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_INVALID_ARGUMENTS); + } ++ *cryptoidentifier = 0x00; /* initialize to zero */ + if (records[index].wKeyExchangeKeySizeBits == 1024 || records[index].wSigKeySizeBits == 1024) { + *cryptoidentifier = GIDS_RSA_1024_IDENTIFIER; + return SC_SUCCESS; +@@ -878,12 +879,16 @@ static int gids_read_public_key (struct sc_card *card , unsigned int algorithm, + if (keydata != NULL) { + rsa_key.modulus.data = 
(u8*) keydata; + rsa_key.modulus.len = len; ++ } else { ++ rsa_key.modulus.len = 0; + } + + keydata = sc_asn1_find_tag(card->ctx, keytemplate, tlen, GIDS_PUBKEY_TAG_EXPONENT, &len); + if (keydata != NULL) { + rsa_key.exponent.data = (u8*) keydata; + rsa_key.exponent.len = len; ++ } else { ++ rsa_key.exponent.len = 0; + } + + if (rsa_key.exponent.len && rsa_key.modulus.len) { +@@ -1453,7 +1458,7 @@ static int gids_import_key(sc_card_t *card, sc_pkcs15_object_t *object, sc_pkcs1 + SC_TEST_GOTO_ERR(card->ctx, SC_LOG_DEBUG_NORMAL, r, "unable to put the private key - key greater than 2048 bits ?"); + r = SC_SUCCESS; + err: +- sc_mem_clear(buffer, sizeof(buffer)); ++ sc_mem_clear(buffer, buflen); + LOG_FUNC_RETURN(card->ctx, r); + } + +diff --git a/src/libopensc/card-myeid.c b/src/libopensc/card-myeid.c +index 0e75486..65c108f 100644 +--- a/src/libopensc/card-myeid.c ++++ b/src/libopensc/card-myeid.c +@@ -846,20 +846,24 @@ myeid_convert_ec_signature(struct sc_context *ctx, size_t s_len, unsigned char * + if (sig_len != (datalen - len_size - 1)) /* validate size of the DER structure */ + return SC_ERROR_INVALID_DATA; + +- buf = calloc(1, (s_len + 7)/8*2); ++ /* test&fail early */ ++ buflen = (s_len + 7)/8*2; ++ if (buflen > datalen) ++ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA); ++ ++ buf = calloc(1, buflen); + if (!buf) + LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY); +- buflen = (s_len + 7)/8*2; + + r = sc_asn1_sig_value_sequence_to_rs(ctx, data, datalen, buf, buflen); +- if (r < 0) ++ if (r < 0) { + free(buf); +- LOG_TEST_RET(ctx, r, "Failed to cenvert Sig-Value to the raw RS format"); +- +- if (buflen > datalen) +- LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA); ++ sc_log(ctx, "Failed to convert Sig-Value to the raw RS format"); ++ return r; ++ } + + memmove(data, buf, buflen); ++ free(buf); + return buflen; + } + +@@ -868,7 +872,7 @@ static int + myeid_compute_signature(struct sc_card *card, const u8 * data, size_t datalen, + u8 * out, size_t outlen) + { +- struct 
sc_context *ctx = card->ctx; ++ struct sc_context *ctx; + struct sc_apdu apdu; + u8 rbuf[SC_MAX_APDU_BUFFER_SIZE]; + u8 sbuf[SC_MAX_APDU_BUFFER_SIZE]; +diff --git a/src/libopensc/iso7816.c b/src/libopensc/iso7816.c +index 296cf69..2539d1c 100644 +--- a/src/libopensc/iso7816.c ++++ b/src/libopensc/iso7816.c +@@ -392,6 +392,7 @@ iso7816_process_fci(struct sc_card *card, struct sc_file *file, + sc_log(ctx, " type: %s", type); + sc_log(ctx, " EF structure: %d", byte & 0x07); + sc_log(ctx, " tag 0x82: 0x%02x", byte); ++ /* FIXME: check return value? */ + sc_file_set_type_attr(file, &byte, 1); + } + } +diff --git a/src/libopensc/pkcs15-cac.c b/src/libopensc/pkcs15-cac.c +index 4894fe4..e0fa50b 100644 +--- a/src/libopensc/pkcs15-cac.c ++++ b/src/libopensc/pkcs15-cac.c +@@ -292,7 +292,7 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card) + struct sc_pkcs15_object pubkey_obj; + struct sc_pkcs15_object prkey_obj; + sc_pkcs15_der_t cert_der; +- sc_pkcs15_cert_t *cert_out; ++ sc_pkcs15_cert_t *cert_out = NULL; + + r = (card->ops->card_ctl)(card, SC_CARDCTL_CAC_GET_NEXT_CERT_OBJECT, &obj_info); + +@@ -352,12 +352,14 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card) + r = sc_pkcs15_read_certificate(p15card, &cert_info, &cert_out); + if (r < 0 || cert_out->key == NULL) { + sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to read/parse the certificate r=%d",r); ++ sc_pkcs15_free_certificate(cert_out); + continue; + } + + r = sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info); + if (r < 0) { + sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, " Failed to add cert obj r=%d",r); ++ sc_pkcs15_free_certificate(cert_out); + continue; + } + /* set the token name to the name of the CN of the first certificate */ +@@ -393,6 +395,7 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card) + usage, pubkey_info.usage, prkey_info.usage); + if (cert_out->key->algorithm != SC_ALGORITHM_RSA) { + sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"unsupported key.algorithm %d", 
cert_out->key->algorithm); ++ sc_pkcs15_free_certificate(cert_out); + continue; + } else { + pubkey_info.modulus_length = cert_out->key->u.rsa.modulus.len * 8; +diff --git a/src/libopensc/pkcs15-coolkey.c b/src/libopensc/pkcs15-coolkey.c +index 487be19..de4920b 100644 +--- a/src/libopensc/pkcs15-coolkey.c ++++ b/src/libopensc/pkcs15-coolkey.c +@@ -667,6 +667,8 @@ static int sc_pkcs15emu_coolkey_init(sc_pkcs15_card_t *p15card) + } + + r = sc_pkcs15emu_object_add(p15card, obj_type, &obj_obj, obj_info); ++ if (r != SC_SUCCESS) ++ sc_log(card->ctx, "sc_pkcs15emu_object_add() returned %d", r); + fail: + if (key) { sc_pkcs15_free_pubkey(key); } + +diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c +index bf72df0..5bd0fdf 100644 +--- a/src/libopensc/pkcs15-piv.c ++++ b/src/libopensc/pkcs15-piv.c +@@ -710,7 +710,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card) + struct sc_pkcs15_cert_info cert_info; + struct sc_pkcs15_object cert_obj; + sc_pkcs15_der_t cert_der; +- sc_pkcs15_cert_t *cert_out; ++ sc_pkcs15_cert_t *cert_out = NULL; + + ckis[i].cert_found = 0; + ckis[i].key_alg = -1; +@@ -761,6 +761,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card) + r = sc_pkcs15_read_certificate(p15card, &cert_info, &cert_out); + if (r < 0 || cert_out->key == NULL) { + sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to read/parse the certificate r=%d",r); ++ sc_pkcs15_free_certificate(cert_out); + continue; + } + /* +diff --git a/src/libopensc/pkcs15-sc-hsm.c b/src/libopensc/pkcs15-sc-hsm.c +index 938ea9d..3f6b6e4 100644 +--- a/src/libopensc/pkcs15-sc-hsm.c ++++ b/src/libopensc/pkcs15-sc-hsm.c +@@ -460,6 +460,7 @@ static int sc_pkcs15emu_sc_hsm_get_ec_public_key(struct sc_context *ctx, sc_cvc_ + memcpy(pubkey->u.ec.params.der.value, ecp->der.value, ecp->der.len); + pubkey->u.ec.params.der.len = ecp->der.len; + ++ /* FIXME: check return value? 
*/ + sc_pkcs15_fix_ec_parameters(ctx, &pubkey->u.ec.params); + + return SC_SUCCESS; +@@ -627,11 +628,8 @@ static int sc_pkcs15emu_sc_hsm_add_prkd(sc_pkcs15_card_t * p15card, u8 keyid) { + + len = sizeof efbin; + r = read_file(p15card, fid, efbin, &len); +- LOG_TEST_RET(card->ctx, r, "Could not read EF"); + +- if (r < 0) { +- return SC_SUCCESS; +- } ++ LOG_TEST_RET(card->ctx, r, "Could not read EF"); + + if (efbin[0] == 0x67) { /* Decode CSR and create public key object */ + sc_pkcs15emu_sc_hsm_add_pubkey(p15card, efbin, len, key_info, prkd.label); +diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c +index 0c89d47..732e1e5 100644 +--- a/src/pkcs11/framework-pkcs15.c ++++ b/src/pkcs11/framework-pkcs15.c +@@ -571,8 +571,11 @@ __pkcs15_create_cert_object(struct pkcs15_fw_data *fw_data, struct sc_pkcs15_obj + /* Certificate object */ + rv = __pkcs15_create_object(fw_data, (struct pkcs15_any_object **) &object, + cert, &pkcs15_cert_ops, sizeof(struct pkcs15_cert_object)); +- if (rv < 0) ++ if (rv < 0) { ++ if (p15_cert != NULL) ++ sc_pkcs15_free_certificate(p15_cert); + return rv; ++ } + + object->cert_info = p15_info; + object->cert_data = p15_cert; +@@ -643,6 +646,8 @@ __pkcs15_create_pubkey_object(struct pkcs15_fw_data *fw_data, + object->pub_data = p15_key; + if (p15_key && object->pub_info->modulus_length == 0 && p15_key->algorithm == SC_ALGORITHM_RSA) + object->pub_info->modulus_length = 8 * p15_key->u.rsa.modulus.len; ++ } else if (pubkey->emulated && (fw_data->p15_card->flags & SC_PKCS15_CARD_FLAG_EMULATED)) { ++ sc_pkcs15_free_pubkey(p15_key); + } + + if (pubkey_object != NULL) +diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c +index c2fc2df..d1558e2 100644 +--- a/src/pkcs15init/pkcs15-lib.c ++++ b/src/pkcs15init/pkcs15-lib.c +@@ -760,7 +760,7 @@ sc_pkcs15init_add_app(struct sc_card *card, struct sc_profile *profile, + struct sc_pkcs15_object *pin_obj = NULL; + struct sc_app_info *app; + struct sc_file *df = 
profile->df_info->file; +- int r; ++ int r = SC_SUCCESS; + + LOG_FUNC_CALLED(ctx); + p15card->card = card; +diff --git a/src/pkcs15init/pkcs15-myeid.c b/src/pkcs15init/pkcs15-myeid.c +index 9ed515d..6c93545 100644 +--- a/src/pkcs15init/pkcs15-myeid.c ++++ b/src/pkcs15init/pkcs15-myeid.c +@@ -510,10 +510,10 @@ myeid_store_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card, + keybits = key_info->field_length; + else + key_info->field_length = keybits; +- break; +- ++ + if (sc_card_find_ec_alg(p15card->card, keybits, &prkey->u.ec.params.id) == NULL) + LOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, "Unsupported algorithm or key size"); ++ break; + default: + LOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, "Store key failed: Unsupported key type"); + break; +diff --git a/src/tests/p15dump.c b/src/tests/p15dump.c +index 17ab86b..da8b4a3 100644 +--- a/src/tests/p15dump.c ++++ b/src/tests/p15dump.c +@@ -30,8 +30,7 @@ static int dump_objects(const char *what, int type) + printf("failed.\n"); + fprintf(stderr, "Error enumerating %s: %s\n", + what, sc_strerror(count)); +- if (SC_SUCCESS != sc_unlock(card)) +- return 1; ++ sc_unlock(card); + return 1; + } + if (count == 0) { +diff --git a/src/tools/pkcs15-init.c b/src/tools/pkcs15-init.c +index a1b183d..a4fb1a9 100644 +--- a/src/tools/pkcs15-init.c ++++ b/src/tools/pkcs15-init.c +@@ -1318,8 +1318,10 @@ do_store_data_object(struct sc_profile *profile) + args.der_encoded.value = data; + args.der_encoded.len = datalen; + r = sc_lock(p15card->card); +- if (r < 0) ++ if (r < 0) { ++ free(data); + return r; ++ } + r = sc_pkcs15init_store_data_object(p15card, profile, &args, NULL); + sc_unlock(p15card->card); + } +diff --git a/src/tools/pkcs15-tool.c b/src/tools/pkcs15-tool.c +index 092b9d9..e146753 100644 +--- a/src/tools/pkcs15-tool.c ++++ b/src/tools/pkcs15-tool.c +@@ -793,15 +793,18 @@ static int read_public_key(void) + + if (r == SC_ERROR_OBJECT_NOT_FOUND) { + fprintf(stderr, "Public key with ID '%s' not found.\n", 
opt_pubkey); +- return 2; ++ r = 2; ++ goto out; + } + if (r < 0) { + fprintf(stderr, "Public key enumeration failed: %s\n", sc_strerror(r)); +- return 1; ++ r = 1; ++ goto out; + } + if (!pubkey) { + fprintf(stderr, "Public key not available\n"); +- return 1; ++ r = 1; ++ goto out; + } + + r = sc_pkcs15_encode_pubkey_as_spki(ctx, pubkey, &pem_key.value, &pem_key.len); +@@ -813,6 +816,7 @@ static int read_public_key(void) + free(pem_key.value); + } + ++out: + if (cert) + sc_pkcs15_free_certificate(cert); + else if (pubkey) +@@ -2097,6 +2101,7 @@ int main(int argc, char * const argv[]) + break; + case OPT_USE_PINPAD_DEPRECATED: + fprintf(stderr, "'--no-prompt' is deprecated , use '--use-pinpad' instead.\n"); ++ /* fallthrough */ + case OPT_USE_PINPAD: + opt_use_pinpad = 1; + break; +diff --git a/src/tools/sc-hsm-tool.c b/src/tools/sc-hsm-tool.c +index cce855f..029d991 100644 +--- a/src/tools/sc-hsm-tool.c ++++ b/src/tools/sc-hsm-tool.c +@@ -697,6 +697,7 @@ static int recreate_password_from_shares(char **pwd, int *pwdlen, int num_of_pas + memset(inbuf, 0, sizeof(inbuf)); + if (fgets(inbuf, sizeof(inbuf), stdin) == NULL) { + fprintf(stderr, "Input aborted\n"); ++ free(shares); + return -1; + } + p = (sp->x); +@@ -706,6 +707,7 @@ static int recreate_password_from_shares(char **pwd, int *pwdlen, int num_of_pas + memset(inbuf, 0, sizeof(inbuf)); + if (fgets(inbuf, sizeof(inbuf), stdin) == NULL) { + fprintf(stderr, "Input aborted\n"); ++ free(shares); + return -1; + } + binlen = 64; +diff --git a/src/tools/westcos-tool.c b/src/tools/westcos-tool.c +index 29b75dd..ff3d5e6 100644 +--- a/src/tools/westcos-tool.c ++++ b/src/tools/westcos-tool.c +@@ -91,8 +91,6 @@ static int finalize = 0; + static int install_pin = 0; + static int overwrite = 0; + +-static const char *pin = NULL; +-static const char *puk = NULL; + static char *cert = NULL; + + static int keylen = 0; +@@ -260,7 +258,7 @@ static int unlock_pin(sc_card_t *card, + } + else + { +- if(pin == NULL || puk == NULL) ++ 
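Review bot: The two `free(shares)` additions in `recreate_password_from_shares` (hunks at -697 and -706) are identical early-exit cleanups; a single cleanup label reached by `goto` would keep every further exit path from having to repeat them and is the pattern the `read_public_key` hunk above already adopts. If `shares` holds the entered share material, clearing it before the free (`explicit_bzero`, or a volatile-qualified memset) would match the `memset(inbuf, 0, sizeof(inbuf))` already applied to the input buffer, though whether `shares` carries secret bytes is not visible here. The function body and its remaining return paths lie outside the hunk.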
if(pin_value == NULL || puk_value == NULL) + { + return SC_ERROR_INVALID_ARGUMENTS; + } +@@ -372,6 +370,8 @@ int main(int argc, char *argv[]) + RSA *rsa = NULL; + BIGNUM *bn = NULL; + BIO *mem = NULL; ++ static const char *pin = NULL; ++ static const char *puk = NULL; + + while (1) + { + +From e73b2ad2e01cbcc3fdee471ce9692ab95a83b8a0 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 1 Mar 2017 09:45:17 +0100 +Subject: [PATCH 2/3] Sanitize call to sc_pkcs15_free_certificate() + +--- + src/libopensc/pkcs15-cac.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/libopensc/pkcs15-cac.c b/src/libopensc/pkcs15-cac.c +index e0fa50b..61c6430 100644 +--- a/src/libopensc/pkcs15-cac.c ++++ b/src/libopensc/pkcs15-cac.c +@@ -352,7 +352,8 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card) + r = sc_pkcs15_read_certificate(p15card, &cert_info, &cert_out); + if (r < 0 || cert_out->key == NULL) { + sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to read/parse the certificate r=%d",r); +- sc_pkcs15_free_certificate(cert_out); ++ if (cert_out != NULL) ++ sc_pkcs15_free_certificate(cert_out); + continue; + } + + +From bdf452210f7fdbefe91df910025142b2e48b8ebc Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 1 Mar 2017 15:23:17 +0100 +Subject: [PATCH 3/3] Sanitize call to sc_pkcs15_free_certificate() in PIV too + +--- + src/libopensc/pkcs15-piv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c +index 5bd0fdf..f6b6742 100644 +--- a/src/libopensc/pkcs15-piv.c ++++ b/src/libopensc/pkcs15-piv.c +@@ -761,7 +761,8 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card) + r = sc_pkcs15_read_certificate(p15card, &cert_info, &cert_out); + if (r < 0 || cert_out->key == NULL) { + sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to read/parse the certificate r=%d",r); +- sc_pkcs15_free_certificate(cert_out); ++ if (cert_out != NULL) ++ 
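Review bot: The `static` storage class on `static const char *pin = NULL;` and `static const char *puk = NULL;` inside `main` is a leftover from their former life as file-scope globals; as locals of `main`, plain `const char *pin = NULL;` / `const char *puk = NULL;` reads cleaner and does not suggest state that outlives the call. The `unlock_pin` hunk now tests `pin_value`/`puk_value`, whose declarations are outside the hunk, so I cannot confirm they are that function's parameters.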
sc_pkcs15_free_certificate(cert_out); + continue; + } + /* +From 389ffe590986c6ed42fa810874a52a51bac3ca26 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 23 Mar 2017 12:16:46 +0100 +Subject: [PATCH 1/3] Coverity: FORWARD_NULL -- copy&paste error + +--- + src/tools/gids-tool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tools/gids-tool.c b/src/tools/gids-tool.c +index 029c53f..84073b6 100644 +--- a/src/tools/gids-tool.c ++++ b/src/tools/gids-tool.c +@@ -277,7 +277,7 @@ static int changeAdminKey(sc_card_t* card, const char *so_pin, const char* new_k + + if (new_key == NULL) { + printf("Enter new admin key (48 hexadecimal characters) : "); +- util_getpass(&_so_pin, NULL, stdin); ++ util_getpass(&_new_key, NULL, stdin); + printf("\n"); + } else { + _new_key = (char *)new_key; +-- +2.9.3 + + +From 1133efa4fe4d9a0267486cadbd3f6d144c584645 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 23 Mar 2017 15:14:35 +0100 +Subject: [PATCH 2/3] CLANG_WARNING: Call to 'malloc' has an allocation size of + 0 bytes + +--- + src/scconf/scconf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/scconf/scconf.c b/src/scconf/scconf.c +index 7fcc301..678df3e 100644 +--- a/src/scconf/scconf.c ++++ b/src/scconf/scconf.c +@@ -411,6 +411,8 @@ char *scconf_list_strdup(const scconf_list * list, const char *filler) + if (filler) { + len += scconf_list_array_length(list) * (strlen(filler) + 1); + } ++ if (len == 0) ++ return NULL; + buf = malloc(len); + if (!buf) { + return NULL; +-- +2.9.3 + + +From f82bc2008d58348cafcbba30623fcb55dab5cb3a Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 23 Mar 2017 15:46:42 +0100 +Subject: [PATCH 3/3] Avoid malloc with 0 argument + +--- + src/libopensc/card-cac.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c +index 788fb52..6a5b5af 100644 +--- a/src/libopensc/card-cac.c ++++ b/src/libopensc/card-cac.c +@@ -670,12 
+670,12 @@ static int cac_read_binary(sc_card_t *card, unsigned int idx, + r = sc_decompress_alloc(&priv->cache_buf, &priv->cache_buf_len, + cert_ptr, cert_len, COMPRESSION_AUTO); + #else +- sc_log(card->ctx, "PIV compression not supported, no zlib"); ++ sc_log(card->ctx, "CAC compression not supported, no zlib"); + r = SC_ERROR_NOT_SUPPORTED; + #endif + if (r) + goto done; +- } else { ++ } else if (cert_len > 0) { + priv->cache_buf = malloc(cert_len); + if (priv->cache_buf == NULL) { + r = SC_ERROR_OUT_OF_MEMORY; +@@ -683,6 +683,9 @@ static int cac_read_binary(sc_card_t *card, unsigned int idx, + } + priv->cache_buf_len = cert_len; + memcpy(priv->cache_buf, cert_ptr, cert_len); ++ } else { ++ sc_log(card->ctx, "Can't read zero-length certificate"); ++ goto done; + } + break; + default: +-- +2.9.3 + + diff --git a/SOURCES/opensc-0.16.0-infinite-loop.patch b/SOURCES/opensc-0.16.0-infinite-loop.patch new file mode 100644 index 0000000..732314d --- /dev/null +++ b/SOURCES/opensc-0.16.0-infinite-loop.patch 
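Review bot: The new `else` branch in `cac_read_binary` jumps to `done` without assigning `r`, so the zero-length case returns whatever `r` held before — in the uncompressed path nothing in the hunk sets it, and a stale `0` would report success with `priv->cache_buf` still unset. Setting an error before the jump, `r = SC_ERROR_FILE_NOT_FOUND;` (the code the infinite-loop patch later on this page uses for the same zero-length read in `cac_read_file`), makes the failure explicit to the caller. The `done:` label and the rest of the function are outside the hunk.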
@@ -0,0 +1,62 @@ +From 645f678af24fc1e0f1559e0384f57f8fd35836b4 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Fri, 21 Jul 2017 11:30:47 +0200 +Subject: [PATCH 1/4] cac: Make the retransmitted APDU valid by restoring the + resplen + +--- + src/libopensc/card-cac.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c +index ed15ba0a8..47f9aaf0c 100644 +--- a/src/libopensc/card-cac.c ++++ b/src/libopensc/card-cac.c +@@ -1106,6 +1106,7 @@ static int cac_select_file_by_type(sc_card_t *card, const sc_path_t *in_path, sc + r = sc_check_sw(card, apdu.sw1, apdu.sw2); + if (apdu.sw1 == 0x6A && apdu.sw2 == 0x86) { + apdu.p2 = 0x00; ++ apdu.resplen = sizeof(buf); + if (sc_transmit_apdu(card, &apdu) == SC_SUCCESS) + r = sc_check_sw(card, apdu.sw1, apdu.sw2); + } + +From a57407a5257b24edf313a4839c523a19cd8b0dc5 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Fri, 21 Jul 2017 13:09:14 +0200 +Subject: [PATCH 2/4] cac: Check SWs for all the APDUs and report the errors to + underlying layers + +--- + src/libopensc/card-cac.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c +index 47f9aaf0c..f3b64a33d 100644 +--- a/src/libopensc/card-cac.c ++++ b/src/libopensc/card-cac.c +@@ -390,9 +390,7 @@ static int cac_apdu_io(sc_card_t *card, int ins, int p1, int p2, + goto err; + } + +- if (apdu.sw1 == 0x61) { +- r = sc_check_sw(card, apdu.sw1, apdu.sw2); +- } ++ r = sc_check_sw(card, apdu.sw1, apdu.sw2); + + if (r < 0) { + sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Card returned error "); +diff -up OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c.old OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c +--- OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c.old 2017-12-19 10:39:08.662925868 +0100 ++++ OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c 2017-12-19 
10:39:58.665293224 +0100 +@@ -450,6 +450,10 @@ static int cac_read_file(sc_card_t *card + if (r < 0) { + goto fail; + } ++ if (len == 0) { ++ r = SC_ERROR_FILE_NOT_FOUND; ++ goto fail; ++ } + } + *out_len = size; + *out_buf = out; diff --git a/SOURCES/opensc-0.16.0-labels-from-dn.patch b/SOURCES/opensc-0.16.0-labels-from-dn.patch new file mode 100644 index 0000000..e0ed69d --- /dev/null +++ b/SOURCES/opensc-0.16.0-labels-from-dn.patch 
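Review bot: The new `if (len == 0)` check in `cac_read_file` turns an empty read into `SC_ERROR_FILE_NOT_FOUND` without saying why an empty object is an error rather than an empty result; presumably this is the read the loop in bug #1473335 spun on, and a comment such as `/* an empty read must not be reported as success, the caller would retry it forever */` would record that for the next maintainer. This third hunk also lacks the `From`/`Subject` header the two preceding patches carry, so its origin is not recorded in the file. The surrounding function, including `fail:`, is outside the hunk.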
@@ -0,0 +1,137 @@ +From 066fdce95a3a58e312f52c4e14536b4b3a4f5e26 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 9 May 2017 16:46:16 +0200 +Subject: [PATCH 1/3] If the underlying PKCS#15 structure does not provide + label for a certificate, try to use DN from the certificate. + +--- + src/libopensc/libopensc.exports | 1 + + src/pkcs11/framework-pkcs15.c | 31 +++++++++++++++++++++++++++++++ + 2 files changed, 32 insertions(+) + +diff --git a/src/libopensc/libopensc.exports b/src/libopensc/libopensc.exports +index 18f80374f..36cf57023 100644 +--- a/src/libopensc/libopensc.exports ++++ b/src/libopensc/libopensc.exports +@@ -208,6 +208,7 @@ sc_pkcs15_free_prkey_info + sc_pkcs15_free_pubkey + sc_pkcs15_free_pubkey_info + sc_pkcs15_get_application_by_type ++sc_pkcs15_get_name_from_dn + sc_pkcs15_get_object_guid + sc_pkcs15_get_object_id + sc_pkcs15_get_objects +diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c +index 42c509356..f9063c8cc 100644 +--- a/src/pkcs11/framework-pkcs15.c ++++ b/src/pkcs11/framework-pkcs15.c +@@ -553,6 +553,30 @@ public_key_created(struct pkcs15_fw_data *fw_data, const struct sc_pkcs15_id *id + return SC_ERROR_OBJECT_NOT_FOUND; + } + ++static void ++pkcs15_cert_extract_label(struct pkcs15_cert_object *cert) ++{ ++ if (!cert || !cert->cert_p15obj || !cert->cert_data) ++ return; ++ ++ sc_log(context, "pkcs15_cert_extract_label() called. 
Current label: %s", cert->cert_p15obj->label); ++ ++ /* if we didn't get a label, set one based on the CN */ ++ if (*cert->cert_p15obj->label == '\0') { /* can't be NULL -- static array */ ++ static const struct sc_object_id cn_oid = {{ 2, 5, 4, 3, -1 }}; ++ u8 *cn_name = NULL; ++ size_t cn_len = 0; ++ int rv = sc_pkcs15_get_name_from_dn(context, ++ cert->cert_data->subject, cert->cert_data->subject_len, ++ &cn_oid, &cn_name, &cn_len); ++ sc_log(context, "pkcs15_cert_extract_label(): Name from DN is %s", cn_name); ++ if (rv == SC_SUCCESS) { ++ memcpy(cert->cert_p15obj->label, cn_name, cn_len); ++ cert->cert_p15obj->label[cn_len] = '\0'; ++ } ++ free(cn_name); ++ } ++} + + static int + __pkcs15_create_cert_object(struct pkcs15_fw_data *fw_data, struct sc_pkcs15_object *cert, +@@ -606,6 +627,9 @@ __pkcs15_create_cert_object(struct pkcs15_fw_data *fw_data, struct sc_pkcs15_obj + obj2->pub_genfrom = object; + object->cert_pubkey = obj2; + ++ /* Find missing labels for certificate */ ++ pkcs15_cert_extract_label(object); ++ + if (cert_object != NULL) + *cert_object = (struct pkcs15_any_object *) object; + +@@ -877,6 +901,9 @@ check_cert_data_read(struct pkcs15_fw_data *fw_data, struct pkcs15_cert_object * + if (!obj2->pub_data) + rv = sc_pkcs15_pubkey_from_cert(context, &cert->cert_data->data, &obj2->pub_data); + ++ /* Find missing labels for certificate */ ++ pkcs15_cert_extract_label(cert); ++ + /* now that we have the cert and pub key, lets see if we can bind anything else */ + pkcs15_bind_related_objects(fw_data); + +@@ -3165,6 +3192,10 @@ pkcs15_cert_get_attribute(struct sc_pkcs11_session *session, void *object, CK_AT + *(CK_BBOOL*)attr->pValue = FALSE; + break; + case CKA_LABEL: ++ if (check_cert_data_read(fw_data, cert) != 0) { ++ attr->ulValueLen = 0; ++ return CKR_OK; ++ } + len = strnlen(cert->cert_p15obj->label, sizeof cert->cert_p15obj->label); + check_attribute_buffer(attr, len); + memcpy(attr->pValue, cert->cert_p15obj->label, len); + +From 
4d8b75c1f0a901d661ed00b29175e2fdaee940ca Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Fri, 19 May 2017 17:52:09 +0200 +Subject: [PATCH 2/3] Properly check bounds for long DNs + +--- + src/pkcs11/framework-pkcs15.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c +index f9063c8cc..863ad02a1 100644 +--- a/src/pkcs11/framework-pkcs15.c ++++ b/src/pkcs11/framework-pkcs15.c +@@ -566,8 +566,9 @@ pkcs15_cert_extract_label(struct pkcs15_cert_object *cert) + int rv = sc_pkcs15_get_name_from_dn(context, + cert->cert_data->subject, cert->cert_data->subject_len, + &cn_oid, &cn_name, &cn_len); +- sc_log(context, "pkcs15_cert_extract_label(): Name from DN is %s", cn_name); + if (rv == SC_SUCCESS) { ++ sc_log(context, "pkcs15_cert_extract_label(): Name from DN is %s", cn_name); ++ cn_len = MIN(cn_len, SC_PKCS15_MAX_LABEL_SIZE-1); + memcpy(cert->cert_p15obj->label, cn_name, cn_len); + cert->cert_p15obj->label[cn_len] = '\0'; + } + +From 4621251bbff5cc1df826aa7fdc2aa7dfbae3c8ab Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 22 May 2017 09:46:56 +0200 +Subject: [PATCH 3/3] Missing include + +--- + src/pkcs11/framework-pkcs15.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c +index 863ad02a1..ce890b7a1 100644 +--- a/src/pkcs11/framework-pkcs15.c ++++ b/src/pkcs11/framework-pkcs15.c +@@ -22,6 +22,7 @@ + #include + #include + #include "libopensc/log.h" ++#include "libopensc/internal.h" + #include "libopensc/asn1.h" + #include "libopensc/cardctl.h" + #include "common/compat_strnlen.h" + diff --git a/SOURCES/opensc-0.16.0-lock.patch b/SOURCES/opensc-0.16.0-lock.patch new file mode 100644 index 0000000..aff8653 --- /dev/null +++ b/SOURCES/opensc-0.16.0-lock.patch 
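Review bot: `sc_log(context, "pkcs15_cert_extract_label(): Name from DN is %s", cn_name);` prints a buffer that `sc_pkcs15_get_name_from_dn` returns together with an explicit `cn_len`, and the PIV caller on this page copies exactly `cn_len` bytes and appends its own terminator, which suggests the name is not NUL-terminated; if so, `%s` reads past it. Bounding the format, `sc_log(context, "pkcs15_cert_extract_label(): Name from DN is %.*s", (int) cn_len, cn_name);`, avoids that regardless of what the helper guarantees. The `MIN(cn_len, SC_PKCS15_MAX_LABEL_SIZE-1)` clamp that follows is the right bound for the copy into the fixed-size label; note that the resulting label is data read from the card's certificate subject and is now silently truncated with no marker.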
@@ -0,0 +1,59 @@ +From 6b36a341c372f3dcec13c5ddee52fdb907a255a9 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 12 Apr 2017 17:42:54 +0200 +Subject: [PATCH 1/2] Make sure the lock is released when returning + +--- + src/pkcs11/framework-pkcs15.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c +index 2f78a63..3441b99 100644 +--- a/src/pkcs11/framework-pkcs15.c ++++ b/src/pkcs11/framework-pkcs15.c +@@ -487,12 +487,16 @@ CK_RV C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) + goto out; + } + +- if (slot->p11card == NULL) +- return CKR_TOKEN_NOT_PRESENT; ++ if (slot->p11card == NULL) { ++ rv = CKR_TOKEN_NOT_PRESENT; ++ goto out; ++ } + + fw_data = (struct pkcs15_fw_data *) slot->p11card->fws_data[slot->fw_data_idx]; +- if (!fw_data) +- return sc_to_cryptoki_error(SC_ERROR_INTERNAL, "C_GetTokenInfo"); ++ if (!fw_data) { ++ rv = sc_to_cryptoki_error(SC_ERROR_INTERNAL, "C_GetTokenInfo"); ++ goto out; ++ } + p15card = fw_data->p15_card; + + /* User PIN flags are cleared before re-calculation */ + +From 8e8f0ffdcc959f9dd7ea9036aea887917e961bd1 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 12 Apr 2017 17:43:32 +0200 +Subject: [PATCH 2/2] pkcs11-tool: Do not use unitialized data when + C_GetTokenInfo() failed + +--- + src/tools/pkcs11-tool.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c +index ef5d2a6..555029d 100644 +--- a/src/tools/pkcs11-tool.c ++++ b/src/tools/pkcs11-tool.c +@@ -1105,6 +1105,9 @@ static void show_token(CK_SLOT_ID slot) + if (rv == CKR_TOKEN_NOT_RECOGNIZED) { + printf(" (token not recognized)\n"); + return; ++ } else if (rv != CKR_OK) { ++ printf("C_GetTokenInfo() failed: rv = %s\n", CKR2Str(rv)); ++ return; + } + if (!(info.flags & CKF_TOKEN_INITIALIZED) && (!verbose)) { + printf(" token state: uninitialized\n"); 
diff --git a/SOURCES/opensc-0.16.0-piv-cardholder-name.patch b/SOURCES/opensc-0.16.0-piv-cardholder-name.patch new file mode 100644 index 0000000..e1c358e --- /dev/null +++ b/SOURCES/opensc-0.16.0-piv-cardholder-name.patch 
@@ -0,0 +1,121 @@ +From bac1ced89dde5780ecb5014b3887e4fd81c7d81c Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Fri, 18 Aug 2017 13:49:57 +0200 +Subject: [PATCH 1/3] Use shorter PIN name for default PIN to accomodate Card + Holder name in future + +--- + src/libopensc/pkcs15-piv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c +index d38d7ba73..7f9015dcc 100644 +--- a/src/libopensc/pkcs15-piv.c ++++ b/src/libopensc/pkcs15-piv.c +@@ -359,7 +359,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card) + }; + + static const pindata pins[] = { +- { "01", "PIV Card Holder pin", "", 0x80, ++ { "01", "PIN", "", 0x80, + /* label, flag and ref will change if using global pin */ + SC_PKCS15_PIN_TYPE_ASCII_NUMERIC, + 8, 4, 8, +@@ -932,7 +932,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card) + pin_info.attrs.pin.reference = pin_ref; + pin_info.attrs.pin.flags &= ~SC_PKCS15_PIN_FLAG_LOCAL; + label = "Global PIN"; +- } ++ } + sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "DEE Adding pin %d label=%s",i, label); + strncpy(pin_obj.label, label, SC_PKCS15_MAX_LABEL_SIZE - 1); + pin_obj.flags = pins[i].obj_flags; + +From 74b070128c27e24aa67db041a049a9eee5dddcd6 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Fri, 18 Aug 2017 14:18:00 +0200 +Subject: [PATCH 2/3] Get cardholder name from the first certificate + +--- + src/libopensc/pkcs15-piv.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c +index 7f9015dcc..6f3c9199d 100644 +--- a/src/libopensc/pkcs15-piv.c ++++ b/src/libopensc/pkcs15-piv.c +@@ -613,7 +613,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card) + char buf[SC_MAX_SERIALNR * 2 + 1]; + common_key_info ckis[PIV_NUM_CERTS_AND_KEYS]; + int follows_nist_fascn = 0; +- ++ char *token_name = NULL; + + SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); + +@@ 
-765,6 +765,30 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card) + sc_pkcs15_free_certificate(cert_out); + continue; + } ++ ++ /* set the token name to the name of the CN of the first certificate */ ++ if (!token_name) { ++ u8 * cn_name = NULL; ++ size_t cn_len = 0; ++ static const struct sc_object_id cn_oid = {{ 2, 5, 4, 3, -1 }}; ++ r = sc_pkcs15_get_name_from_dn(card->ctx, cert_out->subject, ++ cert_out->subject_len, &cn_oid, &cn_name, &cn_len); ++ if (r == SC_SUCCESS) { ++ token_name = malloc (cn_len+1); ++ if (!token_name) { ++ sc_pkcs15_free_certificate(cert_out); ++ free(cn_name); ++ SC_FUNC_RETURN(card->ctx, ++ SC_ERROR_OUT_OF_MEMORY, r); ++ } ++ memcpy(token_name, cn_name, cn_len); ++ free(cn_name); ++ token_name[cn_len] = 0; ++ free(p15card->tokeninfo->label); ++ p15card->tokeninfo->label = token_name; ++ } ++ } ++ + /* + * get keyUsage if present save in ckis[i] + * Will only use it if this in a non FED issued card + +From 78c2b7b970a8c2d841552926a7f4c386c31abeb8 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 21 Aug 2017 13:43:08 +0200 +Subject: [PATCH 3/3] Do not add non-informative PIN to the token label + +--- + src/pkcs11/framework-pkcs15.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c +index 5b3cb32e5..8ded1125b 100644 +--- a/src/pkcs11/framework-pkcs15.c ++++ b/src/pkcs11/framework-pkcs15.c +@@ -1024,6 +1024,7 @@ pkcs15_init_slot(struct sc_pkcs15_card *p15card, struct sc_pkcs11_slot *slot, + struct sc_pkcs15_auth_info *pin_info = NULL; + char label[64]; + ++ sc_log(context, "Called"); + pkcs15_init_token_info(p15card, &slot->token_info); + slot->token_info.flags |= CKF_TOKEN_INITIALIZED; + if (auth != NULL) +@@ -1048,9 +1049,10 @@ pkcs15_init_slot(struct sc_pkcs15_card *p15card, struct sc_pkcs11_slot *slot, + pin_info = NULL; + } + else { +- if (auth->label[0]) ++ if (auth->label[0] && strncmp(auth->label, "PIN", 4) != 0) + 
snprintf(label, sizeof(label), "%.*s (%s)", (int) sizeof auth->label, auth->label, p15card->tokeninfo->label); + else ++ /* The PIN label is empty or says just non-useful "PIN" */ + snprintf(label, sizeof(label), "%s", p15card->tokeninfo->label); + slot->token_info.flags |= CKF_LOGIN_REQUIRED; + } + diff --git a/SOURCES/opensc-0.16.0-simpletlv.patch b/SOURCES/opensc-0.16.0-simpletlv.patch new file mode 100644 index 0000000..04d1e7f --- /dev/null +++ b/SOURCES/opensc-0.16.0-simpletlv.patch @@ -0,0 +1,21 @@ +commit 602279acecb9aaff1154ac1e2993562741a57281 +Author: Jakub Jelen +Date: Tue Jan 2 11:08:31 2018 +0100 + + Skip correctly two bytes after reading 2b size + +diff --git a/src/libopensc/simpletlv.c b/src/libopensc/simpletlv.c +index f526a1cd..ab0401b5 100644 +--- a/src/libopensc/simpletlv.c ++++ b/src/libopensc/simpletlv.c +@@ -90,8 +90,9 @@ sc_simpletlv_read_tag(u8 **buf, size_t buflen, u8 *tag_out, size_t *taglen) + *taglen = 0; + return SC_ERROR_INVALID_ARGUMENTS; + } ++ /* skip two bytes (the size) */ + len = lebytes2ushort(p); +- p++; ++ p+=2; + } + *taglen = len; + *buf = p; diff --git a/SOURCES/opensc.module b/SOURCES/opensc.module new file mode 100644 index 0000000..2071097 --- /dev/null +++ b/SOURCES/opensc.module @@ -0,0 +1,8 @@ +# This file describes how to load the opensc module +# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html + +# This is a relative path, which means it will be loaded from +# the p11-kit default path which is usually $(libdir)/pkcs11. +# Doing it this way allows for packagers to package opensc for +# 32-bit and 64-bit and make them parallel installable +module: opensc-pkcs11.so diff --git a/SOURCES/pkcs11-switch.sh b/SOURCES/pkcs11-switch.sh new file mode 100755 index 0000000..f29565c --- /dev/null +++ b/SOURCES/pkcs11-switch.sh 
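Review bot: In the pkcs15-piv.c hunk at -765, `cn_name` is freed only inside the `r == SC_SUCCESS` branch, whereas the `pkcs15_cert_extract_label` caller on this page frees it unconditionally after the same call; if `sc_pkcs15_get_name_from_dn` can allocate and still fail, the PIV path leaks, so moving `free(cn_name);` out after the `if` block keeps the two call sites consistent either way. The block also overwrites `r` with the DN-lookup result, so any later use of `r` in the loop body (outside the hunk) now sees that value rather than the certificate read status. In the framework-pkcs15.c hunk, `strncmp(auth->label, "PIN", 4) != 0` is an exact-match test written as a length-limited one; `strcmp(auth->label, "PIN") != 0` says the same thing more plainly.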
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+# Paths, names and functions definitions
+NSSDB="/etc/pki/nssdb/"
+COOLKEY_NAME="CoolKey PKCS #11 Module"
+COOLKEY_LIBRARY="libcoolkeypk11.so"
+OPENSC_NAME="OpenSC PKCS #11 Module"
+OPENSC_LIBRARY="opensc-pkcs11.so"
+
+add_module() {
+ NAME="$1"
+ LIBRARY="$2"
+ modutil -add "$NAME" -dbdir "$NSSDB" -libfile "$LIBRARY"
+}
+remove_module() {
+ NAME="$1"
+ modutil -delete "$NAME" -dbdir "$NSSDB" -force
+}
+
+# Parse arguments. If wrong, print usage
+TARGET="$1"
+if [ "$TARGET" = "" ]; then
+ # Print currently installed module
+ PRINT_CURRENT="1"
+elif [ "$TARGET" = "opensc" ] || [ "$TARGET" = "coolkey" ]; then
+ : # Correct arguments
+else
+ echo "Simple tool to switch between OpenSC and Coolkey PKCS#11 modules in main NSS DB."
+ echo "Usage: $0 [coolkey|opensc]"
+ echo " [coolkey|opensc] says which of the modules should be used."
+ echo " The other one will be removed from database."
+ echo
+ echo " If there is no argument specified, prints the current module in NSS DB"
+ exit 255
+fi
+
+if [ ! -x /usr/bin/modutil ]; then
+ echo "The modutil is not installed. Please install package nss-util"
+ exit 255
+fi
+
+# Find the current library in NSS DB
+CURRENT="" # none
+LIBS=$(modutil -rawlist -dbdir "$NSSDB" | grep "^library=")
+if echo "$LIBS" | grep "$COOLKEY_NAME" > /dev/null; then
+ CURRENT="coolkey"
+fi
+if echo "$LIBS" | grep "$OPENSC_NAME" > /dev/null; then
+ if [ -n "$CURRENT" ]; then
+ CURRENT="opensc coolkey"
+ echo "There are both modules in NSS DB, which is not recommended."
+ echo "I will remove the other."
+ else
+ CURRENT="opensc"
+ fi
+fi
+
+if [ "$PRINT_CURRENT" = "1" ]; then
+ echo "$CURRENT"
+ exit 0
+fi
+
+# Do we need to change something?
+if [ "$CURRENT" = "$TARGET" ]; then
+ echo "The requested module is already in the NSS DB"
+ exit 0
+fi
+
+# Do the actual change
+if [ "$TARGET" = "opensc" ]; then
+ add_module "$OPENSC_NAME" "$OPENSC_LIBRARY"
+ remove_module "$COOLKEY_NAME"
+fi
+if [ "$TARGET" = "coolkey" ]; then
+ add_module "$COOLKEY_NAME" "$COOLKEY_LIBRARY"
+ remove_module "$OPENSC_NAME"
+fi
diff --git a/SPECS/opensc.spec b/SPECS/opensc.spec
new file mode 100644
index 0000000..db1479f
--- /dev/null
+++ b/SPECS/opensc.spec
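Review bot: When both modules are registered, `CURRENT` is `"opensc coolkey"`, the `"$CURRENT" = "$TARGET"` test does not match, and the script calls `add_module` for a module that is already in the database; the exit status of `modutil -add` is never checked, so a failed add followed by a `-force` delete of the other module is accepted silently, and an add that fails for any other reason can leave the NSS DB with no PKCS#11 module at all. Skipping the add when the target is already present and stopping on a failed add closes both gaps. The existence check looks at `/usr/bin/modutil` while the calls resolve `modutil` through `PATH`; invoking the checked path keeps the two consistent.
```shell
# Do the actual change
if [ "$TARGET" = "opensc" ]; then
 case "$CURRENT" in
  *opensc*) ;; # already registered, do not add it again
  *) add_module "$OPENSC_NAME" "$OPENSC_LIBRARY" || exit 1 ;;
 esac
 remove_module "$COOLKEY_NAME"
fi
# … unchanged: coolkey branch, mirrored with *coolkey*) …
```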
@@ -0,0 +1,535 @@
+%global commit0 777e2a3751e3f6d53f056c98e9e20e42af674fb1
+%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
+
+Name: opensc
+Version: 0.16.0
+Release: 8.20170227git%{shortcommit0}%{?dist}
+Summary: Smart card library and applications
+
+Group: System Environment/Libraries
+License: LGPLv2+
+URL: https://github.com/OpenSC/OpenSC/wiki
+Source0: https://github.com/OpenSC/OpenSC/archive/%{commit0}.zip#/%{name}-%{version}-git%{shortcommit0}.zip
+Source1: opensc.module
+Source2: pkcs11-switch.sh
+Patch0: opensc-0.16.0-coverity.patch
+Patch1: opensc-0.16.0-cardos.patch
+Patch2: opensc-0.16.0-lock.patch
+# Use label from certificate DN if there is none (#1448555)
+Patch3: opensc-0.16.0-labels-from-dn.patch
+# Use Cardholder name in the token label (#1449740)
+Patch4: opensc-0.16.0-piv-cardholder-name.patch
+# Avoid infinite loop when reading CAC cards (#1473335)
+Patch5: opensc-0.16.0-infinite-loop.patch
+# Workaround for CAC Alt tokens (#1473418)
+Patch6: opensc-0.16.0-cac-alt.patch
+# Copy labels from certificate (#1448555)
+Patch7: opensc-0.16.0-coolkey-labels.patch
+# Properly parse multi-byte length (#1473418)
+Patch8: opensc-0.16.0-simpletlv.patch
+
+BuildRequires: pcsc-lite-devel
+BuildRequires: readline-devel
+BuildRequires: openssl-devel
+BuildRequires: /usr/bin/xsltproc
+BuildRequires: docbook-style-xsl
+BuildRequires: autoconf automake libtool
+Requires: pcsc-lite-libs%{?_isa}
+Requires: pcsc-lite
+Obsoletes: mozilla-opensc-signer < 0.12.0
+Obsoletes: opensc-devel < 0.12.0
+
+%description
+OpenSC provides a set of libraries and utilities to work with smart cards. Its
+main focus is on cards that support cryptographic operations, and facilitate
+their use in security applications such as authentication, mail encryption and
+digital signatures. OpenSC implements the PKCS#11 API so applications
+supporting this API (such as Mozilla Firefox and Thunderbird) can use it. On
+the card OpenSC implements the PKCS#15 standard and aims to be compatible with
+every software/card that does so, too.
+
+
+%prep
+%setup -q -n OpenSC-%{commit0}
+%patch0 -p1 -b .coverity
+%patch1 -p1 -b .cardos
+%patch2 -p1 -b .lock
+%patch3 -p1 -b .label
+%patch4 -p1 -b .cardholder
+%patch5 -p1 -b .infinite
+%patch6 -p1 -b .cac-alt
+%patch7 -p1 -b .coolkey-labels
+%patch8 -p1 -b .simpletlv
+
+cp -p src/pkcs15init/README ./README.pkcs15init
+cp -p src/scconf/README.scconf .
+# No {_libdir} here to avoid multilib conflicts; it's just an example
+sed -i -e 's|/usr/local/towitoko/lib/|/usr/lib/ctapi/|' etc/opensc.conf.in
+
+
+%build
+autoreconf -fvi
+sed -i -e 's/opensc.conf/opensc-%{_arch}.conf/g' src/libopensc/Makefile.in
+sed -i -e 's|"/lib /usr/lib\b|"/%{_lib} %{_libdir}|' configure # lib64 rpaths
+%configure --disable-static \
+ --disable-assert \
+ --enable-pcsc \
+ --enable-sm \
+ --with-pcsc-provider=libpcsclite.so.1
+make %{?_smp_mflags} V=1
+
+
+%install
+make install DESTDIR=$RPM_BUILD_ROOT
+rm -f $RPM_BUILD_ROOT%{_sysconfdir}/opensc.conf
+install -Dpm 644 etc/opensc.conf $RPM_BUILD_ROOT%{_sysconfdir}/opensc-%{_arch}.conf
+install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opensc.module
+install -Dpm 755 %{SOURCE2} $RPM_BUILD_ROOT%{_bindir}/pkcs11-switch
+# use NEWS file timestamp as reference for configuration file
+touch -r NEWS $RPM_BUILD_ROOT%{_sysconfdir}/opensc-%{_arch}.conf
+
+find $RPM_BUILD_ROOT%{_libdir} -type f -name "*.la" | xargs rm
+
+rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/opensc
+
+# Upstream considers libopensc API internal and no longer ships
+# public headers and pkgconfig files.
+# Remove the symlink as nothing is supposed to link against libopensc.
+rm -f $RPM_BUILD_ROOT%{_libdir}/libopensc.so
+rm -f $RPM_BUILD_ROOT%{_libdir}/libsmm-local.so
+%if 0%{?rhel}
+rm -rf %{buildroot}%{_sysconfdir}/bash_completion.d/
+%endif
+
+
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
+
+
+%files
+%defattr(-,root,root,-)
+%doc COPYING NEWS README*
+
+%if ! 0%{?rhel}
+%{_sysconfdir}/bash_completion.d/*
+%endif
+
+%config(noreplace) %{_sysconfdir}/opensc-%{_arch}.conf
+%{_datadir}/p11-kit/modules/opensc.module
+%{_bindir}/cardos-tool
+%{_bindir}/cryptoflex-tool
+%{_bindir}/eidenv
+%{_bindir}/iasecc-tool
+%{_bindir}/gids-tool
+%{_bindir}/netkey-tool
+%{_bindir}/openpgp-tool
+%{_bindir}/opensc-explorer
+%{_bindir}/opensc-tool
+%{_bindir}/piv-tool
+%{_bindir}/pkcs11-tool
+%{_bindir}/pkcs11-switch
+%{_bindir}/pkcs15-crypt
+%{_bindir}/pkcs15-init
+%{_bindir}/pkcs15-tool
+%{_bindir}/sc-hsm-tool
+%{_bindir}/dnie-tool
+%{_bindir}/westcos-tool
+%{_libdir}/lib*.so.*
+%{_libdir}/opensc-pkcs11.so
+%{_libdir}/pkcs11-spy.so
+%{_libdir}/onepin-opensc-pkcs11.so
+%{_libdir}/pkgconfig/*.pc
+%%dir %{_libdir}/pkcs11
+%{_libdir}/pkcs11/opensc-pkcs11.so
+%{_libdir}/pkcs11/onepin-opensc-pkcs11.so
+%{_libdir}/pkcs11/pkcs11-spy.so
+%{_datadir}/opensc/
+%{_mandir}/man1/cardos-tool.1*
+%{_mandir}/man1/cryptoflex-tool.1*
+%{_mandir}/man1/eidenv.1*
+%{_mandir}/man1/gids-tool.1*
+%{_mandir}/man1/iasecc-tool.1*
+%{_mandir}/man1/netkey-tool.1*
+%{_mandir}/man1/openpgp-tool.1*
+%{_mandir}/man1/opensc-explorer.*
+%{_mandir}/man1/opensc-tool.1*
+%{_mandir}/man1/piv-tool.1*
+%{_mandir}/man1/pkcs11-tool.1*
+%{_mandir}/man1/pkcs15-crypt.1*
+%{_mandir}/man1/pkcs15-init.1*
+%{_mandir}/man1/pkcs15-tool.1*
+%{_mandir}/man1/sc-hsm-tool.1*
+%{_mandir}/man1/westcos-tool.1*
+%{_mandir}/man1/dnie-tool.1*
+%{_mandir}/man5/*.5*
+
+
+%changelog
+* Wed Jan 03 2018 Jakub Jelen - 0.16.0-8.20170227git
+- Copy labels from certificate (#1448555)
+- Avoid infinite loop in CAC driver when reading non-CAC cards (#1473335)
+- Properly parse Simple TLV structures in CAC driver (#1473418)
+
+* Tue Nov 07 2017 Jakub Jelen - 0.16.0-7.20170227git
+- Fix issues reported by Coverity
+- Use upstream accepted fix for CAC Alt tokens (#1473418)
+
+* Fri Nov 03 2017 Jakub Jelen - 0.16.0-6.20170227git
+- Use label from certificate DN if there is none (#1448555)
+- Use Cardholder name in the token label (#1449740)
+- Avoid infinite loop when reading CAC cards (#1473335)
+- Workaround for CAC Alt tokens (#1473418)
+
+* Thu May 18 2017 Jakub Jelen - 0.16.0-5.20170227git
+- Add missing pkcs11-switch script
+
+* Thu Apr 13 2017 Jakub Jelen - 0.16.0-4.20170227git
+- Release aquired lock for uninitialized ASEPCOS cards (#1376090)
+
+* Thu Mar 23 2017 Jakub Jelen - 0.16.0-3.20170227git
+- Fix more issues identified by Coverity scan
+
+* Thu Mar 23 2017 Jakub Jelen - 0.16.0-2.20170227git
+- Add support for CardOS 5.3
+- Fix coverity issues
+- Provide simple tool to swith PKCS#11 library in NSS DB
+
+* Tue Jan 10 2017 Jakub Jelen - 0.16.0-1.20170110git
+- Rebase to OpenSC master with support for CAC cards (#1373164)
+
+* Thu Feb 25 2016 Nikos Mavrogiannopoulos 0.14.0-2
+- Export PKCS#11 symbols from spy library (#1283305)
+
+* Thu Apr 23 2015 Nikos Mavrogiannopoulos 0.14.0-1
+- Updated to opensc 0.14.0
+
+* Fri Mar 14 2014 Nikos Mavrogiannopoulos 0.13.0-9
+- Configuration file includes arch to allow it operate under multilib
+
+* Mon Mar 10 2014 Nikos Mavrogiannopoulos 0.13.0-8
+- Ensure that variables are in scope when used (#1062307)
+
+* Tue Feb 25 2014 Nikos Mavrogiannopoulos 0.13.0-7
+- Corrected path of opensc.module (#1060034)
+
+* Fri Jan 24 2014 Daniel Mach - 0.13.0-6
+- Mass rebuild 2014-01-24
+
+* Fri Dec 27 2013 Daniel Mach - 0.13.0-5
+- Mass rebuild 2013-12-27
+
+* Fri Mar 08 2013 Stef Walter - 0.13.0-4
+- Use the standard name format for p11-kit module configs
+- Put the p11-kit module config is the system location
+
+* Thu Feb 14 2013 Fedora Release Engineering - 0.13.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Sun Jan 13 2013 Kalev Lember - 0.13.0-2
+- Backport an upstream patch for fixing pkcs15 cert length calculation
+
+* Thu Jan 03 2013 Milan Broz - 0.13.0-1
+- Update to 0.13.0 (#890770)
+- Remove no longer provided onepin-opensc-pkcs11.so.
+- Add iasecc-tool, openpgp-tool and sc-hsm-tool.
+
+* Fri Jul 27 2012 Tomas Mraz - 0.12.2-6
+- Add a configuration file for p11-kit (#840504)
+
+* Fri Jul 20 2012 Fedora Release Engineering - 0.12.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sun Mar 4 2012 Peter Robinson - 0.12.2-4
+- Add patch for dso
+
+* Fri Jan 13 2012 Fedora Release Engineering - 0.12.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Wed Aug 17 2011 Tomas Mraz - 0.12.2-2
+- Rebuilt to fix trailing slashes in filelist from rpmbuild bug
+
+* Tue Jul 19 2011 Kalev Lember - 0.12.2-1
+- Update to 0.12.2 (#722659)
+
+* Wed May 18 2011 Kalev Lember - 0.12.1-1
+- Update to 0.12.1 (#705743)
+- Removed BR libtool-ltdl-devel to build with glibc's libdl instead
+
+* Tue Apr 12 2011 Tomas Mraz - 0.12.0-4
+- drop multilib conflicting and duplicated doc file (#695368)
+
+* Tue Feb 08 2011 Fedora Release Engineering - 0.12.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Mon Jan 03 2011 Kalev Lember - 0.12.0-2
+- Disabled asserts
+
+* Mon Jan 03 2011 Kalev Lember - 0.12.0-1
+- Update to 0.12.0
+- Removed and obsoleted mozilla-opensc-signer and opensc-devel subpackages
+- Dropped patches which are now upstreamed
+- It is no longer possible to build in both pcsc-lite and openct support,
+ so opensc now gets built exclusively with pcsc-lite.
+
+* Tue Dec 21 2010 Tomas Mraz - 0.11.13-6
+- fix buffer overflow on rogue card serial numbers
+
+* Tue Oct 19 2010 Tomas Mraz - 0.11.13-5
+- own the _libdir/pkcs11 subdirectory (#644527)
+
+* Tue Sep 7 2010 Tomas Mraz - 0.11.13-4
+- fix build with new pcsc-lite
+
+* Wed Aug 11 2010 Rex Dieter - 0.11.13-3
+- build against libassuan1 (f14+)
+
+* Wed Jun 9 2010 Tomas Mraz - 0.11.13-2
+- replace file dependency (#601943)
+
+* Tue Feb 16 2010 Kalev Lember - 0.11.13-1
+- new upstream version
+
+* Sun Feb 14 2010 Kalev Lember - 0.11.12-2
+- Added patch to fix linking with the new --no-add-needed default (#564758)
+
+* Mon Dec 21 2009 Kalev Lember - 0.11.12-1
+- new upstream version
+- replaced %%define with %%global
+- BR clean up from items not applicable to current Fedora releases
+
+* Tue Dec 8 2009 Michael Schwendt - 0.11.11-2
+- Explicitly BR libassuan-static in accordance with the Packaging
+ Guidelines (libassuan-devel is still static-only).
+
+* Thu Nov 19 2009 Tomas Mraz - 0.11.11-1
+- new upstream version
+
+* Tue Sep 29 2009 Tomas Mraz - 0.11.9-2
+- fix multilib conflict in the configuration file (#526269)
+
+* Wed Sep 09 2009 Tomas Mraz - 0.11.9-1
+- new upstream version
+
+* Fri Aug 21 2009 Tomas Mraz - 0.11.8-5
+- rebuilt with new openssl
+
+* Mon Jul 27 2009 Tomas Mraz - 0.11.8-4
+- Depend on specific arch of pcsc-lite-libs (reported by Kalev Lember)
+
+* Sat Jul 25 2009 Fedora Release Engineering - 0.11.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Mon Jun 15 2009 Tomas Mraz - 0.11.8-2
+- Rebuilt with new openct
+
+* Mon May 11 2009 Tomas Mraz - 0.11.8-1
+- new upstream version - fixes security issue
+
+* Fri Feb 27 2009 Tomas Mraz - 0.11.7-1
+- new upstream version - fixes CVE-2009-0368
+
+* Thu Feb 26 2009 Fedora Release Engineering - 0.11.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Thu Jan 15 2009 Tomas Mraz - 0.11.6-2
+- Add explicit requires for pcsc-lite-libs. Dlopen libpcsclite with the full
+ soname.
+
+* Tue Sep 2 2008 Tomas Mraz - 0.11.6-1
+- Update to latest upstream, fixes CVE-2008-2235
+
+* Thu Apr 10 2008 Hans de Goede - 0.11.4-5
+- BuildRequire libassuan-devel instead of libassuan-static (bz 441812)
+
+* Tue Feb 19 2008 Fedora Release Engineering - 0.11.4-4
+- Autorebuild for GCC 4.3
+
+* Wed Dec 05 2007 Release Engineering - 0.11.4-3
+ - Rebuild for deps
+
+* Wed Dec 5 2007 Ville Skyttä - 0.11.4-2
+- Rebuild.
+
+* Mon Sep 10 2007 Ville Skyttä - 0.11.4-1
+- 0.11.4.
+
+* Mon Aug 20 2007 Ville Skyttä - 0.11.4-0.1.rc1
+- 0.11.4-rc1, pkcs11-tool usage message fix applied upstream.
+- License: LGPLv2+
+
+* Thu Jul 26 2007 Ville Skyttä - 0.11.3-2
+- Fix pkcs11-tool usage message crash (#249702).
+
+* Tue Jul 17 2007 Ville Skyttä - 0.11.3-1
+- 0.11.3.
+
+* Sat Jun 30 2007 Ville Skyttä - 0.11.3-0.1.pre2
+- 0.11.3-pre2.
+
+* Thu Jun 21 2007 Ville Skyttä - 0.11.3-0.1.pre1
+- 0.11.3-pre1.
+
+* Sun May 6 2007 Ville Skyttä - 0.11.2-2
+- Add explicit build dependency on ncurses-devel.
+
+* Sat May 5 2007 Ville Skyttä - 0.11.2-1
+- 0.11.2.
+
+* Tue Apr 24 2007 Ville Skyttä - 0.11.2-0.3.rc2
+- 0.11.2-rc2.
+
+* Fri Mar 23 2007 Ville Skyttä - 0.11.2-0.3.rc1
+- 0.11.2-rc1.
+
+* Thu Mar 15 2007 Ville Skyttä - 0.11.2-0.2.pre6
+- 0.11.2-pre6.
+
+* Tue Mar 6 2007 Ville Skyttä - 0.11.2-0.2.pre4
+- 0.11.2-pre4.
+- Require pinentry-gui instead of the pinentry executable in signer.
+
+* Sun Dec 3 2006 Ville Skyttä - 0.11.2-0.1.pre3
+- 0.11.2-pre3.
+- Build with new libassuan.
+- Don't run autotools during build.
+- Adjust to readline/termcap/ncurses changes.
+
+* Sat Oct 14 2006 Ville Skyttä - 0.11.1-6
+- Rebuild with new libassuan.
+
+* Sun Oct 8 2006 Ville Skyttä - 0.11.1-5
+- Rebuild with new libassuan.
+
+* Mon Oct 2 2006 Ville Skyttä - 0.11.1-4
+- Rebuild.
+
+* Tue Sep 26 2006 Ville Skyttä - 0.11.1-3
+- Rebuild with new libassuan.
+
+* Sat Sep 2 2006 Ville Skyttä - 0.11.1-2
+- Rebuild.
+
+* Wed May 31 2006 Ville Skyttä - 0.11.1-1
+- 0.11.1.
+- Avoid some multilib conflicts.
+
+* Sun May 7 2006 Ville Skyttä - 0.11.0-2
+- Sync example paths in openct.conf with ctapi-common.
+- Update URL.
+
+* Thu May 4 2006 Ville Skyttä - 0.11.0-1
+- 0.11.0.
+
+* Thu Apr 27 2006 Ville Skyttä - 0.11.0-0.1.rc2
+- 0.11.0-rc2.
+
+* Sat Apr 22 2006 Ville Skyttä - 0.11.0-0.1.rc1
+- 0.11.0-rc1.
+
+* Mon Mar 6 2006 Ville Skyttä - 0.10.1-3
+- Rebuild.
+
+* Wed Feb 15 2006 Ville Skyttä - 0.10.1-2
+- Avoid standard rpaths on lib64 archs.
+
+* Sun Jan 8 2006 Ville Skyttä - 0.10.1-1
+- 0.10.1.
+
+* Wed Nov 9 2005 Ville Skyttä - 0.10.0-1
+- 0.10.0.
+- Adapt to modularized X.Org.
+
+* Wed Oct 26 2005 Ville Skyttä - 0.10.0-0.1.rc2
+- 0.10.0-rc2.
+- Install signer plugin only to plugin dir.
+
+* Sat Oct 22 2005 Ville Skyttä - 0.10.0-0.1.rc1
+- 0.10.0-rc1.
+
+* Wed Oct 19 2005 Ville Skyttä - 0.10.0-0.1.beta2.rc1
+- 0.10.0-beta2-rc1.
+- Specfile cleanups.
+
+* Tue Apr 26 2005 Ville Skyttä - 0.9.6-2
+- 0.9.6, build patch applied upstream.
+- Package summary and description improvements.
+- Drop explicit openct dependency.
+
+* Fri Mar 18 2005 Ville Skyttä - 0.9.4-3
+- Fix FC4 build.
+- Rename opensc-pam to pam_opensc per package naming guidelines.
+
+* Wed Feb 9 2005 Michael Schwendt - 0.9.4-2
+- Substitute hardcoded 'lib' in OpenSSL checks for multi-lib platforms.
+- Use --with-plugin-dir instead of --with-plugin-path (fixes x86_64).
+
+* Thu Feb 3 2005 Ville Skyttä - 0.9.4-1
+- Drop unnecessary Epochs, pre-FC1 compat cruft, and no longer relevant
+ --with(out) rpmbuild options.
+- Exclude *.la.
+
+* Wed Nov 3 2004 Ville Skyttä - 0:0.9.4-0.fdr.1
+- Update to 0.9.4, parallel build patch applied upstream.
+- Patch to fix library paths and LDFLAGS.
+- Don't require mozilla, but the plugin dir in signer.
+- Build with dependency tracking disabled.
+
+* Tue Jul 27 2004 Ville Skyttä - 0:0.9.2-0.fdr.2
+- Building the signer plugin can be disabled with "--without signer".
+ Thanks to Fritz Elfert for the idea.
+- Update description.
+
+* Sun Jul 25 2004 Ville Skyttä - 0:0.9.2-0.fdr.1
+- Update to 0.9.2, old patches applied upstream.
+- Add patch to fix parallel builds.
+- Convert man pages to UTF-8.
+
+* Thu Jul 22 2004 Ville Skyttä - 0:0.9.1-0.fdr.1
+- Update to 0.9.1 (preview).
+
+* Thu Jul 1 2004 Ville Skyttä - 0:0.9.0-0.fdr.0.1.alpha
+- Update to 0.9.0-alpha.
+
+* Sat May 1 2004 Ville Skyttä - 0:0.8.1-0.fdr.8
+- Rebuild with libassuan 0.6.5.
+
+* Sat Jan 31 2004 Ville Skyttä - 0:0.8.1-0.fdr.7
+- Rebuild with libassuan 0.6.3.
+- Add gdm example to PAM quickstart.
+
+* Mon Jan 19 2004 Ville Skyttä - 0:0.8.1-0.fdr.6
+- Use /%%{_lib} instead of hardcoding /lib.
+
+* Sat Dec 20 2003 Ville Skyttä - 0:0.8.1-0.fdr.5
+- Split PAM support into a subpackage.
+- Rebuild with libassuan 0.6.2.
+
+* Sun Nov 23 2003 Ville Skyttä - 0:0.8.1-0.fdr.4
+- Rebuild with libassuan 0.6.1.
+- Include PAM quickstart doc snippet.
+
+* Fri Nov 14 2003 Ville Skyttä - 0:0.8.1-0.fdr.3
+- Require OpenCT.
+
+* Fri Oct 17 2003 Ville Skyttä - 0:0.8.1-0.fdr.2
+- Install example config files as documentation.
+
+* Tue Oct 14 2003 Ville Skyttä - 0:0.8.1-0.fdr.1
+- Update to 0.8.1.
+
+* Wed Aug 27 2003 Ville Skyttä - 0:0.8.0-0.fdr.2
+- Signer can be built with oldssl too.
+
+* Wed Aug 27 2003 Ville Skyttä - 0:0.8.0-0.fdr.1
+- Update to 0.8.0.
+
+* Wed Jul 30 2003 Ville Skyttä - 0:0.8.0-0.fdr.0.2.cvs20030730
+- Update to 20030730.
+- Clean up %%docs.
+- Include *.la (uses ltdl).
+- Own the %%{_libdir}/pkcs11 directory.
+- Disable signer; assuan has disappeared from the tarball :(
+
+* Fri May 23 2003 Ville Skyttä - 0:0.8.0-0.fdr.0.1.rc1
+- First build.
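Review bot: In %install, `find $RPM_BUILD_ROOT%{_libdir} -type f -name "*.la" | xargs rm` would abort the build with `rm: missing operand` the day libtool stops emitting .la files, because xargs still runs rm once on empty input; `find $RPM_BUILD_ROOT%{_libdir} -type f -name "*.la" -delete` (or `xargs -r rm`) removes that dependency on libtool output. The %files list still packages `%{_libdir}/pkgconfig/*.pc` while the comment above the libopensc.so removal says upstream no longer ships pkgconfig files; presumably only the PKCS#11 .pc remains, and the comment could say which file is meant to survive so the two do not look contradictory. `%%dir %{_libdir}/pkcs11` in %files reads as an escaped literal rather than the `%dir` directive; if directory ownership of that path is intended (the 0.11.13-5 changelog entry says it is), it is worth confirming the double percent still achieves that on this rpm version.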