- Security fix: [CVE-2024-8443, bsc#1230364]

* opensc: heap buffer overflow in OpenPGP driver when generating key
    * Added patch: opensc-CVE-2024-8443.patch

- Security fix: [opensc-CVE-2024-45620, bsc#1230076]
- Security fix: [opensc-CVE-2024-45619, bsc#1230075]
- Security fix: [opensc-CVE-2024-45618, bsc#1230074]
- Security fix: [opensc-CVE-2024-45617, bsc#1230073]
- Security fix: [opensc-CVE-2024-45616, bsc#1230072]
- Security fix: [opensc-CVE-2024-45615, bsc#1230071]
  * opensc: pkcs15init: Usage of uninitialized values in libopensc and pkcs15init
  * opensc: Uninitialized values after incorrect check or usage of APDU response values in libopensc
  * opensc: Uninitialized values after incorrect or missing checking return values of functions in libopensc
  * opensc: Uninitialized values after incorrect or missing checking return values of functions in pkcs15init
  * opensc: Incorrect handling length of buffers or files in libopensc
  * opensc: Incorrect handling of the length of buffers or files in pkcs15init
  * Added patches:
    - opensc-CVE-2024-45615.patch
    - opensc-CVE-2024-45616.patch
    - opensc-CVE-2024-45617.patch
    - opensc-CVE-2024-45618.patch
    - opensc-CVE-2024-45619.patch
    - opensc-CVE-2024-45620.patch

OBS-URL: https://build.opensuse.org/package/show/security:chipcard/opensc?expand=0&rev=88
Angel Yankov 2024-10-02 13:32:39 +00:00 committed by Git OBS Bridge
commit 24eb6f5b62
17 changed files with 2040 additions and 0 deletions

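--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text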

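--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc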

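--- /dev/null
+++ b/baselibs.conf
@@ -0,0 +1,5 @@
+opensc
++/usr/lib(64)?/*.la
++/usr/lib(64)?/*.so*
++/usr/lib(64)?/pkcs11/*.so
+requires "opensc = <version>"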

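--- /dev/null
+++ b/opensc-0.25.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:23cbaae8bd7c8eb589b68c0a961dfb0d02007bea3165a3fc5efe2621d549b37b
+size 2395579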

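--- /dev/null
+++ b/opensc-CVE-2024-45615.patch
@@ -0,0 +1,111 @@
+commit 5e4f26b510b04624386c54816bf26aacea0fe4a1
+Author: Veronika Hanulíková <vhanulik@redhat.com>
+Date: Thu Jul 11 14:58:25 2024 +0200
+cac: Fix uninitialized values
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+fuzz_card/1,fuzz_pkcs11/6
+Index: opensc-0.25.1/src/libopensc/card-cac.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/card-cac.c
++++ opensc-0.25.1/src/libopensc/card-cac.c
+@@ -252,7 +252,7 @@ static int cac_apdu_io(sc_card_t *card,
+size_t * recvbuflen)
+{
+int r;
+- sc_apdu_t apdu;
++ sc_apdu_t apdu = {0};
+u8 rbufinitbuf[CAC_MAX_SIZE];
+u8 *rbuf;
+size_t rbuflen;
+@@ -389,13 +389,13 @@ fail:
+static int cac_read_file(sc_card_t *card, int file_type, u8 **out_buf, size_t *out_len)
+{
+u8 params[2];
+- u8 count[2];
++ u8 count[2] = {0};
+u8 *out = NULL;
+- u8 *out_ptr;
++ u8 *out_ptr = NULL;
+size_t offset = 0;
+size_t size = 0;
+size_t left = 0;
+- size_t len;
++ size_t len = 0;
+int r;
+params[0] = file_type;
+@@ -458,7 +458,7 @@ static int cac_read_binary(sc_card_t *ca
+const u8 *tl_ptr, *val_ptr, *tl_start;
+u8 *tlv_ptr;
+const u8 *cert_ptr;
+- size_t tl_len, val_len, tlv_len;
++ size_t tl_len = 0, val_len = 0, tlv_len;
+size_t len, tl_head_len, cert_len;
+u8 cert_type, tag;
+@@ -1519,7 +1519,7 @@ static int cac_parse_CCC(sc_card_t *card
+static int cac_process_CCC(sc_card_t *card, cac_private_data_t *priv, int depth)
+{
+u8 *tl = NULL, *val = NULL;
+- size_t tl_len, val_len;
++ size_t tl_len = 0, val_len = 0;
+int r;
+if (depth > CAC_MAX_CCC_DEPTH) {
+Index: opensc-0.25.1/src/libopensc/card-piv.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/card-piv.c
++++ opensc-0.25.1/src/libopensc/card-piv.c
+@@ -4425,7 +4425,7 @@ static int piv_get_challenge(sc_card_t *
+const u8 *p;
+size_t out_len = 0;
+int r;
+- unsigned int tag_out, cla_out;
++ unsigned int tag_out = 0, cla_out = 0;
+piv_private_data_t * priv = PIV_DATA(card);
+LOG_FUNC_CALLED(card->ctx);
+Index: opensc-0.25.1/src/libopensc/pkcs15-cert.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/pkcs15-cert.c
++++ opensc-0.25.1/src/libopensc/pkcs15-cert.c
+@@ -169,7 +169,7 @@ sc_pkcs15_get_name_from_dn(struct sc_con
+for (next_ava = rdn, next_ava_len = rdn_len; next_ava_len; ) {
+const u8 *ava, *dummy, *oidp;
+struct sc_object_id oid;
+- size_t ava_len, dummy_len, oid_len;
++ size_t ava_len = 0, dummy_len, oid_len = 0;
+/* unwrap the set and point to the next ava */
+ava = sc_asn1_skip_tag(ctx, &next_ava, &next_ava_len, SC_ASN1_TAG_SET | SC_ASN1_CONS, &ava_len);
+Index: opensc-0.25.1/src/libopensc/pkcs15-sc-hsm.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/pkcs15-sc-hsm.c
++++ opensc-0.25.1/src/libopensc/pkcs15-sc-hsm.c
+@@ -386,7 +386,7 @@ int sc_pkcs15emu_sc_hsm_decode_cvc(sc_pk
+struct sc_asn1_entry asn1_cvcert[C_ASN1_CVCERT_SIZE];
+struct sc_asn1_entry asn1_cvc_body[C_ASN1_CVC_BODY_SIZE];
+struct sc_asn1_entry asn1_cvc_pubkey[C_ASN1_CVC_PUBKEY_SIZE];
+- unsigned int cla,tag;
++ unsigned int cla = 0, tag = 0;
+size_t taglen;
+const u8 *tbuf;
+int r;
+Index: opensc-0.25.1/src/pkcs15init/profile.c
+===================================================================
+--- opensc-0.25.1.orig/src/pkcs15init/profile.c
++++ opensc-0.25.1/src/pkcs15init/profile.c
+@@ -1809,7 +1809,7 @@ do_pin_storedlength(struct state *cur, i
+static int
+do_pin_flags(struct state *cur, int argc, char **argv)
+{
+- unsigned int flags;
++ unsigned int flags = 0;
+int i, r;
+if (cur->pin->pin.auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN)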
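Review bot: The card-cac.c and pkcs15-cert.c hunks initialise only some of the variables in a shared declaration: `size_t tl_len = 0, val_len = 0, tlv_len;` leaves tlv_len uninitialised and `size_t ava_len = 0, dummy_len, oid_len = 0;` leaves dummy_len, so a reader cannot tell whether those two were deliberately excluded or simply overlooked. If both are assigned on every path before they are read, a short comment saying so would settle it; otherwise initialising them as well keeps the declaration uniform, e.g. `size_t tl_len = 0, val_len = 0, tlv_len = 0;` and `size_t ava_len = 0, dummy_len = 0, oid_len = 0;`. The enclosing functions cac_read_binary and sc_pkcs15_get_name_from_dn start and end outside these hunks, so the later uses are not visible here.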

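--- /dev/null
+++ b/opensc-CVE-2024-45616.patch
@@ -0,0 +1,233 @@
+commit 1d3b410e06d33cfc4c70e8a25386e456cfbd7bd1
+Author: Veronika Hanulíková <vhanulik@redhat.com>
+Date: Thu Jul 11 15:27:19 2024 +0200
+cardos: Fix uninitialized values
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+fuzz_card/2
+Index: opensc-0.25.1/src/libopensc/card-cardos.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/card-cardos.c
++++ opensc-0.25.1/src/libopensc/card-cardos.c
+@@ -94,14 +94,14 @@ static void fixup_transceive_length(cons
+static int cardos_match_card(sc_card_t *card)
+{
+- unsigned char atr[SC_MAX_ATR_SIZE];
++ unsigned char atr[SC_MAX_ATR_SIZE] = {0};
+int i;
+i = _sc_match_atr(card, cardos_atrs, &card->type);
+if (i < 0)
+return 0;
+- memcpy(atr, card->atr.value, sizeof(atr));
++ memcpy(atr, card->atr.value, card->atr.len);
+/* Do not change card type for CIE! */
+if (card->type == SC_CARD_TYPE_CARDOS_CIE_V1)
+@@ -114,8 +114,8 @@ static int cardos_match_card(sc_card_t *
+return 1;
+if (card->type == SC_CARD_TYPE_CARDOS_M4_2) {
+int rv;
+- sc_apdu_t apdu;
+- u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
++ sc_apdu_t apdu = {0};
++ u8 rbuf[SC_MAX_APDU_BUFFER_SIZE] = {0};
+/* first check some additional ATR bytes */
+if ((atr[4] != 0xff && atr[4] != 0x02) ||
+(atr[6] != 0x10 && atr[6] != 0x0a) ||
+@@ -131,7 +131,7 @@ static int cardos_match_card(sc_card_t *
+apdu.lc = 0;
+rv = sc_transmit_apdu(card, &apdu);
+LOG_TEST_RET(card->ctx, rv, "APDU transmit failed");
+- if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00)
++ if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00 || apdu.resplen < 2)
+return 0;
+if (apdu.resp[0] != atr[10] ||
+apdu.resp[1] != atr[11])
+Index: opensc-0.25.1/src/libopensc/card-cac1.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/card-cac1.c
++++ opensc-0.25.1/src/libopensc/card-cac1.c
+@@ -92,12 +92,12 @@ static int cac_cac1_get_certificate(sc_c
+if (apdu.sw1 != 0x63 || apdu.sw2 < 1) {
+/* we've either finished reading, or hit an error, break */
+r = sc_check_sw(card, apdu.sw1, apdu.sw2);
+- left -= len;
++ left -= apdu.resplen;
+break;
+}
+/* Adjust the lengths */
+- left -= len;
+- out_ptr += len;
++ left -= apdu.resplen;
++ out_ptr += apdu.resplen;
+len = MIN(left, apdu.sw2);
+}
+if (r < 0) {
+Index: opensc-0.25.1/src/libopensc/card-oberthur.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/card-oberthur.c
++++ opensc-0.25.1/src/libopensc/card-oberthur.c
+@@ -148,7 +148,7 @@ auth_select_aid(struct sc_card *card)
+{
+struct sc_apdu apdu;
+unsigned char apdu_resp[SC_MAX_APDU_BUFFER_SIZE];
+- struct auth_private_data *data = (struct auth_private_data *) card->drv_data;
++ struct auth_private_data *data = (struct auth_private_data *)card->drv_data;
+int rv, ii;
+struct sc_path tmp_path;
+@@ -165,6 +165,9 @@ auth_select_aid(struct sc_card *card)
+rv = sc_transmit_apdu(card, &apdu);
+LOG_TEST_RET(card->ctx, rv, "APDU transmit failed");
++ if (apdu.resplen < 20) {
++ LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Serial number has incorrect length");
++ }
+card->serialnr.len = 4;
+memcpy(card->serialnr.value, apdu.resp+15, 4);
+Index: opensc-0.25.1/src/libopensc/card-gids.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/card-gids.c
++++ opensc-0.25.1/src/libopensc/card-gids.c
+@@ -231,6 +231,7 @@ static int gids_get_DO(sc_card_t* card,
+size_t datasize = 0;
+const u8* p;
+u8 buffer[MAX_GIDS_FILE_SIZE];
++ size_t buffer_len = sizeof(buffer);
+SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
+sc_log(card->ctx,
+@@ -244,14 +245,15 @@ static int gids_get_DO(sc_card_t* card,
+apdu.data = data;
+apdu.datalen = 04;
+apdu.resp = buffer;
+- apdu.resplen = sizeof(buffer);
++ apdu.resplen = buffer_len;
+apdu.le = 256;
+r = sc_transmit_apdu(card, &apdu);
+LOG_TEST_RET(card->ctx, r, "gids get data failed");
+LOG_TEST_RET(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2), "invalid return");
++ buffer_len = apdu.resplen;
+- p = sc_asn1_find_tag(card->ctx, buffer, sizeof(buffer), dataObjectIdentifier, &datasize);
++ p = sc_asn1_find_tag(card->ctx, buffer, buffer_len, dataObjectIdentifier, &datasize);
+if (!p) {
+LOG_FUNC_RETURN(card->ctx, SC_ERROR_FILE_NOT_FOUND);
+}
+Index: opensc-0.25.1/src/libopensc/asn1.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/asn1.c
++++ opensc-0.25.1/src/libopensc/asn1.c
+@@ -68,7 +68,7 @@ int sc_asn1_read_tag(const u8 ** buf, si
+*buf = NULL;
+- if (left == 0 || !p)
++ if (left == 0 || !p || buflen == 0)
+return SC_ERROR_INVALID_ASN1_OBJECT;
+if (*p == 0xff || *p == 0) {
+/* end of data reached */
+@@ -83,6 +83,8 @@ int sc_asn1_read_tag(const u8 ** buf, si
+*/
+cla = (*p & SC_ASN1_TAG_CLASS) | (*p & SC_ASN1_TAG_CONSTRUCTED);
+tag = *p & SC_ASN1_TAG_PRIMITIVE;
++ if (left < 1)
++ return SC_ERROR_INVALID_ASN1_OBJECT;
+p++;
+left--;
+if (tag == SC_ASN1_TAG_PRIMITIVE) {
+Index: opensc-0.25.1/src/libopensc/card-dnie.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/card-dnie.c
++++ opensc-0.25.1/src/libopensc/card-dnie.c
+@@ -1172,12 +1172,16 @@ static int dnie_compose_and_send_apdu(sc
+if (file_out) {
+/* finally process FCI response */
++ size_t len = apdu.resp[1];
+sc_file_free(*file_out);
+*file_out = sc_file_new();
+if (*file_out == NULL) {
+LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);
+}
+- res = card->ops->process_fci(card, *file_out, apdu.resp + 2, apdu.resp[1]);
++ if (apdu.resplen - 2 < len || len < 1) {
++ LOG_FUNC_RETURN(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED);
++ }
++ res = card->ops->process_fci(card, *file_out, apdu.resp + 2, len);
+}
+LOG_FUNC_RETURN(ctx, res);
+}
+@@ -1935,7 +1939,7 @@ static int dnie_process_fci(struct sc_ca
+int *op = df_acl;
+int n = 0;
+sc_context_t *ctx = NULL;
+- if ((card == NULL) || (card->ctx == NULL) || (file == NULL))
++ if ((card == NULL) || (card->ctx == NULL) || (file == NULL) || buflen == 0)
+return SC_ERROR_INVALID_ARGUMENTS;
+ctx = card->ctx;
+LOG_FUNC_CALLED(ctx);
+Index: opensc-0.25.1/src/libopensc/muscle.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/muscle.c
++++ opensc-0.25.1/src/libopensc/muscle.c
+@@ -111,13 +111,15 @@ int sc_partial_read_object(sc_card_t *c
+int msc_read_object(sc_card_t *card, msc_id objectId, int offset, u8 *data, size_t dataLength)
+{
+- int r;
++ int r = 0;
+unsigned int i;
+size_t max_read_unit = MSC_MAX_READ;
+- for(i = 0; i < dataLength; i += max_read_unit) {
++ for(i = 0; i < dataLength; i += r) {
+r = msc_partial_read_object(card, objectId, offset + i, data + i, MIN(dataLength - i, max_read_unit));
+LOG_TEST_RET(card->ctx, r, "Error in partial object read");
++ if (r == 0)
++ break;
+}
+return (int)dataLength;
+}
+@@ -154,7 +156,7 @@ int msc_create_object(sc_card_t *card, m
+ushort2bebytes(buffer + 12, deleteAcl);
+r = sc_transmit_apdu(card, &apdu);
+LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
+- if(apdu.sw1 == 0x90 && apdu.sw2 == 0x00)
++ if(apdu.sw1 == 0x90 && apdu.sw2 == 0x00)
+return (int)objectSize;
+if(apdu.sw1 == 0x9C) {
+if(apdu.sw2 == 0x01) {
+@@ -170,7 +172,7 @@ int msc_create_object(sc_card_t *card, m
+apdu.sw1, apdu.sw2);
+}
+msc_zero_object(card, objectId, objectSize);
+- return (int)objectSize;
++ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_UNKNOWN_DATA_RECEIVED);
+}
+/* Update up to MSC_MAX_READ - 9 bytes */
+Index: opensc-0.25.1/src/libopensc/card-entersafe.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/card-entersafe.c
++++ opensc-0.25.1/src/libopensc/card-entersafe.c
+@@ -1479,7 +1479,9 @@ static int entersafe_get_serialnr(sc_car
+r=entersafe_transmit_apdu(card, &apdu,0,0,0,0);
+LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
+LOG_TEST_RET(card->ctx, sc_check_sw(card,apdu.sw1,apdu.sw2),"EnterSafe get SN failed");
+-
++ if (apdu.resplen != 8)
++ LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of SN");
++
+card->serialnr.len=serial->len=8;
+memcpy(card->serialnr.value,rbuf,8);
+memcpy(serial->value,rbuf,8);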
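Review bot: In the card-dnie.c hunk the new guard `if (apdu.resplen - 2 < len || len < 1)` subtracts on a size_t, so for a response of 0 or 1 bytes `apdu.resplen - 2` wraps to a huge value and the guard passes for exactly the short responses it is meant to reject; on top of that, `size_t len = apdu.resp[1];` has already read the second response byte before any length check runs. Test the length first and read the byte only afterwards: declare `size_t len;`, then `if (apdu.resplen < 2 || apdu.resplen - 2 < apdu.resp[1] || apdu.resp[1] < 1) LOG_FUNC_RETURN(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED);` followed by `len = apdu.resp[1];`. Whether apdu.resp points at a fixed-size, zero-initialised buffer (which would make the early read merely stale rather than out of bounds) is not visible here; dnie_compose_and_send_apdu begins outside the hunk.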


@ -0,0 +1,55 @@
commit fdb9e903eb124b6b18a5a9350a26eceb775585bc
Author: Veronika Hanulíková <vhanulik@redhat.com>
Date: Tue Jul 16 14:05:36 2024 +0200
cac: Check return value when selecting AID
Thanks Matteo Marini for report
https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
fuzz_pkcs11/14
Index: opensc-0.22.0/src/libopensc/card-cac.c
===================================================================
--- opensc-0.22.0.orig/src/libopensc/card-cac.c
+++ opensc-0.22.0/src/libopensc/card-cac.c
@@ -1302,10 +1302,10 @@ static int cac_parse_aid(sc_card_t *card
/* Call without OID set will just select the AID without subsequent
* OID selection, which we need to figure out just now
*/
- cac_select_file_by_type(card, &new_object.path, NULL);
+ r = cac_select_file_by_type(card, &new_object.path, NULL);
+ LOG_TEST_RET(card->ctx, r, "Cannot select AID");
r = cac_get_properties(card, &prop);
- if (r < 0)
- return SC_ERROR_INTERNAL;
+ LOG_TEST_RET(card->ctx, r, "Cannot get CAC properties");
for (i = 0; i < prop.num_objects; i++) {
/* don't fail just because we have more certs than we can support */
Index: opensc-0.22.0/src/libopensc/card-cardos.c
===================================================================
--- opensc-0.22.0.orig/src/libopensc/card-cardos.c
+++ opensc-0.22.0/src/libopensc/card-cardos.c
@@ -1277,7 +1277,7 @@ cardos_lifecycle_get(sc_card_t *card, in
LOG_TEST_RET(card->ctx, r, "Card returned error");
if (apdu.resplen < 1) {
- LOG_TEST_RET(card->ctx, r, "Lifecycle byte not in response");
+ LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Lifecycle byte not in response");
}
r = SC_SUCCESS;
Index: opensc-0.22.0/src/libopensc/card-jpki.c
===================================================================
--- opensc-0.22.0.orig/src/libopensc/card-jpki.c
+++ opensc-0.22.0/src/libopensc/card-jpki.c
@@ -195,6 +195,8 @@ jpki_select_file(struct sc_card *card,
u8 buf[4];
rc = sc_read_binary(card, 0, buf, 4, 0);
LOG_TEST_RET(card->ctx, rc, "SW Check failed");
+ if (rc < 4)
+ LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Received data too short");
file = sc_file_new();
if (!file) {
LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);


@ -0,0 +1,67 @@
commit 8632ec172beda894581d67eaa991e519a7874f7d
Author: Veronika Hanulíková <vhanulik@redhat.com>
Date: Wed Jul 17 11:18:52 2024 +0200
pkcs15-tcos: Check return value of serial num conversion
Thanks Matteo Marini for report
https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
fuzz_pkcs15_encode/21
diff --git a/src/libopensc/pkcs15-tcos.c b/src/libopensc/pkcs15-tcos.c
index 4d02a98ee..2bd275c4f 100644
--- a/src/libopensc/pkcs15-tcos.c
+++ b/src/libopensc/pkcs15-tcos.c
@@ -531,10 +531,15 @@ int sc_pkcs15emu_tcos_init_ex(
/* get the card serial number */
r = sc_card_ctl(card, SC_CARDCTL_GET_SERIALNR, &serialnr);
if (r < 0) {
- sc_log(ctx, "unable to get ICCSN\n");
+ sc_log(ctx, "unable to get ICCSN");
return SC_ERROR_WRONG_CARD;
}
- sc_bin_to_hex(serialnr.value, serialnr.len , serial, sizeof(serial), 0);
+ r = sc_bin_to_hex(serialnr.value, serialnr.len, serial, sizeof(serial), 0);
+ if (r != SC_SUCCESS) {
+ sc_log(ctx, "serial number invalid");
+ return SC_ERROR_INTERNAL;
+ }
+
serial[19] = '\0';
set_string(&p15card->tokeninfo->serial_number, serial);
commit f9d68660f032ad4d7803431d5fc7577ea8792ac3
Author: Veronika Hanulíková <vhanulik@redhat.com>
Date: Wed Jul 17 14:56:22 2024 +0200
pkcs15-lib: Report transport key error
Thanks Matteo Marini for report
https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
fuzz_pkcs15init/17, fuzz_pkcs15init/18
diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c
index 6574e8025..943d53e98 100644
--- a/src/pkcs15init/pkcs15-lib.c
+++ b/src/pkcs15init/pkcs15-lib.c
@@ -3831,13 +3831,15 @@ sc_pkcs15init_get_transport_key(struct sc_profile *profile, struct sc_pkcs15_car
if (callbacks.get_key) {
rv = callbacks.get_key(profile, type, reference, defbuf, defsize, pinbuf, pinsize);
LOG_TEST_RET(ctx, rv, "Cannot get key");
- }
- else if (rv >= 0) {
+ } else if (rv >= 0) {
if (*pinsize < defsize)
LOG_TEST_RET(ctx, SC_ERROR_BUFFER_TOO_SMALL, "Get transport key error");
memcpy(pinbuf, data.key_data, data.len);
*pinsize = data.len;
+ } else {
+ /* pinbuf and pinsize were not filled */
+ LOG_TEST_RET(ctx, SC_ERROR_INTERNAL, "Get transport key error");
}
memset(&auth_info, 0, sizeof(auth_info));

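--- /dev/null
+++ b/opensc-CVE-2024-45619.patch
@@ -0,0 +1,212 @@
+commit f01bfbd19b9c8243a40f7f17d554fe0eb9e89d0d
+Author: Veronika Hanulíková <vhanulik@redhat.com>
+Date: Tue Jul 16 14:22:02 2024 +0200
+pkcs15-tcos: Check number of read bytes for cert
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+fuzz_pkcs11/15
+Index: opensc-0.25.1/src/libopensc/pkcs15-tcos.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/pkcs15-tcos.c
++++ opensc-0.25.1/src/libopensc/pkcs15-tcos.c
+@@ -45,6 +45,7 @@ static int insert_cert(
+struct sc_pkcs15_cert_info cert_info;
+struct sc_pkcs15_object cert_obj;
+unsigned char cert[20];
++ size_t cert_len = 0;
+int r;
+memset(&cert_info, 0, sizeof(cert_info));
+@@ -57,24 +58,31 @@ static int insert_cert(
+strlcpy(cert_obj.label, label, sizeof(cert_obj.label));
+cert_obj.flags = writable ? SC_PKCS15_CO_FLAG_MODIFIABLE : 0;
+- if(sc_select_file(card, &cert_info.path, NULL)!=SC_SUCCESS){
+- sc_log(ctx,
+- "Select(%s) failed\n", path);
++ if (sc_select_file(card, &cert_info.path, NULL) != SC_SUCCESS) {
++ sc_log(ctx, "Select(%s) failed", path);
+return 1;
+}
+- if(sc_read_binary(card, 0, cert, sizeof(cert), 0)<0){
+- sc_log(ctx,
+- "ReadBinary(%s) failed\n", path);
++ r = sc_read_binary(card, 0, cert, sizeof(cert), 0);
++ if (r <= 0) {
++ sc_log(ctx, "ReadBinary(%s) failed\n", path);
+return 2;
+}
+- if(cert[0]!=0x30 || cert[1]!=0x82){
+- sc_log(ctx,
+- "Invalid Cert: %02X:%02X:...\n", cert[0], cert[1]);
++ cert_len = r; /* actual number of read bytes */
++ if (cert_len < 7 || (size_t)(7 + cert[5]) > cert_len) {
++ sc_log(ctx, "Invalid certificate length");
++ return 3;
++ }
++ if (cert[0] != 0x30 || cert[1] != 0x82) {
++ sc_log(ctx, "Invalid Cert: %02X:%02X:...\n", cert[0], cert[1]);
+return 3;
+}
+/* some certificates are prefixed by an OID */
+- if(cert[4]==0x06 && cert[5]<10 && cert[6+cert[5]]==0x30 && cert[7+cert[5]]==0x82){
++ if (cert[4] == 0x06 && cert[5] < 10 && cert[6 + cert[5]] == 0x30 && cert[7 + cert[5]] == 0x82) {
++ if ((size_t)(9 + cert[5]) > cert_len) {
++ sc_log(ctx, "Invalid certificate length");
++ return 3;
++ }
+cert_info.path.index=6+cert[5];
+cert_info.path.count=(cert[8+cert[5]]<<8) + cert[9+cert[5]] + 4;
+} else {
+@@ -82,12 +90,12 @@ static int insert_cert(
+cert_info.path.count=(cert[2]<<8) + cert[3] + 4;
+}
+- r=sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info);
+- if(r!=SC_SUCCESS){
+- sc_log(ctx, "sc_pkcs15emu_add_x509_cert(%s) failed\n", path);
++ r = sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info);
++ if (r != SC_SUCCESS) {
++ sc_log(ctx, "sc_pkcs15emu_add_x509_cert(%s) failed", path);
+return 4;
+}
+- sc_log(ctx, "%s: OK, Index=%d, Count=%d\n", path, cert_info.path.index, cert_info.path.count);
++ sc_log(ctx, "%s: OK, Index=%d, Count=%d", path, cert_info.path.index, cert_info.path.count);
+return 0;
+}
+Index: opensc-0.25.1/src/libopensc/pkcs15-gemsafeV1.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/pkcs15-gemsafeV1.c
++++ opensc-0.25.1/src/libopensc/pkcs15-gemsafeV1.c
+@@ -169,6 +169,7 @@ static int gemsafe_get_cert_len(sc_card_
+size_t objlen;
+int certlen;
+unsigned int ind, i=0;
++ int read_len;
+sc_format_path(GEMSAFE_PATH, &path);
+r = sc_select_file(card, &path, &file);
+@@ -177,9 +178,11 @@ static int gemsafe_get_cert_len(sc_card_
+sc_file_free(file);
+/* Initial read */
+- r = sc_read_binary(card, 0, ibuf, GEMSAFE_READ_QUANTUM, 0);
+- if (r < 0)
++ read_len = sc_read_binary(card, 0, ibuf, GEMSAFE_READ_QUANTUM, 0);
++ if (read_len <= 2) {
++ sc_log(card->ctx, "Invalid size of object data: %d", read_len);
+return SC_ERROR_INTERNAL;
++ }
+/* Actual stored object size is encoded in first 2 bytes
+* (allocated EF space is much greater!)
+@@ -208,7 +211,7 @@ static int gemsafe_get_cert_len(sc_card_
+* the private key.
+*/
+ind = 2; /* skip length */
+- while (ibuf[ind] == 0x01 && i < gemsafe_cert_max) {
++ while (ind + 1 < (size_t)read_len && ibuf[ind] == 0x01 && i < gemsafe_cert_max) {
+if (ibuf[ind+1] == 0xFE) {
+gemsafe_prkeys[i].ref = ibuf[ind+4];
+sc_log(card->ctx, "Key container %d is allocated and uses key_ref %d",
+@@ -235,7 +238,7 @@ static int gemsafe_get_cert_len(sc_card_
+/* Read entire file, then dissect in memory.
+* Gemalto ClassicClient seems to do it the same way.
+*/
+- iptr = ibuf + GEMSAFE_READ_QUANTUM;
++ iptr = ibuf + read_len;
+while ((size_t)(iptr - ibuf) < objlen) {
+r = sc_read_binary(card, (unsigned)(iptr - ibuf), iptr,
+MIN(GEMSAFE_READ_QUANTUM, objlen - (iptr - ibuf)), 0);
+@@ -243,7 +246,14 @@ static int gemsafe_get_cert_len(sc_card_
+sc_log(card->ctx, "Could not read cert object");
+return SC_ERROR_INTERNAL;
+}
+- iptr += GEMSAFE_READ_QUANTUM;
++ if (r == 0)
++ break;
++ read_len += r;
++ iptr += r;
++ }
++ if ((size_t)read_len < objlen) {
++ sc_log(card->ctx, "Could not read cert object");
++ return SC_ERROR_INTERNAL;
+}
+/* Search buffer for certificates, they start with 0x3082. */
+Index: opensc-0.25.1/src/pkcs15init/pkcs15-setcos.c
+===================================================================
+--- opensc-0.25.1.orig/src/pkcs15init/pkcs15-setcos.c
++++ opensc-0.25.1/src/pkcs15init/pkcs15-setcos.c
+@@ -507,6 +507,9 @@ setcos_generate_key(struct sc_profile *p
+r = sc_card_ctl(p15card->card, SC_CARDCTL_SETCOS_GETDATA, &data_obj);
+LOG_TEST_RET(ctx, r, "Cannot get key modulus: 'SETCOS_GETDATA' failed");
++ if (data_obj.DataLen < 3 || data_obj.DataLen < pubkey->u.rsa.modulus.len)
++ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Cannot get key modulus: wrong length of raw key");
++
+keybits = ((raw_pubkey[0] * 256) + raw_pubkey[1]); /* modulus bit length */
+if (keybits != key_info->modulus_length) {
+sc_log(ctx,
+Index: opensc-0.25.1/src/pkcs15init/pkcs15-sc-hsm.c
+===================================================================
+--- opensc-0.25.1.orig/src/pkcs15init/pkcs15-sc-hsm.c
++++ opensc-0.25.1/src/pkcs15init/pkcs15-sc-hsm.c
+@@ -140,7 +140,7 @@ static int sc_hsm_determine_free_id(stru
+LOG_TEST_RET(card->ctx, filelistlength, "Could not enumerate file and key identifier");
+for (j = 0; j < 256; j++) {
+- for (i = 0; i < filelistlength; i += 2) {
++ for (i = 0; i + 1 < filelistlength; i += 2) {
+if ((filelist[i] == range) && (filelist[i + 1] == j)) {
+break;
+}
+Index: opensc-0.25.1/src/libopensc/card-coolkey.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/card-coolkey.c
++++ opensc-0.25.1/src/libopensc/card-coolkey.c
+@@ -1697,6 +1697,7 @@ static int coolkey_rsa_op(sc_card_t *car
+u8 key_number;
+size_t params_len;
+u8 buf[MAX_COMPUTE_BUF + 2];
++ size_t buf_len;
+u8 *buf_out;
+SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
+@@ -1737,8 +1738,6 @@ static int coolkey_rsa_op(sc_card_t *car
+ushort2bebytes(params.init.buf_len, 0);
+} else {
+/* The data fits in APDU. Copy it to the params object */
+- size_t buf_len;
+-
+params.init.location = COOLKEY_CRYPT_LOCATION_APDU;
+params_len = sizeof(params.init) + datalen;
+@@ -1758,6 +1757,7 @@ static int coolkey_rsa_op(sc_card_t *car
+if (r < 0) {
+goto done;
+}
++ buf_len = crypt_out_len_p;
+if (datalen > MAX_COMPUTE_BUF) {
+u8 len_buf[2];
+@@ -1776,7 +1776,12 @@ static int coolkey_rsa_op(sc_card_t *car
+priv->nonce, sizeof(priv->nonce));
+} else {
+- size_t out_length = bebytes2ushort(buf);
++ size_t out_length;
++ if (buf_len < 2) {
++ r = SC_ERROR_WRONG_LENGTH;
++ goto done;
++ }
++ out_length = bebytes2ushort(buf);
+if (out_length > sizeof buf - 2) {
+r = SC_ERROR_WRONG_LENGTH;
+goto done;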
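Review bot: The two new length guards in insert_cert (pkcs15-tcos.c) are off by one relative to the bytes actually read: `(size_t)(7 + cert[5]) > cert_len` still admits 7 + cert[5] == cert_len, yet the OID branch below reads `cert[7 + cert[5]]`, and `(size_t)(9 + cert[5]) > cert_len` likewise admits an index equal to cert_len while `cert[9 + cert[5]]` is read. Because `unsigned char cert[20];` is never initialised, those reads return stale stack bytes rather than card data (they stay inside the 20-byte array, since the OID path requires cert[5] < 10 and the first guard rejects larger values). Both comparisons should be `>=`: `if (cert_len < 7 || (size_t)(7 + cert[5]) >= cert_len)` and `if ((size_t)(9 + cert[5]) >= cert_len)`. A related gap in gemsafe_get_cert_len: the loop condition now bounds `ind + 1` against read_len, but the body reads `ibuf[ind+4]`; that loop continues outside the hunk, so the further indices may be guarded there.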


@ -0,0 +1,73 @@
commit a1bcc6516f43d570899820d259b71c53f8049168
Author: Veronika Hanulíková <vhanulik@redhat.com>
Date: Thu Jul 18 09:23:20 2024 +0200
pkcs15-starcos: Check length of file to be non-zero
Thanks Matteo Marini for report
https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
fuzz_pkcs15init/20
Index: opensc-0.25.1/src/pkcs15init/pkcs15-starcos.c
===================================================================
--- opensc-0.25.1.orig/src/pkcs15init/pkcs15-starcos.c
+++ opensc-0.25.1/src/pkcs15init/pkcs15-starcos.c
@@ -670,6 +670,8 @@ static int starcos_write_pukey(sc_profil
return r;
len = tfile->size;
sc_file_free(tfile);
+ if (len == 0)
+ return SC_ERROR_INTERNAL;
buf = malloc(len);
if (!buf)
return SC_ERROR_OUT_OF_MEMORY;
@@ -684,7 +686,7 @@ static int starcos_write_pukey(sc_profil
if (num_keys == 0xff)
num_keys = 0;
/* encode public key */
- keylen = starcos_encode_pukey(rsa, NULL, kinfo);
+ keylen = starcos_encode_pukey(rsa, NULL, kinfo);
if (!keylen) {
free(buf);
return SC_ERROR_INTERNAL;
Index: opensc-0.25.1/src/libopensc/iasecc-sdo.c
===================================================================
--- opensc-0.25.1.orig/src/libopensc/iasecc-sdo.c
+++ opensc-0.25.1/src/libopensc/iasecc-sdo.c
@@ -318,16 +318,26 @@ iasecc_se_parse(struct sc_card *card, un
LOG_FUNC_CALLED(ctx);
+ if (data_len < 1)
+ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
+
if (*data == IASECC_SDO_TEMPLATE_TAG) {
size_size = iasecc_parse_size(data + 1, data_len - 1, &size);
LOG_TEST_RET(ctx, size_size, "parse error: invalid size data of IASECC_SDO_TEMPLATE");
+ if (data_len - 1 < size)
+ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
+
+
data += size_size + 1;
data_len = size;
sc_log(ctx,
"IASECC_SDO_TEMPLATE: size %"SC_FORMAT_LEN_SIZE_T"u, size_size %d",
size, size_size);
+ if (data_len < 3)
+ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
+
if (*data != IASECC_SDO_TAG_HEADER)
LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
@@ -759,6 +769,8 @@ iasecc_sdo_parse(struct sc_card *card, u
int rv;
LOG_FUNC_CALLED(ctx);
+ if (data == NULL || data_len < 2)
+ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
if (*data == IASECC_SDO_TEMPLATE_TAG) {
size_size = iasecc_parse_size(data + 1, data_len - 1, &size);


@ -0,0 +1,78 @@
commit b28a3cef416fcfb92fbb9ea7fd3c71df52c6c9fc
Author: Jakub Jelen <jjelen@redhat.com>
Date: Mon Aug 12 19:02:14 2024 +0200
openpgp: Do not accept non-matching key responses
When generating RSA key pair using PKCS#15 init, the driver could accept
responses relevant to ECC keys, which made further processing in the
pkcs15-init failing/accessing invalid parts of structures.
Thanks oss-fuzz!
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=71010
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Index: opensc-0.22.0/src/libopensc/card-openpgp.c
===================================================================
--- opensc-0.22.0.orig/src/libopensc/card-openpgp.c
+++ opensc-0.22.0/src/libopensc/card-openpgp.c
@@ -2657,14 +2657,21 @@ pgp_calculate_and_store_fingerprint(sc_c
/* update the blob containing fingerprints (00C5) */
sc_log(card->ctx, "Updating fingerprint blob 00C5.");
fpseq_blob = pgp_find_blob(card, 0x00C5);
- if (fpseq_blob == NULL)
- LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OUT_OF_MEMORY, "Cannot find blob 00C5");
+ if (fpseq_blob == NULL) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ LOG_TEST_GOTO_ERR(card->ctx, r, "Cannot find blob 00C5");
+ }
+ if (20 * key_info->key_id > fpseq_blob->len) {
+ r = SC_ERROR_OBJECT_NOT_VALID;
+ LOG_TEST_GOTO_ERR(card->ctx, r, "The 00C5 blob is not large enough");
+ }
/* save the fingerprints sequence */
newdata = malloc(fpseq_blob->len);
- if (newdata == NULL)
- LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OUT_OF_MEMORY,
- "Not enough memory to update fingerprint blob 00C5");
+ if (newdata == NULL) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ LOG_TEST_GOTO_ERR(card->ctx, r, "Not enough memory to update fingerprint blob 00C5");
+ }
memcpy(newdata, fpseq_blob->data, fpseq_blob->len);
/* move p to the portion holding the fingerprint of the current key */
@@ -2778,6 +2785,9 @@ pgp_parse_and_set_pubkey_output(sc_card_
/* RSA modulus */
if (tag == 0x0081) {
+ if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA) {
+ LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED);
+ }
if ((BYTES4BITS(key_info->u.rsa.modulus_len) < len) /* modulus_len is in bits */
|| key_info->u.rsa.modulus == NULL) {
@@ -2793,6 +2803,9 @@ pgp_parse_and_set_pubkey_output(sc_card_
}
/* RSA public exponent */
else if (tag == 0x0082) {
+ if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA) {
+ LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED);
+ }
if ((BYTES4BITS(key_info->u.rsa.exponent_len) < len) /* exponent_len is in bits */
|| key_info->u.rsa.exponent == NULL) {
@@ -2808,6 +2821,10 @@ pgp_parse_and_set_pubkey_output(sc_card_
}
/* ECC public key */
else if (tag == 0x0086) {
+ if (key_info->algorithm != SC_OPENPGP_KEYALGO_ECDSA &&
+ key_info->algorithm != SC_OPENPGP_KEYALGO_ECDH) {
+ LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED);
+ }
/* set the output data */
/* len is ecpoint length + format byte
* see section 7.2.14 of 3.3.1 specs */


@ -0,0 +1,13 @@
diff --git a/doc/html.xsl b/doc/html.xsl
index 665d45f..734fa98 100644
--- a/doc/html.xsl
+++ b/doc/html.xsl
@@ -3,7 +3,7 @@
<!ENTITY css SYSTEM "api.css">
]>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
- <xsl:import href="docbook-utf8.xsl"/>
+ <xsl:import href="docbook.xsl"/>
<xsl:param name="toc.section.depth" select="0"/>
<xsl:param name="generate.consistent.ids" select="1"/>
<xsl:template name="user.head.content">

31
opensc-gcc11.patch Normal file

@ -0,0 +1,31 @@
diff --git a/src/tools/opensc-explorer.c b/src/tools/opensc-explorer.c
index 41e620a..57f8a79 100644
--- a/src/tools/opensc-explorer.c
+++ b/src/tools/opensc-explorer.c
@@ -1839,6 +1839,12 @@ static int do_apdu(int argc, char **argv)
if (argc < 1)
return usage(do_apdu);
+ /* gcc-11 complains about BUF potentially being used without being
+ initialized. I can't convince myself that the calls to
+ parse_string_or_hexdata will fully initialize it, so we just
+ initialize it here. */
+ memset (buf, 0, sizeof (buf));
+
/* loop over the args and parse them, making sure the result fits into buf[] */
for (i = 0, len = 0; i < (unsigned) argc && len < sizeof(buf); i++) {
size_t len0 = sizeof(buf) - len;
commit 1680b3a1fb15319e41dbe3214ef8c4a4c215d529
Author: Jakub Jelen <jjelen@redhat.com>
Date: Tue Feb 23 19:57:02 2021 +0100
Fix build on gcc11
This made most of the applications crashing in Fedora 34 when
smart card was plugged in.
The suggested patch makes the code path more obvious for gcc to
handle.
https://bugzilla.redhat.com/show_bug.cgi?id=1930652
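Review bot: This patch file is added to the package although the 0.22.0 changelog entry further down this page states its changes were removed as already upstream, and nothing visible here applies it; if the spec file no longer references it, the file is dead weight that can mislead the next security backport and should be dropped, and if it is still applied, the changelog entry is wrong. A header comment at the top of the patch such as `Upstream: OpenSC/OpenSC#2241, merged in 0.22.0; kept only if still applied by the spec` would make its status explicit either way. The memset added to do_apdu is itself harmless, zeroing the whole buffer before the parse loop that bounds writes by sizeof(buf); do_apdu's body continues beyond the hunk.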

3
opensc-rpmlintrc Normal file

@ -0,0 +1,3 @@
# There is no devel package any more.
addFilter("obsolete-not-provided")
addFilter("devel-file-in-non-devel-package")

981
opensc.changes Normal file

@ -0,0 +1,981 @@
-------------------------------------------------------------------
Tue Oct 1 06:30:06 UTC 2024 - Angel Yankov <angel.yankov@suse.com>
- - Security fix: [CVE-2024-8443, bsc#1230364]
* opensc: heap buffer overflow in OpenPGP driver when generating key
* Added patch: opensc-CVE-2024-8443.patch
-------------------------------------------------------------------
Tue Oct 1 06:27:05 UTC 2024 - Angel Yankov <angel.yankov@suse.com>
- Security fix: [opensc-CVE-2024-45620, bsc#1230076]
- Security fix: [opensc-CVE-2024-45619, bsc#1230075]
- Security fix: [opensc-CVE-2024-45618, bsc#1230074]
- Security fix: [opensc-CVE-2024-45617, bsc#1230073]
- Security fix: [opensc-CVE-2024-45616, bsc#1230072]
- Security fix: [opensc-CVE-2024-45615, bsc#1230071]
* opensc: pkcs15init: Usage of uninitialized values in libopensc and pkcs15init
* opensc: Uninitialized values after incorrect check or usage of APDU response values in libopensc
* opensc: Uninitialized values after incorrect or missing checking return values of functions in libopensc
* opensc: Uninitialized values after incorrect or missing checking return values of functions in pkcs15init
* opensc: Incorrect handling length of buffers or files in libopensc
* opensc: Incorrect handling of the length of buffers or files in pkcs15init
* Added patches:
- opensc-CVE-2024-45615.patch
- opensc-CVE-2024-45616.patch
- opensc-CVE-2024-45617.patch
- opensc-CVE-2024-45618.patch
- opensc-CVE-2024-45619.patch
- opensc-CVE-2024-45620.patch
-------------------------------------------------------------------
Fri Apr 5 18:54:38 UTC 2024 - Martin Hauke <mardnh@gmx.de>
- Update to verion 0.25.1
General improvements
* Add missing file to dist tarball to build documentation.
minidriver
* Fix RSA decryption with PKCS#1 v1.5 padding.
* Fix crash when app is not set.
-------------------------------------------------------------------
Wed Mar 13 21:56:31 UTC 2024 - Martin Hauke <mardnh@gmx.de>
- Build with support for libeac (OpenPACE)
-------------------------------------------------------------------
Sat Mar 9 12:06:03 UTC 2024 - Martin Hauke <mardnh@gmx.de>
- Update to version 0.25.0
Security
* CVE-2023-5992: Fix Side-channel leaks while stripping
encryption PKCS#1.5 padding in OpenSC.
* CVE-2024-1454: Fix Potential use-after-free in AuthentIC driver
during card enrollment in pkcs15init.
General improvements
* Remove support for old card drivers Akis, GPK, Incrypto34 and
Westcos, disable Cyberflex driver.
* Fix 64b to 32b conversions.
* Improvements for the p11test.
* Fix reader initialization without SCardControl.
* Make RSA PKCS#1 v1.5 depadding constant-time.
* Add option for disabling PKCS#1 v1.5 depadding (type 01 and 02)
on the card.
* Fixed various issues reported by OSS-Fuzz and Coverity in
drivers, PKCS#11 and PKCS#15 layer.
- Add patch:
* opensc-docbook-xsl-fix.patch
- Drop not longer needed patches:
* CVE-2024-1454.patch
- Introduce subpackage for bash-completion
-------------------------------------------------------------------
Sun Feb 25 20:35:05 UTC 2024 - Martin Schreiner <martin.schreiner@suse.com>
- Add CVE-2024-1454.patch.
Fix for CVE-2024-1454 / bsc#1219868.
-------------------------------------------------------------------
Wed Dec 13 12:27:34 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
- Update to OpenSC 0.24.0:
* Security
- CVE-2023-40660: Fix Potential PIN bypass
(#2806, frankmorgner/OpenSCToken#50, #2807)
- CVE-2023-40661: Important dynamic analyzers reports
- CVE-2023-4535: Out-of-bounds read in MyEID driver handling encryption
using symmetric keys (f1993dc)
* General improvements
- Fix compatibility of EAC with OpenSSL 3.0 (#2674)
- Enable use_file_cache by default (#2501)
- Use custom libctx with OpenSSL >= 3.0 (#2712, #2715)
- Fix record-based files (#2604)
- Fix several race conditions (#2735)
- Run tests under Valgrind (#2756)
- Test signing of data bigger than 512 bytes (#2789)
- Update to OpenPACE 1.1.3 (#2796)
- Implement logout for some of the card drivers (#2807)
- Fix wrong popup position of opensc-notify (#2901)
- Fixed various issues reported by OSS-Fuzz and Coverity regarding card
drivers, PKCS#11 and PKCS#15 init
* PKCS#11
- Check card presence state in C_GetSessionInfo (#2740)
- Remove onepin-opensc-pkcs11 module (#2681)
- Do not use colons in the token info label (#2760)
- Present profile objects in all slots with the CKA_TOKEN attribute to
resolve issues with NSS (#2928, #2924)
- Use secure memory for PUK (#2906)
- Don't logout to preserve concurrent access from different processes
(#2907)
- Add more examples to manual page (#2936)
- Present profile objects in all virtual slots (#2928)
- Provide CKA_TOKEN attribute for profile objects (#2924)
- Improve --slot parameter documentation (#2951)
* PKCS#15
- Honor cache offsets when writing file cache (#2858)
- Prevent needless amount of PIN prompts from pkcs15init layer (#2916)
- Propagate CKA_EXTRACTABLE and SC_PKCS15_PRKEY_ACCESS_SENSITIVE from and
back to PKCS#11 (#2936)
* Minidriver
- Fix for private keys that do not need a PIN (#2722)
- Unbreak decipher when the first null byte of PKCS#1.5 padding is
missing (#2939*
* pkcs11-tool
- Fix RSA key import with OpenSSL 3.0 (#2656)
- Add support for attribute filtering when listing objects (#2687)
- Add support for --private flag when writing certificates (#2768)
- Add support for non-AEAD ciphers to the test mode (#2780)
- Show CKA_SIGN attribute for secret keys (#2862)
- Do not attempt to read CKA_ALWAYS_AUTHENTICATE on secret keys
(#2864, #2913)
- Show Sign/VerifyRecover attributes (#2888)
- Add option to import generic keys (#2955)
* westcos-tool
- Generate 2k RSA keys by default (b53fc5c)
* pkcs11-register
- Disable autostart on Linux by default (#2680)
* IDPrime
- Add support for IDPrime MD 830, 930 and 940 (#2666)
- Add support for SafeNet eToken 5110 token (#2812)
- Process index even without keyrefmap and use correct label for second
PIN (#2878)
- Add support for Gemalto IDPrime 940C (#2941)
* EPass2003
- Change of PIN requires verification of the PIN (#2759)
- Fix incorrect CMAC computation for subkeys (#2759, issue #2734)
- Use true random number for mutual authentication for SM (#2766)
- Add verification of data coming from the token in the secure messaging
mode (#2772)
- Avoid success when using unsupported digest and fix data length for RAW
ECDSA signatures (#2845)
* OpenPGP
- Fix select data command (#2753, issue #2752)
- Unbreak ed/curve25519 support (#2892)
* eOI
- Add support for Slovenian eID card (eOI) (#2646)
* Italian CNS
- Add support for IDEMIA (Oberthur) tokens (#2483)
* PIV
- Add support for Swissbit iShield FIDO2 Authenticator (#2671)
- Implement PIV secure messaging (#2053)
* SkeID
- Add support for Slovak eID cards (#2672)
* isoApplet
- Support ECDSA with off-card hashing (#2642)
* MyEID
- Fix WRAP operation when using T0 (#2695)
- Identify changes on the card and enable use_file_cache (#2798)
- Workaround for unwrapping using 2K RSA key (#2921)
* SC-HSM
- Add support for opensc-tool --serial (#2675)
- Fix unwrapping of 4096 keys with handling reader limits (#2682)
- Indicate supported hashes and MGF1s (#2827)
- Remove patches:
* opensc-CVE-2023-40660-1of2.patch
* opensc-CVE-2023-40660-2of2.patch
* opensc-CVE-2023-40661-1of12.patch
* opensc-CVE-2023-40661-2of12.patch
* opensc-CVE-2023-40661-3of12.patch
* opensc-CVE-2023-40661-4of12.patch
* opensc-CVE-2023-40661-5of12.patch
* opensc-CVE-2023-40661-6of12.patch
* opensc-CVE-2023-40661-7of12.patch
* opensc-CVE-2023-40661-8of12.patch
* opensc-CVE-2023-40661-9of12.patch
* opensc-CVE-2023-40661-10of12.patch
* opensc-CVE-2023-40661-11of12.patch
* opensc-CVE-2023-40661-12of12.patch
* opensc-CVE-2023-4535.patch
* opensc-CVE-2023-2977.patch
* opensc-NULL_pointer_fix.patch
-------------------------------------------------------------------
Fri Oct 6 06:49:24 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
- Security Fix: [CVE-2023-40661, bsc#1215761]
* opensc: multiple memory issues with pkcs15-init (enrollment tool)
* Add patches:
- opensc-CVE-2023-40661-1of12.patch
- opensc-CVE-2023-40661-2of12.patch
- opensc-CVE-2023-40661-3of12.patch
- opensc-CVE-2023-40661-4of12.patch
- opensc-CVE-2023-40661-5of12.patch
- opensc-CVE-2023-40661-6of12.patch
- opensc-CVE-2023-40661-7of12.patch
- opensc-CVE-2023-40661-8of12.patch
- opensc-CVE-2023-40661-9of12.patch
- opensc-CVE-2023-40661-10of12.patch
- opensc-CVE-2023-40661-11of12.patch
- opensc-CVE-2023-40661-12of12.patch
-------------------------------------------------------------------
Thu Oct 5 13:45:16 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
- Security Fix: [CVE-2023-4535, bsc#1215763]
* Add patches:
- opensc-CVE-2023-4535.patch
- opensc-NULL_pointer_fix.patch
-------------------------------------------------------------------
Wed Oct 4 13:26:11 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
- Security Fix: [CVE-2023-40660, bsc#1215762]
* opensc: PIN bypass when card tracks its own login state
* Add patches:
- opensc-CVE-2023-40660-1of2.patch
- opensc-CVE-2023-40660-2of2.patch
-------------------------------------------------------------------
Thu Jun 1 12:55:19 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
- Security Fix: [CVE-2023-2977, bsc#1211894]
* opensc: out of bounds read in pkcs15 cardos_have_verifyrc_package()
* Add opensc-CVE-2023-2977.patch
-------------------------------------------------------------------
Tue Nov 29 17:52:46 UTC 2022 - Michael Ströder <michael@stroeder.com>
- Update to OpenSC 0.23.0:
* General improvements
- Support signing of data with a length of more than 512 bytes (#2314)
- By default, disable support for old card drivers (#2391) and remove
support for old drivers MioCOS and JCOP (#2374)
- Bump minimal required OpenSSL version to 1.1.1 and add support for OpenSSL 3.0 (#2438, #2506)
- Compatibility with LibreSSL (#2495, #2595)
- Remove support for DSA (#2503)
- Extend p11test to support symmetric keys (#2430)
- Notice detached reader on macOS (#2418)
- Support for OAEP padding (#2475, #2484)
- Fix for PSS salt length (#2478)
- Improve fuzzing by adding new tests (#2417, #2500, #2520, #2550, #2637)
- Fixed various issues reported by OSS-Fuzz and Coverity regarding
card drivers, PKCS#11 and PKCS#15 init
- Fix issues with OpenPACE (#2472)
- Containers support for local testing
- Add support for encryption and decryption using symmetric keys (#2473, #2607)
- Stop building support for Gost algorithms with OpenSSL 3.0 as they
require deprecated API (#2586)
- Fix detection of disconnected readers in PCSC (#2600)
- Add configuration option for on-disk caching of private data (#2588)
- Skip building empty binaries when dependencies are missing and
remove needless linking (#2617)
- Define arm64 as a supported architecture in the Installer package (#2610)
* PKCS#11
- Implement C_CreateObject for EC keys and fix signature verification
for CKM_ECDSA_SHAx cards (#2420)
* pkcs11-tool
- Add more elliptic curves (#2301)
- Add support for symmetric encrypt and decrypt, wrap and unwrap operations,
and initialization vector (#2268)
- Fix consistent handling of secret key attributes (#2497)
- Add support for signing and verifying with HMAC (#2385)
- Add support for SHA3 (#2467)
- Make object selectable via label (#2570)
- Do not require an R/W session for some operations and
add --session-rw option (#2579)
- Print more information: CKA_UNIQUE_ID attribute, SHA3 HMACs and
serial number for certificates (#2644, #2643, #2641)
- Add new option --undestroyable to create keys with CKA_DESTROYABLE=FALSE (#2645)
* sc-hsm-tool
- Add options for public key authentication (#2301)
* Minidriver
- Fix reinit of the card (#2525)
- Add an entry for Italian CNS (e) (#2548)
- Fix detection of ECC mechanisms (#2523)
- Fix ATRs before adding them to the windows registry (#2628)
* NQ-Applet
- Add support for the JCOP4 Cards with NQ-Applet (#2425)
* ItaCNS
- Add support for ItaCMS v1.1 (key length 2048) (#2371)
* Belpic
- Add support for applet v1.8 (#2455)
* Starcos
- Add ATR for V3.4 (#2464)
- Add PKCS#15 emulator for 3.x cards with eSign app (#2544)
* ePass2003
- Fix PKCS#15 initialization (#2403)
- Add support for FIPS (#2543)
- Fix matching with newer versions and tokens initialized with OpenSC (#2575)
* MyEID
- Support logout operation (#2557)
- Support for symmetric encryption and decryption (#2473, #2607)
* GIDS
- Fix decipher for TPM (#1881)
* OpenPGP
- Get the list of supported algorithms from algorithm information
on the card (#2287)
- Support for 3 certificates with OpenPGP 3+ (#2103)
* nPA
- Fix card detection (#2463)
* Rutoken
- Fix formatting rtecp cards (#2599)
* PIV
- Add new PIVKey ATRs for current cards (#2602)
-------------------------------------------------------------------
Mon Oct 4 12:59:24 UTC 2021 - Daniel Donisa <daniel.donisa@suse.com>
- Update to OpenSC 0.22.0:
* Removed changes in opensc-gcc11.patch already present in upstream.
- See https://github.com/OpenSC/OpenSC/pull/2241/commits/e549e9c62eb4fcd2260800e2665071e4dd9bbbda
* Removed some false positives from the openrc-rpmlintrc file.
* Use standard paths for file cache on Linux (#2148) and OSX (#2214)
* Various issues of memory/buffer handling in legacy drivers mostly reported by oss-fuzz and coverity (tcos, oberthur, isoapplet, iasecc, westcos, gpk, flex, dnie, mcrd, authentic, belpic)
* Add threading test to `pkcs11-tool` (#2067)
* Add support to generate generic secret keys (#2140)
* `opensc-explorer`: Print information about LCS (Life cycle status byte) (#2195)
* Add support for Apple's arm64 (M1) binaries, removed TokenD. A seperate installer with TokenD (and without arm64 binaries) will be available (#2179).
* Support for gcc11 and its new strict aliasing rules (#2241, #2260)
* Initial support for building with OpenSSL 3.0 (#2343)
* pkcs15-tool: Write data objects in binary mode (#2324)
* Avoid limited size of log messages (#2352)
* Support for ECDSA verification (#2211)
* Support for ECDSA with different SHA hashes (#2190)
* Prevent issues in p11-kit by not returning unexpected return codes (#2207)
* Add support for PKCS#11 3.0: The new interfaces, profile objects and functions (#2096, #2293)
* Standardize the version 2 on 2.20 in the code (#2096)
* Fix CKA_MODIFIABLE and CKA_EXTRACTABLE (#2176)
* Copy arguments of C_Initialize (#2350)
* Fix RSA-PSS signing (#2234)
* Fix DO deletion (#2215)
* Add support for (X)EdDSA keys (#1960)
* Add support for applet version 3 and fix RSA-PSS mechanisms (#2205)
* Add support for applet version 4 (#2332)
* New configuration option for opensc.conf to disable pkcs1_padding (#2193)
* Add support for ECDSA with different hashes (#2190)
* Enable more mechanisms (#2178)
* Fixed asking for a user pin when formatting a card (#1737)
* Added support for French CPx Healthcare cards (#2217)
* Added ATR for new CardOS 5.4 version (#2296)
* Fixes security issues:
* tcos: use after return (bsc#1192005, CVE-2021-42780)
* oberthur: use after free (bsc#1191992, CVE-2021-42779)
* oberthur: multiple heap buffer overflows (bsc#1192000,
CVE-2021-42781)
* multiple stack buffer overflow issues (bsc#1191957,
CVE-2021-42782)
-------------------------------------------------------------------
Sun Jun 27 16:48:49 UTC 2021 - Predrag Ivanović <predivan@mts.rs>
- Fix build on GCC11
* Add opensc-gcc11.patch from Fedora
(https://github.com/OpenSC/OpenSC/pull/2241/)
-------------------------------------------------------------------
Fri Mar 12 22:58:46 UTC 2021 - Dirk Müller <dmueller@suse.com>
- move licenses to licensedir
-------------------------------------------------------------------
Fri Nov 27 19:27:30 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de>
- OpenSC 0.21.0:
* CVE-2020-26571: stack-based buffer overflow in the gemsafe GPK
smart card software driver (boo#1177380)
* CVE-2020-26572: stack-based buffer overflow in the TCOS smart
card software driver (boo#1177378)
* CVE-2020-26570: heap-based buffer overflow in the Oberthur
smart card software driver (boo#1177364)
* CardOS 5.x support boo#1179291
* Support for OAEP encryption, make SHA256 default
* New separate debug level for PIN commands
* Fix handling of card/reader insertion/removal events in pcscd
* Fixes of removed readers handling
* Fix Firefox crash because of invalid pcsc context
* PKCS#11: Return CKR_TOKEN_NOT_RECOGNIZED for not recognized cards
* Propagate ignore_user_content to PKCS#11 layer not to confuse applications
* Minidriver: Fix check of ATR length (2-to 33 characters inclusive)
* pkcs11-tool: allow using SW tokens
* opensc-explorer asn1 accepts offsets and decode records
* opensc-explorer cat accepts records
* OpenPGP: Add new ec curves supported by GNUK
* First steps supporting OpenPGP 3.4
* OpenPGP: Add support for EC key import
* Rutoken: Add ATR for Rutoken ECP SC NFC
* Improve detection of various CardOS 5 configurations
* DNIe: Add new DNIe CA structure for the secure channel
* ePass2003: Improve ECC support
* ePass2003: Fix erase sequence
* IAS-ECC: Fix support for Idemia Cosmo cards
* IAS-ECC: PIN padding settings are now used from PKCS#15 info when available
* IAS-ECC: Added PIN-pad support for PIN unblock
* New driver for Gemalto IDPrime (only some types)
* eDo: New driver with initial support for Polish eID card (e-dowód, eDO)
* MCRD: Remove unused and broken RSA EstEID support
* TCOS: Add missing encryption certificates
* PIV: Add ATR of DOD Yubikey
* fixed PIV global pin bug
* CAC1: Support changing PIN with CAC Alt tokens
- includes changes from 0.20.0
* CVE-2019-6502: memory leak in libopensc (boo#1122756)
* CVE-2019-15946: out-of-bounds access of an ASN.1 Octet string (boo#1149747)
* CVE-2019-15945: out-of-bounds access of an ASN.1 Bitstring (boo#1149746)
* CVE-2019-19479: incorrect read operation during parsing of a SETCOS file attribute (boo#1158256)
* CVE-2019-19480: improper free operation in sc_pkcs15_decode_prkdf_entry (boo#1158307)
* CVE-2019-20792: double free in coolkey_free_private_dat (bsc#1170809)
* Support RSA-PSS signature mechanisms using RSA-RAW
* Added memory locking for secrets
* added support for terminal colors
* PC/SC driver: Fixed error handling in case of changing or removing the card reader
* rename md_read_only to read_only and use it for PKCS#11 and Minidriver
* allow global use of ignore_private_certificate
* PKCS#11: Implement write protection (CKF_WRITE_PROTECTED) based on the card profile
* PKCS#11: Add C_WrapKey and C_UnwrapKey implementations
* PKCS#11: Handle CKA_ALWAYS_AUTHENTICATE when creating key objects
* PKCS#11: Truncate long PKCS#11 labels with ...
* PKCS#11: Fixed recognition of a token when being unplugged and reinserted
* Minidriver: Register for CardOS5 cards
* Minidriver: Add support for RSA-PSS
* tools: Harmonize the use of option -r/--reader
* goid-tool: GoID personalization with fingerprint
* openpgp-tool: replace the options -L/--key-length with -t/--key-type
* openpgp-tool: add options -C/--card-info and -K/--key-info
* opensc-explorer: add command pin_info, extend random
* pkcs11-register: Auto-configuration of applications for use of OpenSC PKCS#11
* pkcd11-register: Autostart
* opensc-tool: Show ATR also for cards not recognized by OpenSC
* pkcs11-spy: parse CKM_AES_GCM, EC Derive parameters
* pkcs11-spy: Add support for CKA_OTP_* and CKM_*_PSS values
* pkcs11-tool: Support for signature verification via --verify
* pkcs11-tool: Add object type secrkey for --type option
* pkcs11-tool: Implement Secret Key write object
* pkcs11-tool: Add GOSTR3410-2012 support
* pkcs11-tool: Add support for testing CKM_RSA_PKCS_OAEP
* pkcs11-tool: Add extractable option to key import
* pkcs11-tool: list more key access flags when listing keys
* pkcs11-tool: Add support for CKA_ALLOWED_MECHANISMS when creating new objects and listing keys
* pkcs15-crypt: *Handle keys with user consent
* New separate CAC1 driver using the old CAC specification (#1502)
* CardOS: Add support for 4K RSA keys in CardOS 5
* CardOS: Fixed decryption with CardOS 5
* Enable CoolKey driver to handle 2048-bit keys
* EstEID: add support for a minimalistic, small and fast card profile based on IAS-ECC issued since December 2018
* GIDS Decipher fix (#1881)
* GIDS: Allow RSA 4K support
* MICARDO: Remove long expired EstEID 1.0/1.1 card support
* MyEID: Add support for unwrapping a secret key with an RSA key or secret key
* MyEID Add support for wrapping a secret key with a secret key
* Support for MyEID 4K RSA
* Support for OsEID
* Gemalto GemSafe: add new PTeID ATRs, add support for 4K RSA keys
* OpenPGP Card v3 ECC support
* Add Rutoken ECP SC
* Add Rutoken Lite
* Add SmartCard-HSM 4K ATR
* Add missing secp384r1 curve parameter
* Stacros: Fix decipher with 2.3
* Stacros: Add ATR for 2nd gen. eGK
* Stacros: Add new ATR for 3.5
* Stacros: Detect and allow Globalplatform PIN encoding
* Fix TCOS IDKey support
* TCOS: add encryption certificate for IDKey
* Infocamere, Postecert, Cnipa: Remove profiles
* Remove incomplete acos5 driver
- drop patches now upstream:
* opensc-0.19.0-piv_card_matching.patch
* opensc-0.19.0-redundant_logging.patch
* opensc-0.19.0-rsa-pss.patch
-------------------------------------------------------------------
Sun Aug 18 01:35:45 UTC 2019 - Jason Sikes <jsikes@suse.com>
- added opensc-0.19.0-piv_card_matching.patch
* Improve Card Matching for Dual CAC/PIV and PIVKEY cards.
* sourced from https://github.com/OpenSC/OpenSC/pull/1549
-------------------------------------------------------------------
Tue Jul 30 03:15:14 UTC 2019 - Jason Sikes <jsikes@suse.de>
- added opensc-0.19.0-rsa-pss.patch
* Fixes the pkcs11-tool example
* Added missing CKM_SHA224_RSA_PKCS_PSS
* Add support for PSS padding to RSA signatures
* Support for signature verification in pkcs11-tool
* Switch cleanup steps to avoid segfaults on errors and more sanity checking
- added opensc-0.19.0-redundant_logging.patch
* Remove redundant debug output
-------------------------------------------------------------------
Tue Jul 23 21:51:42 UTC 2019 - Benjamin Greiner <code@bnavigator.de>
- add explicit BuildRequires: zlib-devel
-------------------------------------------------------------------
Thu Sep 13 13:46:43 UTC 2018 - Karol Babioch <kbabioch@suse.com>
- Update to version 0.19.0
* Fixed multiple security problems (out of bound writes/reads):
* bsc#1104812
* CVE-2018-16391 (bsc#1106998)
* CVE-2018-16392 (bsc#1106999)
* CVE-2018-16393 (bsc#1108318)
* CVE-2018-16418 (bsc#1107039)
* CVE-2018-16419 (bsc#1107107)
* CVE-2018-16420 (bsc#1107097)
* CVE-2018-16421 (bsc#1107049)
* CVE-2018-16422 (bsc#1107038)
* CVE-2018-16423 (bsc#1107037)
* CVE-2018-16424 (bsc#1107036)
* CVE-2018-16425 (bsc#1107035)
* CVE-2018-16426 (bsc#1107034)
* CVE-2018-16427 (bsc#1107033)
* Workaround cards returning short signatures without leading zeroes
* Distribute minimal opensc.conf
* `pkcs11_enable_InitToken made` global configuration option
* Modify behavior of `OPENSC_DRIVER` environment variable to restrict driver
list instead of forcing one driver and skipping vital parts of
configuration
* Removed configuration options `zero_ckaid_for_ca_certs`,
`force_card_driver`, `reopen_debug_file`, `paranoid-memory`
* Generalized configuration option `ignored_readers`
* If card initialization fails, continue card detection with other card
drivers
* reader-pcsc: allow fixing the length of a PIN
* fixed crash during `C_WaitForSlotEvent`
* Allow cancelling the PIN pad prompt before starting the reader transaction.
Whether to start the transaction immediately or not is user-configurable
for each application
* opensc-notify
* add Exit button to tray icon
* User better description (GenericName) and a generic application icon
* Do not display in the application list
- Removed patches included upstream now:
* opensc-desktop.patch
* opensc-desktop2.patch
* opensc-bash-completions.patch
- Applied spec-cleaner
-------------------------------------------------------------------
Tue Jul 10 16:56:28 CEST 2018 - sbrabec@suse.com
- Update to version 0.18.0:
* Further improvements of PIN support.
* Large number of improvements and fixes
(boo#1097951, boo#1100501).
* See /usr/share/doc/packages/opensc/NEWS for complete list.
- Add opensc-desktop.patch, opensc-desktop2.patch and
opensc-bash-completions.patch.
-------------------------------------------------------------------
Mon Jan 1 16:16:13 UTC 2018 - michael@stroeder.com
- update to version 0.17.0:
* support for new cards
* PIN support enhancemets
* added .pc file
* builds with OpenSSL 1.1.0 (1074799)
* See /usr/share/doc/packages/opensc/NEWS for complete list.
-------------------------------------------------------------------
Tue Jul 18 13:58:05 UTC 2017 - tchvatal@suse.com
- Switch to tarball fetching from github
- Few small cleanups
-------------------------------------------------------------------
Tue Nov 22 16:42:06 CET 2016 - sbrabec@suse.com
- Add baselibs.conf to provide 32-bit PKCS11 plugins (bsc#996047).
- Drop opensc-ADVISORIES. There is no new advisory since 2009.
-------------------------------------------------------------------
Tue Jul 5 12:09:24 UTC 2016 - t.gruner@katodev.de
- update to version 0.16.0
- remove fix (issue 505)
- clean up spec-file
-------------------------------------------------------------------
Thu Jul 30 16:16:19 EEST 2015 - bwachter-pkg@lart.info
- update to version 0.15.0
- register with p11-kit
(https://www.opensc-project.org/opensc/ticket/390)
-------------------------------------------------------------------
Mon Feb 16 15:14:55 UTC 2015 - michael@stroeder.com
- update to version 0.14.0
-------------------------------------------------------------------
Tue Dec 3 18:53:23 UTC 2013 - luizluca@tre-sc.gov.br
- update to version 0.13.0
-------------------------------------------------------------------
Tue Jun 12 21:00:03 UTC 2012 - mgorse@suse.com
- make needed directories before running make install
-------------------------------------------------------------------
Thu Sep 29 18:26:23 UTC 2011 - lmedinas@opensuse.org
- Updated to version 0.12.2:
* Builds are now silent by default when OpenSC is built from
source on Unix.
* Using --wait with command line tools works with 64bit Linux
again.
* Greatly improved OpenPGP card support, including OpenPGP
2.0 cards like the one found in German Privacy Foundation
CryptoStick.
* Fixed support for FINeID cards issued after 01.03.2011 with
2048bit keys.
* #256: Fixed support for TCOS cards (broken since 0.12.0).
* Added support for IDKey-cards to TCOS3 driver.
* #361: Improved PC/SC driver to fetch the maximum PIN sizes
from the open source CCID driver. This fixes the issue for
Linux/OSX with recent driver.
* Fix FINeID cards for organizations.
* Several smaller bugs and compiler warnings fixed
- Updated to version 0.12.1:
* IAS-ECC 1.0.1
* Support for cards with multiple PKCS#15 applications
* New card driver: IAS/ECC 1.0.1
* rutoken-tool has been deprecated and removed.
* eidenv and piv-tool utilities now have manual pages.
* pkcs11-tool now requires the use of --module parameter.
* All tools can now use an ATR as an argument to --reader,
to skip to the card with given ATR.
* opensc-tool -l with -v now shows information about the
inserted cards.
* Creating files have an enforced upper size limit, 64K
* Support for multiple PKCS#15 applications with different
AID-s. PKCS#15 applications can be listed with pkcs15-tool
--list-applications. Binding to a specific AID with PKCS#15
tools can be done with --aid.
* Hex strings (like card ATR or APDU-s) can now be separated
by space, in addition to colons.
* Pinpad readers known to be bogus are now ignored by OpenSC.
At the moment only "HP USB Smart Card Keyboard" is disabled.
* Numerous compiler warnings, unused code and internal bugs
have been eliminated.
-------------------------------------------------------------------
Fri Jan 7 14:49:37 CET 2011 - sbrabec@suse.cz
- Updated to version 0.12.0:
* Security fix (bnc#660109, CVE-2010-4523).
* Only one backend is supported. openSUSE will use pcsc-lite.
* libopensc made private, library should not be used by other
applications. Please use generic PKCS#11 interface instead.
* Signer plugin discontinued. Please use openssl engine_pkcs11.
* No more depends on libassuan.
* New card drivers.
* Support for CardOS enhanced.
* More changes and enhancements.
- libopensc merged back to the main package, as it is private now.
-------------------------------------------------------------------
Mon Aug 23 14:15:22 CEST 2010 - sbrabec@suse.cz
- Fixed broken opensc-fix-gcc-warnings.patch (bnc#627619).
- Simplified plugin installation.
-------------------------------------------------------------------
Tue Apr 13 14:35:32 UTC 2010 - puzel@novell.com
- update to version 0.11.13
* Modify Rutoken S binary interfaces by Aktiv Co.
* Muscle driver fixed (acl reading issue)
* Many small fixes (e.g. mem leaks)
* Compiling with openssl 1.0.0-beta fixed
* Document integer problem in OpenSC and implement workaround
* Improve entersafe profile to support private data objects
- Require pinentry
- add opensc-libassuan-2.patch
- add opensc-fix-gcc-warnings.patch
-------------------------------------------------------------------
Fri Jan 1 20:07:35 CET 2010 - jengelh@medozas.de
- package baselibs.conf
-------------------------------------------------------------------
Wed Aug 5 14:59:33 CEST 2009 - sbrabec@suse.cz
- Updated to version 0.11.9:
* New rutoken_ecp driver
* Allow more keys/certificates/files etc. with entersafe tokens
* Updates pkcs11.h from scute fixing warnings
* Small fixes in rutoken driver
* Major update for piv driver with increased compatibility
-------------------------------------------------------------------
Thu Jul 30 12:45:26 CEST 2009 - sbrabec@suse.cz
- libopensc2 should not require opensc (bnc#466430).
-------------------------------------------------------------------
Thu May 7 17:52:06 CEST 2009 - sbrabec@suse.cz
- Updated to version 0.11.8:
* Fix security problem in pkcs11-tool gen_keypair
(PublicExponent 1) (bnc#501726)
See http://en.opensuse.org/Smart_Cards/Advisories for more.
* updated and improve entersafe driver. FTCOS/PK-01C cards are
supported now, compatible with cards writen by Feitian's
software on windows.
-------------------------------------------------------------------
Thu Apr 9 11:32:23 CEST 2009 - sbrabec@suse.cz
- Fixed undefined code (bnc#440853).
- Don't call autoreconf on older products.
-------------------------------------------------------------------
Tue Mar 17 18:01:29 CET 2009 - sbrabec@suse.cz
- Updated to version 0.11.7:
* hide_empty_slots now on by default? small logic change?
* ruToken driver was updated.
* openct virtual readers reduced to 2 by default.
* Security issue: Fix private data support. (bnc#480262,
CVE-2009-0368)
See http://en.opensuse.org/Smart_Cards/Advisories for more.
* Enable lock_login by default.
* Disable allow_soft_keygen by default.
-------------------------------------------------------------------
Wed Dec 10 12:34:56 CET 2008 - olh@suse.de
- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade
(bnc#437293)
-------------------------------------------------------------------
Thu Oct 30 12:34:56 CET 2008 - olh@suse.de
- obsolete old -XXbit packages (bnc#437293)
-------------------------------------------------------------------
Wed Sep 10 13:46:44 CEST 2008 - sbrabec@suse.cz
- Updated to version 0.11.6:
* New support for Feitian ePass3000.
* GemSafeV1 improved to handle key_ref other than 3.
* Build system rewritten.
* ruToken now supported.
* Allow specifying application name for data objects.
* Basic reader hotplug support.
* PC/SC library is dynamically linked.
* PKCS#11 provider is now installed at LIBDIR/pkcs11.
* PKCS#11 - Number of virtual slots moved into configuration.
* PKCS#11 - Fix fork() compliance.
* make sign_with_decrypt hack configureable for siemens cards.
-------------------------------------------------------------------
Mon Sep 1 14:06:17 CEST 2008 - sbrabec@suse.cz
- Check validity of SSL certificates for all Siemens CardOS M4
cards (SCA and SCB are affected as well, bnc#413496#c6).
-------------------------------------------------------------------
Thu Jul 31 12:45:11 CEST 2008 - sbrabec@suse.cz
- Fixed initialization access rights for Siemens CardOS M4, added
a security check to pkcs15-tool (bnc#413496, CVE-2008-2235)
-------------------------------------------------------------------
Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
- added baselibs.conf file to build xxbit packages
for multilib support
-------------------------------------------------------------------
Thu Feb 7 17:12:02 CET 2008 - sbrabec@suse.cz
- Updated to version 0.11.4:
* Browser plugin support
* Support Siemens CardOS initialized cards (signing with
decryption)
* Add Siemens CardOS M4.2B support (experimental)
* Support for AKIS cards added (partial)
-------------------------------------------------------------------
Thu Jul 26 13:40:30 CEST 2007 - sbrabec@suse.cz
- Updated to version 0.11.3:
* make lots of internal functions and variables static.
* fix 0 vs NULL in many places. fix ansi c style (void).
* avoid variable names used also as glibc function (random etc.).
* new code for deleting objects.
* special hack for firefox.
* suport for Athena APCOS cards added.
* piv driver now supports bigger rsa keys too.
* enabled pin caching by default.
* use max_send_size 255 / max_recv_size 256 bytes by default.
* increase pin buffer size to allow longer pin codes.
* Added --read-ssk-key option to pkcs15-tool
* use pkg-config for finding openct
* use strlcpy function
* use new pkcs11.h from scute with an open source license
* add support for sha2 to pkcs15-crypt
* add piv-tool for managing piv cards
* add muscle driver
* improved oberthur driver
* add support for pcsc v2 part10
* convert source files to utf-8
- Split package according to shared library packaging policy.
-------------------------------------------------------------------
Tue Feb 27 12:12:30 CET 2007 - mvaner@suse.cz
- Fixing dodgy use of sizeof (#238660)
- sizeof.patch
-------------------------------------------------------------------
Mon Oct 2 18:49:35 CEST 2006 - sbrabec@suse.cz
- Updated to version 0.11.1:
* Update for piv pkcs#15 emulation
* Improved TCOS driver for Uni Giesen Card
* Handle size_t printf with "%lu" and (unsigned long) cast
* Add support for d-trust cards / improve micardo 2.1 driver
-------------------------------------------------------------------
Thu May 25 16:13:02 CEST 2006 - sbrabec@suse.cz
- Fixed build for old SuSE Linux versions.
-------------------------------------------------------------------
Thu May 11 13:00:00 CEST 2006 - sbrabec@suse.cz
- Fixed devel dependencies.
-------------------------------------------------------------------
Wed May 10 16:58:12 CEST 2006 - sbrabec@suse.cz
- Updated to version 0.11.0.
-------------------------------------------------------------------
Wed Jan 25 21:39:06 CET 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
-------------------------------------------------------------------
Thu Jan 5 02:05:11 CET 2006 - ro@suse.de
- added unpackaged so-links to devel filelist
-------------------------------------------------------------------
Tue Oct 25 15:30:04 CEST 2005 - rhafer@suse.de
- added LDAP_DEPRECATED to CFLAGS to build correctly with·
OpenLDAP 2.3
-------------------------------------------------------------------
Fri Sep 2 12:56:14 CEST 2005 - okir@suse.de
- Removed +x permissions on opensc.conf (#114849)
-------------------------------------------------------------------
Thu Jul 14 16:11:56 CEST 2005 - okir@suse.de
- Updated to latest upstream version
- Added missing documentation files (#75425)
-------------------------------------------------------------------
Fri Mar 4 11:06:48 CET 2005 - meissner@suse.de
- fixed gcc4 compilation.
-------------------------------------------------------------------
Fri Jan 21 14:43:23 CET 2005 - okir@suse.de
- Updated to latest upstream version (0.9.4)
-------------------------------------------------------------------
Thu Nov 18 15:49:34 CET 2004 - ro@suse.de
- use kerberos-devel-packages
-------------------------------------------------------------------
Mon Jul 19 14:06:10 CEST 2004 - adrian@suse.de
- fix file list
-------------------------------------------------------------------
Mon Jul 12 17:26:31 CEST 2004 - adrian@suse.de
- update to version 0.8.1
-------------------------------------------------------------------
Fri Mar 19 11:10:13 CET 2004 - okir@suse.de
- Fixed permissions and path names of some include files (#36432)
-------------------------------------------------------------------
Fri Jan 16 13:19:16 CET 2004 - kukuk@suse.de
- Add pam-devel to neededforbuild
-------------------------------------------------------------------
Sat Jan 10 15:47:57 CET 2004 - adrian@suse.de
- add %run_ldconfig and %defattr
-------------------------------------------------------------------
Mon Aug 4 11:00:27 CEST 2003 - okir@suse.de
- Build fixes for x86_64/ppc64
- use a version string other than "CVS" (#28423)
-------------------------------------------------------------------
Fri Aug 1 12:04:29 CEST 2003 - okir@suse.de
- Updated to most recent upstream snapshot
-------------------------------------------------------------------
Thu Jun 12 13:28:31 CEST 2003 - kukuk@suse.de
- Fix filelist and permissions
-------------------------------------------------------------------
Wed Jun 4 00:39:12 CEST 2003 - ro@suse.de
- added rest of static libs to devel filelist
- remove unpackaged files from buildroot
-------------------------------------------------------------------
Wed Jan 15 17:34:58 CET 2003 - ro@suse.de
- use sasl2
-------------------------------------------------------------------
Thu Dec 5 11:22:44 CET 2002 - okir@suse.de
- fixed x86_64 build problem
- updated to latest upstream
-------------------------------------------------------------------
Fri Nov 29 10:01:14 CET 2002 - okir@suse.de
- updated to current CVS snapshot
-------------------------------------------------------------------
Fri Aug 9 21:35:43 CEST 2002 - okir@suse.de
- added missing libs to files list
-------------------------------------------------------------------
Thu Jul 4 17:48:11 CEST 2002 - ro@suse.de
- added heimdal-devel to neededforbuild to make libtool happy
-------------------------------------------------------------------
Fri Jun 28 17:34:49 CEST 2002 - schwab@suse.de
- Fix bootstrap script.
- Use correct libtool macros.
-------------------------------------------------------------------
Mon May 27 19:10:07 CEST 2002 - sf@suse.de
- @libdir@ added to Makefile.am to use correct dirs for
*/lib */lib64
-------------------------------------------------------------------
Tue Apr 30 16:05:12 CEST 2002 - okir@suse.de
- Initial check-in

8
opensc.module Normal file

@ -0,0 +1,8 @@
# This file describes how to load the opensc module
# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html
# This is a relative path, which means it will be loaded from
# the p11-kit default path which is usually $(libdir)/pkcs11.
# Doing it this way allows for packagers to package opensc for
# 32-bit and 64-bit and make them parallel installable
module: onepin-opensc-pkcs11.so

143
opensc.spec Normal file

@ -0,0 +1,143 @@
#
# spec file for package opensc
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define sover 11
%define completionsdir %(pkg-config --variable completionsdir bash-completion)
Name: opensc
Version: 0.25.1
Release: 0
Summary: Smart Card Utilities
License: LGPL-2.1-or-later
Group: Productivity/Security
URL: https://github.com/OpenSC/OpenSC/wiki
Source: https://github.com/OpenSC/OpenSC/releases/download/%{version}/%{name}-%{version}.tar.gz
Source1: baselibs.conf
Source2: %{name}-rpmlintrc
# Register with p11-kit
# https://web.archive.org/web/20111225073733/http://www.opensc-project.org/opensc/ticket/390
Source3: opensc.module
Patch0: opensc-gcc11.patch
Patch1: opensc-docbook-xsl-fix.patch
Patch2: opensc-CVE-2024-8443.patch
# PATCH-FIX-UPSTREAM: bsc#1230071 CVE-2024-45615: opensc: pkcs15init: Usage of uninitialized values in libopensc and pkcs15init
Patch3: opensc-CVE-2024-45615.patch
# PATCH-FIX-UPSTREAM: bsc#1230072 CVE-2024-45616: opensc: Uninitialized values after incorrect check or usage of APDU response values in libopensc
Patch4: opensc-CVE-2024-45616.patch
# PATCH-FIX-UPSTREAM: bsc#1230073 CVE-2024-45617: opensc: Uninitialized values after incorrect or missing checking return values of functions in libopensc
Patch5: opensc-CVE-2024-45617.patch
# PATCH-FIX-UPSTREAM: bsc#1230074 CVE-2024-45618: opensc: Uninitialized values after incorrect or missing checking return values of functions in pkcs15init
Patch6: opensc-CVE-2024-45618.patch
# PATCH-FIX-UPSTREAM: bsc#1230075 CVE-2024-45619: opensc: Incorrect handling length of buffers or files in libopensc
Patch7: opensc-CVE-2024-45619.patch
# PATCH-FIX-UPSTREAM: bsc#1230076 CVE-2024-45620: opensc: Incorrect handling of the length of buffers or files in pkcs15init
Patch8: opensc-CVE-2024-45620.patch
BuildRequires: automake
BuildRequires: docbook-xsl-stylesheets
BuildRequires: libxslt
BuildRequires: pkgconfig
BuildRequires: readline-devel
BuildRequires: zlib-devel
BuildRequires: pkgconfig(bash-completion)
BuildRequires: pkgconfig(libeac) >= 0.9
BuildRequires: pkgconfig(libpcsclite) >= 1.8.22
BuildRequires: pkgconfig(openssl) >= 1.0.1
Requires: pcsc-lite
# There is no more devel package.
Obsoletes: opensc-devel < %{version}
%description
OpenSC provides a set of utilities to access smart cards. It mainly
focuses on cards that support cryptographic operations. It facilitates
their use in security applications such as mail encryption,
authentication, and digital signature. OpenSC implements the PKCS#11
API. Applications supporting this API, such as Mozilla Firefox and
Thunderbird, can use it. OpenSC implements the PKCS#15 standard and aims
to be compatible with every software that does so, too.
Before purchasing any cards, please read carefully documentation on the
web pageonly some cards are supported. Not only card type matters, but
also card version, card OS version and preloaded applet. Only subset of
possible operations may be supported for your card. Card initialization
may require third party proprietary software.
%package bash-completion
Summary: Bash Completion for %{name}
Group: Productivity/Security
Requires: %{name} = %{version}
Requires: bash-completion
Supplements: (%{name} and bash-completion)
BuildArch: noarch
%description bash-completion
Bash completion script for %{name}.
%prep
%setup -q
%autopatch -p1
%build
%configure \
--docdir=%{_docdir}/%{name} \
--disable-static \
--enable-doc \
--disable-silent-rules
%make_build
%install
%make_install
# Private library.
rm %{buildroot}%{_libdir}/libopensc.so
install -D -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/pkcs11/modules/opensc.module
%ldconfig_scriptlets
%files
%license COPYING
%doc NEWS README
%doc %{_docdir}/%{name}/tools.html
%doc %{_docdir}/%{name}/files.html
%doc %{_docdir}/%{name}/opensc.conf
#
%config(noreplace) %{_sysconfdir}/eac/cvc/DESCHSMCVCA00001
%config(noreplace) %{_sysconfdir}/eac/cvc/DESRCACC100001
#
%{_bindir}/*
%{_datadir}/applications/*.desktop
%{_datadir}/opensc
# Note: .la and .so must be in the main package, required by ltdl:
%{_libdir}/*.la
%{_libdir}/libsmm-local.so
%{_libdir}/onepin-opensc-pkcs11.so
%{_libdir}/opensc-pkcs11.so
%{_libdir}/pkcs11-spy.so
# This is a private library. There is no reason to split it to libopensc* package.
%{_libdir}/libsmm-local.so.%{sover}*
%{_libdir}/libopensc.so.%{sover}*
#
%dir %{_libdir}/pkcs11
%{_libdir}/pkcs11/*.so
%{_libdir}/pkgconfig/opensc-pkcs11.pc
%{_mandir}/man?/*%{ext_man}
%config %{_sysconfdir}/opensc.conf
%dir %{_sysconfdir}/pkcs11
%config %{_sysconfdir}/pkcs11/modules/
%files bash-completion
%{completionsdir}/*
%changelog
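Review bot: Patch2 (opensc-CVE-2024-8443.patch) is the only security patch in the new spec without a PATCH-FIX-UPSTREAM annotation, while Patch3 through Patch8 each carry the bug reference, CVE id and a one-line summary; a maintainer auditing which fix maps to which advisory has to leave the spec to find it. Add a line of the same shape above it, `# PATCH-FIX-UPSTREAM: bsc#<bug id> CVE-2024-8443: opensc: <one-line summary from the changes entry>`, filling in the values from the corresponding changes entry. The %description text also reads "web pageonly some cards are supported", where a dash or period was lost between "page" and "only". Finally, `%config %{_sysconfdir}/pkcs11/modules/` marks the whole directory as a config entry although the only file installed there is the opensc.module from Source3; listing that file explicitly, `%config %{_sysconfdir}/pkcs11/modules/opensc.module`, keeps later additions to the directory from silently becoming unowned or mis-tagged.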