
From:
Klemens Nanni <kn@openbsd.org>
Subject:
opensc: update to 0.26.1, take maintainer
To:
ports <ports@openbsd.org>
Date:
Sat, 22 Mar 2025 15:30:30 +0000


Loads of updates, CVE fixes and removal of support for old cards:
https://github.com/OpenSC/OpenSC/releases

Upstream also switched from calloc(3) to mmap(2) for secure memory allocation,
so adjust our patch from calloc_conceal(3) to MAP_CONCEAL;  drop m(un)lock(2)
as before.

I suggest taking maintainer to stay on track with updates.

Feedback? OK?

Index: Makefile
===================================================================
RCS file: /cvs/ports/security/opensc/Makefile,v
diff -u -p -r1.69 Makefile
--- Makefile	8 Feb 2025 04:15:28 -0000	1.69
+++ Makefile	22 Mar 2025 15:13:26 -0000
@@ -1,15 +1,16 @@
 COMMENT=	set of libraries and utilities to access smart cards
 
-V=		0.24.0
+V=		0.26.1
 DISTNAME=	opensc-${V}
-REVISION=	0
 
-SHARED_LIBS +=	opensc 8.1	# 10.1
+SHARED_LIBS +=	opensc 9.0
 SHARED_LIBS +=	smm-local 3.1
 
 CATEGORIES=	security
 
 HOMEPAGE=	https://github.com/OpenSC/OpenSC/wiki
+
+MAINTAINER=	Klemens Nanni <kn@openbsd.org>
 
 # LGPLv2.1+
 PERMIT_PACKAGE=	Yes
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/opensc/distinfo,v
diff -u -p -r1.19 distinfo
--- distinfo	19 Dec 2023 10:22:54 -0000	1.19
+++ distinfo	22 Mar 2025 14:49:27 -0000
@@ -1,2 +1,2 @@
-SHA256 (opensc-0.24.0.tar.gz) = JNA8aShykdoyowxMOKMErYJ/VsuF2DYZ4fVAOrZIDvg=
-SIZE (opensc-0.24.0.tar.gz) = 2440952
+SHA256 (opensc-0.26.1.tar.gz) = 8WKRoDHYblcDlHYunzXq8vy8IzekmRDz/q5C1U4WiMs=
+SIZE (opensc-0.26.1.tar.gz) = 2416935
Index: patches/patch-configure_ac
===================================================================
RCS file: patches/patch-configure_ac
diff -N patches/patch-configure_ac
--- patches/patch-configure_ac	19 Dec 2023 10:22:54 -0000	1.16
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-Index: configure.ac
---- configure.ac.orig
-+++ configure.ac
-@@ -444,7 +444,7 @@ AC_FUNC_STAT
- AC_FUNC_VPRINTF
- AC_CHECK_FUNCS([ \
- 	getpass gettimeofday getline memset mkdir \
--	strdup strerror memset_s explicit_bzero \
-+	strdup strerror memset_s explicit_bzero calloc_conceal \
- 	strnlen sigaction
- ])
- 
Index: patches/patch-src_libopensc_sc_c
===================================================================
RCS file: /cvs/ports/security/opensc/patches/patch-src_libopensc_sc_c,v
diff -u -p -r1.5 patch-src_libopensc_sc_c
--- patches/patch-src_libopensc_sc_c	28 Jun 2023 22:21:26 -0000	1.5
+++ patches/patch-src_libopensc_sc_c	22 Mar 2025 15:05:58 -0000
@@ -1,45 +1,36 @@
-Avoid mlock; not really useful unless non-default vm.swapencrypt.enable=0
-is used, and prevents opensc being used by pledge()'d callers.
+Avoid mlock(2); not really useful unless non-default vm.swapencrypt.enable=0
+is used, and prevents opensc being used by pledge(2)'d callers.
 
-Belt and braces with calloc_conceal: upstream already uses explicit_bzero,
-but we might as well use this which conceals secure allocations from dumps.
+Belt and braces with mmap(2) MAP_CONCEAL: upstream already uses
+explicit_bzero(3), but we might as well use this which conceals secure
+allocations from dumps.
 
 Index: src/libopensc/sc.c
 --- src/libopensc/sc.c.orig
 +++ src/libopensc/sc.c
-@@ -923,14 +923,18 @@ void *sc_mem_secure_alloc(size_t len)
- 		len = pages * page_size;
+@@ -907,11 +907,15 @@ void *sc_mem_secure_alloc(size_t len)
+ 		VirtualLock(p, len);
  	}
- 
-+#ifdef HAVE_CALLOC_CONCEAL
-+	p = calloc_conceal(1, len);
-+#else
- 	p = calloc(1, len);
- 	if (p == NULL) {
- 		return NULL;
+ #else
++# ifdef __OpenBSD__
++	p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_CONCEAL, -1, 0);
++# else
+ 	p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+ 	if (p != NULL)
+ 	{
+ 		mlock(p, len);
  	}
--#ifdef _WIN32
-+#  ifdef _WIN32
- 	VirtualLock(p, len);
--#else
-+#  else
- 	mlock(p, len);
-+#  endif
++# endif
  #endif
  
  	return p;
-@@ -938,10 +942,14 @@ void *sc_mem_secure_alloc(size_t len)
- 
- void sc_mem_secure_free(void *ptr, size_t len)
- {
-+#ifdef HAVE_CALLOC_CONCEAL
-+	/* do nothing */
-+#else
- #ifdef _WIN32
+@@ -923,7 +927,9 @@ void sc_mem_secure_free(void *ptr, size_t len)
  	VirtualUnlock(ptr, len);
+ 	VirtualFree(ptr, 0, MEM_RELEASE);
  #else
++# ifndef __OpenBSD__
  	munlock(ptr, len);
-+#endif
++# endif
+ 	munmap(ptr, len);
  #endif
- 	free(ptr);
  }
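Review bot: The `__OpenBSD__` branch added to `sc_mem_secure_alloc` returns the result of mmap(2) without checking it, and mmap reports failure as `MAP_FAILED`, not `NULL`. Callers are not visible here, but any caller that only tests the return value for NULL would treat a failed allocation as a usable buffer for key or PIN material and write through an invalid pointer. Adding `if (p == MAP_FAILED)` / `p = NULL;` directly after the `MAP_CONCEAL` mmap call keeps the NULL-on-failure contract that the earlier calloc-based code had. The upstream branch kept as context has the same gap, since `if (p != NULL)` is always true for a failed mmap, so it is worth reporting upstream and not only patching locally. Both functions begin outside the hunk, so the page-rounding of `len` and the Windows path could not be checked from this view.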
Index: patches/patch-src_tools_pkcs11-tool_c
===================================================================
RCS file: /cvs/ports/security/opensc/patches/patch-src_tools_pkcs11-tool_c,v
diff -u -p -r1.4 patch-src_tools_pkcs11-tool_c
--- patches/patch-src_tools_pkcs11-tool_c	8 Feb 2025 04:15:28 -0000	1.4
+++ patches/patch-src_tools_pkcs11-tool_c	22 Mar 2025 15:18:03 -0000
@@ -1,9 +1,10 @@
 https://github.com/OpenSC/OpenSC/pull/3306
+merged after 0.26.1, remove on next release
 
 Index: src/tools/pkcs11-tool.c
 --- src/tools/pkcs11-tool.c.orig
 +++ src/tools/pkcs11-tool.c
-@@ -5339,7 +5339,7 @@ static void show_cert(CK_SESSION_HANDLE sess, CK_OBJEC
+@@ -5923,7 +5923,7 @@ static void show_cert(CK_SESSION_HANDLE sess, CK_OBJEC
  			BIO *bio = BIO_new(BIO_s_file());
  			BIO_set_fp(bio, stdout, BIO_NOCLOSE);
  			printf("  subject:    DN: ");
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/opensc/pkg/PLIST,v
diff -u -p -r1.18 PLIST
--- pkg/PLIST	19 Dec 2023 10:22:54 -0000	1.18
+++ pkg/PLIST	22 Mar 2025 15:09:56 -0000
@@ -1,6 +1,7 @@
 @bin bin/cardos-tool
 @bin bin/cryptoflex-tool
 @bin bin/dnie-tool
+@bin bin/dtrust-tool
 @bin bin/egk-tool
 @bin bin/eidenv
 @bin bin/gids-tool
@@ -31,6 +32,7 @@ lib/pkgconfig/libopensc.pc
 @man man/man1/cardos-tool.1
 @man man/man1/cryptoflex-tool.1
 @man man/man1/dnie-tool.1
+@man man/man1/dtrust-tool.1
 @man man/man1/egk-tool.1
 @man man/man1/eidenv.1
 @man man/man1/gids-tool.1
@@ -57,6 +59,7 @@ share/applications/org.opensc.notify.des
 share/bash-completion/completions/cardos-tool
 share/bash-completion/completions/cryptoflex-tool
 share/bash-completion/completions/dnie-tool
+share/bash-completion/completions/dtrust-tool
 share/bash-completion/completions/egk-tool
 share/bash-completion/completions/eidenv
 share/bash-completion/completions/gids-tool
@@ -91,7 +94,6 @@ share/opensc/entersafe.profile
 share/opensc/epass2003.profile
 share/opensc/flex.profile
 share/opensc/gids.profile
-share/opensc/gpk.profile
 share/opensc/ias_adele_admin1.profile
 share/opensc/ias_adele_admin2.profile
 share/opensc/ias_adele_common.profile
@@ -99,7 +101,6 @@ share/opensc/iasecc.profile
 share/opensc/iasecc_admin_eid.profile
 share/opensc/iasecc_generic_oberthur.profile
 share/opensc/iasecc_generic_pki.profile
-share/opensc/incrypto34.profile
 share/opensc/isoApplet.profile
 share/opensc/muscle.profile
 share/opensc/myeid.profile
@@ -112,5 +113,4 @@ share/opensc/rutoken_lite.profile
 share/opensc/sc-hsm.profile
 share/opensc/setcos.profile
 share/opensc/starcos.profile
-share/opensc/westcos.profile
 @tag update-desktop-database