dev-libs/opensc: Sync with Gentoo

It's from Gentoo commit 5c0bfd3185c4fa2cc8b17cde730e1c689b2c5f9d.
2025-11-12 22:21:28 +01:00 · 2024-03-11 07:12:13 +00:00 · 2024-03-11 07:12:13 +00:00 · 00be29d815
commit 00be29d815
parent 3443fa0f45
5 changed files with 3 additions and 312 deletions
--- a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/Manifest
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/Manifest
@ -1,2 +1,2 @@
 DIST opensc-0.23.0.tar.gz 2366469 BLAKE2B c0f74379a70347a58be27684ae2cf833e6f35328b566af2c6daa8276174864406fa176acf7ba84931970fe07e3dd8d6eccf7884f079cb0110c4d6ff9a76792dc SHA512 cd102cd64e719c59153960a4921b7525055045f16e6f6ffa8c9def6ce999a9c5098267b41f8753b41107f626bea20c34561002f5d38eddb4ce6b371913a17a1b
 DIST opensc-0.24.0.tar.gz 2440952 BLAKE2B afacdd151d169dd1840ecd6df1cec99a9805598d7b7af81e17b648f146cd1b3ad1d3dcae19ed94cf8ce0dbbd5b4285af9653af5ef5739d53908ce30a49544adb SHA512 0fd2ea858874ae0b85c8fe8c4b920988693a47ca95b26449a1e95f86e17b76000f236c1f75d63ee133306e01a965155da5e14c1b8a59053b85026ecb58fb97bb
 DIST opensc-0.25.0.tar.gz 2406137 BLAKE2B 07c7de7fa1c258a90b1acbfbc01383f204ad88169ae1d3681f240e881ab80652dc9b04ba452a433576847caa5ef49d35608b3f895e965fec9e79da231ecabab2 SHA512 c220607a543b1fcf7c89e051e7c7ca3908abab6c022818b01a6219becdbad217708fb3c5fe2fe2218ac82be0f174c5694e5fa07c6e0ae540cf3171462a23eee6
--- a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-CVE-2023-2977.patch
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-CVE-2023-2977.patch
@ -1,49 +0,0 @@
 From 81944d1529202bd28359bede57c0a15deb65ba8a Mon Sep 17 00:00:00 2001
 From: fullwaywang <fullwaywang@tencent.com>
 Date: Mon, 29 May 2023 10:38:48 +0800
 Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer
 overrun bug. Fixes #2785
 ---
 src/pkcs15init/pkcs15-cardos.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
 diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
 index 9715cf390f..f41f73c349 100644
 --- a/src/pkcs15init/pkcs15-cardos.c
 +++ b/src/pkcs15init/pkcs15-cardos.c
@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
 	sc_apdu_t apdu;
         u8        rbuf[SC_MAX_APDU_BUFFER_SIZE];
         int       r;
 -	const u8  *p = rbuf, *q;
 +	const u8  *p = rbuf, *q, *pp;
 	size_t    len, tlen = 0, ilen = 0;
 	sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
 		return 0;
 	while (len != 0) {
 -		p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
 -		if (p == NULL)
 +		pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
 +		if (pp == NULL)
 			return 0;
 		if (card->type == SC_CARD_TYPE_CARDOS_M4_3)	{
 			/* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01	*/
 			/* and Package Number 0x07					*/
 -			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
 +			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
 			if (q == NULL || ilen != 4)
 				return 0;
 			if (q[0] == 0x07)
@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
 		} else if (card->type == SC_CARD_TYPE_CARDOS_M4_4)	{
 			/* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03	*/
 			/* and Package Number 0x02					*/
 -			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen);
 +			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen);
 			if (q == NULL || ilen != 4)
 				return 0;
 			if (q[0] == 0x02)
--- a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2656.patch
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2656.patch
@ -1,215 +0,0 @@
 https://bugs.gentoo.org/909781
 https://github.com/OpenSC/libp11/issues/478
 https://github.com/OpenSC/OpenSC/pull/2656
 From 99f7b82f187ca3512ceae6270c391243d018fdac Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Thu, 1 Dec 2022 20:08:53 +0100
 Subject: [PATCH 1/4] pkcs11-tool: Fix private key import
 ---
 src/tools/pkcs11-tool.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
 index aae205fe2c..cfee8526d5 100644
 --- a/src/tools/pkcs11-tool.c
 +++ b/src/tools/pkcs11-tool.c
@@ -3669,13 +3669,13 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
 		RSA_get0_factors(r, &r_p, &r_q);
 		RSA_get0_crt_params(r, &r_dmp1, &r_dmq1, &r_iqmp);
 #else
 -		if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_d) != 1 ||
 +		if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, &r_d) != 1 ||
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_p) != 1 ||
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||
 -			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT3, &r_iqmp) != 1) {
 			util_fatal("OpenSSL error during RSA private key parsing");
 +			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {
 		}
 #endif
 		RSA_GET_BN(rsa, private_exponent, r_d);
 From 4a6e1d1dcd18757502027b1c5d2fb2cbaca28407 Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Thu, 1 Dec 2022 20:11:41 +0100
 Subject: [PATCH 2/4] pkcs11-tool: Log more information on OpenSSL errors
 ---
 src/tools/pkcs11-tool.c | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)
 diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
 index cfee8526d5..f2e6b1dd91 100644
 --- a/src/tools/pkcs11-tool.c
 +++ b/src/tools/pkcs11-tool.c
@@ -3641,10 +3641,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
 	const BIGNUM *r_dmp1, *r_dmq1, *r_iqmp;
 	r = EVP_PKEY_get1_RSA(pkey);
 	if (!r) {
 -		if (private)
 -			util_fatal("OpenSSL error during RSA private key parsing");
 -		else
 -			util_fatal("OpenSSL error during RSA public key parsing");
 +		util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public",
 +			ERR_error_string(ERR_peek_last_error(), NULL));
 	}
 	RSA_get0_key(r, &r_n, &r_e, NULL);
@@ -3654,10 +3652,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
 	BIGNUM *r_dmp1 = NULL, *r_dmq1 = NULL, *r_iqmp = NULL;
 	if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &r_n) != 1 ||
 		EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &r_e) != 1) {
 -		if (private)
 -			util_fatal("OpenSSL error during RSA private key parsing");
 -		else
 -			util_fatal("OpenSSL error during RSA public key parsing");
 +		util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public",
 +			ERR_error_string(ERR_peek_last_error(), NULL));
 	 }
 #endif
 	RSA_GET_BN(rsa, modulus, r_n);
@@ -3674,8 +3670,9 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||
 -			util_fatal("OpenSSL error during RSA private key parsing");
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {
 +			util_fatal("OpenSSL error during RSA private key parsing: %s",
 +				ERR_error_string(ERR_peek_last_error(), NULL));
 		}
 #endif
 		RSA_GET_BN(rsa, private_exponent, r_d);
 From 267da3e81f1fc23a9ccce1462ab5deb1a4d4aec5 Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Thu, 1 Dec 2022 20:38:31 +0100
 Subject: [PATCH 3/4] Reproducer for broken pkcs11-tool key import
 ---
 tests/Makefile.am                | 10 ++++---
 tests/test-pkcs11-tool-import.sh | 48 ++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+), 4 deletions(-)
 create mode 100755 tests/test-pkcs11-tool-import.sh
 diff --git a/tests/Makefile.am b/tests/Makefile.am
 index d378e2ee00..9d8a24c321 100644
 --- a/tests/Makefile.am
 +++ b/tests/Makefile.am
@@ -14,8 +14,9 @@ dist_noinst_SCRIPTS = common.sh \
                       test-pkcs11-tool-test-threads.sh \
                       test-pkcs11-tool-sign-verify.sh \
                       test-pkcs11-tool-allowed-mechanisms.sh \
 -                      test-pkcs11-tool-sym-crypt-test.sh\
 -                      test-pkcs11-tool-unwrap-wrap-test.sh
 +                      test-pkcs11-tool-sym-crypt-test.sh \
 +                      test-pkcs11-tool-unwrap-wrap-test.sh \
 +                      test-pkcs11-tool-import.sh
 .NOTPARALLEL:
 TESTS = \
@@ -25,8 +26,9 @@ TESTS = \
         test-pkcs11-tool-test.sh \
         test-pkcs11-tool-test-threads.sh \
         test-pkcs11-tool-allowed-mechanisms.sh \
 -        test-pkcs11-tool-sym-crypt-test.sh\
 -        test-pkcs11-tool-unwrap-wrap-test.sh
 +        test-pkcs11-tool-sym-crypt-test.sh \
 +        test-pkcs11-tool-unwrap-wrap-test.sh \
 +        test-pkcs11-tool-import.sh
 XFAIL_TESTS = \
         test-pkcs11-tool-test-threads.sh \
         test-pkcs11-tool-test.sh
 diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh
 new file mode 100755
 index 0000000000..76ff8e51be
 --- /dev/null
 +++ b/tests/test-pkcs11-tool-import.sh
@@ -0,0 +1,48 @@
 +#!/bin/bash
 +SOURCE_PATH=${SOURCE_PATH:-..}
 +
 +source $SOURCE_PATH/tests/common.sh
 +
 +echo "======================================================="
 +echo "Setup SoftHSM"
 +echo "======================================================="
 +if [[ ! -f $P11LIB ]]; then
 +    echo "WARNING: The SoftHSM is not installed. Can not run this test"
 +    exit 77;
 +fi
 +card_setup
 +
 +ID="0100"
 +OPTS=""
 +for KEYTYPE in "RSA" "EC"; do
 +    echo "======================================================="
 +    echo "Generate and import $KEYTYPE keys"
 +    echo "======================================================="
 +    if [ "$KEYTYPE" == "RSA" ]; then
 +        ID="0100"
 +    elif [ "$KEYTYPE" == "EC" ]; then
 +        ID="0200"
 +        OPTS="-pkeyopt ec_paramgen_curve:P-521"
 +    fi
 +    openssl genpkey -out "${KEYTYPE}_private.der" -outform DER -algorithm $KEYTYPE $OPTS
 +    assert $? "Failed to generate private $KEYTYPE key"
 +    $PKCS11_TOOL --write-object "${KEYTYPE}_private.der" --id "$ID" --type privkey \
 +        --label "$KEYTYPE" -p "$PIN" --module "$P11LIB"
 +    assert $? "Failed to write private $KEYTYPE key"
 +
 +    openssl pkey -in "${KEYTYPE}_private.der" -out "${KEYTYPE}_public.der" -pubout -inform DER -outform DER
 +    assert $? "Failed to convert private $KEYTYPE key to public"
 +    $PKCS11_TOOL --write-object "${KEYTYPE}_public.der" --id "$ID" --type pubkey --label "$KEYTYPE" \
 +        -p $PIN --module $P11LIB
 +    assert $? "Failed to write public $KEYTYPE key"
 +    # certificate import already tested in all other tests
 +
 +    rm "${KEYTYPE}_private.der" "${KEYTYPE}_public.der"
 +done
 +
 +echo "======================================================="
 +echo "Cleanup"
 +echo "======================================================="
 +card_cleanup
 +
 +exit $ERRORS
 From 63a7bceeca43ece1eee201ef7a974b20b294ba4e Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jakuje@gmail.com>
 Date: Fri, 2 Dec 2022 18:07:43 +0100
 Subject: [PATCH 4/4] Simplify the new test
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Co-authored-by: Veronika Hanulíková <61348757+xhanulik@users.noreply.github.com>
 ---
 tests/test-pkcs11-tool-import.sh | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
 diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh
 index 76ff8e51be..c90b3b4926 100755
 --- a/tests/test-pkcs11-tool-import.sh
 +++ b/tests/test-pkcs11-tool-import.sh
@@ -12,15 +12,13 @@ if [[ ! -f $P11LIB ]]; then
 fi
 card_setup
 -ID="0100"
 -OPTS=""
 for KEYTYPE in "RSA" "EC"; do
     echo "======================================================="
     echo "Generate and import $KEYTYPE keys"
     echo "======================================================="
 -    if [ "$KEYTYPE" == "RSA" ]; then
 -        ID="0100"
 -    elif [ "$KEYTYPE" == "EC" ]; then
 +    ID="0100"
 +    OPTS=""
 +    if [ "$KEYTYPE" == "EC" ]; then
         ID="0200"
         OPTS="-pkeyopt ec_paramgen_curve:P-521"
     fi
--- a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2765.patch
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2765.patch
@ -1,39 +0,0 @@
 https://bugs.gentoo.org/909781
 https://github.com/OpenSC/OpenSC/pull/2765
 From 36178c8188521f2627d2eea428a7e53d149eed58 Mon Sep 17 00:00:00 2001
 From: Peter Popovec <popovec.peter@gmail.com>
 Date: Fri, 28 Apr 2023 10:50:25 +0200
 Subject: [PATCH] Fix pkcs11-tool unwrap / incorrect CKA_ID
 "object_id[]" and "id_len" must be allocated so that it is not deallocated
 or overwritten (on the stack) at the time of the C_UnwrapKey() call.
 	modified:   src/tools/pkcs11-tool.c
 ---
 src/tools/pkcs11-tool.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
 diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
 index 890ca27060..f3a01ab4cf 100644
 --- a/src/tools/pkcs11-tool.c
 +++ b/src/tools/pkcs11-tool.c
@@ -3347,6 +3347,8 @@ unwrap_key(CK_SESSION_HANDLE session)
 		{CKA_CLASS, &secret_key_class, sizeof(secret_key_class)},
 		{CKA_TOKEN, &_true, sizeof(_true)},
 	};
 +	CK_BYTE object_id[100];
 +	size_t id_len;
 	CK_OBJECT_HANDLE hSecretKey;
 	int n_attr = 2;
 	CK_RV rv;
@@ -3450,9 +3452,6 @@ unwrap_key(CK_SESSION_HANDLE session)
 	}
 	if (opt_application_id != NULL) {
 -		CK_BYTE object_id[100];
 -		size_t id_len;
 -
 		id_len = sizeof(object_id);
 		if (!sc_hex_to_bin(opt_application_id, object_id, &id_len)) {
 			FILL_ATTR(keyTemplate[n_attr], CKA_ID, object_id, id_len);
--- a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r3.ebuild
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r3.ebuild
@ -13,11 +13,11 @@ if [[ ${PV} == *9999 ]]; then
 	EGIT_REPO_URI="https://github.com/OpenSC/OpenSC.git"
 else
 	SRC_URI="https://github.com/OpenSC/OpenSC/releases/download/${PV}/${P}.tar.gz"
-	KEYWORDS="amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ppc64 ~riscv ~s390 ~sparc x86"
+	KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
 fi
 LICENSE="LGPL-2.1"
-SLOT="0"
+SLOT="0/11"
 IUSE="ctapi doc openct notify pace +pcsc-lite readline secure-messaging ssl test zlib"
 RESTRICT="!test? ( test )"
@ -40,12 +40,6 @@ REQUIRED_USE="
 	ctapi? ( !pcsc-lite !openct )
 	|| ( pcsc-lite openct ctapi )"
 PATCHES=(
 	"${FILESDIR}"/${P}-CVE-2023-2977.patch
 	"${FILESDIR}"/${P}-backport-pr2656.patch
 	"${FILESDIR}"/${P}-backport-pr2765.patch
 )
 src_prepare() {
 	default
 	eautoreconf