diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list index 1a3ae1f53e..cc0de16c01 100644 --- a/.github/workflows/portage-stable-packages-list +++ b/.github/workflows/portage-stable-packages-list @@ -17,7 +17,9 @@ acct-group/messagebus acct-group/netperf acct-group/nobody acct-group/ntp +acct-group/openct acct-group/pcap +acct-group/pcscd acct-group/polkitd acct-group/portage acct-group/render @@ -34,6 +36,7 @@ acct-group/systemd-timesync acct-group/tape acct-group/tss acct-group/tty +acct-group/usb acct-group/users acct-group/utmp acct-group/uucp @@ -47,6 +50,7 @@ acct-user/netperf acct-user/nobody acct-user/ntp acct-user/pcap +acct-user/pcscd acct-user/polkitd acct-user/portage acct-user/root @@ -214,6 +218,7 @@ dev-libs/nettle dev-libs/npth dev-libs/nspr dev-libs/oniguruma +dev-libs/opensc dev-libs/popt dev-libs/protobuf dev-libs/userspace-rcu @@ -469,6 +474,7 @@ sys-apps/miscfiles sys-apps/net-tools sys-apps/nvme-cli sys-apps/pciutils +sys-apps/pcsc-lite sys-apps/portage sys-apps/pv sys-apps/sandbox diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild index 8bcf8ae27e..ee0837d2dd 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild @@ -96,6 +96,7 @@ RDEPEND="${RDEPEND} RDEPEND="${RDEPEND} sys-fs/squashfs-tools dev-libs/libp11 + dev-libs/opensc " # Host dependencies that are needed for delta_generator. diff --git a/sdk_container/src/third_party/portage-stable/acct-group/openct/metadata.xml b/sdk_container/src/third_party/portage-stable/acct-group/openct/metadata.xml new file mode 100644 index 0000000000..115e9d64a6 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/acct-group/openct/metadata.xml @@ -0,0 +1,5 @@ + + + + + diff --git a/sdk_container/src/third_party/portage-stable/acct-group/openct/openct-0-r2.ebuild b/sdk_container/src/third_party/portage-stable/acct-group/openct/openct-0-r2.ebuild new file mode 100644 index 0000000000..e373f6d152 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/acct-group/openct/openct-0-r2.ebuild @@ -0,0 +1,8 @@ +# Copyright 2020-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit acct-group + +ACCT_GROUP_ID=46 diff --git a/sdk_container/src/third_party/portage-stable/acct-group/pcscd/metadata.xml b/sdk_container/src/third_party/portage-stable/acct-group/pcscd/metadata.xml new file mode 100644 index 0000000000..115e9d64a6 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/acct-group/pcscd/metadata.xml @@ -0,0 +1,5 @@ + + + + + diff --git a/sdk_container/src/third_party/portage-stable/acct-group/pcscd/pcscd-0-r2.ebuild b/sdk_container/src/third_party/portage-stable/acct-group/pcscd/pcscd-0-r2.ebuild new file mode 100644 index 0000000000..29a733881a --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/acct-group/pcscd/pcscd-0-r2.ebuild @@ -0,0 +1,8 @@ +# Copyright 2020-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit acct-group + +ACCT_GROUP_ID=47 diff --git a/sdk_container/src/third_party/portage-stable/acct-group/usb/metadata.xml b/sdk_container/src/third_party/portage-stable/acct-group/usb/metadata.xml new file mode 100644 index 0000000000..115e9d64a6 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/acct-group/usb/metadata.xml @@ -0,0 +1,5 @@ + + + + + diff --git a/sdk_container/src/third_party/portage-stable/acct-group/usb/usb-0-r2.ebuild b/sdk_container/src/third_party/portage-stable/acct-group/usb/usb-0-r2.ebuild new file mode 100644 index 0000000000..8f739063b3 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/acct-group/usb/usb-0-r2.ebuild @@ -0,0 +1,8 @@ +# Copyright 2020-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit acct-group + +ACCT_GROUP_ID=85 diff --git a/sdk_container/src/third_party/portage-stable/acct-user/pcscd/metadata.xml b/sdk_container/src/third_party/portage-stable/acct-user/pcscd/metadata.xml new file mode 100644 index 0000000000..115e9d64a6 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/acct-user/pcscd/metadata.xml @@ -0,0 +1,5 @@ + + + + + diff --git a/sdk_container/src/third_party/portage-stable/acct-user/pcscd/pcscd-0-r2.ebuild b/sdk_container/src/third_party/portage-stable/acct-user/pcscd/pcscd-0-r2.ebuild new file mode 100644 index 0000000000..e2ef2fb457 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/acct-user/pcscd/pcscd-0-r2.ebuild @@ -0,0 +1,13 @@ +# Copyright 2020-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit acct-user + +DESCRIPTION="A user for pcsc-lite" +ACCT_USER_ID=47 +ACCT_USER_GROUPS=( pcscd openct usb ) +ACCT_USER_GROUPS=( pcscd openct ) + +acct-user_add_deps diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/Manifest b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/Manifest new file mode 100644 index 0000000000..5d4728329f --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/Manifest @@ -0,0 +1 @@ +DIST opensc-0.23.0.tar.gz 2366469 BLAKE2B c0f74379a70347a58be27684ae2cf833e6f35328b566af2c6daa8276174864406fa176acf7ba84931970fe07e3dd8d6eccf7884f079cb0110c4d6ff9a76792dc SHA512 cd102cd64e719c59153960a4921b7525055045f16e6f6ffa8c9def6ce999a9c5098267b41f8753b41107f626bea20c34561002f5d38eddb4ce6b371913a17a1b diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-CVE-2023-2977.patch b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-CVE-2023-2977.patch new file mode 100644 index 0000000000..ad3bc1fadc --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-CVE-2023-2977.patch @@ -0,0 +1,49 @@ +From 81944d1529202bd28359bede57c0a15deb65ba8a Mon Sep 17 00:00:00 2001 +From: fullwaywang +Date: Mon, 29 May 2023 10:38:48 +0800 +Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer + overrun bug. Fixes #2785 + +--- + src/pkcs15init/pkcs15-cardos.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c +index 9715cf390f..f41f73c349 100644 +--- a/src/pkcs15init/pkcs15-cardos.c ++++ b/src/pkcs15init/pkcs15-cardos.c +@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card) + sc_apdu_t apdu; + u8 rbuf[SC_MAX_APDU_BUFFER_SIZE]; + int r; +- const u8 *p = rbuf, *q; ++ const u8 *p = rbuf, *q, *pp; + size_t len, tlen = 0, ilen = 0; + + sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88); +@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card) + return 0; + + while (len != 0) { +- p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen); +- if (p == NULL) ++ pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen); ++ if (pp == NULL) + return 0; + if (card->type == SC_CARD_TYPE_CARDOS_M4_3) { + /* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01 */ + /* and Package Number 0x07 */ +- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen); ++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen); + if (q == NULL || ilen != 4) + return 0; + if (q[0] == 0x07) +@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card) + } else if (card->type == SC_CARD_TYPE_CARDOS_M4_4) { + /* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03 */ + /* and Package Number 0x02 */ +- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen); ++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen); + if (q == NULL || ilen != 4) + return 0; + if (q[0] == 0x02) diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2656.patch b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2656.patch new file mode 100644 index 0000000000..f9ce72d317 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2656.patch @@ -0,0 +1,215 @@ +https://bugs.gentoo.org/909781 +https://github.com/OpenSC/libp11/issues/478 +https://github.com/OpenSC/OpenSC/pull/2656 + +From 99f7b82f187ca3512ceae6270c391243d018fdac Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 1 Dec 2022 20:08:53 +0100 +Subject: [PATCH 1/4] pkcs11-tool: Fix private key import + +--- + src/tools/pkcs11-tool.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c +index aae205fe2c..cfee8526d5 100644 +--- a/src/tools/pkcs11-tool.c ++++ b/src/tools/pkcs11-tool.c +@@ -3669,13 +3669,13 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa) + RSA_get0_factors(r, &r_p, &r_q); + RSA_get0_crt_params(r, &r_dmp1, &r_dmq1, &r_iqmp); + #else +- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_d) != 1 || ++ if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, &r_d) != 1 || + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_p) != 1 || + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 || + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 || + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 || +- EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT3, &r_iqmp) != 1) { + util_fatal("OpenSSL error during RSA private key parsing"); ++ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) { + } + #endif + RSA_GET_BN(rsa, private_exponent, r_d); + +From 4a6e1d1dcd18757502027b1c5d2fb2cbaca28407 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 1 Dec 2022 20:11:41 +0100 +Subject: [PATCH 2/4] pkcs11-tool: Log more information on OpenSSL errors + +--- + src/tools/pkcs11-tool.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c +index cfee8526d5..f2e6b1dd91 100644 +--- a/src/tools/pkcs11-tool.c ++++ b/src/tools/pkcs11-tool.c +@@ -3641,10 +3641,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa) + const BIGNUM *r_dmp1, *r_dmq1, *r_iqmp; + r = EVP_PKEY_get1_RSA(pkey); + if (!r) { +- if (private) +- util_fatal("OpenSSL error during RSA private key parsing"); +- else +- util_fatal("OpenSSL error during RSA public key parsing"); ++ util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public", ++ ERR_error_string(ERR_peek_last_error(), NULL)); + } + + RSA_get0_key(r, &r_n, &r_e, NULL); +@@ -3654,10 +3652,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa) + BIGNUM *r_dmp1 = NULL, *r_dmq1 = NULL, *r_iqmp = NULL; + if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &r_n) != 1 || + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &r_e) != 1) { +- if (private) +- util_fatal("OpenSSL error during RSA private key parsing"); +- else +- util_fatal("OpenSSL error during RSA public key parsing"); ++ util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public", ++ ERR_error_string(ERR_peek_last_error(), NULL)); + } + #endif + RSA_GET_BN(rsa, modulus, r_n); +@@ -3674,8 +3670,9 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa) + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 || + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 || + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 || +- util_fatal("OpenSSL error during RSA private key parsing"); + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) { ++ util_fatal("OpenSSL error during RSA private key parsing: %s", ++ ERR_error_string(ERR_peek_last_error(), NULL)); + } + #endif + RSA_GET_BN(rsa, private_exponent, r_d); + +From 267da3e81f1fc23a9ccce1462ab5deb1a4d4aec5 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 1 Dec 2022 20:38:31 +0100 +Subject: [PATCH 3/4] Reproducer for broken pkcs11-tool key import + +--- + tests/Makefile.am | 10 ++++--- + tests/test-pkcs11-tool-import.sh | 48 ++++++++++++++++++++++++++++++++ + 2 files changed, 54 insertions(+), 4 deletions(-) + create mode 100755 tests/test-pkcs11-tool-import.sh + +diff --git a/tests/Makefile.am b/tests/Makefile.am +index d378e2ee00..9d8a24c321 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -14,8 +14,9 @@ dist_noinst_SCRIPTS = common.sh \ + test-pkcs11-tool-test-threads.sh \ + test-pkcs11-tool-sign-verify.sh \ + test-pkcs11-tool-allowed-mechanisms.sh \ +- test-pkcs11-tool-sym-crypt-test.sh\ +- test-pkcs11-tool-unwrap-wrap-test.sh ++ test-pkcs11-tool-sym-crypt-test.sh \ ++ test-pkcs11-tool-unwrap-wrap-test.sh \ ++ test-pkcs11-tool-import.sh + + .NOTPARALLEL: + TESTS = \ +@@ -25,8 +26,9 @@ TESTS = \ + test-pkcs11-tool-test.sh \ + test-pkcs11-tool-test-threads.sh \ + test-pkcs11-tool-allowed-mechanisms.sh \ +- test-pkcs11-tool-sym-crypt-test.sh\ +- test-pkcs11-tool-unwrap-wrap-test.sh ++ test-pkcs11-tool-sym-crypt-test.sh \ ++ test-pkcs11-tool-unwrap-wrap-test.sh \ ++ test-pkcs11-tool-import.sh + XFAIL_TESTS = \ + test-pkcs11-tool-test-threads.sh \ + test-pkcs11-tool-test.sh +diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh +new file mode 100755 +index 0000000000..76ff8e51be +--- /dev/null ++++ b/tests/test-pkcs11-tool-import.sh +@@ -0,0 +1,48 @@ ++#!/bin/bash ++SOURCE_PATH=${SOURCE_PATH:-..} ++ ++source $SOURCE_PATH/tests/common.sh ++ ++echo "=======================================================" ++echo "Setup SoftHSM" ++echo "=======================================================" ++if [[ ! -f $P11LIB ]]; then ++ echo "WARNING: The SoftHSM is not installed. Can not run this test" ++ exit 77; ++fi ++card_setup ++ ++ID="0100" ++OPTS="" ++for KEYTYPE in "RSA" "EC"; do ++ echo "=======================================================" ++ echo "Generate and import $KEYTYPE keys" ++ echo "=======================================================" ++ if [ "$KEYTYPE" == "RSA" ]; then ++ ID="0100" ++ elif [ "$KEYTYPE" == "EC" ]; then ++ ID="0200" ++ OPTS="-pkeyopt ec_paramgen_curve:P-521" ++ fi ++ openssl genpkey -out "${KEYTYPE}_private.der" -outform DER -algorithm $KEYTYPE $OPTS ++ assert $? "Failed to generate private $KEYTYPE key" ++ $PKCS11_TOOL --write-object "${KEYTYPE}_private.der" --id "$ID" --type privkey \ ++ --label "$KEYTYPE" -p "$PIN" --module "$P11LIB" ++ assert $? "Failed to write private $KEYTYPE key" ++ ++ openssl pkey -in "${KEYTYPE}_private.der" -out "${KEYTYPE}_public.der" -pubout -inform DER -outform DER ++ assert $? "Failed to convert private $KEYTYPE key to public" ++ $PKCS11_TOOL --write-object "${KEYTYPE}_public.der" --id "$ID" --type pubkey --label "$KEYTYPE" \ ++ -p $PIN --module $P11LIB ++ assert $? "Failed to write public $KEYTYPE key" ++ # certificate import already tested in all other tests ++ ++ rm "${KEYTYPE}_private.der" "${KEYTYPE}_public.der" ++done ++ ++echo "=======================================================" ++echo "Cleanup" ++echo "=======================================================" ++card_cleanup ++ ++exit $ERRORS + +From 63a7bceeca43ece1eee201ef7a974b20b294ba4e Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Fri, 2 Dec 2022 18:07:43 +0100 +Subject: [PATCH 4/4] Simplify the new test +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Co-authored-by: Veronika Hanulíková <61348757+xhanulik@users.noreply.github.com> +--- + tests/test-pkcs11-tool-import.sh | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh +index 76ff8e51be..c90b3b4926 100755 +--- a/tests/test-pkcs11-tool-import.sh ++++ b/tests/test-pkcs11-tool-import.sh +@@ -12,15 +12,13 @@ if [[ ! -f $P11LIB ]]; then + fi + card_setup + +-ID="0100" +-OPTS="" + for KEYTYPE in "RSA" "EC"; do + echo "=======================================================" + echo "Generate and import $KEYTYPE keys" + echo "=======================================================" +- if [ "$KEYTYPE" == "RSA" ]; then +- ID="0100" +- elif [ "$KEYTYPE" == "EC" ]; then ++ ID="0100" ++ OPTS="" ++ if [ "$KEYTYPE" == "EC" ]; then + ID="0200" + OPTS="-pkeyopt ec_paramgen_curve:P-521" + fi diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2765.patch b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2765.patch new file mode 100644 index 0000000000..72572c598a --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2765.patch @@ -0,0 +1,39 @@ +https://bugs.gentoo.org/909781 +https://github.com/OpenSC/OpenSC/pull/2765 + +From 36178c8188521f2627d2eea428a7e53d149eed58 Mon Sep 17 00:00:00 2001 +From: Peter Popovec +Date: Fri, 28 Apr 2023 10:50:25 +0200 +Subject: [PATCH] Fix pkcs11-tool unwrap / incorrect CKA_ID + +"object_id[]" and "id_len" must be allocated so that it is not deallocated +or overwritten (on the stack) at the time of the C_UnwrapKey() call. + + modified: src/tools/pkcs11-tool.c +--- + src/tools/pkcs11-tool.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c +index 890ca27060..f3a01ab4cf 100644 +--- a/src/tools/pkcs11-tool.c ++++ b/src/tools/pkcs11-tool.c +@@ -3347,6 +3347,8 @@ unwrap_key(CK_SESSION_HANDLE session) + {CKA_CLASS, &secret_key_class, sizeof(secret_key_class)}, + {CKA_TOKEN, &_true, sizeof(_true)}, + }; ++ CK_BYTE object_id[100]; ++ size_t id_len; + CK_OBJECT_HANDLE hSecretKey; + int n_attr = 2; + CK_RV rv; +@@ -3450,9 +3452,6 @@ unwrap_key(CK_SESSION_HANDLE session) + } + + if (opt_application_id != NULL) { +- CK_BYTE object_id[100]; +- size_t id_len; +- + id_len = sizeof(object_id); + if (!sc_hex_to_bin(opt_application_id, object_id, &id_len)) { + FILL_ATTR(keyTemplate[n_attr], CKA_ID, object_id, id_len); diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc.module b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc.module new file mode 100644 index 0000000000..3246ab4da0 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc.module @@ -0,0 +1,8 @@ +# This file describes how to load the opensc module +# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html + +# This is a relative path, which means it will be loaded from +# the p11-kit default path which is usually $(libdir)/pkcs11. +# Doing it this way allows for packagers to package opensc for +# 32-bit and 64-bit and make them parallel installable +module: onepin-opensc-pkcs11.so diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/metadata.xml b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/metadata.xml new file mode 100644 index 0000000000..67d2c026ef --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/metadata.xml @@ -0,0 +1,30 @@ + + + + + soap@gentoo.org + David Seifert + + + OpenSC is a library for accessing SmartCard devices. It is also + the core library of the OpenSC project. + + Basic functionality (e.g. SELECT FILE, READ BINARY) should work on + any ISO 7816-4 compatible SmartCard. Encryption and decryption + using private keys on the SmartCard is possible with PKCS #15 + compatible cards, such as the FINEID (Finnish Electronic IDentity) + card. + + + Use CT-API for accessing Smartcard hardware + Enable notifications + Use dev-libs/openct (and CT-API) for accessing Smartcard hardware + Use dev-libs/openpace for EAC version 2 support + Use sys-apps/pcsc-lite (and PC/SC API) for accessing Smartcard hardware + Enable secure messaging + + + OpenSC/OpenSC + opensc + + diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r2.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r2.ebuild new file mode 100644 index 0000000000..f372e3e254 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r2.ebuild @@ -0,0 +1,81 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit autotools bash-completion-r1 + +DESCRIPTION="Libraries and applications to access smartcards" +HOMEPAGE="https://github.com/OpenSC/OpenSC/wiki" + +if [[ ${PV} == *9999 ]]; then + inherit git-r3 + EGIT_REPO_URI="https://github.com/OpenSC/OpenSC.git" +else + SRC_URI="https://github.com/OpenSC/OpenSC/releases/download/${PV}/${P}.tar.gz" + KEYWORDS="amd64 ~arm ~arm64 ~hppa ~loong ~ppc ppc64 ~riscv ~s390 ~sparc x86" +fi + +LICENSE="LGPL-2.1" +SLOT="0" +IUSE="ctapi doc openct notify pace +pcsc-lite readline secure-messaging ssl test zlib" +RESTRICT="!test? ( test )" + +RDEPEND="zlib? ( sys-libs/zlib ) + readline? ( sys-libs/readline:0= ) + ssl? ( dev-libs/openssl:0= ) + openct? ( >=dev-libs/openct-0.5.0 ) + pace? ( dev-libs/openpace:= ) + pcsc-lite? ( >=sys-apps/pcsc-lite-1.3.0 ) + notify? ( dev-libs/glib:2 )" +DEPEND="${RDEPEND} + app-text/docbook-xsl-stylesheets + dev-libs/libxslt + test? ( dev-util/cmocka )" +BDEPEND="virtual/pkgconfig" + +REQUIRED_USE=" + pcsc-lite? ( !openct !ctapi ) + openct? ( !pcsc-lite !ctapi ) + ctapi? ( !pcsc-lite !openct ) + || ( pcsc-lite openct ctapi )" + +PATCHES=( + "${FILESDIR}"/${P}-CVE-2023-2977.patch + "${FILESDIR}"/${P}-backport-pr2656.patch +) + +src_prepare() { + default + eautoreconf +} + +src_configure() { + # don't want to run upstream's clang-tidy checks + export ac_cv_path_CLANGTIDY="" + + econf \ + --with-completiondir="$(get_bashcompdir)" \ + --disable-strict \ + --enable-man \ + $(use_enable ctapi) \ + $(use_enable doc) \ + $(use_enable notify) \ + $(use_enable openct) \ + $(use_enable pace openpace) \ + $(use_enable pcsc-lite pcsc) \ + $(use_enable readline) \ + $(use_enable secure-messaging sm) \ + $(use_enable ssl openssl) \ + $(use_enable test cmocka) \ + $(use_enable zlib) +} + +src_install() { + default + + insinto /etc/pkcs11/modules/ + doins "${FILESDIR}"/opensc.module + + find "${ED}" -name '*.la' -delete || die +} diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r3.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r3.ebuild new file mode 100644 index 0000000000..dce614bde3 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r3.ebuild @@ -0,0 +1,82 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit autotools bash-completion-r1 + +DESCRIPTION="Libraries and applications to access smartcards" +HOMEPAGE="https://github.com/OpenSC/OpenSC/wiki" + +if [[ ${PV} == *9999 ]]; then + inherit git-r3 + EGIT_REPO_URI="https://github.com/OpenSC/OpenSC.git" +else + SRC_URI="https://github.com/OpenSC/OpenSC/releases/download/${PV}/${P}.tar.gz" + KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +fi + +LICENSE="LGPL-2.1" +SLOT="0" +IUSE="ctapi doc openct notify pace +pcsc-lite readline secure-messaging ssl test zlib" +RESTRICT="!test? ( test )" + +RDEPEND="zlib? ( sys-libs/zlib ) + readline? ( sys-libs/readline:0= ) + ssl? ( dev-libs/openssl:0= ) + openct? ( >=dev-libs/openct-0.5.0 ) + pace? ( dev-libs/openpace:= ) + pcsc-lite? ( >=sys-apps/pcsc-lite-1.3.0 ) + notify? ( dev-libs/glib:2 )" +DEPEND="${RDEPEND} + app-text/docbook-xsl-stylesheets + dev-libs/libxslt + test? ( dev-util/cmocka )" +BDEPEND="virtual/pkgconfig" + +REQUIRED_USE=" + pcsc-lite? ( !openct !ctapi ) + openct? ( !pcsc-lite !ctapi ) + ctapi? ( !pcsc-lite !openct ) + || ( pcsc-lite openct ctapi )" + +PATCHES=( + "${FILESDIR}"/${P}-CVE-2023-2977.patch + "${FILESDIR}"/${P}-backport-pr2656.patch + "${FILESDIR}"/${P}-backport-pr2765.patch +) + +src_prepare() { + default + eautoreconf +} + +src_configure() { + # don't want to run upstream's clang-tidy checks + export ac_cv_path_CLANGTIDY="" + + econf \ + --with-completiondir="$(get_bashcompdir)" \ + --disable-strict \ + --enable-man \ + $(use_enable ctapi) \ + $(use_enable doc) \ + $(use_enable notify) \ + $(use_enable openct) \ + $(use_enable pace openpace) \ + $(use_enable pcsc-lite pcsc) \ + $(use_enable readline) \ + $(use_enable secure-messaging sm) \ + $(use_enable ssl openssl) \ + $(use_enable test cmocka) \ + $(use_enable zlib) +} + +src_install() { + default + + insinto /etc/pkcs11/modules/ + doins "${FILESDIR}"/opensc.module + + find "${ED}" -name '*.la' -delete || die +} diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-9999.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-9999.ebuild new file mode 100644 index 0000000000..a470c4913c --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-9999.ebuild @@ -0,0 +1,81 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit bash-completion-r1 libtool + +DESCRIPTION="Libraries and applications to access smartcards" +HOMEPAGE="https://github.com/OpenSC/OpenSC/wiki" + +if [[ ${PV} == *9999 ]]; then + inherit autotools git-r3 + EGIT_REPO_URI="https://github.com/OpenSC/OpenSC.git" +else + SRC_URI="https://github.com/OpenSC/OpenSC/releases/download/${PV}/${P}.tar.gz" + KEYWORDS="~amd64 ~ppc64 ~x86" +fi + +LICENSE="LGPL-2.1" +SLOT="0" +IUSE="ctapi doc openct notify pace +pcsc-lite readline secure-messaging ssl test zlib" +RESTRICT="!test? ( test )" + +RDEPEND="zlib? ( sys-libs/zlib ) + readline? ( sys-libs/readline:0= ) + ssl? ( dev-libs/openssl:0= ) + openct? ( >=dev-libs/openct-0.5.0 ) + pace? ( dev-libs/openpace:= ) + pcsc-lite? ( >=sys-apps/pcsc-lite-1.3.0 ) + notify? ( dev-libs/glib:2 )" +DEPEND="${RDEPEND} + app-text/docbook-xsl-stylesheets + dev-libs/libxslt + test? ( dev-util/cmocka )" +BDEPEND="virtual/pkgconfig" + +REQUIRED_USE=" + pcsc-lite? ( !openct !ctapi ) + openct? ( !pcsc-lite !ctapi ) + ctapi? ( !pcsc-lite !openct ) + || ( pcsc-lite openct ctapi )" + +src_prepare() { + default + + if [[ ${PV} == *9999 ]]; then + eautoreconf + else + elibtoolize + fi +} + +src_configure() { + # don't want to run upstream's clang-tidy checks + export ac_cv_path_CLANGTIDY="" + + econf \ + --with-completiondir="$(get_bashcompdir)" \ + --disable-strict \ + --enable-man \ + $(use_enable ctapi) \ + $(use_enable doc) \ + $(use_enable notify) \ + $(use_enable openct) \ + $(use_enable pace openpace) \ + $(use_enable pcsc-lite pcsc) \ + $(use_enable readline) \ + $(use_enable secure-messaging sm) \ + $(use_enable ssl openssl) \ + $(use_enable test cmocka) \ + $(use_enable zlib) +} + +src_install() { + default + + insinto /etc/pkcs11/modules/ + doins "${FILESDIR}"/opensc.module + + find "${ED}" -name '*.la' -delete || die +} diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/Manifest b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/Manifest new file mode 100644 index 0000000000..59e3eaefc6 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/Manifest @@ -0,0 +1,2 @@ +DIST pcsc-lite-2.0.0.tar.bz2 799011 BLAKE2B d93fffebbe3daf389fcd8195c9fb3d76db64dbb98ac9c7ecd08338331389298e710ca71187cb73165868b0b5e66cb9735b60e22d508db1c1a81e04555103948a SHA512 4b34628d3269ae1859f19d2ab7eb74a76a55f3d76fbc9e4e420a081a065b1d0d7b98680552c7208f3265c684bed844afc6be1c2e5f103ad916ce7f38b52ee68c +DIST pcsc-lite-2.0.1.tar.bz2 815103 BLAKE2B a9eea4a4da1a78fc22797b17c128889b2f7caf8c4aa02dd77f4ac79e4ec458fb0162578b5422552545cd39303750d5396f3687f8cfee7603fad8d60cb54ee1e8 SHA512 af007f00f43e8d897710580f6f27814c9e7d3ca489ff01edf2e3b979e46267915aa04d9c15f225a420fa681de936e42a1d4779d962717cf9a9f4a3d1ca31502b diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/99-pcscd-hotplug-r1.rules b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/99-pcscd-hotplug-r1.rules new file mode 100644 index 0000000000..fc612d5e25 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/99-pcscd-hotplug-r1.rules @@ -0,0 +1,6 @@ +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +# We add this here so that it runs after ccid's and ifd-gempc's rules; +# if we just added a pcscd-owned device, we hotplug the pcscd service. +ACTION=="add", ENV{PCSCD}=="1", GROUP="pcscd", TAG+="systemd", ENV{SYSTEMD_WANTS}+="pcscd.service", RUN+="pcscd.sh" diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.8.11-polkit-pcscd.patch b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.8.11-polkit-pcscd.patch new file mode 100644 index 0000000000..e7a7b51582 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.8.11-polkit-pcscd.patch @@ -0,0 +1,20 @@ +Index: pcsc-lite-1.8.11/doc/org.debian.pcsc-lite.policy +=================================================================== +--- pcsc-lite-1.8.11.orig/doc/org.debian.pcsc-lite.policy ++++ pcsc-lite-1.8.11/doc/org.debian.pcsc-lite.policy +@@ -15,6 +15,7 @@ + auth_admin + yes + ++ unix-user:pcscd + + + +@@ -25,6 +26,7 @@ + auth_admin + yes + ++ unix-user:pcscd + + + diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.9.8-systemd-user.patch b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.9.8-systemd-user.patch new file mode 100644 index 0000000000..4d64c5c032 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.9.8-systemd-user.patch @@ -0,0 +1,18 @@ +Don't run the daemon as root +https://bugs.gentoo.org/545390 + +--- a/etc/pcscd.service.in ++++ b/etc/pcscd.service.in +@@ -4,9 +4,12 @@ + Documentation=man:pcscd(8) + + [Service] ++PIDFile=/run/pcscd/pcscd.pid + ExecStart=@sbindir_exp@/pcscd --foreground --auto-exit $PCSCD_ARGS + ExecReload=@sbindir_exp@/pcscd --hotplug + EnvironmentFile=-@sysconfdir@/default/pcscd ++User=pcscd ++Group=pcscd + + [Install] + Also=pcscd.socket diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-init.7 b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-init.7 new file mode 100644 index 0000000000..daf880f0e7 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-init.7 @@ -0,0 +1,22 @@ +#!/sbin/openrc-run +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +name="PC/SC Daemon" + +pidfile=/run/pcscd/pcscd.pid + +command=/usr/sbin/pcscd +command_args="${EXTRA_OPTS}" + +start_stop_daemon_args="--user pcscd:pcscd" + +depend() { + need localmount + after udev openct dbus + use logger +} + +start_pre() { + checkpath -q -d -m 0755 -o pcscd:pcscd /run/pcscd +} diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-udev b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-udev new file mode 100644 index 0000000000..e6d6c73488 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-udev @@ -0,0 +1,14 @@ +#!/bin/sh +# +# pcscd.sh: udev external RUN script +# +# based on netifrc net.sh helper +# Copyright 2007 Roy Marples +# Distributed under the terms of the GNU General Public License v2 + +# make sure openrc is managing services +if [ ! -d /run/openrc ]; then + exit 0 +fi + +IN_HOTPLUG=1 /etc/init.d/pcscd --quiet start diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd.conf b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd.conf new file mode 100644 index 0000000000..168c860e88 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd.conf @@ -0,0 +1 @@ +d /run/pcscd 0755 pcscd pcscd - diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/metadata.xml new file mode 100644 index 0000000000..90fbe94fb3 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/metadata.xml @@ -0,0 +1,18 @@ + + + + + base-system@gentoo.org + Gentoo Base System + + + limit RAM and CPU ressources by disabling features + Use dev-libs/libusb detection to hotplug new smartcard readers. This flag should only be enabled if you're running a non-Linux kernel or you don't want to use udev. + Use virtual/libudev rules to handle devices' permissions and hotplug support. Unless you know what you're doing do not disable this flag on Linux kernels. This is provided as an option for completeness. + Uses sys-auth/polkit to restrict access to smartcard readers or smartcards to given users. + + + https://salsa.debian.org/rousseau/PCSC/blob/master/ChangeLog + LudovicRousseau/PCSC + + diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.0.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.0.ebuild new file mode 100644 index 0000000000..2b817740a7 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.0.ebuild @@ -0,0 +1,109 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +PYTHON_COMPAT=( python3_{9..11} ) + +inherit python-single-r1 systemd tmpfiles udev multilib-minimal + +DESCRIPTION="PC/SC Architecture smartcard middleware library" +HOMEPAGE="https://pcsclite.apdu.fr https://github.com/LudovicRousseau/PCSC" +SRC_URI="https://pcsclite.apdu.fr/files/${P}.tar.bz2" + +# GPL-2 is there for the init script; everything else comes from +# upstream. +LICENSE="BSD ISC MIT GPL-3+ GPL-2" +SLOT="0" +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos" +# This is called libusb so that it doesn't fool people in thinking that +# it is _required_ for USB support. Otherwise they'll disable udev and +# that's going to be worse. +IUSE="doc embedded libusb policykit selinux systemd +udev" +REQUIRED_USE="^^ ( udev libusb ) ${PYTHON_REQUIRED_USE}" + +# No dependencies need the MULTILIB_DEPS because the libraries are actually +# standalone, the deps are only needed for the daemon itself. +DEPEND=" + libusb? ( virtual/libusb:1 ) + udev? ( virtual/libudev:= ) + policykit? ( >=sys-auth/polkit-0.111 ) + acct-group/openct + acct-group/pcscd + acct-user/pcscd + ${PYTHON_DEPS}" +RDEPEND="${DEPEND} + selinux? ( sec-policy/selinux-pcscd )" +BDEPEND=" + sys-devel/flex + virtual/pkgconfig" + +PATCHES=( + "${FILESDIR}"/${PN}-1.8.11-polkit-pcscd.patch + "${FILESDIR}"/${PN}-1.9.8-systemd-user.patch +) + +multilib_src_configure() { + ECONF_SOURCE="${S}" econf \ + --disable-maintainer-mode \ + --disable-strict \ + --enable-usbdropdir="${EPREFIX}"/usr/$(get_libdir)/readers/usb \ + --enable-ipcdir=/run/pcscd \ + --with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \ + $(multilib_native_use_enable doc documentation) \ + $(multilib_native_use_enable embedded) \ + $(multilib_native_use_enable systemd libsystemd) \ + $(multilib_native_use_enable udev libudev) \ + $(multilib_native_use_enable libusb) \ + $(multilib_native_use_enable policykit polkit) +} + +multilib_src_install_all() { + einstalldocs + dodoc HELP SECURITY + + newinitd "${FILESDIR}"/pcscd-init.7 pcscd + dotmpfiles "${FILESDIR}"/pcscd.conf + + if use udev; then + exeinto "$(get_udevdir)" + newexe "${FILESDIR}"/pcscd-udev pcscd.sh + + insinto "$(get_udevdir)"/rules.d + newins "${FILESDIR}"/99-pcscd-hotplug-r1.rules 99-pcscd-hotplug.rules + fi + + python_fix_shebang "${ED}"/usr/bin/pcsc-spy + + find "${ED}" -name '*.la' -delete || die +} + +pkg_postinst() { + elog "Starting from version 1.6.5, pcsc-lite will start as user nobody in" + elog "the pcscd group, to avoid running as root." + elog + elog "This also means you need the newest drivers available so that the" + elog "devices get the proper owner." + elog + elog "Furthermore, a conf.d file is no longer installed by default, as" + elog "the default configuration does not require one. If you need to" + elog "pass further options to pcscd, create a file and set the" + elog "EXTRA_OPTS variable." + elog + + if use udev; then + elog "Hotplug support is provided by udev rules." + elog "When using OpenRC you additionally need to tell it to hotplug" + elog "pcscd by setting this variable in /etc/rc.conf:" + elog + elog " rc_hotplug=\"pcscd\"" + fi + + tmpfiles_process pcscd.conf + + use udev && udev_reload +} + +pkg_postrm() { + use udev && udev_reload +} diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.1.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.1.ebuild new file mode 100644 index 0000000000..3a0cf3c74c --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.1.ebuild @@ -0,0 +1,109 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +PYTHON_COMPAT=( python3_{9..11} ) + +inherit python-single-r1 systemd tmpfiles udev multilib-minimal + +DESCRIPTION="PC/SC Architecture smartcard middleware library" +HOMEPAGE="https://pcsclite.apdu.fr https://github.com/LudovicRousseau/PCSC" +SRC_URI="https://pcsclite.apdu.fr/files/${P}.tar.bz2" + +# GPL-2 is there for the init script; everything else comes from +# upstream. +LICENSE="BSD ISC MIT GPL-3+ GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos" +# This is called libusb so that it doesn't fool people in thinking that +# it is _required_ for USB support. Otherwise they'll disable udev and +# that's going to be worse. +IUSE="doc embedded libusb policykit selinux systemd +udev" +REQUIRED_USE="^^ ( udev libusb ) ${PYTHON_REQUIRED_USE}" + +# No dependencies need the MULTILIB_DEPS because the libraries are actually +# standalone, the deps are only needed for the daemon itself. +DEPEND=" + libusb? ( virtual/libusb:1 ) + udev? ( virtual/libudev:= ) + policykit? ( >=sys-auth/polkit-0.111 ) + acct-group/openct + acct-group/pcscd + acct-user/pcscd + ${PYTHON_DEPS}" +RDEPEND="${DEPEND} + selinux? ( sec-policy/selinux-pcscd )" +BDEPEND=" + sys-devel/flex + virtual/pkgconfig" + +PATCHES=( + "${FILESDIR}"/${PN}-1.8.11-polkit-pcscd.patch + "${FILESDIR}"/${PN}-1.9.8-systemd-user.patch +) + +multilib_src_configure() { + ECONF_SOURCE="${S}" econf \ + --disable-maintainer-mode \ + --disable-strict \ + --enable-usbdropdir="${EPREFIX}"/usr/$(get_libdir)/readers/usb \ + --enable-ipcdir=/run/pcscd \ + --with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \ + $(multilib_native_use_enable doc documentation) \ + $(multilib_native_use_enable embedded) \ + $(multilib_native_use_enable systemd libsystemd) \ + $(multilib_native_use_enable udev libudev) \ + $(multilib_native_use_enable libusb) \ + $(multilib_native_use_enable policykit polkit) +} + +multilib_src_install_all() { + einstalldocs + dodoc HELP SECURITY + + newinitd "${FILESDIR}"/pcscd-init.7 pcscd + dotmpfiles "${FILESDIR}"/pcscd.conf + + if use udev; then + exeinto "$(get_udevdir)" + newexe "${FILESDIR}"/pcscd-udev pcscd.sh + + insinto "$(get_udevdir)"/rules.d + newins "${FILESDIR}"/99-pcscd-hotplug-r1.rules 99-pcscd-hotplug.rules + fi + + python_fix_shebang "${ED}"/usr/bin/pcsc-spy + + find "${ED}" -name '*.la' -delete || die +} + +pkg_postinst() { + elog "Starting from version 1.6.5, pcsc-lite will start as user nobody in" + elog "the pcscd group, to avoid running as root." + elog + elog "This also means you need the newest drivers available so that the" + elog "devices get the proper owner." + elog + elog "Furthermore, a conf.d file is no longer installed by default, as" + elog "the default configuration does not require one. If you need to" + elog "pass further options to pcscd, create a file and set the" + elog "EXTRA_OPTS variable." + elog + + if use udev; then + elog "Hotplug support is provided by udev rules." + elog "When using OpenRC you additionally need to tell it to hotplug" + elog "pcscd by setting this variable in /etc/rc.conf:" + elog + elog " rc_hotplug=\"pcscd\"" + fi + + tmpfiles_process pcscd.conf + + use udev && udev_reload +} + +pkg_postrm() { + use udev && udev_reload +}