Loads of updates, CVE fixes and support removal for old cards: https://github.com/OpenSC/OpenSC/releases
Upstream also switched from calloc(3) to mmap(2) for secure memory allocation, so adjust our patch from calloc_conceal(3) to MAP_CONCEAL; drop m(un)lock(2) as before. I suggest taking maintainer to stay on track with updates. Feedback? OK?
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/opensc/Makefile,v
diff -u -p -r1.69 Makefile
--- Makefile 8 Feb 2025 04:15:28 -0000 1.69
+++ Makefile 22 Mar 2025 15:13:26 -0000
@@ -1,15 +1,16 @@
 COMMENT= set of libraries and utilities to access smart cards
-V= 0.24.0
+V= 0.26.1
 DISTNAME= opensc-${V}
-REVISION= 0
-SHARED_LIBS += opensc 8.1 # 10.1
+SHARED_LIBS += opensc 9.0
 SHARED_LIBS += smm-local 3.1
 CATEGORIES= security
 HOMEPAGE= https://github.com/OpenSC/OpenSC/wiki
+
+MAINTAINER= Klemens Nanni <k...@openbsd.org>
 # LGPLv2.1+
 PERMIT_PACKAGE= Yes
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/opensc/distinfo,v
diff -u -p -r1.19 distinfo
--- distinfo 19 Dec 2023 10:22:54 -0000 1.19
+++ distinfo 22 Mar 2025 14:49:27 -0000
@@ -1,2 +1,2 @@
-SHA256 (opensc-0.24.0.tar.gz) = JNA8aShykdoyowxMOKMErYJ/VsuF2DYZ4fVAOrZIDvg=
-SIZE (opensc-0.24.0.tar.gz) = 2440952
+SHA256 (opensc-0.26.1.tar.gz) = 8WKRoDHYblcDlHYunzXq8vy8IzekmRDz/q5C1U4WiMs=
+SIZE (opensc-0.26.1.tar.gz) = 2416935
Index: patches/patch-configure_ac
===================================================================
RCS file: patches/patch-configure_ac
diff -N patches/patch-configure_ac
--- patches/patch-configure_ac 19 Dec 2023 10:22:54 -0000 1.16
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-Index: configure.ac
---- configure.ac.orig
-+++ configure.ac
-@@ -444,7 +444,7 @@ AC_FUNC_STAT
- AC_FUNC_VPRINTF
- AC_CHECK_FUNCS([ \
- getpass gettimeofday getline memset mkdir \
-- strdup strerror memset_s explicit_bzero \
-+ strdup strerror memset_s explicit_bzero calloc_conceal \
- strnlen sigaction
- ])
-
Index: patches/patch-src_libopensc_sc_c
===================================================================
RCS file: /cvs/ports/security/opensc/patches/patch-src_libopensc_sc_c,v
diff -u -p -r1.5 patch-src_libopensc_sc_c
--- patches/patch-src_libopensc_sc_c 28 Jun 2023 22:21:26 -0000 1.5
+++ patches/patch-src_libopensc_sc_c 22 Mar 2025 15:05:58 -0000
@@ -1,45 +1,36 @@
-Avoid mlock; not really useful unless non-default vm.swapencrypt.enable=0
-is used, and prevents opensc being used by pledge()'d callers.
+Avoid mlock(2); not really useful unless non-default vm.swapencrypt.enable=0
+is used, and prevents opensc being used by pledge(2)'d callers.
-Belt and braces with calloc_conceal: upstream already uses explicit_bzero,
-but we might as well use this which conceals secure allocations from dumps.
+Belt and braces with mmap(2) MAP_CONCEAL: upstream already uses
+explicit_bzero(3), but we might as well use this which conceals secure
+allocations from dumps.
 Index: src/libopensc/sc.c
 --- src/libopensc/sc.c.orig
 +++ src/libopensc/sc.c
-@@ -923,14 +923,18 @@ void *sc_mem_secure_alloc(size_t len)
- len = pages * page_size;
+@@ -907,11 +907,15 @@ void *sc_mem_secure_alloc(size_t len)
+ VirtualLock(p, len);
 }
-
-+#ifdef HAVE_CALLOC_CONCEAL
-+ p = calloc_conceal(1, len);
-+#else
- p = calloc(1, len);
- if (p == NULL) {
- return NULL;
+ #else
++# ifdef __OpenBSD__
++ p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_CONCEAL, -1, 0);
++# else
+ p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+ if (p != NULL)
+ {
+ mlock(p, len);
 }
--#ifdef _WIN32
-+# ifdef _WIN32
- VirtualLock(p, len);
--#else
-+# else
- mlock(p, len);
-+# endif
++# endif
 #endif
 return p;
-@@ -938,10 +942,14 @@ void *sc_mem_secure_alloc(size_t len)
-
- void sc_mem_secure_free(void *ptr, size_t len)
- {
-+#ifdef HAVE_CALLOC_CONCEAL
-+ /* do nothing */
-+#else
- #ifdef _WIN32
+@@ -923,7 +927,9 @@ void sc_mem_secure_free(void *ptr, size_t len)
 VirtualUnlock(ptr, len);
+ VirtualFree(ptr, 0, MEM_RELEASE);
 #else
++# ifndef __OpenBSD__
 munlock(ptr, len);
-+#endif
++# endif
+ munmap(ptr, len);
 #endif
- free(ptr);
 }
Index: patches/patch-src_tools_pkcs11-tool_c
===================================================================
RCS file: /cvs/ports/security/opensc/patches/patch-src_tools_pkcs11-tool_c,v
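Review bot: On the new `__OpenBSD__` branch of sc_mem_secure_alloc() the result of `mmap()` falls straight through to `return p;`, and mmap(2) reports failure as `MAP_FAILED`, not `NULL`. The removed calloc path returned NULL on failure, so callers (not visible here) presumably test for NULL and would accept `(void *)-1` as a valid secure buffer. I would add `if (p == MAP_FAILED) p = NULL;` directly after the MAP_CONCEAL `mmap()` line. The upstream `#else` branch has the same pattern: `if (p != NULL)` is always true for a failed mmap(), so `mlock()` runs on MAP_FAILED, which is worth reporting upstream too. The function body starts and ends outside the hunk.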
diff -u -p -r1.4 patch-src_tools_pkcs11-tool_c
--- patches/patch-src_tools_pkcs11-tool_c 8 Feb 2025 04:15:28 -0000 1.4
+++ patches/patch-src_tools_pkcs11-tool_c 22 Mar 2025 15:18:03 -0000
@@ -1,9 +1,10 @@
 https://github.com/OpenSC/OpenSC/pull/3306
+merged after 0.26.1, remove on next release
 Index: src/tools/pkcs11-tool.c
 --- src/tools/pkcs11-tool.c.orig
 +++ src/tools/pkcs11-tool.c
-@@ -5339,7 +5339,7 @@ static void show_cert(CK_SESSION_HANDLE sess, CK_OBJEC
+@@ -5923,7 +5923,7 @@ static void show_cert(CK_SESSION_HANDLE sess, CK_OBJEC
 BIO *bio = BIO_new(BIO_s_file());
 BIO_set_fp(bio, stdout, BIO_NOCLOSE);
 printf(" subject: DN: ");
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/opensc/pkg/PLIST,v
diff -u -p -r1.18 PLIST
--- pkg/PLIST 19 Dec 2023 10:22:54 -0000 1.18
+++ pkg/PLIST 22 Mar 2025 15:09:56 -0000
@@ -1,6 +1,7 @@
 @bin bin/cardos-tool
 @bin bin/cryptoflex-tool
 @bin bin/dnie-tool
+@bin bin/dtrust-tool
 @bin bin/egk-tool
 @bin bin/eidenv
 @bin bin/gids-tool
@@ -31,6 +32,7 @@ lib/pkgconfig/libopensc.pc
 @man man/man1/cardos-tool.1
 @man man/man1/cryptoflex-tool.1
 @man man/man1/dnie-tool.1
+@man man/man1/dtrust-tool.1
 @man man/man1/egk-tool.1
 @man man/man1/eidenv.1
 @man man/man1/gids-tool.1
@@ -57,6 +59,7 @@ share/applications/org.opensc.notify.des
 share/bash-completion/completions/cardos-tool
 share/bash-completion/completions/cryptoflex-tool
 share/bash-completion/completions/dnie-tool
+share/bash-completion/completions/dtrust-tool
 share/bash-completion/completions/egk-tool
 share/bash-completion/completions/eidenv
 share/bash-completion/completions/gids-tool
@@ -91,7 +94,6 @@ share/opensc/entersafe.profile
 share/opensc/epass2003.profile
 share/opensc/flex.profile
 share/opensc/gids.profile
-share/opensc/gpk.profile
 share/opensc/ias_adele_admin1.profile
 share/opensc/ias_adele_admin2.profile
 share/opensc/ias_adele_common.profile
@@ -99,7 +101,6 @@ share/opensc/iasecc.profile
 share/opensc/iasecc_admin_eid.profile
 share/opensc/iasecc_generic_oberthur.profile
 share/opensc/iasecc_generic_pki.profile
-share/opensc/incrypto34.profile
 share/opensc/isoApplet.profile
 share/opensc/muscle.profile
 share/opensc/myeid.profile
@@ -112,5 +113,4 @@ share/opensc/rutoken_lite.profile
 share/opensc/sc-hsm.profile
 share/opensc/setcos.profile
 share/opensc/starcos.profile
-share/opensc/westcos.profile
 @tag update-desktop-database