34 Commits

Author SHA1 Message Date
Alexander Kanavin
fc78d37ff0
meta-openembedded/all: adapt to UNPACKDIR changes
Please see
https://git.yoctoproject.org/poky/commit/?id=4dd321f8b83afecd962393101b2a6861275b5265
for what changes are needed, and sed commands that can be used to make them en masse.

I've verified that bitbake -c patch world works with these, but did not run a world
build; the majority of recipes shouldn't need further fixups, but if there are
some that still fall out, they can be fixed in followups.

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-06-25 06:44:52 -07:00
Wang Mingyu
54df7d1fb9
opensc: upgrade 0.26.0 -> 0.26.1
Changelog:
==========
## General improvements
* Align allocations of sc_mem_secure_alloc
* Fix -O3 gcc optimization failure on amd64 and ppc64el

## pkcs11-spy
* Avoid crash while spying C_GetInterface()

## TCOS
* Fix reading certificate

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-01-24 18:20:01 -08:00
Peter Marko
2a432397cd
opensc: mark CVE-2024-8443 as fixed
NVD tracks this CVE as version-less.
Per [1] this is fixed by following commits:

$ git tag --contains b28a3cef416fcfb92fbb9ea7fd3c71df52c6c9fc
0.26.0
0.26.0-rc1
$ git tag --contains 02e847458369c08421fd2d5e9a16a5f272c2de9e
0.26.0
0.26.0-rc1

[1] https://github.com/OpenSC/OpenSC/wiki/CVE-2024-8443

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-12-20 19:47:55 -08:00
Peter Marko
0b3e7c1fd6
opensc: upgrade 0.25.1 -> 0.26.0
Solves CVE-2024-45615, CVE-2024-45616, CVE-2024-45617, CVE-2024-45618,
CVE-2024-45619 and CVE-2024-45620.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-12-20 19:47:55 -08:00
Niko Mauno
990955ba09
opensc: Cosmetic fixes
Apply some suggestions from oe-stylize.py and sort configure options
alphabetically, and remove stale version comment line which has not
been updated for some time.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-08-21 08:47:07 -07:00
Niko Mauno
cef49b830f
opensc: Fix LICENSE declaration
According to https://github.com/OpenSC/OpenSC/wiki#license OpenSC is
licensed under LGPL-2.1 or later, which seems to be affirmed also by
the comments in the source code files, as well as the COPYING file.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-08-21 08:47:06 -07:00
Niko Mauno
f70274aa2b
opensc: Drop virtual/libiconv from DEPENDS
According to
https://github.com/OpenSC/OpenSC/blob/0.25.1/NEWS#L1124-L1125
since version 0.12.0 the iconv dependency has been removed.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-08-21 08:47:06 -07:00
Niko Mauno
c066a6ff83
opensc: Add 'readline' PACKAGECONFIG option
This helps us to also get rid of associated RDEPENDS declaration which
implicitly pulled readline to rootfs, even when configure resolved readline
as not enabled.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-08-21 08:47:06 -07:00
Niko Mauno
dac59629e9
opensc: Amend FILES:${PN} declaration
Commit da68f807bd718fb848acc792fd9326df719e0880 added the symlink .so
path to FILES:${PN}-dev to fix QA error, complement the operation by
removing identical line from FILES:${PN}

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-08-21 08:47:06 -07:00
Wang Mingyu
89af1300cf
opensc: upgrade 0.25.0 -> 0.25.1
Changelog:
============
* Add missing file to dist tarball to build documentation
* Fix RSA decryption with PKCS#1 v1.5 padding
* Fix crash when app is not set

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-04-17 23:47:24 -07:00
Wang Mingyu
fc996b1928
opensc: upgrade 0.24.0 -> 0.25.0
Changelog:
============
## Security
* [CVE-2023-5992]: Side-channel leaks while stripping encryption PKCS#1.5 padding in OpenSC
* [CVE-2024-1454]: Potential use-after-free in AuthentIC driver during card enrollment in pkcs15init

## General improvements
* Update OpenSSL 1.1.1 to 3.0 in MacOS build
* Remove support for old card drivers Akis, GPK, Incrypto34 and Westcos, disable Cyberflex driver
* Fix 64b to 32b conversions
* Improvements for the p11test
* Fix reader initialization without SCardControl
* Make RSA PKCS#1 v1.5 depadding constant-time
* Add option for disabling PKCS#1 v1.5 depadding (type 01 and 02) on the card
* Enable MSI signing via Signpath CI integration for Windows
* Fixed various issues reported by OSS-Fuzz and Coverity in drivers

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-03-20 09:28:06 -07:00
alperak
da68f807bd
opensc: upgrade 0.23.0 -> 0.24.0
* All patches dropped because fixed in the new version.

0001-pkcs11-tool-Fix-private-key-import.patch -> https://github.com/OpenSC/OpenSC/blob/0.24.0/src/tools/pkcs11-tool.c#L3710
0002-pkcs11-tool-Log-more-information-on-OpenSSL-errors.patch -> https://github.com/OpenSC/OpenSC/blob/0.24.0/src/tools/pkcs11-tool.c#L3686
CVE-2023-2977.patch -> 81944d1529

* Fix -> ERROR: opensc-0.24.0-r0 do_package_qa: QA Issue: non -dev/-dbg/nativesdk- package opensc contains symlink .so '/usr/lib/onepin-opensc-pkcs11.so' [dev-so]

Changelog:

* CVE-2023-40660: Fix Potential PIN bypass (#2806, frankmorgner/OpenSCToken#50, #2807)
* CVE-2023-40661: Important dynamic analyzers reports
* CVE-2023-4535: Out-of-bounds read in MyEID driver handling encryption using symmetric keys (f1993dc4)
* Fix compatibility of EAC with OpenSSL 3.0 (#2674)
* Enable `use_file_cache` by default (#2501)
* Use custom libctx with OpenSSL >= 3.0 (#2712, #2715)
* Fix record-based files (#2604)
* Fix several race conditions (#2735)
* Run tests under Valgrind (#2756)
* Test signing of data bigger than 512 bytes (#2789)
* Update to OpenPACE 1.1.3 (#2796)
* Implement logout for some of the card drivers (#2807)
* Fix wrong popup position of opensc-notify (#2901)
* Fixed various issues reported by OSS-Fuzz and Coverity regarding card drivers, PKCS#11 and PKCS#15 init
* Check card presence state in `C_GetSessionInfo` (#2740)
* Remove `onepin-opensc-pkcs11` module (#2681)
* Do not use colons in the token info label (#2760)
* Present profile objects in all slots with the CKA_TOKEN attribute to resolve issues with NSS (#2928, #2924)
* Use secure memory for PUK (#2906)
* Don't logout to preserve concurrent access from different processes (#2907)
* Add more examples to manual page (#2936)
* Present profile objects in all virtual slots (#2928)
* Provide CKA_TOKEN attribute for profile objects (#2924)
* Improve --slot parameter documentation (#2951)
* Honor cache offsets when writing file cache (#2858)
* Prevent needless amount of PIN prompts from pkcs15init layer (#2916)
* Propagate CKA_EXTRACTABLE and SC_PKCS15_PRKEY_ACCESS_SENSITIVE from and back to PKCS#11 (#2936)
* Fix for private keys that do not need a PIN (#2722)
* Unbreak decipher when the first null byte of PKCS#1.5 padding is missing (#2939)
* Fix RSA key import with OpenSSL 3.0 (#2656)
* Add support for attribute filtering when listing objects (#2687)
* Add support for `--private` flag when writing certificates (#2768)
* Add support for non-AEAD ciphers to the test mode (#2780)
* Show CKA_SIGN attribute for secret keys (#2862)
* Do not attempt to read CKA_ALWAYS_AUTHENTICATE on secret keys (#2864, #2913)
* Show Sign/VerifyRecover attributes (#2888)
* Add option to import generic keys (#2955)
* Generate 2k RSA keys by default (b53fc5cd)
* Disable autostart on Linux by default (#2680)
* Add support for IDPrime MD 830, 930 and 940 (#2666)
* Add support for SafeNet eToken 5110 token (#2812)
* Process index even without keyrefmap and use correct label for second PIN (#2878)
* Add support for Gemalto IDPrime 940C (#2941)
* Change of PIN requires verification of the PIN (#2759)
* Fix incorrect CMAC computation for subkeys (#2759, issue #2734)
* Use true random number for mutual authentication for SM (#2766)
* Add verification of data coming from the token in the secure messaging mode (#2772)
* Avoid success when using unsupported digest and fix data length for RAW ECDSA signatures (#2845)
* Fix select data command (#2753, issue #2752)
* Unbreak ed/curve25519 support (#2892)
* Add support for Slovenian eID card (eOI) (#2646)
* Add support for IDEMIA (Oberthur) tokens (#2483)
* Add support for Swissbit iShield FIDO2 Authenticator (#2671)
* Implement PIV secure messaging (#2053)
* Add support for Slovak eID cards (#2672)
* Support ECDSA with off-card hashing (#2642)
* Fix WRAP operation when using T0 (#2695)
* Identify changes on the card and enable `use_file_cache` (#2798)
* Workaround for unwrapping using 2K RSA key (#2921)
* Add support for `opensc-tool --serial` (#2675)
* Fix unwrapping of 4096 keys with handling reader limits (#2682)
* Indicate supported hashes and MGF1s (#2827)

Signed-off-by: alperak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-01-08 19:54:38 -08:00
Lee Chee Yang
44b0037309 opensc: fix CVE-2023-2977
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-09-22 07:36:16 -07:00
Jan Luebbe
cc5082d5d1 opensc: fix private key import
Importing private keys into a PKCS#11 token is broken with OpenSC 0.23.0
and OpenSSL 3. Fix it by backporting the corresponding upstream fixes.

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-02-02 10:25:33 -08:00
Jan Luebbe
c3e6365aea opensc: fix homepage URL
The opensc-project.org domain has not been active for a long time [1],
so use the current wiki (which is also linked from the project's GitHub
landing page).

[1] https://opensc-devel.narkive.com/48b09iig/www-opensc-project-org

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-01-25 08:57:42 -08:00
Wang Mingyu
918739de58 opensc: upgrade 0.22.0 -> 0.23.0
Changelog:
============
* Support signing of data with a length of more than 512 bytes (#2314)
* By default, disable support for old card drivers (#2391) and remove support for old drivers MioCOS and JCOP (#2374)
* Bump minimal required OpenSSL version to 1.1.1 and add support for OpenSSL 3.0 (#2438, #2506)
* Compatibility with LibreSSL (#2495, #2595)
* Remove support for DSA (#2503)
* Extend p11test to support symmetric keys (#2430)
* Notice detached reader on macOS (#2418)
* Support for OAEP padding (#2475, #2484)
* Fix for PSS salt length (#2478)
* Improve fuzzing by adding new tests (#2417, #2500, #2520, #2550, #2637)
* Fixed various issues reported by OSS-Fuzz and Coverity regarding card drivers, PKCS#11 and PKCS#15 init
* Fix issues with OpenPACE (#2472)
* Containers support for local testing
* Add support for encryption and decryption using symmetric keys (#2473, #2607)
* Stop building support for Gost algorithms with OpenSSL 3.0 as they require deprecated API (#2586)
* Fix detection of disconnected readers in PCSC (#2600)
* Add configuration option for on-disk caching of private data (#2588)
* Skip building empty binaries when dependencies are missing and remove needless linking (#2617)
* Define arm64 as a supported architecture in the Installer package (#2610)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-12-05 09:16:24 -08:00
Khem Raj
14c7d8a0d7 recipes: Update LICENSE variable to use SPDX license identifiers
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-03-04 17:41:45 -08:00
Richard Purdie
b402a3076f recipes: Update SRC_URI branch and protocols
This patch updates SRC_URIs using git to include branch=master if no branch is set
and also to use protocol=https for github urls as generated by the conversion script
in OE-Core.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-11-03 06:57:49 -07:00
Alexander Kanavin
c61044d58e opensc: do not use -Werror
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-10-14 07:16:58 -07:00
wangmy
6a0c9ea9d3 opensc: upgrade 0.21.0 -> 0.22.0
Use standard paths for file cache on Linux and OSX
Various issues of memory/buffer handling in legacy drivers mostly
reported by oss-fuzz and coverity (tcos, oberthur, isoapplet, iasecc,
westcos, gpk, flex, dnie, mcrd, authentic, belpic)
Add threading test to pkcs11-tool
Add support to generate generic secret keys
opensc-explorer: Print information about LCS (Life cycle status byte)
Add support for Apple's arm64 (M1) binaries, removed TokenD.
A separate installer with TokenD (and without arm64 binaries) will be available.
Support for gcc11 and its new strict aliasing rules
Initial support for building with OpenSSL 3.0
pkcs15-tool: Write data objects in binary mode
Avoid limited size of log messages

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-08-23 22:00:39 -07:00
Martin Jansa
c61dc077bb Convert to new override syntax
This is the result of automated script (0.9.1) conversion:

oe-core/scripts/contrib/convert-overrides.py .

converting the metadata to use ":" as the override character instead of "_".

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2021-08-03 10:21:25 -07:00
Zheng Ruoqin
c3f59819a7 opensc: Fix the wrong version number.
The corresponding version number of commit 30180986a08cf71fe4af4b50251a8bb5b1ab95af is 0.21.0.

Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-01-12 00:54:53 -08:00
Zang Ruochen
1df71a454c opensc: upgrade 0.20.0 -> 0.20.1
-License-Update: The address is updated as follows
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA

Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-12-03 22:32:56 -08:00
Khem Raj
8bb1fabfc5 opensc: Upgrade to 0.20.0
Drop all patches as they are already included in 0.20.0 release

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-01-17 15:44:06 -08:00
Khem Raj
bbb5732a4f opensc: Fix misaligned indentation
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-12-28 00:11:47 -08:00
Laurent Bonnans
40b3a51231 opensc: fix RDEPENDS in pcsc PACKAGECONFIG
OpenSC depends on pcsc-lite's systemd service and pkcs11 library at
runtime.

Signed-off-by: Laurent Bonnans <laurent.bonnans@here.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-12-05 23:01:06 -08:00
Jan Luebbe
8edd760e66 opensc: add support for native builds
This is needed as a dependency when using SoftHSM from the PKCS#11
OpenSSL engine for code signing.

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-11-22 09:22:47 -08:00
Jan Luebbe
060ad325b6 opensc: use pcsc-lite instead of openct by default
OpenCT upstream maintenance seems to have stopped and OpenSC upstream
uses pcsc-lite by default in their configure script. Add PACKAGECONFIGs
for each and select pcsc by default.

As the openct package depends on pcsc-lite by itself, this avoids an
unnecessary package in the default case.

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-11-22 09:22:47 -08:00
Khem Raj
c011beeaa6 opensc: Upgrade to 0.19.0
Switch fetcher to use github
Add patch to build with gcc9
Remove upstreamed patch
Inherit bash-completion

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2018-12-18 22:15:59 -08:00
Armin Kuster
c26b10b155 opensc: 0.18.0 version fix fetch error
ERROR: opensc-0.18.0-r0 do_fetch: Fetcher failure for URL: 'http://ftp.debian.org/debian/pool/main/o/opensc/opensc_0.18.0.orig.tar.gz'. Unable to fetch URL from any source.

This version is no longer hosted on the main debian URL so
use the archive URL

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2018-11-16 14:46:44 -08:00
Khem Raj
79d66aea14 opensc: Upgrade to 0.18.0
* Fixes build with OpenSSL 1.1.x
* Fix build with gcc8

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2018-09-08 13:32:12 -07:00
Derek Straka
7d12dd413f opensc: update to version 0.16.0
Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2016-08-22 15:49:25 +02:00
Li xin
9d2fc54c80 opensc: upgrade 0.14.0 -> 0.15.0
Signed-off-by: Li Xin <lixin.fnst@cn.fujitsu.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2015-07-30 21:22:24 +02:00
Li xin
9b15b32690 opensc: add new recipe
OpenSC provides a set of libraries and utilities to work with smart cards.
Its main focus is on cards that support cryptographic operations, and
facilitate their use in security applications such as authentication,
mail encryption and digital signatures.

Signed-off-by: Li Xin <lixin.fnst@cn.fujitsu.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2015-02-12 19:37:20 +01:00