Merge branch 'master' into firefox

.appveyor.yml

@@ -12,7 +12,7 @@ environment:
   GH_TOKEN:
     secure: aLu3tFc7lRJbotnmnHLx/QruIHc5rLaGm1RttoEdy4QILlPXzVkCZ6loYMz0sfrY
   PATH: C:\cygwin\bin;%PATH%
-  OPENPACE_VER: 1.1.2
+  OPENPACE_VER: 1.1.3
   ZLIB_VER_DOT: 1.2.12
   matrix:
   # not compatible with OpenSSL 1.1.1:
@@ -90,7 +90,7 @@ build_script:
           # OpenSSL 1.0.2
           #cl /nologo /IC:\OpenSSL-${env:OPENSSL_PF}\include /I. /DX509DIR=\`"/\`" /DCVCDIR=\`"/\`" /W3 /D_CRT_SECURE_NO_DEPRECATE /DWIN32_LEAN_AND_MEAN /GS /MT /c ca_lib.c cv_cert.c cvc_lookup.c x509_lookup.c eac_asn1.c eac.c eac_ca.c eac_dh.c eac_ecdh.c eac_kdf.c eac_lib.c eac_print.c eac_util.c misc.c pace.c pace_lib.c pace_mappings.c ri.c ri_lib.c ta.c ta_lib.c objects.c ssl_compat.c
           lib /nologo /out:libeac.lib ca_lib.obj cv_cert.obj cvc_lookup.obj x509_lookup.obj eac_asn1.obj eac.obj eac_ca.obj eac_dh.obj eac_ecdh.obj eac_kdf.obj eac_lib.obj eac_print.obj eac_util.obj misc.obj pace.obj pace_lib.obj pace_mappings.obj ri.obj ri_lib.obj ta.obj ta_lib.obj objects.obj ssl_compat.obj
-          cd C:\projects\OpenSC
+          cd ${env:APPVEYOR_BUILD_FOLDER}
         }
         $env:NMAKE_EXTRA+=" OPENPACE_DEF=/DENABLE_OPENPACE OPENPACE_DIR=C:\openpace-${env:OPENSSL_PF}"
       }

.editorconfig

@@ -7,7 +7,7 @@ end_of_line = lf
 trim_trailing_whitespace = true
 insert_final_newline = true
 
-[*.{c,h}]
+[*.{c,h,sh}]
 indent_style = tab
 tab_width = 4
 

.github/build.sh

@@ -34,7 +34,7 @@ if [ "$1" == "mingw" -o "$1" == "mingw32" ]; then
 	unset CC
 	unset CXX
 	./configure --host=$HOST --with-completiondir=/tmp --disable-openssl --disable-readline --disable-zlib --disable-notify --prefix=$PWD/win32/opensc || cat config.log;
-	make -j 2 V=1
+	make -j 4 V=1
 	# no point in running tests on mingw
 else
 	if [ "$1" == "ix86" ]; then
@@ -43,15 +43,29 @@ else
 	fi
 	# normal procedure
 
-	if [ "$1" == "no-shared" ]; then
+	if [ "$1" == "valgrind" ]; then
+		./configure --disable-notify --enable-valgrind
+	elif [ "$1" == "no-shared" ]; then
 		./configure --disable-shared
 	else
 		./configure --disable-dependency-tracking
 	fi
-	make -j 2 V=1
+	make -j 4 V=1
 	# 32b build has some issues to find openssl correctly
-	if [ "$1" != "ix86" ]; then
+	if [ "$1" == "valgrind" ]; then
+		make check-valgrind-memcheck
+		RV=$?
+		source .github/dump-logs.sh
+		if [ $RV -ne 0 ]; then
+			exit $RV
+		fi
+	elif [ "$1" != "ix86" ]; then
 		make check
+		RV=$?
+		source .github/dump-logs.sh
+		if [ $RV -ne 0 ]; then
+			exit $RV
+		fi
 	fi
 fi
 

.github/dump-logs.sh

@@ -0,0 +1,10 @@
+echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
+for F in tests/*.log src/tests/unittests/*.log; do
+	echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
+	echo $F
+	echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
+	cat $F
+	echo "<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
+done
+echo "<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
+

.github/setup-fedora.sh

@@ -14,8 +14,7 @@ fi
 
 sudo dnf install -y $DEPS
 
-# The test-pkcs11-tool-unwrap-wrap-test.sh is broken in Fedora for some reason
 sed -i -e '/XFAIL_TESTS/,$ {
-  s/XFAIL_TESTS.*/XFAIL_TESTS=test-pkcs11-tool-test-threads.sh test-pkcs11-tool-test.sh test-pkcs11-tool-unwrap-wrap-test.sh/
+  s/XFAIL_TESTS.*/XFAIL_TESTS=test-pkcs11-tool-test-threads.sh test-pkcs11-tool-test.sh/
   q
 }' tests/Makefile.am

.github/setup-libressl.sh

@@ -2,7 +2,7 @@
 
 set -ex -o xtrace
 
-V=libressl-3.6.1
+V=libressl-3.7.3
 
 sudo apt-get remove -y libssl-dev
 

.github/setup-linux.sh

@@ -4,7 +4,7 @@ set -ex -o xtrace
 
 WINE_DEPS=""
 # Generic dependencies
-DEPS="docbook-xsl xsltproc gengetopt help2man pcscd check pcsc-tools libtool make autoconf autoconf-archive automake pkg-config git xxd openssl"
+DEPS="docbook-xsl xsltproc gengetopt help2man pcscd check pcsc-tools libtool make autoconf autoconf-archive automake pkg-config git xxd openssl valgrind"
 
 # 64bit or 32bit dependencies
 if [ "$1" == "ix86" ]; then
@@ -27,7 +27,7 @@ elif [ "$1" == "piv" -o "$1" == "isoapplet" -o "$1" == "gidsapplet" -o "$1" == "
 elif [ "$1" == "mingw" -o "$1" == "mingw32" ]; then
 	# Note, that this list is somehow magic and adding libwine, libwine:i386 or wine64
 	# will make the following sections break without any useful logs. See GH#2458
-	WINE_DEPS="wine wine32 xvfb wget"
+	WINE_DEPS="wine wine32 xvfb wget libc6:i386 libgcc-s1:i386 libstdc++6:i386"
 	if [ "$1" == "mingw" ]; then
 		WINE_DEPS="$WINE_DEPS binutils-mingw-w64-x86-64 gcc-mingw-w64-x86-64 mingw-w64"
 	elif [ "$1" == "mingw32" ]; then
@@ -53,11 +53,16 @@ sudo apt-get install -y build-essential $DEPS
 
 # install libressl if needed
 if [ "$1" == "libressl" -o "$2" == "libressl" ]; then
-	./.github/setup-libressl.sh &> /tmp/libressl.log || cat /tmp/libressl.log
+	./.github/setup-libressl.sh &> /tmp/libressl.log
+	RET=$?
+	if [ $RET -ne 0 ]; then
+		cat /tmp/libressl.log
+		exit $RET
+	fi
 fi
 
 if [ "$1" == "mingw" -o "$1" == "mingw32" ]; then
-	sudo apt-get install -y $WINE_DEPS
+	sudo apt-get install --allow-downgrades  -y $WINE_DEPS
 	if [ ! -f "$(winepath 'C:/Program Files/Inno Setup 5/ISCC.exe')" ]; then
 		/sbin/start-stop-daemon --start --quiet --pidfile /tmp/custom_xvfb_99.pid --make-pidfile --background --exec /usr/bin/Xvfb -- :99 -ac -screen 0 1280x1024x16
 		export DISPLAY=:99.0

.github/setup-valgrind.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+#
+# To be sourced to the test scripts to run the OpenSC tools under valgrind
+#
+if [ "$1" == "valgrind" -o "$2" == "valgrind" ]; then
+	# the glib raises dozens of memory related issues so we will rebuild opensc without notify support
+	./configure --disable-notify
+	make clean && make -j 4 V=1
+
+	# suppression file contains supressions for the notification support which leaks memory
+	# The other option would  be to build without the notification support.
+	# export VALGRIND="valgrind --error-exitcode=1 --leak-check=full --keep-debuginfo=yes --suppressions=$PWD/tests/opensc.supp"
+	export VALGRIND="valgrind --error-exitcode=1 --leak-check=full --keep-debuginfo=yes --trace-children=yes --gen-suppressions=all"
+	# this should help us getting better traces as some of pcsclite and avoid false positives
+	export LD_PRELOAD="/usr/lib/x86_64-linux-gnu/libpcsclite.so.1"
+fi

.github/setup-vsmartcard.sh

@@ -4,7 +4,10 @@ set -ex -o xtrace
 
 if [ ! -d "vsmartcard" ]; then
 	git clone https://github.com/frankmorgner/vsmartcard.git
+	pushd vsmartcard/virtualsmartcard
+	autoreconf -vis && ./configure && make -j2
+	popd
 fi
 pushd vsmartcard/virtualsmartcard
-autoreconf -vis && ./configure && make -j2 && sudo make install
+sudo make install
 popd

.github/test-cac.sh

@@ -2,6 +2,8 @@
 
 set -ex -o xtrace
 
+source .github/setup-valgrind.sh
+
 # install the opensc
 sudo make install
 export LD_LIBRARY_PATH=/usr/local/lib
@@ -12,9 +14,12 @@ export LD_LIBRARY_PATH=/usr/local/lib
 # libcacard
 if [ ! -d "libcacard" ]; then
 	git clone https://gitlab.freedesktop.org/spice/libcacard.git
+	pushd libcacard
+	./autogen.sh --prefix=/usr && make -j2
+	popd
 fi
 pushd libcacard
-./autogen.sh --prefix=/usr && make -j2 && sudo make install
+sudo make install
 popd
 
 # prepare pcscd
@@ -23,25 +28,23 @@ popd
 # virt_cacard
 if [ ! -d "virt_cacard" ]; then
 	git clone https://github.com/Jakuje/virt_cacard.git
+	pushd virt_cacard
+	./autogen.sh && ./configure && make
+	popd
 fi
 pushd virt_cacard
-./autogen.sh && ./configure && make
 ./setup-softhsm2.sh
 export SOFTHSM2_CONF=$PWD/softhsm2.conf
-# register cleanup function on exit
-trap "pkill -9 virt_cacard" EXIT
 ./virt_cacard 2>&1 | sed -e 's/^/virt_cacard: /;' &
+PID=$!
 popd
 
 # run the tests
 pushd src/tests/p11test/
 sleep 5
-./p11test -s 0 -p 12345678 -o virt_cacard.json
-popd
-
-# cleanup -- this would break later uses of pcscd
-pushd vsmartcard/virtualsmartcard
-sudo make uninstall
+$VALGRIND ./p11test -s 0 -p 12345678 -o virt_cacard.json
 popd
 
 diff -u3 src/tests/p11test/virt_cacard{_ref,}.json
+
+kill -9 $PID

.github/test-gidsapplet.sh

@@ -2,6 +2,8 @@
 
 set -ex -o xtrace
 
+source .github/setup-valgrind.sh
+
 # install the opensc
 sudo make install
 export LD_LIBRARY_PATH=/usr/local/lib
@@ -10,7 +12,9 @@ export LD_LIBRARY_PATH=/usr/local/lib
 . .github/setup-java.sh
 
 # GidsApplet
-git clone https://github.com/vletoux/GidsApplet.git;
+if [ ! -d "GidsApplet" ]; then
+	git clone https://github.com/vletoux/GidsApplet.git;
+fi
 javac -classpath jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar GidsApplet/src/com/mysmartlogon/gidsApplet/*.java;
 echo "com.licel.jcardsim.card.applet.0.AID=A000000397425446590201" > gids_jcardsim.cfg;
 echo "com.licel.jcardsim.card.applet.0.Class=com.mysmartlogon.gidsApplet.GidsApplet" >> gids_jcardsim.cfg;
@@ -27,7 +31,7 @@ echo "com.licel.jcardsim.vsmartcard.port=35963" >> gids_jcardsim.cfg;
 java -noverify -cp GidsApplet/src/:jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar com.licel.jcardsim.remote.VSmartCard gids_jcardsim.cfg >/dev/null &
 PID=$!;
 sleep 5;
-opensc-tool --card-driver default --send-apdu 80b80000190bA0000003974254465902010bA00000039742544659020100;
-opensc-tool -n;
-gids-tool --initialize --pin 123456 --admin-key 000000000000000000000000000000000000000000000000 --serial 00000000000000000000000000000000;
+$VALGRIND opensc-tool --card-driver default --send-apdu 80b80000190bA0000003974254465902010bA00000039742544659020100;
+$VALGRIND opensc-tool -n;
+$VALGRIND gids-tool --initialize --pin 123456 --admin-key 000000000000000000000000000000000000000000000000 --serial 00000000000000000000000000000000;
 kill -9 $PID

.github/test-isoapplet.sh

@@ -2,6 +2,8 @@
 
 set -ex -o xtrace
 
+source .github/setup-valgrind.sh
+
 isoapplet_version="$1"
 if [ "$isoapplet_version" = "v0" ]; then
 	isoapplet_branch="main-javacard-v2.2.2"
@@ -45,7 +47,7 @@ PID=$!
 sleep 5
 
 # Does OpenSC see the uninitialized card?
-pkcs11-tool -L | tee opensc.log
+$VALGRIND pkcs11-tool -L | tee opensc.log
 # report as "token not recognized"
 grep "(token not recognized)" opensc.log
 
@@ -63,35 +65,35 @@ OPENSC_CONF=opensc.conf pkcs11-tool -L | tee opensc.log
 # report as "token not recognized"
 grep "uninitialized" opensc.log
 
-opensc-tool --card-driver default --send-apdu 80b800001a0cf276a288bcfba69d34f310010cf276a288bcfba69d34f3100100
-opensc-tool -n
-pkcs15-init --create-pkcs15 --so-pin 123456 --so-puk 0123456789abcdef
-pkcs15-tool --change-pin --pin 123456 --new-pin 654321
-pkcs15-tool --unblock-pin --puk 0123456789abcdef --new-pin 123456
-pkcs15-init --generate-key rsa/2048     --id 1 --key-usage decrypt,sign --auth-id FF --pin 123456
-pkcs15-init --generate-key rsa/2048     --id 2 --key-usage decrypt      --auth-id FF --pin 123456
-pkcs15-init --generate-key ec/secp256r1 --id 3 --key-usage sign         --auth-id FF --pin 123456
-pkcs15-tool -D
-pkcs11-tool -l -t -p 123456
+$VALGRIND opensc-tool --card-driver default --send-apdu 80b800001a0cf276a288bcfba69d34f310010cf276a288bcfba69d34f3100100
+$VALGRIND opensc-tool -n
+$VALGRIND pkcs15-init --create-pkcs15 --so-pin 123456 --so-puk 0123456789abcdef
+$VALGRIND pkcs15-tool --change-pin --pin 123456 --new-pin 654321
+$VALGRIND pkcs15-tool --unblock-pin --puk 0123456789abcdef --new-pin 123456
+$VALGRIND pkcs15-init --generate-key rsa/2048     --id 1 --key-usage decrypt,sign --auth-id FF --pin 123456
+$VALGRIND pkcs15-init --generate-key rsa/2048     --id 2 --key-usage decrypt      --auth-id FF --pin 123456
+$VALGRIND pkcs15-init --generate-key ec/secp256r1 --id 3 --key-usage sign         --auth-id FF --pin 123456
+$VALGRIND pkcs15-tool -D
+$VALGRIND pkcs11-tool -l -t -p 123456
 
 # run the tests
 pushd src/tests/p11test/
 sleep 5
-./p11test -s 0 -p 123456 -o isoapplet.json
+$VALGRIND ./p11test -s 0 -p 123456 -o isoapplet.json
 popd
 
 # random data to be signed
 dd if=/dev/random of=/tmp/data.bin bs=300 count=1
 # sign & verify using secp256r1 key
-pkcs11-tool -l -p 123456 -s -m ECDSA-SHA1 -d 3 -i /tmp/data.bin -o /tmp/data.sig
-pkcs11-tool --verify -m ECDSA-SHA1 -d 3 -i /tmp/data.bin --signature-file /tmp/data.sig
+$VALGRIND pkcs11-tool -l -p 123456 -s -m ECDSA-SHA1 -d 3 -i /tmp/data.bin -o /tmp/data.sig
+$VALGRIND pkcs11-tool --verify -m ECDSA-SHA1 -d 3 -i /tmp/data.bin --signature-file /tmp/data.sig
 # import, sign & verify using another secp256r1 key
 openssl ecparam -name secp256r1 -genkey -noout -out /tmp/ECprivKey.pem
 openssl ec -in /tmp/ECprivKey.pem -pubout -out /tmp/ECpubKey.pem
-pkcs11-tool -l -p 123456 -w /tmp/ECprivKey.pem -y privkey -d 4
-pkcs11-tool -l -p 123456 -w /tmp/ECpubKey.pem -y pubkey -d 4
-pkcs11-tool -l -p 123456 -s -m ECDSA-SHA1 -d 4 -i /tmp/data.bin -o /tmp/data.sig
-pkcs11-tool --verify -m ECDSA-SHA1 -d 4 -i /tmp/data.bin --signature-file /tmp/data.sig
+$VALGRIND pkcs11-tool -l -p 123456 -w /tmp/ECprivKey.pem -y privkey -d 4
+$VALGRIND pkcs11-tool -l -p 123456 -w /tmp/ECpubKey.pem -y pubkey -d 4
+$VALGRIND pkcs11-tool -l -p 123456 -s -m ECDSA-SHA1 -d 4 -i /tmp/data.bin -o /tmp/data.sig
+$VALGRIND pkcs11-tool --verify -m ECDSA-SHA1 -d 4 -i /tmp/data.bin --signature-file /tmp/data.sig
 # cleanup
 rm /tmp/ECprivKey.pem /tmp/ECpubKey.pem /tmp/data.bin /tmp/data.sig
 

.github/test-openpgp.sh

@@ -2,6 +2,8 @@
 
 set -ex -o xtrace
 
+source .github/setup-valgrind.sh
+
 # install the opensc
 sudo make install
 export LD_LIBRARY_PATH=/usr/local/lib
@@ -10,7 +12,9 @@ export LD_LIBRARY_PATH=/usr/local/lib
 . .github/setup-java.sh
 
 # The OpenPGP applet
-git clone --recursive https://github.com/Yubico/ykneo-openpgp.git;
+if [ ! -d "ykneo-openpgp" ]; then
+	git clone --recursive https://github.com/Yubico/ykneo-openpgp.git;
+fi
 pushd ykneo-openpgp;
 ant -DJAVACARD_HOME=${JC_HOME};
 popd
@@ -29,9 +33,9 @@ echo "com.licel.jcardsim.vsmartcard.port=35963" >> openpgp_jcardsim.cfg;
 java -noverify -cp ykneo-openpgp/applet/bin:jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar com.licel.jcardsim.remote.VSmartCard openpgp_jcardsim.cfg >/dev/null &
 PID=$!;
 sleep 5;
-opensc-tool --card-driver default --send-apdu 80b800002210D276000124010200000000000001000010D276000124010200000000000001000000;
-opensc-tool -n;
-openpgp-tool --verify CHV3 --pin 12345678 --gen-key 2;
-pkcs15-init --verify --auth-id 3 --pin 12345678 --delete-objects privkey,pubkey --id 2 --generate-key rsa/2048;
-pkcs11-tool -l -t -p 123456;
+$VALGRIND opensc-tool --card-driver default --send-apdu 80b800002210D276000124010200000000000001000010D276000124010200000000000001000000;
+$VALGRIND opensc-tool -n;
+$VALGRIND openpgp-tool --verify CHV3 --pin 12345678 --gen-key 2;
+$VALGRIND pkcs15-init --verify --auth-id 3 --pin 12345678 --delete-objects privkey,pubkey --id 2 --generate-key rsa/2048;
+$VALGRIND pkcs11-tool -l -t -p 123456;
 kill -9 $PID