* Tue Jan 14 2025 mardnh@gmx.de
- Update to version 0.26.1
General improvements
* Align allocations of sc_mem_secure_alloc (#3281).
* Fix -O3 gcc optimization failure on amd64 and ppc64el (#3299).
pkcs11-spy
* Avoid crash while spying C_GetInterface() (#3275).
TCOS
* Fix reading certificate (#3296).
* Thu Nov 14 2024 mardnh@gmx.de
- Update to version 0.26.0
Security
* CVE-2024-45615: Usage of uninitialized values in libopensc
and pkcs15init (#3225).
* CVE-2024-45616: Uninitialized values after incorrect check or
usage of APDU response values in libopensc (#3225)
* CVE-2024-45617: Uninitialized values after incorrect or missing
checking return values of functions in libopensc (#3225)
* CVE-2024-45618: Uninitialized values after incorrect or missing
checking return values of functions in pkcs15init (#3225)
* CVE-2024-45619: Incorrect handling of the length of buffers or
files in libopensc (#3225)
* CVE-2024-45620: Incorrect handling of the length of buffers or
files in pkcs15init (#3225)
* CVE-2024-8443: Heap buffer overflow in OpenPGP driver when
generating key (#3219)
General improvements
* Fix reselection of DF after error in PKCS#15 layer (#3067)
* Unify OpenSSL logging throughout code (#2922)
* Extend the p11test to support kryoptic (#3141)
* Fix for error in PCSC reconnection (#3150)
* Fixed various issues reported by OSS-Fuzz and Coverity in
drivers, PKCS#11 and PKCS#15 layer
PKCS#15
* Documentation for PKCS#15 profile files (#3132)
minidriver
* Support PinCacheAlwaysPrompt usable for PIV cards (#3167)
pkcs11-tool
* Show URI when listing token information (#3125) and objects
* Do not limit size of objects to 5000 bytes (#3174)
* Add support for AES CMAC (#3184)
* Add support for AES GCM encryption (#3195)
* Add support for RSA OAEP encryption (#3175)
* Add support for HKDF (#3193)
* Implement better support for wrapping and unwrapping (#3198)
* Add support for EdDSA sign and verify (#2979)
pkcs15-crypt
* Fix PKCS#1 encoding function to correctly detect padding type
piv-tool
* Fix RSA key generation (#3158)
* Avoid possible state change when matching unknown card (#3112)
sc-hsm-tool
* Cleanse buffer with plaintext key share (#3226)
pkcs11-register
* Fix pkcs11-register defaults on macOS and Windows (#3053)
IDPrime
* Fix identification of IDPrime 840 cards (#3146)
* Fix container mapping for IDPrime 940 cards (#3220)
* Reorder ATRs for matching cards (#3154)
OpenPGP
* Fix state tracking after erasing card (#3024)
Belpic
* Disable Applet V1.8 (#3109)
MICARDO
* Deactivate driver (#3152)
SmartCard-HSM
* Fix signing with secp521r1 signature (#3157)
eOI
* Set model via sc_card_ctl function (#3189)
Rutoken
* Increase the minimum PIN size to support Rutoken ECP BIO.
JPKI
* Adjust parameters for public key in PKCS#15 emulator (#3182)
D-Trust
* Add support for ECDSA signatures and ECDH key agreement for
D-Trust Signatures Cards 4.1/4.4 (#3240, #3248)
- Drop patches (changes now in upstream):
* opensc-CVE-2024-45615.patch
* opensc-CVE-2024-45616.patch
* opensc-CVE-2024-45617.patch
* opensc-CVE-2024-45618.patch
* opensc-CVE-2024-45619.patch
* opensc-CVE-2024-45620.patch
* opensc-CVE-2024-8443.patch
* Tue Oct 01 2024 angel.yankov@suse.com
- Security fix: [CVE-2024-8443, bsc#1230364]
* opensc: heap buffer overflow in OpenPGP driver when generating key
* Added patch: opensc-CVE-2024-8443.patch
* Tue Oct 01 2024 angel.yankov@suse.com
- Security fix: [opensc-CVE-2024-45620, bsc#1230076]
- Security fix: [opensc-CVE-2024-45619, bsc#1230075]
- Security fix: [opensc-CVE-2024-45618, bsc#1230074]
- Security fix: [opensc-CVE-2024-45617, bsc#1230073]
- Security fix: [opensc-CVE-2024-45616, bsc#1230072]
- Security fix: [opensc-CVE-2024-45615, bsc#1230071]
* opensc: pkcs15init: Usage of uninitialized values in libopensc and pkcs15init
* opensc: Uninitialized values after incorrect check or usage of APDU response values in libopensc
* opensc: Uninitialized values after incorrect or missing checking return values of functions in libopensc
* opensc: Uninitialized values after incorrect or missing checking return values of functions in pkcs15init
* opensc: Incorrect handling of the length of buffers or files in libopensc
* opensc: Incorrect handling of the length of buffers or files in pkcs15init
* Added patches:
- opensc-CVE-2024-45615.patch
- opensc-CVE-2024-45616.patch
- opensc-CVE-2024-45617.patch
- opensc-CVE-2024-45618.patch
- opensc-CVE-2024-45619.patch
- opensc-CVE-2024-45620.patch
* Fri Apr 05 2024 mardnh@gmx.de
- Update to version 0.25.1
General improvements
* Add missing file to dist tarball to build documentation.
minidriver
* Fix RSA decryption with PKCS#1 v1.5 padding.
* Fix crash when app is not set.
* Wed Mar 13 2024 mardnh@gmx.de
- Build with support for libeac (OpenPACE)
* Sat Mar 09 2024 mardnh@gmx.de
- Update to version 0.25.0
Security
* CVE-2023-5992: Fix side-channel leaks while stripping
PKCS#1 v1.5 encryption padding in OpenSC.
* CVE-2024-1454: Fix potential use-after-free in AuthentIC driver
during card enrollment in pkcs15init.
General improvements
* Remove support for old card drivers Akis, GPK, Incrypto34 and
Westcos, disable Cyberflex driver.
* Fix 64b to 32b conversions.
* Improvements for the p11test.
* Fix reader initialization without SCardControl.
* Make RSA PKCS#1 v1.5 depadding constant-time.
* Add option for disabling PKCS#1 v1.5 depadding (type 01 and 02)
on the card.
* Fixed various issues reported by OSS-Fuzz and Coverity in
drivers, PKCS#11 and PKCS#15 layer.
- Add patch:
* opensc-docbook-xsl-fix.patch
- Drop no longer needed patches:
* CVE-2024-1454.patch
- Introduce subpackage for bash-completion
* Sun Feb 25 2024 martin.schreiner@suse.com
- Add CVE-2024-1454.patch.
Fix for CVE-2024-1454 / bsc#1219868.
* Wed Dec 13 2023 otto.hollmann@suse.com
- Update to OpenSC 0.24.0:
* Security
- CVE-2023-40660: Fix potential PIN bypass
(#2806, frankmorgner/OpenSCToken#50, #2807)
- CVE-2023-40661: Important dynamic analyzers reports
- CVE-2023-4535: Out-of-bounds read in MyEID driver handling encryption
using symmetric keys (f1993dc)
* General improvements
- Fix compatibility of EAC with OpenSSL 3.0 (#2674)
- Enable use_file_cache by default (#2501)
- Use custom libctx with OpenSSL >= 3.0 (#2712, #2715)
- Fix record-based files (#2604)
- Fix several race conditions (#2735)
- Run tests under Valgrind (#2756)
- Test signing of data bigger than 512 bytes (#2789)
- Update to OpenPACE 1.1.3 (#2796)
- Implement logout for some of the card drivers (#2807)
- Fix wrong popup position of opensc-notify (#2901)
- Fixed various issues reported by OSS-Fuzz and Coverity regarding card
drivers, PKCS#11 and PKCS#15 init
* PKCS#11
- Check card presence state in C_GetSessionInfo (#2740)
- Remove onepin-opensc-pkcs11 module (#2681)
- Do not use colons in the token info label (#2760)
- Present profile objects in all slots with the CKA_TOKEN attribute to
resolve issues with NSS (#2928, #2924)
- Use secure memory for PUK (#2906)
- Don't logout to preserve concurrent access from different processes
(#2907)
- Add more examples to manual page (#2936)
- Present profile objects in all virtual slots (#2928)
- Provide CKA_TOKEN attribute for profile objects (#2924)
- Improve --slot parameter documentation (#2951)
* PKCS#15
- Honor cache offsets when writing file cache (#2858)
- Prevent needless amount of PIN prompts from pkcs15init layer (#2916)
- Propagate CKA_EXTRACTABLE and SC_PKCS15_PRKEY_ACCESS_SENSITIVE from and
back to PKCS#11 (#2936)
* Minidriver
- Fix for private keys that do not need a PIN (#2722)
- Unbreak decipher when the first null byte of PKCS#1.5 padding is
missing (#2939)
* pkcs11-tool
- Fix RSA key import with OpenSSL 3.0 (#2656)
- Add support for attribute filtering when listing objects (#2687)
- Add support for --private flag when writing certificates (#2768)
- Add support for non-AEAD ciphers to the test mode (#2780)
- Show CKA_SIGN attribute for secret keys (#2862)
- Do not attempt to read CKA_ALWAYS_AUTHENTICATE on secret keys
(#2864, #2913)
- Show Sign/VerifyRecover attributes (#2888)
- Add option to import generic keys (#2955)
* westcos-tool
- Generate 2k RSA keys by default (b53fc5c)
* pkcs11-register
- Disable autostart on Linux by default (#2680)
* IDPrime
- Add support for IDPrime MD 830, 930 and 940 (#2666)
- Add support for SafeNet eToken 5110 token (#2812)
- Process index even without keyrefmap and use correct label for second
PIN (#2878)
- Add support for Gemalto IDPrime 940C (#2941)
* EPass2003
- Change of PIN requires verification of the PIN (#2759)
- Fix incorrect CMAC computation for subkeys (#2759, issue #2734)
- Use true random number for mutual authentication for SM (#2766)
- Add verification of data coming from the token in the secure messaging
mode (#2772)
- Avoid success when using unsupported digest and fix data length for RAW
ECDSA signatures (#2845)
* OpenPGP
- Fix select data command (#2753, issue #2752)
- Unbreak ed/curve25519 support (#2892)
* eOI
- Add support for Slovenian eID card (eOI) (#2646)
* Italian CNS
- Add support for IDEMIA (Oberthur) tokens (#2483)
* PIV
- Add support for Swissbit iShield FIDO2 Authenticator (#2671)
- Implement PIV secure messaging (#2053)
* SkeID
- Add support for Slovak eID cards (#2672)
* isoApplet
- Support ECDSA with off-card hashing (#2642)
* MyEID
- Fix WRAP operation when using T0 (#2695)
- Identify changes on the card and enable use_file_cache (#2798)
- Workaround for unwrapping using 2K RSA key (#2921)
* SC-HSM
- Add support for opensc-tool --serial (#2675)
- Fix unwrapping of 4096 keys with handling reader limits (#2682)
- Indicate supported hashes and MGF1s (#2827)
- Remove patches:
* opensc-CVE-2023-40660-1of2.patch
* opensc-CVE-2023-40660-2of2.patch
* opensc-CVE-2023-40661-1of12.patch
* opensc-CVE-2023-40661-2of12.patch
* opensc-CVE-2023-40661-3of12.patch
* opensc-CVE-2023-40661-4of12.patch
* opensc-CVE-2023-40661-5of12.patch
* opensc-CVE-2023-40661-6of12.patch
* opensc-CVE-2023-40661-7of12.patch
* opensc-CVE-2023-40661-8of12.patch
* opensc-CVE-2023-40661-9of12.patch
* opensc-CVE-2023-40661-10of12.patch
* opensc-CVE-2023-40661-11of12.patch
* opensc-CVE-2023-40661-12of12.patch
* opensc-CVE-2023-4535.patch
* opensc-CVE-2023-2977.patch
* opensc-NULL_pointer_fix.patch
* Fri Oct 06 2023 otto.hollmann@suse.com
- Security Fix: [CVE-2023-40661, bsc#1215761]
* opensc: multiple memory issues with pkcs15-init (enrollment tool)
* Add patches:
- opensc-CVE-2023-40661-1of12.patch
- opensc-CVE-2023-40661-2of12.patch
- opensc-CVE-2023-40661-3of12.patch
- opensc-CVE-2023-40661-4of12.patch
- opensc-CVE-2023-40661-5of12.patch
- opensc-CVE-2023-40661-6of12.patch
- opensc-CVE-2023-40661-7of12.patch
- opensc-CVE-2023-40661-8of12.patch
- opensc-CVE-2023-40661-9of12.patch
- opensc-CVE-2023-40661-10of12.patch
- opensc-CVE-2023-40661-11of12.patch
- opensc-CVE-2023-40661-12of12.patch