security/gnupg: add the --shared-access option to scdaemon

gnupg's scdaemon opens smart cards in exclusive mode, which prevents other applications (such as PKCS#11 libraries) from concurrently accessing the card). Upstream refuses to fix the problem. This commit adds a --shared-access option to scdaemon. When enabled, scdaemon will access the smart card in shared mode, playing nicely with other applications. The default behavior is unchanged. See Also: d6cb8039a0 https://dev.gnupg.org/T3267 https://dev.gnupg.org/D320 https://github.com/OpenSC/OpenSC/issues/953 Reviewed by: adamw Approved by: adamw (maintainer) Obtained-from: GPGTools Sponsored by: Axcient Differential Revision: https://reviews.freebsd.org/D22473
svn path=/head/; revision=518435
2019-11-25 23:49:31 +00:00 · 2019-11-25 23:49:31 +00:00 · a6aa3c3cd7 · 2021-03-31 03:12:20 +00:00
commit a6aa3c3cd7
parent f2ab442843
6 changed files with 85 additions and 1 deletions
--- a/security/gnupg/Makefile
+++ b/security/gnupg/Makefile
@ -2,7 +2,7 @@

 PORTNAME=	gnupg
 PORTVERSION=	2.2.17
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	security
 MASTER_SITES=	GNUPG

--- a/security/gnupg/files/patch-doc_scdaemon.texi
+++ b/security/gnupg/files/patch-doc_scdaemon.texi
@ -0,0 +1,14 @@
+--- doc/scdaemon.texi.orig	2019-11-20 21:45:47 UTC
+++ doc/scdaemon.texi
+@@ -300,6 +300,11 @@ Note that with the current version of Scdaemon the car
+ down immediately at the next timer tick for any value of @var{n} other
+ than 0.
+ 
+@item --shared-access
+@opindex shared-access
+Open the smart card in shared mode, rather than exclusive.  This will allow
+other applications like PKCS#11 libraries to use the smart card concurrently.
+
+ @item --enable-pinpad-varlen
+ @opindex enable-pinpad-varlen
+ Please specify this option when the card reader supports variable
--- a/security/gnupg/files/patch-scd_apdu.c
+++ b/security/gnupg/files/patch-scd_apdu.c
@ -0,0 +1,11 @@
+--- scd/apdu.c.orig	2019-07-09 09:08:45 UTC
+++ scd/apdu.c
+@@ -816,7 +816,7 @@ connect_pcsc_card (int slot)
+ 
+   err = pcsc_connect (reader_table[slot].pcsc.context,
+                       reader_table[slot].rdrname,
+-                      PCSC_SHARE_EXCLUSIVE,
+                      opt.shared_access ? PCSC_SHARE_SHARED : PCSC_SHARE_EXCLUSIVE,
+                       PCSC_PROTOCOL_T0|PCSC_PROTOCOL_T1,
+                       &reader_table[slot].pcsc.card,
+                       &reader_table[slot].pcsc.protocol);
--- a/security/gnupg/files/patch-scd_scdaemon.c
+++ b/security/gnupg/files/patch-scd_scdaemon.c
@ -0,0 +1,36 @@
+--- scd/scdaemon.c.orig	2019-07-09 09:08:45 UTC
+++ scd/scdaemon.c
+@@ -99,6 +99,7 @@ enum cmd_and_opt_values
+   oDenyAdmin,
+   oDisableApplication,
+   oEnablePinpadVarlen,
+  oSharedAccess,
+   oListenBacklog,
+ 
+   oNoop
+@@ -164,6 +165,8 @@ static ARGPARSE_OPTS opts[] = {
+   /* Stubs for options which are implemented by 2.3 or later.  */
+   ARGPARSE_s_s (oNoop, "application-priority", "@"),
+ 
+  ARGPARSE_s_n (oSharedAccess, "shared-access", N_("use PCSC_SHARE_SHARED for pcsc_connect")),
+
+   ARGPARSE_end ()
+ };
+ 
+@@ -629,6 +632,8 @@ main (int argc, char **argv )
+ 
+         case oNoop: break;
+ 
+        case oSharedAccess: opt.shared_access = 1; break;
+
+         default:
+           pargs.err = configfp? ARGPARSE_PRINT_WARNING:ARGPARSE_PRINT_ERROR;
+           break;
+@@ -727,6 +732,7 @@ main (int argc, char **argv )
+       es_printf ("disable-pinpad:%lu:\n", GC_OPT_FLAG_NONE );
+       es_printf ("card-timeout:%lu:%d:\n", GC_OPT_FLAG_DEFAULT, 0);
+       es_printf ("enable-pinpad-varlen:%lu:\n", GC_OPT_FLAG_NONE );
+      es_printf ("shared-access:%lu:\n", GC_OPT_FLAG_NONE );
+ 
+       scd_exit (0);
+     }
--- a/security/gnupg/files/patch-scd_scdaemon.h
+++ b/security/gnupg/files/patch-scd_scdaemon.h
@ -0,0 +1,11 @@
+--- scd/scdaemon.h.orig	2019-07-09 09:08:45 UTC
+++ scd/scdaemon.h
+@@ -62,6 +62,8 @@ struct
+   strlist_t disabled_applications;  /* Card applications we do not
+                                        want to use. */
+   unsigned long card_timeout; /* Disconnect after N seconds of inactivity.  */
+
+  int shared_access;
+ } opt;
+ 
+ 
--- a/security/gnupg/files/patch-tools_gpgconf-comp.c
+++ b/security/gnupg/files/patch-tools_gpgconf-comp.c
@ -0,0 +1,12 @@
+--- tools/gpgconf-comp.c.orig	2019-07-09 09:08:45 UTC
+++ tools/gpgconf-comp.c
+@@ -653,6 +653,9 @@ static gc_option_t gc_options_scdaemon[] =
+    { "card-timeout", GC_OPT_FLAG_NONE|GC_OPT_FLAG_RUNTIME, GC_LEVEL_BASIC,
+      "gnupg", "|N|disconnect the card after N seconds of inactivity",
+      GC_ARG_TYPE_UINT32, GC_BACKEND_SCDAEMON },
+   { "shared-access", GC_OPT_FLAG_NONE|GC_OPT_FLAG_RUNTIME, GC_LEVEL_BASIC,
+     "gnupg", "use PCSC_SHARE_SHARED for pcsc_connect",
+     GC_ARG_TYPE_NONE, GC_BACKEND_SCDAEMON },
+ 
+    { "Debug",
+      GC_OPT_FLAG_GROUP, GC_LEVEL_ADVANCED,