authorAlan Somers <asomers@FreeBSD.org>2019-11-25 23:49:31 +0000
committerAlan Somers <asomers@FreeBSD.org>2019-11-25 23:49:31 +0000
commita6aa3c3cd749c4bb36d6545b5c215beccc71374e (patch)
tree39df0b29832471ab4f8a90fa3fcd656e6d5c0af3 /security/gnupg
parentf2ab4428432c7278a3dfc65dd19ae1a0e21e9b2f (diff)
downloadports-a6aa3c3cd749c4bb36d6545b5c215beccc71374e.tar.gz
ports-a6aa3c3cd749c4bb36d6545b5c215beccc71374e.zip
security/gnupg: add the --shared-access option to scdaemon
gnupg's scdaemon opens smart cards in exclusive mode, which prevents other applications (such as PKCS#11 libraries) from concurrently accessing the card. Upstream refuses to fix the problem. This commit adds a --shared-access option to scdaemon. When enabled, scdaemon will access the smart card in shared mode, playing nicely with other applications. The default behavior is unchanged. See Also: https://github.com/GPGTools/MacGPG2/commit/d6cb8039a0cdc74b9bdd89a3dfa93248aa2c4100 https://dev.gnupg.org/T3267 https://dev.gnupg.org/D320 https://github.com/OpenSC/OpenSC/issues/953 Reviewed by: adamw Approved by: adamw (maintainer) Obtained-from: GPGTools Sponsored by: Axcient Differential Revision: https://reviews.freebsd.org/D22473
Notes
Notes: svn path=/head/; revision=518435
Diffstat (limited to 'security/gnupg')
-rw-r--r--security/gnupg/Makefile2
-rw-r--r--security/gnupg/files/patch-doc_scdaemon.texi14
-rw-r--r--security/gnupg/files/patch-scd_apdu.c11
-rw-r--r--security/gnupg/files/patch-scd_scdaemon.c36
-rw-r--r--security/gnupg/files/patch-scd_scdaemon.h11
-rw-r--r--security/gnupg/files/patch-tools_gpgconf-comp.c12
6 files changed, 85 insertions, 1 deletions
diff --git a/security/gnupg/Makefile b/security/gnupg/Makefile
index caaad163fd6b..caa92adf1fd4 100644
--- a/security/gnupg/Makefile
+++ b/security/gnupg/Makefile
@@ -2,7 +2,7 @@
PORTNAME= gnupg
PORTVERSION= 2.2.17
-PORTREVISION= 3
+PORTREVISION= 4
CATEGORIES= security
MASTER_SITES= GNUPG
diff --git a/security/gnupg/files/patch-doc_scdaemon.texi b/security/gnupg/files/patch-doc_scdaemon.texi
new file mode 100644
index 000000000000..f44dc1142da2
--- /dev/null
+++ b/security/gnupg/files/patch-doc_scdaemon.texi
@@ -0,0 +1,14 @@
+--- doc/scdaemon.texi.orig 2019-11-20 21:45:47 UTC
++++ doc/scdaemon.texi
+@@ -300,6 +300,11 @@ Note that with the current version of Scdaemon the car
+ down immediately at the next timer tick for any value of @var{n} other
+ than 0.
+
++@item --shared-access
++@opindex shared-access
++Open the smart card in shared mode, rather than exclusive. This will allow
++other applications like PKCS#11 libraries to use the smart card concurrently.
++
+ @item --enable-pinpad-varlen
+ @opindex enable-pinpad-varlen
+ Please specify this option when the card reader supports variable
diff --git a/security/gnupg/files/patch-scd_apdu.c b/security/gnupg/files/patch-scd_apdu.c
new file mode 100644
index 000000000000..f3313b850367
--- /dev/null
+++ b/security/gnupg/files/patch-scd_apdu.c
@@ -0,0 +1,11 @@
+--- scd/apdu.c.orig 2019-07-09 09:08:45 UTC
++++ scd/apdu.c
+@@ -816,7 +816,7 @@ connect_pcsc_card (int slot)
+
+ err = pcsc_connect (reader_table[slot].pcsc.context,
+ reader_table[slot].rdrname,
+- PCSC_SHARE_EXCLUSIVE,
++ opt.shared_access ? PCSC_SHARE_SHARED : PCSC_SHARE_EXCLUSIVE,
+ PCSC_PROTOCOL_T0|PCSC_PROTOCOL_T1,
+ &reader_table[slot].pcsc.card,
+ &reader_table[slot].pcsc.protocol);
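Review bot: Connecting with `PCSC_SHARE_SHARED` in connect_pcsc_card gives up the isolation that scdaemon's view of the card depended on, and nothing in this hunk compensates for that. Once a PIN has been verified, the card's verified state is presumably no longer private to scdaemon, and another application selecting a different applet can invalidate what scdaemon believes is selected. Whether the APDU sequences elsewhere in apdu.c are bracketed by PC/SC transactions is not visible here. I would add a comment at the call, `/* Shared mode: other processes may talk to the card between our APDUs; PIN-verified state is not private to scdaemon. */`, and state the same trade-off in the --shared-access entry of doc/scdaemon.texi, which currently describes only the benefit. connect_pcsc_card starts and ends outside the hunk.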
diff --git a/security/gnupg/files/patch-scd_scdaemon.c b/security/gnupg/files/patch-scd_scdaemon.c
new file mode 100644
index 000000000000..4b2e62255de6
--- /dev/null
+++ b/security/gnupg/files/patch-scd_scdaemon.c
@@ -0,0 +1,36 @@
+--- scd/scdaemon.c.orig 2019-07-09 09:08:45 UTC
++++ scd/scdaemon.c
+@@ -99,6 +99,7 @@ enum cmd_and_opt_values
+ oDenyAdmin,
+ oDisableApplication,
+ oEnablePinpadVarlen,
++ oSharedAccess,
+ oListenBacklog,
+
+ oNoop
+@@ -164,6 +165,8 @@ static ARGPARSE_OPTS opts[] = {
+ /* Stubs for options which are implemented by 2.3 or later. */
+ ARGPARSE_s_s (oNoop, "application-priority", "@"),
+
++ ARGPARSE_s_n (oSharedAccess, "shared-access", N_("use PCSC_SHARE_SHARED for pcsc_connect")),
++
+ ARGPARSE_end ()
+ };
+
+@@ -629,6 +632,8 @@ main (int argc, char **argv )
+
+ case oNoop: break;
+
++ case oSharedAccess: opt.shared_access = 1; break;
++
+ default:
+ pargs.err = configfp? ARGPARSE_PRINT_WARNING:ARGPARSE_PRINT_ERROR;
+ break;
+@@ -727,6 +732,7 @@ main (int argc, char **argv )
+ es_printf ("disable-pinpad:%lu:\n", GC_OPT_FLAG_NONE );
+ es_printf ("card-timeout:%lu:%d:\n", GC_OPT_FLAG_DEFAULT, 0);
+ es_printf ("enable-pinpad-varlen:%lu:\n", GC_OPT_FLAG_NONE );
++ es_printf ("shared-access:%lu:\n", GC_OPT_FLAG_NONE );
+
+ scd_exit (0);
+ }
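Review bot: The new `ARGPARSE_s_n (oSharedAccess, ...)` entry sits directly under the comment "Stubs for options which are implemented by 2.3 or later", so it reads as one of the no-op stubs although it changes how the card is opened. Its help text also names a constant rather than the effect. I would move the entry above that comment and word it for users, e.g. `N_("open the card in shared mode (other programs may use it concurrently)")`. The option can only set `opt.shared_access = 1`; if a user should be able to override a configuration-file setting from the command line, a negating counterpart would be needed. main and the opts table continue outside these hunks.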
diff --git a/security/gnupg/files/patch-scd_scdaemon.h b/security/gnupg/files/patch-scd_scdaemon.h
new file mode 100644
index 000000000000..66748abf6bd6
--- /dev/null
+++ b/security/gnupg/files/patch-scd_scdaemon.h
@@ -0,0 +1,11 @@
+--- scd/scdaemon.h.orig 2019-07-09 09:08:45 UTC
++++ scd/scdaemon.h
+@@ -62,6 +62,8 @@ struct
+ strlist_t disabled_applications; /* Card applications we do not
+ want to use. */
+ unsigned long card_timeout; /* Disconnect after N seconds of inactivity. */
++
++ int shared_access;
+ } opt;
+
+
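Review bot: The new `int shared_access;` member is the only field in this part of the opt struct without a trailing comment, and its name alone does not say what is being shared. I would write `int shared_access; /* Connect to the card with PCSC_SHARE_SHARED instead of PCSC_SHARE_EXCLUSIVE. */` to match the neighbouring fields. The struct definition starts outside the hunk.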
diff --git a/security/gnupg/files/patch-tools_gpgconf-comp.c b/security/gnupg/files/patch-tools_gpgconf-comp.c
new file mode 100644
index 000000000000..51bb3c1aca41
--- /dev/null
+++ b/security/gnupg/files/patch-tools_gpgconf-comp.c
@@ -0,0 +1,12 @@
+--- tools/gpgconf-comp.c.orig 2019-07-09 09:08:45 UTC
++++ tools/gpgconf-comp.c
+@@ -653,6 +653,9 @@ static gc_option_t gc_options_scdaemon[] =
+ { "card-timeout", GC_OPT_FLAG_NONE|GC_OPT_FLAG_RUNTIME, GC_LEVEL_BASIC,
+ "gnupg", "|N|disconnect the card after N seconds of inactivity",
+ GC_ARG_TYPE_UINT32, GC_BACKEND_SCDAEMON },
++ { "shared-access", GC_OPT_FLAG_NONE|GC_OPT_FLAG_RUNTIME, GC_LEVEL_BASIC,
++ "gnupg", "use PCSC_SHARE_SHARED for pcsc_connect",
++ GC_ARG_TYPE_NONE, GC_BACKEND_SCDAEMON },
+
+ { "Debug",
+ GC_OPT_FLAG_GROUP, GC_LEVEL_ADVANCED,
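Review bot: The new "shared-access" entry is flagged `GC_OPT_FLAG_RUNTIME` and `GC_LEVEL_BASIC`, apparently copied from card-timeout above it, and neither looks right for this option. Judging by the other patches in this commit, opt.shared_access is set once during option parsing in main and read only when connect_pcsc_card connects. A change made through gpgconf would therefore presumably not affect an already-connected card, and no visible code ever clears the flag. Because the option relaxes card isolation, I would list it as `GC_OPT_FLAG_NONE, GC_LEVEL_EXPERT` unless a runtime re-read has been verified. The description should state the effect rather than the constant, for example `"open the card in shared mode"`. The gc_options_scdaemon table continues outside the hunk.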