Merge v1.14.2 into community
GovernikusAusweisApp2 committed Jun 20, 2018
2 parents b4c1fbe + b63df30 commit e626090
Showing 67 changed files with 829 additions and 521 deletions.
2 changes: 1 addition & 1 deletion CMakeLists.txt
Expand Up @@ -33,7 +33,7 @@ ELSE()
ENDIF()


PROJECT(AusweisApp2 VERSION 1.14.1 LANGUAGES ${LANGUAGES})
PROJECT(AusweisApp2 VERSION 1.14.2 LANGUAGES ${LANGUAGES})

# Set TWEAK if not defined in PROJECT_VERSION above to
# have a valid tweak version without propagating it
21 changes: 21 additions & 0 deletions docs/releasenotes/1.14.2.rst
@@ -0,0 +1,21 @@
AusweisApp2 1.14.2
^^^^^^^^^^^^^^^^^^

**Releasedatum:** 20. Juni 2018



Anwender
""""""""
- Optimierungen in der Benutzerfreundlichkeit.

- Ein leerer Zweck im Berechtigungszertifikat wird nun
korrekt dargestellt.


Entwickler
""""""""""
- Unterstützung von Vor-Ort-Auslesen von Ausweisdaten unter
Anwesenden (gem. §18a PAuswG).

- Aktualisierung von OpenSSL auf die Version 1.0.2o.
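
Review bot: the "Entwickler" list in this new file names the OpenSSL update to 1.0.2o but not the CVE-2018-0737 backport that the same commit adds under patches/ and applies in libs/CMakeLists.txt. Add an entry for it, so that someone reading the release notes can tell that this build carries that fix on top of 1.0.2o.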
17 changes: 17 additions & 0 deletions docs/releasenotes/announce.rst
Expand Up @@ -7,6 +7,23 @@ folgender Systeme eingestellt.
- OS X 10.10


Mit der Version 1.16.0 der AusweisApp2 wird die Unterstützung
folgender TLS-Cipher eingestellt.

- DHE-DSS-AES256-GCM-SHA384
- DHE-DSS-AES256-SHA256
- DHE-DSS-AES128-GCM-SHA256
- DHE-DSS-AES128-SHA256"
- DHE-DSS-AES256-SHA
- DHE-DSS-AES128-SHA
- ECDHE-ECDSA-AES256-SHA
- ECDHE-RSA-AES256-SHA
- DHE-RSA-AES256-SHA
- ECDHE-ECDSA-AES128-SHA
- ECDHE-RSA-AES128-SHA
- DHE-RSA-AES128-SHA


Mit der Version 1.14.0 der AusweisApp2 wurde die Unterstützung
folgender Systeme eingestellt.
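
Review bot: the added entry `- DHE-DSS-AES128-SHA256"` ends in a stray double quote, which will be rendered as part of the cipher name; drop it. It would also help to say in the introductory sentence that these are OpenSSL cipher-suite names, so that service operators can match them against their server configuration before 1.16.0.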

1 change: 1 addition & 0 deletions docs/releasenotes/appcast.rst
Expand Up @@ -4,6 +4,7 @@ Release Notes
.. toctree::
:maxdepth: 1

1.14.2
1.14.1
1.14.0
announce
2 changes: 1 addition & 1 deletion docs/releasenotes/conf.py.in
Expand Up @@ -42,7 +42,7 @@ master_doc = 'index'

# General information about the project.
project = 'AusweisApp2'
copyright = '2016-2017, Governikus GmbH & Co. KG'
copyright = '2016-2018, Governikus GmbH & Co. KG'
author = 'Governikus GmbH & Co. KG'

# The version info for the project you're documenting, acts as replacement for
4 changes: 4 additions & 0 deletions docs/releasenotes/issues.rst
Expand Up @@ -24,3 +24,7 @@ Die nachfolgende Liste bezieht sich auf die aktuelle Version der AusweisApp2.

- Unter Umständen kommt es zu Stabilitätsproblemen der NFC-Schnittstelle
auf Android.

- Das Vor-Ort-Auslesen von Ausweisdaten unter Anwesenden (gem. §18a PAuswG)
funktioniert nicht, wenn ein Smartphone als Kartenlesegerät genutzt wird
und der Tastaturmodus "PIN-Eingabe auf diesem Gerät" aktiviert ist.
10 changes: 5 additions & 5 deletions docs/releasenotes/support.rst
Expand Up @@ -48,13 +48,13 @@ und sollte daher mit allen marktüblichen Browsern verwendet werden können.
Im Rahmen der Qualitätssicherung werden die folgenden Browserversionen
getestet.

- Firefox 57
- Firefox 60

- Chrome 62
- Chrome 66

- Internet Explorer 11

- Safari 11
- Safari 11.1.1



Expand Down Expand Up @@ -112,9 +112,9 @@ Im mobilen Umfeld ist die Funktionalität jedoch abhängig von der vom
Diensteanbieter umgesetzten Aktivierung. Daher empfehlen wir einen der
folgenden Browser zu verwenden.

- Firefox Klar 2.5
- Firefox Klar 5.0

- Chrome 63
- Chrome 66

- Android System WebView 60

1 change: 1 addition & 0 deletions docs/releasenotes/versions.rst
Expand Up @@ -6,6 +6,7 @@ Versionszweig 1.14
.. toctree::
:maxdepth: 1

1.14.2
1.14.1
1.14.0

2 changes: 1 addition & 1 deletion docs/sdk/conf.py.in
Expand Up @@ -42,7 +42,7 @@ master_doc = 'index'

# General information about the project.
project = 'AusweisApp2 SDK'
copyright = '2016-2017, Governikus GmbH & Co. KG'
copyright = '2016-2018, Governikus GmbH & Co. KG'
author = 'Governikus GmbH & Co. KG'

# The version info for the project you're documenting, acts as replacement for
2 changes: 1 addition & 1 deletion docs/sdk/intro.rst
Expand Up @@ -42,7 +42,7 @@ show a possible communication.

In case your client application requires data input from the
ID card, you need to get this from the backend system
(e.g. the eID server) after a succesfull authentication.
(e.g. the eID server) after a successful authentication.


.. seealso::
14 changes: 11 additions & 3 deletions docs/sdk/messages.rst
Expand Up @@ -328,9 +328,14 @@ Indicates that a CAN is required to continue workflow.
If the AusweisApp2 sends this message, you will have to
provide the CAN of the inserted card with :ref:`set_can`.

The workflow will automatically continue if the CAN was correct
and the AusweisApp2 will send an :ref:`enter_pin` message.
If the correct CAN is entered the retryCounter will still be **1**.
The CAN is required to enable the last attempt of PIN input if
the retryCounter is **1**. The workflow continues automatically with
the correct CAN and the AusweisApp2 will send an :ref:`enter_pin` message.
Despite the correct CAN being entered, the retryCounter remains at **1**.

The CAN is also required, if the authentication terminal has an approved
"CAN allowed right". This allows the workflow to continue without
an additional PIN.

If your application provides an invalid :ref:`set_can` command
the AusweisApp2 will send an :ref:`enter_can` message with an error
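
Review bot: the new paragraph on the "CAN allowed right" says the workflow continues "without an additional PIN" but does not say which message the client receives after a correct set_can in that case, whereas the retryCounter case above it names enter_pin explicitly. State the follow-up message, and say how a client can tell from enter_can which of the two cases it is in. Minor: there should be no comma in "The CAN is also required, if".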
Expand All @@ -340,6 +345,9 @@ If your application provides a valid :ref:`set_can` command
and the CAN was incorrect the AusweisApp2 will send :ref:`enter_can`
again but without an error parameter.

.. versionadded:: 1.14.2
Support of "CAN allowed right".


- **error**: Optional error message if your command :ref:`set_can`
was invalid.
8 changes: 5 additions & 3 deletions libs/CMakeLists.txt
Expand Up @@ -107,8 +107,8 @@ INCLUDE(Messages)
SET(QT 5.9.3)
SET(QT_HASH 57acd8f03f830c2d7dc29fbe28aaa96781b2b9bdddce94196e6761a0f88c6046)

SET(OPENSSL 1.0.2n)
SET(OPENSSL_HASH 370babb75f278c39e0c50e8c4e7493bc0f18db6867478341a832a982fd15a8fe)
SET(OPENSSL 1.0.2o)
SET(OPENSSL_HASH ec3f5c9714ba0fd45cb4e087301eb1336c317e0d20b575a125050470e8089e4d)

################################## Files
SET(QT_FILE qt-everywhere-opensource-src-${QT}.tar.xz)
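
Review bot: the new value on the `SET(OPENSSL_HASH …)` line cannot be checked from the diff alone. Before merging, confirm that it matches the digest published upstream for the 1.0.2o tarball, and say in the commit message where the value was taken from.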
Expand Down Expand Up @@ -205,6 +205,8 @@ ExternalProject_Add(openssl
PATCH_COMMAND
${OPENSSL_PATCH_COMMAND}
${PATCH_CMD} -p1 ${PATCH_OPTIONS} ${PATCHES_DIR}/openssl-fix-no-engine-build.patch &&
${PATCH_CMD} -p1 ${PATCH_OPTIONS} ${PATCHES_DIR}/openssl-Revert-Configure-use-a-better-method-to-identify-gcc.patch &&
${PATCH_CMD} -p1 ${PATCH_OPTIONS} ${PATCHES_DIR}/openssl-RSA-key-generation-ensure-BN_mod_inverse-and-BN_mod_.patch &&
${PATCH_CMD} -p1 ${PATCH_OPTIONS} ${PATCHES_DIR}/openssl_rsa_psk.patch

CONFIGURE_COMMAND ${OPENSSL_ENV} ${PERL_EXECUTABLE} Configure --prefix=${DESTINATION_DIR} ${OPENSSL_CONFIGURE_FLAGS} "${COMPILER_FLAGS}" "${OPENSSL_COMPILER_FLAGS}"
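
Review bot: the two added PATCH_COMMAND entries carry no comment on why they are needed or when they can be removed. The RSA key generation patch is the CVE-2018-0737 backport and becomes redundant once the OPENSSL pin moves to a release that contains it; the Configure revert has no stated reason at all. A one-line comment above each `${PATCH_CMD}` line would keep the next version bump from silently keeping or dropping them.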
Expand Down Expand Up @@ -313,7 +315,7 @@ ExternalProject_Add(qt
${PATCH_CMD} -p1 ${PATCH_OPTIONS} ${PATCHES_DIR}/qt-Avoid-using-deprecated-APIs-on-iOS-10.0.patch &&
${PATCH_CMD} -p1 ${PATCH_OPTIONS} ${PATCHES_DIR}/qt-Add-IsoDep-to-the-techList-on-Android.patch &&
${PATCH_CMD} -p1 ${PATCH_OPTIONS} ${PATCHES_DIR}/qt-macOS-iOS-Fix-garbled-text-under-some-conditions.patch &&
${PATCH_CMD} -p1 ${PATCH_OPTIONS} ${PATCHES_DIR}/qt-Fix-reopening-on-macOS.patch &&
${PATCH_CMD} -p1 ${PATCH_OPTIONS} ${PATCHES_DIR}/qt-QCoreTextFontEngine-Fix-build-with-Xcode-9.3.patch &&
${CMAKE_COMMAND} -E touch qtbase/.gitignore
CONFIGURE_COMMAND ${QT_ENV} ${QT_CONFIGURE} ${QT_CONFIGURE_FLAGS} ${QT_CONFIGURE_FLAGS_SKIP_MODULES}
BUILD_COMMAND ${MAKE} ${MAKE_JOBS}
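
Review bot: qt-Fix-reopening-on-macOS.patch disappears from the patch chain here, while `SET(QT 5.9.3)` in the first hunk of this file is unchanged, so the fix is not being picked up through a Qt upgrade. Say why the patch is no longer needed, or keep it next to the new Xcode 9.3 build fix; the 1.14.2 release notes do not mention the removal either.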
@@ -0,0 +1,31 @@
From 349a41da1ad88ad87825414752a8ff5fdd6a6c3f Mon Sep 17 00:00:00 2001
From: Billy Brumley <[email protected]>
Date: Wed, 11 Apr 2018 10:10:58 +0300
Subject: [PATCH] RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont
both get called with BN_FLG_CONSTTIME flag set.

CVE-2018-0737

Reviewed-by: Rich Salz <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
(cherry picked from commit 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787)
---
crypto/rsa/rsa_gen.c | 2 ++
1 file changed, 2 insertions(+)

diff --git x/crypto/rsa/rsa_gen.c y/crypto/rsa/rsa_gen.c
index 9ca5dfefb7..42b89a8dfa 100644
--- x/crypto/rsa/rsa_gen.c
+++ y/crypto/rsa/rsa_gen.c
@@ -156,6 +156,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
if (BN_copy(rsa->e, e_value) == NULL)
goto err;

+ BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
+ BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
BN_set_flags(r2, BN_FLG_CONSTTIME);
/* generate p and q */
for (;;) {
--
2.17.0
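
Review bot: BN_FLG_CONSTTIME is set on rsa->p and rsa->q ahead of the "generate p and q" loop, so the fix relies on the flag still being present on those BIGNUMs when the later BN_mod_inverse and BN_mod_exp_mont calls run; the hunk shows only the flag being set, not those calls. Because this is a cherry-pick applied to the pinned 1.0.2o tree, confirm against that version's rsa_gen.c that nothing between these lines and those calls replaces p or q with a fresh BIGNUM.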

@@ -0,0 +1,75 @@
From 2a33b07d56c7e30a18dda5760111af267271c236 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Klitzing?= <[email protected]>
Date: Tue, 24 Apr 2018 16:13:56 +0200
Subject: [PATCH] Revert "Configure: use a better method to identify gcc and
derivates"

This reverts commit 78e9e3f945935c91d8dfe0e832a95d6ea8d05f34.
---
Configure | 22 ++++++++--------------
1 file changed, 8 insertions(+), 14 deletions(-)

diff --git x/Configure y/Configure
index 744b493b96..fe7565ebd9 100755
--- x/Configure
+++ y/Configure
@@ -1269,7 +1269,7 @@ my ($prelflags,$postlflags)=split('%',$lflags);
if (defined($postlflags)) { $lflags=$postlflags; }
else { $lflags=$prelflags; undef $prelflags; }

-if ($target =~ /^mingw/ && `$cross_compile_prefix$cc --target-help 2>&1` !~ m/\-mno\-cygwin/m)
+if ($target =~ /^mingw/ && `$cc --target-help 2>&1` !~ m/\-mno\-cygwin/m)
{
$cflags =~ s/\-mno\-cygwin\s*//;
$shared_ldflag =~ s/\-mno\-cygwin\s*//;
@@ -1661,25 +1661,18 @@ if ($shlib_version_number =~ /(^[0-9]*)\.([0-9\.]*)/)
$shlib_minor=$2;
}

-my %predefined;
-
-# collect compiler pre-defines from gcc or gcc-alike...
-open(PIPE, "$cross_compile_prefix$cc -dM -E -x c /dev/null 2>&1 |");
-while (<PIPE>) {
- m/^#define\s+(\w+(?:\(\w+\))?)(?:\s+(.+))?/ or last;
- $predefined{$1} = defined($2) ? $2 : "";
-}
-close(PIPE);
+my $ecc = $cc;
+$ecc = "clang" if `$cc --version 2>&1` =~ /clang/;

if ($strict_warnings)
{
my $wopt;
- die "ERROR --strict-warnings requires gcc or clang" unless defined($predefined{__GNUC__});
+ die "ERROR --strict-warnings requires gcc or clang" unless ($ecc =~ /gcc$/ or $ecc =~ /clang$/);
foreach $wopt (split /\s+/, $gcc_devteam_warn)
{
$cflags .= " $wopt" unless ($cflags =~ /(^|\s)$wopt(\s|$)/)
}
- if (defined($predefined{__clang__}))
+ if ($ecc eq "clang")
{
foreach $wopt (split /\s+/, $clang_devteam_warn)
{
@@ -1730,14 +1723,15 @@ while (<IN>)
s/^NM=\s*/NM= \$\(CROSS_COMPILE\)/;
s/^RANLIB=\s*/RANLIB= \$\(CROSS_COMPILE\)/;
s/^RC=\s*/RC= \$\(CROSS_COMPILE\)/;
- s/^MAKEDEPPROG=.*$/MAKEDEPPROG= \$\(CROSS_COMPILE\)$cc/ if $predefined{__GNUC__} >= 3;
+ s/^MAKEDEPPROG=.*$/MAKEDEPPROG= \$\(CROSS_COMPILE\)$cc/ if $cc eq "gcc";
}
else {
s/^CC=.*$/CC= $cc/;
s/^AR=\s*ar/AR= $ar/;
s/^RANLIB=.*/RANLIB= $ranlib/;
s/^RC=.*/RC= $windres/;
- s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $predefined{__GNUC__} >= 3;
+ s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq "gcc";
+ s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $ecc eq "gcc" || $ecc eq "clang";
}
s/^CFLAG=.*$/CFLAG= $cflags/;
s/^DEPFLAG=.*$/DEPFLAG=$depflags/;
--
2.17.0
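
Review bot: the revert gives no reason in its message, and in the mingw check it drops `$cross_compile_prefix`, so `$cc --target-help` now probes the plain $cc rather than the prefixed cross compiler. Compiler detection also goes back to matching on the name (`$ecc =~ /gcc$/`, `$cc eq "gcc"`), which misses a gcc that is invoked under another name, such as a versioned or prefixed binary. State in the commit message which build this revert repairs, and consider limiting it to that target.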

49 changes: 0 additions & 49 deletions patches/qt-Fix-reopening-on-macOS.patch

This file was deleted.

35 changes: 35 additions & 0 deletions patches/qt-QCoreTextFontEngine-Fix-build-with-Xcode-9.3.patch
@@ -0,0 +1,35 @@
From 05eed1cd4505bf9912b84ed39ab1ad22846e7d09 Mon Sep 17 00:00:00 2001
From: Gabriel de Dietrich <[email protected]>
Date: Fri, 30 Mar 2018 11:58:16 -0700
Subject: QCoreTextFontEngine: Fix build with Xcode 9.3

Apple LLVM version 9.1.0 (clang-902.0.39.1)

Error message:

.../qfontengine_coretext.mm:827:20: error: qualified reference to
'QFixed' is a constructor name rather than a type in this context
return QFixed::QFixed(int(CTFontGetUnitsPerEm(ctfont)));

Change-Id: Iebe26b3b087a16b10664208fc8851cbddb47f043
Reviewed-by: Konstantin Ritt <[email protected]>
---
src/platformsupport/fontdatabases/mac/qfontengine_coretext.mm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git x/qtbase/src/platformsupport/fontdatabases/mac/qfontengine_coretext.mm y/qtbase/src/platformsupport/fontdatabases/mac/qfontengine_coretext.mm
index 66baf162d9..89794ef109 100644
--- x/qtbase/src/platformsupport/fontdatabases/mac/qfontengine_coretext.mm
+++ y/qtbase/src/platformsupport/fontdatabases/mac/qfontengine_coretext.mm
@@ -830,7 +830,7 @@ void QCoreTextFontEngine::getUnscaledGlyph(glyph_t glyph, QPainterPath *path, gl

QFixed QCoreTextFontEngine::emSquareSize() const
{
- return QFixed::QFixed(int(CTFontGetUnitsPerEm(ctfont)));
+ return QFixed(int(CTFontGetUnitsPerEm(ctfont)));
}

QFontEngine *QCoreTextFontEngine::cloneWithSize(qreal pixelSize) const
--
2.16.2
