scd: Add --challenge-response option to PK_AUTH for OpenPGP card.

* scd/app-openpgp.c (rmd160_prefix, sha1_prefix, sha224_prefix)
(sha256_prefix, sha384_prefix, sha512_prefix): Move the scope up.
(gen_challenge): New.
(do_auth): Support challenge-response check if it signs correctly.
* scd/app.c (app_auth): Remove the check INDATA and INDATALEN.
* scd/command.c (cmd_pkauth): Support --challenge-response option.

--

GnuPG-bug-id: 5862
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

scd/command.c

@@ -41,6 +41,7 @@
 #endif
 #include "../common/asshelp.h"
 #include "../common/server-help.h"
+#include "../common/ssh-utils.h"
 
 /* Maximum length allowed as a PIN; used for INQUIRE NEEDPIN.  That
  * length needs to small compared to the maximum Assuan line length.  */
@@ -1074,7 +1075,7 @@ cmd_pksign (assuan_context_t ctx, char *line)
 
 
 static const char hlp_pkauth[] =
-  "PKAUTH <hexified_id>";
+  "PKAUTH [--challenge-response] <hexified_id>";
 static gpg_error_t
 cmd_pkauth (assuan_context_t ctx, char *line)
 {
@@ -1085,11 +1086,17 @@ cmd_pkauth (assuan_context_t ctx, char *line)
   char *keyidstr;
   card_t card;
   const char *keygrip = NULL;
+  int challenge_response = 0;
 
   if ((rc = open_card (ctrl)))
     return rc;
 
- /* We have to use a copy of the key ID because the function may use
+  if (has_option (line, "--challenge-response"))
+    challenge_response = 1;
+
+  line = skip_options (line);
+
+  /* We have to use a copy of the key ID because the function may use
      the pin_cb which in turn uses the assuan line buffer and thus
      overwriting the original line with the keyid */
   keyidstr = xtrystrdup (line);
@@ -1101,6 +1108,13 @@ cmd_pkauth (assuan_context_t ctx, char *line)
   if (strlen (keyidstr) == 40)
     keygrip = keyidstr;
 
+  if (challenge_response)
+    {
+      xfree (ctrl->in_data.value);
+      ctrl->in_data.value = NULL;
+      ctrl->in_data.valuelen = 0;
+    }
+
   card = card_get (ctrl, keygrip);
   if (card)
     {