1
0
mirror of git://git.gnupg.org/gnupg.git synced 2025-01-03 12:11:33 +01:00

scd: New option --pcsc-shared.

* scd/scdaemon.h (opt): Add field opcsc_shared.
* scd/scdaemon.c (opcscShared): New.
(opts): Add "--pcsc-shared".
(main): Set flag.
* scd/apdu.c (connect_pcsc_card): Use it.
(pcsc_get_status): Take flag in account.
* scd/app-openpgp.c (cache_pin): Bypass in shared mode.
(verify_chv2: Do not auto verify chv1 in shared mode.
* scd/app-piv.c (cache_pin): By pass caceh in shared mode.
--

This option should in general not be used.  The patch tries to limit
bad effects but using shared mode is somewhat dangerous depending on
the other PC/SC users.
This commit is contained in:
Werner Koch 2021-03-12 09:21:57 +01:00
parent 95156ef9bf
commit 5732e7a8e9
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
6 changed files with 23 additions and 4 deletions

View File

@ -226,6 +226,12 @@ Append all logging output to @var{file}. This is very helpful in
seeing what the agent actually does. Use @file{socket://} to log to seeing what the agent actually does. Use @file{socket://} to log to
socket. socket.
@item --pcsc-shared
@opindex pcsc-shared
Use shared mode to access the card via PC/SC. This is a somewhat
dangerous option because Scdaemon assumes exclusivbe access to teh
card and for example caches certain information from the card. Use
this option only if you know what you are doing.
@item --pcsc-driver @var{library} @item --pcsc-driver @var{library}
@opindex pcsc-driver @opindex pcsc-driver

View File

@ -732,7 +732,8 @@ pcsc_get_status (int slot, unsigned int *status, int on_wire)
mode. */ mode. */
if ( (*status & (APDU_CARD_PRESENT|APDU_CARD_ACTIVE)) if ( (*status & (APDU_CARD_PRESENT|APDU_CARD_ACTIVE))
== (APDU_CARD_PRESENT|APDU_CARD_ACTIVE) == (APDU_CARD_PRESENT|APDU_CARD_ACTIVE)
&& !(reader_table[slot].pcsc.current_state & PCSC_STATE_INUSE) ) && (opt.pcsc_shared
|| !(reader_table[slot].pcsc.current_state & PCSC_STATE_INUSE)))
*status |= APDU_CARD_USABLE; *status |= APDU_CARD_USABLE;
#else #else
/* Some winscard drivers may set EXCLUSIVE and INUSE at the same /* Some winscard drivers may set EXCLUSIVE and INUSE at the same
@ -856,7 +857,7 @@ connect_pcsc_card (int slot)
err = pcsc_connect (pcsc.context, err = pcsc_connect (pcsc.context,
reader_table[slot].rdrname, reader_table[slot].rdrname,
PCSC_SHARE_EXCLUSIVE, opt.pcsc_shared? PCSC_SHARE_SHARED:PCSC_SHARE_EXCLUSIVE,
PCSC_PROTOCOL_T0|PCSC_PROTOCOL_T1, PCSC_PROTOCOL_T0|PCSC_PROTOCOL_T1,
&reader_table[slot].pcsc.card, &reader_table[slot].pcsc.card,
&reader_table[slot].pcsc.protocol); &reader_table[slot].pcsc.protocol);

View File

@ -2483,10 +2483,15 @@ chvno_to_keyref (int chvno)
static void static void
cache_pin (app_t app, ctrl_t ctrl, int chvno, const char *pin) cache_pin (app_t app, ctrl_t ctrl, int chvno, const char *pin)
{ {
const char *keyref = chvno_to_keyref (chvno); const char *keyref;
if (opt.pcsc_shared)
return;
keyref = chvno_to_keyref (chvno);
if (!keyref) if (!keyref)
return; return;
switch (APP_CARD(app)->cardtype) switch (APP_CARD(app)->cardtype)
{ {
case CARDTYPE_YUBIKEY: break; case CARDTYPE_YUBIKEY: break;
@ -2707,7 +2712,7 @@ verify_chv2 (app_t app, ctrl_t ctrl,
return rc; return rc;
app->did_chv2 = 1; app->did_chv2 = 1;
if (!app->did_chv1 && !app->force_chv1 && pinvalue) if (!app->did_chv1 && !app->force_chv1 && pinvalue && !opt.pcsc_shared)
{ {
/* For convenience we verify CHV1 here too. We do this only if /* For convenience we verify CHV1 here too. We do this only if
the card is not configured to require a verification before the card is not configured to require a verification before

View File

@ -1681,6 +1681,9 @@ cache_pin (app_t app, ctrl_t ctrl, int pinno,
{ {
char pinref[20]; char pinref[20];
if (opt.pcsc_shared)
return;
if (pinno < 0) if (pinno < 0)
return; return;
switch (app->card->cardtype) switch (app->card->cardtype)

View File

@ -94,6 +94,7 @@ enum cmd_and_opt_values
oCardTimeout, oCardTimeout,
octapiDriver, octapiDriver,
opcscDriver, opcscDriver,
opcscShared,
oDisableCCID, oDisableCCID,
oDisableOpenSC, oDisableOpenSC,
oDisablePinpad, oDisablePinpad,
@ -150,6 +151,7 @@ static gpgrt_opt_t opts[] = {
N_("|NAME|use NAME as ct-API driver")), N_("|NAME|use NAME as ct-API driver")),
ARGPARSE_s_s (opcscDriver, "pcsc-driver", ARGPARSE_s_s (opcscDriver, "pcsc-driver",
N_("|NAME|use NAME as PC/SC driver")), N_("|NAME|use NAME as PC/SC driver")),
ARGPARSE_s_n (opcscShared, "pcsc-shared", "@"),
ARGPARSE_s_n (oDisableCCID, "disable-ccid", ARGPARSE_s_n (oDisableCCID, "disable-ccid",
#ifdef HAVE_LIBUSB #ifdef HAVE_LIBUSB
N_("do not use the internal CCID driver") N_("do not use the internal CCID driver")
@ -602,6 +604,7 @@ main (int argc, char **argv )
case oReaderPort: opt.reader_port = pargs.r.ret_str; break; case oReaderPort: opt.reader_port = pargs.r.ret_str; break;
case octapiDriver: opt.ctapi_driver = pargs.r.ret_str; break; case octapiDriver: opt.ctapi_driver = pargs.r.ret_str; break;
case opcscDriver: opt.pcsc_driver = pargs.r.ret_str; break; case opcscDriver: opt.pcsc_driver = pargs.r.ret_str; break;
case opcscShared: opt.pcsc_shared = 1; break;
case oDisableCCID: opt.disable_ccid = 1; break; case oDisableCCID: opt.disable_ccid = 1; break;
case oDisableOpenSC: break; case oDisableOpenSC: break;

View File

@ -62,6 +62,7 @@ struct
int enable_pinpad_varlen; /* Use variable length input for pinpad. */ int enable_pinpad_varlen; /* Use variable length input for pinpad. */
int allow_admin; /* Allow the use of admin commands for certain int allow_admin; /* Allow the use of admin commands for certain
cards. */ cards. */
int pcsc_shared; /* Use shared PC/SC access. */
strlist_t disabled_applications; /* Card applications we do not strlist_t disabled_applications; /* Card applications we do not
want to use. */ want to use. */
unsigned long card_timeout; /* Disconnect after N seconds of inactivity. */ unsigned long card_timeout; /* Disconnect after N seconds of inactivity. */