mirror of git://git.gnupg.org/gnupg.git synced 2024-05-31 22:18:03 +02:00

scd:p15: For CardOS make use of ISO7816_VERIFY_NOT_NEEDED.

* scd/app-p15.c (verify_pin): Take care of verify status.

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch 2021-03-30 11:43:45 +02:00
parent de4d3c99aa
commit 651c07a730
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B


@ -257,7 +257,8 @@ struct prkdf_object_s
unsigned int have_off:1; unsigned int have_off:1;
/* Flag indicating that the corresponding PIN has already been /* Flag indicating that the corresponding PIN has already been
* verified. */ * verified. Note that for cards which are able to return the
* verification stus, this flag is not used. */
unsigned int pin_verified:1; unsigned int pin_verified:1;
/* PKCS#15 info whether this is an EC key. Default is RSA. Note /* PKCS#15 info whether this is an EC key. Default is RSA. Note
@ -4709,6 +4710,7 @@ verify_pin (app_t app,
const char *s; const char *s;
int remaining; int remaining;
int pin_reference; int pin_reference;
int verified = 0;
int i; int i;
if (!aodf) if (!aodf)
@ -4720,24 +4722,28 @@ verify_pin (app_t app,
{ {
/* We know that this card supports a verify status check. Note /* We know that this card supports a verify status check. Note
* that in contrast to PIV cards ISO7816_VERIFY_NOT_NEEDED is * that in contrast to PIV cards ISO7816_VERIFY_NOT_NEEDED is
* not supported. */ * not supported. Noet that we don't use the pin_verified cache
* status because that is not as reliable than to ask the card
* about its state. */
if (prkdf) /* Clear the cache which we don't use. */
prkdf->pin_verified = 0;
remaining = iso7816_verify_status (app_get_slot (app), pin_reference); remaining = iso7816_verify_status (app_get_slot (app), pin_reference);
if (remaining < 0) if (remaining == ISO7816_VERIFY_NOT_NEEDED)
remaining = -1; /* We don't care about the concrete error. */
if (remaining < 3)
{ {
if (remaining >= 0) verified = 1;
log_info ("p15: PIN has %d attempts left\n", remaining); remaining = -1;
/* On error or if less than 3 better ask. */
if (prkdf)
prkdf->pin_verified = 0;
} }
else if (remaining < 0)
remaining = -1; /* We don't care about the concrete error. */
else if (remaining < 3)
log_info ("p15: PIN has %d attempts left\n", remaining);
} }
else else
remaining = -1; /* Unknown. */ remaining = -1; /* Unknown. */
/* Check whether we already verified it. */ /* Check whether we already verified it. */
if (prkdf && prkdf->pin_verified) if (prkdf && (prkdf->pin_verified || verified))
return 0; /* Already done. */ return 0; /* Already done. */
if (prkdf if (prkdf
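Review bot: The comment opening the verify-status branch of verify_pin still states that ISO7816_VERIFY_NOT_NEEDED "is not supported", yet the new code right below it tests `remaining == ISO7816_VERIFY_NOT_NEEDED` and uses the result to skip the PIN prompt, so the comment now contradicts the check that decides whether authentication is requested. I would reword it to `/* This card supports a verify status check and may return ISO7816_VERIFY_NOT_NEEDED. The pin_verified cache is not used here because asking the card about its state is more reliable. */`, which also fixes "Noet" and "not as reliable than"; the struct comment for pin_verified has "stus" for "status". Separately, `verified` only takes effect through `if (prkdf && (prkdf->pin_verified || verified))`, so a call with a NULL prkdf still goes on to prompt even when the card reports that no verification is needed; that fails towards asking, but if it is intended a short comment at that test would say so. The body of verify_pin starts before and continues past the lines shown here.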