From 7134af9fdb194ae8291775fed78cd1a82eaaa41b Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Mon, 1 Dec 2003 10:54:09 +0000 Subject: [PATCH] * scdaemon.c, scdaemon.h: New options --allow-admin and --deny-admin. * app-openpgp.c (verify_chv3): Check it here. --- scd/ChangeLog | 5 +++++ scd/app-openpgp.c | 6 ++++++ scd/scdaemon.c | 9 +++++++-- scd/scdaemon.h | 2 ++ 4 files changed, 20 insertions(+), 2 deletions(-) diff --git a/scd/ChangeLog b/scd/ChangeLog index cccd3b669..873691f63 100644 --- a/scd/ChangeLog +++ b/scd/ChangeLog @@ -1,3 +1,8 @@ +2003-11-17 Werner Koch + + * scdaemon.c, scdaemon.h: New options --allow-admin and --deny-admin. + * app-openpgp.c (verify_chv3): Check it here. + 2003-11-12 Werner Koch Adjusted for API changes in Libksba. diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c index 07abf9bfb..6b4a2f7ef 100644 --- a/scd/app-openpgp.c +++ b/scd/app-openpgp.c @@ -569,6 +569,12 @@ verify_chv3 (APP app, { int rc = 0; + if (!opt.allow_admin) + { + log_info ("access to admin commands is not configured\n"); + return gpg_error (GPG_ERR_EACCES); + } + if (!app->did_chv3) { char *pinvalue; diff --git a/scd/scdaemon.c b/scd/scdaemon.c index 89be04ab5..a3100988b 100644 --- a/scd/scdaemon.c +++ b/scd/scdaemon.c @@ -73,6 +73,8 @@ enum cmd_and_opt_values opcscDriver, oDisableCCID, oDisableOpenSC, + oAllowAdmin, + oDenyAdmin, aTest }; @@ -112,8 +114,8 @@ static ARGPARSE_OPTS opts[] = { "@" #endif /* end --disable-opensc */}, - - + { oAllowAdmin, "allow-admin", 0, N_("allow the use of admin card commands")}, + { oDenyAdmin, "deny-admin", 0, "@" }, {0} }; @@ -397,6 +399,9 @@ main (int argc, char **argv ) case oDisableCCID: opt.disable_ccid = 1; break; case oDisableOpenSC: opt.disable_opensc = 1; break; + case oAllowAdmin: opt.allow_admin = 1; break; + case oDenyAdmin: opt.allow_admin = 0; break; + default : pargs.err = configfp? 1:2; break; } } diff --git a/scd/scdaemon.h b/scd/scdaemon.h index 43c3189b3..e13377af7 100644 --- a/scd/scdaemon.h 
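Review bot: The new `opt.allow_admin` test in verify_chv3 only covers operations that actually reach this PIN-verification helper, so any admin-level card command that does not call verify_chv3 would stay available without --allow-admin. The callers are not visible in this hunk, so that needs checking against the command handlers. Putting the test ahead of `if (!app->did_chv3)` looks like the right order, because it also refuses a session where CHV3 appears to have been verified already, and a comment would keep it from being moved later: `/* Refuse before looking at did_chv3 so an earlier CHV3 verification cannot be reused while admin commands are disabled. */`. The log line could also name the switch, e.g. `log_info ("admin commands are disabled; use --allow-admin to enable them\n");`. verify_chv3 begins and ends outside the hunk.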
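Review bot: In the option switch in main, `oAllowAdmin` and `oDenyAdmin` simply overwrite `opt.allow_admin`, so whichever is parsed last wins. The same switch appears to serve both the config file and the command line (see `configfp` in the default case), so whether a command-line `--deny-admin` overrides a config-file `allow-admin` depends on a parse order that is not visible here. A short comment on these two cases would record the intent, for instance `/* Last one wins; --deny-admin is meant to override allow-admin from the config file. */`, if that is indeed the intended use. In the opts table hunk `deny-admin` is hidden from --help with "@", so it should at least be described in the manual. main continues outside the hunk.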
+++ b/scd/scdaemon.h @@ -57,6 +57,8 @@ struct { const char *pcsc_driver; /* Library to access the PC/SC system. */ int disable_opensc; /* Disable the use of the OpenSC framework. */ int disable_ccid; /* Disable the use of the internal CCID driver. */ + int allow_admin; /* Allow the use of admin commands for certain + cards. */ } opt;
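Review bot: The comment on `allow_admin` does not say that the default is to deny, and no hunk in this commit assigns a default, so it presumably comes from zero-initialisation of the `opt` object. Since this flag is a security control, I would spell the contract out at the declaration: `int allow_admin; /* Set by --allow-admin, cleared by --deny-admin; 0 (the default) makes verify_chv3 refuse admin access. */`. "For certain cards" is also vague, as the only reader of the flag in this commit is app-openpgp.c. The struct definition starts outside the hunk.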