SCARD_INSUFFICIENT_BUFFER error #4743
The last messages are issued by In the version of the sources I have, cchReaderLen is either set to 0 or to SCARD_AUTOALLOCATE, so the error should not occur with it. Check your version of the sources, in smartcard_operation.c, function Therefore the problem must lie with cbAtrLen, which is limited to 32 (why hardwire such a number?) in smartcard_StatusW_Call. pbAtr is defined like this: Therefore cbAtrLen should be set to sizeof(red.pbAtr) at least! pbAtr is used in a limited number of places, so it should be easy enough to make a patch to allocate it dynamically to accommodate the required sizes. (Or you can just allocate 34 bytes instead of 32, since it looks like it is just a matter of allocating the size of a msz with a single string, instead of a normal string, but this would hardwire a dependency on the maximum length of a field in the smartcard...). |
I implemented the change of 34 bytes from 32, but now simply receive a SCARD_E_CANCELED error with no additional information. The card is valid as I use it to log into the Windows server and I verified it contains the certificates on the Linux host using yubico-piv-tool. |
@gofish543 Which version of FreeRDP are you using? Could you attach the output of |
|
Ah, could you give the current nightlies a try? |
Using nightly... https://github.com/FreeRDP/FreeRDP/tree/0ec9579013270dd648f1d5283727a03e6a814c88
|
Using master
|
@gofish543 Seems to be specific to your smartcard hardware, so I can't test (as I have another revision). |
I should have done more reading, especially into log-level, before opening this so that I could more aptly verify the issue I'm having.
Specifically this is where things go south
|
@gofish543 Ok, so what I can tell is that the error is from |
I do not have any issues connecting to the smart card. Is there a pcsc-lite tool I can use to verify that everything works? |
How about this...
I started messing around with the smartcard CCID list and giving different textual names to the IDs |
@gofish543 Can you access the yubikey under linux without issues? |
On 16 Jul 2018, at 15:47, Nick ***@***.***> wrote:
I do not have any issues connecting to the smart card. Is there a pcsc-lite tool I can use to verify that everything works?
You can use opensc-tools: https://github.com/opensC/OpenSC/
% opensc-tool --list-files
or pcsc_scan from pcsc-tools: https://github.com/LudovicRousseau/pcsc-tools/releases/tag/pcsc-tools-1.5.1
…--
__Pascal J. Bourguignon__
|
opensc-tool --list-files is giving SELECT FILE failed: Not found *Note This is why.. OpenSC/OpenSC#576 (The Yubikey is configured as a PIV card) But pcsc_scan lists out the Yubikey just fine.. |
Just to give a little bit more insight. I did a fresh install of Ubuntu 18.04 onto a virtualized environment. I then ran apt-get update... upgrade... and dist-upgrade. After those finished I installed freerdp2-x11, pcscd, and opensc. I then get the exact same error as before. |
After digging around and going back to your first command, changing 32 -> 34 I get SCARD_E_CANCELLED
|
Just realized, you never tested the nightlies (they are installed in /opt/freerdp-nightly), could you do that before debugging further? |
I did. I also tried it with v1.0-beta1, v2.0, the nightly build below, and master.
" |
Sorry, not self compiled but our nightlies. https://github.com/FreeRDP/FreeRDP/wiki/PreBuilds as mentioned, installed on /opt |
I went ahead and tried to use the nightly build (the one from yesterday), but received the same error from before. Upon changing the buffer from 32 to 34 I can eliminate the buffer overflow error that continues to occur.
I then went ahead and searched through the logs of xfreerdp to see if any errors were thrown, but I cannot seem to find any
|
@gofish543 So you no longer have the initial issue but you still can't access the reader? |
I still have the initial issue, but if I update the scLen from 32 to 34 bytes I will no longer receive the initial SCARD_INSUFFICIENT_BUFFER exception. However, I am now having another problem with reading the smart card within a rdp session. The rdp server detects the smart card, but will fail to read any data off of it. |
@informatimago. Thanks. I understand what you are saying. Although I do want smartcard logon eventually which you are working on in #4823. That isn't my issue at the moment, my issue here though is that for some reason the old /smartcard redirection seems to have a bug somewhere, as Windows sees the smart-card but doesn't think there is anything on it and therefore I can't use it to further logon within the windows network. However I have tested the smartcard solely through Windows and it shows the certificates. From what you are saying above, it should be possible, but isn't for some reason. |
@informatimago I believe from reading #4823 that my issue is the same as the one mentioned in the below quote by @gofish543.
That sounds like the same issue as I am having which should be resolvable separate to the whole smartcard-logon situation. But I'm unsure on where I'd change or set this to test, or if it can just be set on my system. |
Just changing the buffer sizes will not work. See |
@gofish543 Could you please run your 32/34 bytes use case with this patch to winpr/libwinpr/smartcard/smartcard_pcsc.c: commit c94245f (or using this whole #4837 branch). |
@adam-birds-hwt Please see previous comment. |
@informatimago can you advise the steps required to test and to grab those logs you requested? I've never built this app from source if that's what's needed. |
@adam-birds-hwt Here are the commands I use to perform this test:
Here is the resulting log extract:
Here are my full logs: https://gist.github.com/informatimago/7fcb0153c60cfa956b595111ea697c23 (I used If you have compilation errors for dependencies, here are the dependencies I installed on ubuntu 14.04:
|
The "no certificates found on smartcard" fault still exists on the given branch. I attempt to run the new commands from the specified branch for authentication and I get the following errors...
|
@akallabeth Is there any progress? We have a customer who sees exactly this issue with 2.0-rc4. The 1.0 version works for them nicely with Windows 2008, though not with Windows 2016. The rc4 doesn't work either with Windows 2008. This issue has the waiting-feedback label, but it seems that the feedback has been already provided by @gofish543. Is there any other info we can provide to help with this? |
@ondrejholy the trace from @gofish543 is for smartcard logon, looks unrelated to this issue. |
I've identified an issue with attribute handling that leads to a SCARD_E_INSUFFICIENT_BUFFER error. A possible fix can be found here @gofish543 @ondrejholy can you verify if this resolves the issue? |
@bmiklautz Thanks! I will forward this to our customer for testing. |
@ondrejholy thank you. But I'm not sure if this is the only/last issue :). |
@bmiklautz This seemingly fixes the |
@ondrejholy thanks, so the fix is working (at least for the buffer problem) |
@bmiklautz They tried a different smartcard reader, but it still doesn't work properly with Windows Server 2016 (and probably 2012 also). They still see "No valid certificates were found on this smart card", just the freerdp logs don't contain some obvious errors. It works properly with Windows Server 2008 also (but it worked even without that fix). |
SCARD_INSUFFICIENT_BUFFER should be fixed with pull #5499 |
There were server-side changes on Windows 2012 and newer regarding smartcards, namely the Smart Card Service start and stop behavior: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh849637(v%3Dws.11)#smart-card-service-start-and-stop-behavior
Some people see "No valid certificates were found on this smart card" when the Smart Card Service is not running and have to use various workarounds to start the service manually, e.g.:
http://blogs.danosaab.com/2016/12/using-smart-card-with-remote-desktop-connection-on-mac-osx/
http://www.edugeek.net/forums/windows-server-2012/161255-smart-card-service-issue-windows-server-2012r2-terminal-services-hyperv.html
I've been looking at RDP specifications and found that REDIRECTED_SMARTCARD should be specified in TS_UD_CS_CLUSTER block flags when the smartcard is redirected, but it is not currently. This might be the reason why the Smart Card Service is not autostarted for some people. Let's try to set this flag and see what happens...
FreeRDP#4743
There were server-side changes on Windows 2012 and newer regarding smartcards, namely the Smart Card Service start and stop behavior: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh849637(v%3Dws.11)#smart-card-service-start-and-stop-behavior
Some people see "No valid certificates were found on this smart card" when the Smart Card Service is not running and have to use various workarounds to start the service manually, e.g.:
http://blogs.danosaab.com/2016/12/using-smart-card-with-remote-desktop-connection-on-mac-osx/
http://www.edugeek.net/forums/windows-server-2012/161255-smart-card-service-issue-windows-server-2012r2-terminal-services-hyperv.html
I've been looking at RDP specifications and found that REDIRECTED_SMARTCARD should be probably specified in TS_UD_CS_CLUSTER block flags when the smartcard is redirected, but it is not currently: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/d68c629f-36a1-4a40-afd0-8b3e56d29aac
This might be the reason why the Smart Card Service is not autostarted for some people. Let's try to set this flag and see what happens...
FreeRDP#4743
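The flag check discussed in the commit message above, as an added example that is not FreeRDP's code: it parses a Client Cluster Data block (TS_UD_CS_CLUSTER, layout and flag values per MS-RDPBCGR 2.2.1.3.5) taken from a decoded connection request and reports whether REDIRECTED_SMARTCARD is set. The function names and the two sample blocks are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values from MS-RDPBCGR 2.2.1.3.5 (Client Cluster Data). */
#define CS_CLUSTER                        0xC004u
#define REDIRECTION_SUPPORTED             0x00000001u
#define REDIRECTED_SESSIONID_FIELD_VALID  0x00000002u
#define REDIRECTION_VERSION_MASK          0x0000003Cu
#define REDIRECTED_SMARTCARD              0x00000040u
#define CLUSTER_BLOCK_LEN                 12u /* header(4) + flags(4) + session id(4) */

/* Little-endian readers; all fields in the block are little-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 and fills *flags on success; -1 if the buffer is short,
 * the block type is not CS_CLUSTER, or the length field is wrong. */
int parse_cluster_block(const uint8_t *buf, size_t len, uint32_t *flags)
{
    if (buf == NULL || flags == NULL || len < CLUSTER_BLOCK_LEN)
        return -1;
    if (rd16(buf) != CS_CLUSTER || rd16(buf + 2) != CLUSTER_BLOCK_LEN)
        return -1;
    *flags = rd32(buf + 4);
    return 0;
}

/* Redirection version is stored in bits 2..5 of the flags field. */
unsigned redirection_version(uint32_t flags)
{
    return (unsigned)((flags & REDIRECTION_VERSION_MASK) >> 2);
}

/* 1 if smartcard redirection is advertised, 0 if not, -1 on parse error. */
int advertises_smartcard(const uint8_t *buf, size_t len)
{
    uint32_t flags;
    if (parse_cluster_block(buf, len, &flags) != 0)
        return -1;
    return (flags & REDIRECTED_SMARTCARD) ? 1 : 0;
}

/* Constructed sample blocks (not captured traffic): flags 0x0D and 0x4D. */
static const uint8_t sample_without[12] = {0x04,0xC0,0x0C,0x00, 0x0D,0,0,0, 0,0,0,0};
static const uint8_t sample_with[12]    = {0x04,0xC0,0x0C,0x00, 0x4D,0,0,0, 0,0,0,0};

int main(void)
{
    printf("without flag: %d\n", advertises_smartcard(sample_without, sizeof sample_without));
    printf("with flag:    %d\n", advertises_smartcard(sample_with, sizeof sample_with));
    return 0;
}
```
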
I can confirm that #5499 fixes SCARD_INSUFFICIENT_BUFFER for our customers and smartcard redirection works, just they see "SCardListReadersW failed with error -2146435043" in the log every 2 ms (#5791). Also, workaround to start smartcard service is needed (#5792). So I would suggest to close this issue and continue on the mentioned issues. |
@ondrejholy thanks. |
There were server-side changes on Windows 2012 and newer regarding smartcards, namely the Smart Card Service start and stop behavior: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh849637(v%3Dws.11)#smart-card-service-start-and-stop-behavior
Some people see "No valid certificates were found on this smart card" when the Smart Card Service is not running and have to use various workarounds to start the service manually, e.g.:
http://blogs.danosaab.com/2016/12/using-smart-card-with-remote-desktop-connection-on-mac-osx/
http://www.edugeek.net/forums/windows-server-2012/161255-smart-card-service-issue-windows-server-2012r2-terminal-services-hyperv.html
I've been looking at RDP specifications and found that REDIRECTED_SMARTCARD should be probably specified in TS_UD_CS_CLUSTER block flags when the smartcard is redirected, but it is not currently: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/d68c629f-36a1-4a40-afd0-8b3e56d29aac
This might be the reason why the Smart Card Service is not autostarted for some people. Let's try to set this flag and see what happens...
FreeRDP#4743
Signed-off-by: Armin Novak <armin.novak@thincast.com>
xrdp version is 2.0.0-dev (git n/a)
xfreerdp /smartcard /d:GOFISH.COM /u:gofish543 -sec-nla /v:192.168.1.100