Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle get_challenge corner cases #1440

Closed
Jakuje opened this issue Jul 30, 2018 · 1 comment
Closed

Handle get_challenge corner cases #1440

Jakuje opened this issue Jul 30, 2018 · 1 comment

Comments

@Jakuje
Copy link
Member

Jakuje commented Jul 30, 2018
edited
Loading

Problem Description

The get_challenge() function in coolkey applet is broken. Before 410cdf0 the function was returning some garbage from the heap:

[jjelen@t470s OpenSC (master)]$ pkcs11-tool --generate-random 8 | hexdump -C
Using slot 0 with a present token (0x0)
00000000  00 00 00 00 00 00 00 00                           |........|
00000008
[jjelen@t470s OpenSC (master)]$ pkcs11-tool --generate-random 32 | hexdump -C
Using slot 0 with a present token (0x0)
00000000  d0 1c f3 96 82 55 00 00  41 47 20 43 61 72 64 4d  |.....U..AG CardM|
00000010  61 6e 20 33 31 32 31 20  30 30 20 30 30 00 00 00  |an 3121 00 00...|
00000020
[jjelen@t470s OpenSC (master)]$ pkcs11-tool --generate-random 64 | hexdump -C
Using slot 0 with a present token (0x0)
00000000  00 90 5c 32 a6 55 00 00  03 0c 0b 4a 61 6b 75 62  |..\2.U.....Jakub|
00000010  20 4a 65 6c 65 6e 31 17  30 15 06 03 55 04 0a 0c  | Jelen1.0...U...|
00000020  0e 54 6f 6b 65 6e 20 4b  65 79 20 55 73 65 72 31  |.Token Key User1|
00000030  16 30 14 06 0a 09 92 26  89 93 f2 2c 64 01 01 0c  |.0.....&...,d...|
00000040

After the refactoring (410cdf0), the card is cycling in the following code:

0x7f643fc17880 16:30:28.816 [opensc-pkcs11] card-coolkey.c:1613:coolkey_get_challenge: called
0x7f643fc17880 16:30:28.816 [opensc-pkcs11] card-coolkey.c:935:coolkey_apdu_io: called
0x7f643fc17880 16:30:28.816 [opensc-pkcs11] card-coolkey.c:940:coolkey_apdu_io: 73 00 00 0 : 255 256
0x7f643fc17880 16:30:28.816 [opensc-pkcs11] card-coolkey.c:1004:coolkey_apdu_io: calling sc_transmit_apdu flags=0 le=8, resplen=8, resp=0x147cc70
0x7f643fc17880 16:30:28.816 [opensc-pkcs11] apdu.c:554:sc_transmit_apdu: called
0x7f643fc17880 16:30:28.816 [opensc-pkcs11] card.c:415:sc_lock: called
0x7f643fc17880 16:30:28.816 [opensc-pkcs11] card.c:455:sc_lock: returning with: 0 (Success)
0x7f643fc17880 16:30:28.816 [opensc-pkcs11] apdu.c:521:sc_transmit: called
0x7f643fc17880 16:30:28.816 [opensc-pkcs11] apdu.c:371:sc_single_transmit: called
0x7f643fc17880 16:30:28.816 [opensc-pkcs11] apdu.c:378:sc_single_transmit: CLA:B0, INS:73, P1:0, P2:0, data(0) (nil)
0x7f643fc17880 16:30:28.816 [opensc-pkcs11] reader-pcsc.c:284:pcsc_transmit: reader 'OMNIKEY AG CardMan 3121 00 00'
0x7f643fc17880 16:30:28.816 [opensc-pkcs11] reader-pcsc.c:285:pcsc_transmit: 
Outgoing APDU (5 bytes):
B0 73 00 00 08 .s...
0x7f643fc17880 16:30:28.816 [opensc-pkcs11] reader-pcsc.c:213:pcsc_internal_transmit: called
0x7f643fc17880 16:30:28.821 [opensc-pkcs11] reader-pcsc.c:294:pcsc_transmit: 
Incoming APDU (2 bytes):
90 00 ..
0x7f643fc17880 16:30:28.821 [opensc-pkcs11] apdu.c:390:sc_single_transmit: returning with: 0 (Success)
0x7f643fc17880 16:30:28.821 [opensc-pkcs11] apdu.c:543:sc_transmit: returning with: 0 (Success)
0x7f643fc17880 16:30:28.821 [opensc-pkcs11] card.c:465:sc_unlock: called
0x7f643fc17880 16:30:28.821 [opensc-pkcs11] card-coolkey.c:1011:coolkey_apdu_io: result r=0 apdu.resplen=0 sw1=90 sw2=00
0x7f643fc17880 16:30:28.821 [opensc-pkcs11] card-coolkey.c:891:coolkey_check_sw: sw1 = 0x90, sw2 = 0x00
0x7f643fc17880 16:30:28.821 [opensc-pkcs11] card-coolkey.c:1037:coolkey_apdu_io: returning with: 0 (Success)
0x7f643fc17880 16:30:28.821 [opensc-pkcs11] card-coolkey.c:1623:coolkey_get_challenge: returning with: 0 (Success)

There are two issues: First of all, coolkey get_random APDU does not work at all. I will need to figure out what is the problem here. Second issue is the handling of the get_random by the OpenSC, which is assuming that if user requested N bytes of random data, the driver will be able to return it.

Proposed Resolution

  • (1) There should be some showstopper, when the card fails to provide requested amount of data (returning length of zero), rather than optimistically cycling forever.
  • (2) The coolkey get_challenge needs to be fixed to work (or return some error if the random is not supported?)
  • (3) The p11tests should be extended with this test to avoid issues later.

Steps to reproduce

Try to generate random data with coolkey card with master (will cycle forever):

# ./src/tools/pkcs11-tool --login --pin redhat --module ./src/pkcs11/.libs/pkcs11-spy.so --generate-random 8
@Jakuje
Copy link
Member Author

Jakuje commented Jul 30, 2018

The (2) is fixed by #1441. The other issues still apply. I will change the title to reflect this.

@Jakuje Jakuje changed the title coolkey: get_challenge is broken Handle get_challenge corner cases Jul 30, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Jakuje