| blob | 1037f1667449d3e9a1a0c19eb5294248b46faf63 |
1 /* command.c - SCdaemon command handler
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005,
3 * 2007, 2008 Free Software Foundation, Inc.
4 *
5 * This file is part of GnuPG.
6 *
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 */
21 #include <config.h>
22 #include <errno.h>
23 #include <stdio.h>
24 #include <stdlib.h>
25 #include <string.h>
26 #include <ctype.h>
27 #include <unistd.h>
28 #include <signal.h>
29 #ifdef USE_GNU_PTH
30 # include <pth.h>
31 #endif
33 #include <assuan.h>
36 #include <ksba.h>
40 #ifdef HAVE_LIBUSB
42 #endif
44 /* Maximum length allowed as a PIN; used for INQUIRE NEEDPIN */
45 #define MAXLEN_PIN 100
47 /* Maximum allowed size of key data as used in inquiries. */
48 #define MAXLEN_KEYDATA 4096
50 /* Maximum allowed size of certificate data as used in inquiries. */
51 #define MAXLEN_CERTDATA 16384
54 #define set_error(e,t) assuan_set_error (ctx, gpg_error (e), (t))
57 /* Macro to flag a removed card. */
58 #define TEST_CARD_REMOVAL(c,r) \
59 do { \
60 int _r = (r); \
61 if (gpg_err_code (_r) == GPG_ERR_CARD_NOT_PRESENT \
62 || gpg_err_code (_r) == GPG_ERR_CARD_REMOVED) \
63 update_card_removed ((c)->reader_slot, 1); \
64 } while (0)
66 #define IS_LOCKED(c) \
67 (locked_session && locked_session != (c)->server_local \
68 && (c)->reader_slot != -1 && locked_session->ctrl_backlink \
69 && (c)->reader_slot == locked_session->ctrl_backlink->reader_slot)
72 /* This structure is used to keep track of open readers (slots). */
73 struct slot_status_s
74 {
81 done. This is set once to indicate that the status
82 tracking for the slot has been initialized. */
85 };
88 /* Data used to associate an Assuan context with local server data.
89 This object describes the local properties of one session. */
90 struct server_local_s
91 {
92 /* We keep a list of all active sessions with the anchor at
93 SESSION_LIST (see below). This field is used for linking. */
96 /* This object is usually assigned to a CTRL object (which is
97 globally visible). While enumerating all sessions we sometimes
98 need to access data of the CTRL object; thus we keep a
99 backpointer here. */
100 ctrl_t ctrl_backlink;
102 /* The Assuan context used by this session/server. */
103 assuan_context_t assuan_ctx;
105 #ifdef HAVE_W32_SYSTEM
107 #else
109 #endif
111 /* True if the card has been removed and a reset is required to
112 continue operation. */
115 /* A disconnect command has been sent. */
117 };
120 /* The table with information on all used slots. FIXME: This is a
121 different slot number than the one used by the APDU layer, and
122 should be renamed. */
126 /* To keep track of all running sessions, we link all active server
127 contexts and the anchor in this variable. */
130 /* If a session has been locked we store a link to its server object
131 in this variable. */
134 /* While doing a reset we need to make sure that the ticker does not
135 call scd_update_reader_status_file while we are using it. */
138 \f
139 /*-- Local prototypes --*/
143 \f
145 /* This function must be called once to initialize this module. This
146 has to be done before a second thread is spawned. We can't do the
147 static initialization because Pth emulation code might not be able
148 to do a static init; in particular, it is not possible for W32. */
149 void
151 {
155 {
158 }
159 }
162 /* Update the CARD_REMOVED element of all sessions using the reader
163 given by SLOT to VALUE */
164 static void
166 {
172 {
174 }
175 /* Let the card application layer know about the removal. */
178 }
182 /* Check whether the option NAME appears in LINE */
183 static int
185 {
191 }
193 /* Same as has_option but does only test for the name of the option
194 and ignores an argument, i.e. with NAME being "--hash" it would
195 return a pointer for "--hash" as well as for "--hash=foo". If
196 thhere is no such option NULL is returned. The pointer returned
197 points right behind the option name, this may be an equal sign, Nul
198 or a space. */
201 {
208 }
211 /* Skip over options. It is assumed that leading spaces have been
212 removed (this is the case for lines passed to a handler from
213 assuan). Blanks after the options are also removed. */
216 {
218 {
220 line++;
222 line++;
223 }
225 }
229 /* Convert the STRING into a newly allocated buffer while translating
230 the hex numbers. Stops at the first invalid character. Blanks and
231 colons are allowed to separate the hex digits. Returns NULL on
232 error or a newly malloced buffer and its length in LENGTH. */
235 {
244 {
248 {
250 s++;
251 }
252 else
254 }
257 }
261 /* Reset the card and free the application context. With SEND_RESET
262 set to true actually send a RESET to the reader; this is the normal
263 way of calling the function. */
264 static void
266 {
272 /* If there is an active application, release it. */
274 {
277 }
279 /* If we want a real reset for the card, send the reset APDU and
280 tell the application layer about it. */
282 {
284 {
286 }
288 }
290 /* If we hold a lock, unlock now. */
292 {
295 }
297 /* Reset the card removed flag for the current reader. We need to
298 take the lock here so that the ticker thread won't concurrently
299 try to update the file. Calling update_reader_status_file is
300 required to get hold of the new status of the card in the slot
301 table. */
303 {
307 }
313 /* Do this last, so that the update_card_removed above does its job. */
315 }
317 \f
318 static void
320 {
324 }
327 static int
329 {
333 {
334 /* A value of 0 is allowed to reset the event signal. */
335 #ifdef HAVE_W32_SYSTEM
339 #else
344 #endif
345 }
348 }
351 /* Return the slot of the current reader or open the reader if no
352 other sessions are using a reader. Note, that we currently support
353 only one reader but most of the code (except for this function)
354 should be able to cope with several readers. */
355 static int
357 {
362 /* Initialize the item if needed. */
364 {
367 }
369 /* Try to open the reader. */
373 /* Return the slot_table index. */
375 }
377 /* If the card has not yet been opened, do it. Note that this
378 function returns an Assuan error, so don't map the error a second
379 time. */
380 static assuan_error_t
382 {
383 gpg_error_t err;
386 /* If we ever got a card not present error code, return that. Only
387 the SERIALNO command and a reset are able to clear from that
388 state. */
396 {
397 /* Already initialized for one specific application. Need to
398 check that the client didn't requested a specific application
399 different from the one in use. */
401 }
405 else
410 else
411 {
412 /* Fixme: We should move the apdu_connect call to
413 select_application. */
419 {
422 else
424 }
425 else
427 }
431 }
434 /* Do the percent and plus/space unescaping in place and return the
435 length of the valid buffer. */
436 static size_t
438 {
443 {
445 {
446 string++;
448 n++;
450 }
452 {
454 n++;
455 string++;
456 }
457 else
458 {
460 n++;
461 }
462 }
465 }
469 /* SERIALNO [APPTYPE]
471 Return the serial number of the card using a status reponse. This
472 functon should be used to check for the presence of a card.
474 If APPTYPE is given, an application of that type is selected and an
475 error is returned if the application is not supported or available.
476 The default is to auto-select the application using a hardwired
477 preference system. Note, that a future extension to this function
478 may allow to specify a list and order of applications to try.
480 This function is special in that it can be used to reset the card.
481 Most other functions will return an error when a card change has
482 been detected and the use of this function is therefore required.
484 Background: We want to keep the client clear of handling card
485 changes between operations; i.e. the client can assume that all
486 operations are done on the same card unless he calls this function.
487 */
488 static int
490 {
497 /* Clear the remove flag so that the open_card is able to reread it. */
499 {
503 }
521 }
526 /* LEARN [--force]
528 Learn all useful information of the currently inserted card. When
529 used without the force options, the command might do an INQUIRE
530 like this:
532 INQUIRE KNOWNCARDP <hexstring_with_serialNumber> <timestamp>
534 The client should just send an "END" if the processing should go on
535 or a "CANCEL" to force the function to terminate with a Cancel
536 error message. The response of this command is a list of status
537 lines formatted as this:
539 S APPTYPE <apptype>
541 This returns the type of the application, currently the strings:
543 P15 = PKCS-15 structure used
544 DINSIG = DIN SIG
545 OPENPGP = OpenPGP card
547 are implemented. These strings are aliases for the AID
549 S KEYPAIRINFO <hexstring_with_keygrip> <hexstring_with_id>
551 If there is no certificate yet stored on the card a single "X" is
552 returned as the keygrip. In addition to the keypair info, information
553 about all certificates stored on the card is also returned:
555 S CERTINFO <certtype> <hexstring_with_id>
557 Where CERTTYPE is a number indicating the type of certificate:
558 0 := Unknown
559 100 := Regular X.509 cert
560 101 := Trusted X.509 cert
561 102 := Useful X.509 cert
562 110 := Root CA cert (DINSIG)
564 For certain cards, more information will be returned:
566 S KEY-FPR <no> <hexstring>
568 For OpenPGP cards this returns the stored fingerprints of the
569 keys. This can be used check whether a key is available on the
570 card. NO may be 1, 2 or 3.
572 S CA-FPR <no> <hexstring>
574 Similar to above, these are the fingerprints of keys assumed to be
575 ultimately trusted.
577 S DISP-NAME <name_of_card_holder>
579 The name of the card holder as stored on the card; percent
580 escaping takes place, spaces are encoded as '+'
582 S PUBKEY-URL <url>
584 The URL to be used for locating the entire public key.
586 Note, that this function may be even be used on a locked card.
587 */
588 static int
590 {
597 /* Unless the force option is used we try a shortcut by identifying
598 the card using a serial number and inquiring the client with
599 that. The client may choose to cancel the operation if he already
600 knows about this card */
601 {
617 {
622 {
625 }
630 {
636 }
637 /* not canceled, so we have to proceeed */
638 }
640 }
642 /* Let the application print out its collection of useful status
643 information. */
649 }
652 \f
653 /* READCERT <hexified_certid>|<keyid>
655 Note, that this function may even be used on a locked card.
656 */
657 static int
659 {
675 {
680 }
684 }
687 /* READKEY <keyid>
689 Return the public key for the given cert or key ID as an standard
690 S-Expression.
692 Note, that this function may even be used on a locked card.
693 */
694 static int
696 {
702 ksba_sexp_t p;
710 /* If the application supports the READKEY function we use that.
711 Otherwise we use the old way by extracting it from the
712 certificate. */
721 }
725 else
726 {
730 }
738 {
741 }
744 {
747 }
751 {
754 }
761 leave:
766 }
769 \f
771 /* SETDATA <hexstring>
773 The client should use this command to tell us the data he want to
774 sign. */
775 static int
777 {
786 /* Parse the hexstring. */
788 ;
805 }
809 static gpg_error_t
811 {
819 {
820 /* We prompt for keypad entry. To make sure that the popup has
821 been show we use an inquire and not just a status message.
822 We ignore any value returned. */
824 {
831 }
832 else
833 {
837 }
841 }
850 /* Fixme: Write an inquire function which returns the result in
851 secure memory and check all further handling of the PIN. */
858 {
859 /* We require that the returned value is an UTF-8 string */
862 }
865 }
868 /* PKSIGN [--hash=[rmd160|sha1|md5]] <hexified_id>
870 The --hash option is optional; the default is SHA1.
872 */
873 static int
875 {
891 else
902 /* We have to use a copy of the key ID because the function may use
903 the pin_cb which in turn uses the assuan line buffer and thus
904 overwriting the original line with the keyid */
917 {
919 }
920 else
921 {
926 }
930 }
932 /* PKAUTH <hexified_id>
934 */
935 static int
937 {
953 /* We have to use a copy of the key ID because the function may use
954 the pin_cb which in turn uses the assuan line buffer and thus
955 overwriting the original line with the keyid */
961 keyidstr,
967 {
969 }
970 else
971 {
976 }
980 }
982 /* PKDECRYPT <hexified_id>
984 */
985 static int
987 {
1004 keyidstr,
1011 {
1013 }
1014 else
1015 {
1020 }
1024 }
1027 /* GETATTR <name>
1029 This command is used to retrieve data from a smartcard. The
1030 allowed names depend on the currently selected smartcard
1031 application. NAME must be percent and '+' escaped. The value is
1032 returned through status message, see the LEARN command for details.
1034 However, the current implementation assumes that Name is not escaped;
1035 this works as long as noone uses arbitrary escaping.
1037 Note, that this function may even be used on a locked card.
1038 */
1039 static int
1041 {
1051 ;
1055 /* (We ignore any garbage for now.) */
1057 /* FIXME: Applications should not return sensitive data if the card
1058 is locked. */
1063 }
1066 /* SETATTR <name> <value>
1068 This command is used to store data on a a smartcard. The allowed
1069 names and values are depend on the currently selected smartcard
1070 application. NAME and VALUE must be percent and '+' escaped.
1072 However, the current implementation assumes that NAME is not
1073 escaped; this works as long as noone uses arbitrary escaping.
1075 A PIN will be requested for most NAMEs. See the corresponding
1076 setattr function of the actually used application (app-*.c) for
1077 details. */
1078 static int
1080 {
1094 /* We need to use a copy of LINE, because PIN_CB uses the same
1095 context and thus reuses the Assuan provided LINE. */
1102 ;
1106 line++;
1115 }
1119 /* WRITECERT <hexified_certid>
1121 This command is used to store a certifciate on a smartcard. The
1122 allowed certids depend on the currently selected smartcard
1123 application. The actual certifciate is requested using the inquiry
1124 "CERTDATA" and needs to be provided in its raw (e.g. DER) form.
1126 In almost all cases a a PIN will be requested. See the related
1127 writecert function of the actually used application (app-*.c) for
1128 details. */
1129 static int
1131 {
1147 line++;
1160 /* Now get the actual keydata. */
1164 {
1167 }
1169 /* Write the certificate to the card. */
1177 }
1181 /* WRITEKEY [--force] <keyid>
1183 This command is used to store a secret key on a a smartcard. The
1184 allowed keyids depend on the currently selected smartcard
1185 application. The actual keydata is requested using the inquiry
1186 "KEYDATA" and need to be provided without any protection. With
1187 --force set an existing key under this KEYID will get overwritten.
1188 The keydata is expected to be the usual canonical encoded
1189 S-expression.
1191 A PIN will be requested for most NAMEs. See the corresponding
1192 writekey function of the actually used application (app-*.c) for
1193 details. */
1194 static int
1196 {
1213 line++;
1226 /* Now get the actual keydata. */
1231 {
1234 }
1236 /* Write the key to the card. */
1244 }
1248 /* GENKEY [--force] [--timestamp=<isodate>] <no>
1250 Generate a key on-card identified by NO, which is application
1251 specific. Return values are application specific. For OpenPGP
1252 cards 2 status lines are returned:
1254 S KEY-FPR <hexstring>
1255 S KEY-CREATED-AT <seconds_since_epoch>
1256 S KEY-DATA [p|n] <hexdata>
1258 --force is required to overwrite an already existing key. The
1259 KEY-CREATED-AT is required for further processing because it is
1260 part of the hashed key material for the fingerprint.
1262 If --timestamp is given an OpenPGP key will be created using this
1263 value. The value needs to be in ISO Format; e.g.
1264 "--timestamp=20030316T120000" and after 1970-01-01 00:00:00.
1266 The public part of the key can also later be retrieved using the
1267 READKEY command.
1269 */
1270 static int
1272 {
1286 {
1292 }
1293 else
1302 line++;
1320 }
1323 /* RANDOM <nbytes>
1325 Get NBYTES of random from the card and send them back as data.
1327 Note, that this function may be even be used on a locked card.
1328 */
1329 static int
1331 {
1353 {
1357 }
1362 }
1364 \f
1365 /* PASSWD [--reset] [--nullpin] <chvno>
1367 Change the PIN or reset the retry counter of the card holder
1368 verfication vector CHVNO. The option --nullpin is used for TCOS
1369 cards to set the initial PIN. */
1370 static int
1372 {
1392 line++;
1411 }
1414 /* CHECKPIN <idstr>
1416 Perform a VERIFY operation without doing anything else. This may
1417 be used to initialize a the PIN cache earlier to long lasting
1418 operations. Its use is highly application dependent.
1420 For OpenPGP:
1422 Perform a simple verify operation for CHV1 and CHV2, so that
1423 further operations won't ask for CHV2 and it is possible to do a
1424 cheap check on the PIN: If there is something wrong with the PIN
1425 entry system, only the regular CHV will get blocked and not the
1426 dangerous CHV3. IDSTR is the usual card's serial number in hex
1427 notation; an optional fingerprint part will get ignored. There
1428 is however a special mode if the IDSTR is sffixed with the
1429 literal string "[CHV3]": In this case the Admin PIN is checked
1430 if and only if the retry counter is still at 3.
1432 */
1433 static int
1435 {
1449 /* We have to use a copy of the key ID because the function may use
1450 the pin_cb which in turn uses the assuan line buffer and thus
1451 overwriting the original line with the keyid. */
1457 keyidstr,
1465 }
1468 /* LOCK [--wait]
1470 Grant exclusive card access to this session. Note that there is
1471 no lock counter used and a second lock from the same session will
1472 be ignored. A single unlock (or RESET) unlocks the session.
1473 Return GPG_ERR_LOCKED if another session has locked the reader.
1475 If the option --wait is given the command will wait until a
1476 lock has been released.
1477 */
1478 static int
1480 {
1484 retry:
1486 {
1489 }
1490 else
1493 #ifdef USE_GNU_PTH
1495 {
1498 for card operations this should be
1499 sufficient. */
1500 /* FIXME: Need to check that the connection is still alive.
1501 This can be done by issuing status messages. */
1503 }
1509 }
1512 /* UNLOCK
1514 Release exclusive card access.
1515 */
1516 static int
1518 {
1525 {
1528 else
1530 }
1531 else
1537 }
1540 /* GETINFO <what>
1542 Multi purpose command to return certain information.
1543 Supported values of WHAT are:
1545 version - Return the version of the program.
1546 pid - Return the process id of the server.
1548 socket_name - Return the name of the socket.
1550 status - Return the status of the current slot (in the future, may
1551 also return the status of all slots). The status is a list of
1552 one-character flags. The following flags are currently defined:
1553 'u' Usable card present. This is the normal state during operation.
1554 'r' Card removed. A reset is necessary.
1555 These flags are exclusive.
1557 reader_list - Return a list of detected card readers. Does
1558 currently only work with the internal CCID driver.
1559 */
1561 static int
1563 {
1567 {
1570 }
1572 {
1577 }
1579 {
1584 else
1586 }
1588 {
1594 {
1607 }
1609 }
1611 {
1612 #ifdef HAVE_LIBUSB
1614 #else
1616 #endif
1620 else
1623 }
1624 else
1627 }
1630 /* RESTART
1632 Restart the current connection; this is a kind of warm reset. It
1633 deletes the context used by this connection but does not send a
1634 RESET to the card. Thus the card itself won't get reset.
1636 This is used by gpg-agent to reuse a primary pipe connection and
1637 may be used by clients to backup from a conflict in the serial
1638 command; i.e. to select another application.
1639 */
1641 static int
1643 {
1649 {
1652 }
1654 {
1657 }
1659 }
1662 /* DISCONNECT
1664 Disconnect the card if it is not any longer used by other
1665 connections and the backend supports a disconnect operation.
1666 */
1667 static int
1669 {
1676 }
1680 /* APDU [--atr] [--more] [hexstring]
1682 Send an APDU to the current reader. This command bypasses the high
1683 level functions and sends the data directly to the card. HEXSTRING
1684 is expected to be a proper APDU. If HEXSTRING is not given no
1685 commands are set to the card but the command will implictly check
1686 whether the card is ready for use.
1688 Using the option "--atr" returns the ATR of the card as a status
1689 message before any data like this:
1690 S CARD-ATR 3BFA1300FF813180450031C173C00100009000B1
1692 Using the option --more handles the card status word MORE_DATA
1693 (61xx) and concatenate all reponses to one block.
1695 */
1696 static int
1698 {
1718 {
1725 {
1728 }
1732 }
1736 {
1739 }
1741 {
1749 else
1750 {
1753 }
1754 }
1757 leave:
1760 }
1765 \f
1766 /* Tell the assuan library about our commands */
1767 static int
1769 {
1799 };
1803 {
1807 }
1813 }
1816 /* Startup the server. If FD is given as -1 this is simple pipe
1817 server, otherwise it is a regular server. Returns true if there
1818 are no more active asessions. */
1819 int
1821 {
1823 assuan_context_t ctx;
1826 {
1832 }
1833 else
1834 {
1836 }
1838 {
1842 }
1845 {
1849 }
1852 /* Allocate and initialize the server object. Put it into the list
1853 of active sessions. */
1863 /* We open the reader right at startup so that the ticker is able to
1864 update the status file. */
1866 {
1868 }
1870 /* Command processing loop. */
1872 {
1875 {
1877 }
1879 {
1882 }
1886 {
1889 }
1890 }
1892 /* Cleanup. We don't send an explicit reset to the card. */
1895 /* Release the server object. */
1898 else
1899 {
1908 }
1912 /* Release the Assuan context. */
1915 /* If there are no more sessions return true. */
1917 }
1920 /* Send a line with status information via assuan and escape all given
1921 buffers. The variable elements are pairs of (char *, size_t),
1922 terminated with a (NULL, 0). */
1923 void
1925 {
1938 {
1943 {
1945 n++;
1946 }
1948 {
1950 {
1953 }
1956 else
1958 }
1959 }
1964 }
1968 /* Helper to send the clients a status change notification. */
1969 static void
1971 {
1973 pid_t pid;
1974 #ifdef HAVE_W32_SYSTEM
1975 HANDLE handle;
1976 #else
1978 #endif
1985 {
1987 {
1989 #ifdef HAVE_W32_SYSTEM
1999 else
2000 {
2007 {
2010 killidx++;
2011 }
2012 }
2017 {
2025 else
2026 {
2031 {
2034 killidx++;
2035 }
2036 }
2038 }
2039 }
2040 }
2041 }
2045 /* This is the core of scd_update_reader_status_file but the caller
2046 needs to take care of the locking. */
2047 static void
2049 {
2053 /* Make sure that the reader has been opened. Like get_reader_slot,
2054 this part of the code assumes that there is only one reader. */
2058 /* Note, that we only try to get the status, because it does not
2059 make sense to wait here for a operation to complete. If we are
2060 busy working with a card, delays in the status file update should
2061 be acceptable. */
2063 {
2073 {
2074 /* Get status failed. Ignore that. */
2076 }
2079 {
2089 /* FIXME: Should this be IDX instead of ss->slot? This
2090 depends on how client sessions will associate the reader
2091 status with their session. */
2096 {
2102 }
2105 /* If a status script is executable, run it. */
2106 {
2110 gpg_error_t err;
2115 else
2116 {
2142 }
2144 }
2146 /* Set the card removed flag for all current sessions. We
2147 will set this on any card change because a reset or
2148 SERIALNO request must be done in any case. */
2154 /* Send a signal to all clients who applied for it. */
2156 }
2158 /* Check whether a disconnect is pending. */
2160 {
2165 {
2166 /* FIXME: Use a real timeout. */
2167 /* At least one connection and all allow a disconnect. */
2170 }
2171 }
2173 }
2174 }
2176 /* This function is called by the ticker thread to check for changes
2177 of the reader stati. It updates the reader status files and if
2178 requested by the caller also send a signal to the caller. */
2179 void
2181 {
2187 }