| blob | 5116461d4ba3d3053f790d2816f2f734936b1116 |
1 /* command.c - SCdaemon command handler
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
3 *
4 * This file is part of GnuPG.
5 *
6 * GnuPG is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * GnuPG is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
19 * USA.
20 */
22 #include <config.h>
23 #include <errno.h>
24 #include <stdio.h>
25 #include <stdlib.h>
26 #include <string.h>
27 #include <ctype.h>
28 #include <unistd.h>
29 #include <signal.h>
30 #ifdef USE_GNU_PTH
31 # include <pth.h>
32 #endif
34 #include <assuan.h>
37 #include <ksba.h>
42 /* Maximum length allowed as a PIN; used for INQUIRE NEEDPIN */
43 #define MAXLEN_PIN 100
45 /* Maximum allowed size of key data as used in inquiries. */
46 #define MAXLEN_KEYDATA 4096
49 #define set_error(e,t) assuan_set_error (ctx, gpg_error (e), (t))
52 /* Macro to flag a removed card. */
53 #define TEST_CARD_REMOVAL(c,r) \
54 do { \
55 int _r = (r); \
56 if (gpg_err_code (_r) == GPG_ERR_CARD_NOT_PRESENT \
57 || gpg_err_code (_r) == GPG_ERR_CARD_REMOVED) \
58 update_card_removed ((c)->reader_slot, 1); \
59 } while (0)
61 #define IS_LOCKED(c) \
62 (locked_session && locked_session != (c)->server_local \
63 && (c)->reader_slot != -1 && locked_session->ctrl_backlink \
64 && (c)->reader_slot == locked_session->ctrl_backlink->reader_slot)
67 /* This structure is used to keep track of open readers (slots). */
68 struct slot_status_s
69 {
76 done. This is set once to indicate that the status
77 tracking for the slot has been initialized. */
80 };
83 /* Data used to associate an Assuan context with local server data.
84 This object describes the local properties of one session. */
85 struct server_local_s
86 {
87 /* We keep a list of all active sessions with the anchor at
88 SESSION_LIST (see below). This field is used for linking. */
91 /* This object is usually assigned to a CTRL object (which is
92 globally visible). While enumerating all sessions we sometimes
93 need to access data of the CTRL object; thus we keep a
94 backpointer here. */
95 ctrl_t ctrl_backlink;
97 /* The Assuan context used by this session/server. */
98 assuan_context_t assuan_ctx;
102 /* True if the card has been removed and a reset is required to
103 continue operation. */
105 };
108 /* The table with information on all used slots. FIXME: This is a
109 different slot number than the one used by the APDU layer, and
110 should be renamed. */
114 /* To keep track of all running sessions, we link all active server
115 contexts and the anchor in this variable. */
118 /* If a session has been locked we store a link to its server object
119 in this variable. */
122 /* While doing a reset we need to make sure that the ticker does not
123 call scd_update_reader_status_file while we are using it. */
126 \f
127 /*-- Local prototypes --*/
131 \f
132 /* Update the CARD_REMOVED element of all sessions using the reader
133 given by SLOT to VALUE */
134 static void
136 {
142 {
144 }
147 }
151 /* Check whether the option NAME appears in LINE */
152 static int
154 {
160 }
163 /* Convert the STRING into a newly allocated buffer while translating
164 the hex numbers. Stops at the first invalid character. Blanks and
165 colons are allowed to separate the hex digits. Returns NULL on
166 error or a newly malloced buffer and its length in LENGTH. */
169 {
178 {
182 {
184 s++;
185 }
186 else
188 }
191 }
195 /* Reset the card and free the application context. With SEND_RESET
196 set to true actually send a RESET to the reader. */
197 static void
199 {
206 {
209 }
212 {
214 {
216 }
217 }
219 /* If we hold a lock, unlock now. */
221 {
224 }
226 /* Reset card removed flag for the current reader. We need to take
227 the lock here so that the ticker thread won't concurrently try to
228 update the file. Note that the update function will set the card
229 removed flag and we will later reset it - not a particualar nice
230 way of implementing it but it works. */
232 {
236 }
242 /* Do this last, so that update_card_removed does its job. */
244 }
246 \f
247 static void
249 {
253 }
256 static int
258 {
262 {
263 /* A value of 0 is allowed to reset the event signal. */
268 }
271 }
274 /* Return the slot of the current reader or open the reader if no
275 other sessions are using a reader. Note, that we currently support
276 only one reader but most of the code (except for this function)
277 should be able to cope with several readers. */
278 static int
280 {
285 /* Initialize the item if needed. */
287 {
290 }
292 /* Try to open the reader. */
296 /* Return the slot_table index. */
298 }
300 /* If the card has not yet been opened, do it. Note that this
301 function returns an Assuan error, so don't map the error a second
302 time. */
303 static assuan_error_t
305 {
306 gpg_error_t err;
309 /* If we ever got a card not present error code, return that. Only
310 the SERIALNO command and a reset are able to clear from that
311 state. */
319 {
320 /* Already initialized for one specific application. Need to
321 check that the client didn't requested a specific application
322 different from the one in use. */
324 }
328 else
333 else
338 }
341 /* Do the percent and plus/space unescaping in place and return the
342 length of the valid buffer. */
343 static size_t
345 {
350 {
352 {
353 string++;
355 n++;
357 }
359 {
361 n++;
362 string++;
363 }
364 else
365 {
367 n++;
368 }
369 }
372 }
376 /* SERIALNO [APPTYPE]
378 Return the serial number of the card using a status reponse. This
379 functon should be used to check for the presence of a card.
381 If APPTYPE is given, an application of that type is selected and an
382 error is returned if the application is not supported or available.
383 The default is to auto-select the application using a hardwired
384 preference system. Note, that a future extension to this function
385 may allow to specify a list and order of applications to try.
387 This function is special in that it can be used to reset the card.
388 Most other functions will return an error when a card change has
389 been detected and the use of this function is therefore required.
391 Background: We want to keep the client clear of handling card
392 changes between operations; i.e. the client can assume that all
393 operations are done on the same card unless he calls this function.
394 */
395 static int
397 {
404 /* Clear the remove flag so that the open_card is able to reread it. */
406 {
410 }
427 }
432 /* LEARN [--force]
434 Learn all useful information of the currently inserted card. When
435 used without the force options, the command might do an INQUIRE
436 like this:
438 INQUIRE KNOWNCARDP <hexstring_with_serialNumber> <timestamp>
440 The client should just send an "END" if the processing should go on
441 or a "CANCEL" to force the function to terminate with a Cancel
442 error message. The response of this command is a list of status
443 lines formatted as this:
445 S APPTYPE <apptype>
447 This returns the type of the application, currently the strings:
449 P15 = PKCS-15 structure used
450 DINSIG = DIN SIG
451 OPENPGP = OpenPGP card
453 are implemented. These strings are aliases for the AID
455 S KEYPAIRINFO <hexstring_with_keygrip> <hexstring_with_id>
457 If there is no certificate yet stored on the card a single "X" is
458 returned as the keygrip. In addition to the keypair info, information
459 about all certificates stored on the card is also returned:
461 S CERTINFO <certtype> <hexstring_with_id>
463 Where CERTTYPE is a number indicating the type of certificate:
464 0 := Unknown
465 100 := Regular X.509 cert
466 101 := Trusted X.509 cert
467 102 := Useful X.509 cert
468 110 := Root CA cert (DINSIG)
470 For certain cards, more information will be returned:
472 S KEY-FPR <no> <hexstring>
474 For OpenPGP cards this returns the stored fingerprints of the
475 keys. This can be used check whether a key is available on the
476 card. NO may be 1, 2 or 3.
478 S CA-FPR <no> <hexstring>
480 Similar to above, these are the fingerprints of keys assumed to be
481 ultimately trusted.
483 S DISP-NAME <name_of_card_holder>
485 The name of the card holder as stored on the card; percent
486 escaping takes place, spaces are encoded as '+'
488 S PUBKEY-URL <url>
490 The URL to be used for locating the entire public key.
492 Note, that this function may be even be used on a locked card.
493 */
494 static int
496 {
503 /* Unless the force option is used we try a shortcut by identifying
504 the card using a serial number and inquiring the client with
505 that. The client may choose to cancel the operation if he already
506 knows about this card */
507 {
523 {
528 {
531 }
536 {
542 }
543 /* not canceled, so we have to proceeed */
544 }
546 }
548 /* Let the application print out its collection of useful status
549 information. */
555 }
558 \f
559 /* READCERT <hexified_certid>
561 Note, that this function may even be used on a locked card.
562 */
563 static int
565 {
581 {
586 }
590 }
593 /* READKEY <keyid>
595 Return the public key for the given cert or key ID as an standard
596 S-Expression.
598 Note, that this function may even be used on a locked card.
599 */
600 static int
602 {
608 ksba_sexp_t p;
616 /* If the application supports the READKEY function we use that.
617 Otherwise we use the old way by extracting it from the
618 certificate. */
627 }
631 else
632 {
636 }
644 {
647 }
650 {
653 }
657 {
660 }
667 leave:
672 }
675 \f
677 /* SETDATA <hexstring>
679 The client should use this command to tell us the data he want to
680 sign. */
681 static int
683 {
692 /* Parse the hexstring. */
694 ;
711 }
715 static gpg_error_t
717 {
731 /* Fixme: Write an inquire function which returns the result in
732 secure memory and check all further handling of the PIN. */
739 {
740 /* We require that the returned value is an UTF-8 string */
743 }
746 }
749 /* PKSIGN [--hash=[rmd160|sha1|md5]] <hexified_id>
751 The --hash option is optional; the default is SHA1.
753 */
754 static int
756 {
772 else
774 /* Skip over options. */
776 {
778 line++;
780 line++;
781 }
789 /* We have to use a copy of the key ID because the function may use
790 the pin_cb which in turn uses the assuan line buffer and thus
791 overwriting the original line with the keyid */
804 {
806 }
807 else
808 {
813 }
817 }
819 /* PKAUTH <hexified_id>
821 */
822 static int
824 {
840 /* We have to use a copy of the key ID because the function may use
841 the pin_cb which in turn uses the assuan line buffer and thus
842 overwriting the original line with the keyid */
848 keyidstr,
854 {
856 }
857 else
858 {
863 }
867 }
869 /* PKDECRYPT <hexified_id>
871 */
872 static int
874 {
891 keyidstr,
898 {
900 }
901 else
902 {
907 }
911 }
914 /* GETATTR <name>
916 This command is used to retrieve data from a smartcard. The
917 allowed names depend on the currently selected smartcard
918 application. NAME must be percent and '+' escaped. The value is
919 returned through status message, see the LEARN command for details.
921 However, the current implementation assumes that Name is not escaped;
922 this works as long as noone uses arbitrary escaping.
924 Note, that this function may even be used on a locked card.
925 */
926 static int
928 {
938 ;
942 /* (We ignore any garbage for now.) */
944 /* FIXME: Applications should not return sensitive data if the card
945 is locked. */
950 }
953 /* SETATTR <name> <value>
955 This command is used to store data on a a smartcard. The allowed
956 names and values are depend on the currently selected smartcard
957 application. NAME and VALUE must be percent and '+' escaped.
959 However, the curent implementation assumes that Name is not escaped;
960 this works as long as noone uses arbitrary escaping.
962 A PIN will be requested for most NAMEs. See the corresponding
963 setattr function of the actually used application (app-*.c) for
964 details. */
965 static int
967 {
981 /* We need to use a copy of LINE, because PIN_CB uses the same
982 context and thus reuses the Assuan provided LINE. */
989 ;
993 line++;
1002 }
1006 /* WRITEKEY [--force] <keyid>
1008 This command is used to store a secret key on a a smartcard. The
1009 allowed keyids depend on the currently selected smartcard
1010 application. The actual keydata is requested using the inquiry
1011 "KETDATA" and need to be provided without any protection. With
1012 --force set an existing key under this KEYID will get overwritten.
1013 The keydata is expected to be the usual canonical encoded
1014 S-expression.
1016 A PIN will be requested for most NAMEs. See the corresponding
1017 writekey function of the actually used application (app-*.c) for
1018 details. */
1019 static int
1021 {
1032 /* Skip over options. */
1034 {
1036 line++;
1038 line++;
1039 }
1044 line++;
1057 /* Now get the actual keydata. */
1060 {
1063 }
1065 /* Write the key to the card. */
1073 }
1077 /* GENKEY [--force] <no>
1079 Generate a key on-card identified by NO, which is application
1080 specific. Return values are application specific. For OpenPGP
1081 cards 2 status lines are returned:
1083 S KEY-FPR <hexstring>
1084 S KEY-CREATED-AT <seconds_since_epoch>
1085 S KEY-DATA [p|n] <hexdata>
1088 --force is required to overwrite an already existing key. The
1089 KEY-CREATED-AT is required for further processing because it is
1090 part of the hashed key material for the fingerprint.
1092 The public part of the key can also later be retrieved using the
1093 READKEY command.
1095 */
1096 static int
1098 {
1107 /* Skip over options. */
1109 {
1111 line++;
1113 line++;
1114 }
1119 line++;
1136 }
1139 /* RANDOM <nbytes>
1141 Get NBYTES of random from the card and send them back as data.
1143 Note, that this function may be even be used on a locked card.
1144 */
1145 static int
1147 {
1169 {
1173 }
1178 }
1180 \f
1181 /* PASSWD [--reset] <chvno>
1183 Change the PIN or reset the retry counter of the card holder
1184 verfication vector CHVNO. */
1185 static int
1187 {
1196 /* Skip over options. */
1198 {
1200 line++;
1202 line++;
1203 }
1208 line++;
1227 }
1230 /* CHECKPIN <idstr>
1232 Perform a VERIFY operation without doing anything else. This may
1233 be used to initialize a the PIN cache earlier to long lasting
1234 operations. Its use is highly application dependent.
1236 For OpenPGP:
1238 Perform a simple verify operation for CHV1 and CHV2, so that
1239 further operations won't ask for CHV2 and it is possible to do a
1240 cheap check on the PIN: If there is something wrong with the PIN
1241 entry system, only the regular CHV will get blocked and not the
1242 dangerous CHV3. IDSTR is the usual card's serial number in hex
1243 notation; an optional fingerprint part will get ignored. There
1244 is however a special mode if the IDSTR is sffixed with the
1245 literal string "[CHV3]": In this case the Admin PIN is checked
1246 if and only if the retry counter is still at 3.
1248 */
1249 static int
1251 {
1265 /* We have to use a copy of the key ID because the function may use
1266 the pin_cb which in turn uses the assuan line buffer and thus
1267 overwriting the original line with the keyid. */
1273 keyidstr,
1281 }
1284 /* LOCK [--wait]
1286 Grant exclusive card access to this session. Note that there is
1287 no lock counter used and a second lock from the same session will
1288 be ignored. A single unlock (or RESET) unlocks the session.
1289 Return GPG_ERR_LOCKED if another session has locked the reader.
1291 If the option --wait is given the command will wait until a
1292 lock has been released.
1293 */
1294 static int
1296 {
1300 retry:
1302 {
1305 }
1306 else
1309 #ifdef USE_GNU_PTH
1311 {
1314 for card operations this should be
1315 sufficient. */
1316 /* FIXME: Need to check that the connection is still alive.
1317 This can be done by issuing status messages. */
1319 }
1325 }
1328 /* UNLOCK
1330 Release exclusive card access.
1331 */
1332 static int
1334 {
1339 {
1342 else
1344 }
1345 else
1351 }
1354 /* GETINFO <what>
1356 Multi purpose command to return certain information.
1357 Supported values of WHAT are:
1359 socket_name - Return the name of the socket.
1360 status - Return the status of the current slot (in the future, may
1361 also return the status of all slots). The status is a list of
1362 one-character flags. The following flags are currently defined:
1363 'u' Usable card present. This is the normal state during operation.
1364 'r' Card removed. A reset is necessary.
1365 These flags are exclusive.
1366 */
1368 static int
1370 {
1374 {
1379 else
1381 }
1383 {
1389 {
1402 }
1404 }
1405 else
1408 }
1411 /* RESTART
1413 Restart the current connection; this is a kind of warm reset. It
1414 deletes the context used by this connection but does not send a
1415 RESET to the card. Thus the card itself won't get reset.
1417 This is used by gpg-agent to reuse a primary pipe connection and
1418 may be used by clients to backup from a conflict in the serial
1419 command; i.e. to select another application.
1420 */
1422 static int
1424 {
1428 {
1431 }
1433 {
1436 }
1438 }
1441 /* APDU [--atr] [--more] [hexstring]
1443 Send an APDU to the current reader. This command bypasses the high
1444 level functions and sends the data directly to the card. HEXSTRING
1445 is expected to be a proper APDU. If HEXSTRING is not given no
1446 commands are set to the card but the command will implictly check
1447 whether the card is ready for use.
1449 Using the option "--atr" returns the ATR of the card as a status
1450 message before any data like this:
1451 S CARD-ATR 3BFA1300FF813180450031C173C00100009000B1
1453 Using the option --more handles the card status word MORE_DATA
1454 (61xx) and concatenate all reponses to one block.
1456 */
1457 static int
1459 {
1470 /* Skip over options. */
1472 {
1474 line++;
1476 line++;
1477 }
1486 {
1494 {
1497 }
1502 }
1506 {
1509 }
1511 {
1519 else
1520 {
1523 }
1524 }
1527 leave:
1530 }
1535 \f
1536 /* Tell the assuan library about our commands */
1537 static int
1539 {
1567 };
1571 {
1575 }
1581 }
1584 /* Startup the server. If FD is given as -1 this is simple pipe
1585 server, otherwise it is a regular server. */
1586 void
1588 {
1590 assuan_context_t ctx;
1597 {
1603 }
1604 else
1605 {
1607 }
1609 {
1613 }
1616 {
1620 }
1623 /* Allocate and initialize the server object. Put it into the list
1624 of active sessions. */
1634 /* We open the reader right at startup so that the ticker is able to
1635 update the status file. */
1637 {
1639 }
1641 /* Command processing loop. */
1643 {
1646 {
1648 }
1650 {
1653 }
1657 {
1660 }
1661 }
1663 /* Cleanup. */
1666 /* Release the server object. */
1669 else
1670 {
1679 }
1682 /* Release the Assuan context. */
1684 }
1687 /* Send a line with status information via assuan and escape all given
1688 buffers. The variable elements are pairs of (char *, size_t),
1689 terminated with a (NULL, 0). */
1690 void
1692 {
1705 {
1710 {
1712 n++;
1713 }
1715 {
1717 {
1720 }
1723 else
1725 }
1726 }
1731 }
1734 /* This is the core of scd_update_reader_status_file but the caller
1735 needs to take care of the locking. */
1736 static void
1738 {
1742 /* Note, that we only try to get the status, because it does not
1743 make sense to wait here for a operation to complete. If we are
1744 busy working with a card, delays in the status file update should
1745 be acceptable. */
1747 {
1757 {
1766 /* FIXME: Should this be IDX instead of ss->slot? This
1767 depends on how client sessions will associate the reader
1768 status with their session. */
1773 {
1779 }
1782 /* If a status script is executable, run it. */
1783 {
1787 gpg_error_t err;
1792 else
1793 {
1819 }
1821 }
1823 /* Set the card removed flag for all current sessions. We
1824 will set this on any card change because a reset or
1825 SERIALNO request must be done in any case. */
1833 /* Send a signal to all clients who applied for it. */
1836 {
1842 #ifndef HAVE_W32_SYSTEM
1845 #endif
1846 }
1848 }
1849 }
1850 }
1852 /* This function is called by the ticker thread to check for changes
1853 of the reader stati. It updates the reader status files and if
1854 requested by the caller also send a signal to the caller. */
1855 void
1857 {
1863 }