[git] GnuPG - branch, master, updated. gnupg-2.2.7-391-ga481d17
by Werner Koch
cvs at cvs.gnupg.org
Mon Feb 25 11:30:05 CET 2019
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".
The branch, master has been updated
via a481d17432bf7cca19ca71b6aa5ccd9aee2b3baa (commit)
from 28de5c0ea53373c56a4405fe6b08d194682dd1de (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit a481d17432bf7cca19ca71b6aa5ccd9aee2b3baa
Author: Werner Koch <wk at gnupg.org>
Date: Mon Feb 25 11:29:30 2019 +0100
scd: PIV: Always require a PIN for signing with 9C.
* scd/app-piv.c (verify_chv): Add arg 'force'.
(do_sign): Use force for 0x9c.
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/scd/app-piv.c b/scd/app-piv.c
index edb00bf..704a498 100644
--- a/scd/app-piv.c
+++ b/scd/app-piv.c
@@ -1803,9 +1803,10 @@ ask_and_prepare_chv (app_t app, int keyref, int ask_new, int remaining,
/* Verify the card holder verification identified by KEYREF. This is
- * either the Appication PIN or the Global PIN. */
+ * either the Appication PIN or the Global PIN. If FORCE is true a
+ * verification is always done. */
static gpg_error_t
-verify_chv (app_t app, int keyref,
+verify_chv (app_t app, int keyref, int force,
gpg_error_t (*pincb)(void*,const char *,char **), void *pincb_arg)
{
gpg_error_t err;
@@ -1823,10 +1824,11 @@ verify_chv (app_t app, int keyref,
apdu[3] = keyref;
if (!iso7816_apdu_direct (app->slot, apdu, 4, 0, &sw, NULL, NULL))
{
- /* No need to verification. */
- return 0; /* All fine. */
+ if (!force) /* No need to verification. */
+ return 0; /* All fine. */
+ remaining = -1;
}
- if ((sw & 0xfff0) == 0x63C0)
+ else if ((sw & 0xfff0) == 0x63C0)
remaining = (sw & 0x000f); /* PIN has REMAINING tries left. */
else
remaining = -1;
@@ -1998,7 +2000,7 @@ do_check_chv (app_t app, const char *pwidstr,
if (keyref == -1)
return gpg_error (GPG_ERR_INV_ID);
- return verify_chv (app, keyref, pincb, pincb_arg);
+ return verify_chv (app, keyref, 0, pincb, pincb_arg);
}
@@ -2032,6 +2034,7 @@ do_sign (app_t app, const char *keyidstr, int hashalgo,
unsigned char *indata_buffer = NULL; /* Malloced helper. */
unsigned char *apdudata = NULL;
size_t apdudatalen;
+ int force_verify;
if (!keyidstr || !*keyidstr)
{
@@ -2046,6 +2049,15 @@ do_sign (app_t app, const char *keyidstr, int hashalgo,
goto leave;
}
+ /* According to table 4b of SP800-73-4 the signing key always
+ * requires a verify. */
+ switch (keyref)
+ {
+ case 0x9c: force_verify = 1; break;
+ default: force_verify = 0; break;
+ }
+
+
err = get_key_algorithm_by_dobj (app, dobj, &mechanism);
if (err)
goto leave;
@@ -2185,7 +2197,7 @@ do_sign (app_t app, const char *keyidstr, int hashalgo,
}
/* Now verify the Application PIN. */
- err = verify_chv (app, 0x80, pincb, pincb_arg);
+ err = verify_chv (app, 0x80, force_verify, pincb, pincb_arg);
if (err)
return err;
@@ -2388,7 +2400,7 @@ do_decipher (app_t app, const char *keyidstr,
}
/* Now verify the Application PIN. */
- err = verify_chv (app, 0x80, pincb, pincb_arg);
+ err = verify_chv (app, 0x80, 0, pincb, pincb_arg);
if (err)
return err;
-----------------------------------------------------------------------
Summary of changes:
scd/app-piv.c | 28 ++++++++++++++++++++--------
1 file changed, 20 insertions(+), 8 deletions(-)
hooks/post-receive
--
The GNU Privacy Guard
http://git.gnupg.org
More information about the Gnupg-commits
mailing list