scdaemon lockup with Yubikey NEO

NIIBE Yutaka gniibe at fsij.org
Thu Dec 3 03:54:27 CET 2015


On 12/02/2015 11:35 PM, the2nd at otpme.org wrote:
> No problem. I'm glad to help out and probably get a fix for this annoying issue. :)

Thanks for your patience.

>> Anyway, when Scdaemon detects card/token removal, it could finish
>> existing connection(s).  I'll consider fixing this.
> 
> Sounds good. Should i open a bug report for this?

Not needed.  It's fixed in master.  I'm going to backport this to 2.0.

The commit is: f42c50dbf00c2e6298ca6830cbe6d36805fa54a3

> Is there any workaround we can apply to fix this issue? Currently i
> am using a self compiled ssh client binary of openssh 6.7p1 as
> workaround.

Well, I found another bug with PC/SC.  Because of this bug, it is
sometimes (not always) possible for gpg not to raise the error of
"Conflicting usage".  So, it would be a workaround to disable internal
ccid driver of GnuPG and to use PC/SC.  (I don't recommend, though.)

Here is a backport patch which I'm considering to apply to 2.0.

Thank you again for your cooperation fixing this long standing bug.

=========================
diff --git a/scd/apdu.c b/scd/apdu.c
index f9a1a2d..acca799 100644
--- a/scd/apdu.c
+++ b/scd/apdu.c
@@ -3136,7 +3136,13 @@ apdu_close_reader (int slot)
     return SW_HOST_NO_DRIVER;
   sw = apdu_disconnect (slot);
   if (sw)
-    return sw;
+    {
+      /*
+       * When the reader/token was removed it might come here.
+       * It should go through to call CLOSE_READER even if we got an error.
+       */
+      log_debug ("apdu_close_reader => 0x%x (apdu_disconnect)\n", sw);
+    }
   if (reader_table[slot].close_reader)
     return reader_table[slot].close_reader (slot);
   return SW_HOST_NOT_SUPPORTED;
diff --git a/scd/app-common.h b/scd/app-common.h
index e48db3c..ac2c2e9 100644
--- a/scd/app-common.h
+++ b/scd/app-common.h
@@ -44,11 +44,6 @@ struct app_ctx_s {
      operations the particular function pointer is set to NULL */
   unsigned int ref_count;

-  /* Flag indicating that a reset has been done for that application
-     and that this context is merely lingering and just should not be
-     reused.  */
-  int no_reuse;
-
   /* Used reader slot. */
   int slot;

diff --git a/scd/app.c b/scd/app.c
index 742f937..380a347 100644
--- a/scd/app.c
+++ b/scd/app.c
@@ -190,9 +190,12 @@ application_notify_card_reset (int slot)
   /* FIXME: We are ignoring any error value here.  */
   lock_reader (slot, NULL);

-  /* Mark application as non-reusable.  */
+  /* Release the APP, as it's not reusable any more.  */
   if (lock_table[slot].app)
-    lock_table[slot].app->no_reuse = 1;
+    {
+      deallocate_app (lock_table[slot].app);
+      lock_table[slot].app = NULL;
+    }

   /* Deallocate a saved application for that slot, so that we won't
      try to reuse it.  If there is no saved application, set a flag so
@@ -265,16 +268,6 @@ select_application (ctrl_t ctrl, int slot, const char *name, app_t *r_app)
         return gpg_error (GPG_ERR_CONFLICT);
       }

-  /* Don't use a non-reusable marked application.  */
-  if (app && app->no_reuse)
-    {
-      unlock_reader (slot);
-      log_info ("lingering application `%s' in use by reader %d"
-                " - can't switch\n",
-                app->apptype? app->apptype:"?", slot);
-      return gpg_error (GPG_ERR_CONFLICT);
-    }
-
   /* If we don't have an app, check whether we have a saved
      application for that slot.  This is useful so that a card does
      not get reset even if only one session is using the card - this
@@ -506,15 +499,7 @@ release_application (app_t app)

   if (lock_table[slot].last_app)
     deallocate_app (lock_table[slot].last_app);
-  if (app->no_reuse)
-    {
-      /* If we shall not re-use the application we can't save it for
-         later use. */
-      deallocate_app (app);
-      lock_table[slot].last_app = NULL;
-    }
-  else
-    lock_table[slot].last_app = lock_table[slot].app;
+  lock_table[slot].last_app = lock_table[slot].app;
   lock_table[slot].app = NULL;
   unlock_reader (slot);
 }
-- 



More information about the Gnupg-users mailing list