scdaemon lockup with Yubikey NEO
Lance R. Vick
lance at lrvick.net
Thu Dec 3 04:54:04 CET 2015
I came up with the following udev rule which, while heavy-handed, solves
these issues for me: https://gist.github.com/lrvick/d1a5a8e6cf0eefda69d7
On Wed, Dec 2, 2015 at 6:54 PM, NIIBE Yutaka <gniibe at fsij.org> wrote:
> On 12/02/2015 11:35 PM, the2nd at otpme.org wrote:
> > No problem. I'm glad to help out and probably get a fix for this
> > annoying issue. :)
>
> Thanks for your patience.
>
> >> Anyway, when Scdaemon detects card/token removal, it could finish
> >> existing connection(s). I'll consider fixing this.
> >
> > Sounds good. Should I open a bug report for this?
>
> Not needed. It's fixed in master. I'm going to backport this to 2.0.
>
> The commit is: f42c50dbf00c2e6298ca6830cbe6d36805fa54a3
>
> > Is there any workaround we can apply to fix this issue? Currently I
> > am using a self compiled ssh client binary of openssh 6.7p1 as
> > workaround.
>
> Well, I found another bug with PC/SC. Because of this bug, it is
> sometimes (not always) possible for gpg not to raise the error of
> "Conflicting usage". So, it would be a workaround to disable internal
> ccid driver of GnuPG and to use PC/SC. (I don't recommend, though.)
>
> Here is a backport patch which I'm considering to apply to 2.0.
>
> Thank you again for your cooperation fixing this long standing bug.
>
> =========================
> diff --git a/scd/apdu.c b/scd/apdu.c
> index f9a1a2d..acca799 100644
> --- a/scd/apdu.c
> +++ b/scd/apdu.c
> @@ -3136,7 +3136,13 @@ apdu_close_reader (int slot)
> return SW_HOST_NO_DRIVER;
> sw = apdu_disconnect (slot);
> if (sw)
> - return sw;
> + {
> + /*
> + * When the reader/token was removed it might come here.
> + * It should go through to call CLOSE_READER even if we got an
> error.
> + */
> + log_debug ("apdu_close_reader => 0x%x (apdu_disconnect)\n", sw);
> + }
> if (reader_table[slot].close_reader)
> return reader_table[slot].close_reader (slot);
> return SW_HOST_NOT_SUPPORTED;
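
Review bot: In the new `if (sw)` block of apdu_close_reader, the status from apdu_disconnect is logged and then lost, so the caller only ever sees what close_reader returns, or SW_HOST_NOT_SUPPORTED when no close_reader is set. If no caller needs the disconnect status, say so in the comment; otherwise keep sw and return it when close_reader itself succeeds. Separately, the comment line ending in "even if we got an error." has been wrapped by the mailer in this message, so the hunk will not apply as sent.
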
> diff --git a/scd/app-common.h b/scd/app-common.h
> index e48db3c..ac2c2e9 100644
> --- a/scd/app-common.h
> +++ b/scd/app-common.h
> @@ -44,11 +44,6 @@ struct app_ctx_s {
> operations the particular function pointer is set to NULL */
> unsigned int ref_count;
>
> - /* Flag indicating that a reset has been done for that application
> - and that this context is merely lingering and just should not be
> - reused. */
> - int no_reuse;
> -
> /* Used reader slot. */
> int slot;
>
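
Review bot: Dropping `no_reuse` from struct app_ctx_s is only safe for the 2.0 backport if every reader of the field goes with it; this patch shows three uses removed, all in scd/app.c. A search for no_reuse across the rest of scd/ on the 2.0 branch before applying would confirm nothing else depends on it. The field's comment also explained why a context could be "merely lingering", and that rationale should move to the code that now frees the context instead.
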
> diff --git a/scd/app.c b/scd/app.c
> index 742f937..380a347 100644
> --- a/scd/app.c
> +++ b/scd/app.c
> @@ -190,9 +190,12 @@ application_notify_card_reset (int slot)
> /* FIXME: We are ignoring any error value here. */
> lock_reader (slot, NULL);
>
> - /* Mark application as non-reusable. */
> + /* Release the APP, as it's not reusable any more. */
> if (lock_table[slot].app)
> - lock_table[slot].app->no_reuse = 1;
> + {
> + deallocate_app (lock_table[slot].app);
> + lock_table[slot].app = NULL;
> + }
>
> /* Deallocate a saved application for that slot, so that we won't
> try to reuse it. If there is no saved application, set a flag so
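
Review bot: The new block in application_notify_card_reset calls deallocate_app on lock_table[slot].app without looking at ref_count, which the struct still carries per the app-common.h context lines. The removed flag existed because a context could still be referenced after a reset, so freeing it here needs either a ref_count check or a statement of why no session can still hold this app_t when the reset notification arrives; otherwise a later use of that pointer is a use-after-free. The FIXME just above also notes that the lock_reader result is ignored, so the free may run without the slot lock held.
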
> @@ -265,16 +268,6 @@ select_application (ctrl_t ctrl, int slot, const char
> *name, app_t *r_app)
> return gpg_error (GPG_ERR_CONFLICT);
> }
>
> - /* Don't use a non-reusable marked application. */
> - if (app && app->no_reuse)
> - {
> - unlock_reader (slot);
> - log_info ("lingering application `%s' in use by reader %d"
> - " - can't switch\n",
> - app->apptype? app->apptype:"?", slot);
> - return gpg_error (GPG_ERR_CONFLICT);
> - }
> -
> /* If we don't have an app, check whether we have a saved
> application for that slot. This is useful so that a card does
> not get reset even if only one session is using the card - this
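
Review bot: With the `app && app->no_reuse` guard removed from select_application, nothing in this function detects a stale application any more; correctness now rests entirely on application_notify_card_reset having set lock_table[slot].app to NULL. A short comment at this spot stating that invariant would help the next reader, since the log_info line that used to explain the conflict is gone too. The hunk header is also split across two lines in this message ("const char" / "*name, app_t *r_app)"), which will prevent the patch from applying as sent.
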
> @@ -506,15 +499,7 @@ release_application (app_t app)
>
> if (lock_table[slot].last_app)
> deallocate_app (lock_table[slot].last_app);
> - if (app->no_reuse)
> - {
> - /* If we shall not re-use the application we can't save it for
> - later use. */
> - deallocate_app (app);
> - lock_table[slot].last_app = NULL;
> - }
> - else
> - lock_table[slot].last_app = lock_table[slot].app;
> + lock_table[slot].last_app = lock_table[slot].app;
> lock_table[slot].app = NULL;
> unlock_reader (slot);
> }
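
Review bot: In release_application, the now unconditional `lock_table[slot].last_app = lock_table[slot].app;` saves whatever is in the slot, not the `app` that was passed in. After the change in application_notify_card_reset, the slot may already be NULL or hold a different application than the one being released, in which case this would stash the wrong context as last_app and then clear the active one. Consider checking that app is the same pointer as lock_table[slot].app before these lines and returning early if it is not.
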
> --
>
--
Lance R. Vick
__________________________________________________
Cell - 407.283.7596
Gtalk - lance at lrvick.net
Website - http://lrvick.net
PGP Key - http://lrvick.net/0x36C8AAA9.asc
keyserver - subkeys.pgp.net
__________________________________________________