Skip to content

Yubikey reinsertion #1875

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
frankmorgner merged 3 commits into from
Nov 28, 2019
Merged

Yubikey reinsertion #1875

frankmorgner merged 3 commits into from
Nov 28, 2019

Conversation

@Jakuje
Copy link
Member

@Jakuje Jakuje commented Nov 27, 2019

This is follow-up work on the #1822, mostly based on my last comment #1822 (comment) which I will try to summarize here again with the steps that happens and causes the issue reported above

  • The calling application has working token (lets say it just provided signature for TLS 1.3 session).
  • The Yubikey is removed and plugged in again
  • The application calls C_GetSlotInfo()
  • OpenSC checks the status of inserted card: card_detect_all() -> card_detect() -> sc_detect_card_presence() -> pcsc_detect_card_presence()
    • The PCSC reader function refresh_attributes() notices the card was changed (SCardStatus returns SCARD_E_INVALID_VALUE as handled in fb15a7d )
    • The function returns the card was changed CARD_CHANGED
  • the card is removed, internal card structures freed card_removed(), the reader->flags is reset (CARD_PRESENT is removed here)
  • sessions are closed
  • and detection starts over
  • Again card_detect_all() -> card_detect() -> sc_detect_card_presence() -> pcsc_detect_card_presence()
    • The PCSC reader function refresh_attributes() notices returns SCARD_E_TIMEOUT as there was really no change since last call.
    • This just unsets CARD_CHANGED
    • I add here the check to restore the CARD_PRESENT attribute.
  • Now, we have CARD_PRESENT in the reader flags so the card detection can finally start

Here is the raw log of the affected part of the code:

pkcs11-global.c:575:C_GetSlotInfo: C_GetSlotInfo(0x0)
slot.c:393:card_detect_all: Detect all cards
slot.c:219:card_detect: Yubico Yubikey 4 OTP+U2F+CCID 00 00: Detecting smart card
sc.c:315:sc_detect_card_presence: called
reader-pcsc.c:443:pcsc_detect_card_presence: called
reader-pcsc.c:333:refresh_attributes: Yubico Yubikey 4 OTP+U2F+CCID 00 00 check
reader-pcsc.c:379:refresh_attributes: current  state: 0x00000022
reader-pcsc.c:380:refresh_attributes: previous state: 0x00000120
reader-pcsc.c:435:refresh_attributes: card present, changed
reader-pcsc.c:448:pcsc_detect_card_presence: returning with: 3
sc.c:320:sc_detect_card_presence: returning with: 3
slot.c:235:card_detect: Yubico Yubikey 4 OTP+U2F+CCID 00 00: Card changed
slot.c:180:card_removed: Yubico Yubikey 4 OTP+U2F+CCID 00 00: card removed
slot.c:481:slot_token_removed: slot_token_removed(0x0)
pkcs11-session.c:143:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x0) 1
pkcs11-session.c:109:sc_pkcs11_close_session: real C_CloseSession(0x7fc0551c8f20)
pkcs15-pin.c:844:sc_pkcs15_pincache_clear: called
framework-pkcs15.c:1575:pkcs15_release_token: pkcs15_release_token() not implemented
slot.c:481:slot_token_removed: slot_token_removed(0x1)
pkcs11-session.c:143:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x1) 0
slot.c:481:slot_token_removed: slot_token_removed(0x2)
pkcs11-session.c:143:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x2) 0
slot.c:481:slot_token_removed: slot_token_removed(0x3)
pkcs11-session.c:143:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x3) 0
sc.c:315:sc_detect_card_presence: called
reader-pcsc.c:443:pcsc_detect_card_presence: called
reader-pcsc.c:333:refresh_attributes: Yubico Yubikey 4 OTP+U2F+CCID 00 00 check
reader-pcsc.c:356:refresh_attributes: returning with: 0 (Success)
reader-pcsc.c:448:pcsc_detect_card_presence: returning with: 1
sc.c:320:sc_detect_card_presence: returning with: 1
pkcs15.c:1297:sc_pkcs15_unbind: called
pkcs15-pin.c:844:sc_pkcs15_pincache_clear: called
misc.c:71:sc_to_cryptoki_error_common: libopensc return value: 0 (Success)
card.c:414:sc_disconnect_card: called
card-piv.c:3011:piv_finish: called
reader-pcsc.c:640:pcsc_disconnect: Yubico Yubikey 4 OTP+U2F+CCID 00 00:SCardDisconnect returned: 0x80100011
card.c:436:sc_disconnect_card: returning with: 0 (Success)
sc.c:315:sc_detect_card_presence: called
reader-pcsc.c:443:pcsc_detect_card_presence: called
reader-pcsc.c:333:refresh_attributes: Yubico Yubikey 4 OTP+U2F+CCID 00 00 check
reader-pcsc.c:356:refresh_attributes: returning with: 0 (Success)
reader-pcsc.c:448:pcsc_detect_card_presence: returning with: 1
sc.c:320:sc_detect_card_presence: returning with: 1
slot.c:256:card_detect: Yubico Yubikey 4 OTP+U2F+CCID 00 00: First seen the card
slot.c:265:card_detect: Yubico Yubikey 4 OTP+U2F+CCID 00 00: Connecting ...

The second commit bf4ef3f is addressing another issue that I noticed on the PKCS#11 level, when the first function after reinsertion was C_GetSessionInfo(), the OpenSC sometimes wrongly reported invalid login status, confusing the calling application.

Checklist
  • PKCS#11 module is tested
  • Windows minidriver is tested
  • macOS tokend is tested

@Jakuje Jakuje mentioned this pull request Nov 27, 2019
Closed
@frankmorgner frankmorgner merged commit 326955a into OpenSC:master Nov 28, 2019
@frankmorgner
Copy link
Member

frankmorgner commented Nov 28, 2019

thanks for the detailed analysis!

@frankmorgner frankmorgner mentioned this pull request Dec 2, 2019
Closed
@xhanulik xhanulik mentioned this pull request Apr 5, 2023
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Jakuje @frankmorgner