[pkg-opensc-commit] [opensc] 208/295: Support PIN unblocking in minidriver via PUK as response to challenge
Eric Dorland
eric at moszumanska.debian.org
Sat Jun 24 21:11:32 UTC 2017
This is an automated email from the git hooks/post-receive script.
eric pushed a commit to branch master
in repository opensc.
commit 1c40426421974ff22fa4379707d7107c94a20929
Author: Maciej S. Szmigiero <mail at maciej.szmigiero.name>
Date: Thu Aug 25 22:41:58 2016 +0200
Support PIN unblocking in minidriver via PUK as response to challenge
Minidriver currently has basic support for unblocking card PIN by providing
PUK as an administrator password to CardUnblockPin() function.
However, this doesn't work for example when trying to unblock PIN via
system smartcard PIN unblock screen accessible after pressing Ctrl+Alt+Del
as it wants to use challenge / response authentication.
MS Smart Card Minidriver specification (version 7.07) explicitly says that
challenge / response is the only authentication mode that Windows uses to
authenticate an administrator.
Unfortunately, this way of unblocking PIN seems to not be widely supported
by cards.
However, we can simply treat the provided response to challenge as PUK.
Because (at least) Ctrl+Alt+Del PIN unblock screen accepts only hex string,
every PUK digit X has to be input as '3X' (without quotes) there.
Also the response string is not hidden behind asterisks on this screen as
it should have been.
Signed-off-by: Maciej S. Szmigiero <mail at maciej.szmigiero.name>
---
src/minidriver/minidriver.c | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/src/minidriver/minidriver.c b/src/minidriver/minidriver.c
index c0a6fff..8279269 100644
--- a/src/minidriver/minidriver.c
+++ b/src/minidriver/minidriver.c
@@ -2945,16 +2945,30 @@ DWORD WINAPI CardUnblockPin(__in PCARD_DATA pCardData,
logprintf(pCardData, 1, "\nP:%d T:%d pCardData:%p ",GetCurrentProcessId(), GetCurrentThreadId(), pCardData);
logprintf(pCardData, 1, "CardUnblockPin\n");
- if (pwszUserId == NULL)
+ if (pwszUserId == NULL) {
+ logprintf(pCardData, 1, "no user ID\n");
return SCARD_E_INVALID_PARAMETER;
- if (wcscmp(wszCARD_USER_USER, pwszUserId) != 0 && wcscmp(wszCARD_USER_ADMIN,pwszUserId) != 0)
+ }
+ if (wcscmp(wszCARD_USER_USER, pwszUserId) != 0 && wcscmp(wszCARD_USER_ADMIN,pwszUserId) != 0) {
+ logprintf(pCardData, 1, "unknown user ID %S\n", pwszUserId);
return SCARD_E_INVALID_PARAMETER;
- if (wcscmp(wszCARD_USER_ADMIN, pwszUserId) == 0)
- return SCARD_E_UNSUPPORTED_FEATURE;
- if (dwFlags & CARD_AUTHENTICATE_PIN_CHALLENGE_RESPONSE)
+ }
+ if (wcscmp(wszCARD_USER_ADMIN, pwszUserId) == 0) {
+ logprintf(pCardData, 1, "unlocking admin not supported\n");
return SCARD_E_UNSUPPORTED_FEATURE;
- if (dwFlags)
+ }
+ if (dwFlags & CARD_AUTHENTICATE_PIN_CHALLENGE_RESPONSE) {
+ logprintf(pCardData, 1,
+ "challenge / response not supported, we'll treat response as a PUK\n");
+ logprintf(pCardData, 1,
+ "note that you'll need to type PUK in hex (replace every PUK digit X with '3X') in Win CAD unblock dialog response field\n");
+ dwFlags &= ~CARD_AUTHENTICATE_PIN_CHALLENGE_RESPONSE;
+ }
+ if (dwFlags) {
+ logprintf(pCardData, 1, "flags of %x not supported\n",
+ (unsigned int)dwFlags);
return SCARD_E_INVALID_PARAMETER;
+ }
logprintf(pCardData, 1, "UserID('%S'), AuthData(%p, %u), NewPIN(%p, %u), Retry(%u), dwFlags(0x%X)\n",
pwszUserId, pbAuthenticationData, cbAuthenticationData, pbNewPinData, cbNewPinData,
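Review bot: In the CARD_AUTHENTICATE_PIN_CHALLENGE_RESPONSE branch the flag is cleared in place with "dwFlags &= ~CARD_AUTHENTICATE_PIN_CHALLENGE_RESPONSE;", so the summary logprintf that follows prints dwFlags(0x%X) with the bit already removed and the rest of the function can no longer tell that the caller asked for challenge / response. Consider copying the original value into a local before masking and logging that one, so a trace of a failed unblock shows what Windows actually passed in. The branch would also benefit from a code comment stating that the "response" is the static PUK and is not derived from any challenge, since that changes the security properties the caller expects from this mode and is currently recorded only in the log text and the commit message. Finally, nothing in the visible lines checks that the authentication data consists of the ASCII digit bytes the '3X' convention produces; if the code after this hunk does not already reject other byte values, a check with its own log line would make mistyped hex input easier to diagnose than a generic PUK verification failure.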
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-opensc/opensc.git