diff options
| author | Werner Koch <[email protected]> | 2019-02-11 08:07:54 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2019-02-11 08:07:54 +0000 |
| commit | b2838694402ce0cfc2ef70451bf0e6677b875ca9 (patch) | |
| tree | 8890d855a7623eb1740a0d1f9fd07e941f6a8903 | |
| parent | scd: Implement RSA signing for PIV cards. (diff) | |
| download | gnupg-b2838694402ce0cfc2ef70451bf0e6677b875ca9.tar.gz gnupg-b2838694402ce0cfc2ef70451bf0e6677b875ca9.zip | |
scd: For PIV cards used NO_AUTH instead of BAD_PIN.
* common/util.h (GPG_ERR_NO_AUTH, GPG_ERR_BAD_AUTH): Add replacement
codes for gpgrt < 1.36.
* scd/app-piv.c (auth_adm_key):
(do_genkey, do_writecert): Use better error codes.
Signed-off-by: Werner Koch <[email protected]>
| -rw-r--r-- | common/util.h | 5 | ||||
| -rw-r--r-- | scd/app-piv.c | 15 |
2 files changed, 18 insertions, 2 deletions
diff --git a/common/util.h b/common/util.h index d5bb225a7..8895137ec 100644 --- a/common/util.h +++ b/common/util.h @@ -39,7 +39,10 @@ * libgpg-error version. Define them here. * Example: (#if GPG_ERROR_VERSION_NUMBER < 0x011500 // 1.21) */ - +#if GPG_ERROR_VERSION_NUMBER < 0x012400 /* 1.36 */ +#define GPG_ERR_NO_AUTH 314 +#define GPG_ERR_BAD_AUTH 315 +#endif /*GPG_ERROR_VERSION_NUMBER*/ /* Hash function used with libksba. */ #define HASH_FNC ((void (*)(void *, const void*,size_t))gcry_md_write) diff --git a/scd/app-piv.c b/scd/app-piv.c index 1d70db51c..36086f546 100644 --- a/scd/app-piv.c +++ b/scd/app-piv.c @@ -890,6 +890,8 @@ auth_adm_key (app_t app, const unsigned char *value, size_t valuelen) PIV_ALGORITHM_3DES_ECB_0, 0x9B, tmpl, tmpllen, 0, &outdata, &outdatalen); + if (gpg_err_code (err) == GPG_ERR_BAD_PIN) + err = gpg_error (GPG_ERR_BAD_AUTH); if (err) goto leave; if (!(outdatalen && *outdata == 0x7c @@ -921,6 +923,8 @@ auth_adm_key (app_t app, const unsigned char *value, size_t valuelen) PIV_ALGORITHM_3DES_ECB_0, 0x9B, tmpl, tmpllen, 0, &outdata, &outdatalen); + if (gpg_err_code (err) == GPG_ERR_BAD_PIN) + err = gpg_error (GPG_ERR_BAD_AUTH); if (err) goto leave; if (!(outdatalen && *outdata == 0x7c @@ -937,7 +941,7 @@ auth_adm_key (app_t app, const unsigned char *value, size_t valuelen) goto leave; if (memcmp (witness, tmpl+14, 8)) { - err = gpg_error (GPG_ERR_BAD_SIGNATURE); + err = gpg_error (GPG_ERR_BAD_AUTH); goto leave; } @@ -993,6 +997,9 @@ set_adm_key (app_t app, const unsigned char *value, size_t valuelen) wipememory (apdu+8, 24); if (err) log_error ("piv: setting admin key failed; sw=%04x\n", sw); + /* A PIN is not required, thus use a better error code. */ + if (gpg_err_code (err) == GPG_ERR_BAD_PIN) + err = gpg_error (GPG_ERR_NO_AUTH); } else err = gpg_error (GPG_ERR_NOT_SUPPORTED); @@ -2490,6 +2497,9 @@ do_genkey (app_t app, ctrl_t ctrl, const char *keyrefstr, const char *keytype, tmpl, tmpllen, 0, &buffer, &buflen); if (err) { + /* A PIN is not required, thus use a better error code. */ + if (gpg_err_code (err) == GPG_ERR_BAD_PIN) + err = gpg_error (GPG_ERR_NO_AUTH); log_error (_("generating key failed\n")); return err; } @@ -2562,6 +2572,9 @@ do_writecert (app_t app, ctrl_t ctrl, (int)0x71, (size_t)1, "", /* No compress */ (int)0xfe, (size_t)0, "", /* Empty LRC. */ (int)0, (size_t)0, NULL); + /* A PIN is not required, thus use a better error code. */ + if (gpg_err_code (err) == GPG_ERR_BAD_PIN) + err = gpg_error (GPG_ERR_NO_AUTH); if (err) log_error ("piv: failed to write cert to %s: %s\n", dobj->keyref, gpg_strerror (err)); |