[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH 0/2] Try to fix problem with emulated smartcards
|
From: |
Robert Relyea |
|
Subject: |
Re: [Qemu-devel] [PATCH 0/2] Try to fix problem with emulated smartcards where invalid PIN succeeds |
|
Date: |
Mon, 09 Sep 2013 11:19:39 -0700 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130806 Thunderbird/17.0.8 |
On 09/08/2013 01:18 AM, Alon Levy wrote:
>> I started writing a blog post yesterday about virtualized smartcards here:
>>
>> https://blogs.gnome.org/halfline/2013/09/08/another-smartcard-post/
>>
>> and while testing what I was writing I noticed an invalid PIN worked when
>> it shouldn't have. It turns out that typing a valid PIN once in one program
>> in
>> the guest, is enough to make all future programs asking for the PIN to
>> succeed
>> regardless of what gets typed in for the PIN.
>>
>> I did some digging through the libcacard code, and noticed it uses the
>> NSS PK11_Authenticate function which calls a function that has this comment
>> above it:
>>
>> If we're already logged in and this function is called we
>> will still prompt for a password, but we will probably succeed
>> no matter what the password was.
>>
>> Also, PK11_Authenticate short-circuits to an early "return SECSuccess" if the
>> token
>> is already logged in.
>>
>> The two patches in this series attempt to correct this problem by calling
>> PK11_Logout.
>> I'm not 100% certain I've placed the PK11_Logout call in the best place, but
>> it does
>> seeming to fix the issue.
> Hi Ray,
>
> Thanks for the patches! It looks good to me but I'll defer to Robert,
>
> Alon
ack... The original problem is a little worse than ray says. It's not a
60 second window, it's pretty much anytime until the card is explicitly
logged out. Ray's patch will fix this.
bob
>
>>
>>
smime.p7s
Description: S/MIME Cryptographic Signature