Default apdu_masquerade settings?

Stef Hoeben-2
Hi,

since the SVN 2608 changes to card.c (see end of mail, thx Jean-Piere),
the following settings seem to be required for Windows and Mac:

    apdu_masquerade = case4as3, case1as2;

This is on purpose? Isn't it needed on Linux (pcsc-lite, openct)?

If possible, it would be nice to change things so everything works
by default on each platform without having to hack the opensc.conf first.
(Or to set the default to apdu_masquerade = case4as3, case1as2;
if this also works fine on Linux).

Cheers,
Stef


--- trunk/src/libopensc/card.c    (revision 2607)
+++ trunk/src/libopensc/card.c    (revision 2608)
@@ -129,6 +129,8 @@
     return 0;
 }
 
+/** Builds the TPDU and sends it to the reader driver
+ */
 static int sc_transceive(sc_card_t *card, sc_apdu_t *apdu)
 {
     u8 sbuf[SC_MAX_APDU_BUFFER_SIZE];
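Review bot: the new doc comment above sc_transceive does not say what the function returns or that the TPDU layout depends on card->slot->active_protocol, which the later hunks of this patch introduce. Suggest documenting both, so reader drivers that never set the protocol know which layout they will get.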
@@ -161,6 +163,9 @@
     *data++ = apdu->p2;
     switch (apdu->cse) {
     case SC_APDU_CASE_1:
+        if (card->slot->active_protocol == SC_PROTO_T0)
+            /* TO adds an additional 0x00 byte to the TPDU */
+            *data++;
         break;
     case SC_APDU_CASE_2_SHORT:
         *data++ = (u8) apdu->le;
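Review bot: in the SC_APDU_CASE_1 branch, "*data++;" advances the pointer but stores nothing, so the fifth TPDU byte is whatever sbuf already held, and sbuf is declared above without an initializer. Write the byte explicitly with "*data++ = 0x00;" and put braces around the if body, since a comment sits between the condition and the statement. The comment also says "TO" where "T0" is meant.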
@@ -183,10 +188,9 @@
             return SC_ERROR_INVALID_ARGUMENTS;
         memcpy(data, apdu->data, data_bytes);
         data += data_bytes;
-        if (apdu->le == 256)
-            *data++ = 0x00;
-        else
-            *data++ = (u8) apdu->le;
+        if (card->slot->active_protocol != SC_PROTO_T0)
+            /* unless T0 is used add Le byte */
+            *data++ = (u8) (apdu->le & 0xff);
         break;
     }
     sendsize = data - sbuf;
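Review bot: in the branch that appends Le after the memcpy, "(u8) (apdu->le & 0xff)" replaces the explicit le == 256 test, so every le above 255 is now silently truncated (257 would go out as 0x01) rather than only 256 mapping to 0x00. Suggest a range check on apdu->le that returns SC_ERROR_INVALID_ARGUMENTS, like the return just above the memcpy, before the byte is written. Braces around the if body would also help here, for the same comment-before-statement reason as in the case 1 branch.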
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel

Re: Default apdu_masquerade settings?

Nils Larsch
Stef Hoeben wrote:
> Hi,
>
> since the SVN 2608 changes to card.c (see end of mail, thx Jean-Piere),
> the following settings seem to be required for Windows and Mac:
>
>     apdu_masquerade = case4as3, case1as2;
>
> This is on purpose? Isn't it needed on Linux (pcsc-lite, openct)?

please see [1] for the reason for the change

>
> If possible, it would be nice to change things so everything works
> by default on each platform without having to hack the opensc.conf first.
> (Or to set the default to apdu_masquerade = case4as3, case1as2;
> if this also works fine on Linux).

Do you use T0 or T1 ? pcsc ? What's the value of
card->slot->active_protocol ?

Cheers,
Nils

[1] http://opensc.org/pipermail/opensc-devel/2005-September/007223.html

Re: Default apdu_masquerade settings?

Andreas Jellinghaus-2
In reply to this post by Stef Hoeben-2
On Thursday 06 October 2005 11:58, Stef Hoeben wrote:
> Hi,
>
> since the SVN 2608 changes to card.c (see end of mail, thx Jean-Piere),
> the following settings seem to be required for Windows and Mac:
>
>     apdu_masquerade = case4as3, case1as2;

yes.

> If possible, it would be nice to change things so everything works
> by default on each platform without having to hack the opensc.conf first.

your changes will break openct and ct-api (those don't export the
protocol, so your if clause doesn't work).

> (Or to set the default to apdu_masquerade = case4as3, case1as2;
> if this also works fine on Linux).

let's change that, and see if it breaks for anyone, ok?
on windows I ship the config file with case4as3 all
the time and never heard any complaint about it.

a long term solution would be to do the apdu->tpdu conversion
in reader-* code, not in the generic code.

Andreas

Re: Default apdu_masquerade settings?

Nils Larsch
Andreas Jellinghaus wrote:

> On Thursday 06 October 2005 11:58, Stef Hoeben wrote:
>
>>Hi,
>>
>>since the SVN 2608 changes to card.c (see end of mail, thx Jean-Piere),
>>the following settings seem to be required for Windows and Mac:
>>
>>    apdu_masquerade = case4as3, case1as2;
>
>
> yes.

why ?

>>If possible, it would be nice to change things so everything works
>>by default on each platform without having to hack the opensc.conf first.
>
>
> your changes will break openct and ct-api (those don't export the
> protocol, so your if clause doesn't work).
>
>
>>(Or to set the default to apdu_masquerade = case4as3, case1as2;
>>if this also works fine on Linux).
>
>
> let's change that, and see if it breaks for anyone, ok?
> on windows I ship the config file with case4as3 all
> the time and never heard any complaint about it.

can it be that either windows pcsc doesn't set the currently used
protocol version or that windows pcsc expects APDUs instead of TPDUs ?

>
> a long term solution would be to do the apdu->tpdu conversion
> in reader-* code, not in the generic code.

if the windows pcsc uses reader-pcsc.c this will only shift the
problem from card.c to reader-pcsc.c but it will not solve it

Cheers,
Nils

Re: Default apdu_masquerade settings?

Andreas Jellinghaus-2
On Thursday 06 October 2005 21:27, Nils Larsch wrote:
> if the windows pcsc uses reader-pcsc.c this will only shift the
> problem from card.c to reader-pcsc.c but it will not solve it

but changes in reader-pcsc.c cannot break openct and ct-api.
or at least a lot less likely :)

It isn't a very nice design, if common code looks at config
file properties for "reader pcsc", right? code that does this
should be in reader-pcsc, I think.

Andreas

Re: Default apdu_masquerade settings?

Stef Hoeben-2
Hi,

my 2 cents for 2 thoughts:

- IMHO, pcsc is our main reader API, if only because it's available on
  all/most platforms

- IMHO, it would be nice if people could build & run OpenSC themselves,
  without having to hack a config file first to set obscure,
  undocumented options

If we could agree on a way to settle this and you want to put it in
beta2; just let me know how to help.

Cheers,
Stef

Andreas Jellinghaus wrote:

>On Thursday 06 October 2005 21:27, Nils Larsch wrote:
>  
>
>>if the windows pcsc uses reader-pcsc.c this will only shift the
>>problem from card.c to reader-pcsc.c but it will not solve it
>>    
>>
>
>but changes in reader-pcsc.c cannot break openct and ct-api.
>or at least a lot less likely :)
>
>It isn't a very nice design, if common code looks at config
>file properties for "reader pcsc", right? code that does this
>should be in reader-pcsc, I think.
>
>Andreas

Re: Default apdu_masquerade settings?

Andreas Jellinghaus-2
On Friday 07 October 2005 09:08, Stef Hoeben wrote:

> Hi,
>
> my 2 cents for 2 thoughts:
>
> - IMHO, pcsc is our main reader API, if only because it's available on
> all/most platforms
>
> - IMHO, it would be nice if people could build & run OpenSC themselves,
> without
>   having to hack a config file first to set obscure, undocumented options
>
> If we could agree on a way to settle this and you want to put it in
> beta2; just let me know
> how to help.

well I changed the config file, so if you checkout latest svn, it should be
fine. but I haven't had a chance to test this myself so far.

Andreas

Re: Default apdu_masquerade settings?

Nils Larsch
In reply to this post by Stef Hoeben-2
Stef Hoeben wrote:
...
> If we could agree on a way to settle this and you want to put it in
> beta2; just let me know
> how to help.

I'm not really happy with this "solution", I would like to know where
exactly the problem is. I guess card uses T0 and you're using pcsc.
Afaik pcsc-lite (and I hope the same is true for the windows pcsc
implementation) expects a TPDU and hence I committed the
"if (card->slot->active_protocol == SC_PROTO_T0)" statements in
sc_transceive to 'fix' the apdu.
But if we have "card->slot->active_protocol == SC_PROTO_T0"
sc_transceive should automatically do the "masquerade" (or in other
words create T0 TPDUs) even without these options.

Cheers,
Nils

Re: Default apdu_masquerade settings?

Stef Hoeben-2
Nils Larsch wrote:

> Stef Hoeben wrote:
> ...
>
>> If we could agree on a way to settle this and you want to put it in
>> beta2; just let me know
>> how to help.
>
>
> I'm not really happy with this "solution", I would like to know where
> exactly the problem is. I guess card uses T0 and you're using pcsc.
> Afaik pcsc-lite (and I hope the same is true for the windows pcsc
> implementation) expects a TPDU and hence I committed the
> "if (card->slot->active_protocol == SC_PROTO_T0)" statements in
> sc_transceive to 'fix' the apdu.
> But if we have "card->slot->active_protocol == SC_PROTO_T0"
> sc_transceive should automatically do the "masquerade" (or in other
> words create T0 TPDUs) even without these options.

Hm, there seems indeed to be an error:

With "case1as2" on Windows, I get: e.g.
  Masquerading case 1 APDU as case 2
  Sending 5 bytes (resp. 258 bytes):
  00 44 00 00 00 .D...
  Received 0 bytes (SW1=90 SW2=00)

Without the "case1as2", I get:
  Sending 5 bytes (resp. 258 bytes):
  00 44 00 00 E8 .D...
  => transmit error.
And each time I try, the last byte (here E8) is something else...

So it looks like the last byte doesn't get set to 0?
(Or is it the intention that only 4 bytes are sent?)

BTW: it seems the "case1as2" is also required for pcsc on Linux..

PS: the "case4as3" doesn't seem to have an influence on Windows,
it works fine with and without this option.

Cheers,
Stef


Re: Default apdu_masquerade settings?

Nils Larsch
Stef Hoeben wrote:

> Nils Larsch wrote:
>
>> Stef Hoeben wrote:
>> ...
>>
>>> If we could agree on a way to settle this and you want to put it in
>>> beta2; just let me know
>>> how to help.
>>
>>
>>
>> I'm not really happy with this "solution", I would like to know where
>> exactly the problem is. I guess card uses T0 and you're using pcsc.
>> Afaik pcsc-lite (and I hope the same is true for the windows pcsc
>> implementation) expects a TPDU and hence I committed the
>> "if (card->slot->active_protocol == SC_PROTO_T0)" statements in
>> sc_transceive to 'fix' the apdu.
>> But if we have "card->slot->active_protocol == SC_PROTO_T0"
>> sc_transceive should automatically do the "masquerade" (or in other
>> words create T0 TPDUs) even without these options.
>
>
> Hm, there seems indeed to be an error:
>
> With "case1as2" on Windows, I get: e.g.
>  Masquerading case 1 APDU as case 2
>  Sending 5 bytes (resp. 258 bytes):
>  00 44 00 00 00 .D...
>  Received 0 bytes (SW1=90 SW2=00)
>
> Without the "case1as2", I get:
>  Sending 5 bytes (resp. 258 bytes):
>  00 44 00 00 E8 .D...
>  => transmit error.
> And each time I try, the last byte (here E8) is something else...

sorry, stupid typo. Could you please test a new snapshot.

Cheers,
Nils

Re: Default apdu_masquerade settings?

Andreas Jellinghaus-2
In reply to this post by Nils Larsch
On Friday 07 October 2005 20:35, Nils Larsch wrote:
> "if (card->slot->active_protocol == SC_PROTO_T0)" statements in
> sc_transceive to 'fix' the apdu.

those break openct and ct-api, as neither sets the active
protocol.

> But if we have "card->slot->active_protocol == SC_PROTO_T0"
> sc_transceive should automatically do the "masquerade" (or in other
> words create a T0 TPDUs) even without these options.

I think slot->active_protocol is a bad design and should go away.
it is fine if the reader-* implementation knows about it, but
I don't see any reason why the generic code should know or care.

I strongly refuse any change that will break openct.

we are in beta stage and I think now is the time for workarounds
to get things going. clean redesigns should be left for 0.11.0.

if anyone can report that the config file stuff does not help,
please do so. currently my view is the config file settings
solve all known problems, and do not break openct or ct-api
and thus I prefer those for 0.10.0 (and a cleanup for 0.11.0).

Andreas

Re: Default apdu_masquerade settings?

Andreas Jellinghaus-2
In reply to this post by Stef Hoeben-2
On Saturday 08 October 2005 22:39, Stef Hoeben wrote:
> PS: the "case4as3" doesn't seem to have an influence on Windows,
> it works fine with and without this option.

at least when I started working on scb, it was absolutely necessary
to add that option, to get cryptoflex in egate to work. thus I set
that as default on windows, and never got a problem report about it.
guess it works and does not do any harm.

the case4as3 issue is at least two years old. It is a good idea to
look at it in detail and get it right for once and for all. but
I'm not sure that "beta2 real soon now" is a good timing.

Regards, Andreas

Re: Default apdu_masquerade settings?

Stef Hoeben-2
In reply to this post by Nils Larsch
Hi Nils,

ok, now it works fine.
(it doesn't seem to matter if you set the option or not,
in both cases there are 5 bytes sent..)

Cheers,
Stef

Nils Larsch wrote:

> Stef Hoeben wrote:
>
>> Nils Larsch wrote:
>>
>>> Stef Hoeben wrote:
>>> ...
>>>
>>>> If we could agree on a way to settle this and you want to put it
>>>> in beta2; just let me know
>>>> how to help.
>>>
>>>
>>>
>>>
>>> I'm not really happy with this "solution", I would like to know where
>>> exactly the problem is. I guess card uses T0 and you're using pcsc.
>>> Afaik pcsc-lite (and I hope the same is true for the windows pcsc
>>> implementation) expects a TPDU and hence I committed the
>>> "if (card->slot->active_protocol == SC_PROTO_T0)" statements in
>>> sc_transceive to 'fix' the apdu.
>>> But if we have "card->slot->active_protocol == SC_PROTO_T0"
>>> sc_transceive should automatically do the "masquerade" (or in other
>>> words create T0 TPDUs) even without these options.
>>
>>
>>
>> Hm, there seems indeed to be an error:
>>
>> With "case1as2" on Windows, I get: e.g.
>>  Masquerading case 1 APDU as case 2
>>  Sending 5 bytes (resp. 258 bytes):
>>  00 44 00 00 00 .D...
>>  Received 0 bytes (SW1=90 SW2=00)
>>
>> Without the "case1as2", I get:
>>  Sending 5 bytes (resp. 258 bytes):
>>  00 44 00 00 E8 .D...
>>  => transmit error.
>> And each time I try, the last byte (here E8) is something else...
>
>
> sorry, stupid typo. Could you please test a new snapshot.
>
> Cheers,
> Nils
>


Re: Default apdu_masquerade settings?

Nils Larsch
Stef Hoeben wrote:
> Hi Nils,
>
> ok, now it works fine.
> (it doesn't seem to matter if you set the option or not,
> in both cases there are 5 bytes sent..)

yep, the "case1as2" option is useless now as in case of T0
pcsc always needs a 5 byte case 1 APDU, everything else is a bug.
The same should be true for "case4as3". As both options are
useless I will remove them once 0.10 is out (not sure about
the third masquerade option).

Cheers,
Nils
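
The T=0 framing described in the message above (a case 1 command always goes out as 5 bytes, and case 4 is sent without Le), as an added example: it is not OpenSC's sc_transceive or code from this thread, and struct apdu, enum apdu_case and apdu_to_t0_tpdu are names made up here. It goes beyond the thread by also covering cases 2 and 3 and by rejecting out-of-range lengths instead of truncating them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical types for this example; not OpenSC's sc_apdu_t. */
enum apdu_case { CASE_1, CASE_2_SHORT, CASE_3_SHORT, CASE_4_SHORT };

struct apdu {
    enum apdu_case cse;
    uint8_t cla, ins, p1, p2;
    const uint8_t *data; /* command data (cases 3 and 4) */
    size_t lc;           /* 1..255 in cases 3 and 4 */
    size_t le;           /* 1..256 in cases 2 and 4; 256 is sent as 0x00 */
};

/* Build a T=0 TPDU (always header + P3, so at least 5 bytes).
 * Returns the TPDU length, or -1 on bad arguments or a short buffer. */
int apdu_to_t0_tpdu(const struct apdu *a, uint8_t *out, size_t outlen)
{
    uint8_t *p = out;
    if (a == NULL || out == NULL || outlen < 5)
        return -1;
    *p++ = a->cla; *p++ = a->ins;
    *p++ = a->p1;  *p++ = a->p2;
    switch (a->cse) {
    case CASE_1:
        *p++ = 0x00; /* store P3; only advancing the pointer sends stale memory */
        break;
    case CASE_2_SHORT:
        if (a->le < 1 || a->le > 256)
            return -1; /* reject rather than truncate with & 0xff */
        *p++ = (uint8_t)(a->le & 0xff);
        break;
    case CASE_3_SHORT:
    case CASE_4_SHORT:
        if (a->data == NULL || a->lc < 1 || a->lc > 255 || outlen - 5 < a->lc)
            return -1;
        if (a->cse == CASE_4_SHORT && (a->le < 1 || a->le > 256))
            return -1;
        *p++ = (uint8_t)a->lc;
        memcpy(p, a->data, a->lc);
        p += a->lc;
        /* Case 4 under T=0 carries no Le; the response is fetched afterwards. */
        break;
    default:
        return -1;
    }
    return (int)(p - out);
}

int main(void)
{
    uint8_t buf[16];
    struct apdu c1 = { CASE_1, 0x00, 0x44, 0x00, 0x00, NULL, 0, 0 };
    int n, i;
    memset(buf, 0xE8, sizeof buf); /* constructed stale buffer contents */
    n = apdu_to_t0_tpdu(&c1, buf, sizeof buf);
    for (i = 0; i < n; i++)
        printf("%02X ", buf[i]);
    printf("\n");
    return 0;
}
```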

Re: Default apdu_masquerade settings?

Nils Larsch
In reply to this post by Andreas Jellinghaus-2
Andreas Jellinghaus wrote:
> On Friday 07 October 2005 20:35, Nils Larsch wrote:
>
>>"if (card->slot->active_protocol == SC_PROTO_T0)" statements in
>>sc_transceive to 'fix' the apdu.
>
>
> those break openct and ct-api, as neither sets the active
> protocol.

yep, and hence they get the unmodified APDU as required

>
>
>>But if we have "card->slot->active_protocol == SC_PROTO_T0"
>>sc_transceive should automatically do the "masquerade" (or in other
>>words create a T0 TPDUs) even without these options.
>
>
> I think slot->active_protocol is a bad design and should go away.
> it is fine if the reader-* implementation knows about it, but
> I don't see any reason why the generic code should know or care.
>
> I strongly refuse any change that will break openct.

as openct doesn't set the active_protocol value the checks for
active_protocol in sc_transceive have no effect on openct (and ctapi).

Cheers,
Nils

Re: Default apdu_masquerade settings?

Nils Larsch
In reply to this post by Andreas Jellinghaus-2
Andreas Jellinghaus wrote:

> On Saturday 08 October 2005 22:39, Stef Hoeben wrote:
>
>>PS: the "case4as3" doesn't seem to have an influence on Windows,
>>it works fine with and without this option.
>
>
> at least when I started working on scb, it was absolutely necessary
> to add that option, to get cryptoflex in egate to work. thus I set
> that as default on windows, and never got a problem report about it.
> guess it works and does not do any harm.

could you try if it's still necessary (it shouldn't)

>
> the case4as3 issue is at least two years old. It is a good idea to
> look at it in detail and get it right for once and for all. but
> I'm not sure that "beta2 real soon now" is a good timing.

as far as I understand this issue it shouldn't be necessary anymore
(but to be honest the "case4as3" option doesn't hurt, actually it
should have no effect at all).

Cheers,
Nils

Re: Default apdu_masquerade settings?

Andreas Jellinghaus-2
In reply to this post by Nils Larsch
On Sunday 09 October 2005 22:34, Nils Larsch wrote:

> Andreas Jellinghaus wrote:
> > On Friday 07 October 2005 20:35, Nils Larsch wrote:
> >
> >>"if (card->slot->active_protocol == SC_PROTO_T0)" statements in
> >>sc_transceive to 'fix' the apdu.
> >
> >
> > those break openct and ct-api, as neither sets the active
> > protocol.
>
> yep, and hence they get the unmodified APDU as required

ah, right. you changed the definition of SC_PROTO_T0, if I
remember correctly? (earlier it was 0 and the default value
in that field was 0, so it did match...) now I remember.

will check later on windows if cryptoflex/egate now work
without those config file entry changes.

Andreas