New version of pcsc-lite: 1.6.7

I just released a new version of pcsc-lite: 1.6.7.

pcsc-lite-1.6.7: Ludovic Rousseau
22 February 2011

  • better Mac OS X support
  • Fix Alioth bug [#312960] "SCardDisconnect when other context has transaction"
  • add an API tracing feature in the client side (#define DO_TRACE)
  • allow the use of tracing and profiling features from different application threads
  • fix a problem with a multi-slots reader
  • fix minor problems detected by the clang tool
  • some other minor improvements and bug corrections

The next version of pcsc-lite should use libudev instead of the deprecated libhal.

pcsc-lite: arbitrary code execution

LWN published a message about "pcsc-lite: arbitrary code execution":

pcsc-lite: arbitrary code execution

Package(s): pcsc-lite
CVE #(s): CVE-2010-4531
Created: January 14, 2011
Updated: February 3, 2011
Description: From the Red Hat bugzilla:
A stack-based buffer overflow flaw was found in the way PC/SC Lite smart card framework decoded certain attribute values of the Answer-to-Reset (ATR) message, received back from the card after connecting. A local attacker could use this flaw to execute arbitrary code with the privileges of the user running the pcscd daemon, via a malicious smart card inserted to the system USB port.
Alerts:
Fedora FEDORA-2011-0164 2011-01-05
Fedora FEDORA-2011-0123 2011-01-05
Mandriva MDVSA-2011:015 2011-01-20
Debian DSA-2156-1 2011-01-31
openSUSE openSUSE-SU-2011:0092-1 2011-02-02
Pardus 2011-24 2011-02-02


The description of the bug is correct (this time). But I am not sure it would be possible to execute arbitrary code. The ATR is still limited to MAX_ATR_SIZE=33 bytes.

The bug was fixed on 3rd November 2010 in revision 5370, more than a month before MWR InfoSecurity published the security advisory "PCSC-Lite: pcscd ATR Handler Buffer Overflow" on 13th December 2010.

Debian 6.0 was released just yesterday. The pcscd package in this version contains the fix.

ccid: arbitrary code execution

LWN published a message about "ccid: arbitrary code execution":

ccid: arbitrary code execution

Package(s): ccid
CVE #(s): CVE-2010-4530
Created: January 14, 2011
Updated: February 3, 2011
Description: From the Red Hat bugzilla:
An integer overflow, leading to array index error was found in the way USB CCID (Chip/Smart Card Interface Devices) driver processed certain values of card serial number. A local attacker could use this flaw to execute arbitrary code, with the privileges of the user running the pcscd daemon, via a malicious smart card with specially-crafted value of its serial number, inserted to the system USB port.
Alerts:
Fedora FEDORA-2011-0162 2011-01-05
Fedora FEDORA-2011-0143 2011-01-05
Mandriva MDVSA-2011:014 2011-01-20
openSUSE openSUSE-SU-2011:0092-1 2011-02-02
Pardus 2011-22 2011-02-02

The description of the problem is not exact. The problem is present in file ccid/src/ccid_serial.c and only impacts the GemPC Twin connected to a serial port.

The bug was fixed on 5th November 2010 in revisions 5381 and 5382, more than a month before MWR InfoSecurity published the security advisory "PCSC-Lite: libccid Buffer Overflow" on 13th December 2010.

Debian 6.0 was released just yesterday. The libccid package in this version contains the fix. Debian did not release a Debian Security Advisory because the bug is minor.

PCSC API spy, another way

In a previous post "PCSC API spy for GNU systems" I described the use of ltrace to trace the PC/SC API calls with the arguments.

ltrace limitations

ltrace can only trace calls made by the program itself. It does not work in two common cases in the smart card world:

library loading at run time


If the libpcsclite.so.1 library is loaded at run time using dlopen() then ltrace can't be used.

For example OpenSC now uses dlopen to load libpcsclite.so.1.

library used by another library


A PKCS#11 library using a smart card will be linked to libpcsclite.so.1. The program you trace with ltrace may be linked directly to the PKCS#11 library (to avoid the previous limitation). In this case ltrace will only be able to trace the calls into the PKCS#11 library, not the calls from the PKCS#11 library to the libpcsclite.so.1 library.

Usefulness of ltrace?


With these 2 limitations the use of ltrace is very limited. It works well for a test program doing direct winscard calls. But it is useless for a PKCS#11 library.

Internal tracing feature


So the idea is to do the tracing inside the PC/SC library itself.

Profiling


I already had a profiling feature on the client side. It offers the possibility to log every PC/SC call and the time spent in each call. It is useful to know where time is spent in the application and to detect some application bugs (like fewer SCardReleaseContext() calls than SCardEstablishContext() calls).

Profiling is activated by defining DO_PROFILE in PCSC/src/winscard_clnt.c and recompiling + reinstalling libpcsclite.so.1.

I wrote a Perl script to generate a report from the traces.

Example trace file generated by the pcsc/src/testpcscd "sample":

Start a new profile
SCardEstablishContext 169
SCardIsValidContext 1
SCardIsValidContext 0
SCardListReaderGroups 1
SCardFreeMemory 1
SCardListReaders 26
SCardListReaders 26
SCardGetStatusChange 24
SCardConnect 15766
SCardTransmit 2952
SCardControl 1902
SCardGetAttrib 133
SCardFreeMemory 0
SCardGetAttrib 66
SCardFreeMemory 1
SCardGetAttrib 94
SCardGetAttrib 103
SCardGetAttrib 36
SCardSetAttrib 41
SCardStatus 171
SCardFreeMemory 1
SCardFreeMemory 0
SCardReconnect 112890
SCardDisconnect 90827
SCardFreeMemory 1
SCardReleaseContext 170


Example result:

(6) SCardFreeMemory: 4 µs
(5) SCardGetAttrib: 432 µs
(2) SCardIsValidContext: 1 µs
(2) SCardListReaders: 52 µs
(1) SCardDisconnect: 90827 µs
(1) SCardTransmit: 2952 µs
(1) SCardGetStatusChange: 24 µs
(1) SCardStatus: 171 µs
(1) SCardReconnect: 112890 µs
(1) SCardConnect: 15766 µs
(1) SCardEstablishContext: 169 µs
(1) SCardControl: 1902 µs
(1) SCardSetAttrib: 41 µs
(1) SCardListReaderGroups: 1 µs
(1) SCardReleaseContext: 170 µs
total: 225402 µs

Percentages:
50.08%: SCardReconnect
40.30%: SCardDisconnect
6.99%: SCardConnect
1.31%: SCardTransmit
0.84%: SCardControl
0.19%: SCardGetAttrib
0.08%: SCardStatus
0.08%: SCardReleaseContext
0.07%: SCardEstablishContext
0.02%: SCardListReaders
0.02%: SCardSetAttrib
0.01%: SCardGetStatusChange
0.00%: SCardFreeMemory
0.00%: SCardIsValidContext
0.00%: SCardListReaderGroups


In the first list the WinSCard calls are sorted by number of occurrences, with the total execution time of each.
In the second list the WinSCard calls are sorted by percentage of the total time used.
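As an added example (written in Python here, not the author's Perl script), this is a report generator for the DO_PROFILE output shown above: it parses the trace file, builds the two lists, and also performs the SCardEstablishContext()/SCardReleaseContext() balance check mentioned earlier. The sample trace is a shortened copy of the one above.

```python
"""Report generator for a libpcsclite DO_PROFILE trace (added example, written
in Python rather than the author's Perl). Input: a "Start a new profile" line
followed by one "<function> <microseconds>" line per WinSCard call."""

# Constructed sample: a shortened copy of the trace file shown on the page
SAMPLE_TRACE = """\
Start a new profile
SCardEstablishContext 169
SCardIsValidContext 1
SCardIsValidContext 0
SCardListReaders 26
SCardListReaders 26
SCardConnect 15766
SCardTransmit 2952
SCardDisconnect 90827
SCardReleaseContext 170
"""

def parse_profile(text):
    """Return [(function, microseconds)] for the last profile run in `text`."""
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "Start a new profile":
            calls = []                      # a new run discards the previous one
            continue
        name, _, value = line.rpartition(" ")
        if not name or not value.isdigit():
            raise ValueError("malformed profile line: %r" % line)
        calls.append((name, int(value)))
    return calls

def summarize(calls):
    """Per function: {name: (number of calls, total microseconds)}."""
    stats = {}
    for name, us in calls:
        count, total = stats.get(name, (0, 0))
        stats[name] = (count + 1, total + us)
    return stats

def by_occurrence(stats):
    """First list: sorted by number of calls (descending), then by name."""
    return sorted(stats.items(), key=lambda kv: (-kv[1][0], kv[0]))

def by_time_share(stats):
    """Second list: [(name, percentage of total time)] sorted by share."""
    total = sum(t for _, t in stats.values())
    rows = [(n, 100.0 * t / total if total else 0.0) for n, (_, t) in stats.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def context_balance(calls):
    """SCardEstablishContext() calls minus SCardReleaseContext() calls; a
    positive value is the application bug mentioned above (leaked context)."""
    names = [n for n, _ in calls]
    return names.count("SCardEstablishContext") - names.count("SCardReleaseContext")

def report(text):
    """Render both lists in the layout of the example result above."""
    calls = parse_profile(text)
    stats = summarize(calls)
    out = ["(%d) %s: %d µs" % (c, n, t) for n, (c, t) in by_occurrence(stats)]
    out.append("total: %d µs" % sum(t for _, t in stats.values()))
    out += ["", "Percentages:"]
    out += ["%.2f%%: %s" % (p, n) for n, p in by_time_share(stats)]
    leaked = context_balance(calls)
    if leaked > 0:
        out.append("warning: %d context(s) established but never released" % leaked)
    return "\n".join(out)

if __name__ == "__main__":
    print(report(SAMPLE_TRACE))
```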

Tracing


The profiling feature is fine but does not give the parameters used in the calls.
So I added a tracing feature.

Tracing is activated by defining DO_TRACE in PCSC/src/winscard_clnt.c and recompiling + reinstalling libpcsclite.so.1.

Example trace file generated by the pcsc/src/testpcscd "sample":


< [7FFF70121CA0] SCardEstablishContext 2, 0x0, 0x0
> [7FFF70121CA0] SCardEstablishContext 16997142
< [7FFF70121CA0] SCardIsValidContext 16997142
> [7FFF70121CA0] SCardIsValidContext
< [7FFF70121CA0] SCardIsValidContext 16997143
> [7FFF70121CA0] SCardIsValidContext
< [7FFF70121CA0] SCardListReaders 16997142
> [7FFF70121CA0] SCardListReaders 26
< [7FFF70121CA0] SCardListReaders 16997142
> [7FFF70121CA0] SCardListReaders 26
< [7FFF70121CA0] SCardGetStatusChange 16997142 -1 1
< [7FFF70121CA0] SCardGetStatusChange [0] Gemalto GemPC Twin 00 00 10 0
> [7FFF70121CA0] SCardGetStatusChange [0] Gemalto GemPC Twin 00 00 10 22
< [7FFF70121CA0] SCardConnect 16997142 Gemalto GemPC Twin 00 00 2 3
> [7FFF70121CA0] SCardConnect 1
< [7FFF70121CA0] SCardDisconnect 71159 2
> [7FFF70121CA0] SCardDisconnect
< [7FFF70121CA0] SCardReleaseContext 16997142
> [7FFF70121CA0] SCardReleaseContext


< lines are IN arguments
> lines are OUT arguments

The value within [] is the thread identification.

You should look at the source code to know what the other data are.

Not all the functions are covered by the tracing feature. For example SCardTransmit has no tracing facility. But it is easy to get the arguments on the pcscd side using --debug --foreground --apdu.
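As an added example (not code from pcsc-lite), here is a small Python parser for this trace format: it pairs each `<` line with the `>` line of the same thread, collecting the extra `<` lines that a call such as SCardGetStatusChange logs, and then follows the context handle (returned by SCardEstablishContext, passed as first IN argument to the later calls, freed by SCardReleaseContext, as the trace above shows) to report handles used without having been established and handles never released. The sample is a shortened copy of the trace above.

```python
"""Pair the '<' (IN) and '>' (OUT) lines of a libpcsclite DO_TRACE log per
thread and follow the SCARDCONTEXT handles through the calls. Added example,
not part of pcsc-lite; argument positions are those visible in the page's trace."""
import re

# Constructed sample: a shortened copy of the trace shown on the page
SAMPLE_TRACE = """\
< [7FFF70121CA0] SCardEstablishContext 2, 0x0, 0x0
> [7FFF70121CA0] SCardEstablishContext 16997142
< [7FFF70121CA0] SCardIsValidContext 16997142
> [7FFF70121CA0] SCardIsValidContext
< [7FFF70121CA0] SCardIsValidContext 16997143
> [7FFF70121CA0] SCardIsValidContext
< [7FFF70121CA0] SCardGetStatusChange 16997142 -1 1
< [7FFF70121CA0] SCardGetStatusChange [0] Gemalto GemPC Twin 00 00 10 0
> [7FFF70121CA0] SCardGetStatusChange [0] Gemalto GemPC Twin 00 00 10 22
< [7FFF70121CA0] SCardReleaseContext 16997142
> [7FFF70121CA0] SCardReleaseContext
"""

# direction, thread id (the value within []), function name, rest of the line
LINE_RE = re.compile(r"^([<>]) \[([0-9A-Fa-f]+)\] (\w+)\s*(.*)$")

def pair_calls(text):
    """Return [(thread, function, in_lines, out_args)] in completion order.
    A call may log several '<' lines (SCardGetStatusChange does); they are
    collected until the matching '>' line of the same thread arrives."""
    pending = {}                     # thread -> [function, [IN lines]]
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                 # not a trace line (e.g. other log output)
        direction, tid, func, args = m.groups()
        if direction == "<":
            cur = pending.get(tid)
            if cur and cur[0] == func:
                cur[1].append(args)  # additional IN line of the same call
            else:
                pending[tid] = [func, [args]]
        else:
            cur = pending.pop(tid, None)
            if cur is None or cur[0] != func:
                raise ValueError("OUT line without matching IN: %r" % raw)
            calls.append((tid, func, cur[1], args))
    return calls

# Calls whose first IN argument is the SCARDCONTEXT in the page's trace
CONTEXT_FIRST_ARG = {"SCardIsValidContext", "SCardListReaders",
                     "SCardGetStatusChange", "SCardConnect", "SCardReleaseContext"}

def audit_contexts(calls):
    """Return (uses of a handle never established, handles never released)."""
    live, unknown = set(), []
    for _tid, func, in_lines, out_args in calls:
        if func == "SCardEstablishContext":
            live.add(out_args.split()[0])        # OUT argument is the new handle
        elif func in CONTEXT_FIRST_ARG:
            handle = in_lines[0].split()[0]
            if handle not in live:
                unknown.append((func, handle))
            elif func == "SCardReleaseContext":
                live.discard(handle)
    return unknown, sorted(live)

if __name__ == "__main__":
    print(audit_contexts(pair_calls(SAMPLE_TRACE)))
```

On the sample this reports the second SCardIsValidContext call, whose handle 16997143 was never returned by SCardEstablishContext, and no leaked context.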

Conclusion


ltrace is a nice tool but not usable for tracing libraries using PC/SC.

pcsc-lite profiling is nice but does not give the parameters used.

pcsc-lite tracing is an answer to the problem.

Of course profiling and tracing in libpcsclite are DISABLED by default and should stay disabled on a deployed system. They are helper tools for a developer.

MUSCLE mailing list statistics for 2010

As I did for 2009, here are the statistics from the MUSCLE mailing list for 2010.


Again I am the mail poster number one :-)

Statistics from 1.1.2010 to 29.12.2010
for muscle@lists.musclecard.com



People who have written most messages:

Rank  Author  Msg  Percent
1 ludovic.rousseau@gmail.com 213 29.67 %
2 squalyl@gmail.com 47 6.55 %
3 martin@paljak.pri.ee 42 5.85 %
4 drasko.draskovic@gmail.com 26 3.62 %
5 deengert@anl.gov 25 3.48 %
6 aj@dungeon.inka.de 18 2.51 %
7 acptsys@gmail.com 17 2.37 %
8 mstjohns@comcast.net 14 1.95 %
9 fundu_1999@yahoo.com 13 1.81 %
10 vtanna1@gmail.com 12 1.67 %
11 brocean@gmail.com 11 1.53 %
12 nsayer@kfu.com 10 1.39 %
13 tkoeppen.nospam@googlemail.com 8 1.11 %
14 nicholas.cole@gmail.com 8 1.11 %
15 kalev@smartlink.ee 8 1.11 %
16 roger.brown@snapper.co.nz 8 1.11 %
17 dr.claudia.neumann@gmx.de 7 0.97 %
18 Ivar.Nilsson@kapsch.net 7 0.97 %
19 jmpoure@gooze.eu 7 0.97 %
20 max.vozeler@lsexperts.de 6 0.84 %
21 linuxprocess@free.fr 6 0.84 %
22 valerie.fenwick@oracle.com 6 0.84 %
23 marcelmancini@hotmail.com 6 0.84 %
24 han.hartgers@gmail.com 5 0.70 %
25 kreinholz@gmail.com 5 0.70 %
26 baran.murat@gmail.com 5 0.70 %
27 pakorodri@gmail.com 5 0.70 %
28 lcstyle@hotmail.com 4 0.56 %
29 hugomc.silva@gmail.com 4 0.56 %
30 caruso.ray@gmail.com 4 0.56 %
other 161 22.42 %

Best authors, by total size of their messages (w/o quoting):

Rank  Author  KBytes
1 ludovic.rousseau@gmail.com 177.1
2 squalyl@gmail.com 155.8
3 deengert@anl.gov 79.8
4 vtanna1@gmail.com 57.2
5 marcelmancini@hotmail.com 51.9
6 sasha.garcya@gmail.com 47.2
7 kreinholz@gmail.com 42.6
8 lcstyle@hotmail.com 42.5
9 dr.claudia.neumann@gmx.de 40.5
10 han.hartgers@gmail.com 40.1
11 pakorodri@gmail.com 36.2
12 forest@alittletooquiet.net 34.2
13 drasko.draskovic@gmail.com 31.5
14 praveenya.g@gmail.com 30.7
15 martin@paljak.pri.ee 28.2
16 Paul.Klissner@sun.com 24.8
17 mstjohns@comcast.net 24.7
18 caruso.ray@gmail.com 24.6
19 amustelier@tecatel.com 21.4
20 Michael.Bender@sun.com 20.0
21 tkoeppen.nospam@googlemail.com 19.5
22 aj@dungeon.inka.de 18.6
23 mbrown@dsci.com 18.5
24 amiad.salton@gmail.com 17.9
25 Ivar.Nilsson@kapsch.net 17.6
26 fundu_1999@yahoo.com 16.9
27 roger.brown@snapper.co.nz 16.5
28 global@codekab.com 16.1
29 acptsys@gmail.com 15.8
30 Geert.VanMuylem@be.zetes.com 15.1

Best authors, by average size of their message (w/o quoting):

Rank  Author  bytes
1 alessandro.vincelli@wedjaa.net 14998
2 sasha.garcya@gmail.com 12094
3 forest@alittletooquiet.net 11684
4 alexej.muehlberg@nxp.com 11247
5 lcstyle@hotmail.com 10875
6 Michael.Bender@sun.com 10246
7 mbrown@dsci.com 9452
8 marcelmancini@hotmail.com 8860
9 kreinholz@gmail.com 8729
10 Paul.Klissner@sun.com 8479
11 han.hartgers@gmail.com 8211
12 praveenya.g@gmail.com 7857
13 Geert.VanMuylem@be.zetes.com 7745
14 pakorodri@gmail.com 7407
15 B.Thomas@astronautics.com 7105
16 bcymet@cbnco.com 7011
17 franz.trierweiler.ingenieur@gmail.com 6379
18 caruso.ray@gmail.com 6309
19 bogusemail98230@yahoo.com 6299
20 dr.claudia.neumann@gmx.de 5918
21 anujakarthikeyan@gmail.com 5918
22 jlucg_ml@mac.com 5892
23 amustelier@tecatel.com 5475
24 nzl@me.com 4974
25 vtanna1@gmail.com 4882
26 sschwab@hidglobal.com 4724
27 amiad.salton@gmail.com 4588
28 global@codekab.com 4122
29 nastasi@alternativeoutput.it 3829
30 natarajsn@gmail.com 3720

Table showing the most successful subjects:

Rank  Subject  Msg  Percent
1 [Muscle] Re: Open readers and iso7816 question 31 4.32 %
2 [Muscle] new BETA versions of pcsc-lite and libccid 22 3.06 %
3 [Muscle] T=0 Case 2 response length 19 2.65 %
4 [Muscle] 64bit portability and header tidy up 17 2.37 %
5 [Muscle] [PATCH] more idiomatic sysconfdir usage 15 2.09 %
6 [Muscle] Questions about musclecard 13 1.81 %
7 [Muscle] PCSC on ARM 12 1.67 %
8 [Muscle] Problem communication with pcscd. 12 1.67 %
9 [Muscle] Accessing Smart Card Unique ID (newbee) 11 1.53 %
10 [Muscle] German Health Insurance Card (Krankenversichertenkarte 11 1.53 %
11 [Muscle] Problem with gemalto USB Shell Token V2 on OS X 10 1.39 %
12 [Muscle] Loaded latest pcsc-lite 1.5.5, getting seg fault and 9 1.25 %
13 [Muscle] Re: Muscle Digest, Vol 76, Issue 9 9 1.25 %
14 [Muscle] Status of the Muscle applet 9 1.25 %
15 [Muscle] pcsc-lite 1.5.5 problem 8 1.11 %
16 [Muscle] powerup problem and timed out problem with mac osx 8 1.11 %
17 [Muscle] SCARD_E_SHARING_VIOLATION information 8 1.11 %
18 [Muscle] Re: "Card absent or mute" on MacOS 10.6.3 8 1.11 %
19 [Muscle] pcsc freeze my computer 8 1.11 %
20 [Muscle] Problem with "precise biometrics 250 MC reader" 8 1.11 %
21 [Muscle] SmartCard/PCSC-lite developer information 8 1.11 %
22 [Muscle] Open Port 200000 Failed 7 0.97 %
23 [Muscle] [PATCH] Quirk for BCM5880/5881 GetSlotStatus 7 0.97 %
24 [Muscle] GDM with smartcard 7 0.97 %
25 [Muscle] ACR122U102 7 0.97 %
26 [opensc-devel] pcscd access rights limitation and scard group 7 0.97 %
27 [Muscle] pcsc-lite, ccid: Precise MC 200 problems with T=1 7 0.97 %
28 [Muscle] Problem with pcsc-lite 1.6.5 7 0.97 %
29 [Muscle] Bug with bit4id smart card reader and the Italian 7 0.97 %
30 [Muscle] Re: pcscd: Error: "Client failed to authenticate" on 6 0.84 %
other 400 55.71 %

Most used email clients:

Rank  Mailer  Msg  Percent
1 (unknown) 484 67.41 %
2 Mozilla/5.x 45 6.27 %
3 KMail 32 4.46 %
4 Apple Mail (2.1077) 23 3.20 %
5 Apple Mail (2.1078) 14 1.95 %
6 QUALCOMM Windows Eudora 13 1.81 %
7 Thunderbird 2.0.0.23 (Windows/20090812) 12 1.67 %
8 Apple Mail (2.1081) 10 1.39 %
9 YahooMailRC/459 YahooMailWebService/0.8.105.279950 7 0.97 %
10 Thunderbird 2.0.0.24 (Windows/20100228) 6 0.84 %
11 Apple Mail (2.1082) 6 0.84 %
12 Evolution 2.30.3 6 0.84 %
13 Mutt 6 0.84 %
14 Zimbra 5.0 (ZimbraWebClient - FF3.0 5 0.70 %
15 Evolution 2.28.1 5 0.70 %
16 YahooMailRC/397.8 YahooMailWebService/0.8.104.274457 4 0.56 %
17 Microsoft-MacOutlook/14.0.0.100825 4 0.56 %
18 SquirrelMail/1.4.19 3 0.42 %
19 Zarafa 6.30.5-17658 3 0.42 %
20 YahooMailRC/240.3 YahooMailWebService/0.8.100.260964 2 0.28 %
21 Thunderbird 2.0.0.22 (X11/20090605) 2 0.28 %
22 Thunderbird 2.0.0.23 (X11/20090817) 2 0.28 %
23 iPhone Mail (7E18) 2 0.28 %
24 Thunderbird 2.0.0.22 (X11/20090625) 2 0.28 %
25 Apple Mail (2.936) 2 0.28 %
26 Microsoft Office Outlook 11 2 0.28 %
27 Evolution 2.30.2 2 0.28 %
28 Microsoft Office Outlook 12.0 2 0.28 %
29 Zimbra 5.0 (ZimbraWebClient - FF3.0 (Win)/5.0.15_GA_2815.UBUNTU8_64) 1 0.14 %
30 SquirrelMail/1.4.9a 1 0.14 %
other 10 1.39 %

Table of maximal quoting:

Rank  Author  Percent
1 alon.barlev@gmail.com 79.80 %
2 mrv@c3po.es 74.18 %
3 acptsys@gmail.com 65.14 %
4 brocean@gmail.com 63.17 %
5 martin@aqbanking.de 62.37 %
6 jianjiaosun@gmail.com 61.15 %
7 gregor.dschung@itwm.fraunhofer.de 60.79 %
8 stef.hoeben@zetes.com 58.35 %
9 mailman@hanez.org 57.45 %
10 Paul.Klissner@sun.com 50.84 %
11 kevredon@mail.tsaitgaist.info 50.35 %
12 andreas.schwier@cardcontact.de 48.46 %
13 ludovic.rousseau@gmail.com 47.98 %
14 martin@paljak.pri.ee 47.58 %
15 deengert@anl.gov 47.16 %
16 Michael.Bender@sun.com 43.92 %
17 zealcook@gmail.com 43.44 %
18 anujakarthikeyan@gmail.com 42.93 %
19 mstjohns@comcast.net 41.78 %
20 Todd.Denniston@tsb.cranrdte.navy.mil 40.03 %
21 caruso.ray@gmail.com 39.05 %
22 ilgicioglu@gmail.com 38.58 %
23 squalyl@gmail.com 37.24 %
24 puneet.maillist@gmail.com 36.96 %
25 hugomc.silva@gmail.com 36.87 %
26 jonas.gulle@gmail.com 36.02 %
27 martin@martinpaljak.net 33.90 %
28 info@linsoft.de 32.75 %
29 vdsrst@gmail.com 30.47 %
30 drasko.draskovic@gmail.com 30.30 %
average 30.79 %

Graph showing number of messages written during hours of day (values recovered as a table):

hour:  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
msgs: 14  8  1  0  4  3  5 12 37 62 48 62 34 54 50 49 62 42 36 23 29 42 27 14

Graph showing number of messages written during days of month (values recovered as a table):

day:   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
msgs: 25 37 22 28 33 30 27 34 25 32 23  8 15 30 43 21 12  7 16 11 23 28 31 10 13  4 22 22 40 37  9

Graph showing number of messages written during days of week (values recovered as a table):

day:  Mon Tue Wed Thu Fri Sat Sun
msgs:  91 139 126 133 100  71  58

Maximal quoting:

Author : deengert@anl.gov
Subject : [Muscle] new BETA versions of pcsc-lite and libccid
Date : Thu, 11 Feb 2010 14:08:52 -0600
Quote ratio: 95.44% / 17763 bytes

Longest message:

Author : sasha.garcya@gmail.com
Subject : [Muscle] pcsc freeze my computer
Date : Thu, 28 Oct 2010 13:49:13 +0200
Size : 41721 bytes

Most successful subject:

Subject : [Muscle] Re: Open readers and iso7816 question
No. of msgs: 31
Total size : 108549 bytes

Final summary:

Total number of messages: 718
Total number of different authors: 116
Total number of different subjects: 227
Total size of messages (w/o headers): 2271592 bytes
Average size of a message: 3163 bytes


Input file last updated: Wed Jan 5 15:02:38 2011 Generated by MailListStat v1.3


Configuring your system for pcscd auto-start

Since pcsc-lite 1.6.5 it is possible to start pcscd on demand and run it with fewer privileges than root.

System configuration


pcscd group

pcscd is run as a user in the pcscd group. So you need to create this group.

$ sudo addgroup --system pcscd

/var/run/pcscd directory

Since pcscd is no longer running as root it cannot create the /var/run/pcscd directory itself. The directory must be created as root and the correct permissions must be set:

  • group = pcscd group
  • access rights = rwx

$ sudo mkdir /var/run/pcscd
$ sudo chgrp pcscd /var/run/pcscd
$ sudo chmod g+w /var/run/pcscd

udev rule


pcscd is no longer running as root, so the permissions on the reader device need to be changed. For USB readers this is done via a udev rule file.

A previous blog entry described such a udev rule file.
libccid provides a udev rule file. I guess other drivers do not (yet) provide one.

Example:

# If not adding the device, go away
ACTION!="add", GOTO="pcscd_ccid_rules_end"
SUBSYSTEM!="usb", GOTO="pcscd_ccid_rules_end"
ENV{DEVTYPE}!="usb_device", GOTO="pcscd_ccid_rules_end"

ATTRS{idVendor}=="0x08E6", ATTRS{idProduct}=="0x0430", GROUP="pcscd"

# All done
LABEL="pcscd_ccid_rules_end"


This example is for the Gemplus GemPC430 reader. It is an old reader and is not CCID. Just replace idVendor and idProduct by the values of your own USB reader.
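As an added example (not part of pcsc-lite or of any distribution package), here is a small Python audit of the three prerequisites above: the pcscd group, the /var/run/pcscd directory with group pcscd and group rwx, and a udev rule handing the reader to that group. It takes a `root` prefix ("/" on a real system) so it can also be run against a staged tree; RULES_PATH is a hypothetical file name, and the reader IDs default to the GemPC430 values shown above.

```python
"""Audit of the pcscd auto-start prerequisites (added example, not part of
pcsc-lite). `root` is a path prefix, "/" on a real system; RULES_PATH is a
hypothetical location for the udev rules file."""
import os
import re
import stat
import tempfile

RULES_PATH = "etc/udev/rules.d/pcscd-reader.rules"   # hypothetical file name
RULE_RE = re.compile(r'ATTRS\{idVendor\}=="([^"]+)",\s*ATTRS\{idProduct\}=="([^"]+)"'
                     r',\s*GROUP="([^"]+)"')

def udev_rule(id_vendor, id_product, group="pcscd"):
    """Rules file in the format shown above, for one USB reader."""
    return ('# If not adding the device, go away\n'
            'ACTION!="add", GOTO="pcscd_ccid_rules_end"\n'
            'SUBSYSTEM!="usb", GOTO="pcscd_ccid_rules_end"\n'
            'ENV{DEVTYPE}!="usb_device", GOTO="pcscd_ccid_rules_end"\n\n'
            'ATTRS{idVendor}=="%s", ATTRS{idProduct}=="%s", GROUP="%s"\n\n'
            '# All done\nLABEL="pcscd_ccid_rules_end"\n' % (id_vendor, id_product, group))

def group_gid(root, name):
    """gid of `name` from <root>/etc/group, or None when the group is missing."""
    try:
        with open(os.path.join(root, "etc/group")) as f:
            for line in f:
                fields = line.rstrip("\n").split(":")
                if len(fields) >= 3 and fields[0] == name:
                    return int(fields[2])
    except (FileNotFoundError, ValueError):
        pass
    return None

def audit(root, id_vendor, id_product):
    """List what is still missing; an empty list means the setup is complete."""
    problems = []
    gid = group_gid(root, "pcscd")
    if gid is None:
        problems.append("group pcscd missing (sudo addgroup --system pcscd)")
    run_dir = os.path.join(root, "var/run/pcscd")
    try:
        st = os.stat(run_dir)
        if not stat.S_ISDIR(st.st_mode):
            problems.append("%s is not a directory" % run_dir)
        if gid is not None and st.st_gid != gid:
            problems.append("%s is not owned by group pcscd (sudo chgrp pcscd)" % run_dir)
        if st.st_mode & stat.S_IRWXG != stat.S_IRWXG:
            problems.append("%s lacks group rwx (sudo chmod g+w after mkdir)" % run_dir)
    except FileNotFoundError:
        problems.append("%s missing (sudo mkdir, then chgrp and chmod)" % run_dir)
    try:
        with open(os.path.join(root, RULES_PATH)) as f:
            rules = f.read()
    except FileNotFoundError:
        rules = ""
    wanted = (id_vendor.lower(), id_product.lower(), "pcscd")
    if not any((v.lower(), p.lower(), g) == wanted for v, p, g in RULE_RE.findall(rules)):
        problems.append("no udev rule gives %s:%s to group pcscd" % (id_vendor, id_product))
    return problems

def stage_example(id_vendor="0x08E6", id_product="0x0430"):
    """Constructed fixture: a staged tree under a temp dir that passes the audit."""
    root = tempfile.mkdtemp()
    run_dir = os.path.join(root, "var/run/pcscd")
    os.makedirs(run_dir)
    os.chmod(run_dir, 0o770)
    os.makedirs(os.path.join(root, "etc/udev/rules.d"))
    with open(os.path.join(root, "etc/group"), "w") as f:
        f.write("root:x:0:\npcscd:x:%d:\n" % os.stat(run_dir).st_gid)
    with open(os.path.join(root, RULES_PATH), "w") as f:
        f.write(udev_rule(id_vendor, id_product))
    return root
```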

Debian


All these steps are already in place for the pcscd and libccid packages in Debian (in experimental for now). The packages for the other drivers should follow.

Conclusion


The auto-start feature needs some configuration before it can be used.
If you do not want to follow all the steps described in this article you can continue to run pcscd as root as before.

New version of pcsc-lite: 1.6.6

I just released a new version of pcsc-lite: 1.6.6. This version does not bring new features but fixes two bugs.
The version is available here.

Changelog


pcsc-lite-1.6.6: Ludovic Rousseau
12 December 2010
  • SCardGetStatusChange(): fix a bug on 64-bits systems
  • Fix another bug because of a regression in the internal list manager

New version of libccid: 1.4.1

I just released a new version of libccid.

Changelog


1.4.1 - 3 December 2010, Ludovic Rousseau

  • Add support of Gemalto Smart Guardian (SG CCID), ReinerSCT cyberJack RFID basis, Akasa AK-CR-03, BZH uKeyCI800-K18, Free Software Initiative of Japan Gnuk token readers
  • Remove O2 Micro Oz776 and Blutronics Bludrive II CCID since they are no longer supported since version 1.4.0
  • SecurePINVerify & SecurePINModify: Accept big and little endian byte orders for multibytes fields. The application should not use HOST_TO_CCID_16() and HOST_TO_CCID_32() any more and just use the normal byte order of the architecture.
  • Need pcsc-lite 1.6.5 for TAG_IFD_POLLING_THREAD_WITH_TIMEOUT
  • Add --enable-embedded (default is no) to build libccid for an embedded system. This will activate the NO_LOG option to disable logging and limit RAM and disk consumption.
  • Remove --enable-udev option since it is not used anymore with libhal. The udev rules file is now used to change the access rights of the device and not send a hotplug signal to pcscd. See /posts/2010/09/pcscd-auto-start/
  • some minor bugs removed

New version of pcsc-lite: 1.6.5

I just released a new version of pcsc-lite. Some of the improvements or changes have already been described in previous blog articles.

Changelog


pcsc-lite-1.6.5: Ludovic Rousseau
3 December 2010
  • Power on the card _only_ if an application requests a connection. You can disable the feature using DISABLE_ON_DEMAND_POWER_ON in src/pcscd.h.in. If DISABLE_AUTO_POWER_ON is defined then do not automatically power on the card. The card will be powered on at the first SCardConnect(). See /posts/2010/10/card-auto-power-on-and-off/
  • SCardReconnect(): return SCARD_E_NO_SMARTCARD when card is removed and SCARD_W_UNRESPONSIVE_CARD when card is unresponsive instead of SCARD_E_PROTO_MISMATCH
  • Install pcscd as sgid pcscd instead of suid root See /posts/2010/09/pcscd-auto-start/
  • SCardSetTimeout() is no more provided. This function is not provided by Microsoft and is deprecated since 2004 in pcsc-lite.
  • SCardCancelTransaction() is no more provided. This function is not provided by Microsoft and is deprecated since 2005 in pcsc-lite.
  • Parsing the CCID Info.plist (159 readers supported) was, on a i386 machine, done in 264306 s and is now done in 5547 s => gain x47 or 4600%. See /posts/2010/08/ram-and-cpu-improvements-in-pcsc-lite/
  • It is now possible to configure the local socket name to use using the environment variable PCSCLITE_CSOCK_NAME See /posts/2010/11/pcsc-client-and-server-on-two-different/
  • Wait until all connected readers have a chance to power up a possibly inserted card before accepting clients.
  • restrict pcscd features when not run by root (so using suid): APDU logging or setting parameters are disabled for example
  • fix compilation problem on kfreebsd-* systems
  • PCSC/reader.h: HOST_TO_CCID_16() and HOST_TO_CCID_32() are now identity functions. Since libccid 1.4.1 (revision 5252) the byte order is no longer important
  • If you want to use IFDHCreateChannel() instead of IFDHCreateChannelByName() then do not use any DEVICENAME line in the configuration file. IFDHCreateChannel() will then be called with the CHANNELID parameter.
  • the CHANNELID parameter can also be a decimal number.
  • Remove the support of IFDHandler v1 API. I don't know any driver using this API. See /posts/2010/10/ifdhandler-version-1-support-removed/
  • avoids a buffer overflow with badly formed ATR
  • some other minor improvements and bug corrections

New PyKCS11 1.2.3 available

I just released a new version of PyKCS11, a Python wrapper above the PKCS#11 API.

Changelog


1.2.3 - December 2010, Ludovic Rousseau

  • Add new classes CK_SLOT_INFO, CK_INFO, CK_SESSION_INFO, CK_MECHANISM_INFO and CK_TOKEN_INFO instead of the low level ones to have a __repr__() method. It is now possible to just print an object of these classes and have a human readable version.
  • Add a new class CK_OBJECT_HANDLE() to replace the low level one and have a __repr__() method for objects returned by findObjects()
  • Move initToken() from class Session to class PyKCS11Lib and add a slot parameter.
  • Add generateKeyPair() and destroyObject() support in high level interface

What next?


This new release should restart the publication of articles on this wrapper. I have not published anything since June.

This new version 1.2.3 is easier and more fun to use in an interactive Python interpreter. You can just display objects using print. More to come...