larskanis/ctapi-cyberjack

Secure PIN Entry/Modification Fails with PCSC-Lite 1.8.9 and newer


In PCSC-Lite 1.8.9, the structure PIN_VERIFY_STRUCTURE defines abData as a zero-size array. So PIN_VERIFY_STRUCTURE ends up being 19 bytes long. In 1.8.8 and earlier, it is defined as a 1-byte array. So PIN_VERIFY_STRUCTURE ends up being 20 bytes long. See https://alioth.debian.org/frs/download.php/latestfile/39/pcsc-lite-1.8.9.tar.bz2 in file pcsc-lite-1.8.9.tar-1/pcsc-lite-1.8.9/src/PCSC/reader.h

This driver's code (e.g. cjeca32/CCIDReader.cpp) assumes the 1-byte array definition, and will not work with 1.8.9 and newer. For example, the following code behaves incorrectly when compiled with PCSC-Lite 1.8.9 and newer:
if(InputLength!=sizeof(PIN_VERIFY_STRUCTURE)-sizeof(uint8_t)+((PIN_VERIFY_STRUCTURE *)Input)->ulDataLength) { ...

A proposed fix for this issue is to change the code as follows so that it works correctly with both definitions of PIN_VERIFY_STRUCTURE:
if(InputLength!=sizeof(PIN_VERIFY_STRUCTURE)-sizeof(((PIN_VERIFY_STRUCTURE*)(0))->abData)+((PIN_VERIFY_STRUCTURE *)Input)->ulDataLength) { ...

I.e., the key to this proposed fix is to replace
sizeof(uint8_t)
which always evaluates to 1, with
sizeof(((PIN_VERIFY_STRUCTURE*)(0))->abData)
which evaluates to either 1 or 0 depending on the definition of PIN_VERIFY_STRUCTURE.
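The length-check mismatch described above, as an added example that is not part of this issue or of the driver's code. The struct is a constructed stand-in for pcsc-lite's packed PIN_VERIFY_STRUCTURE with the 15 fixed bytes before ulDataLength collapsed into one array, and build_verify_request, length_ok and check_sample_request are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for pcsc-lite's packed PIN_VERIFY_STRUCTURE (illustration only,
 * not this driver's or pcsc-lite's code). The 15 fixed bytes before ulDataLength are
 * collapsed into one array; only the sizes matter here. ABDATA_N is 0 for 1.8.9+
 * (zero-size abData, sizeof == 19) and 1 for 1.8.8 and earlier (sizeof == 20). */
#pragma pack(push, 1)
#define DEFINE_PVS(name, ABDATA_N)       \
    typedef struct {                     \
        uint8_t  fixedFields[15];        \
        uint32_t ulDataLength;           \
        uint8_t  abData[ABDATA_N];       \
    } name
DEFINE_PVS(PVS_OLD, 1);  /* pcsc-lite <= 1.8.8 layout */
DEFINE_PVS(PVS_NEW, 0);  /* pcsc-lite >= 1.8.9 layout */
#pragma pack(pop)

/* The driver's original arithmetic: assumes abData is exactly one byte. */
#define OLD_HEADER_LEN(T)   (sizeof(T) - sizeof(uint8_t))
/* The proposed fix: subtract whatever abData actually occupies, 1 or 0. */
#define FIXED_HEADER_LEN(T) (sizeof(T) - sizeof(((T *)0)->abData))

/* On the wire a VERIFY request is always the 19 header bytes followed by
 * ulDataLength bytes of APDU, so a correct check expects 19 + ulDataLength. */
size_t build_verify_request(uint8_t *out, size_t cap, const uint8_t *apdu, uint32_t apduLen) {
    PVS_NEW hdr;
    memset(&hdr, 0, sizeof hdr);
    hdr.ulDataLength = apduLen;
    if (cap < sizeof hdr + apduLen) return 0;
    memcpy(out, &hdr, sizeof hdr);
    memcpy(out + sizeof hdr, apdu, apduLen);
    return sizeof hdr + apduLen;
}

/* The driver-side test from the issue, with the header length supplied by the caller. */
static int length_ok(size_t inputLength, const uint8_t *input, size_t headerLen) {
    uint32_t dataLen;
    memcpy(&dataLen, input + offsetof(PVS_NEW, ulDataLength), sizeof dataLen);
    return inputLength == headerLen + dataLen;
}

/* Runs the check on a constructed sample request (header + 13-byte VERIFY APDU).
 * new_layout: 1 = compiled against 1.8.9+, 0 = against 1.8.8. fixed: 1 = proposed fix.
 * Returns 1 when the request is accepted; (1, 0) reproduces the reported failure. */
int check_sample_request(int new_layout, int fixed) {
    static const uint8_t apdu[13] = { 0x00, 0x20, 0x00, 0x01, 0x08,
                                      0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
    uint8_t buf[64];
    size_t n = build_verify_request(buf, sizeof buf, apdu, sizeof apdu);
    size_t hdr = new_layout ? (fixed ? FIXED_HEADER_LEN(PVS_NEW) : OLD_HEADER_LEN(PVS_NEW))
                            : (fixed ? FIXED_HEADER_LEN(PVS_OLD) : OLD_HEADER_LEN(PVS_OLD));
    return length_ok(n, buf, hdr);
}
```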

Sounds good. Since you seem to have already identified the code lines to change, I would be glad to merge a pull request with your changes!

Hi Lars,

Thanks for your reply. Sorry, but I can't comply for fear of breaking something and for lack of more time to analyze miscellaneous problems that I seem to be having with forking, cloning, and compiling this version on my CentOS system. (The version that worked for me and that I used to analyze this issue is from the ReinerSCT CD entitled pcsc-cyberjack_3.99.5final.SP03.tar.gz.)

In summary, there are 3 files that need changing:
2 lines in doc/verifypin_ascii.c
2 lines in doc/verifypin_fpin2.c
2 lines in cjeca32/CCIDReader.cpp

Please let me know if I can be of more help; I will try my best to comply.

Best regards,
--Virgil