
Friday, July 30, 2010

pcsc-lite for limited (embedded) systems

Limited or embedded systems


Since Linux runs everywhere, some of these systems are connected to a smart card reader. And of course pcsc-lite is used.

Example of embedded systems


I am not aware of any projects using pcsc-lite. I will just give two examples.


  • Android: see the Seek for Android project, which is trying to bring a smart card API to Android
  • GCR5500: It is a health care reader for doctors, etc. It is also possible to connect a USB smart card reader and pcsc-lite is used to manage this external reader.
  • Many set top boxes (ADSL modem, home routers, etc.) are using Linux. Some of the boxes have a smart card reader.

Memory optimisations


Starting with pcsc-lite 1.6.0 I worked on memory optimizations. The work is not yet finished since I have other ideas.

Disable unused interfaces


I added --disable-serial and --disable-usb options to remove code that will not be used.

  • --disable-serial removes support of /etc/reader.conf.

    gain: 8.0kB of .text (12%) and 160 bytes of .bss (4%) for pcscd
  • --disable-usb removes support of USB hotplug

    gain: 9.7kB of .text (14%) and 960 bytes of .bss (23%) for pcscd

If you use both options (and use a static driver configuration) the gain is 17.7kB of .text (26%) and 1152 bytes of .bss (28%) for pcscd.

No logs


Since embedded systems are not supposed to be directly administered, having logs in /var/log/syslog is not useful.

  • Minimal pcsc_stringify_error()

    If NO_LOG is defined a minimal pcsc_stringify_error() is used. The function is still available but only the error code in hex is displayed in this case.

    Gain: 2kB of .text (10%) for libpcsclite

  • No log function

    If NO_LOG is defined then no logs are displayed. The log functions are still defined (they are also used by the drivers) but are empty.

    With NO_LOG defined we gain 26% (17 kB) for the .text segment of pcscd and 15% (4 kB) for the .text segment of libpcsclite.so (for i386)

One option to activate the embedded mode


Just use the --enable-embedded (default is no) configure option to build pcsc-lite for an embedded system. This will activate the NO_LOG option to disable logging and limit RAM and disk consumption.

Results

If --enable-embedded is used and you disable the communication interface you do not use (serial or USB), you can expect a gain of 40% on the code size, and therefore reduced disk/flash space and memory use.

To be followed...

Wednesday, June 30, 2010

New version of pcsc-perl: 1.4.9

I just released a new version of pcsc-perl to fix a compilation bug.

The problem


pcsc-lite defined some error codes specific to pcsc-lite. One is SCARD_W_INSERTED_CARD.

This error code is never returned by pcsc-lite and has been removed in pcsc-lite revision 4574 included in pcsc-lite 1.6.0.

Solution


Do not reference this error code any more. The side effect is that if your Perl program uses SCARD_W_INSERTED_CARD it will fail and has to be corrected.

Thanks


Thanks to Olivier Huber for reporting the problem.

See also


A previous blog entry about this Perl PCSC wrapper: PCSC sample in Perl.



Sunday, June 27, 2010

PyKCS11 history

This article is not part of the series initiated by PC/SC sample in different languages. We will not use the PCSC API but the PKCS#11 API.

You can find the other articles in this series from the first one: PyKCS11 introduction.

PKCS#11 (Cryptographic Token Interface Standard) is an API used to talk to cryptographic tokens like smart cards (but not only).

The PKCS#11 API is in C language but a wrapper for Python called pykcs11 also exists. We will use this wrapper. The project has an ohloh page.

History


The wrapper uses SWIG.
"SWIG is an interface compiler that connects programs written in C and C++ with scripting languages such as Perl, Python, Ruby, and Tcl. It works by taking the declarations found in C/C++ header files and using them to generate the wrapper code that scripting languages need to access the underlying C/C++ code. In addition, SWIG provides a variety of customization features that let you tailor the wrapping process to suit your application."

The wrapper was initially written by Giuseppe Amato (started in 2004). But the API was very low level: one Python function for one PKCS#11 C function. This API was not really Python friendly. When I discovered the project, in 2006, I started writing a higher level API more Python oriented, object oriented and easier to use.

The project is still active. The latest version is 1.2.2 from June 2010.

Since I started this series on PyKCS I added new methods and improved the wrapper to make it even easier to use.



PyKCS11 introduction

I will start a new series about PyKCS11.

What is it?


PyKCS11 is a Python wrapper above the PKCS#11 API. PKCS#11 is a "Cryptographic Token Interface Standard" defined by RSA and used by smart cards (but not only).

If you are a user of PyKCS11 please add a comment. If you have requests about PyKCS11 please also add a comment.

Articles in the series





Wednesday, June 23, 2010

Update on pcsc-lite security advisory CVE-2010-0407

I would like to update the status about the security issue of pcsc-lite also known as CVE-2010-0407. I presented the problem in pcsc-lite security advisory CVE-2010-0407.

2 new CVE numbers


The fix in upstream revision 4208 was bogus. A fix of the fix is available in upstream revision 4334 and is included in pcsc-lite 1.5.5.

So even if pcsc-lite 1.5.4 does not have the security issue, this version has a broken SCardControl() function. See Debian bug #585791 "Upgrading from pcscd_1.4.102-1_i386.deb to pcscd_1.4.102-1+lenny1_i386.deb broke my bankid application (digital signing internetbanking)".

CVE-2009-4901

The MSGFunctionDemarshall function in winscard_svc.c in the PC/SC Smart Card daemon (aka PCSCD) in MUSCLE PCSC-Lite before 1.5.4 might allow local users to cause a denial of service (daemon crash) via crafted SCARD_SET_ATTRIB message data, which is improperly demarshalled and triggers a buffer over-read, a related issue to CVE-2010-0407.

CVE-2009-4902

Buffer overflow in the MSGFunctionDemarshall function in winscard_svc.c in the PC/SC Smart Card daemon (aka PCSCD) in MUSCLE PCSC-Lite 1.5.4 and earlier might allow local users to gain privileges via crafted SCARD_CONTROL message data, which is improperly demarshalled. NOTE: this vulnerability exists because of an incorrect fix for CVE-2010-0407.
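
As an added illustration (not pcsc-lite's code and not part of the original post), here is a simplified model of the length validation a demarshalling routine needs before it uses client-supplied sizes. The struct layout, MAX_BUF and all function names are hypothetical; the calls in main() probe both sides of the boundary, because the history above shows that a fix can close the overflow and still break SCardControl().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BUF 264  /* assumed size of the fixed buffers in this model */

/* Hypothetical wire format; both lengths are chosen by the untrusted client. */
struct control_msg {
    uint32_t send_len;           /* bytes claimed valid in send_buf */
    uint32_t recv_len;           /* reply bytes the client asks for */
    uint8_t  send_buf[MAX_BUF];
};

enum { MSG_OK = 0, MSG_BAD_FRAME = -1, MSG_BAD_SEND_LEN = -2, MSG_BAD_RECV_LEN = -3 };

/* Copy a received frame into *out and validate every length field before
 * any caller can use it as a memcpy()/read()/write() size. */
int demarshal_control(const uint8_t *raw, size_t raw_len, struct control_msg *out)
{
    if (raw == NULL || out == NULL || raw_len != sizeof *out)
        return MSG_BAD_FRAME;            /* truncated or oversized frame */
    memcpy(out, raw, sizeof *out);
    if (out->send_len > sizeof out->send_buf)
        return MSG_BAD_SEND_LEN;         /* would read past send_buf */
    if (out->recv_len > MAX_BUF)
        return MSG_BAD_RECV_LEN;         /* would write past the reply buffer */
    return MSG_OK;
}

/* Build a constructed frame with the given lengths and run it through the check. */
int try_frame(uint32_t send_len, uint32_t recv_len, size_t frame_len)
{
    struct control_msg in, out;
    memset(&in, 0, sizeof in);
    in.send_len = send_len;
    in.recv_len = recv_len;
    return demarshal_control((const uint8_t *)&in, frame_len, &out);
}

int main(void)
{
    printf("max legitimate lengths: %d\n", try_frame(MAX_BUF, MAX_BUF, sizeof(struct control_msg)));
    printf("send_len one too large: %d\n", try_frame(MAX_BUF + 1, 0, sizeof(struct control_msg)));
    printf("recv_len 0xFFFFFFFF:    %d\n", try_frame(0, UINT32_MAX, sizeof(struct control_msg)));
    printf("truncated frame:        %d\n", try_frame(4, 4, 8));
    return 0;
}
```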

Debian


Debian should have a fixed fixed version named 1.4.102-1+lenny3 soon.

Red Hat


The Red Hat bug 596426 indicates that:


Others


Still no news about Ubuntu, SUSE Linux and the other GNU/Linux, *BSD or Unix distributions.



Tuesday, June 22, 2010

PCSC sample in Java

Here is the PCSC sample in Java language I promised in PC/SC sample in different languages.

Installation


Since Java 1.6 the JRE includes the package javax.smartcardio which was defined in the JSR 268. No need to compile additional source code.

For the example I used Eclipse Galileo and the Java 1.6 provided by Apple on a Mac OS X Snow Leopard (10.6.4).

Source code


import java.util.List;
import javax.smartcardio.*;

public class Blog {
 public static void main(String[] args) {
  try {
   // Display the list of terminals
   TerminalFactory factory = TerminalFactory.getDefault();
   List<CardTerminal> terminals = factory.terminals().list();
   System.out.println("Terminals: " + terminals);

   // Use the first terminal
   CardTerminal terminal = terminals.get(0);

   // Connect with the card
   Card card = terminal.connect("*");
   System.out.println("card: " + card);
   CardChannel channel = card.getBasicChannel();

   // Send Select Applet command
   byte[] aid = {(byte)0xA0, 0x00, 0x00, 0x00, 0x62, 0x03, 0x01, 0x0C, 0x06, 0x01};
   ResponseAPDU answer = channel.transmit(new CommandAPDU(0x00, 0xA4, 0x04, 0x00, aid));
   System.out.println("answer: " + answer.toString());

   // Send test command
   answer = channel.transmit(new CommandAPDU(0x00, 0x00, 0x00, 0x00));
   System.out.println("answer: " + answer.toString());
   byte r[] = answer.getData();
   for (int i=0; i<r.length; i++)
    System.out.print((char)r[i]);
   System.out.println();

   // Disconnect the card
   card.disconnect(false);
  } catch(Exception e) {
   System.out.println("Ouch: " + e.toString());
  }
 }
}


Output



Terminals: [PC/SC terminal Gemplus GemPC Twin 00 00]
card: PC/SC card in Gemplus GemPC Twin 00 00, protocol T=1, state OK
answer: ResponseAPDU: 2 bytes, SW=9000
answer: ResponseAPDU: 14 bytes, SW=9000
Hello world!

Conclusion


Nothing special to add. The major advantage here is that the wrapper is included in the runtime. So you do not have to install much on a system before you can use your program, just the JRE :-)



Friday, June 11, 2010

pcsc-lite security advisory CVE-2010-0407

The problem


It is possible to trigger a buffer overflow in old versions of pcsc-lite, and possibly gain root access.

The bug is present in version 1.4.102 of pcsc-lite and has been corrected in revision 4208 (May 14 2009). This revision was included in pcsc-lite 1.5.4.

Debian


Debian published a DSA (Debian Security Advisory) DSA-2059-1 pcsc-lite -- buffer overflow about a vulnerability in pcsc-lite present in Debian stable.

Ubuntu


Ubuntu has not yet published a USN (Ubuntu Security Notice). Maybe because pcscd is part of universe and not main. But libpcsclite is part of main. Note that Ubuntu is vulnerable even in the latest version, 10.04 LTS "Lucid Lynx".

Red Hat


Red Hat has an entry for the CVE on their security web site and on their bug tracking tool as bug 596426. Maybe a new package will be available soon.

SUSE Linux


I could not find information on the novell.com site. I don't even know what versions of pcsc-lite SUSE Linux Enterprise 11 is providing.

Other distributions


There are too many Unix distributions to mention them all. If you have pointers for a Unix system just add a comment and I will update the blog.

