Hey Peter,
>> Is there also a limit to the number of unlock attempts? What happens when
>> the limit is reached?
Yes, there is: if you enter the wrong PUK 8 times, your card will be locked and
not usable anymore.
>> Any memory used to store a PIN should IMO be mlock()ed before the first use.
OK cool, as a security measure, that is?
>> Any memory used to store a PIN should IMO be erased as soon as it is no longer
>> needed.
You mean, write over the data with rubbish and then free it? (I thought it was
enough with just freeing it, but I see you've got a point.)
>> I would reuse e.g. the OpenSSH read_passphrase() code instead:
Didn't even think about that.
Thanks for the tips Peter.
Patrik Martinsson,
Sweden.
On 09/08/2010 10:06 AM, Peter Stuge wrote:
> Patrik Martinsson wrote:
>
>> I just wanted to share a small program I wrote for unlocking PINs
>> with your PUK.
>>
> ..
>
>> Any comments, suggestions, improvements, thoughts around this
>> method,
>> are welcome. (Go easy on the coding-part since I'm not a
>> programmer)
>>
> The approach seems fine to me. Some things to consider for the
> implementation:
>
> * Is there also a limit to the number of unlock attempts? What
> happens when the limit is reached?
>
> * Any memory used to store a PIN should IMO be mlock()ed before the
> first use.
>
> * Any memory used to store a PIN should IMO be erased as soon as it
> is no longer needed.
>
>
>
>> /* Handle user input */
>> int handle_input(int puk, char *input, CK_SESSION_HANDLE session){
>>     int i = 0;
>>     int c = 0;
>>
>>     /* Disable echo */
>>     struct termios oflags, nflags;
>>     tcgetattr(fileno(stdin), &oflags);
>>     nflags = oflags;
>>     nflags.c_lflag &= ~ECHO;
>>     nflags.c_lflag |= ECHONL;
>>
>>     if (tcsetattr(fileno(stdin), TCSANOW, &nflags) != 0) {
>>         printdebug("Terminal", "Echo disabling failed");
>>         finish(1, session);
>>     }
>>
>>     /* Scan input */
>>     if (scanf("%10s", input) != 1){
>>
> * I would reuse e.g. the OpenSSH read_passphrase() code instead:
> http://anoncvs.mindrot.org/index.cgi/openssh/readpass.c?view=markup#l107
>
> As a bonus it may even allow staying in X if you set up a special
> session for the unlock user.
>
>
> //Peter
> _______________________________________________
> opensc-devel mailing list
> [email protected]
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>
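
The three implementation points raised in the quoted review (lock the PIN buffer, erase it after use, read it without echo) combined in one C sketch. This is an added example, not code from the thread or from OpenSSH; `read_pin`, `secure_wipe` and `PIN_MAX` are hypothetical names, and the PKCS#11 unlock call is left as a comment.

```c
#include <stdio.h>
#include <sys/mman.h>
#include <termios.h>
#include <unistd.h>

#define PIN_MAX 16 /* assumed upper bound on PIN/PUK length */

/* Zero through a volatile pointer so the stores are not optimized away. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Read one line from fd into buf without echo. read(2) is used instead of
 * stdio so no copy of the PIN is left in a stdio buffer. Returns the length,
 * or -1 on error, empty or overlong input (buf is wiped in that case). */
static int read_pin(int fd, char *buf, size_t cap) {
    struct termios saved, noecho;
    int tty = isatty(fd) && tcgetattr(fd, &saved) == 0;
    size_t n = 0;
    int fits = 1;
    char c;

    if (tty) {
        noecho = saved;
        noecho.c_lflag &= ~ECHO;
        noecho.c_lflag |= ECHONL;
        if (tcsetattr(fd, TCSAFLUSH, &noecho) != 0) return -1;
    }
    while (read(fd, &c, 1) == 1 && c != '\n') {
        if (n + 1 < cap) buf[n++] = c; else fits = 0; /* drain the rest */
    }
    if (tty) tcsetattr(fd, TCSAFLUSH, &saved); /* always restore echo */
    if (!fits || n == 0) { secure_wipe(buf, cap); return -1; }
    buf[n] = '\0';
    return (int)n;
}

int main(void) {
    char pin[PIN_MAX + 1];
    if (mlock(pin, sizeof pin) != 0) perror("mlock"); /* keep out of swap */
    fputs("PUK: ", stderr);
    int n = read_pin(STDIN_FILENO, pin, sizeof pin);
    /* if (n > 0): pass pin to the PKCS#11 unlock call here */
    secure_wipe(pin, sizeof pin); /* erase before the buffer is released */
    munlock(pin, sizeof pin);
    return n > 0 ? 0 : 1;
}
```

Overlong input is rejected rather than truncated, so a mistyped value is not sent to the card and does not use up one of the limited unlock attempts.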