
cmd_apdu uses gpg_strerror instead of apdu_strerror
Closed, Resolved, Public


If the call to apdu_send_direct in cmd_apdu (scd/ fails, the return code is logged using gpg_strerror. But apdu_send_direct returns an ISO-7816 status code, not a GnuPG error code, so a misleading error message is shown in the logs. Instead, apdu_strerror should be used to log the error.

For example, a “Host busy” (0x10007) APDU error is mapped to GnuPG error code 7 and leads to this log entry:

2023-04-19 14:23:34 scdaemon[578] apdu_send_direct failed: Bad secret key

We found this issue with GnuPG 2.2.12, but as far as I can see, it is still present in newer versions.
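
How the misleading log line arises, as an added example (not part of the report and not GnuPG source code). It assumes libgpg-error's layout of a 16-bit error code in the low bits with bits 16-23 and bit 31 unused; all macro and function names are hypothetical, and the message tables are constructed from the two values quoted in the report.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumption: a GnuPG error value keeps its code in the low 16 bits and its
   source in bits 24-30; bits 16-23 and bit 31 are never set. */
#define CODE_MASK    0x0000FFFFu
#define UNUSED_BITS  0x80FF0000u

/* Values taken from the report; the names are hypothetical. */
#define STATUS_HOST_BUSY  0x10007u  /* APDU-layer "Host busy" */
#define CODE_BAD_SECKEY   7u        /* GnuPG code 7, "Bad secret key" */

/* What a GnuPG-style decoder does with any integer it is handed. */
static unsigned int code_seen_by_gpg_decoder(unsigned int rc)
{
  return rc & CODE_MASK;
}

/* Constructed message lookups, limited to the report's two values. */
static const char *gpg_style_message(unsigned int rc)
{
  return code_seen_by_gpg_decoder(rc) == CODE_BAD_SECKEY
         ? "Bad secret key" : "(other GnuPG code)";
}

static const char *apdu_style_message(unsigned int rc)
{
  return rc == STATUS_HOST_BUSY ? "Host busy" : "(other APDU status)";
}

/* Debug guard: refuse to decode a value that cannot be a GnuPG error.
   It only catches host-side codes such as 0x10007; 16-bit card status
   words pass unnoticed, so the real fix is calling the right decoder. */
static const char *checked_gpg_message(unsigned int rc)
{
  return (rc & UNUSED_BITS) ? NULL : gpg_style_message(rc);
}

int main(void)
{
  printf("wrong decoder: %s\n", gpg_style_message(STATUS_HOST_BUSY));
  printf("right decoder: %s\n", apdu_style_message(STATUS_HOST_BUSY));
  printf("guard rejects: %s\n",
         checked_gpg_message(STATUS_HOST_BUSY) ? "no" : "yes");
  return 0;
}
```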

Event Timeline

gniibe changed the task status from Open to Testing. May 1 2023, 4:42 AM
gniibe claimed this task.
gniibe triaged this task as Normal priority.
gniibe added a subscriber: gniibe.

Thank you for your report. Good catch.

Indeed, the API of apdu_send_direct is difficult to use (for historical reasons).

Fixed in rG3cf5fc2e2f64: scd: Fix cmd_apdu on error..

gniibe mentioned this in Unknown Object (Event). May 8 2023, 5:12 AM
werner added a subscriber: werner.

Backported to 2.2.