License: Apache License 2.0
While I was implementing support for KeepassXC' challenge-response over CCID, I've noticed that the SELECT call used there had not contain the Le byte. This caused the response to SELECT to be 61xx, which needed additional implementation for getting the remaining data. That sprinkled the discussion, why it was not needed before for the other supported there smart card readers. Apparently the SELECT call for them always result with the data in the direct response to the request.
I am documenting this behavior here for the future reference. Perhaps the SELECT command should be exempted from testing the Le byte, and following the usual rules (e.g. to make it work with improper implementations).
Yubikey 4 responds immediately as well AFAICS. Some YK4 traffic excerpt containing the SELECT (00 A4 04 00) calls:
07477498 APDU: 00 A4 04 00 07 A0 00 00 05 27 20 01
00001034 SW: 04 03 05 03 0B 00 06 0F 00 00 90 00
00000136 APDU: 00 A4 04 00 07 A0 00 00 05 27 20 01
00001019 SW: 04 03 05 03 0B 00 06 0F 00 00 90 00
00000062 APDU: 00 03 00 00 06
00000854 SW: 04 03 05 03 0B 00 90 00
00000137 APDU: 00 A4 04 00 07 A0 00 00 05 27 20 01
00001023 SW: 04 03 05 03 0B 00 06 0F 00 00 90 00
00000055 APDU: 00 01 10 00 06
00000849 SW: 00 56 7F B0 90 00
00000130 APDU: 00 A4 04 00 07 A0 00 00 05 27 20 01
00001000 SW: 04 03 05 03 0B 00 06 0F 00 00 90 00
The call used in KeepassXC for SELECT is:
uint8_t pbSendBuffer_head[5] = {
CLA_ISO, INS_SELECT, SEL_APP_AID, 0, static_cast<uint8_t>(handle.second.size())};
auto pbSendBuffer = new uint8_t[5 + handle.second.size()];
memcpy(pbSendBuffer, pbSendBuffer_head, 5);
memcpy(pbSendBuffer + 5, handle.second.constData(), handle.second.size());
// Give it more space in case custom implementations have longer answer to select
uint8_t pbRecvBuffer[64] = {0};
// 3 bytes version, 1 byte program counter, other stuff for various implementations, 2 bytes status
SCUINT dwRecvLength = sizeof pbRecvBuffer;
auto rv = transmit(handle.first, pbSendBuffer, 5 + handle.second.size(), pbRecvBuffer, dwRecvLength);PR: keepassxreboot/keepassxc#9397
Code in question:
Lines 280 to 334 in a6f0011
Hi!
A bit of fuzzing this library found that a panic happens when apdu_dispatch receives a select command with an Aid in the data field that is incorrect. This is because Aid::new panics when the input data is invalid.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.