XRDP SmartCard Support fails on 64-bit Ubuntu System

classic Classic list List threaded Threaded
14 messages Options
Reply | Threaded
Open this post in threaded view
|

XRDP SmartCard Support fails on 64-bit Ubuntu System

support@securenetterm.com
After getting xrdp SmartCard support working on 32-bit Ubuntu, CentOS and OpenSuse systems, I
tried installing it on a Ubuntu 12.04 64-bit system.  I logged into the system with xrdp and appeared to be working, so then I replaced the default libpcsclite.so.1.0.0 with the xrdp one.

The opensc-tool and piv-tool both could see the SmartCard reader, but not the card.  I then
ran pcsc_scan and it aborted.

I then installed a real SmartCard reader on that Ubuntu 12.01 64-bit system with the original libpcsclite.so.1.0.0 and pcsc_scan ran ok and detects both the reader and card.  OpenSC-tool
and PIV_tool also detected both the reader and and the card and all the options worked ok.

It would appear that the xrdp libpcsclite module has some type problem on64-bit systems.
Reply | Threaded
Open this post in threaded view
|

Re: [Xrdp-devel] XRDP SmartCard Support fails on 64-bit Ubuntu System

jsorg71
> After getting xrdp SmartCard support working on 32-bit Ubuntu, CentOS and
> OpenSuse systems, I
> tried installing it on a Ubuntu 12.04 64-bit system.  I logged into the
> system with xrdp and appeared to be working, so then I replaced the default
> libpcsclite.so.1.0.0 with the xrdp one.
>
> The opensc-tool and piv-tool both could see the SmartCard reader, but not
> the card.  I then
> ran pcsc_scan and it aborted.
>
> I then installed a real SmartCard reader on that Ubuntu 12.01 64-bit system
> with the original libpcsclite.so.1.0.0 and pcsc_scan ran ok and detects both
> the reader and card.  OpenSC-tool
> and PIV_tool also detected both the reader and and the card and all the
> options worked ok.
>
> It would appear that the xrdp libpcsclite module has some type problem
> on64-bit systems.

Hum, that could be.  I thought I tested it.
I do remember testing both 32 bit and 64 bit MSTSC clients.
I'm not sure about the server.
I think it should be relatively easy to fix if you can find it.

One thing I find annoying the that PCSC defines LONG as unsigned int.
I guess, that is because long in 32 bits in Win32 and Win64.
But a long changes size on linux 32 vs linux 64.

Jay

------------------------------------------------------------------------------
Start Your Social Network Today - Download eXo Platform
Build your Enterprise Intranet with eXo Platform Software
Java Based Open Source Intranet - Social, Extensible, Cloud Ready
Get Started Now And Turn Your Intranet Into A Collaboration Platform
http://p.sf.net/sfu/ExoPlatform
_______________________________________________
xrdp-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/xrdp-devel
Reply | Threaded
Open this post in threaded view
|

Re: [Xrdp-devel] XRDP SmartCard Support fails on 64-bit Ubuntu System

jsorg71
The file is here.

https://github.com/neutrinolabs/xrdp/blob/master/sesman/chansrv/pcsc/xrdp_pcsc.c

Jay

On Tue, Apr 22, 2014 at 2:07 PM, Jay Sorg <[hidden email]> wrote:

>> After getting xrdp SmartCard support working on 32-bit Ubuntu, CentOS and
>> OpenSuse systems, I
>> tried installing it on a Ubuntu 12.04 64-bit system.  I logged into the
>> system with xrdp and appeared to be working, so then I replaced the default
>> libpcsclite.so.1.0.0 with the xrdp one.
>>
>> The opensc-tool and piv-tool both could see the SmartCard reader, but not
>> the card.  I then
>> ran pcsc_scan and it aborted.
>>
>> I then installed a real SmartCard reader on that Ubuntu 12.01 64-bit system
>> with the original libpcsclite.so.1.0.0 and pcsc_scan ran ok and detects both
>> the reader and card.  OpenSC-tool
>> and PIV_tool also detected both the reader and and the card and all the
>> options worked ok.
>>
>> It would appear that the xrdp libpcsclite module has some type problem
>> on64-bit systems.
>
> Hum, that could be.  I thought I tested it.
> I do remember testing both 32 bit and 64 bit MSTSC clients.
> I'm not sure about the server.
> I think it should be relatively easy to fix if you can find it.
>
> One thing I find annoying the that PCSC defines LONG as unsigned int.
> I guess, that is because long in 32 bits in Win32 and Win64.
> But a long changes size on linux 32 vs linux 64.
>
> Jay

------------------------------------------------------------------------------
Start Your Social Network Today - Download eXo Platform
Build your Enterprise Intranet with eXo Platform Software
Java Based Open Source Intranet - Social, Extensible, Cloud Ready
Get Started Now And Turn Your Intranet Into A Collaboration Platform
http://p.sf.net/sfu/ExoPlatform
_______________________________________________
xrdp-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/xrdp-devel
Reply | Threaded
Open this post in threaded view
|

Re: [Xrdp-devel] XRDP SmartCard Support fails on 64-bit Ubuntu System

support@securenetterm.com
In reply to this post by jsorg71
I changed the debug level to 20 in xrdp_pcsc.c and I see the error very early in the
connection.  It is in the SCardConnect: routine and the status is 0x8010000f with a
hcard value of 0.  

I compared this one running on a 32 bit system, and the same location returns a status
of 0x00000000 with a hcard value of 0x0000000b

Note sure where the 0x8010000f error is coming from, since the normal lib pcsclite.so with the
same smartcard reader/card works ok.  Since the xrdp libpcsclite.so is the only thing being
different, what would be causing the error?  What does the 0x8010000f error code mean?
Reply | Threaded
Open this post in threaded view
|

Re: [Xrdp-devel] XRDP SmartCard Support fails on 64-bit Ubuntu System

support@securenetterm.com
It is not clear to me what needs to be changed to support SmartCards within xrdp.  You make a reference to the PCSC project page on your limited WIKI.  Does that imply a specific version of pcsc-lite must be installed?  

After looking at the 64-bit version of xrdp associated SmartCard programs, it would appear this has never
been tested.  Although simple sample programs do work, it would appear there are major problems in
the SCardGetStatusChange function within the xrdp version of libpcsclite.so.  There are also problems in
the SCardConnect function, in the treatment of the dwActiveProtocol value.  Some production programs
such a opensc-tool and piv-tool fail when calling the SCardConnect fuction.  



Reply | Threaded
Open this post in threaded view
|

Re: [Xrdp-devel] XRDP SmartCard Support fails on 64-bit Ubuntu System

jsorg71
> It is not clear to me what needs to be changed to support SmartCards within
> xrdp.  You make a reference to the PCSC project page on your limited WIKI.
> Does that imply a specific version of pcsc-lite must be installed?

No, that package version should be ok.

> After looking at the 64-bit version of xrdp associated SmartCard programs,
> it would appear this has never
> been tested.  Although simple sample programs do work, it would appear there
> are major problems in
> the SCardGetStatusChange function within the xrdp version of libpcsclite.so.
> There are also problems in
> the SCardConnect function, in the treatment of the dwActiveProtocol value.
> Some production programs
> such a opensc-tool and piv-tool fail when calling the SCardConnect fuction.

It probably won't take much to fix for x64 but I can't get back to
this for a while.

So if I get this right.

Server, only 32 bit works.
Client, 32 bit and 64 bit work

Jay

------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.  Get
unparalleled scalability from the best Selenium testing platform available.
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
xrdp-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/xrdp-devel
Reply | Threaded
Open this post in threaded view
|

Re: [Xrdp-devel] XRDP SmartCard Support fails on 64-bit Ubuntu System

support@securenetterm.com
I am not sure what you mean by "client".  I am using the Windows 7 mstsc client to connect to all the
Unix based systems I am testing.  So, if by client you mean mstsc, then yes that program works very
well.  If I use it connect to another Windows 7 or Windows 8 system, everything works fine.  The SmartCard and disk redirection all work.

However, if I use the mstsc client to connect to ANY Unix based system, the drive redirection DOES NOT work, whether its 32 or 64 bit systems.   I am not concerned with drive redirection, since it really does
not make a lot of sense when connecting a windows based system to Unix.

If I use mstsc to connect to ANY 32-bit Unix based system, SmartCard redirection works.  There is one small problem, but it does not appear to affect any of my test and production programs that use the redirected SmartCard.  That problem is the status returned from SCardStatus.  When these tests run on a system with a real Smartcard, the status returned is 0x34.  With the xrdp libpcsclite.so, the status returned is 0x1.

If I use mstsc to connect to ANY 64-bit Unix based system, the SmartCard support DOES NOT work.  All production programs (opensc-tool and piv-tool) fail.  Any test program that calls SCardGetStatusChange will fail.  It appears the xrdp libpcsclite.so cannot determine if a card is inserted into the reader or has been removed from the reader.

I have several SmartCard test programs that will demo this if you need them.
Reply | Threaded
Open this post in threaded view
|

Re: [Xrdp-devel] XRDP SmartCard Support fails on 64-bit Ubuntu System

jsorg71
> I am not sure what you mean by "client".  I am using the Windows 7 mstsc
> client to connect to all the
> Unix based systems I am testing.  So, if by client you mean mstsc, then yes
> that program works very
> well.  If I use it connect to another Windows 7 or Windows 8 system,
> everything works fine.  The SmartCard and disk redirection all work.

Sorry, yes, I meant mstsc.

> However, if I use the mstsc client to connect to ANY Unix based system, the
> drive redirection DOES NOT work, whether its 32 or 64 bit systems.   I am
> not concerned with drive redirection, since it really does
> not make a lot of sense when connecting a windows based system to Unix.

It seems like if you redirect printers and drives, then drives do not work.
Can you uncheck Printers in Local resources and try again?

> If I use mstsc to connect to ANY 32-bit Unix based system, SmartCard
> redirection works.  There is one small problem, but it does not appear to
> affect any of my test and production programs that use the redirected
> SmartCard.  That problem is the status returned from SCardStatus.  When
> these tests run on a system with a real Smartcard, the status returned is
> 0x34.  With the xrdp libpcsclite.so, the status returned is 0x1.

Ok, that is a bug.  It should return 0x34.

> If I use mstsc to connect to ANY 64-bit Unix based system, the SmartCard
> support DOES NOT work.  All production programs (opensc-tool and piv-tool)
> fail.  Any test program that calls SCardGetStatusChange will fail.  It
> appears the xrdp libpcsclite.so cannot determine if a card is inserted into
> the reader or has been removed from the reader.
>
> I have several SmartCard test programs that will demo this if you need them.

Ok, I can fix this.

Yes, I do need more test programs for Smart Card.  Thanks if you can
make them available.  Did you write them?  Do I need any special
cards?

Jay

------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.  Get
unparalleled scalability from the best Selenium testing platform available.
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
xrdp-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/xrdp-devel
Reply | Threaded
Open this post in threaded view
|

Re: [Xrdp-devel] XRDP SmartCard Support fails on 64-bit Ubuntu System

support@securenetterm.com
After looking for the problem with the xrdp SmartCard support for 64-bit systems, I have found at least one thing that may be a problem.  In xrdp_pcsc.c, a DWORD is defined as an unsigned int.  Whereas, most, if not all the user and test programs would get the definition for a DWORD from /usr/include/PCSC/wintypes.h which defines a DWORD as an unsigned long.  

I was seeing all types of strange behavior in one of the pcsc test programs where a call such as:

rv = SCardListReaders(hContext,NULL,NULL,&dwReaders);

would fail at random times.  The problem was dwReaders was defined as DWORD and used the definition in wintypes.h.  In xrdp_pcsc.c, it returned the value to dwReaders by the pointer to dwReaders.  So the value of dwReaders would be messed up at times.

Jay, can you verify this?
Reply | Threaded
Open this post in threaded view
|

Re: [Xrdp-devel] XRDP SmartCard Support fails on 64-bit Ubuntu System

jsorg71
> After looking for the problem with the xrdp SmartCard support for 64-bit
> systems, I have found at least one thing that may be a problem.  In
> xrdp_pcsc.c, a DWORD is defined as an unsigned int.  Whereas, most, if not
> all the user and test programs would get the definition for a DWORD from
> /usr/include/PCSC/wintypes.h which defines a DWORD as an unsigned long.

Wow, that is ugly.  DWORD is defined as uint32_t on __APPLE__ and
unsigned long on non __APPLE__.
>From my experience whenever you try to using the windows-ish types on
non windows, it's a mess.

Goes that fix the problem?

Jay

------------------------------------------------------------------------------
Time is money. Stop wasting it! Get your web API in 5 minutes.
www.restlet.com/download
http://p.sf.net/sfu/restlet
_______________________________________________
xrdp-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/xrdp-devel
Reply | Threaded
Open this post in threaded view
|

Re: [Xrdp-devel] XRDP SmartCard Support fails on 64-bit Ubuntu System

support@securenetterm.com
Yes, it fixes most of the problems.  However there is still one more problem related to handling
PIV cards.  I will try to resolve that tomorrow.  When I changed the DWORD definition on the
32-bit version, everything worked, including the PIV card, so I suspect there is some int/long
problem that  is causing it.  Now that I have almost everything else working, it should be easy to track
it down.

Once I get that resolved, I will send you the resulting xrdp_pscs.c and let you run a diff and see what I
changed.  As I mentioned before, there are a couple of messages that should have a higher display value
so the average user will not see them, the status returned should be 0x34 instead of 1 and a problem in
SCardListReaders that caused some strange problems.

Also, I am now getting a lot of warnings when I compile the 64-bit version due to the new DWORD definition.  I will let you worry about that.





Reply | Threaded
Open this post in threaded view
|

Re: [Xrdp-devel] XRDP SmartCard Support fails on 64-bit Ubuntu System

support@securenetterm.com
I believe the PIV problem I am having is in the SCardTransmit function.  The trace shows the variable
cbRecvLength is always equal to 2 in the 64-bit version, however it varies in the 32-bit version.  This
is in the area of code where the piv-tool is trying to determine the card type.  

In the SCardTransmit function of xrdp_pcsc.c, I notice the comments:

// TODO figure out why recv pci does not work
if (1 || (pioRecvPci == 0) || (pioRecvPci->cbPciLength < 8))

What does this mean?   Would that be causing the problem?
Reply | Threaded
Open this post in threaded view
|

Re: [Xrdp-devel] XRDP SmartCard Support fails on 64-bit Ubuntu System

support@securenetterm.com
Finally, the SmartCard support works on 64-bit systems.  I found the final problem in SCardTrasmit and now the PIV-II works.  I will test on other 64-bit systems and retest on 32-bit systems tomorrow.
Reply | Threaded
Open this post in threaded view
|

Re: [Xrdp-devel] XRDP SmartCard Support fails on 64-bit Ubuntu System

jsorg71
> Finally, the SmartCard support works on 64-bit systems.  I found the final
> problem in SCardTrasmit and now the PIV-II works.  I will test on other
> 64-bit systems and retest on 32-bit systems tomorrow.


Great, thanks Ken,
I can push it into devel.

Jay

------------------------------------------------------------------------------
Time is money. Stop wasting it! Get your web API in 5 minutes.
www.restlet.com/download
http://p.sf.net/sfu/restlet
_______________________________________________
xrdp-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/xrdp-devel