mvogt1
Enthusiast

state of smartcard support on Linux (RHEL 7.6)

With Horizon release 7.8.0 the SmartCard support still does not work.

Update: With Horizon release 7.9.0 the SmartCard support still does not work.

A year+ ago I debugged this here:

https://communities.vmware.com/message/2739746#2739746

Horizon 7.8.0 now contains the binaries for RHEL (pcscd 1.8.8), which should support the newer wire format of RHEL:

[VMware-horizonagent-linux-x86_64-7.8.0-12610615]$ ll scredir/

total 26312

-rwxr-xr-x. 1 201 201 9507192 Mar  4 19:07 libscrediragent_188.so

-rwxr-xr-x. 1 201 201 9507184 Mar  4 19:07 libscrediragent.so

-rwxr-xr-x. 1 201 201 3959144 Mar  4 19:07 pcscd

-rwxr-xr-x. 1 201 201 3959168 Mar  4 19:07 pcscd_188

The install_viewagent.sh binary

- installs pcscd_188 in /usr/sbin/pcscd

- installs libscrediragent_188.so in /usr/lib/vmware/vchan_plugins

When I reboot the machine, I can see in the pcscd log file:

00000000 bora/apps/rde/scrediragent/pcscd/debuglog.c:252:DebugLogSetLevel() debug level=debug

00000675 bora/apps/rde/scrediragent/pcscd/pcscdaemon.c:484:main() pcsc-lite daemon ready.

00001063 bora/apps/rde/scrediragent/pcscd/pcscd-ipc.c:500:IPCReaderThread() Entry IPCReaderThread.

00004455 bora/apps/rde/scrediragent/pcscd/utils.c:276:getUserID() uid: 979 gid: 970

00000511 bora/apps/rde/scrediragent/pcscd/pcscd-ipc.c:196:IPCAcceptConnection() Entry IPCAcceptConnection in bora/apps/rde/scrediragent/pcscd/pcscd-ipc.c.

02782719 bora/apps/rde/scrediragent/pcscd/winscard_msg_srv.c:232:ProcessEventsServer() Common channel packet arrival

00000040 bora/apps/rde/scrediragent/pcscd/winscard_msg_srv.c:242:ProcessEventsServer() ProcessCommonChannelRequest detects: 6

00000010 bora/apps/rde/scrediragent/pcscd/pcscdaemon.c:100:SVCServiceRunLoop() A new context thread creation is requested: 6

00000148 bora/apps/rde/scrediragent/pcscd/winscard_svc.c:405:ContextThread() Thread is started: dwClientID=6, threadContext @55E8C7A96590

00000446 bora/apps/rde/scrediragent/pcscd/winscard_svc.c:420:ContextThread() Received command: CMD_VERSION from client 6

00000299 bora/apps/rde/scrediragent/pcscd/winscard_svc.c:431:ContextThread() Client is protocol version 4:2

00000017 bora/apps/rde/scrediragent/pcscd/winscard_svc.c:440:ContextThread() CMD_VERSION rv=0x0 for client 6

00000620 bora/apps/rde/scrediragent/pcscd/winscard_svc.c:420:ContextThread() Received command: ESTABLISH_CONTEXT from client 6

00000306 bora/apps/rde/scrediragent/pcscd/pcscd-ipc.c:290:IPCRequest() ipc socket is 0, wait for connection from plugin

Then it blocks in a simple call, ESTABLISH_CONTEXT for example, when starting:

- pkcs11-tool -I

And when I look into the log file of vmware-mks-<pid>.log:

2019-07-08T09:57:21.232+02:00| main| I125: VVC: (DEBUG) Added plugin to list libscrediragent.so fileName=/usr/lib/vmware/vchan_plugins/libscrediragent.so

2019-07-08T09:57:21.277+02:00| libscrediragent.so| I125: VTHREAD 140082588464896 "libscrediragent.so" tid 5873

2019-07-08T09:57:21.278+02:00| main| I125: VVC: LoadVvcPlugin: Started plugin 1: libscrediragent.so, filename:"/usr/lib/vmware/vchan_plugins/libscrediragent.so"

2019-07-08T09:57:21.278+02:00| main| I125: VVC: VVCLDR_LoadPlugins: Plugin entries found:1, loaded:1

2019-07-08T09:57:21.278+02:00| main| I125: VVC: VVC loader initialised

Result:

The situation is the same: Windows and Linux smartcard redirection does not work.

mvogt1
Enthusiast

It does work partially (!).

To me it looks like the "back channel" in the VMware pcscd is not working correctly and libpcsclite in RHEL drops the result, or waits for more data to come.

For debugging I'm using the command:

>pkcs11-tool -L

The output should be (depending on the reader type):

>Slot 0 (0x0): Gemalto PC Twin Reader 00 00

When I strace the different components I can see that the following works:

But first, the setup:

On the VDI host "v110" (the host to which I connect with vmware-view 4.10), I strace the pcscd from vmware.

On the client "e120" (the host which starts vmware-wire and connects to "v110"), I strace pcscd (from Red Hat) too.

The sequence is:

I connect from e120 with vmware-view and log into v110.

There I open a terminal and start:

>pkcs11-tool -L

The strace on "v110" shows:

7700  write(1, "\33[36m00001019\33[0m bora/apps/rde/scrediragent/pcscd/winscard_svc.c::420:ContextThread() Received command: CMD_GET_READERS_STATE from client 9\n", 140) = 140

7700  write(1, "\33[36m00000201\33[0m \33[01;31mbora/apps/rde/scrediragent/pcscd/pcscd-ipc.c:337:IPCRequest() has received the connection from plugin\33[0m\n", 132) = 132

7700  select(8, NULL, [7], NULL, NULL)  = 1 (out [7])

The important part is the CMD_GET_READERS_STATE, which is the command to list the readers ("-L option").

This is actually forwarded to "e120".

There the pcscd log shows:

[pid  7942] write(1, "\33[36m00010040\33[0m winscard_svc.c:317:ContextThread() Receive command: CMD_GET_READERS_STATE from client 12\n", 108) = 108

[pid  7942] select(13, NULL, [12], NULL, NULL) = 1 (out [12])

[pid  7942] sendto(12, "Gemalto PC Twin Reader 00 00.............

And this is seen on the "v110" too:

4536  read(7, "\277\16M*\0\0\0\0\0\0\0\0\0\0\0\0\36\0\0\0Gemalto PC Twin Reader 00 00..."

7700  write(1, "\33[36m00001391\33[0m \33[01;31mbora/apps/rde/scrediragent/pcscd/pcscd-ipc.c:337:IPCRequest() has received the connection from plugin\33[0m\n", 132) = 132

7700  sendto(7, "\277\16M*\0\0\0\0\2\0\0\0\\\\?PnP?\\Notification\0%s:%d:%s() calloc failed.\0%s:%d:%s() return value 0x%x\n\0%s:%d:%s() rv = 0X%08X.\0\0\0\0\0\0\0\0\1\0

The answer "PNP\\Notification" looks suspicious, mostly because it contains the "calloc failed". PNP Notification is a part of the PCSC protocol for status change messages, but it may be ok.

When I now strace the binary pkcs11-tool I see [1]:

read(3,Gemalto PC Twin Reader 00 00...",5888)=2944

Thus it ends in libpcsclite. But the binary does not "exit".

Maybe this can be debugged with libpcscspy.so.

As a result:

pkcs11-tool -L issues a CMD_GET_READERS_STATE in libpcsclite [1], which forwards it to the local pcscd on v110, which forwards it to libscrediragent, which is part of the agent process, and this packet is forwarded to the vmware-view client on host "e120", which writes it into the local libpcsclite, and this forwards it to the pcscd on e120. This daemon really knows what's going on, and its answer is "Gemalto PC Twin Reader 00 00". This is passed the whole chain back, and ends up in the pcscd on "v110".

Then pcscd even writes it back into [1], but the binary does not exit and blocks forever.

Edit: added missing columns (80+) from strace

mvogt1
Enthusiast

The solution is to replace /lib64/libpcsclite.so.1.0.0.

It seems pcscd by VMware is built with different compiler options than the libpcsclite on RHEL, and libpcsclite maybe expects some padding.

I downloaded pcsc-lite-1.8.8 and built it with:

./configure --enable-usbdropdir=/usr/lib64/pcsc/drivers/

and then copied:

cp src/.libs/libpcsclite.so.1.0.0 /lib64/

This works here.

mvogt1
Enthusiast

>The solution is to replace /lib64/libpcsclite.so.1.0.0.

No. Yesterday it directly worked, after I replaced libpcsclite.

It worked for Linux and Windows clients.

Not only pkcs11-tool -L but the whole pkcs11 stack (including smartcard login, firefox, thunderbird, email decrypt, ...)

Today it does not work anymore.

The behaviour is the same, the whole chain works, but today it blocks again in libpcsclite

read(3,Gemalto PC Twin Reader 00 00...",5888)=2944

mvogt1
Enthusiast

Okay, after I checked the setup I found an older link:

# ls -la /lib64/libpcsclite.so.1

lrwxrwxrwx. 1 root root 24 Jul 11 14:20 /lib64/libpcsclite.so.1 -> libpcsclite.so.1.0.0.org

This is the lib from RHEL, and it did not work.

After replacing it with my own build of libpcsclite it works again.

(libpcsclite is built with API TRACE and a few printf)

# pkcs11-tool -L

< [7F5578E36740] SCardEstablishContext 0, (nil), (nil)

> [7F5578E36740] SCardEstablishContext 1874136285

< [7F5578E36740] SCardListReaders 1874136285

reading waiting for: 2944

> [7F5578E36740] SCardListReaders 32

< [7F5578E36740] SCardListReaders 1874136285

reading waiting for: 2944

> [7F5578E36740] SCardListReaders 32

< [7F5578E36740] SCardGetStatusChange 1874136285 0 1

< [7F5578E36740] SCardGetStatusChange [0] Generic EMV Smartcard Reader 0 0 0

reading waiting for: 2944

> [7F5578E36740] SCardGetStatusChange [0] Generic EMV Smartcard Reader 0 0 B0012

< [7F5578E36740] SCardConnect 1874136285 Generic EMV Smartcard Reader 0 3 3

> [7F5578E36740] SCardConnect 0

< [7F5578E36740] SCardGetStatusChange 1874136285 0 1

< [7F5578E36740] SCardGetStatusChange [0] Generic EMV Smartcard Reader 0 B0012 B0012

reading waiting for: 2944

reading waiting for: 2944

0 Kudos
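The hang described in the posts above, reduced to its framing problem, as an added example that is not code from the thread, VMware or pcsc-lite: a client that waits for a fixed-length reply never returns when the peer sends a shorter one. It assumes the 5888 in the strace is the length the stock library waits for and the 2944 is what the daemon sends; the helper names and the 200 ms timeout (there only so the demo terminates) are hypothetical.

```c
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define REPLY_SENT     2944  /* bytes the daemon side writes (from the traces) */
#define REPLY_EXPECTED 5888  /* length of the blocked read() in the strace */

/* Read exactly `want` bytes, giving up after timeout_ms without data.
 * Returns 0 on success, otherwise the number of bytes still missing. */
static size_t read_exact(int fd, char *buf, size_t want, int timeout_ms)
{
    size_t got = 0;
    while (got < want) {
        struct pollfd p = { .fd = fd, .events = POLLIN };
        if (poll(&p, 1, timeout_ms) <= 0)
            break;                      /* timeout or error: stop waiting */
        ssize_t n = read(fd, buf + got, want - got);
        if (n <= 0)
            break;                      /* EOF or error */
        got += (size_t)n;
    }
    return want - got;
}

/* One daemon reply of REPLY_SENT bytes, one client expecting `expected`. */
size_t missing_after_reply(size_t expected)
{
    int sv[2];
    static char out[REPLY_SENT], in[REPLY_EXPECTED];
    if (expected > sizeof in || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return (size_t)-1;
    memset(out, 0, sizeof out);
    strcpy(out, "Gemalto PC Twin Reader 00 00");  /* constructed payload */
    size_t missing = (size_t)-1;
    if (write(sv[0], out, sizeof out) == (ssize_t)sizeof out)
        missing = read_exact(sv[1], in, expected, 200);
    close(sv[0]);
    close(sv[1]);
    return missing;
}

int main(void)
{
    printf("expecting %d: %zu bytes missing\n", REPLY_SENT,
           missing_after_reply(REPLY_SENT));
    printf("expecting %d: %zu bytes missing\n", REPLY_EXPECTED,
           missing_after_reply(REPLY_EXPECTED));
    return 0;
}
```

Without the timeout, the second case is the blocked read seen in the strace of pkcs11-tool.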
trailhawk
Contributor

mvogt1

Thank you for the post - I have done the following

yum install -y opensc pcsc-lite pcsc-lite-libs pcsc-lite-ccid nss-tools

yum install -y git flex autoconf automake libtool libudev-devel flex

git clone https://salsa.debian.org/rousseau/PCSC.git

cd PCSC

git checkout -b 1.8.8 pcsc-1.8.8

./bootstrap

./configure --enable-usbdropdir=/usr/lib64/pcsc/drivers/

make

make install

cp src/.libs/libpcsclite.so.1.0.0 /lib64/

./install_viewagent.sh -m yes

However when I run pkcs11-tool -L I'm seeing Slot 0

Any thoughts or am I missing something?

mvogt1
Enthusiast

This needs debugging. You should connect from a Windows client to the VDI host, and then start pcscd on the VDI VM not over the service, but by hand in a separate window with

pcscd -d -a -f

Then you can see what pcscd is printing when you log on.

This should give you an idea of what's wrong.
