From 3f1ee534febdc7cb65831b97bdedcdb2cc6ff678 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka
Date: Tue, 9 Feb 2016 14:15:41 +0900
Subject: [PATCH] Support VERIFY reset feature
---
 ChangeLog | 7 +++++--
 NEWS | 8 ++++++++
 src/openpgp.c | 43 +++++++++++++++++++++++++++++--------------
 3 files changed, 42 insertions(+), 16 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 7e4d4b8..fd21c49 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,10 @@
-2016-02-09 gniibe
+2016-02-09 Niibe Yutaka
+
+ * src/openpgp.c (cmd_verify): Support VERIFY reset, which is
+ described in the specification V2.2 and V3.1.
 * polarssl/library/bignum.c (mpi_exp_mod): Fix to our local
- change. Thanks to Aidan Thornton for failure test case.
+ change. Thanks to Aidan Thornton for the failure test case.
 Fix of mpi_div_mpi from upstream.
 * polarssl/library/bignum.c (int_clz, int_div_int): New.
diff --git a/NEWS b/NEWS
index 4ef176b..5bf89ae 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,10 @@ Gnuk NEWS - User visible changes
 Released 2016-02-xx, by NIIBE Yutaka
+** Support authentication status reset by VERIFY command.
+This feature is described in the OpenPGPcard specification V2.2 and
+V3.1, which allow user to reset authentication status.
+
 ** S2K algorithm change to defeat "copycat" service of MCU.
 Even if the existence of some services copying MCU, your private key
 will not be controled by others.
@@ -11,6 +15,10 @@ will not be controled by others.
 ** Bug fix for secp256k1 and NIST P-256.
 Bugs in basic computation were fixed.
+** Bug fix for bignum routines.
+Bignum routine update from upstream (failure doesn't occur for our RSA
+computation, though). Another fix for mpi_exp_mod.
+
 * Major changes in Gnuk 1.1.9
diff --git a/src/openpgp.c b/src/openpgp.c
index 83d269b..5818648 100644
--- a/src/openpgp.c
+++ b/src/openpgp.c
@@ -138,6 +138,7 @@ static void
 cmd_verify (void)
 {
 int len;
+ uint8_t p1 = P1 (apdu);
 uint8_t p2 = P2 (apdu);
 int r;
 const uint8_t *pw;
@@ -149,22 +150,36 @@ cmd_verify (void)
 pw = apdu.cmd_apdu_data;
 if (len == 0)
- { /* This is to examine status. */
- if (p2 == 0x81)
- r = ac_check_status (AC_PSO_CDS_AUTHORIZED);
- else if (p2 == 0x82)
- r = ac_check_status (AC_OTHER_AUTHORIZED);
- else
- r = ac_check_status (AC_ADMIN_AUTHORIZED);
+ {
+ if (p1 == 0)
+ { /* This is to examine status. */
+ if (p2 == 0x81)
+ r = ac_check_status (AC_PSO_CDS_AUTHORIZED);
+ else if (p2 == 0x82)
+ r = ac_check_status (AC_OTHER_AUTHORIZED);
+ else
+ r = ac_check_status (AC_ADMIN_AUTHORIZED);
- if (r)
- GPG_SUCCESS (); /* If authentication done already, return success. */
- else
- { /* If not, return retry counter, encoded. */
- r = gpg_pw_get_retry_counter (p2);
- set_res_sw (0x63, 0xc0 | (r&0x0f));
+ if (r)
+ GPG_SUCCESS (); /* If authentication done already, return success. */
+ else
+ { /* If not, return retry counter, encoded. */
+ r = gpg_pw_get_retry_counter (p2);
+ set_res_sw (0x63, 0xc0 | (r&0x0f));
+ }
 }
-
+ else if (p1 == 0xff)
+ { /* Reset the status. */
+ if (p2 == 0x81)
+ ac_reset_pso_cds ();
+ else if (p2 == 0x82)
+ ac_reset_other ();
+ else
+ ac_reset_admin ();
+ GPG_SUCCESS ();
+ }
+ else
+ GPG_BAD_P1_P2 ();
 return;
 }
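Review bot: In the new `p1 == 0xff` branch, every P2 other than 0x81 or 0x82 falls through to `ac_reset_admin ()` and returns success, so an unrecognised P2 silently clears the admin authentication state instead of being rejected. Matching the admin reference explicitly and refusing the rest would close that, e.g. `else if (p2 == 0x83) ac_reset_admin ();` followed by `else { GPG_BAD_P1_P2 (); return; }`; the status branch above it has the same catch-all `else`. P1 is also validated only inside `if (len == 0)`, and cmd_verify continues past the end of this hunk, so it is worth confirming that the path with a non-empty data field rejects P1 values other than 0 (in particular 0xff sent together with a password body) rather than treating them as a normal verification.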