Avoid passphrase-error-lock by old GnuPG.

ChangeLog

@@ -1,3 +1,12 @@
+2017-11-07  NIIBE Yutaka  <gniibe@fsij.org>
+
+	* src/openpgp-do.c (proc_resetting_code): Error when
+	it's not pass-hash.
+
+	* src/openpgp.c (cmd_verify, cmd_change_password)
+	(cmd_reset_user_password): Avoid authentication error
+	by old GnuPG which doesn't support KDF.
+
 2017-11-06  NIIBE Yutaka  <gniibe@fsij.org>
 
 	* tests/test_empty_card.py (test_extended_capabilities): Support

src/openpgp-do.c

@@ -906,6 +906,9 @@ proc_resetting_code (const uint8_t *data, int len)
 
   DEBUG_INFO ("Resetting Code!\r\n");
 
+  if (gpg_do_read_simple (NR_DO_KDF) && len != 32)
+    return 0;
+
   newpw_len = len;
   newpw = data;
   new_ks0[0] = newpw_len;

src/openpgp.c

@@ -192,6 +192,12 @@ cmd_verify (void)
       return;
     }
 
+  if (gpg_do_read_simple (NR_DO_KDF) && len != 32)
+    {
+      GPG_CONDITION_NOT_SATISFIED ();
+      return;
+    }
+
   /* This is real authentication.  */
   if (p2 == 0x81)
     r = verify_pso_cds (pw, len);
@@ -299,6 +305,12 @@ cmd_change_password (void)
       return;
     }
 
+  if (gpg_do_read_simple (NR_DO_KDF) && len != 64)
+    {
+      GPG_CONDITION_NOT_SATISFIED ();
+      return;
+    }
+
   if (who == BY_USER)			/* PW1 */
     {
       const uint8_t *ks_pw1 = gpg_do_read_simple (NR_DO_KEYSTRING_PW1);
@@ -519,6 +531,12 @@ cmd_reset_user_password (void)
       const uint8_t *ks_rc = gpg_do_read_simple (NR_DO_KEYSTRING_RC);
       uint8_t old_ks[KEYSTRING_MD_SIZE];
 
+      if (gpg_do_read_simple (NR_DO_KDF) && len != 64)
+	{
+	  GPG_CONDITION_NOT_SATISFIED ();
+	  return;
+	}
+
       if (gpg_pw_locked (PW_ERR_RC))
 	{
 	  DEBUG_INFO ("blocked.\r\n");
@@ -583,6 +601,12 @@ cmd_reset_user_password (void)
 	  return;
 	}
 
+      if (gpg_do_read_simple (NR_DO_KDF) && len != 32)
+	{
+	  GPG_CONDITION_NOT_SATISFIED ();
+	  return;
+	}
+
       newpw_len = len;
       newpw = pw;
       random_get_salt (new_salt);