Version 1.1.9

ChangeLog

@@ -1,3 +1,86 @@
+2015-09-18  Niibe Yutaka  <gniibe@fsij.org>
+
+	* VERSION: 1.1.9.
+
+	* src/openpgp-do.c (proc_key_import): Fix error return.
+	(rw_algorithm_attr): Check it's not ALGO_RSA2K.
+
+2015-09-17  Niibe Yutaka  <gniibe@fsij.org>
+
+	* VERSION: 1.1.8.
+
+2015-09-15  Niibe Yutaka  <gniibe@fsij.org>
+
+	* chopstx: Update to 0.10.
+
+	* src/main.c (main): Don't join after calling ccid_usb_reset.
+	* src/usb-icc.c (ccid_thread): Don't finish on reset, but
+	keep running.
+
+	* src/usb_ctrl.c (usb_cb_device_reset): Stop the interface.
+
+	* src/usb_stm32f103.c (std_set_interface): Bug fix for conf.
+
+	* src/gnuk.ld.in (__process3_stack_size__): Increase stack size of
+	GPG thread.
+	(__process2_stack_size__): Increase stack size of RNG.
+	(__process4_stack_size__): Increase stack size of USB.
+	(__main_stack_size__): Decrease stack size of exception handlers.
+	(__process1_stack_size__): Decrease stack size of CCID.
+
+2015-09-14  Niibe Yutaka  <gniibe@fsij.org>
+
+	* src/gnuk.h (LED_GNUK_EXEC): New.
+	* src/main.c, src/usb-icc.c, src/usb_ctrl.c: icc_state_p access
+	clean up.
+
+2015-09-11  Niibe Yutaka  <gniibe@fsij.org>
+
+	* tool/upgrade_by_passwd.py (main): Loop until finding reGNUal
+	device.
+
+2015-09-10  Niibe Yutaka  <gniibe@fsij.org>
+
+	* src/call-rsa.c (rsa_cleanup): New.
+	(rsa_sign, rsa_decrypt, rsa_genkey): Allow cancellation.
+	* src/openpgp.c (cmd_pso, cmd_internal_authenticate): Cancellation
+	is handled by each functions in case of RSA.
+
+2015-09-09  Niibe Yutaka  <gniibe@fsij.org>
+
+	* src/sys.h: Update from Chopstx.
+	* src/adc_stm32f103.c: Update from NeuG.
+
+	* src/openpgp.c (process_command_apdu): Protect command execution
+	against cancelling the execution thread.
+	(cmd_pso, cmd_internal_authenticate): Allow cancellation.
+
+	* src/main.c (main): Handle LED_USB_RESET.
+
+	* src/usb-icc.c (ccid_usb_reset): New.
+	(ccid_thread): Upon receival of EV_USB_RESET, finish
+	the thread, canceling the card thread.
+
+2015-09-08  Niibe Yutaka  <gniibe@fsij.org>
+
+	* src/gnuk.h (EV_USB_RESET, LED_USB_RESET): New.
+
+	* src/usb_ctrl.c (CDC_CTRL_DTR): New.
+	(vcom_port_data_setup): Distinguish detail->value for DTR.
+
+	* src/configure (help): Add ST_DONGLE and ST_NUCLEO_F103.
+
+2015-09-04  Niibe Yutaka  <gniibe@fsij.org>
+
+	* src/openpgp-do.c (do_openpgpcard_aid): Use upper bytes of unique
+	ID of MCU; same as USB serial number.
+
+	* src/configure (help): Add NITROKEY_START.
+
+2015-08-26  Mateusz Zalega  <mateusz@nitrokey.com>
+
+	* GNUK_USB_DEVICE_ID: Add Nitrokey Start.
+
 2015-08-05  Niibe Yutaka  <gniibe@fsij.org>
 
 	* VERSION: 1.1.7.

GNUK_USB_DEVICE_ID

@@ -1,3 +1,4 @@
-# VID:PID	bcdDev	Product_STRING	Vender_STRING
+# VID:PID	bcdDev	Product_STRING	Vendor_STRING
 234b:0000	0200	Gnuk Token	Free Software Initiative of Japan
+20a0:4211	0200	Nitrokey Start	Nitrokey
 ##########<TAB>	##<TAB>	##########<TAB>	#################

NEWS

@@ -1,5 +1,32 @@
 Gnuk NEWS - User visible changes
 
+* Major changes in Gnuk 1.1.9
+
+  Released 2015-09-18, by NIIBE Yutaka
+
+** Bug fix for Ed25519 and Curve25519
+When registering key, wrong operations were not detected correctly.
+This is fixed.
+
+
+* Major changes in Gnuk 1.1.8
+
+  Released 2015-09-17, by NIIBE Yutaka
+
+** Upgrade of Chopstx
+We use Chopstx 0.10, which supports Nitrokey-Start.
+
+** Card serial number
+The way to determine a serial number of Gnuk Token for card has been
+changed.  It uses the 96-bit unique bits of MCU, but the portion for
+use is changed.
+
+** USB Reset handling
+USB reset lets Gnuk Token restart.  It would not be perfect, when it's
+during computation of some function, but most parts are protected by
+Chopstx's feature of cancellation.
+
+
 * Major changes in Gnuk 1.1.7
 
   Released 2015-08-05, by NIIBE Yutaka
@@ -22,7 +49,7 @@ We use Chopstx 0.07, which supports STM32 Primer2 and CQ STARM, too.
 
 ** Experimental Curve25519 support.
 
-Gnuk can support Curve25519 (for deecryption).  Note that this is
+Gnuk can support Curve25519 (for decryption).  Note that this is
 pretty much experimental, and subjects to change.  The low level code
 is somehow stable, but there are no consensus in higer level.
 Especially, OID in the key attribute would be changed in future.

README

@@ -1,26 +1,25 @@
 Gnuk - An Implementation of USB Cryptographic Token for GnuPG
 
-							  Version 1.1.7
-							     2015-08-05
+							  Version 1.1.9
+							     2015-09-18
 							   Niibe Yutaka
 				      Free Software Initiative of Japan
 
 Warning
 =======
 
-This is another experimental release of Gnuk, version 1.1.7, which has
+This is another experimental release of Gnuk, version 1.1.9, which has
 incompatible changes to Gnuk 1.0.x.  Specifically, it now supports
 overriding key import, but importing keys (or generating keys) results
 password reset.  Please update your documentation for Gnuk Token, so
 that the instruction of importing keys won't cause any confusion.  It
 has supports of ECDSA (with NIST P256 and secp256k1), EdDSA, and ECDH
 (with NIST P256, secp256k1, and Curve25519), but this ECC feature is
-pretty much experimental, and it requires development version of GnuPG
-with newest version of libgcrypt (Further, for Curve25519, it requires
-additional patches by me).
+pretty much experimental, and it requires modern GnuPG with
+development version of libgcrypt.
 
-It also support RSA-4096 experimentally, but users should know that it
-takes more than 8 second to sign/decrypt.
+It also supports RSA-4096 experimentally, but users should know that
+it takes more than 8 second to sign/decrypt.
 
 You will not able to keep using Curve25519 keys, as the key format is
 subject to change.
@@ -48,9 +47,9 @@ FAQ
 ===
 
 Q0: How Gnuk USB Token is superior than other solutions (OpenPGP
-    card 2.0, GPF Crypto Stick, etc.) ?
+    card 2.0, YubiKey, etc.) ?
     http://www.g10code.de/p-card.html
-    http://www.privacyfoundation.de/crypto_stick/
+    https://www.yubico.com/
 A0: Good points of Gnuk are:
     * If you have skill of electronics and like DIY, you can build
       Gnuk Token cheaper (see Q8-A8).
@@ -63,21 +62,23 @@ A0: Good points of Gnuk are:
 	    "for Free Software"; Gnuk supports GnuPG.
 
 Q1: What kind of key algorithm is supported?
-A1: Gnuk version 1.0 only supports RSA 2048.
+A1: Gnuk version 1.0 only supports RSA-2048.
     Development version of Gnuk (1.1.x) supports 256-bit ECDSA and EdDSA,
-    as well as RSA 4096-bit.  But it takes long time to sign with RSA 4096.
+    as well as RSA 4096-bit.  But it takes long time to sign with RSA-4096.
 
 Q2: How long does it take for digital signing?
-A2: It takes a second and a half or so. 
+A2: It takes a second and a half or so for RSA-2048. 
 
 Q3: What's your recommendation for target board?
 A3: Orthodox choice is Olimex STM32-H103.
     FST-01 (Flying Stone Tiny 01) is available for sale, and it is a
     kind of the best choice, hopefully.
+    If you have a skill of electronics, STM32 Nucleo F103 is the best
+    choice for experiment.
 
 Q4: What's version of GnuPG are you using?
-A4: In Debian GNU/Linux system, I use gnupg 1.4.12-7 and gnupg-agent
-    2.0.20-1.
+A4: In Debian GNU/Linux system, I use GnuPG modern 2.1.x in
+    experimental.
 
 Q5: What's version of pcscd and libccid are you using?
 A5: I don't use them, pcscd and libccid are optional, you can use Gnuk
@@ -94,8 +95,11 @@ A6: You need a target board plus a JTAG/SWD debugger.  If you just
 Q7: How much does it cost?
 A7: Olimex STM32-H103 plus ARM-USB-TINY-H cost 70 Euro or so.
 
+Q8: How much does it cost for DIY version?
+A8: STM32 Nucleo F103 costs about $10 USD.
+
 Q9: I got an error like "gpg: selecting openpgp failed: ec=6.108", what's up?
-A9: GnuPG's SCDaemon has problems for handling insertion/removal of
+A9: Older GnuPG's SCDaemon has problems for handling insertion/removal of
     card/reader.  When your newly inserted token is not found by
     GnuPG, try killing scdaemon and let it to be invoked again.  I do:
 
@@ -134,15 +138,14 @@ Ac: That's because gnome-keyring-daemon interferes GnuPG.  Please
 
 Qd: Do you know a good SWD debugger to connect FST-01 or something?
 Ad: ST-Link/V2 is cheap one.  We have a tool/stlinkv2.py as flash ROM
-    writer program.
-
-
+    writer program.  STM32 Nucleo F103 comes with the valiant of
+    ST-Link/V2.
 
 
 Release notes
 =============
 
-This is seventh experimental release in version 1.1 series of Gnuk.
+This is ninth experimental release in version 1.1 series of Gnuk.
 
 While it is daily use by its developer, some newly introduced features
 (including ECDSA/EdDSA/ECDH, key generation and firmware upgrade)
@@ -197,12 +200,12 @@ DfuSe is for experiment only, because it is impossible for DfuSe to
 disable read from flash.  For real use, please consider killing DfuSe
 and enabling read protection using JTAG debugger.
 
-For PIN-pad support, I connect a consumer IR receive module to FST-01,
-and use controller for TV.  PIN verification is supported by this
-configuration.  Yes, it is not secure at all, since it is very easy to
-monitor IR output of the controllers.  It is just an experiment.  Note
-that hardware needed for this experiment is only a consumer IR receive
-module which is as cheap as 50 JPY.
+For experimental PIN-pad support, I connect a consumer IR receive
+module to FST-01, and use controller for TV.  PIN verification is
+supported by this configuration.  Yes, it is not secure at all, since
+it is very easy to monitor IR output of the controllers.  It is just
+an experiment.  Note that hardware needed for this experiment is only
+a consumer IR receive module which is as cheap as 50 JPY.
 
 Note that you need pinpad support for GnuPG to use PIN-pad enabled
 Gnuk.  The pinpad support for GnuPG is only available in version 2.
@@ -253,7 +256,7 @@ External source code
 
 Gnuk is distributed with external source code.
 
-* chopstx/  -- Chopstx 0.07
+* chopstx/  -- Chopstx 0.10
 
   We use Chopstx as the kernel for Gnuk.
 
@@ -306,7 +309,7 @@ Gnuk is distributed with external source code.
 USB vendor ID and product ID (USB device ID)
 ============================================
 
-When you have a vender ID and assign a product ID for Gnuk, edit the
+When you have a vendor ID and assign a product ID for Gnuk, edit the
 file GNUK_USB_DEVICE_ID and add an entry for yours.  In this case,
 please contact Niibe, so that it is listed to the file in the official
 release of the source code.
@@ -363,10 +366,16 @@ How to compile
 
 You need GNU toolchain and newlib for 'arm-none-eabi' target.
 
-There is "gcc-arm-embedded" project.  See:
+On Debian we can install the packages of gcc-arm-none-eabi,
+gdb-arm-none-eabi and its friends.  I'm using:
 
-    https://launchpad.net/gcc-arm-embedded/
+	binutils-arm-none-eabi	2.25-5+5+b1
+	gcc-arm-none-eabi 	15:4.9.3+svn227297-1
+	gdb-arm-none-eabi 	7.7.1+dfsg-5+8
+	libnewlib-arm-none-eabi	2.2.0+git20150830.5a3d536-1
 
+Or else, see https://launchpad.net/gcc-arm-embedded for preparation of
+GNU Toolchain for 'arm-none-eabi' target.
 
 Change directory to `src':
 
@@ -582,8 +591,8 @@ I put Chopstx as a submodule of Git.  Please do this:
   $ git submodule init
   $ git submodule update
 
-We have migrated from ChibiOS/RT to Chopstx.  If you have old code of
-ChibiOS/RT, you need:
+We have migrated from ChibiOS/RT to Chopstx in Gnuk 1.1.  If you have
+old code of ChibiOS/RT, you need:
 
     Edit .git/config to remove chibios reference
     git rm --cached chibios

THANKS

@@ -9,18 +9,26 @@ improvements, or fixing bugs.  Here is a list of those people.
 
 Achim Pietig		achim@pietig.com
 Aidan Thornton
+Anibal Monsalve Salazar	anibal@debian.org
 Andre Zepezauer		andre.zepezauer@student.uni-halle.de
 Bertrand Jacquin	bertrand@jacquin.bzh
+Clint Adams		clint@softwarefreedom.org
+Daniel Kahn Gillmor	dkg@fifthhorseman.net
 Hironobu SUZUKI		hironobu@h2np.net
 Jan Suhr		jan@suhr.info
+Jonathan McDowell	noodles@earth.li
 Kaz Kojima		kkojima@rr.iij4u.or.jp
 Ludovic Rousseau	ludovic.rousseau@free.fr
 Luis Felipe R. Murillo	luisfelipe@ucla.edu
+Mateusz Zalega		mateusz@nitrokey.com
 MATSUU Takuto		matsuu@gentoo.org
+Micah Anderson		micah@debian.org
 NAGAMI Takeshi		nagami-takeshi@aist.go.jp
 Nguyễn Hồng Quân	quannguyen@mbm.vn
+Nico Rikken		nico@nicorikken.eu
 NOKUBI Takatsugu	knok@daionet.gr.jp
 Paul Bakker		polarssl_maintainer@polarssl.org
+Santiago Ruano Rincón	santiago@debian.org
 Shane Coughlan		scoughlan@openinventionnetwork.com
 Vasily Evseenko
 Werner Koch		wk@gnupg.org

VERSION

@@ -1 +1 @@
-release/1.1.7
+release/1.1.9

doc/note/firmware-update-2

@@ -0,0 +1,131 @@
+Please refer:
+
+    How can I reflash FST-01 with SWD port?:
+    http://www.gniibe.org/FST-01/q_and_a/swd-debugger.html
+
+
+Installing newer version of Gnuk onto FST-01 with Gnuk 1.0.1
+============================================================
+
+Please note that the feature of firmware upgrade is somewhat
+experimental.  I haven't got any success reports yet, but it's only
+used by me, so far.  When you will get some failure during your
+firmware installation, you will need SWD debugger.  YOU HAVE BEEN
+WARNED.  It is best to try firmware upgrade after you get a SWD
+debugger.
+
+
+The firmare upgrade feature of Gnuk
+------------------------------------
+
+Gnuk supports firmware upgrade by reGNUal.  It works in the following
+steps.
+
+1. User registers RSA public key to Gnuk Token for firmware upgrade
+
+2. When User wants firmware upgrade, user sends
+   the GET_CHALLENGE command then the EXTERNAL_AUTHENTICATE command
+   to Gnuk Token from host PC to authenticate.
+   The EXTERNAL_AUTHENTICATE command message consists of
+   signature (of challenge) by corresponding RSA private key.
+
+3. When Gnuk Token receives the EXTERNAL_AUTHENTICATE command message
+   and validates signature successfully, Gnuk finishes its normal
+   operation and goes to enter mode of loading special program onto RAM.
+
+4. Host PC sends reflashing program (reGNUal) to Gnuk Token.
+
+5. Gnuk clears up all content of flash ROM (but first 4KiB of system)
+   at the end of receiving special program and transfers its control
+   to reGNUal.
+
+6. reGNUal on Gnuk Token receives new firmware image from host PC and writes
+   to each page.
+
+7. Done.
+
+
+Host PC setting for Gnuk
+------------------------
+
+You need proper configuration for permission of Gnuk Token (udev
+setting).  It should have lines something like: ::
+
+  # Gnuk Token by FSIJ
+
+  SUBSYSTEMS=="usb", ACTION=="add", \
+    ATTRS{idVendor}=="234b", ATTRS{idProduct}=="0000", \
+    ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+
+I have those lines in /etc/udev/rules.d/69-gnuk.rules.
+
+
+Building another version (newer) of Gnuk
+----------------------------------------
+
+Please see README of Gnuk for detail, but it's like configure
+and make:  ::
+
+  $ pwd
+  /home/user/src/gnuk
+  $ cd src
+  $ ./configure --vidpid=234b:0000
+  $ make
+
+Please take care of configure options.  The default target in 1.0.x
+series is Olimex STM32 H103 (not FST-01).  The default target in 1.1.8
+is FST-01.
+
+
+Then you get build/gnuk.elf and build/gnuk.bin.
+
+Invoking configure with FSIJ's USB ID (234b:0000) means that you are
+using FSIJ's USB ID (for reGNUal in this case).  Please note that FSIJ
+only allows use of its USB ID for specific situations.  Please read
+README of Gnuk about that.
+
+
+Bulding reGNUal
+---------------
+
+You need to compile reGNUal. ::
+
+  $ cd ../regnual
+  $ make
+
+Then, you should have regnual.bin.  Note that 'configure' of Gnuk
+itself is needed before compiling reGNUal.
+
+
+upgrade_by_passwd.py
+--------------------
+
+In the source code distribution of 1.0.4 (or current development
+version) of Gnuk, there is a tool named 'upgrade_by_passwd.py'.
+
+This is an easy tool to hide lengthy steps from user and to allow user
+firmware upgrade only by password of Gnuk Token.
+
+Before running the script, you need to kill scdaemon: ::
+
+  $ gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye
+
+The command line invokation above assumes that you properly configure
+your environment for Gnuk Token.
+
+
+How to run the script: ::
+
+  $ cd tool
+  $ ./upgrade_by_passwd.py ../regnual/regnual.bin ../src/build/gnuk.bin
+
+Then, the script on your host PC invoke the steps described above, and
+you will get new version of Gnuk installed.
+
+You can also specify -p option to enter your password (other than
+factory setting).
+
+If you already have configured another upgrade key installed, you can
+specify different slot by -k ``<slot_no>`` option.  SLOT_NO can be 0
+to 3.
+-- 

regnual/regnual.c

@@ -68,7 +68,7 @@ static const uint8_t regnual_config_desc[] = {
   9,
   USB_CONFIGURATION_DESCRIPTOR_TYPE, /* bDescriptorType: Configuration */
   18, 0,			/* wTotalLength: no of returned bytes */
-  1,			/* bNumInterfaces: single vender interface */
+  1,			/* bNumInterfaces: single vendor interface */
   0x01,			/* bConfigurationValue: Configuration value */
   0x00,			/* iConfiguration: None */
 #if defined(USB_SELF_POWERED)

src/ac.c

@@ -169,7 +169,7 @@ verify_admin_00 (const uint8_t *pw, int buf_len, int pw_len_known,
   pw_len = ks[0] & PW_LEN_MASK;
   salt = KS_GET_SALT (ks);
   salt_len = SALT_SIZE;
-  
+
   if ((pw_len_known >= 0 && pw_len_known != pw_len) || buf_len < pw_len)
     return -1;
 

src/adc_stm32f103.c

@@ -90,7 +90,7 @@
 #define NEUG_ADC_SETTING1_SQR3  ADC_SQR3_SQ1_N(ADC_CHANNEL_VREFINT)     \
                               | ADC_SQR3_SQ2_N(ADC_CHANNEL_SENSOR)      \
                               | ADC_SQR3_SQ3_N(ADC_CHANNEL_SENSOR)      \
-                              | ADC_SQR3_SQ4_N(ADC_CHANNEL_VREFINT)     
+                              | ADC_SQR3_SQ4_N(ADC_CHANNEL_VREFINT)
 #define NEUG_ADC_SETTING1_NUM_CHANNELS 4
 
 
@@ -149,7 +149,7 @@ get_adc_config (uint32_t config[4])
 
     case BOARD_ID_OLIMEX_STM32_H103:
     case BOARD_ID_STBEE:
-      config[0] = ADC_SMPR1_SMP_AN10(ADC_SAMPLE_1P5) 
+      config[0] = ADC_SMPR1_SMP_AN10(ADC_SAMPLE_1P5)
 		| ADC_SMPR1_SMP_AN11(ADC_SAMPLE_1P5);
       config[1] = 0;
       config[3] = ADC_SQR3_SQ1_N(ADC_CHANNEL_IN10)
@@ -171,6 +171,7 @@ get_adc_config (uint32_t config[4])
     case BOARD_ID_STM8S_DISCOVERY:
     case BOARD_ID_ST_DONGLE:
     case BOARD_ID_ST_NUCLEO_F103:
+    case BOARD_ID_NITROKEY_START:
     default:
       config[0] = 0;
       config[1] = ADC_SMPR2_SMP_AN0(ADC_SAMPLE_1P5)

src/call-rsa.c

@@ -1,7 +1,7 @@
 /*
  * call-rsa.c -- Glue code between RSA computation and OpenPGP card protocol
  *
- * Copyright (C) 2010, 2011, 2012, 2013, 2014
+ * Copyright (C) 2010, 2011, 2012, 2013, 2014, 2015
  *               Free Software Initiative of Japan
  * Author: NIIBE Yutaka <gniibe@fsij.org>
  *
@@ -25,6 +25,8 @@
 #include <stdint.h>
 #include <string.h>
 #include <stdlib.h>
+#include <chopstx.h>
+
 #include "config.h"
 
 #include "gnuk.h"
@@ -34,6 +36,15 @@
 #include "polarssl/rsa.h"
 
 static rsa_context rsa_ctx;
+static struct chx_cleanup clp;
+
+static void
+rsa_cleanup (void *arg)
+{
+  free (arg);
+  rsa_free (&rsa_ctx);
+}
+
 
 int
 rsa_sign (const uint8_t *raw_message, uint8_t *output, int msg_len,
@@ -66,12 +77,20 @@ rsa_sign (const uint8_t *raw_message, uint8_t *output, int msg_len,
   mpi_free (&P1);  mpi_free (&Q1);  mpi_free (&H);
   if (ret == 0)
     {
-      DEBUG_INFO ("RSA sign...");
+      int cs;
 
+      DEBUG_INFO ("RSA sign...");
+      clp.next = NULL;
+      clp.routine = rsa_cleanup;
+      clp.arg = NULL;
+      chopstx_cleanup_push (&clp);
+      cs = chopstx_setcancelstate (0); /* Allow cancellation.  */
       ret = rsa_rsassa_pkcs1_v15_sign (&rsa_ctx, NULL, NULL,
 				       RSA_PRIVATE, SIG_RSA_RAW,
 				       msg_len, raw_message, temp);
       memcpy (output, temp, pubkey_len);
+      chopstx_setcancelstate (cs);
+      chopstx_cleanup_pop (0);
     }
 
   rsa_free (&rsa_ctx);
@@ -150,10 +169,19 @@ rsa_decrypt (const uint8_t *input, uint8_t *output, int msg_len,
   mpi_free (&P1);  mpi_free (&Q1);  mpi_free (&H);
   if (ret == 0)
     {
+      int cs;
+
       DEBUG_INFO ("RSA decrypt ...");
+      clp.next = NULL;
+      clp.routine = rsa_cleanup;
+      clp.arg = NULL;
+      chopstx_cleanup_push (&clp);
+      cs = chopstx_setcancelstate (0); /* Allow cancellation.  */
       ret = rsa_rsaes_pkcs1_v15_decrypt (&rsa_ctx, NULL, NULL,
 					 RSA_PRIVATE, output_len_p, input,
 					 output, MAX_RES_APDU_DATA_SIZE);
+      chopstx_setcancelstate (cs);
+      chopstx_cleanup_pop (0);
     }
 
   rsa_free (&rsa_ctx);
@@ -213,6 +241,8 @@ rsa_genkey (int pubkey_len)
   uint8_t *p = p_q_modulus;
   uint8_t *q = p_q_modulus + pubkey_len / 2;
   uint8_t *modulus = p_q_modulus + pubkey_len;
+  int cs;
+
   extern int prng_seed (int (*f_rng)(void *, unsigned char *, size_t),
 			void *p_rng);
   extern void neug_flush (void);
@@ -222,12 +252,19 @@ rsa_genkey (int pubkey_len)
 
   neug_flush ();
   prng_seed (random_gen, &index);
-
   rsa_init (&rsa_ctx, RSA_PKCS_V15, 0);
+
+  clp.next = NULL;
+  clp.routine = rsa_cleanup;
+  clp.arg = (void *)p_q_modulus;
+  chopstx_cleanup_push (&clp);
+  cs = chopstx_setcancelstate (0); /* Allow cancellation.  */
   MPI_CHK( rsa_gen_key (&rsa_ctx, random_gen, &index, pubkey_len * 8,
 			RSA_EXPONENT) );
   if (ret != 0)
     {
+      chopstx_setcancelstate (cs);
+      chopstx_cleanup_pop (0);
       free (p_q_modulus);
       rsa_free (&rsa_ctx);
       return NULL;
@@ -238,6 +275,8 @@ rsa_genkey (int pubkey_len)
   MPI_CHK( mpi_write_binary (&rsa_ctx.N, modulus, pubkey_len) );
 
  cleanup:
+  chopstx_setcancelstate (cs);
+  chopstx_cleanup_pop (0);
   rsa_free (&rsa_ctx);
   if (ret != 0)
       return NULL;

src/configure

@@ -107,6 +107,9 @@ Configuration:
 			   STBEE
 			   STBEE_MINI
 			   MAPLE_MINI
+			   ST_DONGLE
+			   ST_NUCLEO_F103
+			   NITROKEY_START
 			   CQ_STARM
 			   FST_01_00 (unreleased version with 8MHz XTAL)
   --enable-debug	debug with virtual COM port	[no]

src/ecc-edwards.c

@@ -50,7 +50,7 @@
  * IMPLEMENTATION NOTE
  *
  * (0) We assume that the processor has no cache, nor branch target
- *     prediction.  Thus, we don't avoid indexing by secret value. 
+ *     prediction.  Thus, we don't avoid indexing by secret value.
  *     We don't avoid conditional jump if both cases have same timing,
  *     either.
  *
@@ -235,7 +235,7 @@ point_add (ptc *X, const ptc *A, const ac *B)
  * @param X	Destination AC
  * @param A	PTC
  *
- * (X1:Y1:Z1) represents the affine point (x=X1/Z1, y=Y1/Z1) 
+ * (X1:Y1:Z1) represents the affine point (x=X1/Z1, y=Y1/Z1)
  */
 static void
 point_ptc_to_ac (ac *X, const ptc *A)
@@ -258,195 +258,195 @@ point_ptc_to_ac (ac *X, const ptc *A)
 static const ac precomputed_KG[16] = {
   { {{{ 0, 0, 0, 0, 0, 0, 0, 0 }}},
     {{{ 1, 0, 0, 0, 0, 0, 0, 0 }}}                         },
-  { {{{ 0x8f25d51a, 0xc9562d60, 0x9525a7b2, 0x692cc760, 
+  { {{{ 0x8f25d51a, 0xc9562d60, 0x9525a7b2, 0x692cc760,
         0xfdd6dc5c, 0xc0a4e231, 0xcd6e53fe, 0x216936d3 }}},
-    {{{ 0x66666658, 0x66666666, 0x66666666, 0x66666666, 
+    {{{ 0x66666658, 0x66666666, 0x66666666, 0x66666666,
         0x66666666, 0x66666666, 0x66666666, 0x66666666 }}} },
-  { {{{ 0x3713af22, 0xac7137bd, 0xac634604, 0x25ed77a4, 
+  { {{{ 0x3713af22, 0xac7137bd, 0xac634604, 0x25ed77a4,
         0xa815e038, 0xce0d0064, 0xbca90151, 0x041c030f }}},
-    {{{ 0x0780f989, 0xe9b33fcf, 0x3d4445e7, 0xe4e97c2a, 
+    {{{ 0x0780f989, 0xe9b33fcf, 0x3d4445e7, 0xe4e97c2a,
         0x655e5c16, 0xc67dc71c, 0xee43fb7a, 0x72467625 }}} },
-  { {{{ 0x3ee99893, 0x76a19171, 0x7ba9b065, 0xe647edd9, 
+  { {{{ 0x3ee99893, 0x76a19171, 0x7ba9b065, 0xe647edd9,
         0x6aeae260, 0x31f39299, 0x5f4a9bb2, 0x6d9e4545 }}},
-    {{{ 0x94cae280, 0xc41433da, 0x79061211, 0x8e842de8, 
+    {{{ 0x94cae280, 0xc41433da, 0x79061211, 0x8e842de8,
         0xa259dc8a, 0xaab95e0b, 0x99013cd0, 0x28bd5fc3 }}} },
-  { {{{ 0x7d23ea24, 0x59e22c56, 0x0460850e, 0x1e745a88, 
+  { {{{ 0x7d23ea24, 0x59e22c56, 0x0460850e, 0x1e745a88,
         0xda13ef4b, 0x4583ff4c, 0x95083f85, 0x1f13202c }}},
-    {{{ 0x90275f48, 0xad42025c, 0xb55c4778, 0x0085087e, 
+    {{{ 0x90275f48, 0xad42025c, 0xb55c4778, 0x0085087e,
         0xfdfd7ffa, 0xf21109e7, 0x6c381b7e, 0x66336d35 }}} },
-  { {{{ 0xd00851f2, 0xaa9476ab, 0x4a61600b, 0xe7838534, 
+  { {{{ 0xd00851f2, 0xaa9476ab, 0x4a61600b, 0xe7838534,
         0x1a52df87, 0x0de65625, 0xbd675870, 0x5f0dd494 }}},
-    {{{ 0xe23493ba, 0xf20aec1b, 0x3414b0a8, 0x8f7f2741, 
+    {{{ 0xe23493ba, 0xf20aec1b, 0x3414b0a8, 0x8f7f2741,
         0xa80e1eb6, 0x497e74bd, 0xe9365b15, 0x1648eaac }}} },
-  { {{{ 0x04ac2b69, 0x5b78dcec, 0x32001a73, 0xecdb66ce, 
+  { {{{ 0x04ac2b69, 0x5b78dcec, 0x32001a73, 0xecdb66ce,
         0xb34cf697, 0xb75832f4, 0x3a2bce94, 0x7aaf57c5 }}},
-    {{{ 0x60fdfc6f, 0xb32ed2ce, 0x757924c6, 0x77bf20be, 
+    {{{ 0x60fdfc6f, 0xb32ed2ce, 0x757924c6, 0x77bf20be,
         0x48742dd1, 0xaebd15dd, 0x55d38439, 0x6311bb16 }}} },
-  { {{{ 0x42ff5c97, 0x139cdd73, 0xdbd82964, 0xee4c359e, 
+  { {{{ 0x42ff5c97, 0x139cdd73, 0xdbd82964, 0xee4c359e,
         0x70611a3f, 0x91c1cd94, 0x8075dbcb, 0x1d0c34f6 }}},
-    {{{ 0x5f931219, 0x43eaa549, 0xa23d35a6, 0x3737aba7, 
+    {{{ 0x5f931219, 0x43eaa549, 0xa23d35a6, 0x3737aba7,
         0x46f167bb, 0x54b1992f, 0xb74a9944, 0x01a11f3c }}} },
-  { {{{ 0xba46b161, 0x67a5310e, 0xd9d67f6c, 0x790f8527, 
+  { {{{ 0xba46b161, 0x67a5310e, 0xd9d67f6c, 0x790f8527,
         0x2f6cc814, 0x359c5b5f, 0x7786383d, 0x7b6a5565 }}},
-    {{{ 0x663ab0d3, 0xf1431b60, 0x09995826, 0x14a32d8f, 
+    {{{ 0x663ab0d3, 0xf1431b60, 0x09995826, 0x14a32d8f,
         0xeddb8571, 0x61d526f6, 0x0eac739a, 0x0cb7acea }}} },
-  { {{{ 0x4a2d009f, 0x5eb1a697, 0xd8df987a, 0xdacb43b4, 
+  { {{{ 0x4a2d009f, 0x5eb1a697, 0xd8df987a, 0xdacb43b4,
         0x8397f958, 0x4870f214, 0x8a175fbb, 0x5aa0c67c }}},
-    {{{ 0x78887db3, 0x27dbbd4c, 0x64e322ab, 0xe327b707, 
+    {{{ 0x78887db3, 0x27dbbd4c, 0x64e322ab, 0xe327b707,
         0x7cbe4e3b, 0x87e293fa, 0xbda72395, 0x17040799 }}} },
-  { {{{ 0x99d1e696, 0xc833a5a2, 0x2d9d5877, 0x969bff8e, 
+  { {{{ 0x99d1e696, 0xc833a5a2, 0x2d9d5877, 0x969bff8e,
         0x2216fa67, 0x383a533a, 0x684d3925, 0x338bbe0a }}},
-    {{{ 0xd6cfb491, 0x35b5aae8, 0xaa12f3f8, 0x4a588279, 
+    {{{ 0xd6cfb491, 0x35b5aae8, 0xaa12f3f8, 0x4a588279,
         0x2e30380e, 0xa7c2e708, 0x9e4b3d62, 0x69f13e09 }}} },
-  { {{{ 0x27f1cd56, 0xec0dc2ef, 0xdb11cc97, 0x1af11548, 
+  { {{{ 0x27f1cd56, 0xec0dc2ef, 0xdb11cc97, 0x1af11548,
         0x9ebc7613, 0xb642f86a, 0xcb77c3b9, 0x5ce45e73 }}},
-    {{{ 0x3eddd6de, 0x5d128786, 0x4859eab7, 0x16f9a6b4, 
+    {{{ 0x3eddd6de, 0x5d128786, 0x4859eab7, 0x16f9a6b4,
         0xd8782345, 0x55c53916, 0xdb7b202a, 0x6b1dfa87 }}} },
-  { {{{ 0x19e30528, 0x2461a8ed, 0x665cfb1c, 0xaf756bf9, 
+  { {{{ 0x19e30528, 0x2461a8ed, 0x665cfb1c, 0xaf756bf9,
         0x3a6e8673, 0x0fcafd1d, 0x45d10f48, 0x0d264435 }}},
-    {{{ 0x5431db67, 0x543fd4c6, 0x60932432, 0xc153a5b3, 
+    {{{ 0x5431db67, 0x543fd4c6, 0x60932432, 0xc153a5b3,
         0xd2119aa4, 0x41d5b8eb, 0x8b09b6a5, 0x36bd9ab4 }}} },
-  { {{{ 0x21e06738, 0x6d39f935, 0x3765dd86, 0x4e6a7c59, 
+  { {{{ 0x21e06738, 0x6d39f935, 0x3765dd86, 0x4e6a7c59,
         0xa4730880, 0xefc0dd80, 0x4079fe2f, 0x40617e56 }}},
-    {{{ 0x921439b9, 0xbc83cdff, 0x98833c09, 0xd5cccc06, 
+    {{{ 0x921439b9, 0xbc83cdff, 0x98833c09, 0xd5cccc06,
         0xda13cdcb, 0xe315c425, 0x67ff5370, 0x37bc6e84 }}} },
-  { {{{ 0xf643b5f5, 0x65e7f028, 0x0ffbf5a8, 0x5b0d4831, 
+  { {{{ 0xf643b5f5, 0x65e7f028, 0x0ffbf5a8, 0x5b0d4831,
         0xf4085f62, 0x0f540498, 0x0db7bd1b, 0x6f0bb035 }}},
-    {{{ 0x9733742c, 0x51f65571, 0xf513409f, 0x2fc047a0, 
+    {{{ 0x9733742c, 0x51f65571, 0xf513409f, 0x2fc047a0,
         0x355facf6, 0x07f45010, 0x3a989a9c, 0x5cd416a9 }}} },
-  { {{{ 0x748f2a67, 0x0bdd7208, 0x415b7f7f, 0x0cf0b80b, 
+  { {{{ 0x748f2a67, 0x0bdd7208, 0x415b7f7f, 0x0cf0b80b,
         0x57aa0119, 0x44afdd5f, 0x430dc946, 0x05d68802 }}},
-    {{{ 0x1a60eeb2, 0x420c46e5, 0x665024f5, 0xc60a9b33, 
+    {{{ 0x1a60eeb2, 0x420c46e5, 0x665024f5, 0xc60a9b33,
         0x48c51347, 0x37520265, 0x00a21bfb, 0x6f4be0af }}} }
 };
 
 static const ac precomputed_2E_KG[16] = {
   { {{{ 0, 0, 0, 0, 0, 0, 0, 0 }}},
     {{{ 1, 0, 0, 0, 0, 0, 0, 0 }}}                         },
-  { {{{ 0x199c4f7d, 0xec314ac0, 0xb2ebaaf9, 0x66a39c16, 
+  { {{{ 0x199c4f7d, 0xec314ac0, 0xb2ebaaf9, 0x66a39c16,
         0xedd4d15f, 0xab1c92b8, 0x57d9eada, 0x482a4cdf }}},
-    {{{ 0x6e4eb04b, 0xbd513b11, 0x25e4fd6a, 0x3f115fa5, 
+    {{{ 0x6e4eb04b, 0xbd513b11, 0x25e4fd6a, 0x3f115fa5,
         0x14519298, 0x0b3c5fc6, 0x81c2f7a8, 0x7391de43 }}} },
-  { {{{ 0x1254fe02, 0xa57dca18, 0x6da34368, 0xa56a2a14, 
+  { {{{ 0x1254fe02, 0xa57dca18, 0x6da34368, 0xa56a2a14,
         0x63e7328e, 0x44c6e34f, 0xca63ab3e, 0x3f748617 }}},
-    {{{ 0x7dc1641e, 0x5a13dc52, 0xee4e9ca1, 0x4cbb2899, 
+    {{{ 0x7dc1641e, 0x5a13dc52, 0xee4e9ca1, 0x4cbb2899,
         0x1ba9acee, 0x3938a289, 0x420fc47b, 0x0fed89e6 }}} },
-  { {{{ 0x49cbad08, 0x3c193f32, 0x15e80ef5, 0xdda71ef1, 
+  { {{{ 0x49cbad08, 0x3c193f32, 0x15e80ef5, 0xdda71ef1,
         0x9d128c33, 0xda44186c, 0xbf98c24f, 0x54183ede }}},
-    {{{ 0x93d165c1, 0x2cb483f7, 0x177f44aa, 0x51762ace, 
+    {{{ 0x93d165c1, 0x2cb483f7, 0x177f44aa, 0x51762ace,
         0xb4ab035d, 0xb3fe651b, 0xa0b0d4e5, 0x426c99c3 }}} },
-  { {{{ 0xef3f3fb1, 0xb3fcf4d8, 0x065060a0, 0x7052292b, 
+  { {{{ 0xef3f3fb1, 0xb3fcf4d8, 0x065060a0, 0x7052292b,
         0x24240b15, 0x18795ff8, 0x9989ffcc, 0x13aea184 }}},
-    {{{ 0xc2b81f44, 0x1930c101, 0x10600555, 0x672d6ca4, 
+    {{{ 0xc2b81f44, 0x1930c101, 0x10600555, 0x672d6ca4,
         0x1b25e570, 0xfbddbff2, 0x8ca12b70, 0x0884949c }}} },
-  { {{{ 0x00564bbf, 0x9983a033, 0xde61b72d, 0x95587d25, 
+  { {{{ 0x00564bbf, 0x9983a033, 0xde61b72d, 0x95587d25,
         0xeb17ad71, 0xb6719dfb, 0xc0bc3517, 0x46871ad0 }}},
-    {{{ 0xe95a6693, 0xb034fb61, 0x76eabad9, 0x5b0d8d18, 
+    {{{ 0xe95a6693, 0xb034fb61, 0x76eabad9, 0x5b0d8d18,
         0x884785dc, 0xad295dd0, 0x74a1276a, 0x359debad }}} },
-  { {{{ 0xe89fb5ca, 0x2e5a2686, 0x5656c6c5, 0xd3d200ba, 
+  { {{{ 0xe89fb5ca, 0x2e5a2686, 0x5656c6c5, 0xd3d200ba,
         0x9c969001, 0xef4c051e, 0x02cb45f4, 0x0d4ea946 }}},
-    {{{ 0x76d6e506, 0xa6f8a422, 0x63209e23, 0x454c768f, 
+    {{{ 0x76d6e506, 0xa6f8a422, 0x63209e23, 0x454c768f,
         0x2b372386, 0x5c12fd04, 0xdbfee11f, 0x1aedbd3e }}} },
-  { {{{ 0x00dbf569, 0x700ab50f, 0xd335b313, 0x9553643c, 
+  { {{{ 0x00dbf569, 0x700ab50f, 0xd335b313, 0x9553643c,
         0xa17dc97e, 0xeea9bddf, 0x3350a2bd, 0x0d12fe3d }}},
-    {{{ 0xa16a3dee, 0xe5ac35fe, 0xf81950c3, 0x4ae4664a, 
+    {{{ 0xa16a3dee, 0xe5ac35fe, 0xf81950c3, 0x4ae4664a,
         0x3dbbf921, 0x75c63df4, 0x2958a5a6, 0x545b109c }}} },
-  { {{{ 0x0a61b29c, 0xd7a52a98, 0x65aca9ee, 0xe21e0acb, 
+  { {{{ 0x0a61b29c, 0xd7a52a98, 0x65aca9ee, 0xe21e0acb,
         0x5985dcbe, 0x57a69c0f, 0xeb87a534, 0x3c0c1e7b }}},
-    {{{ 0x6384bd2f, 0xf0a0b50d, 0xc6939e4b, 0xff349a34, 
+    {{{ 0x6384bd2f, 0xf0a0b50d, 0xc6939e4b, 0xff349a34,
         0x6e2f1973, 0x922c4554, 0xf1347631, 0x74e826b2 }}} },
-  { {{{ 0xa655803c, 0xd7eaa066, 0x38292c5c, 0x09504e76, 
+  { {{{ 0xa655803c, 0xd7eaa066, 0x38292c5c, 0x09504e76,
         0x2c874953, 0xe298a02e, 0x8932b73f, 0x225093ed }}},
-    {{{ 0xe69c3efd, 0xf93e2b4d, 0x8a87c799, 0xa2cbd5fc, 
+    {{{ 0xe69c3efd, 0xf93e2b4d, 0x8a87c799, 0xa2cbd5fc,
         0x85dba986, 0xdf41da94, 0xccee8edc, 0x36fe85e7 }}} },
-  { {{{ 0x7d742813, 0x78df7dc5, 0x4a193e64, 0x333bcc6d, 
+  { {{{ 0x7d742813, 0x78df7dc5, 0x4a193e64, 0x333bcc6d,
         0x6a966d2d, 0x8242aa25, 0x4cd36d32, 0x03500a94 }}},
-    {{{ 0x580505d7, 0xd5d110fc, 0xfa11e1e9, 0xb2f47e16, 
+    {{{ 0x580505d7, 0xd5d110fc, 0xfa11e1e9, 0xb2f47e16,
         0x06eab6b4, 0xd0030f92, 0x62c91d46, 0x2dc80d5f }}} },
-  { {{{ 0x2a75e492, 0x5788b01a, 0xbae31352, 0x992acf54, 
+  { {{{ 0x2a75e492, 0x5788b01a, 0xbae31352, 0x992acf54,
         0x8159db27, 0x4591b980, 0xd3d84740, 0x36c6533c }}},
-    {{{ 0x103883b5, 0xc44c7c00, 0x515d0820, 0x10329423, 
+    {{{ 0x103883b5, 0xc44c7c00, 0x515d0820, 0x10329423,
         0x71b9dc16, 0xbd306903, 0xf88f8d32, 0x7edd5a95 }}} },
-  { {{{ 0x005523d7, 0xfd63b1ac, 0xad70dd21, 0x74482e0d, 
+  { {{{ 0x005523d7, 0xfd63b1ac, 0xad70dd21, 0x74482e0d,
         0x02b56105, 0x67c9d9d0, 0x5971b456, 0x4d318012 }}},
-    {{{ 0x841106df, 0xdc9a6f6d, 0xa326987f, 0x7c52ed9d, 
+    {{{ 0x841106df, 0xdc9a6f6d, 0xa326987f, 0x7c52ed9d,
         0x00607ea0, 0x4dbeaa6f, 0x6959e688, 0x115c221d }}} },
-  { {{{ 0xc80f7c16, 0xf8718464, 0xe9930634, 0x05dc8f40, 
+  { {{{ 0xc80f7c16, 0xf8718464, 0xe9930634, 0x05dc8f40,
         0xc2e9d5f4, 0xefa699bb, 0x021da209, 0x2469e813 }}},
-    {{{ 0xc602a3c4, 0x75c02845, 0x0a200f9d, 0x49d1b2ce, 
+    {{{ 0xc602a3c4, 0x75c02845, 0x0a200f9d, 0x49d1b2ce,
         0x2fb3ec8f, 0xd21b75e4, 0xd72a7545, 0x10dd726a }}} },
-  { {{{ 0x63ef1a6c, 0xeda58527, 0x051705e0, 0xb3fc0e72, 
+  { {{{ 0x63ef1a6c, 0xeda58527, 0x051705e0, 0xb3fc0e72,
         0x44f1161f, 0xbda6f3ee, 0xf339efe5, 0x7680aebf }}},
-    {{{ 0xb1b070a7, 0xe8d3fd01, 0xdbfbaaa0, 0xc3ff7dbf, 
+    {{{ 0xb1b070a7, 0xe8d3fd01, 0xdbfbaaa0, 0xc3ff7dbf,
         0xa320c916, 0xd81ef6f2, 0x62a3b54d, 0x3e22a1fb }}} },
-  { {{{ 0xb1fa18c8, 0xcdbb9187, 0xcb483a17, 0x8ddb5f6b, 
+  { {{{ 0xb1fa18c8, 0xcdbb9187, 0xcb483a17, 0x8ddb5f6b,
         0xea49af98, 0xc0a880b9, 0xf2dfddd0, 0x53bf600b }}},
-    {{{ 0x9e25b164, 0x4217404c, 0xafb74aa7, 0xfabf06ee, 
+    {{{ 0x9e25b164, 0x4217404c, 0xafb74aa7, 0xfabf06ee,
         0x2b9f233c, 0xb17712ae, 0xd0eb909e, 0x71f0b344 }}} }
 };
 
 static const ac precomputed_4E_KG[16] = {
   { {{{ 0, 0, 0, 0, 0, 0, 0, 0 }}},
     {{{ 1, 0, 0, 0, 0, 0, 0, 0 }}}                         },
-  { {{{ 0xe388a820, 0xbb6ec091, 0x5182278a, 0xa928b283, 
+  { {{{ 0xe388a820, 0xbb6ec091, 0x5182278a, 0xa928b283,
         0xa9a6eb83, 0x2259174d, 0x45500054, 0x184b48cb }}},
-    {{{ 0x26e77c33, 0xfe324dba, 0x83faf453, 0x6679a5e3, 
+    {{{ 0x26e77c33, 0xfe324dba, 0x83faf453, 0x6679a5e3,
         0x2380ef73, 0xdd60c268, 0x03dc33a9, 0x3ee0e07a }}} },
-  { {{{ 0xce974493, 0x403aff28, 0x9bf6f5c4, 0x84076bf4, 
+  { {{{ 0xce974493, 0x403aff28, 0x9bf6f5c4, 0x84076bf4,
         0xecd898fb, 0xec57038c, 0xb663ed49, 0x2898ffaa }}},
-    {{{ 0xf335163d, 0xf4b3bc46, 0xfa4fb6c6, 0xe613a0f4, 
+    {{{ 0xf335163d, 0xf4b3bc46, 0xfa4fb6c6, 0xe613a0f4,
         0xb9934557, 0xe759d6bc, 0xab6c9477, 0x094f3b96 }}} },
-  { {{{ 0x6afffe9e, 0x168bb5a0, 0xee748c29, 0x950f7ad7, 
+  { {{{ 0x6afffe9e, 0x168bb5a0, 0xee748c29, 0x950f7ad7,
         0xda17203d, 0xa4850a2b, 0x77289e0f, 0x0062f7a7 }}},
-    {{{ 0x4b3829fa, 0x6265d4e9, 0xbdfcd386, 0x4f155ada, 
+    {{{ 0x4b3829fa, 0x6265d4e9, 0xbdfcd386, 0x4f155ada,
         0x475795f6, 0x9f38bda4, 0xdece4a4c, 0x560ed4b3 }}} },
-  { {{{ 0x141e648a, 0xdad4570a, 0x019b965c, 0x8bbf674c, 
+  { {{{ 0x141e648a, 0xdad4570a, 0x019b965c, 0x8bbf674c,
         0xdb08fe30, 0xd7a8d50d, 0xa2851109, 0x7efb45d3 }}},
-    {{{ 0xd0c28cda, 0x52e818ac, 0xa321d436, 0x792257dd, 
+    {{{ 0xd0c28cda, 0x52e818ac, 0xa321d436, 0x792257dd,
         0x9d71f8b7, 0x867091c6, 0x11a1bf56, 0x0fe1198b }}} },
-  { {{{ 0x06137ab1, 0x4e848339, 0x3e6674cc, 0x5673e864, 
+  { {{{ 0x06137ab1, 0x4e848339, 0x3e6674cc, 0x5673e864,
         0x0140502b, 0xad882043, 0x6ea1e46a, 0x34b5c0cb }}},
-    {{{ 0x1d70aa7c, 0x29786814, 0x8cdbb8aa, 0x840ae3f9, 
+    {{{ 0x1d70aa7c, 0x29786814, 0x8cdbb8aa, 0x840ae3f9,
         0xbd4801fb, 0x78b4d622, 0xcf18ae9a, 0x6cf4e146 }}} },
-  { {{{ 0x36297168, 0x95c270ad, 0x942e7812, 0x2303ce80, 
+  { {{{ 0x36297168, 0x95c270ad, 0x942e7812, 0x2303ce80,
         0x0205cf0e, 0x71908cc2, 0x32bcd754, 0x0cc15edd }}},
-    {{{ 0x2c7ded86, 0x1db94364, 0xf141b22c, 0xc694e39b, 
+    {{{ 0x2c7ded86, 0x1db94364, 0xf141b22c, 0xc694e39b,
         0x5e5a9312, 0xf22f64ef, 0x3c5e6155, 0x649b8859 }}} },
-  { {{{ 0xb6417945, 0x0d5611c6, 0xac306c97, 0x9643fdbf, 
+  { {{{ 0xb6417945, 0x0d5611c6, 0xac306c97, 0x9643fdbf,
         0x0df500ff, 0xe81faaa4, 0x6f50e615, 0x0792c79b }}},
-    {{{ 0xd2af8c8d, 0xb45bbc49, 0x84f51bfe, 0x16c615ab, 
+    {{{ 0xd2af8c8d, 0xb45bbc49, 0x84f51bfe, 0x16c615ab,
         0xc1d02d32, 0xdc57c526, 0x3c8aaa55, 0x5fb9a9a6 }}} },
-  { {{{ 0xdee40b98, 0x82faa8db, 0x6d520674, 0xff8a5208, 
+  { {{{ 0xdee40b98, 0x82faa8db, 0x6d520674, 0xff8a5208,
         0x446ac562, 0x1f8c510f, 0x2cc6b66e, 0x4676d381 }}},
-    {{{ 0x2e7429f4, 0x8f1aa780, 0x8ed6bdf6, 0x2a95c1bf, 
+    {{{ 0x2e7429f4, 0x8f1aa780, 0x8ed6bdf6, 0x2a95c1bf,
         0x457fa0eb, 0x051450a0, 0x744c57b1, 0x7d89e2b7 }}} },
-  { {{{ 0x3f95ea15, 0xb6bdacd2, 0x2f1a5d69, 0xc9a9d1b1, 
+  { {{{ 0x3f95ea15, 0xb6bdacd2, 0x2f1a5d69, 0xc9a9d1b1,
         0xf4d22d72, 0xd4c2f1a9, 0x4dc516b5, 0x73ecfdf1 }}},
-    {{{ 0x05391e08, 0xa1ce93cd, 0x7b8aac17, 0x98f1e99e, 
+    {{{ 0x05391e08, 0xa1ce93cd, 0x7b8aac17, 0x98f1e99e,
         0xa098cbb3, 0x9ba84f2e, 0xf9bdd37a, 0x1425aa8b }}} },
-  { {{{ 0x966abfc0, 0x8a385bf4, 0xf081a640, 0x55e5e8bc, 
+  { {{{ 0x966abfc0, 0x8a385bf4, 0xf081a640, 0x55e5e8bc,
         0xee26f5ff, 0x835dff85, 0xe509e1ea, 0x4927e622 }}},
-    {{{ 0x352334b0, 0x164c8dbc, 0xa3fea31f, 0xcac1ad63, 
+    {{{ 0x352334b0, 0x164c8dbc, 0xa3fea31f, 0xcac1ad63,
         0x682fd457, 0x9b87a676, 0x1a53145f, 0x75f382ff }}} },
-  { {{{ 0xc3efcb46, 0x16b944f5, 0x68cb184c, 0x1fb55714, 
+  { {{{ 0xc3efcb46, 0x16b944f5, 0x68cb184c, 0x1fb55714,
         0x9ccf2dc8, 0xf1c2b116, 0x808283d8, 0x7417e00f }}},
-    {{{ 0x930199ba, 0x1ea67a22, 0x718990d8, 0x9fbaf765, 
+    {{{ 0x930199ba, 0x1ea67a22, 0x718990d8, 0x9fbaf765,
         0x8f3d5d57, 0x231fc664, 0xe5853194, 0x38141a19 }}} },
-  { {{{ 0x2f81290d, 0xb9f00390, 0x04a9ca6c, 0x44877827, 
+  { {{{ 0x2f81290d, 0xb9f00390, 0x04a9ca6c, 0x44877827,
         0xe1dbdd65, 0x65d7f9b9, 0xf7c6698a, 0x7133424c }}},
-    {{{ 0xa7cd250f, 0x604cfb3c, 0x5acc18f3, 0x460c3c4b, 
+    {{{ 0xa7cd250f, 0x604cfb3c, 0x5acc18f3, 0x460c3c4b,
         0xb518e3eb, 0xa53e50e0, 0x98a40196, 0x2b4b9267 }}} },
-  { {{{ 0xc5dbd06c, 0x591b0672, 0xaa1eeb65, 0x10d43dca, 
+  { {{{ 0xc5dbd06c, 0x591b0672, 0xaa1eeb65, 0x10d43dca,
         0xcd2517af, 0x420cdef8, 0x0b695a8a, 0x513a307e }}},
-    {{{ 0x66503215, 0xee9d6a7b, 0x088fd9a4, 0xdea58720, 
+    {{{ 0x66503215, 0xee9d6a7b, 0x088fd9a4, 0xdea58720,
         0x973afe12, 0x8f3cbbea, 0x872f2538, 0x005c2350 }}} },
-  { {{{ 0x35af3291, 0xe5024b70, 0x4f5e669a, 0x1d3eec2d, 
+  { {{{ 0x35af3291, 0xe5024b70, 0x4f5e669a, 0x1d3eec2d,
         0x6e79d539, 0xc1f6d766, 0x795b5248, 0x34ec043f }}},
-    {{{ 0x400960b6, 0xb2763511, 0x29e57df0, 0xff7a3d84, 
+    {{{ 0x400960b6, 0xb2763511, 0x29e57df0, 0xff7a3d84,
         0x1666c1f1, 0xaeac7792, 0x66084bc0, 0x72426e97 }}} },
-  { {{{ 0x44f826ca, 0x5b1c3199, 0x790aa408, 0x68b00b73, 
+  { {{{ 0x44f826ca, 0x5b1c3199, 0x790aa408, 0x68b00b73,
         0x69e9b92b, 0xaf0984b4, 0x3ffe9093, 0x5fe6736f }}},
-    {{{ 0xffd49312, 0xd67f2889, 0x5cb9ed21, 0x3520d747, 
+    {{{ 0xffd49312, 0xd67f2889, 0x5cb9ed21, 0x3520d747,
         0x3c65a606, 0x94f893b1, 0x2d65496f, 0x2fee5e8c }}} }
 };
 
@@ -586,7 +586,7 @@ bnX_mul_C (uint32_t *r, const uint32_t *q, int q_size)
 
 /**
  * @brief R = A mod M (using M=2^252+C) (Barret reduction)
- * 
+ *
  * See HAC 14.47.
  */
 static void

src/ecc-mont.c

@@ -33,7 +33,7 @@
  * References:
  *
  * [1] D. J. Bernstein. Curve25519: new Diffie-Hellman speed records.
- *     Proceedings of PKC 2006, to appear. 
+ *     Proceedings of PKC 2006, to appear.
  *     http://cr.yp.to/papers.html#curve25519. Date: 2006.02.09.
  *
  * [2] D. J. Bernstein. Can we avoid tests for zero in fast
@@ -46,7 +46,7 @@
  * IMPLEMENTATION NOTE
  *
  * (0) We assume that the processor has no cache, nor branch target
- *     prediction.  Thus, we don't avoid indexing by secret value. 
+ *     prediction.  Thus, we don't avoid indexing by secret value.
  *     We don't avoid conditional jump if both cases have same timing,
  *     either.
  *

src/ecc.c

@@ -34,7 +34,7 @@
  *     Pages 250-265, Springer-Verlag London, UK, 2001
  *     ISBN:3-540-41898-9
  *
- * [3] Mustapha Hedabou, Pierre Pinel, Lucien Bénéteau, 
+ * [3] Mustapha Hedabou, Pierre Pinel, Lucien Bénéteau,
  *     A comb method to render ECC resistant against Side Channel Attacks,
  *     2004
  */

src/flash.c

@@ -338,7 +338,7 @@ uint8_t *
 flash_key_alloc (enum kind_of_key kk)
 {
   uint8_t *k, *k0 = flash_key_getpage (kk);
-  int i; 
+  int i;
   int key_size = gpg_get_algo_attr_key_size (kk, GPG_KEY_STORAGE);
 
   /* Seek free space in the page.  */

src/gnuk.h

@@ -22,19 +22,21 @@ extern struct apdu apdu;
 #define CARD_CHANGE_REMOVE 1
 #define CARD_CHANGE_TOGGLE 2
 void ccid_card_change_signal (int how);
+void ccid_usb_reset (void);
 
 /* CCID thread */
-#define EV_RX_DATA_READY (1) /* USB Rx data available  */
-#define EV_EXEC_FINISHED (2) /* OpenPGP Execution finished */
-#define EV_TX_FINISHED   (4) /* CCID Tx finished  */
-#define EV_CARD_CHANGE   (8)
+#define EV_RX_DATA_READY   1 /* USB Rx data available  */
+#define EV_EXEC_FINISHED   2 /* OpenPGP Execution finished */
+#define EV_TX_FINISHED     4 /* CCID Tx finished  */
+#define EV_CARD_CHANGE     8
+#define EV_USB_RESET      16
 
 /* OpenPGPcard thread */
-#define EV_PINPAD_INPUT_DONE    (1)
-#define EV_EXIT                 (2)
-#define EV_CMD_AVAILABLE        (4)
-#define EV_VERIFY_CMD_AVAILABLE (8)
-#define EV_MODIFY_CMD_AVAILABLE (16)
+#define EV_PINPAD_INPUT_DONE      1
+#define EV_EXIT                   2
+#define EV_CMD_AVAILABLE          4
+#define EV_VERIFY_CMD_AVAILABLE   8
+#define EV_MODIFY_CMD_AVAILABLE  16
 
 /* Maximum cmd apdu data is key import 24+4+256+256 (proc_key_import) */
 #define MAX_CMD_APDU_DATA_SIZE (24+4+256+256) /* without header */
@@ -416,12 +418,14 @@ void flash_do_write_internal (const uint8_t *p, int nr,
 
 extern const uint8_t gnuk_string_serial[];
 
-#define LED_ONESHOT		(1)
-#define LED_TWOSHOTS		(2)
-#define LED_SHOW_STATUS		(4)
-#define LED_START_COMMAND	(8)
-#define LED_FINISH_COMMAND	(16)
-#define LED_FATAL		(32)
+#define LED_ONESHOT		  1
+#define LED_TWOSHOTS		  2
+#define LED_SHOW_STATUS		  4
+#define LED_START_COMMAND	  8
+#define LED_FINISH_COMMAND	 16
+#define LED_FATAL		 32
+#define LED_USB_RESET		 64
+#define LED_GNUK_EXEC		128
 void led_blink (int spec);
 
 #if defined(PINPAD_SUPPORT)

src/gnuk.ld.in

@@ -1,12 +1,12 @@
 /*
  * ST32F103 memory setup.
  */
-__main_stack_size__      = 0x0100;      /* Exception handlers     */
+__main_stack_size__      = 0x0080;      /* Exception handlers     */
 __process0_stack_size__  = 0x0100;      /* main */
-__process1_stack_size__  = 0x0140;      /* ccid */
-__process2_stack_size__  = 0x0180;      /* rng */
-__process3_stack_size__  = 0x1600;      /* gpg */
-__process4_stack_size__  = 0x0100;      /* intr: usb */
+__process1_stack_size__  = 0x0120;      /* ccid */
+__process2_stack_size__  = 0x01a0;      /* rng */
+__process3_stack_size__  = 0x1640;      /* gpg */
+__process4_stack_size__  = 0x0120;      /* intr: usb */
 __process5_stack_size__  = @MSC_SIZE@;  /* msc */
 __process6_stack_size__  = @TIM_SIZE@;  /* intr: timer */
 __process7_stack_size__  = @EXT_SIZE@;  /* intr: ext */

src/main.c

@@ -71,7 +71,7 @@ _write (const char *s, int len)
       packet_len =
 	(len < VIRTUAL_COM_PORT_DATA_SIZE) ? len : VIRTUAL_COM_PORT_DATA_SIZE;
 
-      chopstx_mutex_lock (&stdout.m_dev);     
+      chopstx_mutex_lock (&stdout.m_dev);
       usb_lld_write (ENDP3, s, packet_len);
       chopstx_cond_wait (&stdout.cond_dev, &stdout.m_dev);
       chopstx_mutex_unlock (&stdout.m_dev);
@@ -210,13 +210,8 @@ static eventmask_t emit_led (int on_time, int off_time)
 
 static eventmask_t display_status_code (void)
 {
-  enum icc_state icc_state;
   eventmask_t m;
-
-  if (icc_state_p == NULL)
-    icc_state = ICC_STATE_START;
-  else
-    icc_state = *icc_state_p;
+  enum icc_state icc_state = *icc_state_p;
 
   if (icc_state == ICC_STATE_START)
     return emit_led (LED_TIMEOUT_ONE, LED_TIMEOUT_STOP);
@@ -290,7 +285,7 @@ const size_t __stacksize_usb = (size_t)&__process4_stack_size__;
 
 #define PRIO_CCID 3
 #define PRIO_USB  4
-#define PRIO_MAIN 5 
+#define PRIO_MAIN 5
 
 extern void *usb_intr (void *arg);
 
@@ -331,8 +326,8 @@ main (int argc, char *argv[])
   stdout_init ();
 #endif
 
-  ccid_thd = chopstx_create (PRIO_CCID, __stackaddr_ccid,
-			     __stacksize_ccid, USBthread, NULL);
+  ccid_thd = chopstx_create (PRIO_CCID, __stackaddr_ccid, __stacksize_ccid,
+			     USBthread, NULL);
 
 #ifdef PINPAD_CIR_SUPPORT
   cir_init ();
@@ -358,9 +353,6 @@ main (int argc, char *argv[])
     {
       eventmask_t m;
 
-      if (icc_state_p != NULL && *icc_state_p == ICC_STATE_EXEC_REQUESTED)
-	break;
-
       m = eventflag_wait_timeout (&led_event, MAIN_TIMEOUT_INTERVAL);
     got_it:
       count++;
@@ -391,6 +383,11 @@ main (int argc, char *argv[])
 	case LED_FATAL:
 	  display_fatal_code ();
 	  break;
+	case LED_USB_RESET:
+	  ccid_usb_reset ();
+	  break;
+	case LED_GNUK_EXEC:
+	  goto exec;
 	default:
 	  if ((m = emit_led (LED_TIMEOUT_ZERO, LED_TIMEOUT_STOP)))
 	    goto got_it;
@@ -408,6 +405,7 @@ main (int argc, char *argv[])
 #endif
     }
 
+ exec:
   random_fini ();
 
   set_led (1);

src/mod.c

@@ -27,7 +27,7 @@
 
 /**
  * @brief X = A mod B (using MU=(1<<(256)+MU_lower)) (Barret reduction)
- * 
+ *
  */
 void
 mod_reduce (bn256 *X, const bn512 *A, const bn256 *B, const bn256 *MU_lower)
@@ -145,7 +145,7 @@ mod_reduce (bn256 *X, const bn512 *A, const bn256 *B, const bn256 *MU_lower)
 
 /**
  * @brief C = X^(-1) mod N
- * 
+ *
  * Assume X and N are co-prime (or N is prime).
  * NOTE: If X==0, it return 0.
  *

src/modp256k1.c

@@ -181,12 +181,12 @@ modp256k1_reduce (bn256 *X, const bn512 *A)
    */
   S->word[7] = S->word[6] = S->word[5] = S->word[4] = S->word[3] = 0;
 
-  /* (S02, S01, S00) = (S1, S0) + (S1, S0)*2^32 */ 
+  /* (S02, S01, S00) = (S1, S0) + (S1, S0)*2^32 */
   s00 = s0;
   s01 = s0 + s1;
   s02 = s1 + ((s01 < s0)? 1 : 0);
 
-  /* (S02, S01, S00) += (S1, S0)*2^9 */ 
+  /* (S02, S01, S00) += (S1, S0)*2^9 */
   carry = (s0 >> 23) + s01;
   s02 += (s1 >> 23) + ((carry < s01)? 1 : 0);
   s01 = (s1 << 9) + carry;
@@ -196,7 +196,7 @@ modp256k1_reduce (bn256 *X, const bn512 *A)
   s01 += carry;
   s02 += ((s01 < carry)? 1 : 0);
 
-  /* (S02, S01, S00) += (S1, S0)*2^8 */ 
+  /* (S02, S01, S00) += (S1, S0)*2^8 */
   carry = (s0 >> 24) + s01;
   s02 += (s1 >> 24) + ((carry < s01)? 1 : 0);
   s01 = (s1 << 8) + carry;
@@ -206,7 +206,7 @@ modp256k1_reduce (bn256 *X, const bn512 *A)
   s01 += carry;
   s02 += ((s01 < carry)? 1 : 0);
 
-  /* (S02, S01, S00) += (S1, S0)*2^7 */ 
+  /* (S02, S01, S00) += (S1, S0)*2^7 */
   carry = (s0 >> 25) + s01;
   s02 += (s1 >> 25) + ((carry < s01)? 1 : 0);
   s01 = (s1 << 7) + carry;
@@ -216,7 +216,7 @@ modp256k1_reduce (bn256 *X, const bn512 *A)
   s01 += carry;
   s02 += ((s01 < carry)? 1 : 0);
 
-  /* (S02, S01, S00) += (S1, S0)*2^6 */ 
+  /* (S02, S01, S00) += (S1, S0)*2^6 */
   carry = (s0 >> 26) + s01;
   s02 += (s1 >> 26) + ((carry < s01)? 1 : 0);
   s01 = (s1 << 6) + carry;
@@ -226,7 +226,7 @@ modp256k1_reduce (bn256 *X, const bn512 *A)
   s01 += carry;
   s02 += ((s01 < carry)? 1 : 0);
 
-  /* (S02, S01, S00) += (S1, S0)*2^4 */ 
+  /* (S02, S01, S00) += (S1, S0)*2^4 */
   carry = (s0 >> 28) + s01;
   s02 += (s1 >> 28) + ((carry < s01)? 1 : 0);
   s01 = (s1 << 4) + carry;

src/openpgp-do.c

@@ -201,7 +201,7 @@ gpg_get_pw1_lifetime (void)
 /*
  * Representation of algorithm attributes:
  *    0: ALGO_ATTR_<>_P == NULL : RSA-2048
- *    N: ALGO_ATTR_<>_P != NULL : 
+ *    N: ALGO_ATTR_<>_P != NULL :
  *
  */
 static const uint8_t *algo_attr_sig_p;
@@ -631,16 +631,19 @@ do_openpgpcard_aid (uint16_t tag, int with_tag)
 
   if (vid == 0xffff || vid == 0x0000)
     {
-      const uint8_t *u = unique_device_id ();
+      const uint8_t *u = unique_device_id () + 8;
 
       memcpy (res_p, openpgpcard_aid, 8);
       res_p += 8;
 
-      /* vid == 0xfffe: serial number is random byte */
+      /* vid == 0xfffe: serial number is four random bytes */
       *res_p++ = 0xff;
       *res_p++ = 0xfe;
-      memcpy (res_p, u, 4);
-      res_p += 4;
+
+      *res_p++ = u[3];
+      *res_p++ = u[2];
+      *res_p++ = u[1];
+      *res_p++ = u[0];
     }
   else
     {
@@ -755,7 +758,7 @@ rw_algorithm_attr (uint16_t tag, int with_tag,
 	algo = ALGO_CURVE25519;
 
       if (algo < 0)
-	return 0;		/* Error */
+	return 0;		/* Error.  */
       else if (algo == ALGO_RSA2K && *algo_attr_pp != NULL)
 	{
 	  gpg_do_delete_prvkey (kk, CLEAN_PAGE_FULL);
@@ -763,7 +766,8 @@ rw_algorithm_attr (uint16_t tag, int with_tag,
 	  if (*algo_attr_pp != NULL)
 	    return 0;
 	}
-      else if (*algo_attr_pp == NULL || (*algo_attr_pp)[1] != algo)
+      else if ((algo != ALGO_RSA2K && *algo_attr_pp == NULL)
+	       || (*algo_attr_pp)[1] != algo)
 	{
 	  gpg_do_delete_prvkey (kk, CLEAN_PAGE_FULL);
 	  *algo_attr_pp = flash_enum_write (kk_to_nr (kk), algo);
@@ -1385,7 +1389,7 @@ proc_key_import (const uint8_t *data, int len)
       uint8_t hash[64];
 
       if (len - 12 != 32)
-	return 1;		/* Error.  */
+	return 0;		/* Error.  */
 
       sha512 (&data[12], 32, hash);
       hash[0] &= 248;
@@ -1399,7 +1403,7 @@ proc_key_import (const uint8_t *data, int len)
       int i;
 
       if (len - 12 != 32)
-	return 1;		/* Error.  */
+	return 0;		/* Error.  */
 
       for (i = 0; i < 32; i++)
 	priv[31-i] = data[12+i];
@@ -2094,10 +2098,10 @@ gpg_do_keygen (uint8_t kk_byte)
       for (i = 0; i < 32; i++)
 	d[32 - i - 1] = p[i];
 
-      random_bytes_free (rnd);      
+      random_bytes_free (rnd);
 
       prv = d;
-      pubkey = NULL; 
+      pubkey = NULL;
     }
   else if (attr == ALGO_ED25519)
     {
@@ -2108,7 +2112,7 @@ gpg_do_keygen (uint8_t kk_byte)
       d[31] &= 127;
       d[31] |= 64;
       prv = d;
-      pubkey = NULL; 
+      pubkey = NULL;
     }
   else if (attr == ALGO_CURVE25519)
     {
@@ -2119,7 +2123,7 @@ gpg_do_keygen (uint8_t kk_byte)
       d[31] &= 127;
       d[31] |= 64;
       prv = d;
-      pubkey = NULL; 
+      pubkey = NULL;
     }
   else
     {

src/openpgp.c

@@ -817,6 +817,7 @@ cmd_pso (void)
   int attr;
   int pubkey_len;
   unsigned int result_len = 0;
+  int cs;
 
   DEBUG_INFO (" - PSO: ");
   DEBUG_WORD ((uint32_t)&r);
@@ -867,6 +868,7 @@ cmd_pso (void)
 	      return;
 	    }
 
+	  cs = chopstx_setcancelstate (0);
 	  result_len = ECDSA_SIGNATURE_LENGTH;
 	  if (attr == ALGO_NISTP256R1)
 	    r = ecdsa_sign_p256r1 (apdu.cmd_apdu_data, res_APDU,
@@ -874,6 +876,7 @@ cmd_pso (void)
 	  else			/* ALGO_SECP256K1 */
 	    r = ecdsa_sign_p256k1 (apdu.cmd_apdu_data, res_APDU,
 				   kd[GPG_KEY_FOR_SIGNING].data);
+	  chopstx_setcancelstate (cs);
 	}
       else if (attr == ALGO_ED25519)
 	{
@@ -886,11 +889,13 @@ cmd_pso (void)
 	      return;
 	    }
 
+	  cs = chopstx_setcancelstate (0);
 	  result_len = EDDSA_SIGNATURE_LENGTH;
 	  r = eddsa_sign_25519 (apdu.cmd_apdu_data, len, output,
 				kd[GPG_KEY_FOR_SIGNING].data,
 				kd[GPG_KEY_FOR_SIGNING].data+32,
 				kd[GPG_KEY_FOR_SIGNING].pubkey);
+	  chopstx_setcancelstate (cs);
 	  memcpy (res_APDU, output, EDDSA_SIGNATURE_LENGTH);
 	}
       else
@@ -947,6 +952,7 @@ cmd_pso (void)
 	      return;
 	    }
 
+	  cs = chopstx_setcancelstate (0);
 	  result_len = 65;
 	  if (attr == ALGO_NISTP256R1)
 	    r = ecdh_decrypt_p256r1 (apdu.cmd_apdu_data + header, res_APDU,
@@ -954,6 +960,7 @@ cmd_pso (void)
 	  else
 	    r = ecdh_decrypt_p256k1 (apdu.cmd_apdu_data + header, res_APDU,
 				     kd[GPG_KEY_FOR_DECRYPTION].data);
+	  chopstx_setcancelstate (cs);
 	}
       else if (attr == ALGO_CURVE25519)
 	{
@@ -965,9 +972,11 @@ cmd_pso (void)
 	      return;
 	    }
 
+	  cs = chopstx_setcancelstate (0);
 	  result_len = 32;
 	  r = ecdh_decrypt_curve25519 (apdu.cmd_apdu_data + header, res_APDU,
 				       kd[GPG_KEY_FOR_DECRYPTION].data);
+	  chopstx_setcancelstate (cs);
 	}
       else
 	{
@@ -1003,6 +1012,7 @@ cmd_internal_authenticate (void)
   int len = apdu.cmd_apdu_data_len;
   int r = -1;
   unsigned int result_len = 0;
+  int cs;
 
   DEBUG_INFO (" - INTERNAL AUTHENTICATE\r\n");
 
@@ -1036,7 +1046,7 @@ cmd_internal_authenticate (void)
       result_len = pubkey_len;
       r = rsa_sign (apdu.cmd_apdu_data, res_APDU, len,
 		    &kd[GPG_KEY_FOR_AUTHENTICATION], pubkey_len);
-    }	  
+    }
   else if (attr == ALGO_NISTP256R1)
     {
       if (len != ECDSA_HASH_LEN)
@@ -1046,9 +1056,11 @@ cmd_internal_authenticate (void)
 	  return;
 	}
 
+      cs = chopstx_setcancelstate (0);
       result_len = ECDSA_SIGNATURE_LENGTH;
       r = ecdsa_sign_p256r1 (apdu.cmd_apdu_data, res_APDU,
 			     kd[GPG_KEY_FOR_AUTHENTICATION].data);
+      chopstx_setcancelstate (cs);
     }
   else if (attr == ALGO_SECP256K1)
     {
@@ -1059,9 +1071,11 @@ cmd_internal_authenticate (void)
 	  return;
 	}
 
+      cs = chopstx_setcancelstate (0);
       result_len = ECDSA_SIGNATURE_LENGTH;
       r = ecdsa_sign_p256k1 (apdu.cmd_apdu_data, res_APDU,
 			     kd[GPG_KEY_FOR_AUTHENTICATION].data);
+      chopstx_setcancelstate (cs);
     }
   else if (attr == ALGO_ED25519)
     {
@@ -1074,11 +1088,13 @@ cmd_internal_authenticate (void)
 	  return;
 	}
 
+      cs = chopstx_setcancelstate (0);
       result_len = EDDSA_SIGNATURE_LENGTH;
       r = eddsa_sign_25519 (apdu.cmd_apdu_data, len, output,
 			    kd[GPG_KEY_FOR_AUTHENTICATION].data,
 			    kd[GPG_KEY_FOR_AUTHENTICATION].data+32,
 			    kd[GPG_KEY_FOR_AUTHENTICATION].pubkey);
+      chopstx_setcancelstate (cs);
       memcpy (res_APDU, output, EDDSA_SIGNATURE_LENGTH);
     }
 
@@ -1322,7 +1338,11 @@ process_command_apdu (void)
       break;
 
   if (i < NUM_CMDS)
-    cmds[i].cmd_handler ();
+    {
+      chopstx_setcancelstate (1);
+      cmds[i].cmd_handler ();
+      chopstx_setcancelstate (0);
+    }
   else
     {
       DEBUG_INFO (" - ??");
@@ -1355,10 +1375,10 @@ card_thread (chopstx_t thd, struct eventflag *ccid_comm)
 
   while (1)
     {
-      eventmask_t m = eventflag_wait (openpgp_comm);
 #if defined(PINPAD_SUPPORT)
       int len, pw_len, newpw_len;
 #endif
+      eventmask_t m = eventflag_wait (openpgp_comm);
 
       DEBUG_INFO ("GPG!: ");
 

src/pin-cir.c

@@ -1044,7 +1044,7 @@ cir_init (void)
   TIMx->PSC = 72 - 1;		/* 1 MHz */
   TIMx->ARR = 18000;		/* 18 ms */
   /* Generate UEV to upload PSC and ARR */
-  TIMx->EGR = TIM_EGR_UG;	
+  TIMx->EGR = TIM_EGR_UG;
 
   chopstx_create (PRIO_TIM, __stackaddr_tim, __stacksize_tim, tim_main, NULL);
   chopstx_create (PRIO_EXT, __stackaddr_ext, __stacksize_ext, ext_main, NULL);

src/sha512.c

@@ -1,7 +1,7 @@
 /*
  * sha512.c -- Compute SHA-512 hash (for little endian architecture).
  *
- * This module is written by gniibe, following the API of sha256.c. 
+ * This module is written by gniibe, following the API of sha256.c.
  *
  * Copyright (C) 2014 Free Software Initiative of Japan
  * Author: NIIBE Yutaka <gniibe@fsij.org>

src/sys.h

@@ -9,6 +9,7 @@
 #define BOARD_ID_STM8S_DISCOVERY   0x2f0976bb
 #define BOARD_ID_ST_DONGLE         0x2cd4e471
 #define BOARD_ID_ST_NUCLEO_F103    0x9b87c16d
+#define BOARD_ID_NITROKEY_START    0xad1e7ebd
 
 extern const uint8_t sys_version[8];
 extern const uint32_t sys_board_id;

src/usb-icc.c

@@ -1,7 +1,7 @@
 /*
  * usb-icc.c -- USB CCID protocol handling
  *
- * Copyright (C) 2010, 2011, 2012, 2013, 2014
+ * Copyright (C) 2010, 2011, 2012, 2013, 2014, 2015
  *               Free Software Initiative of Japan
  * Author: NIIBE Yutaka <gniibe@fsij.org>
  *
@@ -179,8 +179,6 @@ struct icc_header {
 } __attribute__((packed));
 
 
-enum icc_state *icc_state_p;
-
 /* Data structure handled by CCID layer */
 struct ccid {
   enum icc_state icc_state;
@@ -256,10 +254,7 @@ static void ccid_init (struct ccid *c, struct ep_in *epi, struct ep_out *epo,
 
   c->icc_state = ICC_STATE_NOCARD;
   c->state = APDU_STATE_WAIT_COMMAND;
-  /*
-   * Note: a is not yet initialized yet, we can't use c->a->cmd_apdu_data here.
-   */
-  c->p = &icc_buffer[5];
+  c->p = a->cmd_apdu_data;
   c->len = MAX_CMD_APDU_DATA_SIZE;
   c->err = 0;
   memset (&c->icc_header, 0, sizeof (struct icc_header));
@@ -748,7 +743,7 @@ const size_t __stacksize_gpg = (size_t)&__process3_stack_size__;
 
 
 /* Send back ATR (Answer To Reset) */
-enum icc_state
+static enum icc_state
 icc_power_on (struct ccid *c)
 {
   size_t size_atr = sizeof (ATR);
@@ -814,7 +809,7 @@ icc_send_status (struct ccid *c)
 #endif
 }
 
-enum icc_state
+static enum icc_state
 icc_power_off (struct ccid *c)
 {
   if (c->application)
@@ -1300,6 +1295,7 @@ icc_handle_timeout (struct ccid *c)
 }
 
 static struct ccid ccid;
+enum icc_state *icc_state_p = &ccid.icc_state;
 
 /*
  * Another Tx done callback
@@ -1310,6 +1306,25 @@ EP2_IN_Callback (void)
 }
 
 
+void
+ccid_card_change_signal (int how)
+{
+  struct ccid *c = &ccid;
+
+  if (how == CARD_CHANGE_TOGGLE
+      || (c->icc_state == ICC_STATE_NOCARD && how == CARD_CHANGE_INSERT)
+      || (c->icc_state != ICC_STATE_NOCARD && how == CARD_CHANGE_REMOVE))
+    eventflag_signal (&c->ccid_comm, EV_CARD_CHANGE);
+}
+
+void
+ccid_usb_reset (void)
+{
+  struct ccid *c = &ccid;
+  eventflag_signal (&c->ccid_comm, EV_USB_RESET);
+}
+
+
 #define USB_ICC_TIMEOUT (1950*1000)
 
 #define GPG_THREAD_TERMINATED 0xffff
@@ -1326,18 +1341,6 @@ USBthread (void *arg)
   return ccid_thread (thd);
 }
 
-void
-ccid_card_change_signal (int how)
-{
-  struct ccid *c = &ccid;
-
-  if (how == CARD_CHANGE_TOGGLE
-      || (c->icc_state == ICC_STATE_NOCARD && how == CARD_CHANGE_INSERT)
-      || (c->icc_state != ICC_STATE_NOCARD && how == CARD_CHANGE_REMOVE))
-    eventflag_signal (&c->ccid_comm, EV_CARD_CHANGE);
-}
-
-
 #define NOTIFY_SLOT_CHANGE 0x50
 
 static void * __attribute__ ((noinline))
@@ -1347,14 +1350,12 @@ ccid_thread (chopstx_t thd)
   struct ep_out *epo = &endpoint_out;
   struct ccid *c = &ccid;
   struct apdu *a = &apdu;
-  uint8_t int_msg[2];
-
-  int_msg[0] = NOTIFY_SLOT_CHANGE;
 
+ reset:
   epi_init (epi, ENDP1, notify_tx, c);
   epo_init (epo, ENDP1, notify_icc, c);
-  ccid_init (c, epi, epo, a, thd);
   apdu_init (a);
+  ccid_init (c, epi, epo, a, thd);
 
   icc_prepare_receive (c);
   while (1)
@@ -1363,8 +1364,21 @@ ccid_thread (chopstx_t thd)
 
       m = eventflag_wait_timeout (&c->ccid_comm, USB_ICC_TIMEOUT);
 
-      if (m == EV_CARD_CHANGE)
+      if (m == EV_USB_RESET)
 	{
+	  if (c->application)
+	    {
+	      chopstx_cancel (c->application);
+	      chopstx_join (c->application, NULL);
+	      c->application = 0;
+	    }
+	  goto reset;
+	}
+      else if (m == EV_CARD_CHANGE)
+	{
+	  uint8_t int_msg[2];
+
+	  int_msg[0] = NOTIFY_SLOT_CHANGE;
 	  if (c->icc_state == ICC_STATE_NOCARD)
 	    { /* Inserted!  */
 	      c->icc_state = ICC_STATE_START;

src/usb-msc.c

@@ -319,7 +319,7 @@ msc_handle_command (void)
       /* Error occured, ignore the request and go into error state */
       msc_state = MSC_ERROR;
       usb_lld_stall_rx (ENDP6);
-      goto done; 
+      goto done;
     }
 
   n = ep6_out.rxcnt;

src/usb_ctrl.c

@@ -1,7 +1,8 @@
 /*
  * usb_ctrl.c - USB control pipe device specific code for Gnuk
  *
- * Copyright (C) 2010, 2011, 2012, 2013 Free Software Initiative of Japan
+ * Copyright (C) 2010, 2011, 2012, 2013, 2015
+ *               Free Software Initiative of Japan
  * Author: NIIBE Yutaka <gniibe@fsij.org>
  *
  * This file is a part of Gnuk, a GnuPG USB Token implementation.
@@ -57,6 +58,8 @@ static struct line_coding line_coding = {
   0x08    /* bits:      8         */
 };
 
+#define CDC_CTRL_DTR            0x0001
+
 static int
 vcom_port_data_setup (uint8_t req, uint8_t req_no, struct control_info *detail)
 {
@@ -76,7 +79,7 @@ vcom_port_data_setup (uint8_t req, uint8_t req_no, struct control_info *detail)
 	{
 	  uint8_t connected_saved = stdout.connected;
 
-	  if (detail->value != 0)
+	  if ((detail->value & CDC_CTRL_DTR) != 0)
 	    {
 	      if (stdout.connected == 0)
 		/* It's Open call */
@@ -208,10 +211,12 @@ usb_cb_device_reset (void)
   usb_lld_setup_endpoint (ENDP0, EP_CONTROL, 0, ENDP0_RXADDR, ENDP0_TXADDR,
 			  GNUK_MAX_PACKET_SIZE);
 
+  /* Stop the interface */
   for (i = 0; i < NUM_INTERFACES; i++)
-    gnuk_setup_endpoints_for_interface (i, 0);
+    gnuk_setup_endpoints_for_interface (i, 1);
 
   bDeviceState = ATTACHED;
+  led_blink (LED_USB_RESET);	/* Notify the main.  */
 }
 
 #define USB_CCID_REQ_ABORT			0x01
@@ -276,7 +281,7 @@ usb_cb_setup (uint8_t req, uint8_t req_no, struct control_info *detail)
 
 	  if (req_no == USB_FSIJ_GNUK_DOWNLOAD)
 	    {
-	      if (icc_state_p == NULL || *icc_state_p != ICC_STATE_EXITED)
+	      if (*icc_state_p != ICC_STATE_EXITED)
 		return USB_UNSUPPORT;
 
 	      if (addr < &_regnual_start || addr + detail->len > __heap_end__)
@@ -290,7 +295,7 @@ usb_cb_setup (uint8_t req, uint8_t req_no, struct control_info *detail)
 	    }
 	  else if (req_no == USB_FSIJ_GNUK_EXEC && detail->len == 0)
 	    {
-	      if (icc_state_p == NULL || *icc_state_p != ICC_STATE_EXITED)
+	      if (*icc_state_p != ICC_STATE_EXITED)
 		return USB_UNSUPPORT;
 
 	      if (((uint32_t)addr & 0x03))
@@ -394,12 +399,12 @@ usb_cb_ctrl_write_finish (uint8_t req, uint8_t req_no, uint16_t value)
     {
       if (USB_SETUP_SET (req) && req_no == USB_FSIJ_GNUK_EXEC)
 	{
-	  if (icc_state_p == NULL || *icc_state_p != ICC_STATE_EXITED)
+	  if (*icc_state_p != ICC_STATE_EXITED)
 	    return;
 
 	  (void)value; (void)index;
 	  usb_lld_prepare_shutdown (); /* No further USB communication */
-	  *icc_state_p = ICC_STATE_EXEC_REQUESTED;
+	  led_blink (LED_GNUK_EXEC);	/* Notify the main.  */
 	}
     }
 #ifdef HID_CARD_CHANGE_SUPPORT

src/usb_stm32f103.c

@@ -727,7 +727,7 @@ static int std_set_interface (uint8_t req, struct control_info *detail)
 
   if ((req & REQUEST_DIR) == 1 || rcp != INTERFACE_RECIPIENT
       || detail->len != 0 || (detail->index >> 8) != 0
-      || (detail->value >> 8) != 0 || dev_p->current_configuration != 0)
+      || (detail->value >> 8) != 0 || dev_p->current_configuration == 0)
     return USB_UNSUPPORT;
 
   return usb_cb_interface (USB_SET_INTERFACE, detail);

tool/upgrade_by_passwd.py

@@ -32,7 +32,7 @@ BY_ADMIN = 3
 
 KEYNO_FOR_AUTH=2 
 
-def main(keyno, passwd, data_regnual, data_upgrade):
+def main(wait_e, keyno, passwd, data_regnual, data_upgrade):
     l = len(data_regnual)
     if (l & 0x03) != 0:
         data_regnual = data_regnual.ljust(l + 4 - (l & 0x03), chr(0))
@@ -67,17 +67,18 @@ def main(keyno, passwd, data_regnual, data_upgrade):
     del gnuk
     gnuk = None
     #
-    print("Wait 3 seconds...")
-    time.sleep(3)
-    # Then, send upgrade program...
     reg = None
-    for dev in gnuk_devices_by_vidpid():
-        try:
-            reg = regnual(dev)
-            print("Device: %s" % dev.filename)
-            break
-        except:
-            pass
+    while reg == None:
+        print("Wait %d seconds..." % wait_e)
+        time.sleep(wait_e)
+        for dev in gnuk_devices_by_vidpid():
+            try:
+                reg = regnual(dev)
+                print("Device: %s" % dev.filename)
+                break
+            except:
+                pass
+    # Then, send upgrade program...
     mem_info = reg.mem_info()
     print("%08x:%08x" % mem_info)
     print("Downloading the program")
@@ -89,6 +90,9 @@ def main(keyno, passwd, data_regnual, data_upgrade):
 
 from getpass import getpass
 
+# This should be event driven, not guessing some period, or polling.
+DEFAULT_WAIT_FOR_REENUMERATION=1
+
 if __name__ == '__main__':
     if os.getcwd() != os.path.dirname(os.path.abspath(__file__)):
         print("Please change working directory to: %s" % os.path.dirname(os.path.abspath(__file__)))
@@ -96,11 +100,15 @@ if __name__ == '__main__':
 
     keyno = 0
     passwd = None
+    wait_e = DEFAULT_WAIT_FOR_REENUMERATION
     while len(sys.argv) > 3:
         option = sys.argv[1]
         sys.argv.pop(1)
         if option == '-f':      # F for Factory setting
             passwd = DEFAULT_PW3
+        elif option == '-e':    # E for Enumeration
+            wait_e = int(sys.argv[1])
+            sys.argv.pop(1)
         elif option == '-k':    # K for Key number
             keyno = int(sys.argv[1])
             sys.argv.pop(1)
@@ -119,4 +127,4 @@ if __name__ == '__main__':
     f.close()
     print("%s: %d" % (filename_upgrade, len(data_upgrade)))
     # First 4096-byte in data_upgrade is SYS, so, skip it.
-    main(keyno, passwd, data_regnual, data_upgrade[4096:])
+    main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])