From 6f62ba150d6bd137eb88aad020165c9d50793b40 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 3 Oct 2023 18:15:23 +0200
Subject: [PATCH] Fix CVE-2023-40660

Resolves: RHEL-17085
---
 opensc-0.23.0-pin-bypass.patch | 107 +++++++++++++++++++++++++++++++++
 opensc.spec                    |   4 ++
 2 files changed, 111 insertions(+)
 create mode 100644 opensc-0.23.0-pin-bypass.patch

diff --git a/opensc-0.23.0-pin-bypass.patch b/opensc-0.23.0-pin-bypass.patch
new file mode 100644
index 0000000..de871d4
--- /dev/null
+++ b/opensc-0.23.0-pin-bypass.patch
@@ -0,0 +1,107 @@
+From 868f76fb31255fd3fdacfc3e476452efeb61c3e7 Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Wed, 21 Jun 2023 12:27:23 +0200
+Subject: [PATCH] Fixed PIN authentication bypass
+
+If two processes are accessing a token, then one process may leave the
+card usable with an authenticated PIN so that a key may sign/decrypt any
+data. This is especially the case if the token does not support a way of
+resetting the authentication status (logout).
+
+We have some tracking of the authentication status in software via
+PKCS#11, Minidriver (os-wise) and CryptoTokenKit, which is why a
+PIN-prompt will appear even though the card may technically be unlocked
+as described in the above example. However, before this change, an empty
+PIN was not verified (likely yielding an error during PIN-verification),
+but it was just checked whether the PIN is authenticated. This defeats
+the purpose of the PIN verification, because an empty PIN is not the
+correct one. Especially during OS Logon, we don't want that kind of
+shortcut, but we want the user to verify the correct PIN (even though
+the token was left unattended and authentication at the computer).
+
+This essentially reverts commit e6f7373ef066cfab6e3162e8b5f692683db23864.
+---
+ src/libopensc/pkcs15-pin.c | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-pin.c b/src/libopensc/pkcs15-pin.c
+index 80a185fecd..393234efe4 100644
+--- a/src/libopensc/pkcs15-pin.c
++++ b/src/libopensc/pkcs15-pin.c
+@@ -307,19 +307,6 @@ sc_pkcs15_verify_pin(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *pi
+ 		LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_PIN_REFERENCE);
+ 	auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data;
+ 
+-	/*
+-	 * if pin cache is disabled, we can get here with no PIN data.
+-	 * in this case, to avoid error or unnecessary pin prompting on pinpad,
+-	 * check if the PIN has been already verified and the access condition
+-	 * is still open on card.
+-	 */
+-	if (pinlen == 0) {
+-	    r = sc_pkcs15_get_pin_info(p15card, pin_obj);
+-
+-	    if (r == SC_SUCCESS && auth_info->logged_in == SC_PIN_STATE_LOGGED_IN)
+-		LOG_FUNC_RETURN(ctx, r);
+-	}
+-
+ 	r = _validate_pin(p15card, auth_info, pinlen);
+ 
+ 	if (r)
+
+From 80cc5d30635f0d2c92b5099c0f9dc680d0ffce2f Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 24 Oct 2023 11:13:08 +0200
+Subject: [PATCH] pkcs15init: Check login status before asking for a pin
+
+The original code block from e6f7373 is still needed when pkcs15init
+layer checks ACLs for PKCS#15 objects, but it should be kept out of
+the libopensc, which is used for more authentication code paths
+and can be used for PIN bypass.
+---
+ src/libopensc/pkcs15-pin.c  |  1 +
+ src/pkcs15init/pkcs15-lib.c | 16 ++++++++++++++++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/src/libopensc/pkcs15-pin.c b/src/libopensc/pkcs15-pin.c
+index 393234efe..b26e57236 100644
+--- a/src/libopensc/pkcs15-pin.c
++++ b/src/libopensc/pkcs15-pin.c
+@@ -307,6 +307,7 @@ sc_pkcs15_verify_pin(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *pi
+ 		LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_PIN_REFERENCE);
+ 	auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data;
+ 
++	/* Check the provided pin matches pin requirements */
+ 	r = _validate_pin(p15card, auth_info, pinlen);
+ 
+ 	if (r)
+diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c
+index 9148b83b5..cca11d1f1 100644
+--- a/src/pkcs15init/pkcs15-lib.c
++++ b/src/pkcs15init/pkcs15-lib.c
+@@ -3958,6 +3958,22 @@ sc_pkcs15init_verify_secret(struct sc_profile *profile, struct sc_pkcs15_card *p
+ 
+ found:
+ 	if (pin_obj)   {
++		/*
++		 * If pin cache is disabled or the reader is using pinpad, we can get here
++		 * with no PIN data. This is ok as we can not asynchronously invoke the prompt
++		 * (unless the pinpad is in use).
++		 * In this case, check if the PIN has been already verified and
++		 * the access condition is still open on card.
++		 */
++		if (pinsize == 0) {
++			r = sc_pkcs15_get_pin_info(p15card, pin_obj);
++			/* update local copy of auth info */
++			memcpy(&auth_info, pin_obj->data, sizeof(auth_info));
++
++			if (r == SC_SUCCESS && auth_info.logged_in == SC_PIN_STATE_LOGGED_IN)
++				LOG_FUNC_RETURN(ctx, r);
++		}
++
+ 		r = sc_pkcs15_verify_pin(p15card, pin_obj, use_pinpad || pinsize == 0 ? NULL : pinbuf, use_pinpad ? 0 : pinsize);
+ 		LOG_TEST_RET(ctx, r, "Cannot validate pkcs15 PIN");
+ 	}
+-- 
+2.43.0
+
diff --git a/opensc.spec b/opensc.spec
index f09039e..e8bf6d6 100644
--- a/opensc.spec
+++ b/opensc.spec
@@ -57,6 +57,9 @@ Patch19:        opensc-0.20.0-reader-removal.patch
 # https://github.com/OpenSC/OpenSC/commit/bff98ff078a99e6864ba1a598fd7dc9af4a9476b
 # https://github.com/OpenSC/OpenSC/commit/0875c69295ef28b45fb682b37cede58fc36b7a1a
 Patch20:        %{name}-0.23.0-cache-offsets.patch
+# https://github.com/OpenSC/OpenSC/commit/868f76fb31255fd3fdacfc3e476452efeb61c3e7
+# https://github.com/OpenSC/OpenSC/commit/80cc5d30635f0d2c92b5099c0f9dc680d0ffce2f
+Patch21:        %{name}-0.23.0-pin-bypass.patch
 
 BuildRequires:  pcsc-lite-devel
 BuildRequires:  readline-devel
@@ -99,6 +102,7 @@ every software/card that does so, too.
 %patch18 -p1 -b .CVE-2023-2977
 %patch19 -p1 -b .reader-removal
 %patch20 -p1 -b .cache-offsets
+%patch21 -p1 -b .pin-bypass
 
 cp -p src/pkcs15init/README ./README.pkcs15init
 cp -p src/scconf/README.scconf .