rpms/opensc
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2023-40660

Browse Source 
Resolves: RHEL-16447
This commit is contained in:
Jakub Jelen 2023-10-03 18:15:23 +02:00
parent 4fd2766b66
commit dfa1aa2c3d
2 changed files with 111 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

107
opensc-0.23.0-pin-bypass.patch Normal file
View File

@ -0,0 +1,107 @@
From 868f76fb31255fd3fdacfc3e476452efeb61c3e7 Mon Sep 17 00:00:00 2001
From: Frank Morgner <frankmorgner@gmail.com>
Date: Wed, 21 Jun 2023 12:27:23 +0200
Subject: [PATCH] Fixed PIN authentication bypass
If two processes are accessing a token, then one process may leave the
card usable with an authenticated PIN so that a key may sign/decrypt any
data. This is especially the case if the token does not support a way of
resetting the authentication status (logout).
We have some tracking of the authentication status in software via
PKCS#11, Minidriver (os-wise) and CryptoTokenKit, which is why a
PIN-prompt will appear even though the card may technically be unlocked
as described in the above example. However, before this change, an empty
PIN was not verified (likely yielding an error during PIN-verification),
but it was just checked whether the PIN is authenticated. This defeats
the purpose of the PIN verification, because an empty PIN is not the
correct one. Especially during OS Logon, we don't want that kind of
shortcut, but we want the user to verify the correct PIN (even though
the token was left unattended and authentication at the computer).
This essentially reverts commit e6f7373ef066cfab6e3162e8b5f692683db23864.
---
src/libopensc/pkcs15-pin.c | 13 -------------
1 file changed, 13 deletions(-)
diff --git a/src/libopensc/pkcs15-pin.c b/src/libopensc/pkcs15-pin.c
index 80a185fecd..393234efe4 100644
--- a/src/libopensc/pkcs15-pin.c
+++ b/src/libopensc/pkcs15-pin.c
@@ -307,19 +307,6 @@ sc_pkcs15_verify_pin(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *pi
LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_PIN_REFERENCE);
auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data;
- /*
- * if pin cache is disabled, we can get here with no PIN data.
- * in this case, to avoid error or unnecessary pin prompting on pinpad,
- * check if the PIN has been already verified and the access condition
- * is still open on card.
- */
- if (pinlen == 0) {
- r = sc_pkcs15_get_pin_info(p15card, pin_obj);
-
- if (r == SC_SUCCESS && auth_info->logged_in == SC_PIN_STATE_LOGGED_IN)
- LOG_FUNC_RETURN(ctx, r);
- }
-
r = _validate_pin(p15card, auth_info, pinlen);
if (r)
From 80cc5d30635f0d2c92b5099c0f9dc680d0ffce2f Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 24 Oct 2023 11:13:08 +0200
Subject: [PATCH] pkcs15init: Check login status before asking for a pin
The original code block from e6f7373 is still needed when pkcs15init
layer checks ACLs for PKCS#15 objects, but it should be kept out of
the libopensc, which is used for more authentication code paths
and can be used for PIN bypass.
---
src/libopensc/pkcs15-pin.c | 1 +
src/pkcs15init/pkcs15-lib.c | 16 ++++++++++++++++
2 files changed, 17 insertions(+)
diff --git a/src/libopensc/pkcs15-pin.c b/src/libopensc/pkcs15-pin.c
index 393234efe..b26e57236 100644
--- a/src/libopensc/pkcs15-pin.c
+++ b/src/libopensc/pkcs15-pin.c
@@ -307,6 +307,7 @@ sc_pkcs15_verify_pin(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *pi
LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_PIN_REFERENCE);
auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data;
+ /* Check the provided pin matches pin requirements */
r = _validate_pin(p15card, auth_info, pinlen);
if (r)
diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c
index 9148b83b5..cca11d1f1 100644
--- a/src/pkcs15init/pkcs15-lib.c
+++ b/src/pkcs15init/pkcs15-lib.c
@@ -3958,6 +3958,22 @@ sc_pkcs15init_verify_secret(struct sc_profile *profile, struct sc_pkcs15_card *p
found:
if (pin_obj) {
+ /*
+ * If pin cache is disabled or the reader is using pinpad, we can get here
+ * with no PIN data. This is ok as we can not asynchronously invoke the prompt
+ * (unless the pinpad is in use).
+ * In this case, check if the PIN has been already verified and
+ * the access condition is still open on card.
+ */
+ if (pinsize == 0) {
+ r = sc_pkcs15_get_pin_info(p15card, pin_obj);
+ /* update local copy of auth info */
+ memcpy(&auth_info, pin_obj->data, sizeof(auth_info));
+
+ if (r == SC_SUCCESS && auth_info.logged_in == SC_PIN_STATE_LOGGED_IN)
+ LOG_FUNC_RETURN(ctx, r);
+ }
+
r = sc_pkcs15_verify_pin(p15card, pin_obj, use_pinpad || pinsize == 0 ? NULL : pinbuf, use_pinpad ? 0 : pinsize);
LOG_TEST_RET(ctx, r, "Cannot validate pkcs15 PIN");
}
--
2.43.0

4
opensc.spec
View File

@ -26,6 +26,9 @@ Patch12: %{name}-0.23.0-cardos-pkcs15init.patch
# https://github.com/OpenSC/OpenSC/commit/bff98ff078a99e6864ba1a598fd7dc9af4a9476b # https://github.com/OpenSC/OpenSC/commit/bff98ff078a99e6864ba1a598fd7dc9af4a9476b
# https://github.com/OpenSC/OpenSC/commit/0875c69295ef28b45fb682b37cede58fc36b7a1a # https://github.com/OpenSC/OpenSC/commit/0875c69295ef28b45fb682b37cede58fc36b7a1a
Patch13: %{name}-0.23.0-cache-offsets.patch Patch13: %{name}-0.23.0-cache-offsets.patch
# https://github.com/OpenSC/OpenSC/commit/868f76fb31255fd3fdacfc3e476452efeb61c3e7
# https://github.com/OpenSC/OpenSC/commit/80cc5d30635f0d2c92b5099c0f9dc680d0ffce2f
Patch14: %{name}-0.23.0-pin-bypass.patch
BuildRequires: make BuildRequires: make
BuildRequires: pcsc-lite-devel BuildRequires: pcsc-lite-devel
@ -70,6 +73,7 @@ every software/card that does so, too.
%patch11 -p1 -b .openpgp %patch11 -p1 -b .openpgp
%patch12 -p1 -b .cardos-pkcs15init %patch12 -p1 -b .cardos-pkcs15init
%patch13 -p1 -b .cache-offsets %patch13 -p1 -b .cache-offsets
%patch14 -p1 -b .pin-bypass
cp -p src/pkcs15init/README ./README.pkcs15init cp -p src/pkcs15init/README ./README.pkcs15init
cp -p src/scconf/README.scconf . cp -p src/scconf/README.scconf .