Fix CVE-2023-40660

Resolves: RHEL-16447
2023-10-03 18:15:23 +02:00 · 2023-10-03 18:15:23 +02:00 · dfa1aa2c3d
commit dfa1aa2c3d
parent 4fd2766b66
2 changed files with 111 additions and 0 deletions
--- a/opensc-0.23.0-pin-bypass.patch
+++ b/opensc-0.23.0-pin-bypass.patch
@ -0,0 +1,107 @@
+From 868f76fb31255fd3fdacfc3e476452efeb61c3e7 Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Wed, 21 Jun 2023 12:27:23 +0200
+Subject: [PATCH] Fixed PIN authentication bypass
+
+If two processes are accessing a token, then one process may leave the
+card usable with an authenticated PIN so that a key may sign/decrypt any
+data. This is especially the case if the token does not support a way of
+resetting the authentication status (logout).
+
+We have some tracking of the authentication status in software via
+PKCS#11, Minidriver (os-wise) and CryptoTokenKit, which is why a
+PIN-prompt will appear even though the card may technically be unlocked
+as described in the above example. However, before this change, an empty
+PIN was not verified (likely yielding an error during PIN-verification),
+but it was just checked whether the PIN is authenticated. This defeats
+the purpose of the PIN verification, because an empty PIN is not the
+correct one. Especially during OS Logon, we don't want that kind of
+shortcut, but we want the user to verify the correct PIN (even though
+the token was left unattended and authentication at the computer).
+
+This essentially reverts commit e6f7373ef066cfab6e3162e8b5f692683db23864.
+---
+ src/libopensc/pkcs15-pin.c | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-pin.c b/src/libopensc/pkcs15-pin.c
+index 80a185fecd..393234efe4 100644
+--- a/src/libopensc/pkcs15-pin.c
+++ b/src/libopensc/pkcs15-pin.c
+@@ -307,19 +307,6 @@ sc_pkcs15_verify_pin(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *pi
+ 		LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_PIN_REFERENCE);
+ 	auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data;
+ 
+-	/*
+-	 * if pin cache is disabled, we can get here with no PIN data.
+-	 * in this case, to avoid error or unnecessary pin prompting on pinpad,
+-	 * check if the PIN has been already verified and the access condition
+-	 * is still open on card.
+-	 */
+-	if (pinlen == 0) {
+-	    r = sc_pkcs15_get_pin_info(p15card, pin_obj);
+-
+-	    if (r == SC_SUCCESS && auth_info->logged_in == SC_PIN_STATE_LOGGED_IN)
+-		LOG_FUNC_RETURN(ctx, r);
+-	}
+-
+ 	r = _validate_pin(p15card, auth_info, pinlen);
+ 
+ 	if (r)
+
+From 80cc5d30635f0d2c92b5099c0f9dc680d0ffce2f Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 24 Oct 2023 11:13:08 +0200
+Subject: [PATCH] pkcs15init: Check login status before asking for a pin
+
+The original code block from e6f7373 is still needed when pkcs15init
+layer checks ACLs for PKCS#15 objects, but it should be kept out of
+the libopensc, which is used for more authentication code paths
+and can be used for PIN bypass.
+---
+ src/libopensc/pkcs15-pin.c  |  1 +
+ src/pkcs15init/pkcs15-lib.c | 16 ++++++++++++++++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/src/libopensc/pkcs15-pin.c b/src/libopensc/pkcs15-pin.c
+index 393234efe..b26e57236 100644
+--- a/src/libopensc/pkcs15-pin.c
+++ b/src/libopensc/pkcs15-pin.c
+@@ -307,6 +307,7 @@ sc_pkcs15_verify_pin(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *pi
+ 		LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_PIN_REFERENCE);
+ 	auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data;
+ 
+	/* Check the provided pin matches pin requirements */
+ 	r = _validate_pin(p15card, auth_info, pinlen);
+ 
+ 	if (r)
+diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c
+index 9148b83b5..cca11d1f1 100644
+--- a/src/pkcs15init/pkcs15-lib.c
+++ b/src/pkcs15init/pkcs15-lib.c
+@@ -3958,6 +3958,22 @@ sc_pkcs15init_verify_secret(struct sc_profile *profile, struct sc_pkcs15_card *p
+ 
+ found:
+ 	if (pin_obj)   {
+		/*
+		 * If pin cache is disabled or the reader is using pinpad, we can get here
+		 * with no PIN data. This is ok as we can not asynchronously invoke the prompt
+		 * (unless the pinpad is in use).
+		 * In this case, check if the PIN has been already verified and
+		 * the access condition is still open on card.
+		 */
+		if (pinsize == 0) {
+			r = sc_pkcs15_get_pin_info(p15card, pin_obj);
+			/* update local copy of auth info */
+			memcpy(&auth_info, pin_obj->data, sizeof(auth_info));
+
+			if (r == SC_SUCCESS && auth_info.logged_in == SC_PIN_STATE_LOGGED_IN)
+				LOG_FUNC_RETURN(ctx, r);
+		}
+
+ 		r = sc_pkcs15_verify_pin(p15card, pin_obj, use_pinpad || pinsize == 0 ? NULL : pinbuf, use_pinpad ? 0 : pinsize);
+ 		LOG_TEST_RET(ctx, r, "Cannot validate pkcs15 PIN");
+ 	}
+-- 
+2.43.0
+
--- a/opensc.spec
+++ b/opensc.spec
@ -26,6 +26,9 @@ Patch12:        %{name}-0.23.0-cardos-pkcs15init.patch
 # https://github.com/OpenSC/OpenSC/commit/bff98ff078a99e6864ba1a598fd7dc9af4a9476b
 # https://github.com/OpenSC/OpenSC/commit/0875c69295ef28b45fb682b37cede58fc36b7a1a
 Patch13:        %{name}-0.23.0-cache-offsets.patch
+# https://github.com/OpenSC/OpenSC/commit/868f76fb31255fd3fdacfc3e476452efeb61c3e7
+# https://github.com/OpenSC/OpenSC/commit/80cc5d30635f0d2c92b5099c0f9dc680d0ffce2f
+Patch14:        %{name}-0.23.0-pin-bypass.patch

 BuildRequires:  make
 BuildRequires:  pcsc-lite-devel
@ -70,6 +73,7 @@ every software/card that does so, too.
 %patch11 -p1 -b .openpgp
 %patch12 -p1 -b .cardos-pkcs15init
 %patch13 -p1 -b .cache-offsets
+%patch14 -p1 -b .pin-bypass

 cp -p src/pkcs15init/README ./README.pkcs15init
 cp -p src/scconf/README.scconf .