pam_pkcs11/pam_pkcs11-CVE-2025-24032.patch


From b665b287ff955bbbd9539252ff9f9e2754c3fb48 Mon Sep 17 00:00:00 2001
From: Frank Morgner <frankmorgner@gmail.com>
Date: Fri, 6 Dec 2024 04:39:04 +0100
Subject: [PATCH] fixed possible authentication bypass: Use signatures to
verify authentication by default
If cert_policy is set to none (the default value), then pam_pkcs11 will
only check if the user is capable of logging into the token. An attacker
may create a different token with the user's public data (e.g. the
user's certificate) and a PIN known to the attacker. If no signature
with the private key is required, then the attacker may now login as
user with that created token.
This change, by default, uses the private key to create a signature. A
new policy, `no_signature`, is introduced for the case where the module
should really *not* validate the key's signature.
---
src/common/cert_vfy.h | 2 +-
src/pam_pkcs11/pam_config.c | 16 +++++++++++-----
src/pam_pkcs11/pam_pkcs11.c | 2 +-
3 files changed, 13 insertions(+), 7 deletions(-)
Index: pam_pkcs11-pam_pkcs11-0.6.12/src/common/cert_vfy.h
===================================================================
--- pam_pkcs11-pam_pkcs11-0.6.12.orig/src/common/cert_vfy.h
+++ pam_pkcs11-pam_pkcs11-0.6.12/src/common/cert_vfy.h
@@ -48,7 +48,7 @@ typedef enum {
struct cert_policy_st {
int ca_policy;
int crl_policy;
- int signature_policy;
+ int no_signature_policy;
const char *ca_dir;
const char *crl_dir;
const char *nss_dir;
Index: pam_pkcs11-pam_pkcs11-0.6.12/src/pam_pkcs11/pam_config.c
===================================================================
--- pam_pkcs11-pam_pkcs11-0.6.12.orig/src/pam_pkcs11/pam_config.c
+++ pam_pkcs11-pam_pkcs11-0.6.12/src/pam_pkcs11/pam_config.c
@@ -87,7 +87,7 @@ static void display_config (void) {
DBG1("support_threads %d",configuration.support_threads);
DBG1("ca_policy %d",configuration.policy.ca_policy);
DBG1("crl_policy %d",configuration.policy.crl_policy);
- DBG1("signature_policy %d",configuration.policy.signature_policy);
+ DBG1("no_signature_policy %d",configuration.policy.no_signature_policy);
DBG1("ocsp_policy %d",configuration.policy.ocsp_policy);
DBG1("err_display_time %d", configuration.err_display_time);
}
@@ -180,7 +180,7 @@ static void parse_config_file(void) {
configuration.policy.crl_policy=CRLP_NONE;
configuration.policy.ocsp_policy=OCSP_NONE;
configuration.policy.ca_policy=0;
- configuration.policy.signature_policy=0;
+ configuration.policy.no_signature_policy=0;
break;
} else if ( !strcmp(policy_list->data,"crl_auto") ) {
configuration.policy.crl_policy=CRLP_AUTO;
@@ -193,7 +193,10 @@ static void parse_config_file(void) {
} else if ( !strcmp(policy_list->data,"ca") ) {
configuration.policy.ca_policy=1;
} else if ( !strcmp(policy_list->data,"signature") ) {
- configuration.policy.signature_policy=1;
+ // ignore this setting for legacy reasons
+ } else if ( !strcmp(policy_list->data,"no_signature") ) {
+ // ignore this setting for legacy reasons
+ configuration.policy.no_signature_policy=1;
} else {
DBG1("Invalid CRL policy: %s",policy_list->data);
}
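Review bot: The comment on the new `no_signature` branch, `// ignore this setting for legacy reasons`, is copied from the `signature` branch above it and is wrong here: this branch is not ignored, it sets `no_signature_policy=1` and switches off the private-key signing step that this patch makes the default. A maintainer reading it could conclude the option is a no-op and leave it in a config. Replace it with `// explicit opt-out of the signing challenge: re-enables the token-cloning bypass this patch closes, use only for tokens that cannot sign` so the security consequence is visible at the parse site. The `Invalid CRL policy` message in the else branch is pre-existing and unrelated. parse_config_file starts and ends outside this hunk.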
@@ -321,7 +324,7 @@ struct configuration_st *pk_configure( i
if (strstr(argv[i],"none")) {
configuration.policy.crl_policy=CRLP_NONE;
configuration.policy.ca_policy=0;
- configuration.policy.signature_policy=0;
+ configuration.policy.no_signature_policy=0;
configuration.policy.ocsp_policy=OCSP_NONE;
}
if (strstr(argv[i],"crl_online")) {
@@ -340,7 +343,10 @@ struct configuration_st *pk_configure( i
configuration.policy.ca_policy=1;
}
if (strstr(argv[i],"signature")) {
- configuration.policy.signature_policy=1;
+ // ignore this setting for legacy reasons
+ }
+ if (strstr(argv[i],"no_signature")) {
+ configuration.policy.no_signature_policy=1;
}
continue;
}
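Review bot: The `if (strstr(argv[i],"signature"))` test now guards an empty body, so it is dead code kept only to carry a comment, and because `strstr` does substring matching it also fires for `no_signature`, which makes the empty block even less informative. Since the flag is set only by the `no_signature` check below, drop the empty block and put the note above that check: `/* "signature" is accepted for legacy configs but ignored: signing is now the default; only "no_signature" turns it off */`. Note that `strstr` matching is pre-existing here; with `none` handled earlier in the same function, a `cert_policy` string containing both `none` and `no_signature` ends with the signing check disabled, which looks intended but is worth a sentence in the man page. pk_configure starts and ends outside this hunk.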
Index: pam_pkcs11-pam_pkcs11-0.6.12/src/pam_pkcs11/pam_pkcs11.c
===================================================================
--- pam_pkcs11-pam_pkcs11-0.6.12.orig/src/pam_pkcs11/pam_pkcs11.c
+++ pam_pkcs11-pam_pkcs11-0.6.12/src/pam_pkcs11/pam_pkcs11.c
@@ -618,8 +618,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
/* if signature check is enforced, generate random data, sign and verify */
- if (configuration->policy.signature_policy) {
- pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("Checking signature"));
+ if (!configuration->policy.no_signature_policy) {
+ pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("Checking signature"));
#ifdef notdef