opensc/opensc-CVE-2023-40660-1of2.patch

From 74ddc3636db18ae78de62922a74bfdefae015c76 Mon Sep 17 00:00:00 2001
From: Frank Morgner <frankmorgner@gmail.com>
Date: Wed, 21 Jun 2023 12:27:23 +0200
Subject: [PATCH] Fixed PIN authentication bypass

If two processes are accessing a token, then one process may leave the
card usable with an authenticated PIN so that a key may sign/decrypt any
data. This is especially the case if the token does not support a way of
resetting the authentication status (logout).

We have some tracking of the authentication status in software via
PKCS#11, Minidriver (os-wise) and CryptoTokenKit, which is why a
PIN-prompt will appear even though the card may technically be unlocked
as described in the above example. However, before this change, an empty
PIN was not verified (likely yielding an error during PIN-verification),
but it was just checked whether the PIN is authenticated. This defeats
the purpose of the PIN verification, because an empty PIN is not the
correct one. Especially during OS Logon, we don't want that kind of
shortcut, but we want the user to verify the correct PIN (even though
the token was left unattended and authentication at the computer).

This essentially reverts commit e6f7373ef066cfab6e3162e8b5f692683db23864.
---
 src/libopensc/pkcs15-pin.c | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/src/libopensc/pkcs15-pin.c b/src/libopensc/pkcs15-pin.c
index 48e16fdc1c..2402675316 100644
--- a/src/libopensc/pkcs15-pin.c
+++ b/src/libopensc/pkcs15-pin.c
@@ -307,19 +307,6 @@ sc_pkcs15_verify_pin(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *pi
 		LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_PIN_REFERENCE);
 	auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data;
 
-	/*
-	 * if pin cache is disabled, we can get here with no PIN data.
-	 * in this case, to avoid error or unnecessary pin prompting on pinpad,
-	 * check if the PIN has been already verified and the access condition
-	 * is still open on card.
-	 */
-	if (pinlen == 0) {
-	    r = sc_pkcs15_get_pin_info(p15card, pin_obj);
-
-	    if (r == SC_SUCCESS && auth_info->logged_in == SC_PIN_STATE_LOGGED_IN)
-		LOG_FUNC_RETURN(ctx, r);
-	}
-
 	r = _validate_pin(p15card, auth_info, pinlen);
 
 	if (r)
Accepting request 1116477 from home:ohollmann:branches:security:chipcard - Security Fix: [CVE-2023-40661, bsc#1215761] * opensc: multiple memory issues with pkcs15-init (enrollment tool) * Add patches: - opensc-CVE-2023-40661-1of12.patch - opensc-CVE-2023-40661-2of12.patch - opensc-CVE-2023-40661-3of12.patch - opensc-CVE-2023-40661-4of12.patch - opensc-CVE-2023-40661-5of12.patch - opensc-CVE-2023-40661-6of12.patch - opensc-CVE-2023-40661-7of12.patch - opensc-CVE-2023-40661-8of12.patch - opensc-CVE-2023-40661-9of12.patch - opensc-CVE-2023-40661-10of12.patch - opensc-CVE-2023-40661-11of12.patch - opensc-CVE-2023-40661-12of12.patch - Security Fix: [CVE-2023-4535, bsc#1215763] * Add patches: - opensc-CVE-2023-4535.patch - opensc-NULL_pointer_fix.patch - Security Fix: [CVE-2023-40660, bsc#1215762] * opensc: PIN bypass when card tracks its own login state * Add patches: - opensc-CVE-2023-40660-1of2.patch - opensc-CVE-2023-40660-2of2.patch OBS-URL: https://build.opensuse.org/request/show/1116477 OBS-URL: https://build.opensuse.org/package/show/security:chipcard/opensc?expand=0&rev=75 2023-10-10 14:49:01 +02:00			`From 74ddc3636db18ae78de62922a74bfdefae015c76 Mon Sep 17 00:00:00 2001`
			`From: Frank Morgner <frankmorgner@gmail.com>`
			`Date: Wed, 21 Jun 2023 12:27:23 +0200`
			`Subject: [PATCH] Fixed PIN authentication bypass`

			`If two processes are accessing a token, then one process may leave the`
			`card usable with an authenticated PIN so that a key may sign/decrypt any`
			`data. This is especially the case if the token does not support a way of`
			`resetting the authentication status (logout).`

			`We have some tracking of the authentication status in software via`
			`PKCS#11, Minidriver (os-wise) and CryptoTokenKit, which is why a`
			`PIN-prompt will appear even though the card may technically be unlocked`
			`as described in the above example. However, before this change, an empty`
			`PIN was not verified (likely yielding an error during PIN-verification),`
			`but it was just checked whether the PIN is authenticated. This defeats`
			`the purpose of the PIN verification, because an empty PIN is not the`
			`correct one. Especially during OS Logon, we don't want that kind of`
			`shortcut, but we want the user to verify the correct PIN (even though`
			`the token was left unattended and authentication at the computer).`

			`This essentially reverts commit e6f7373ef066cfab6e3162e8b5f692683db23864.`
			`---`
			`src/libopensc/pkcs15-pin.c \| 13 -------------`
			`1 file changed, 13 deletions(-)`

			`diff --git a/src/libopensc/pkcs15-pin.c b/src/libopensc/pkcs15-pin.c`
			`index 48e16fdc1c..2402675316 100644`
			`--- a/src/libopensc/pkcs15-pin.c`
			`+++ b/src/libopensc/pkcs15-pin.c`
			`@@ -307,19 +307,6 @@ sc_pkcs15_verify_pin(struct sc_pkcs15_card p15card, struct sc_pkcs15_object pi`
			`LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_PIN_REFERENCE);`
			`auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data;`

			`- /*`
			`- * if pin cache is disabled, we can get here with no PIN data.`
			`- * in this case, to avoid error or unnecessary pin prompting on pinpad,`
			`- * check if the PIN has been already verified and the access condition`
			`- * is still open on card.`
			`- */`
			`- if (pinlen == 0) {`
			`- r = sc_pkcs15_get_pin_info(p15card, pin_obj);`
			`-`
			`- if (r == SC_SUCCESS && auth_info->logged_in == SC_PIN_STATE_LOGGED_IN)`
			`- LOG_FUNC_RETURN(ctx, r);`
			`- }`
			`-`
			`r = _validate_pin(p15card, auth_info, pinlen);`

			`if (r)`