| Message ID | 20231221121509.1880592-1-thakur.virendra1810@gmail.com |
|---|---|
| State | New |
| Headers | show |
| Series | [meta-oe,1/2] opensc: Fix CVE-2023-40660 | expand |
On 12/21/23 4:15 AM, virendra thakur wrote: > From: virendra thakur <virendrak@kpit.com> > > Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/940e8bc764047c873f88bb1396933a5368d03533] > > Signed-off-by: virendra thakur <virendrak@kpit.com> Please indicate the branch it is intended for in the subject field to get proper attention, something like ... [branch][layer] recipe: Summary of change .... > --- > .../opensc/opensc/CVE-2023-40660.patch | 55 +++++++++++++++++++ > .../recipes-support/opensc/opensc_0.20.0.bb | 1 + > 2 files changed, 56 insertions(+) > create mode 100644 meta-oe/recipes-support/opensc/opensc/CVE-2023-40660.patch > > diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40660.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40660.patch > new file mode 100644 > index 000000000..74e547298 > --- /dev/null > +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40660.patch > @@ -0,0 +1,55 @@ > +Origin: https://github.com/OpenSC/OpenSC/commit/868f76fb31255fd3fdacfc3e476452efeb61c3e7 > +From: Frank Morgner <frankmorgner@gmail.com> > +Date: Wed, 21 Jun 2023 12:27:23 +0200 > +Subject: Fixed PIN authentication bypass > + > +If two processes are accessing a token, then one process may leave the > +card usable with an authenticated PIN so that a key may sign/decrypt any > +data. This is especially the case if the token does not support a way of > +resetting the authentication status (logout). > + > +We have some tracking of the authentication status in software via > +PKCS#11, Minidriver (os-wise) and CryptoTokenKit, which is why a > +PIN-prompt will appear even though the card may technically be unlocked > +as described in the above example. However, before this change, an empty > +PIN was not verified (likely yielding an error during PIN-verification), > +but it was just checked whether the PIN is authenticated. This defeats > +the purpose of the PIN verification, because an empty PIN is not the > +correct one. Especially during OS Logon, we don't want that kind of > +shortcut, but we want the user to verify the correct PIN (even though > +the token was left unattended and authentication at the computer). > + > +This essentially reverts commit e6f7373ef066cfab6e3162e8b5f692683db23864. > + > +CVE: CVE-2023-40660 > +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/940e8bc764047c873f88bb1396933a5368d03533] > +Signed-off-by: Virendra Thakur <virendrak@kpit.com> > +--- > + src/libopensc/pkcs15-pin.c | 13 ------------- > + 1 file changed, 13 deletions(-) > + > +diff --git a/src/libopensc/pkcs15-pin.c b/src/libopensc/pkcs15-pin.c > +index 80a185fecd..393234efe4 100644 > +--- a/src/libopensc/pkcs15-pin.c > ++++ b/src/libopensc/pkcs15-pin.c > +@@ -307,19 +307,6 @@ > + LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_PIN_REFERENCE); > + auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data; > + > +- /* > +- * if pin cache is disabled, we can get here with no PIN data. > +- * in this case, to avoid error or unnecessary pin prompting on pinpad, > +- * check if the PIN has been already verified and the access condition > +- * is still open on card. > +- */ > +- if (pinlen == 0) { > +- r = sc_pkcs15_get_pin_info(p15card, pin_obj); > +- > +- if (r == SC_SUCCESS && auth_info->logged_in == SC_PIN_STATE_LOGGED_IN) > +- LOG_FUNC_RETURN(ctx, r); > +- } > +- > + r = _validate_pin(p15card, auth_info, pinlen); > + > + if (r) > + > diff --git a/meta-oe/recipes-support/opensc/opensc_0.20.0.bb b/meta-oe/recipes-support/opensc/opensc_0.20.0.bb > index b8cf203b7..3e77b8884 100644 > --- a/meta-oe/recipes-support/opensc/opensc_0.20.0.bb > +++ b/meta-oe/recipes-support/opensc/opensc_0.20.0.bb > @@ -14,6 +14,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34" > #v0.19.0 > SRCREV = "45e29056ccde422e70ed3585084a7f150c632515" > SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \ > + file://CVE-2023-40660.patch \ > " > DEPENDS = "virtual/libiconv openssl" >
diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40660.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40660.patch new file mode 100644 index 000000000..74e547298 --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40660.patch @@ -0,0 +1,55 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/868f76fb31255fd3fdacfc3e476452efeb61c3e7 +From: Frank Morgner <frankmorgner@gmail.com> +Date: Wed, 21 Jun 2023 12:27:23 +0200 +Subject: Fixed PIN authentication bypass + +If two processes are accessing a token, then one process may leave the +card usable with an authenticated PIN so that a key may sign/decrypt any +data. This is especially the case if the token does not support a way of +resetting the authentication status (logout). + +We have some tracking of the authentication status in software via +PKCS#11, Minidriver (os-wise) and CryptoTokenKit, which is why a +PIN-prompt will appear even though the card may technically be unlocked +as described in the above example. However, before this change, an empty +PIN was not verified (likely yielding an error during PIN-verification), +but it was just checked whether the PIN is authenticated. This defeats +the purpose of the PIN verification, because an empty PIN is not the +correct one. Especially during OS Logon, we don't want that kind of +shortcut, but we want the user to verify the correct PIN (even though +the token was left unattended and authentication at the computer). + +This essentially reverts commit e6f7373ef066cfab6e3162e8b5f692683db23864. + +CVE: CVE-2023-40660 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/940e8bc764047c873f88bb1396933a5368d03533] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +--- + src/libopensc/pkcs15-pin.c | 13 ------------- + 1 file changed, 13 deletions(-) + +diff --git a/src/libopensc/pkcs15-pin.c b/src/libopensc/pkcs15-pin.c +index 80a185fecd..393234efe4 100644 +--- a/src/libopensc/pkcs15-pin.c ++++ b/src/libopensc/pkcs15-pin.c +@@ -307,19 +307,6 @@ + LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_PIN_REFERENCE); + auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data; + +- /* +- * if pin cache is disabled, we can get here with no PIN data. +- * in this case, to avoid error or unnecessary pin prompting on pinpad, +- * check if the PIN has been already verified and the access condition +- * is still open on card. +- */ +- if (pinlen == 0) { +- r = sc_pkcs15_get_pin_info(p15card, pin_obj); +- +- if (r == SC_SUCCESS && auth_info->logged_in == SC_PIN_STATE_LOGGED_IN) +- LOG_FUNC_RETURN(ctx, r); +- } +- + r = _validate_pin(p15card, auth_info, pinlen); + + if (r) + diff --git a/meta-oe/recipes-support/opensc/opensc_0.20.0.bb b/meta-oe/recipes-support/opensc/opensc_0.20.0.bb index b8cf203b7..3e77b8884 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.20.0.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.20.0.bb @@ -14,6 +14,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34" #v0.19.0 SRCREV = "45e29056ccde422e70ed3585084a7f150c632515" SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \ + file://CVE-2023-40660.patch \ " DEPENDS = "virtual/libiconv openssl"