Backport CVE

meta-oe/recipes-support/opensc/opensc/CVE-2023-40660.patch

@@ -1,7 +1,8 @@
 Origin: https://github.com/OpenSC/OpenSC/commit/868f76fb31255fd3fdacfc3e476452efeb61c3e7
+From 23f240e7098305f77eed90631ee995a731eb3a94 Mon Sep 17 00:00:00 2001
 From: Frank Morgner <frankmorgner@gmail.com>
 Date: Wed, 21 Jun 2023 12:27:23 +0200
-Subject: Fixed PIN authentication bypass
+Subject: [PATCH 1/2] Fixed PIN authentication bypass
 
 If two processes are accessing a token, then one process may leave the
 card usable with an authenticated PIN so that a key may sign/decrypt any
@@ -20,19 +21,15 @@ shortcut, but we want the user to verify the correct PIN (even though
 the token was left unattended and authentication at the computer).
 
 This essentially reverts commit e6f7373ef066cfab6e3162e8b5f692683db23864.
-
-CVE: CVE-2023-40660
-Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/940e8bc764047c873f88bb1396933a5368d03533]
-Signed-off-by: Virendra Thakur <virendrak@kpit.com>
 ---
  src/libopensc/pkcs15-pin.c | 13 -------------
  1 file changed, 13 deletions(-)
 
 diff --git a/src/libopensc/pkcs15-pin.c b/src/libopensc/pkcs15-pin.c
-index 80a185fecd..393234efe4 100644
+index 48e16fdc1..240267531 100644
 --- a/src/libopensc/pkcs15-pin.c
 +++ b/src/libopensc/pkcs15-pin.c
-@@ -307,19 +307,6 @@
+@@ -307,19 +307,6 @@ sc_pkcs15_verify_pin(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *pi
  		LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_PIN_REFERENCE);
  	auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data;
 
@@ -52,4 +49,63 @@ index 80a185fecd..393234efe4 100644
  	r = _validate_pin(p15card, auth_info, pinlen);
 
  	if (r)
+-- 
+2.43.0
+
+Origin: https://github.com/OpenSC/OpenSC/commit/80cc5d30635f0d2c92b5099c0f9dc680d0ffce2f 
+From 8f95dfa8d6d27bc6c8f7b1284661ed441d8b6198 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 24 Oct 2023 11:13:08 +0200
+Subject: [PATCH 2/2] pkcs15init: Check login status before asking for a pin
+
+The original code block from e6f7373 is still needed when pkcs15init
+layer checks ACLs for PKCS#15 objects, but it should be kept out of
+the libopensc, which is used for more authentication code paths
+and can be used for PIN bypass.
+---
+ src/libopensc/pkcs15-pin.c  |  1 +
+ src/pkcs15init/pkcs15-lib.c | 16 ++++++++++++++++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/src/libopensc/pkcs15-pin.c b/src/libopensc/pkcs15-pin.c
+index 240267531..b3453c4b4 100644
+--- a/src/libopensc/pkcs15-pin.c
++++ b/src/libopensc/pkcs15-pin.c
+@@ -307,6 +307,7 @@ sc_pkcs15_verify_pin(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *pi
+ 		LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_PIN_REFERENCE);
+ 	auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data;
+
++	/* Check the provided pin matches pin requirements */
+ 	r = _validate_pin(p15card, auth_info, pinlen);
+
+ 	if (r)
+diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c
+index 1269bd9c2..b1da64318 100644
+--- a/src/pkcs15init/pkcs15-lib.c
++++ b/src/pkcs15init/pkcs15-lib.c
+@@ -3798,6 +3798,22 @@ sc_pkcs15init_verify_secret(struct sc_profile *profile, struct sc_pkcs15_card *p
+
+ found:
+ 	if (pin_obj)   {
++		/*
++		 * If pin cache is disabled or the reader is using pinpad, we can get here
++		 * with no PIN data. This is ok as we can not asynchronously invoke the prompt
++		 * (unless the pinpad is in use).
++		 * In this case, check if the PIN has been already verified and
++		 * the access condition is still open on card.
++		 */
++		if (pinsize == 0) {
++			r = sc_pkcs15_get_pin_info(p15card, pin_obj);
++			/* update local copy of auth info */
++			memcpy(&auth_info, pin_obj->data, sizeof(auth_info));
++
++			if (r == SC_SUCCESS && auth_info.logged_in == SC_PIN_STATE_LOGGED_IN)
++				LOG_FUNC_RETURN(ctx, r);
++		}
++
+ 		r = sc_pkcs15_verify_pin(p15card, pin_obj, use_pinpad || pinsize == 0 ? NULL : pinbuf, use_pinpad ? 0 : pinsize);
+ 		LOG_TEST_RET(ctx, r, "Cannot validate pkcs15 PIN");
+ 	}
+-- 
+2.43.0