-
Notifications
You must be signed in to change notification settings - Fork 712
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Asking for user PIN when already logged in. #2903
Comments
To see pin operations in OpenSC debug log requires
Shows it took 93 seconds to login to the card after first C_Login. Can you get a debug log with debug = 8? |
Is there some other application that might be accessing the PKCS#11 token in the meantime? On the first sight, this sounds like related to 56d1abe but this was already part of 0.23.0 and the logout is called also only twice. The other guess would be file caching, which was enabled in 0.24 and which interfered the card enrollment in the past. This should have been solved with #2798, but there might be still some corner case. The log says the card is Can you try with file caching disabled by setting @popovec @hhonkanen any thoughts about the older myeid cards and features supported? |
I'll look into it, I don't think it has anything to do with the logout function already implemented in 0.23 and it has nothing to do with the file cache either. Recently, however, I noticed repeated PIN requests when using MyEID with openvpn. But I have to check the version of opensc used in this solution. I have a suspicion that this could also happen to me when I upgraded opensc to a version from GIT. It certainly didn't happen with 0.23. MyEID can be configured so that it automatically performs a logout after a security operation. |
The starting comment has now been update with more request after the request from @dengert |
Yes to @dengert . My fork places the trust on the card: it the card requires a new login - software prompts for the PIN, otherwise it doesn't. |
e6f7373 tested for @frankmorgner and I disagree on how to handle multiple processes each running their own PKCS11 module. @frankmorgner has taken a more restrictive approach which is force login per process and logout after last PKCS11 session is closed. This issue is very similar. I take the approach if the user logs in to the card on one process, that login state should remain as long as user is logged in to OS. User is expected to remove card when they are done. Logout or lock screen need to be addressed which looks like RedHat and PCSC-lite have addressed by using PolKit. Ubuntu appears to not build PCSC-lite with PolKit. |
@Jakuje : No difference with |
Good point. This is indeed the place where the code goes in different direction in the both debug logs. But I think this is still related only to the enrollment phase. If I see right, the first diff comes from I would be interested in the behavior with normal reader without pinpad. There is no way to prompt the user for the PIN interactively from OpenSC internals so what does it do? Just skips the login and work ok? @larssilven can you check (and provide debug logs if you have some throw-away pins to share)? if you do not have non-pinpad reader, you can try with So there are ways out:
On a side note with 0.24.0 I see that for every file read, the MyEID driver calls the |
@popovec , |
MyEID uses the It also failed to repeat the problem I observed with openvpn with OpenSC version 0.24-rc1.. Everything works as I expected. Since the problem occurs only with an external PIN pad, I would look for this place. I'll try to reproduce it somehow, but I don't have a reader with an external PIN pad at hand at the moment. |
The CCID Emulator is capable of emulating a reader with PIN pad, but it may be a little complex to set up... |
@popovec , |
I thought the pin cache is disabled by default. My bad. |
The problem with CKR_GENERAL_ERROR is caused by some logical error during pin verification. It seems that we really have a problem if the PIN length is 0, and this occurs when the pin cache is disabled.
|
@Jakuje: The key wrapping/unwrapping features were developed with MyEID 4.0.18 and 4.0.19 and should work with these versions. These versions were not widely distributed, 4.5.5 replaced them soon. This is a familiar issue which I resolved in e6f7373 when developing these features, but has appeared again with later changes and has been discussed in #2806. In e6f7373 my intention was to check the authentication state from card, when ending up to sc_pkcs15_verify_pin in situations the PIN has already been verified. I have understood a reason for later changes was that explicitly calling C_Login with a zero length PIN also leads here, and in this case it does not behave correctly. My thoughts on maintaining the login state:
Could this issue be fixed by intercepting C_Login calls with zero length PIN or NULL pin without pinpad in higher level and returning the check introduced in e6f7373? |
I did this on my clone of the master branch:
You can clone it from: |
Rebasing with commit removal back in the history is confusing. I would propose rather revert the commit
Thanks for verifying the 868f76f is indeed the culprit as we assumed. It will need to go back in some form. I think the file caching nor pin caching should have any effects here (but feel free to double-check). |
I am wondering if we should not change this actually somewhere inside of the https://github.com/Jakuje/OpenSC/commits/bypass-pkcs15init @larssilven can you try with this branch that it does what it is supposed to do? I have pinpad reader, but I learned that the MyEID card I have at work died so I will have to dig up some more tomorrow. |
Haven't had time to debug it, but I was thinking of checking for zero length PIN in pkcs15_login function in framework_pkcs15.c, before calling sc_pkcs15_verify_pin(), and return the check introduced in e6f7373 to sc_pkcs15_verify_pin. In pkcs15_login, we would return an error if C_Login is called with an empty PIN, but when we end up to sc_pkcs15_verify_pin when accessing a private object, it would check the authentication state and avoid unnecessary PIN verifications. @Jakuje your suggestion might do the job to resolve the issue as well. I'm just not sure, do we get to sc_pkcs15_verify_pin with pinlen=0 from other code paths than sc_pkcs15init_verify_secret and pkcs15_login (which my suggestion would handle). |
PKCS11 C_Login with pinlen = 0 is used for more then PIN PAD readers. https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/pkcs15-pin.c#L275-L279 SC_CARD_CAP_PROTECTED_AUTHENTICATION_PATH is used in |
@hhonkanen , see https://github.com/OpenSC/OpenSC/wiki/CVE-2023-40660 for what is wrong with e6f7373 In PKCS#11, we have slot->login_user which we can leverage to avoid unneeded reauthentication. If the user has authenticated before in the running process, then, I agree, she is free to use the card if it is authenticated to avoid a pin pad prompt. And I think we are already doing this independent from all changes discussed here: OpenSC/src/pkcs11/pkcs11-session.c Lines 375 to 381 in 5c1f08d
Thanks @Jakuje , for analyzing the given log, which reveals that sc_pkcs15init_verify_secret is causing the repeated PIN prompting. Indeed, Jakuje@5ea4bdf, solves this exclusively in the pkcs15layer since, luckily, sc_pkcs15init_verify_secret is not used by framework-pkcs15init.c. However, I have some fear that handling this in the pkcs15init library may eventually trickle through to PKCS#11 at some point. Ideally, pkcs15-init (the executable) should keep some global state on who has authenticated previously, similar to slot->login_user in the case of the PKCS#11 context. On the other hand, we need to sort this out quickly to finally publish the release, so I would be fine with your proposed workaround. |
SC_CARD_CAP_PROTECTED_AUTHENTICATION_PATH is basically a PIN pad on the card itself (sc-hsm even supports an integrated finger print reader). Handling from the PC side should be identical to a pin pad reader, though. |
Note, that the reproducer from #2903 (comment) does not go through the pkcs15-init nor pkcs15-tool, but the code is called from the pkcs11 module by I have finally working MyEID card (@hhonkanen your shipping service is awesomely fast!), and I see my fix does not actually work, but I hope the concept and direction I wanted to point is clear. I updated the branch with tested code with MyEID card: https://github.com/Jakuje/OpenSC/commits/bypass-pkcs15init |
@Jakuje : I used this script to initialize the card: /#!/bin/bash
failing() {
echo "Command failed. Card not initialized."
exit 1
}
sopin=12345
sopuk=23456789
pin=4321
puk=54321
#set -x
echo ${sopin}| pkcs15-init -E || failing
pkcs15-init -C --so-pin "${sopin}" --pin "" --so-puk "${sopuk}" --puk "" || failing
pkcs15-init -P -a 1 -l "${label}" --pin "${pin}" --puk "${puk}" --so-pin "notUsed" || failing
pkcs15-init -F || failing
echo "Smart card initialized." Then I just run a test application that produced the logs. Note that it not just I have not yet tested the fix that @Jakuje presented 2 days ago. Is it still of any value to test it? Please let me know if I should test anything else. |
Thank you. Testing the changes would be still useful. They are now in #2916. I do not think there was any other proposal that could fix this issue in the meantime, except for the discussion in the above PR. |
Problem Description
0.24.0-rc1 asks for for PIN all the time regardless if the user is logged in or not. According to PKCS#11 PIN must only be provided to the token after C_Login.
I am using a PIN pad reader so I recognizes all logins.
Version 0.23.0 is working as expected. master branch and 0.24.0-rc1 has this problem.
Proposed Resolution
If this new behavior is wanted for some application it must be enabled by the configuration.
Default must be to have it working according to PKCS#11 (as in version 0.23.0).
Steps to reproduce
Just run any application that has "private" objects and you will have to provide PIN all the time.
Logs
Logs from a test that show what is happening. The name of the file tells opensc log level (_llevel) and version of opensc (_version.log).
Here are the files that have been produced
PIN is provided at these lines in pksc11_llevel_0.24.0-rc1.log (yes it was the same lines for both levels):
60 89 234 308 383 693 905 1237 1836 2319 2392 2423
In pkcs11_l8_0.23.0.log PIN is just provided 2 times each time after C_Login: 60 1237
In the opensc logs you can see when PIN was provided (all lines with "sc_pin_cmd"). It was done 32 times for 0.24.0-rc1. So some pkcs#11 functions generates several PIN authentications.
C_Login was just called 2 times so it should just have been 2 PIN authentications.
When not using PIN pad everything is working as expected if PIN caching is enabled. PIN is only provided by the application 2 times by using C_Login:
But if PIN caching is not enabled CKR_GENERAL_ERROR is returned:
The text was updated successfully, but these errors were encountered: