[PATCH gnupg] scd: Fix unblock (via a Reset Code) with KDF
* scd/app-openpgp.c (do_change_pin): Fix unblock with KDF
--

When KDF is enabled, instead of sending the PIN verbatim we send its salted
hash. User PIN, Admin PIN, and Reset Code all use different salts.
When executing the `unblock` command (which allows the user to reset
their PIN using the Reset Code) we were incorrectly using salt number 0
(the one used for the Reset Code) to hash the User PIN.

Use the correct salt number 1 instead.

This bug has been present since the original implementation of KDF back in
91303b7df9c3e810cfcd4920f78bac6f8b7df2b2.
---
scd/app-openpgp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c
index 5508ec68e..506b58232 100644
--- a/scd/app-openpgp.c
+++ b/scd/app-openpgp.c
@@ -3454,7 +3454,7 @@ do_change_pin (app_t app, ctrl_t ctrl, const char *chvnostr,

rc = pin2hash_if_kdf (app, 0, resetcode, &result1, &resultlen1);
if (!rc)
- rc = pin2hash_if_kdf (app, 0, pinvalue, &result2, &resultlen2);
+ rc = pin2hash_if_kdf (app, 1, pinvalue, &result2, &resultlen2);
if (!rc)
{
bufferlen = resultlen1 + resultlen2;
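Review bot: both pin2hash_if_kdf() calls in this hunk still select the salt with bare literals (0 for the Reset Code, 1 for the User PIN), which is exactly the confusion that produced this bug and that a reader of `rc = pin2hash_if_kdf (app, 1, pinvalue, &result2, &resultlen2);` cannot check without opening the callee. Give each literal a comment or a named constant (e.g. `1 /* User PIN salt */`), and since the commit message says the wrong salt survived from the original KDF implementation, add a regression test that exercises unblock with KDF enabled so the next mix-up is caught before release.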
--
2.29.3


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
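The commit message above describes the mechanism (with KDF enabled the host sends a salted S2K hash instead of the PIN, one salt per PIN kind) but not what the wrong salt does to a user. The following is an added example, not GnuPG code: a host-side pin2hash modelled on the call in the patch, a toy card model, and the unblock flow run once with salt 0 for the new User PIN (the bug) and once with salt 1 (the fix). The KDF-DO tag layout (0x81 algo, 0x82 hash, 0x83 iteration count, 0x84/0x85/0x86 salts for PW1/RC/PW3), the chvno-to-salt mapping beyond 0 and 1, the card's behaviour, and all salts and PINs are assumptions or constructed values.

```python
"""Model of OpenPGP card KDF PIN hashing and the Reset Code unblock flow.
Added example; not code from GnuPG or the OpenPGP card project."""
import hashlib
import struct

# KDF-DO tag layout as assumed here (my reading of the card 3.x spec, not from the patch).
TAG_ALGO, TAG_HASH, TAG_ITERS = 0x81, 0x82, 0x83
TAG_SALT_PW1, TAG_SALT_RC, TAG_SALT_PW3 = 0x84, 0x85, 0x86
KDF_ITERSALTED_S2K = 0x03
HASH_NAMES = {0x08: "sha256", 0x0A: "sha512"}   # OpenPGP hash algorithm ids

# Numbering used by the patch's pin2hash_if_kdf() second argument:
# 0 selects the Reset Code salt, 1 the User PIN salt. 3 -> Admin PIN is my assumption.
SALT_TAG_FOR_CHVNO = {0: TAG_SALT_RC, 1: TAG_SALT_PW1, 3: TAG_SALT_PW3}


def build_kdf_do(salt_pw1, salt_rc, salt_pw3, iters=100000, hash_id=0x08):
    """Serialise a constructed KDF DO as one-byte-tag, one-byte-length TLVs."""
    def tlv(tag, value):
        return bytes([tag, len(value)]) + value
    return (tlv(TAG_ALGO, bytes([KDF_ITERSALTED_S2K])) + tlv(TAG_HASH, bytes([hash_id]))
            + tlv(TAG_ITERS, struct.pack(">I", iters)) + tlv(TAG_SALT_PW1, salt_pw1)
            + tlv(TAG_SALT_RC, salt_rc) + tlv(TAG_SALT_PW3, salt_pw3))


def parse_kdf_do(data):
    """Parse the TLVs into {tag: value}; rejects truncated input."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        out[tag] = value
        i += 2 + length
    return out


def itersalted_s2k(pin, salt, count, hash_name):
    """RFC 4880 3.7.1.3 iterated+salted S2K: feed salt||pin repeatedly until
    `count` bytes have been hashed, but always at least one full copy."""
    h = hashlib.new(hash_name)
    block = salt + pin
    count = max(count, len(block))
    while count > len(block):
        h.update(block)
        count -= len(block)
    h.update(block[:count])
    return h.digest()


def pin2hash(kdf, chvno, pin):
    """Host side: the value sent to the card in place of the verbatim PIN."""
    if kdf[TAG_ALGO] != bytes([KDF_ITERSALTED_S2K]):
        raise ValueError("unsupported KDF algorithm")
    hash_name = HASH_NAMES[kdf[TAG_HASH][0]]
    count = struct.unpack(">I", kdf[TAG_ITERS])[0]
    return itersalted_s2k(pin, kdf[SALT_TAG_FOR_CHVNO[chvno]], count, hash_name)


class CardModel:
    """Toy card (assumed behaviour): RESET RETRY COUNTER checks only the Reset Code
    part of the payload and stores the remainder as the new PW1 verifier."""
    def __init__(self, pw1_hash, rc_hash):
        self.pw1, self.rc = pw1_hash, rc_hash

    def reset_retry_counter(self, payload):
        if payload[:len(self.rc)] != self.rc:
            return False
        self.pw1 = payload[len(self.rc):]
        return True

    def verify_pw1(self, pw1_hash):
        return pw1_hash == self.pw1


def unblock_payload(kdf, resetcode, new_pin, pin_chvno):
    """Mirror the two pin2hash_if_kdf() calls in do_change_pin(): RC hash || new PIN hash.
    pin_chvno=0 reproduces the bug, pin_chvno=1 the fix."""
    return pin2hash(kdf, 0, resetcode) + pin2hash(kdf, pin_chvno, new_pin)


def demo():
    """Returns {label: (unblock accepted by card, new PIN verifies afterwards)}."""
    kdf = parse_kdf_do(build_kdf_do(b"saltPW1!", b"saltRC!!", b"saltPW3!", iters=4096))
    old_pin, resetcode, new_pin = b"123456", b"12345678", b"654321"   # constructed
    results = {}
    for label, chvno in (("buggy", 0), ("fixed", 1)):
        card = CardModel(pin2hash(kdf, 1, old_pin), pin2hash(kdf, 0, resetcode))
        accepted = card.reset_retry_counter(unblock_payload(kdf, resetcode, new_pin, chvno))
        # A later VERIFY always hashes the User PIN with its own salt (chvno 1).
        usable = card.verify_pw1(pin2hash(kdf, 1, new_pin))
        results[label] = (accepted, usable)
    return results


if __name__ == "__main__":
    print(demo())   # {'buggy': (True, False), 'fixed': (True, True)}
```

In this model the buggy unblock is not rejected: the card only checks the Reset Code half of the payload, so the command succeeds and the user is told the PIN was reset, yet the stored verifier is the new PIN hashed with the Reset Code salt and every later VERIFY (hashed with the User PIN salt) fails. That silent-success-then-lockout shape is why the one-character fix matters.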
Re: [PATCH gnupg] scd: Fix unblock (via a Reset Code) with KDF
Hello,

Thank you for the patch. It's pushed to master. Tracked as T5413.

Kirill Elagin wrote:
> Additionally, I think it would be important to back-port it to 2.2.

Yes, I'll do that.
--

Re: [PATCH gnupg] scd: Fix unblock (via a Reset Code) with KDF
Maybe it would be desirable to use an
enum salt_types { Reset_Code_salt, User_PIN_salt, Admin_PIN_salt }?

Directly passing those literals looks quite fragile maintainability-wise.

Good job figuring it out, Kirill!
