Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 313076 Details for
Bug 457367
CVE-2008-2235, CVE-2008-3972 opensc: incorrect initialization of Siemens CardOS M4 smart cards
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
Upstream patch to be included in 0.11.5
opensc-CVE-2008-2235.diff (text/plain), 7.53 KB, created by
Tomas Hoger
on 2008-07-31 08:01:36 UTC
(
hide
)
Description:
Upstream patch to be included in 0.11.5
Filename:
MIME Type:
Creator:
Tomas Hoger
Created:
2008-07-31 08:01:36 UTC
Size:
7.53 KB
patch
obsolete
>diff -udrNPp --exclude=.svn opensc.orig/src/libopensc/card-cardos.c opensc/src/libopensc/card-cardos.c >--- opensc.orig/src/libopensc/card-cardos.c 2007-08-08 22:15:48.000000000 +0200 >+++ opensc/src/libopensc/card-cardos.c 2008-07-30 13:19:22.000000000 +0200 >@@ -385,7 +385,7 @@ static const int df_acl[9] = { > SC_AC_OP_REHABILITATE, /* DF */ > SC_AC_OP_DELETE, /* DF */ > >- -1, /* ADMIN DF */ >+ SC_AC_OP_UPDATE, /* ADMIN DF */ > SC_AC_OP_CREATE, /* Files */ > -1 /* Reserved */ > }; >@@ -400,7 +400,7 @@ static const int ef_acl[9] = { > > /* XXX: ADMIN should be an ACL type of its own, or mapped > * to erase */ >- -1, /* ADMIN EF (modify meta information?) */ >+ SC_AC_OP_UPDATE, /* ADMIN EF (modify meta information?) */ > -1, /* INC (-> cylic fixed files) */ > -1 /* DEC */ > }; >diff -udrNPp --exclude=.svn opensc.orig/src/tools/pkcs15-tool.c opensc/src/tools/pkcs15-tool.c >--- opensc.orig/src/tools/pkcs15-tool.c 2007-06-30 10:55:57.000000000 +0200 >+++ opensc/src/tools/pkcs15-tool.c 2008-07-30 13:19:42.000000000 +0200 >@@ -2,6 +2,7 @@ > * pkcs15-tool.c: Tool for poking with PKCS #15 smart cards > * > * Copyright (C) 2001 Juha Yrjölä <juha.yrjola@iki.fi> >+ * Copyright (C) 2008 Andreas Jellinghaus <aj@dungeon.inka.de> > * > * This library is free software; you can redistribute it and/or > * modify it under the terms of the GNU Lesser General Public >@@ -90,6 +91,8 @@ static const struct option options[] = { > #if defined(HAVE_OPENSSL) && (defined(_WIN32) || defined(HAVE_INTTYPES_H)) > { "read-ssh-key", required_argument, NULL, OPT_READ_SSH }, > #endif >+ { "test-update", no_argument, NULL, 'T' }, >+ { "update", no_argument, NULL, 'U' }, > { "reader", required_argument, NULL, OPT_READER }, > { "pin", required_argument, NULL, OPT_PIN }, > { "new-pin", required_argument, NULL, OPT_NEWPIN }, >@@ -116,6 +119,8 @@ static const char *option_help[] = { > "Lists public keys", > "Reads public key with ID <arg>", > "Reads public key with ID <arg>, outputs ssh format", >+ "Test if the card needs a security update", >+ "Update the card with a security update", > "Uses reader number <arg>", > "Specify PIN", > "Specify New PIN (when changing or unblocking)", >@@ -1175,6 +1180,182 @@ static int learn_card(void) > return 0; > } > >+static int test_update(sc_card_t *in_card) >+{ >+ sc_apdu_t apdu; >+ static u8 cmd1[2] = { 0x50, 0x15}; >+ u8 rbuf[258]; >+ int rc; >+ int r; >+ static u8 fci_bad[] = { 0x00, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; >+ static u8 fci_good[] = { 0x00, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x00, 0x00 }; >+ >+ >+ >+ if (strcmp("cardos",in_card->driver->short_name) != 0) { >+ printf("not using the cardos driver, card is fine."); >+ rc = 0; >+ goto end; >+ } >+ >+ if (strcmp("OpenSC Card",p15card->label) != 0) { >+ printf("not initialized by opensc, card is fine."); >+ rc = 0; >+ goto end; >+ } >+ >+ /* first select file on 5015 and get fci */ >+ sc_format_apdu(in_card, &apdu, SC_APDU_CASE_4_SHORT, 0xa4, 0x08, 0x00); >+ apdu.lc = sizeof(cmd1); >+ apdu.datalen = sizeof(cmd1); >+ apdu.data = cmd1; >+ apdu.le = 256; >+ apdu.resp = rbuf; >+ apdu.resplen = sizeof(rbuf); >+ >+ r = sc_transmit_apdu(card, &apdu); >+ if (r < 0) { >+ printf("selecting folder failed: %s\n", sc_strerror(r)); >+ rc = 2; >+ goto end; >+ } >+ >+ if (apdu.sw1 != 0x90) { >+ printf("apdu command select file: card returned %02X %02X\n", >+ apdu.sw1, apdu.sw2); >+ rc = 2; >+ goto end; >+ >+ } >+ >+ if (apdu.resplen < 6) { >+ printf("select file did not return enough data (length %d)\n", >+ (int) apdu.resplen); >+ goto bad_fci; >+ } >+ >+ if (rbuf[0] != 0x6f) { >+ printf("select file did not return the information we need\n"); >+ goto bad_fci; >+ } >+ >+ if (rbuf[1] != apdu.resplen -2) { >+ printf("select file did return inconsistent information\n"); >+ goto bad_fci; >+ } >+ >+ { >+ int i=0; >+ while(i < rbuf[1]) { >+ if (rbuf[2+i] == 0x86) { /* found our buffer */ >+ break; >+ } >+ /* other tag */ >+ i += 2 + rbuf[2+i+1]; /* length of this tag*/ >+ } >+ if (rbuf[2+i+1] < 9 || 2+i+2+9 > apdu.resplen) { >+ printf("select file did return short fci\n"); >+ goto bad_fci; >+ } >+ >+ if (memcmp(&rbuf[2+i+2],fci_good,sizeof(fci_good)) == 0) { >+ printf("fci is up-to-date, card is fine\n"); >+ rc = 0; >+ goto end; >+ } >+ >+ if (memcmp(&rbuf[2+i+2],fci_bad,sizeof(fci_bad)) == 0) { >+ printf("fci is out-off-date, card is vulnerable\n"); >+ rc = 1; >+ goto end; >+ } >+ >+ printf("select file returned fci with unknown data\n"); >+ goto bad_fci; >+ } >+end: >+ /* 0 = card ok, 1 = card vulnerable, 2 = problem! */ >+ return rc; >+ >+bad_fci: >+ hex_dump(stdout,rbuf,apdu.resplen," "); >+ printf("\n"); >+ return 2; >+} >+ >+static int update(sc_card_t *in_card) >+{ >+ sc_apdu_t apdu; >+ static u8 cmd1[2] = { 0x50, 0x15}; >+ static u8 cmd3[11] = { 0x86, 0x09, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, >+ 0xff, 0x00, 0x00}; >+ int r; >+ >+ /* first select file on 5015 */ >+ sc_format_apdu(in_card, &apdu, SC_APDU_CASE_3_SHORT, 0xa4, 0x08, 0x00); >+ apdu.lc = sizeof(cmd1); >+ apdu.datalen = sizeof(cmd1); >+ apdu.data = cmd1; >+ >+ r = sc_transmit_apdu(card, &apdu); >+ if (r < 0) { >+ printf("selecting folder failed: %s\n", sc_strerror(r)); >+ goto end; >+ } >+ >+ if (apdu.sw1 != 0x90) { >+ printf("apdu command select file: card returned %02X %02X\n", >+ apdu.sw1, apdu.sw2); >+ goto end; >+ >+ } >+ >+ /* next phase control / change lifecycle to operational */ >+ memset(&apdu, 0, sizeof(apdu)); >+ sc_format_apdu(in_card, &apdu, SC_APDU_CASE_1, 0x10, 0x00, 0x00); >+ apdu.cla = 0x80; >+ >+ r = sc_transmit_apdu(card, &apdu); >+ if (r < 0) { >+ printf("change lifecycle failed: %s\n", sc_strerror(r)); >+ goto end; >+ } >+ >+ if (apdu.sw1 != 0x90) { >+ printf("apdu command change lifecycle failed: card returned %02X %02X\n", >+ apdu.sw1, apdu.sw2); >+ goto end; >+ >+ } >+ >+ /* last update AC */ >+ memset(&apdu, 0, sizeof(apdu)); >+ sc_format_apdu(in_card, &apdu, SC_APDU_CASE_3_SHORT, 0xda, 0x01, 0x6f); >+ apdu.lc = sizeof(cmd3); >+ apdu.datalen = sizeof(cmd3); >+ apdu.data = cmd3; >+ apdu.le = 0; >+ apdu.resplen = 0; >+ apdu.resp = NULL; >+ >+ r = sc_transmit_apdu(card, &apdu); >+ if (r < 0) { >+ printf("update fci failed: %s\n", sc_strerror(r)); >+ goto end; >+ } >+ >+ if (apdu.sw1 != 0x90) { >+ printf("apdu command update fci failed: card returned %02X %02X\n", >+ apdu.sw1, apdu.sw2); >+ goto end; >+ >+ } >+ >+ printf("security update applied with success.\n"); >+end: >+ return 0; >+} >+ > int main(int argc, char * const argv[]) > { > int err = 0, r, c, long_optind = 0; >@@ -1193,11 +1374,13 @@ int main(int argc, char * const argv[]) > int do_change_pin = 0; > int do_unblock_pin = 0; > int do_learn_card = 0; >+ int do_test_update = 0; >+ int do_update = 0; > int action_count = 0; > sc_context_param_t ctx_param; > > while (1) { >- c = getopt_long(argc, argv, "r:cuko:va:LR:CwD", options, &long_optind); >+ c = getopt_long(argc, argv, "r:cuko:va:LR:CwDTU", options, &long_optind); > if (c == -1) > break; > if (c == '?') >@@ -1261,6 +1444,14 @@ int main(int argc, char * const argv[]) > do_learn_card = 1; > action_count++; > break; >+ case 'T': >+ do_test_update = 1; >+ action_count++; >+ break; >+ case 'U': >+ do_update = 1; >+ action_count++; >+ break; > case OPT_READER: > opt_reader = atoi(optarg); > break; >@@ -1388,6 +1579,18 @@ int main(int argc, char * const argv[]) > goto end; > action_count--; > } >+ if (do_test_update || do_update) { >+ err = test_update(card); >+ action_count--; >+ if (err == 2) { /* problem */ >+ err =1; >+ goto end; >+ } >+ if (do_update && err == 1) { /* card vulnerable */ >+ if ((err = update(card))) >+ goto end; >+ } >+ } > end: > if (p15card) > sc_pkcs15_unbind(p15card);
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=313076">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 457367
: 313076