[PATCH gnupg] scd: Fix unblock (via a Reset Code) with KDF

Mon Apr 26 04:55:23 CEST 2021

* scd/app-openpgp.c (do_change_pin): Fix unblock with KDF
--

When KDF is enabled, instead of sending PIN verbatim we send its salted
hash. User PIN, Admin PIN, and Reset Code all use different salts.
When executing the `unblock` command (that allows the user to reset
their PIN using the Reset Code) we were incorrectly using salt number 0
(the one used for the Reset Code) to hash the User PIN.

Use the correct salt number 1 instead.

This bug was present since the original implementation of KDF back in
91303b7df9c3e810cfcd4920f78bac6f8b7df2b2.
---
 scd/app-openpgp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c
index 5508ec68e..506b58232 100644
--- a/scd/app-openpgp.c
+++ b/scd/app-openpgp.c
@@ -3454,7 +3454,7 @@ do_change_pin (app_t app, ctrl_t ctrl,  const char *chvnostr,
 
       rc = pin2hash_if_kdf (app, 0, resetcode, &result1, &resultlen1);
       if (!rc)
-        rc = pin2hash_if_kdf (app, 0, pinvalue, &result2, &resultlen2);
+        rc = pin2hash_if_kdf (app, 1, pinvalue, &result2, &resultlen2);
       if (!rc)
         {
           bufferlen = resultlen1 + resultlen2;
-- 
2.29.3


