
after enable kdf-setup impossible change user/admin pin
Testing, Normal, Public

Description

Greetings,
after enabling KDF (kdf-setup)
I see strange behavior:

  1. I change the admin pin from the default 12345678 to 654321 - I get "PIN changed."
  2. I change the name - I get "gpg: error setting Name: Bad PIN"; the PIN retry counter is still 3 0 3 (it has not decreased)
  3. I try to change the admin pin, enter the current one - then I get - "Error changing the PIN: Bad PIN"
  4. I change the user PIN from 123456 to 123123 - PIN changed.
  5. I change the user's PIN, enter the current one - then I get "Error changing the PIN: Bad PIN"
  6. PIN retry counter - still 3 0 3

Then the only thing left is to reset the card.

Details

Version
gpg (GnuPG) 2.4.0

Event Timeline

Andry created this object in space S1 Public.
gniibe triaged this task as Normal priority.
gniibe added a subscriber: gniibe.
This comment was removed by gniibe.

Thank you for the bug report. Although it's a corner case, it is a discrepancy in the implementation which results in an unrecoverable situation for the device.

Please use a longer admin PIN at step 1. The admin PIN should be 8 characters or more.

Since the OpenPGP card specification requires a longer PIN, GnuPG checks whether the admin PIN length is >= 8 when a user tries to verify.
The check is done before actually sending the command to the card (thus, no error counter change in the card).

However, with KDF setup enabled, it is possible to change to a shorter PIN using the current buggy GnuPG (because the data itself is a hash, which is longer).
After changing the PIN, there is no way to authenticate with the device using the buggy GnuPG (because GnuPG checks the PIN length).

I think that we should add a PIN length check for the new PIN as well.
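To make the discrepancy concrete, here is an added Python model (not GnuPG's or any card's code; the card simulator, the KDF stand-in and the minimum-length constant are constructed) of a client that checks admin PIN length only on verify versus one that also checks the new PIN on change:

```python
import hashlib

ADMIN_MIN_LEN = 8  # admin PIN (PW3) minimum that the client enforces before sending anything

def kdf(pin):
    # stand-in for the card's KDF-DO scheme (the real one is salted, iterated SHA-256)
    return hashlib.sha256(b"constructed-salt" + pin.encode()).digest()

class CardSim:
    """Constructed model of a card with KDF enabled: it only ever sees hashes."""
    def __init__(self, admin_pin="12345678"):
        self.admin_hash = kdf(admin_pin)
        self.retry = 3

    def verify_pw3(self, data):
        ok = data == self.admin_hash
        self.retry = 3 if ok else self.retry - 1
        return ok

    def change_pw3(self, old_data, new_data):
        # the card accepts any new hash; the new PIN's length is invisible to it
        if not self.verify_pw3(old_data):
            return False
        self.admin_hash = new_data
        return True

def verify_admin(card, pin):
    """Client side: the length check runs before any APDU, so the counter never moves."""
    if len(pin) < ADMIN_MIN_LEN:
        return "Bad PIN (rejected locally)"
    return "ok" if card.verify_pw3(kdf(pin)) else "Bad PIN (card)"

def change_admin(card, old, new, check_new_pin):
    if len(old) < ADMIN_MIN_LEN:
        return "Bad PIN (rejected locally)"
    if check_new_pin and len(new) < ADMIN_MIN_LEN:
        return "new PIN too short"  # the proposed fix: validate the new PIN as well
    return "PIN changed." if card.change_pw3(kdf(old), kdf(new)) else "Bad PIN (card)"

def reproduce(check_new_pin):
    """Replays the report: set a 6-character admin PIN, then try to verify with it."""
    card = CardSim()
    changed = change_admin(card, "12345678", "654321", check_new_pin)
    return changed, verify_admin(card, "654321"), card.retry

if __name__ == "__main__":
    print("buggy:", reproduce(False))  # ('PIN changed.', 'Bad PIN (rejected locally)', 3)
    print("fixed:", reproduce(True))   # ('new PIN too short', 'Bad PIN (rejected locally)', 3)
```

In the buggy path the change succeeds because the card only compares hashes, and every later verify is refused locally while the retry counter stays at 3, which is exactly the lockout in the report.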

gniibe changed the task status from Open to Testing. Dec 27 2023, 1:25 AM
gniibe added a project: backport.

It would be good to apply this to 2.2, so adding "backport" tag.

werner added a subscriber: werner.

We need to test the PIN, PUK and reset code stuff in 2.2.