pam_pkcs11 icon indicating copy to clipboard operation
pam_pkcs11 copied to clipboard

Published 20 hours ago verified publisher icon OpenSC

PKCS11 module crashes when no CRL defined for card

Open madscientist159 opened this issue 4 years ago • 2 comments

I'm seeing a crash in src/common/cert_vfy.c, verify_crl() is being passed a NULL X509_CRL * crl by check_for_revocation(). At minimum the module should not crash, it should detect the situation where crl == NULL and fail gracefully.

Debug output:

Enter your Smart card PIN on the pinpad
DEBUG:pkcs11_lib.c:1430: login as user CKU_USER
DEBUG:pkcs11_lib.c:1624: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1626: - type: 00
DEBUG:pkcs11_lib.c:1627: - id:   03
DEBUG:pkcs11_lib.c:1659: Found 1 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'cn'
DEBUG:mapper_mgr.c:196: Inserting mapper [cn] into list
DEBUG:pam_pkcs11.c:578: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:370: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:382: Adding hash dir '<redacted 1>' to CACERT checks
DEBUG:cert_vfy.c:389: Adding hash dir '<redacted 1>' to CRL checks
DEBUG:cert_vfy.c:482: certificate is valid
DEBUG:cert_vfy.c:226: crl policy: 3
DEBUG:cert_vfy.c:226: crl policy: 1
DEBUG:cert_vfy.c:259: extracting crl distribution points
DEBUG:cert_vfy.c:288: downloading crl from file://<redacted 2>.pem
DEBUG:cert_vfy.c:298: download_crl() failed: get_from_uri() failed: curl_easy_perform() failed: Couldn't open file <redacted 2>tdecrl.pem (37)
DEBUG:cert_vfy.c:288: downloading crl from file://<redacted 1>/<redacted 3>.crl
DEBUG:cert_vfy.c:113: crl is base64 encoded
DEBUG:cert_vfy.c:313: verifying crl
DEBUG:cert_vfy.c:235: check_for_revocation() failed: verify_crl() failed: getting the issuer's public key failed
DEBUG:cert_vfy.c:226: crl policy: 2
DEBUG:cert_vfy.c:241: looking for an dedicated local crl
DEBUG:cert_vfy.c:313: verifying crl

Thread 1 "login" received signal SIGSEGV, Segmentation fault.
X509_CRL_get_issuer (crl=0x0) at ../crypto/x509/x509cset.c:108
108     ../crypto/x509/x509cset.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7052220 in X509_CRL_get_issuer (crl=0x0) at ../crypto/x509/x509cset.c:108

This may be related to #42.

madscientist159 avatar Jun 03 '20 10:06 madscientist159

@madscientist159 I was running into a host of similar issues and found a bug, can you try my branch and see if it resolves your segfault?

lgarbarini avatar Jul 26 '20 08:07 lgarbarini

Hi! Does anybody know the status of this issue? I've just tested the crl_offline policy with applied #58 and it was OK.

wolneykien avatar Aug 30 '21 21:08 wolneykien