Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PKCS11 module crashes when no CRL defined for card #43

Open
madscientist159 opened this issue Jun 3, 2020 · 2 comments
Open

PKCS11 module crashes when no CRL defined for card #43

madscientist159 opened this issue Jun 3, 2020 · 2 comments

Comments

@madscientist159
Copy link
Contributor

madscientist159 commented Jun 3, 2020
edited
Loading

I'm seeing a crash in src/common/cert_vfy.c, verify_crl() is being passed a NULL X509_CRL * crl by check_for_revocation(). At minimum the module should not crash, it should detect the situation where crl == NULL and fail gracefully.

Debug output:

Enter your Smart card PIN on the pinpad
DEBUG:pkcs11_lib.c:1430: login as user CKU_USER
DEBUG:pkcs11_lib.c:1624: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1626: - type: 00
DEBUG:pkcs11_lib.c:1627: - id:   03
DEBUG:pkcs11_lib.c:1659: Found 1 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'cn'
DEBUG:mapper_mgr.c:196: Inserting mapper [cn] into list
DEBUG:pam_pkcs11.c:578: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:370: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:382: Adding hash dir '<redacted 1>' to CACERT checks
DEBUG:cert_vfy.c:389: Adding hash dir '<redacted 1>' to CRL checks
DEBUG:cert_vfy.c:482: certificate is valid
DEBUG:cert_vfy.c:226: crl policy: 3
DEBUG:cert_vfy.c:226: crl policy: 1
DEBUG:cert_vfy.c:259: extracting crl distribution points
DEBUG:cert_vfy.c:288: downloading crl from file://<redacted 2>.pem
DEBUG:cert_vfy.c:298: download_crl() failed: get_from_uri() failed: curl_easy_perform() failed: Couldn't open file <redacted 2>tdecrl.pem (37)
DEBUG:cert_vfy.c:288: downloading crl from file://<redacted 1>/<redacted 3>.crl
DEBUG:cert_vfy.c:113: crl is base64 encoded
DEBUG:cert_vfy.c:313: verifying crl
DEBUG:cert_vfy.c:235: check_for_revocation() failed: verify_crl() failed: getting the issuer's public key failed
DEBUG:cert_vfy.c:226: crl policy: 2
DEBUG:cert_vfy.c:241: looking for an dedicated local crl
DEBUG:cert_vfy.c:313: verifying crl

Thread 1 "login" received signal SIGSEGV, Segmentation fault.
X509_CRL_get_issuer (crl=0x0) at ../crypto/x509/x509cset.c:108
108     ../crypto/x509/x509cset.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7052220 in X509_CRL_get_issuer (crl=0x0) at ../crypto/x509/x509cset.c:108

This may be related to #42.
@lgarbarini lgarbarini mentioned this issue Jul 26, 2020
Closed
@lgarbarini
Copy link

@madscientist159 I was running into a host of similar issues and found a bug, can you try my branch and see if it resolves your segfault?

@aodhan-domhnaill aodhan-domhnaill mentioned this issue Jul 17, 2021
Closed
@wolneykien wolneykien mentioned this issue Aug 30, 2021
Merged
@wolneykien
Copy link
Member

Hi! Does anybody know the status of this issue? I've just tested the crl_offline policy with applied #58 and it was OK.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@wolneykien @lgarbarini @madscientist159