CRL checking of smart card causes Segmentation Fault

Bug #1907465 reported by Judd Tracy
Affects: pam-pkcs11 (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

I was following the Ubuntu white paper for setting up smart cards (SmartCardLogin_WhitePapaer_04.03.20.pdf) and ran into an issue with CRL checking.

Running on 18.04 server minimal install using package version 0.6.9-2build2

I performed the following steps to install and setup:
 * Installed the packages required in the white paper
 * Added my Root and Intermediate certificates to /etc/pam_pkcs11/cacerts and ran pkcs11_make_hash_link
 * Installed local versions of the CRLs in /etc/pam_pkcs11/crls and ran pkcs11_make_hash_link
 * Copied and unzipped the example config file from /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz to /etc/pam_pkcs11/pam_pkcs11.conf
 * Modified /etc/pam_pkcs11/pam_pkcs11.conf to use the subject mapper and added crl_auto to the cert_policy
 * Added a subject to the /etc/pam_pkcs11/subject_mapping file

When I try to login as the user I get a segmentation fault and when running pkcs11_inspect I also get the same fault.

With debugging enabled in the pam config file, it first tries to download the CRLs of the cert and fails; it then attempts to use the local CRLs, and that is where it fails.

# pkcs11_inspect
....
DEBUG:cert_vfy.c:229: looking for and dedicated local crl

If I remove crl_auto from the pam config I can authenticate with the user just fine, but there is no CRL checking being done.

If I perform a strace of pkcs11_inspect it looks like it is trying to load a crl that does not exist and fails. There is a recent patch upstream that seems to address this issue.

#strace pkcs11_inspect
....
stat("/etc/pam_pkcs11/cacerts/37f834c3.r0", 0x7ffecea217b0) = -1 ENOENT (No such file or directory)
stat("/etc/pam_pkcs11/crls/37f834c3.r0", {st_mode=S_IFREG|0644, st_size=1105, ...}) = 0
openat(AT_FDCWD, "/etc/pam_pkcs11/crls/37f834c3.r0", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=1105, ...}) = 0
read(4, "-----BEGIN X509 CRL-----\nMIIDBjC"..., 4096) = 1105
read(4, "", 4096) = 0
close(4) = 0
stat("/etc/pam_pkcs11/crls/37f834c3.r1", 0x7ffecea217b0) = -1 ENOENT (No such file or directory)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
+++ killed by SIGSEGV (core dumped) +++

As seen in the logs it inspects crl 37f834c3.r0 but then tries to inspect 37f834c3.r1 which does not exist.
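The lookup the strace shows is a hash-link scan: for the issuer hash 37f834c3 the module probes cacerts first, then crls, trying <hash>.r0, <hash>.r1, ... until a suffix is missing. The following is an added illustration, not pam_pkcs11 code or the upstream fix: a helper (hypothetical names count_crl_links and find_local_crls) that walks the same file layout and treats the first ENOENT as the end of the sequence instead of handing a non-existent file to the CRL loader. The fixture directory, the PEM stub and the directory list are constructed for the stand-alone run.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not pam_pkcs11 code): count the hash links
 * <hash>.r0, <hash>.r1, ... present in one directory, the layout that
 * pkcs11_make_hash_link produces.  The first stat() failure ends the
 * sequence; a real loader would only parse files that passed this check
 * and would test the parser's return value for NULL before using it. */
int count_crl_links(const char *dir, const char *hash, int max_links)
{
    char path[4096];
    struct stat st;
    int n;

    for (n = 0; n < max_links; n++) {
        if (snprintf(path, sizeof path, "%s/%s.r%d", dir, hash, n) >= (int)sizeof path)
            return n;                  /* path truncated: treat as absent */
        if (stat(path, &st) != 0) {
            if (errno != ENOENT)
                perror(path);          /* EACCES etc.: report, then stop */
            return n;                  /* ENOENT: no more links, as with .r1 above */
        }
        if (!S_ISREG(st.st_mode) || st.st_size == 0)
            return n;                  /* link points at something that is not a CRL file */
    }
    return n;
}

/* Probe the directories in the order seen in the strace (cacerts, then crls)
 * and return the total number of CRL links found for this issuer hash. */
int find_local_crls(const char *const *dirs, int ndirs, const char *hash)
{
    int total = 0;
    for (int i = 0; i < ndirs; i++)
        total += count_crl_links(dirs[i], hash, 64);
    return total;
}

/* Constructed fixture: a temporary directory holding one 37f834c3.r0 stub
 * (hash taken from the report's strace), so the scan can be run offline. */
const char *make_fixture(void)
{
    static char dir[64];
    char path[128];
    strcpy(dir, "/tmp/crlsXXXXXX");
    if (!mkdtemp(dir)) return NULL;
    snprintf(path, sizeof path, "%s/37f834c3.r0", dir);
    FILE *f = fopen(path, "w");
    if (!f) return NULL;
    fputs("-----BEGIN X509 CRL-----\nMIIDBjC...\n-----END X509 CRL-----\n", f);
    fclose(f);
    return dir;
}

int main(void)
{
    const char *dirs[] = { "/etc/pam_pkcs11/cacerts", make_fixture() };
    printf("CRL links for 37f834c3: %d\n", find_local_crls(dirs, 2, "37f834c3"));
    return 0;
}
```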

Here is an upstream bug report
https://github.com/OpenSC/pam_pkcs11/issues/43

Here is an upstream pull request
https://github.com/OpenSC/pam_pkcs11/pull/45

#lsb_release -rd
Descripton: Ubuntu 10.04.5 LTS
Release: 18.04

#apt-cache policy pkgname
libpam-pkcs11:
  Installed: 0.6.9-2build2
  Candidate: 0.6.9-2build2
  Version table:
 *** 0.6.9-2build2 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
        100 /var/lib/dpkg/status

Tags: bionic amd64