[pkg-opensc-maint] Bug#852039: pam_p11: crashes with tokens that require login

Sam Hartman hartmans at mit.edu
Fri Jan 20 22:35:11 UTC 2017

package: pam-p11
version: 0.1.5-6
severity: grave
tags: security, patch
justification: unusable in most secure configurations; DOS, possibly

I found that pam_p11_openssh was causing my login process to segfault.
Tracing the code through the debugger, I found the following in libp11:
        if (relogin == 0) {
                /* Calling PKCS11_login invalidates all cached                  
                 * keys we have */ 
                if (slot->token) { 
                        pkcs11_destroy_keys(slot->token, CKO_PRIVATE_KEY);
                        pkcs11_destroy_keys(slot->token, CKO_PUBLIC_KEY);

That is, all certificate objects are invalidated on token login.  That's
kind of expected: a pkcs11 token is likely to give you more objects when
you login than before you login.

Unfortunately, authcert is used in pam_sm_authenticate after the call to
PKCS11_login, so uninitialized memory is used.  I'm surprised; I
actually managed it get it to work once yesterday, but it sure doesn't
work reliably, or on any machine but that one.

Here's a quick and dirty patch to rescan after login.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Read-certs-again-on-token-login.patch
Type: text/x-diff
Size: 2226 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-opensc-maint/attachments/20170120/e49148af/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 633 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-opensc-maint/attachments/20170120/e49148af/attachment.sig>

More information about the pkg-opensc-maint mailing list