[pkg-opensc-maint] Bug#852039: pam_p11: crashes with tokens that require login
Sam Hartman
hartmans at mit.edu
Fri Jan 20 22:35:11 UTC 2017
package: pam-p11
version: 0.1.5-6
severity: grave
tags: security, patch
justification: unusable in most secure configurations; DOS, possibly exploitable
Hi.
I found that pam_p11_openssh was causing my login process to segfault.
Tracing the code through the debugger, I found the following in libp11:
    if (relogin == 0) {
        /* Calling PKCS11_login invalidates all cached
         * keys we have */
        if (slot->token) {
            pkcs11_destroy_keys(slot->token, CKO_PRIVATE_KEY);
            pkcs11_destroy_keys(slot->token, CKO_PUBLIC_KEY);
            pkcs11_destroy_certs(slot->token);
        }
That is, all certificate objects are invalidated on token login. That's
kind of expected: a pkcs11 token is likely to give you more objects when
you login than before you login.
Unfortunately, authcert is used in pam_sm_authenticate after the call to
PKCS11_login, so uninitialized memory is used. I'm surprised; I
actually managed to get it to work once yesterday, but it sure doesn't
work reliably, or on any machine but that one.
Here's a quick and dirty patch to rescan after login.
Attachment: 0001-Read-certs-again-on-token-login.patch (text/x-diff, 2226 bytes)
URL: <http://lists.alioth.debian.org/pipermail/pkg-opensc-maint/attachments/20170120/e49148af/attachment.patch>
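The lifetime problem described in the report, as an added illustration that is not code from pam_p11, libp11 or the attached patch: a small mock of a token whose login call frees every cached object (as the quoted libp11 code does), alongside an authenticate flow that rescans after login and re-selects the certificate by subject instead of reusing the pre-login pointer. All names (enumerate_certs, token_login, find_cert, authenticate) are hypothetical stand-ins for the real libp11 calls.

```c
#include <stdlib.h>
#include <string.h>

typedef struct { char subject[32]; } cert_t;
typedef struct { cert_t *certs; unsigned ncerts; int logged_in; } token_t;

/* Mock of PKCS11_enumerate_certs: rebuilds the cert cache. A logged-in
 * token exposes one extra object, as the report says real tokens do. */
static int enumerate_certs(token_t *tok, cert_t **out, unsigned *n) {
    free(tok->certs);
    tok->ncerts = tok->logged_in ? 2 : 1;
    tok->certs = calloc(tok->ncerts, sizeof(cert_t));
    if (!tok->certs) return -1;
    strcpy(tok->certs[0].subject, "CN=user");
    if (tok->logged_in) strcpy(tok->certs[1].subject, "CN=user-login-only");
    *out = tok->certs;
    *n = tok->ncerts;
    return 0;
}

/* Mock of PKCS11_login: frees every cached object, as the quoted libp11
 * code does. Any cert pointer taken before this call is now dangling. */
static int token_login(token_t *tok) {
    free(tok->certs);
    tok->certs = NULL;
    tok->ncerts = 0;
    tok->logged_in = 1;
    return 0;
}

static const cert_t *find_cert(const cert_t *certs, unsigned n, const char *subj) {
    for (unsigned i = 0; i < n; i++)
        if (strcmp(certs[i].subject, subj) == 0) return &certs[i];
    return NULL;
}

/* Corrected pam_sm_authenticate-style flow: the pre-login lookup only decides
 * whether to proceed; after login the cache is rescanned and the cert is
 * re-selected by subject rather than through the old pointer. Returns the
 * number of certs visible after login, or -1 if the cert is not found. */
static int authenticate(token_t *tok, const char *subj) {
    cert_t *certs; unsigned n;
    if (enumerate_certs(tok, &certs, &n) < 0 || !find_cert(certs, n, subj))
        return -1;
    if (token_login(tok) < 0) return -1;
    if (enumerate_certs(tok, &certs, &n) < 0) return -1; /* rescan: certs was freed */
    return find_cert(certs, n, subj) ? (int)n : -1;
}
static void token_free(token_t *tok) { free(tok->certs); tok->certs = NULL; }
```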