Bug 391871 - segfault using some smart cards
segfault using some smart cards
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: openssh (Show other bugs)
rawhide
All Linux
medium Severity high
: ---
: ---
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-20 05:28 EST by Pierre Ossman
Modified: 2007-11-30 17:12 EST (History)
0 users

See Also:
Fixed In Version: 4.7p1-4.fc8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-28 20:36:20 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Pierre Ossman 2007-11-20 05:28:58 EST
For some reason, NSS won't always return a privk structure back to the client.
The card still works nicely for signing (and hence authentication), but OpenSSH
makes a bunch of assumptions on the privk being there.

1. ssh-keygen won't work. Preferably this tool would be modified to just read
the public key, also removing the need to enter a PIN code.

2. Segfault upon completed authentication. This is more critical. The problem is
line 201 in key.c:

    if (k->nss->privk->wincx != NULL) {

Replacing it with this line gets things up and running:

    if (k->nss->privk != NULL && k->nss->privk->wincx != NULL) {

I have no idea if I'm causing any leaks by this, but it avoids the crash at least.
Comment 1 Pierre Ossman 2007-11-20 09:02:13 EST
Btw, I am looking into why this is happening. But feel free to dig in your end
as well. :)
Comment 2 Tomas Mraz 2007-11-20 09:25:39 EST
There is something weird in this analysis - the card cannot work fine for
signing if NSS doesn't return privk for it. So for usable card the privk must be
returned. But probably there are multiple keys on the card and for some
(unusable) the privk is not returned and for some others it is. I'd suspect that
not the privk but pubk conversion is failing.

Of course the bug in the code you mention is real and your change is 100% correct.
Comment 3 Fedora Update System 2007-11-21 22:27:45 EST
openssh-4.7p1-4.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update openssh'
Comment 4 Pierre Ossman 2007-11-22 05:01:37 EST
(In reply to comment #2)
> There is something weird in this analysis - the card cannot work fine for
> signing if NSS doesn't return privk for it. So for usable card the privk must be
> returned. But probably there are multiple keys on the card and for some
> (unusable) the privk is not returned and for some others it is. I'd suspect that
> not the privk but pubk conversion is failing.
> 

You certainly earn your paycheck. Your guess was completely accurate. :)

One key is successfully extracted, and ssh crashes when getting a second one.
The call that fails is SECKEY_ConvertToPublicKey(privk); and the program then
crashes when calling key_free(k);.

> Of course the bug in the code you mention is real and your change is 100% correct.
> 

Quite. But ssh-keygen is still confused by this card, claiming it cannot find
anything useful. I used pkcs15-tool (from OpenSC) to extract the key, so it's
very do-able.

PS. I still haven't seen a reply from you on that mail I sent. I hope you got it
this time.
Comment 5 Tomas Mraz 2007-11-22 05:47:05 EST
So are there actually 2 private keys on the card or not? Could you try to insert
some debug logs into the nsskeys.c:nss_find_privkeys() code and see what it
extracts from the card and why it doesn't find the keys useful?
Comment 6 Pierre Ossman 2007-11-22 07:35:55 EST
Yes, there seems to be four of them bound to the first PIN (which is how I
assume OpenSC decided to group them for one token).

I'll try to find some time to do some printf debugging.
Comment 7 Fedora Update System 2007-11-28 20:36:19 EST
openssh-4.7p1-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.