Created attachment 463543 [details] Full OCSP response (dissected using Wireshark) Description of problem: After enabling OCSP validity checks, dirmngr keeps crashing as soon as he hits a certificate issued by Quo Vadis CA. My investigation revealed that the OCSP responder at http://ocsp.quovadisglobal.com returns responses without a responder name (the responderID field contains only a key ID): Online Certificate Status Protocol responseStatus: successful (0) responseBytes ResponseType Id: 1.3.6.1.5.5.7.48.1.1 (id-pkix-ocsp-basic) BasicOCSPResponse tbsResponseData responderID: byKey (2) byKey: bef04a7291f5dd978877cfb9bf3597dd90041011 When this is parsed by libksba's parse_response_data, the responder_id.name field remains NULL. The ksba_ocsp_get_responder_id() call in check_signature() (dirmngr's ocsp.c) then copies this NULL into the "name" argument. The subsequent call to find_cert_bysubject() passes this "name" (subject_dn) to strcmp, leading to a null pointer dereference crash. Version-Release number of selected component (if applicable): dirmngr-1.1.0-1.fc14.x86_64 libksba-1.0.8-1.fc14.x86_64 How reproducible: 100% Steps to Reproduce: 1. LANG=C gpgsm --list-keys --with-validation 0x2D938845 2. Segfault in dirmngr Actual results: #0 0x00000034f2a8133a in __strcmp_sse2 () from /lib64/libc.so.6 #1 0x00000000004129f7 in find_cert_bysubject (ctrl=0x850020, subject_dn=0x0, keyid=0x8558d0 "(20:\276\360Jr\221\365ݗ\210wϹ\277\065\227ݐ\004\020\021)") at certcache.c:1149 #2 0x000000000041acc5 in check_signature (ctrl=0x850020, cert=0x857590, cert_fpr=<value optimized out>, force_default_responder=<value optimized out>) at ocsp.c:481 #3 ocsp_isvalid (ctrl=0x850020, cert=0x857590, cert_fpr=<value optimized out>, force_default_responder=<value optimized out>) at ocsp.c:663 #4 0x000000000040a8a8 in cmd_isvalid (ctx=0x8540b0, line=<value optimized out>) at server.c:540 #5 0x00000034f2e06c87 in dispatch_command (ctx=0x8540b0, line=0x8541f8 "atement.0\"\006\b+\006\001\005\005\a\002\001\026\026http://www.quovadis.bm0\016\006\003U\035\017\001\001\377\004\004\003\002\001\006\060\201\256\006\003U\035#\004\201\246\060\201\243\200\024\213Km\355\323)\271\006\031\354\071\071\251\360\227\204j\313\357ߡ\201\204\244\201\201\060\177\061\v0\t\006\003U\004\006\023\002BM1\031\060\027\006\003U\004%0A\023\020QuoVadis Limited1%250#\006\003U\004\v\023\034Root Certification Authority1.0,\006\003U\004\003\023%25"..., linelen=<value optimized out>) at assuan-handler.c:561 #6 0x00000034f2e07af9 in process_request (ctx=0x8540b0) at assuan-handler.c:748 #7 assuan_process (ctx=0x8540b0) at assuan-handler.c:771 #8 0x000000000040b21f in start_command_handler (fd=<value optimized out>) at server.c:1445 #9 0x00000000004087d5 in main (argc=0, argv=0x7fffffffdfd8) at dirmngr.c:967
Created attachment 463544 [details] Simple fix/workaround This patch prevents the crash, but the validation still fails with: gpgsm: unable to find the certificate used by the dirmngr: Unknown system error [checking the CRL failed: Invalid CRL] [validation model used: shell] [certificate is bad: Invalid CRL]
I've reported the issue upstream. I suppose some substantial code changes will be needed to properly match such OCSP responses. In the meanwhile I fix the crasher by your patch. Thanks.
This message is a notice that Fedora 14 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 14. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '14' have been closed as WONTFIX. (Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.) Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version. Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 14 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping