Bug 658230 - dirmngr crashes when OCSP reply contains a byKey responderID
Summary: dirmngr crashes when OCSP reply contains a byKey responderID
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: dirmngr
Version: 14
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Rex Dieter
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-11-29 18:10 UTC by Tomáš Trnka
Modified: 2012-08-16 22:13 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-16 22:13:34 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
Full OCSP response (dissected using Wireshark) (9.43 KB, text/plain)
2010-11-29 18:10 UTC, Tomáš Trnka 		no flags Details
Simple fix/workaround (624 bytes, patch)
2010-11-29 18:12 UTC, Tomáš Trnka 		no flags Details | Diff
View All

Description Tomáš Trnka 2010-11-29 18:10:11 UTC 
Created attachment 463543 [details]
Full OCSP response (dissected using Wireshark)

Description of problem:
After enabling OCSP validity checks, dirmngr keeps crashing as soon as he hits a certificate issued by Quo Vadis CA. My investigation revealed that the OCSP responder at http://ocsp.quovadisglobal.com returns responses without a responder name (the responderID field contains only a key ID):

Online Certificate Status Protocol
    responseStatus: successful (0)
    responseBytes
        ResponseType Id: 1.3.6.1.5.5.7.48.1.1 (id-pkix-ocsp-basic)
        BasicOCSPResponse
            tbsResponseData
                responderID: byKey (2)
                    byKey: bef04a7291f5dd978877cfb9bf3597dd90041011

When this is parsed by libksba's parse_response_data, the responder_id.name field remains NULL. The ksba_ocsp_get_responder_id() call in check_signature() (dirmngr's ocsp.c) then copies this NULL into the "name" argument. The subsequent call to find_cert_bysubject() passes this "name" (subject_dn) to strcmp, leading to a null pointer dereference crash.

Version-Release number of selected component (if applicable):
dirmngr-1.1.0-1.fc14.x86_64
libksba-1.0.8-1.fc14.x86_64

How reproducible:
100%

Steps to Reproduce:
1. LANG=C gpgsm --list-keys --with-validation 0x2D938845
2. Segfault in dirmngr
  
Actual results:
#0  0x00000034f2a8133a in __strcmp_sse2 () from /lib64/libc.so.6
#1  0x00000000004129f7 in find_cert_bysubject (ctrl=0x850020, subject_dn=0x0, 
    keyid=0x8558d0 "(20:\276\360Jr\221\365ݗ\210wϹ\277\065\227ݐ\004\020\021)") at certcache.c:1149
#2  0x000000000041acc5 in check_signature (ctrl=0x850020, cert=0x857590, cert_fpr=<value optimized out>, 
    force_default_responder=<value optimized out>) at ocsp.c:481
#3  ocsp_isvalid (ctrl=0x850020, cert=0x857590, cert_fpr=<value optimized out>, force_default_responder=<value optimized out>) at ocsp.c:663
#4  0x000000000040a8a8 in cmd_isvalid (ctx=0x8540b0, line=<value optimized out>) at server.c:540
#5  0x00000034f2e06c87 in dispatch_command (ctx=0x8540b0, 
    line=0x8541f8 "atement.0\"\006\b+\006\001\005\005\a\002\001\026\026http://www.quovadis.bm0\016\006\003U\035\017\001\001\377\004\004\003\002\001\006\060\201\256\006\003U\035#\004\201\246\060\201\243\200\024\213Km\355\323)\271\006\031\354\071\071\251\360\227\204j\313\357ߡ\201\204\244\201\201\060\177\061\v0\t\006\003U\004\006\023\002BM1\031\060\027\006\003U\004%0A\023\020QuoVadis Limited1%250#\006\003U\004\v\023\034Root Certification Authority1.0,\006\003U\004\003\023%25"..., linelen=<value optimized out>) at assuan-handler.c:561
#6  0x00000034f2e07af9 in process_request (ctx=0x8540b0) at assuan-handler.c:748
#7  assuan_process (ctx=0x8540b0) at assuan-handler.c:771
#8  0x000000000040b21f in start_command_handler (fd=<value optimized out>) at server.c:1445
#9  0x00000000004087d5 in main (argc=0, argv=0x7fffffffdfd8) at dirmngr.c:967
Comment 1 Tomáš Trnka 2010-11-29 18:12:28 UTC 
Created attachment 463544 [details]
Simple fix/workaround

This patch prevents the crash, but the validation still fails with:

gpgsm: unable to find the certificate used by the dirmngr: Unknown system error
  [checking the CRL failed: Invalid CRL]
  [validation model used: shell]
  [certificate is bad: Invalid CRL]
Comment 2 Tomas Mraz 2010-12-01 13:20:38 UTC 
I've reported the issue upstream. I suppose some substantial code changes will be needed to properly match such OCSP responses.

In the meanwhile I fix the crasher by your patch. Thanks.
Comment 3 Fedora End Of Life 2012-08-16 22:13:37 UTC 
This message is a notice that Fedora 14 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 14. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained.  At this time, all open bugs with a Fedora 'version'
of '14' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this 
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen 
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we were unable to fix it before Fedora 14 reached end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" (top right of this page) and open it against that 
version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Note You need to log in before you can comment on or make changes to this bug.