
CRLs online fail to process after download and offline ones cause a segfault  #42

@neilfx1

Description

Reported to Ubuntu initially (#1879710), but it may be better addressed here, as it seems to affect any Linux distro I try.

Background:

Using a smart card (PIV) to log in to Ubuntu, utilising a Yubikey. The certificate is read, the PIN prompts and it logs in, which is the expected behavior. There is, however, no method for checking CRLs (Certificate Revocation Lists) reliably. This is needed for security in the event that someone lost their smart card/Yubikey, it was compromised somehow, or it was just renewed with a new certificate. A CRL should be checked at each authentication attempt to validate that the certificate being presented is valid.

Issue:

When attempting to read a CRL, it either fails to download or causes a segfault.
CRLs are set within the certificate to download over HTTP; this part of the process works OK. When it checks for revocation, it seems to go wrong.

Online CRLs (crl_online in pam_pkcs11.conf) fail with the following error message:
ERROR:pkcs11_inspect.c:137: verify_certificate() failed: check_for_revocation() failed: verify_crl() failed: getting the certificate of the crl-issuer failed

Offline CRLs (crl_offline in pam_pkcs11.conf) fail with a segfault, which seems to point at an issue with libcrypto:

[ 1563.825006] pkcs11_inspect[3820]: segfault at 18 ip 00007ff8e1a95300 sp 00007ffd6db03088 error 4 in libcrypto.so.1.1[7ff8e190e000+19f000]
[ 1563.825013] Code: 66 2e 0f 1f 84 00 00 00 00 00 48 8b 47 20 c3 66 66 2e 0f 1f 84 00 00 00 00 00 48 8b 47 28 c3 66 66 2e 0f 1f 84 00 00 00 00 00 <48> 8b 47 18 c3 66 66 2e 0f 1f 84 00 00 00 00 00 48 8b 47 38 c3 66

Workaround:

None - disabling CRL checking defeats the point and is highly insecure.

OCSP could be another potential workaround; however, this doesn't appear to have been included in the package(s).
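The following is an added example, not code from this issue or from pam_pkcs11. It uses only the openssl command line to build a throwaway CA, a leaf certificate and a CRL, and then makes the revocation decision that a crl_online/crl_offline policy has to make, including the two cases that must fail closed: no CRL at hand, and a CRL signed by an issuer that is not among the trusted CAs (the condition the reported "getting the certificate of the crl-issuer failed" message names). It assumes an openssl binary (1.1.1 or 3.x) is on PATH; the CA names, the serial number and the http://crl.example.invalid CRL URL are constructed for the example, and nothing is fetched over the network. Running it against the real CA and CRL files configured for pam_pkcs11 is a quick way to tell whether the CRL itself chains to the CA the module trusts, independently of the module.

```shell
#!/bin/sh
# Added example, not part of this issue or of pam_pkcs11. Throwaway CA, leaf
# and CRL built with openssl, then the revocation decision a crl_online /
# crl_offline policy must make, with the fail-closed cases included.
# All names, serials and the CRL URL are constructed.
set -eu

# Create the CA (also the CRL issuer), the leaf cert, a second untrusted CA,
# and the minimal `openssl ca` state needed to revoke and sign CRLs, in dir $1.
make_pki() (
    cd "$1"
    cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
crlDistributionPoints = URI:http://crl.example.invalid/piv.crl
EOF
    openssl req -new -config req.cnf -subj "/CN=Constructed PIV CA" \
        -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr 2>/dev/null
    openssl x509 -req -in ca.csr -signkey ca.key -days 30 -sha256 \
        -extfile req.cnf -extensions v3_ca -out ca.pem 2>/dev/null
    openssl req -new -config req.cnf -subj "/CN=piv-user" \
        -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
        -days 30 -sha256 -extfile req.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null
    openssl req -new -config req.cnf -subj "/CN=Untrusted CA" \
        -newkey rsa:2048 -nodes -keyout other.key -out other.csr 2>/dev/null
    openssl x509 -req -in other.csr -signkey other.key -days 30 -sha256 \
        -extfile req.cnf -extensions v3_ca -out other.pem 2>/dev/null
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = crl_ca
[ crl_ca ]
database         = index.txt
crlnumber        = crlnumber
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_crl_days = 7
EOF
    : > index.txt
    echo 01 > crlnumber
)

# Sign a CRL from the CA database into $1/$2; an optional issuer cert/key
# ($3/$4) simulates a CRL coming from a CA we do not trust.
issue_crl() (
    cd "$1"
    if [ $# -ge 4 ]; then
        openssl ca -config ca.cnf -gencrl -cert "$3" -keyfile "$4" -out "$2" 2>/dev/null
    else
        openssl ca -config ca.cnf -gencrl -out "$2" 2>/dev/null
    fi
)

# Mark the leaf as revoked; a new CRL must be issued for it to take effect.
revoke_leaf() (
    cd "$1"
    openssl ca -config ca.cnf -revoke leaf.pem 2>/dev/null
)

# Revocation check of $1/leaf.pem against CRL $1/$2.
# Exit status: 0 = valid, 1 = revoked, 2 = cannot decide (no CRL, or the CRL
# issuer is not a trusted CA). 2 must be treated as a failed login.
check_leaf() (
    cd "$1"
    [ -f "$2" ] || exit 2
    # The CRL's own signature must chain to a trusted CA first. `openssl crl`
    # reports that as "verify OK" on stderr rather than via its exit status.
    openssl crl -in "$2" -CAfile ca.pem -noout 2>&1 | grep -q "verify OK" || exit 2
    if out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile "$2" leaf.pem 2>&1); then
        exit 0
    fi
    case "$out" in
        *"certificate revoked"*) exit 1 ;;
        *)                       exit 2 ;;
    esac
)

# Walk the leaf through four states and report one result per state.
run_scenario() (
    d=$(mktemp -d)
    make_pki "$d"
    check_leaf "$d" crl.pem && a=0 || a=$?       # no CRL present yet
    issue_crl "$d" crl.pem
    check_leaf "$d" crl.pem && b=0 || b=$?       # fresh CRL, leaf not listed
    revoke_leaf "$d"
    issue_crl "$d" crl.pem
    check_leaf "$d" crl.pem && c=0 || c=$?       # leaf now listed
    issue_crl "$d" other.crl other.pem other.key
    check_leaf "$d" other.crl && e=0 || e=$?     # CRL from an untrusted CA
    rm -rf "$d"
    echo "no_crl=$a fresh=$b revoked=$c untrusted_issuer=$e"
)

run_scenario
```

The point of the two "2" results is the design choice the reporter is asking for: a revocation check that cannot obtain a CRL, or cannot find the certificate of the CRL's issuer among the trusted CAs, must deny the login rather than skip the check, which is why disabling CRL checking is not an acceptable workaround.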
