From 4f991f85c98b61ffc47bffdbaec7db5a800eff58eeb69704da2f63b1e94ceb97 Mon Sep 17 00:00:00 2001
From: Stanislav Brabec
Date: Thu, 2 Aug 2018 16:35:40 +0000
Subject: [PATCH] Accepting request 624845 from home:sbrabec:branches:security:chipcard
- Fix segfault and fetch problems when checking CRLs (pam_pkcs11-crl-check.patch).
OBS-URL: https://build.opensuse.org/request/show/624845
OBS-URL: https://build.opensuse.org/package/show/security:chipcard/pam_pkcs11?expand=0&rev=22
---
 pam_pkcs11-crl-check.patch | 131 +++++++++++++++++++++++++++++++++++++
 pam_pkcs11.changes | 6 ++
 pam_pkcs11.spec | 7 +-
 3 files changed, 142 insertions(+), 2 deletions(-)
 create mode 100644 pam_pkcs11-crl-check.patch
diff --git a/pam_pkcs11-crl-check.patch b/pam_pkcs11-crl-check.patch
new file mode 100644
index 0000000..6f34775
--- /dev/null
+++ b/pam_pkcs11-crl-check.patch
@@ -0,0 +1,131 @@
+https://github.com/OpenSC/pam_pkcs11/pull/26
+https://github.com/gkloepfer/pam_pkcs11/commit/94325a2c2b03a10b7618375f828c90063881227e
+
+From 94325a2c2b03a10b7618375f828c90063881227e Mon Sep 17 00:00:00 2001
+From: Gil Kloepfer
+Date: Thu, 17 Aug 2017 07:51:25 -0500
+Subject: [PATCH] Fixed segfault and fetch problems when checking CRLs
+
+Fixed segfault issue in src/common/cert_vfy.c that occurs when
+an attempt is made to check a certificate's CRL. This seems to
+be caused by changes that happened in the OpenSSL API, and got
+overlooked during updates to the code.
+
+Also fixed a problem in src/common/uri.c in the builtin URI fetch
+via HTTP where an extra newline (and missing carriage-returns) were
+sent, causing the HTTP request to fail.
+---
+ src/common/cert_vfy.c | 29 ++++++++++++++---------------
+ src/common/uri.c | 2 +-
+ 2 files changed, 15 insertions(+), 16 deletions(-)
+
+diff --git a/src/common/cert_vfy.c b/src/common/cert_vfy.c
+index 7efb0cb..6016ca0 100644
+--- a/src/common/cert_vfy.c
++++ b/src/common/cert_vfy.c
+@@ -143,21 +143,20 @@ static X509_CRL *download_crl(const char *uri)
+ static int verify_crl(X509_CRL * crl, X509_STORE_CTX * ctx)
+ {
+ int rv;
+- X509_OBJECT *obj = NULL;
++ X509_OBJECT obj;
+ EVP_PKEY *pkey = NULL;
+ X509 *issuer_cert;
+
+ /* get issuer certificate */
+- rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), obj);
++ rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), &obj);
+ if (rv <= 0) {
+ set_error("getting the certificate of the crl-issuer failed");
+ return -1;
+ }
+ /* extract public key and verify signature */
+- issuer_cert = X509_OBJECT_get0_X509(obj);
++ issuer_cert = X509_OBJECT_get0_X509((&obj));
+ pkey = X509_get_pubkey(issuer_cert);
+- if (obj)
+- X509_OBJECT_free(obj);
++ X509_OBJECT_free_contents(&obj);
+ if (pkey == NULL) {
+ set_error("getting the issuer's public key failed");
+ return -1;
+@@ -203,13 +202,14 @@ static int verify_crl(X509_CRL * crl, X509_STORE_CTX * ctx)
+ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t policy)
+ {
+ int rv, i, j;
+- X509_OBJECT *obj = NULL;
++ X509_OBJECT obj;
+ X509_REVOKED *rev = NULL;
+ STACK_OF(DIST_POINT) * dist_points;
+ DIST_POINT *point;
+ GENERAL_NAME *name;
+ X509_CRL *crl;
+ X509 *x509_ca = NULL;
++ EVP_PKEY crl_pkey;
+
+ DBG1("crl policy: %d", policy);
+ if (policy == CRLP_NONE) {
+@@ -227,28 +227,27 @@ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t
+ } else if (policy == CRLP_OFFLINE) {
+ /* OFFLINE */
+ DBG("looking for an dedicated local crl");
+- rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), obj);
++ rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), &obj);
+ if (rv <= 0) {
+ set_error("no dedicated crl available");
+ return -1;
+ }
+- crl = X509_OBJECT_get0_X509_CRL(obj);
+- if (obj)
+- X509_OBJECT_free(obj);
++ crl = X509_OBJECT_get0_X509_CRL((&obj));
++ X509_OBJECT_free_contents(&obj);
+ } else if (policy == CRLP_ONLINE) {
+ /* ONLINE */
+ DBG("extracting crl distribution points");
+ dist_points = X509_get_ext_d2i(x509, NID_crl_distribution_points, NULL, NULL);
+ if (dist_points == NULL) {
+ /* if there is not crl distribution point in the certificate hava a look at the ca certificate */
+- rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), obj);
++ rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), &obj);
+ if (rv <= 0) {
+ set_error("no dedicated ca certificate available");
+ return -1;
+ }
+- x509_ca = X509_OBJECT_get0_X509(obj);
++ x509_ca = X509_OBJECT_get0_X509((&obj));
+ dist_points = X509_get_ext_d2i(x509_ca, NID_crl_distribution_points, NULL, NULL);
+- X509_OBJECT_free(obj);
++ X509_OBJECT_free_contents(&obj);
+ if (dist_points == NULL) {
+ set_error("neither the user nor the ca certificate does contain a crl distribution point");
+ return -1;
+@@ -296,10 +295,10 @@ static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t
+ } else if (rv == 0) {
+ return 0;
+ }
++ DBG("checking revocation");
+ rv = X509_CRL_get0_by_cert(crl, &rev, x509);
+ X509_CRL_free(crl);
+- X509_REVOKED_free(rev);
+- return (rv == -1);
++ return (rv == 0);
+ }
+
+ static int add_hash( X509_LOOKUP *lookup, const char *dir) {
+diff --git a/src/common/uri.c b/src/common/uri.c
+index 2d74c04..8e65884 100644
+--- a/src/common/uri.c
++++ b/src/common/uri.c
+@@ -407,7 +407,7 @@ static int get_http(uri_t *uri, unsigned char **data, size_t *length, int rec_le
+ set_error("not enough free memory available");
+ return -1;
+ }
+- sprintf(request, "GET %s HTTP/1.0\nHost: %s\n\n\n", uri->http->path, uri->http->host);
++ sprintf(request, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n", uri->http->path, uri->http->host);
+ len = strlen(request);
+ rv = send(sock, request, len, 0);
+ free(request);
+--
+2.18.0
+
diff --git a/pam_pkcs11.changes b/pam_pkcs11.changes
index f945f1d..6ba6e0c 100644
--- a/pam_pkcs11.changes
+++ b/pam_pkcs11.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Jul 23 17:36:18 CEST 2018 - sbrabec@suse.com
+
+- Fix segfault and fetch problems when checking CRLs
+ (pam_pkcs11-crl-check.patch).
+
 -------------------------------------------------------------------
 Sun Sep 10 00:08:17 UTC 2017 - jengelh@inai.de
diff --git a/pam_pkcs11.spec b/pam_pkcs11.spec
index 19a9a3a..0927630 100644
--- a/pam_pkcs11.spec
+++ b/pam_pkcs11.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package pam_pkcs11
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
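Review bot: In the CRLP_OFFLINE branch of check_for_revocation (cert_vfy.c part of pam_pkcs11-crl-check.patch), `crl` is still a borrowed pointer from `X509_OBJECT_get0_X509_CRL((&obj))` whose lookup reference is released on the next line by `X509_OBJECT_free_contents(&obj)`, while the last cert_vfy.c hunk keeps `X509_CRL_free(crl)` before the return. If the offline branch reaches that free (the code between the hunks is not shown), it drops a reference that belongs to the store, which can lead to a use-after-free or double free inside the PAM authentication path. Taking an owned copy, `crl = X509_CRL_dup(X509_OBJECT_get0_X509_CRL(&obj));` followed by a NULL check, would keep the final free balanced for both the offline and online policies. Separately, the added `EVP_PKEY crl_pkey;` is not used in any visible hunk, and the uri.c request string is now two bytes longer, so the `request` allocation above that hunk should be confirmed large enough or the call changed to `snprintf` with the buffer size.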
@@ -22,7 +22,7 @@ Name: pam_pkcs11
 Version: 0.6.9
 Release: 0
 Summary: PKCS #11 PAM Module
-License: LGPL-2.1+
+License: LGPL-2.1-or-later
 Group: Productivity/Security
 Url: https://github.com/OpenSC/pam_pkcs11
 Source: %{_name}-%{version}.tar.gz
@@ -34,6 +34,8 @@ Source4: pkcs11_eventmgr.service
 Patch0: %{name}-fsf-address.patch
 Patch1: %{name}-0.5.3-nss-conf.patch
 Patch3: %{name}-0.6.0-nss-autoconf.patch
+# PATCH-FIX-UPSTEAM-PENDING pam_pkcs11-crl-check.patch https://github.com/OpenSC/pam_pkcs11/pull/26 -- Fix segfault and fetch problems when checking CRLs.
+Patch4: %{name}-crl-check.patch
 BuildRequires: curl-devel
 BuildRequires: docbook-xsl-stylesheets
 BuildRequires: doxygen
@@ -88,6 +90,7 @@ authentication.
 %patch0 -p1
 %patch1 -p1
 %patch3 -p1
+%patch4 -p1
 cp -a %{SOURCE1} common-auth-smartcard
 sed -i s:/lib/:/%{_lib}/:g etc/pam_pkcs11.conf.example.in etc/pkcs11_eventmgr.conf.example
 # make dist was not called and cannot be called on a non git snapshot.
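Review bot: The tag in the comment added above `Patch4` is spelled `PATCH-FIX-UPSTEAM-PENDING`, so a search of the spec for upstream-tracked patches would presumably miss this entry. Because the patch changes certificate revocation checking and is still pending in the upstream pull request, it should stay easy to find for later review; suggest `# PATCH-FIX-UPSTREAM-PENDING pam_pkcs11-crl-check.patch https://github.com/OpenSC/pam_pkcs11/pull/26 -- Fix segfault and fetch problems when checking CRLs.`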