https://bugs.kde.org/show_bug.cgi?id=482819

--- Comment #7 from Matt Fagnani <matt.fagn...@bell.net> ---
In frame 1 in KWalletFreedesktopService::createSessionAlgorithmDhAes,
privateKey and publicKey had null d pointers and clientPublicKey had d = 0x75.
Those keys were generated by qca functions.

(gdb) frame 1
#1  0x000055fc1a8bc992 in KWalletFreedesktopService::createSessionAlgorithmDhAes (this=0x7fcc2400a8a0, clientKey=...)
    at /usr/src/debug/kf6-kwallet-6.0.0-1.fc40.x86_64/src/runtime/kwalletd/kwalletfreedesktopservice.cpp:424
424         const auto commonSecret = privateKey.deriveKey(clientPublicKey);
(gdb) l
419         }
420
421         auto privateKey = QCA::PrivateKey(keygen.createDH(dlGroup));
422         const auto publicKey = QCA::PublicKey(privateKey);
423         const auto clientPublicKey = QCA::DHPublicKey(dlGroup, QCA::BigInteger(QCA::SecureArray(clientKey)));
424         const auto commonSecret = privateKey.deriveKey(clientPublicKey);
425         const auto symmetricKey = QCA::HKDF().makeKey(commonSecret, {}, {}, FDO_SECRETS_CIPHER_KEY_SIZE);
426
427         return std::make_unique<KWalletFreedesktopSessionAlgorithmDhAes>(publicKey, symmetricKey);
428     }
(gdb) p privateKey
$5 = {<QCA::PKey> = {<QCA::Algorithm> = {_vptr.Algorithm = 0x7fcc3e18e598
<vtable for QCA::PrivateKey+16>, d = {
        d = 0x0}}, d = 0x55fc1c7b50e0}, d = 0x7ffff0079b90}
(gdb) p publicKey
$6 = {<QCA::PKey> = {<QCA::Algorithm> = {_vptr.Algorithm = 0x7fcc3e18e5b8
<vtable for QCA::PublicKey+16>, d = {
        d = 0x0}}, d = 0x55fc1c7dca80}, d = 0x7ffff0079b90}
(gdb) p clientPublicKey
$7 = {<QCA::PublicKey> = {<QCA::PKey> = {<QCA::Algorithm> = {
        _vptr.Algorithm = 0x7fcc3e18d880 <vtable for QCA::DHPublicKey+16>, d = {d = 0x55fc1c7dcaa0}},
      d = 0x55fc1c819ac0}, d = 0x75}, <No data fields>}
(gdb) p commonSecret
$8 = {<QCA::SecureArray> = {<QCA::MemoryRegion> = {_secure = 96, d = {
        d = 0x7fcc3bc3dc88 <_dbus_type_writer_write_basic+152>}}, <No data fields>}, <No data fields>}
(gdb) p symmetricKey
$9 = {<QCA::SecureArray> = {<QCA::MemoryRegion> = {_secure = 38, d = {
        d = 0x7ffff0079a50}}, <No data fields>}, <No data fields>}

I used evince (Document Viewer) to open an encrypted pdf in Plasma 6.0.2, and
kwalletd6 crashed with the same kind of trace when the password dialog box
appeared. I used GNOME Disks to mount a LUKS encrypted partition in Plasma
6.0.2, and kwalletd6 crashed with the same sort of trace. The problem might be
with GTK programs using the Secret Service interface in Plasma and qca 2.3.8
generating keys with those null or invalid pointers.
