package: pam-p11
version: 0.1.5-6
severity: grave
tags: security, patch
justification: unusable in most secure configurations; DOS, possibly exploitable
Hi.

I found that pam_p11_openssh was causing my login process to segfault. Tracing the code through the debugger, I found the following in libp11:

    if (relogin == 0) {
        /* Calling PKCS11_login invalidates all cached
         * keys we have */
        if (slot->token) {
            pkcs11_destroy_keys(slot->token, CKO_PRIVATE_KEY);
            pkcs11_destroy_keys(slot->token, CKO_PUBLIC_KEY);
            pkcs11_destroy_certs(slot->token);
        }

That is, all certificate objects are invalidated on token login. That's kind of expected: a pkcs11 token is likely to give you more objects when you login than before you login. Unfortunately, authcert is used in pam_sm_authenticate after the call to PKCS11_login, so uninitialized memory is used.

I'm surprised; I actually managed to get it to work once yesterday, but it sure doesn't work reliably, or on any machine but that one.

Here's a quick and dirty patch to rescan after login.
From 1392f5c0f1822e7c306ae6d9bdd3ede6f90b37c2 Mon Sep 17 00:00:00 2001 From: Sam Hartman <hartm...@debian.org> Date: Fri, 20 Jan 2017 17:24:05 -0500 Subject: [PATCH] Read certs again on token login PKCS11_login destroys all certs and keys retrieved from the token. So after logging in it is necessary to enumerate the certificates again. Without this, the library is very likely to crash. --- debian/patches/reread_certs_on_token_login | 40 ++++++++++++++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 41 insertions(+) create mode 100644 debian/patches/reread_certs_on_token_login diff --git a/debian/patches/reread_certs_on_token_login b/debian/patches/reread_certs_on_token_login new file mode 100644 index 0000000..f6c5557 --- /dev/null +++ b/debian/patches/reread_certs_on_token_login @@ -0,0 +1,40 @@ +Index: pam-p11/src/pam_p11.c +=================================================================== +--- pam-p11.orig/src/pam_p11.c ++++ pam-p11/src/pam_p11.c +@@ -56,6 +56,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + const char *user; + char *password; + char password_prompt[64]; ++ int loggedin = 0; + + struct pam_conv *conv; + struct pam_message msg; +@@ -119,7 +120,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + } + + /* get all certs */ +- rv = PKCS11_enumerate_certs(slot->token, &certs, &ncerts); ++ cert_scan: rv = PKCS11_enumerate_certs(slot->token, &certs, &ncerts); + if (rv) { + pam_syslog(pamh, LOG_ERR, "PKCS11_enumerate_certs failed"); + rv = PAM_AUTHINFO_UNAVAIL; +@@ -156,7 +157,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + goto out; + } + +- if (!slot->token->loginRequired) ++ if (!slot->token->loginRequired ||loggedin) + goto loggedin; + + /* get password */ +@@ -209,6 +210,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + goto out; + } + ++ loggedin = 1; ++ goto cert_scan; ++ + loggedin: + /* get random bytes */ + fd = open(RANDOM_SOURCE, O_RDONLY); diff --git a/debian/patches/series b/debian/patches/series index 2d7f923..04d6505 100644 
--- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ 0001-Use-INSTALL-instead-of-libLTLIBRARIES_INSTALL.patch +reread_certs_on_token_login -- 2.11.0
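Review bot: the new `int loggedin = 0;` added near the top of pam_sm_authenticate shares its name with the `loggedin:` label that `goto loggedin` jumps to later in the same function; C keeps labels and identifiers in separate namespaces so this compiles, but `if (... || loggedin) goto loggedin;` reads badly. Suggest naming the flag `did_login` (and updating its two later uses).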
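Review bot: the `cert_scan:` label is placed on the same line as the `rv = PKCS11_enumerate_certs(slot->token, &certs, &ncerts);` statement, whereas the existing `loggedin:` label in this function sits on its own line; put `cert_scan:` on its own line and add a one-line comment that this point is re-entered after PKCS11_login because login discards the certs enumerated earlier (that reasoning currently lives only in the commit message).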
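Review bot: `if (!slot->token->loginRequired ||loggedin)` is missing the space after `||`; `|| loggedin` matches the surrounding style.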
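Review bot: the backward `goto cert_scan;` after a successful login re-runs everything between the enumeration and the loginRequired check, which is the intended effect but is not obvious at the jump site; add a comment there, e.g. `/* PKCS11_login invalidated the enumerated certs; scan again */`, so a later reader does not remove the jump and reintroduce the dangling `authcert`.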
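Review bot: the new file `debian/patches/reread_certs_on_token_login` starts directly with `Index: pam-p11/src/pam_p11.c` and carries no DEP-3 header; add `Description:`, `Author:` and `Bug-Debian:` lines at the top so the rationale from the commit message travels with the patch in the Debian package.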
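Review bot: the series entry `reread_certs_on_token_login` has no `.patch` suffix while the existing entry `0001-Use-INSTALL-instead-of-libLTLIBRARIES_INSTALL.patch` does; name the file `reread_certs_on_token_login.patch` (in both the file name and the series line) for consistency.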
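To make the failure mode in the report concrete, here is an added example in C that is not part of the bug report, of pam_p11, or of libp11. It models a token whose object cache is freed and rebuilt on login (as the pkcs11_destroy_* calls quoted above do), and an authentication flow that discards the pre-login match and re-enumerates after login, which is what the patch achieves with its jump back to the scan. Every name here (model_token, model_login, authenticate_user, the PIN "1234", the subjects) is constructed for illustration and is not the real API.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a token-side object cache (not libp11's types). */
struct model_cert {
    char subject[32];
    int generation;             /* which rebuild of the cache this object is from */
};

struct model_token {
    int login_required;
    int logged_in;
    int generation;             /* bumped every time the cache is rebuilt */
    struct model_cert *certs;   /* cache owned by the token, freed on rebuild */
    unsigned ncerts;
};

/* Rebuild the cache: the old array is freed and a new one allocated, so every
 * pointer handed out by an earlier enumeration now dangles. */
static void model_rebuild_cache(struct model_token *t)
{
    free(t->certs);
    t->generation++;
    t->ncerts = t->logged_in ? 2 : 1;   /* constructed: login exposes one more object */
    t->certs = calloc(t->ncerts, sizeof *t->certs);
    if (!t->certs) { t->ncerts = 0; return; }
    strcpy(t->certs[0].subject, "CN=alice");
    if (t->ncerts > 1)
        strcpy(t->certs[1].subject, "CN=alice-signing");
    for (unsigned i = 0; i < t->ncerts; i++)
        t->certs[i].generation = t->generation;
}

static int model_enumerate_certs(struct model_token *t,
                                 struct model_cert **certs, unsigned *ncerts)
{
    if (!t->certs)
        model_rebuild_cache(t);
    if (!t->certs)
        return -1;
    *certs = t->certs;
    *ncerts = t->ncerts;
    return 0;
}

/* Login with a constructed PIN; like PKCS11_login it invalidates the cache. */
static int model_login(struct model_token *t, const char *pin)
{
    if (strcmp(pin, "1234") != 0)
        return -1;
    t->logged_in = 1;
    model_rebuild_cache(t);
    return 0;
}

static struct model_cert *match_user(struct model_cert *certs, unsigned n,
                                     const char *user)
{
    char want[40];
    snprintf(want, sizeof want, "CN=%s", user);
    for (unsigned i = 0; i < n; i++)
        if (strcmp(certs[i].subject, want) == 0)
            return &certs[i];
    return NULL;
}

/* Flow with the fix applied: the match made before login is thrown away and
 * redone on the post-login enumeration, so no freed object is ever used. */
struct model_cert *authenticate_user(struct model_token *t, const char *user,
                                     const char *pin)
{
    struct model_cert *certs, *authcert;
    unsigned ncerts;

    if (model_enumerate_certs(t, &certs, &ncerts))
        return NULL;
    authcert = match_user(certs, ncerts, user);
    if (!authcert)
        return NULL;

    if (t->login_required && !t->logged_in) {
        if (model_login(t, pin))
            return NULL;
        /* authcert now points into freed memory: do not touch it, re-scan. */
        if (model_enumerate_certs(t, &certs, &ncerts))
            return NULL;
        authcert = match_user(certs, ncerts, user);
    }
    return authcert;
}

/* 1 when the cert used for authentication belongs to the cache that exists
 * after login (generation 2), i.e. no stale pointer is in play. */
int demo_login_required(void)
{
    struct model_token t = { 1, 0, 0, NULL, 0 };
    struct model_cert *c = authenticate_user(&t, "alice", "1234");
    int ok = c != NULL && c == &t.certs[0] && c->generation == t.generation
             && t.generation == 2;
    free(t.certs);
    return ok;
}

/* 1 when a wrong PIN yields no certificate at all. */
int demo_wrong_pin(void)
{
    struct model_token t = { 1, 0, 0, NULL, 0 };
    struct model_cert *c = authenticate_user(&t, "alice", "0000");
    free(t.certs);
    return c == NULL;
}

int main(void)
{
    printf("login-required flow ok: %d\n", demo_login_required());
    printf("wrong pin rejected:     %d\n", demo_wrong_pin());
    return 0;
}
```

The generation counter is only there to make the test observable; the point of the example is the second enumerate-and-match after a successful login. Dropping that second block is the equivalent of the unpatched pam_p11 flow, where `authcert` still points at the array freed inside the login.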