Bug 628908 - sys-auth/pam_pkcs11 multiple issues when checking CRL
Summary: sys-auth/pam_pkcs11 multiple issues when checking CRL
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Crypto team [DISABLED]
URL:
Whiteboard: Removal: 2017-10-08
Keywords: PMASKED
Depends on:
Blocks:
 
Reported: 2017-08-25 12:45 UTC by Gil Kloepfer
Modified: 2022-06-24 14:08 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch to address CRL segfault issue (crl-openssl-api-bugs.patch,3.24 KB, patch)
2017-08-25 12:49 UTC, Gil Kloepfer
Patch to address improper newlines after HTTP GET request (missing-cr-http-req.patch,477 bytes, patch)
2017-08-25 12:51 UTC, Gil Kloepfer
Patch to ebuild to apply patches (trivial patch) (ebuild.patch,346 bytes, patch)
2017-08-25 12:52 UTC, Gil Kloepfer

Description Gil Kloepfer 2017-08-25 12:45:45 UTC
pam_pkcs11 segfaults when checking certificate CRLs.  This is due to a known issue (upstream reason) resulting from changes in the OpenSSL API and the lack of a maintainer for the code.  Because pam_pkcs11 is still practically the only solution in this space it is still widely used.

Upstream bug report (with extensive detail) is at:
https://github.com/OpenSC/pam_pkcs11/issues/25


Reproducible: Always

Steps to Reproduce:
in /etc/pam_pkcs11/pam_pkcs11.conf:

1.  Enable crl_dir
2.  Set cert_policy to include crl_online, crl_offline, or crl_auto
Actual Results:  
Authentication always fails when CRLs are enabled (no cause given to user), but when debugging is enabled it is apparent that the PAM module is segfaulting when authentication is performed.

Expected Results:  
Authentication succeeds (as appropriate), or fails due to certificate being revoked by CRL.

Patch (in use locally for the past several weeks) has been submitted to upstream (see https://github.com/OpenSC/pam_pkcs11/pull/26 ), but since there is not an official maintainer, it is not clear whether this will ever be applied.  I am submitting as a Gentoo bug in the hopes that this can at least become an official fix for Gentoo Linux (which I use).

Note that after fixing the CRL bug, I also discovered that the builtin HTTP retrieval mechanism (for Gentoo, this is enabled when the "curl" USE flag is *not* enabled) was sending three newlines after the HTTP GET request, rather than two carriage-return/linefeed sequences, causing the HTTP GET to always fail.  The patches associated with the CRL bugfix also address this bug as well, since that causes the online CRL retrieval to fail.

I will attach both proposed patches and update to ebuild to this bug report.

emerge --info follows:
Portage 2.3.6 (python 2.7.12-final-0, default/linux/amd64/13.0, gcc-5.4.0, glibc-2.23-r4, 4.9.34-gentoo x86_64)
=================================================================
System uname: Linux-4.9.34-gentoo-x86_64-Intel-R-_Core-TM-_i7-2600_CPU_@_3.40GHz-with-gentoo-2.3
KiB Mem:     8151600 total,   1526436 free
KiB Swap:    4000180 total,   4000180 free
Timestamp of repository gentoo: Thu, 24 Aug 2017 03:15:01 +0000
Timestamp of repository arlut: Tue, 16 Aug 2016 18:09:06 +0000
Timestamp of repository kloepfer: Mon, 12 Jun 2017 19:47:30 +0000
sh bash 4.3_p48-r1
ld GNU ld (Gentoo 2.28 p1.2) 2.28
app-shells/bash:          4.3_p48-r1::gentoo
dev-java/java-config:     2.2.0-r3::gentoo
dev-lang/perl:            5.24.1-r2::gentoo
dev-lang/python:          2.7.12::gentoo, 3.4.5::gentoo
dev-util/cmake:           3.7.2::gentoo
dev-util/pkgconfig:       0.28-r2::gentoo
sys-apps/baselayout:      2.3::gentoo
sys-apps/openrc:          0.28::gentoo
sys-apps/sandbox:         2.10-r3::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69::gentoo
sys-devel/automake:       1.15-r2::gentoo
sys-devel/binutils:       2.28-r2::gentoo
sys-devel/gcc:            5.4.0-r3::gentoo
sys-devel/gcc-config:     1.7.3::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.4::gentoo (virtual/os-headers)
sys-libs/glibc:           2.23-r4::gentoo
Repositories:

gentoo
    location: /space/sysbuild/portage
    sync-type: rsync
    sync-uri: rsync://mirror.arlut.utexas.edu/gentoo-portage
    priority: -1000

arlut
    location: /space/sysbuild/arlut-overlay
    masters: gentoo

kloepfer
    location: /space/sysbuild/kloepfer-overlay
    masters: gentoo

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=core2 -fomit-frame-pointer -fno-ident -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/easy-rsa /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/init.d/ /etc/revdep-rebuild /etc/sandbox.d /etc/ssl/certs /etc/terminfo"
CXXFLAGS="-O2 -march=core2 -fomit-frame-pointer -fno-ident -pipe"
DISTDIR="/sysbuild/distfiles"
EMERGE_DEFAULT_OPTS="--jobs=2 --load-average=3"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildpkg config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://mirror.arlut.utexas.edu/gentoo"
INSTALL_MASK="/usr/lib/systemd /etc/systemd /lib/systemd"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j9"
PKGDIR="/sysbuild/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X acl amd64 berkdb bzip2 cli cracklib crypt cxx dri gdbm iconv ipv6 mmx mmxext modules multilib ncurses nls nptl openmp pam pcre readline seccomp session sse sse2 ssl ssse3 tcpd unicode xattr zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" L10N="en_US" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en_US" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6" POSTGRES_TARGETS="postgres9_5" PYTHON_SINGLE_TARGET="python3_4" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby22" USERLAND="GNU" VIDEO_CARDS="radeon r600 vesa vga" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Gil Kloepfer 2017-08-25 12:49:11 UTC
Created attachment 490532 [details, diff]
Patch to address CRL segfault issue

This is the primary patch to address the CRL checking issues.  These are addressing the OpenSSL API usage problems.
Comment 2 Gil Kloepfer 2017-08-25 12:51:10 UTC
Created attachment 490534 [details, diff]
Patch to address improper newlines after HTTP GET request

This patch addresses the issue with the builtin HTTP GET request (not using the CURL library) that sends three newlines rather than two carriage-return/linefeed sequences.
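The wire-format point behind this patch is that an HTTP request's header block must end with an empty line, and each line terminator is CRLF, so a correctly formed request ends in the four bytes "\r\n\r\n"; a request ending in "\n\n\n" is never recognised by the server as complete, which is why the online CRL fetch always failed. The following is an added example written for this bug page, not code from pam_pkcs11 or from the attached patch: it builds a GET request for a CRL distribution point and checks that a request buffer uses the correct terminator. The host name, path and User-Agent value are constructed placeholders, and the buggy request string is constructed to mirror the three-newline form the report describes.

```c
#include <stdio.h>
#include <string.h>

/* Build an HTTP/1.0 GET request for a CRL distribution point.
 * Every header line ends in CRLF and the header block is closed by an
 * empty line, so the request ends in "\r\n\r\n".
 * Returns the number of bytes written, or -1 if buf is too small.
 * Hypothetical helper written for this example, not pam_pkcs11 code. */
int build_crl_request(const char *host, const char *path,
                      char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen,
                     "GET %s HTTP/1.0\r\n"
                     "Host: %s\r\n"
                     "User-Agent: crl-fetch-example\r\n"   /* constructed value */
                     "\r\n",
                     path, host);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* Check that a request buffer is terminated by CRLF CRLF and contains
 * no bare LF anywhere. Returns 1 if the framing is correct, 0 otherwise.
 * This is the check a unit test of an HTTP fetcher would make; it rejects
 * the "\n\n\n" form the bug report describes. */
int request_terminator_ok(const char *req, size_t len)
{
    if (len < 4 || memcmp(req + len - 4, "\r\n\r\n", 4) != 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        if (req[i] == '\n' && (i == 0 || req[i - 1] != '\r'))
            return 0;   /* bare LF: not a valid HTTP line terminator */
    }
    return 1;
}

/* Constructed sample of the broken form: three bare newlines after the
 * request line, no CRLF at all. */
static const char BUGGY_REQUEST[] = "GET /ca.crl HTTP/1.0\n\n\n";

int main(void)
{
    char buf[256];
    int n = build_crl_request("crl.example.test", "/ca.crl", buf, sizeof buf);
    if (n < 0) {
        fputs("buffer too small\n", stderr);
        return 1;
    }
    printf("generated request framing ok: %d\n",
           request_terminator_ok(buf, (size_t)n));
    printf("buggy request framing ok:     %d\n",
           request_terminator_ok(BUGGY_REQUEST, strlen(BUGGY_REQUEST)));
    return 0;
}
```

The checker is deliberately strict about bare LF: a server that tolerates LF-only line endings will hide this class of bug in testing, while a strict one (or a proxy in front of the CRL host) will simply wait for more data until the connection times out, which surfaces as a CRL fetch failure rather than an obvious protocol error.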
Comment 3 Gil Kloepfer 2017-08-25 12:52:27 UTC
Created attachment 490536 [details, diff]
Patch to ebuild to apply patches (trivial patch)
Comment 4 Alon Bar-Lev (RETIRED) gentoo-dev 2017-08-31 17:34:39 UTC
Simpler to remove this package... I will mask it in 1 week.
If you use it and are capable of maintaining it upstream, please contact LudovicRousseau.
Thanks!

---
https://github.com/opensc/pam_pkcs11

This project is no longer maintained

I @LudovicRousseau do not use this software any more and have no time to take care of it. See "Pam-pkcs#11 needs a new maintainer(s) soon, or it will die" https://sourceforge.net/p/opensc/mailman/message/35191905/

If you want to become the new maintainer just ask me @LudovicRousseau to add you in the https://github.com/orgs/OpenSC/teams/pam_pkcs11-maintainers group.
Comment 5 Alon Bar-Lev (RETIRED) gentoo-dev 2017-10-04 19:58:30 UTC
Removed from tree.
Comment 6 Henning Schild 2022-06-24 14:08:10 UTC
I wrote an ebuild for 0.6.12

Not sure what happened to the whole "losing upstream maintainer" story; I guess there are enough people out there caring and we could bring it back to Gentoo.

Maybe I would take care of it; any thoughts?