
CRLs online fail to process after download and offline ones cause a segfault #42

Open
neilfx1 opened this issue May 20, 2020 · 6 comments


neilfx1 commented May 20, 2020

Reported to Ubuntu initially (#1879710), but it may be better addressed here as it seems to affect any Linux distro I try.

Background:

Using a smart card (PIV) to log in to Ubuntu, utilising a Yubikey. The certificate is read, the PIN prompts, and it logs in, which is the expected behaviour. There is, however, no method for checking CRLs (Certificate Revocation Lists) reliably. This is needed for security in the event someone lost their smart card/Yubikey, it was compromised somehow, or was just renewed with a new certificate. A CRL should be checked at each authentication attempt to validate that the certificate being presented is valid.

Issue:

When attempting to read a CRL, it either fails to download or causes a segfault.
CRLs are set within the certificate to download over HTTP; this part of the process works OK. When it checks for revocation it seems to go wrong.

Online CRLs (crl_online in pam_pkcs11.conf) fail with the following error message:
ERROR:pkcs11_inspect.c:137: verify_certificate() failed: check_for_revocation() failed: verify_crl() failed: getting the certificate of the crl-issuer failed

Offline CRLs (crl_offline in pam_pkcs11.conf) fail with a segfault which seems to point at an issue with libcrypto:

[ 1563.825006] pkcs11_inspect[3820]: segfault at 18 ip 00007ff8e1a95300 sp 00007ffd6db03088 error 4 in libcrypto.so.1.1[7ff8e190e000+19f000]
[ 1563.825013] Code: 66 2e 0f 1f 84 00 00 00 00 00 48 8b 47 20 c3 66 66 2e 0f 1f 84 00 00 00 00 00 48 8b 47 28 c3 66 66 2e 0f 1f 84 00 00 00 00 00 <48> 8b 47 18 c3 66 66 2e 0f 1f 84 00 00 00 00 00 48 8b 47 38 c3 66

Workaround:

None - disabling CRL checking defeats the point and is highly insecure.

OCSP could be another potential workaround; however, this doesn't appear to have been included in the package(s).
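For readers who want to see what "check the CRL at each authentication" means in concrete terms, here is an added example. It is not pam_pkcs11 code and not part of this issue; it drives the openssl command-line tool (pam_pkcs11 links the same libcrypto) to build a throwaway CA, issue a "smart card" certificate, publish a CRL, then revoke the certificate and show the verification outcome flip from accept to reject. It also checks the CRL's own signature against the issuer certificate, and shows that the check cannot succeed when the issuer certificate handed to OpenSSL is the wrong one, which is the same precondition the "getting the certificate of the crl-issuer failed" message above is complaining about. Assumptions: an openssl binary of 1.1.0 or newer on PATH (for verify's -CRLfile option), and every name in the script (the "Demo PIV CA", the user "alice", the "Unrelated CA", all file names) is constructed for the demo.

```shell
#!/bin/sh
# Added example, not pam_pkcs11 code: exercise CRL-based revocation checking
# with the openssl CLI. All CA names, subjects and file names are constructed
# for this demo; nothing here comes from the issue or the project.

DEMO_DIR=${DEMO_DIR:-$(mktemp -d)}
CNF="$DEMO_DIR/ca.cnf"

# Minimal config shared by `openssl req` and `openssl ca`. The heredoc is
# unquoted on purpose so the shell expands $DEMO_DIR into absolute paths.
write_config() {
  cat > "$CNF" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = demo_ca
[ demo_ca ]
new_certs_dir = $DEMO_DIR
database = $DEMO_DIR/index.txt
serial = $DEMO_DIR/serial
certificate = $DEMO_DIR/ca.pem
private_key = $DEMO_DIR/ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_user ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# (Re)issue the CRL from the CA's index.txt database.
regenerate_crl() {
  openssl ca -config "$CNF" -gencrl -out "$DEMO_DIR/crl.pem" >/dev/null 2>&1
}

# Build the demo CA, an unrelated CA, the user's (smart-card) certificate
# signed by the demo CA, and an initial CRL with nothing revoked yet.
setup_demo_ca() {
  write_config
  : > "$DEMO_DIR/index.txt"
  echo 01 > "$DEMO_DIR/serial"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$CNF" \
    -extensions v3_ca -subj "/CN=Demo PIV CA" \
    -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$CNF" \
    -extensions v3_ca -subj "/CN=Unrelated CA" \
    -keyout "$DEMO_DIR/other.key" -out "$DEMO_DIR/other.pem" >/dev/null 2>&1 || return 1
  openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=alice" \
    -keyout "$DEMO_DIR/user.key" -out "$DEMO_DIR/user.csr" >/dev/null 2>&1 || return 1
  openssl ca -batch -notext -config "$CNF" -extensions v3_user \
    -in "$DEMO_DIR/user.csr" -out "$DEMO_DIR/user.pem" >/dev/null 2>&1 || return 1
  regenerate_crl
}

# Mark a certificate revoked in the CA database and publish a fresh CRL
# (what a CA operator does when a card is reported lost).
revoke_cert() {
  openssl ca -config "$CNF" -revoke "$1" >/dev/null 2>&1 && regenerate_crl
}

# The check a PAM module has to make at every login: chain the presented
# certificate to the trusted CA and confirm it is absent from that CA's CRL.
# Exit status 0 = accept, non-zero = reject (revoked, expired, untrusted...).
check_cert() {
  openssl verify -crl_check -CAfile "$DEMO_DIR/ca.pem" \
    -CRLfile "$DEMO_DIR/crl.pem" "$1" >/dev/null 2>&1
}

# Verify the CRL's own signature against a candidate issuer certificate.
# OpenSSL first has to locate the CRL issuer's certificate in the store it is
# given; if that lookup fails the CRL cannot be trusted at all.
check_crl_signature() {
  openssl crl -noout -in "$DEMO_DIR/crl.pem" -CAfile "$1" >/dev/null 2>&1
}

main() {
  setup_demo_ca || { echo "setup failed"; exit 1; }
  check_cert "$DEMO_DIR/user.pem" && echo "fresh card: accepted"
  check_crl_signature "$DEMO_DIR/ca.pem" && echo "CRL signature: OK with real issuer"
  check_crl_signature "$DEMO_DIR/other.pem" || echo "CRL signature: rejected, issuer cert not found"
  revoke_cert "$DEMO_DIR/user.pem"
  check_cert "$DEMO_DIR/user.pem" || echo "lost card, now on the CRL: rejected"
  rm -rf "$DEMO_DIR"
}

# Run the walkthrough only when invoked as: sh crl_demo.sh run
if [ "${1:-}" = run ]; then main; fi
```

Two things worth noticing when running it: the accept/reject decision depends on the CRL being current (the demo issues a 30-day CRL; an expired CRL makes verify fail closed), and the CRL signature check needs the issuer's certificate to be in whatever store OpenSSL is handed, which in pam_pkcs11 terms means the CA certificate for the CRL issuer must be in the configured ca_dir, not only the CRL itself.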

@lgarbarini

@neilmw1 I was running into a host of similar issues and found a bug; can you try my branch and see if it resolves your segfault?


neilfx1 commented Jul 26, 2020

@lgarbarini This has fixed the issue for the segfault, online CRL checking is also working. I'll do some extended testing in the week but thank you for your help!


neilfx1 commented Jul 27, 2020

Just to confirm I've completed my testing and everything works as it should. If someone can include this fix in the next release that would be great. For now I'll patch and compile source but a permanent fix would be good.

Thanks again @lgarbarini !

@AngusMcGyver (Contributor)

I have the same issue with Ubuntu 20.04. Is there a compiled deb package or something I can simply copy and paste into the system directory of the fixed version available? I'm too stupid to compile this by myself. After 2 hours of going from one error to the next and installing missing dependencies on the system, I gave up.

@AngusMcGyver (Contributor)

Got it compiled with some help now and can confirm the segmentation fault is gone, so waiting for merge.
Thanks @lgarbarini

@wolneykien (Member)

Hi! Does anybody know the status of this issue? I've just tested the crl_offline policy with applied #58 and it was OK.
