On Fri, 19 Jul 2024 14:49:25 +0200 Ulrich Teichert <ulrich.teich...@kumkeo.de> wrote:
> Package: libsofthsm2
>
> When using OpenSSL 3.0.13 (installed by the latest security update for OpenSSL),
> signing with pkcs11 fails with a segmentation fault. This is not the case with
> OpenSSL 3.0.11. Maybe the library just needs a rebuild against the
> newer OpenSSL library? Traceback with gdb:



Hello,
I am not a maintainer of a related package; I just tried to collect some more
information.
I could reproduce the crash inside a temporary
bookworm/stable amd64 VM with the command sequence in [2].

This created a backtrace with debug symbols in [1].
(Package p11-kit-modules-dbgsym is installed, but seems not to contain
matching debug symbols for p11-kit-proxy.so.)
The crash happens because the getSession method is called with "this=0x0".

The difference seems to be that in 3.0.13, in engine_unlocked_finish,
the value e->funct_ref is decremented to 0,
and therefore engine_finish gets executed.

Comparing all modifications of this reference counter
leads to this [3] additional call to engine_unlocked_finish
which happens in 3.0.13 but not in 3.0.11.

I cannot say whether the new behaviour in openssl 3.0.13 is wrong,
or whether the issue is in libsofthsm2.

The same commands do not cause a crash in a trixie/testing VM.
The openssl 3.2.2-1 seems to contain the commit [4],
which just removes lines from ENGINE_load_private_key
below a comment "We enforce check for legacy key",
therefore the hurting call to engine_unlocked_finish seems
to be no longer reached in trixie/testing.

Kind regards,
Bernhard



[1]
(gdb) bt
#0  0x00007fe53b52ad4e in HandleManager::getSession (this=0x0, hSession=hSession@entry=1) at ./src/lib/handle_mgr/HandleManager.cpp:75
#1  0x00007fe53b4def69 in SoftHSM::C_CloseSession (this=0x561d3abf75a0, hSession=hSession@entry=1) at ./src/lib/SoftHSM.cpp:1366
#2  0x00007fe53b4bf3f4 in C_CloseSession (hSession=1) at ./src/lib/main.cpp:332
#3  0x00007fe53ad3189b in ?? () from /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
#4  0x00007fe53ad174a0 in ?? () from /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
#5  0x00007fe53ad17618 in ?? () from /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
#6  0x00007fe53b5939aa in pkcs11_slot_unref (slot=slot@entry=0x561d3ac54610) at ./src/p11_slot.c:433
#7  0x00007fe53b593a40 in pkcs11_release_slot (slot=0x561d3ac14140) at ./src/p11_slot.c:477
#8  pkcs11_release_all_slots (slots=0x561d3ac14140, nslots=<optimized out>) at ./src/p11_slot.c:464
#9  0x00007fe53b594348 in PKCS11_release_all_slots (pctx=<optimized out>, slots=<optimized out>, nslots=<optimized out>) at ./src/p11_front.c:111
#10 0x00007fe53b58cf5e in ctx_finish (ctx=0x561d3abf52c0) at ./src/eng_back.c:352
#11 0x00007fe53b58ae38 in engine_finish (engine=<optimized out>) at ./src/eng_front.c:163
#12 0x00007fe53b1e352f in engine_unlocked_finish (e=0x561d3abf7640, unlock_for_handlers=unlock_for_handlers@entry=0) at ../crypto/engine/eng_init.c:64
#13 0x00007fe53b1e5a52 in int_cleanup_cb_doall (p=0x561d3abf9340) at ../crypto/engine/eng_table.c:183
#14 int_cleanup_cb_doall (p=0x561d3abf9340) at ../crypto/engine/eng_table.c:177
#15 0x00007fe53b22c6f4 in doall_util_fn (arg=0x0, func_arg=0x0, func=func@entry=0x7fe53b1e5a30 <int_cleanup_cb_doall>, use_arg=0, lh=0x561d3abf8a10) at ../crypto/lhash/lhash.c:197
#16 OPENSSL_LH_doall (lh=0x561d3abf8a10, func=func@entry=0x7fe53b1e5a30 <int_cleanup_cb_doall>) at ../crypto/lhash/lhash.c:205
#17 0x00007fe53b1e5e31 in lh_ENGINE_PILE_doall (doall=0x7fe53b1e5a30 <int_cleanup_cb_doall>, lh=<optimized out>) at ../crypto/engine/eng_local.h:159
#18 engine_table_cleanup (table=0x7fe53b47f6f8 <rsa_table>) at ../crypto/engine/eng_table.c:192
#19 0x00007fe53b1e37a6 in engine_cleanup_cb_free (item=0x561d3abf9320) at ../crypto/engine/eng_lib.c:169
#20 0x00007fe53b2add20 in OPENSSL_sk_pop_free (st=0x561d3abfbdd0, func=0x7fe53b1e37a0 <engine_cleanup_cb_free>) at ../crypto/stack/stack.c:426
#21 0x00007fe53b1e3b89 in sk_ENGINE_CLEANUP_ITEM_pop_free (freefunc=0x7fe53b1e37a0 <engine_cleanup_cb_free>, sk=<optimized out>) at ../crypto/engine/eng_local.h:48
#22 engine_cleanup_int () at ../crypto/engine/eng_lib.c:176
#23 0x00007fe53b230e2e in OPENSSL_cleanup () at ../crypto/init.c:418
#24 OPENSSL_cleanup () at ../crypto/init.c:344
#25 0x00007fe53ae5d55d in __run_exit_handlers (status=status@entry=0, listp=0x7fe53aff1820 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at ./stdlib/exit.c:116
#26 0x00007fe53ae5d69a in __GI_exit (status=status@entry=0) at ./stdlib/exit.c:146
#27 0x0000561d393b82f1 in main (argc=<optimized out>, argv=<optimized out>) at ../apps/openssl.c:311



[2]
export SOFTHSM2_CONF=$HOME/softhsm-config.file
cat /usr/share/softhsm/softhsm2.conf | sed "s@/var/lib/softhsm/tokens/@$HOME/tokens@g" > $SOFTHSM2_CONF
mkdir $HOME/tokens/
softhsm2-util --init-token --free --label "example"

openssl req -newkey rsa:2048 -x509 -sha256 -days 365 -out example.crt -keyout key.pem
openssl pkcs8 -in key.pem -out key_unencrypted.pem
softhsm2-util --import key_unencrypted.pem --label "update" --id 1111 --token "example"

echo sw-description.in > sw-description.in
openssl cms -sign -engine pkcs11 -keyform engine -in sw-description.in -out sw-description.sig -signer example.crt -inkey "pkcs11:token=example;object=update" -outform DER -nosmimecap -binary



[3]
Old value = 6
New value = 7
0x00007fbc3efe3517 in engine_unlocked_finish (e=e@entry=0x56197f0db640, unlock_for_handlers=unlock_for_handlers@entry=1) at ../crypto/engine/eng_init.c:59
59          e->funct_ref--;
(rr) bt
#0  0x00007fbc3efe3517 in engine_unlocked_finish (e=e@entry=0x56197f0db640, unlock_for_handlers=unlock_for_handlers@entry=1) at ../crypto/engine/eng_init.c:59
#1  0x00007fbc3efe3725 in ENGINE_finish (e=0x56197f0db640) at ../crypto/engine/eng_init.c:108
#2  0x00007fbc3f01a68e in evp_pkey_free_legacy (x=x@entry=0x56197f0dd020) at ../crypto/evp/p_lib.c:1756
#3  0x00007fbc3f01a77e in evp_pkey_free_it (x=0x56197f0dd020) at ../crypto/evp/p_lib.c:1767
#4  pkey_set_type (pkey=0x56197f0dd020, e=<optimized out>, type=6, str=0x0, len=-1, keymgmt=0x0) at ../crypto/evp/p_lib.c:1518
#5  0x00007fbc3f01aa71 in EVP_PKEY_assign (pkey=pkey@entry=0x56197f0dd020, type=type@entry=6, key=key@entry=0x56197f10b710) at ../crypto/evp/p_lib.c:774
#6  0x00007fbc3f0190d6 in EVP_PKEY_set1_RSA (pkey=pkey@entry=0x56197f0dd020, key=key@entry=0x56197f10b710) at ../crypto/evp/p_legacy.c:27
#7  0x00007fbc3efe5486 in ENGINE_load_private_key (e=<optimized out>, key_id=0x56197f0e6910 "pkcs11:token=example;object=update", ui_method=ui_method@entry=0x56197f0ddda0, callback_data=callback_data@entry=0x7ffd57ebab70) at ../crypto/engine/eng_pkey.c:87
#8  0x000056197df1b1c7 in engine_load (ctx=0x56197f0e67c0, ui_method=0x56197f0ddda0, ui_data=0x7ffd57ebab70) at ../apps/lib/engine_loader.c:126
#9  0x00007fbc3f0af2e2 in OSSL_STORE_load (ctx=ctx@entry=0x56197f0df3b0) at ../crypto/store/store_lib.c:441
#10 0x000056197df1817a in load_key_certs_crls_suppress (uri=0x56197f0e6680 "org.openssl.engine:pkcs11:pkcs11:token=example;object=update", format=format@entry=8, maybe_stdin=maybe_stdin@entry=0, pass=<optimized out>, desc=0x56197df2cf77 "signing key", ppkey=ppkey@entry=0x7ffd57ebacb0, ppubkey=0x0, pparams=0x0, pcert=0x0, pcerts=0x0, pcrl=0x0, pcrls=0x0, suppress_decode_errors=0) at ../apps/lib/apps.c:974
#11 0x000056197df18db3 in load_key_certs_crls (uri=<optimized out>, format=format@entry=8, maybe_stdin=maybe_stdin@entry=0, pass=<optimized out>, desc=<optimized out>, ppkey=ppkey@entry=0x7ffd57ebacb0, ppubkey=0x0, pparams=0x0, pcert=0x0, pcerts=0x0, pcrl=0x0, pcrls=0x0) at ../apps/lib/apps.c:1101
#12 0x000056197df192fb in load_key (uri=<optimized out>, uri@entry=0x7ffd57ebb59e "pkcs11:token=example;object=update", format=8, may_stdin=may_stdin@entry=0, pass=<optimized out>, e=e@entry=0x56197f0db640, desc=desc@entry=0x56197df2cf77 "signing key") at ../apps/lib/apps.c:560
#13 0x000056197dece3ee in cms_main (argc=<optimized out>, argv=<optimized out>) at ../apps/cms.c:1077
#14 0x000056197dee29b1 in do_cmd (prog=prog@entry=0x56197f0db180, argc=argc@entry=18, argv=argv@entry=0x7ffd57ebb0f0) at ../apps/openssl.c:418
#15 0x000056197debe381 in main (argc=<optimized out>, argv=0x7ffd57ebb0f0) at ../apps/openssl.c:296



[4]
https://github.com/openssl/openssl/commit/39ea78379826fa98e8dc8c0d2b07e2c17cd68380
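
The comparison described in the message above (every modification of e->funct_ref in one OpenSSL build against the other) can be automated from two gdb watchpoint logs. The following is an added example, not part of the original mail or of any project named in it; the log excerpts are constructed, and parse_hits and extra_modifications are hypothetical helper names.

```python
import re
from collections import Counter

FRAME = re.compile(r"^#\d+\s+(?:0x[0-9a-f]+ in )?([\w:~?]+) \(")
VALUE = re.compile(r"^(Old|New) value = (-?\d+)")

def parse_hits(log, depth=3, reverse=False):
    """Hypothetical helper: one (delta, call_chain) pair per watchpoint hit."""
    hits, cur = [], None
    for line in log.splitlines():
        m = VALUE.match(line)
        if m and m.group(1) == "Old":
            cur = {"old": int(m.group(2)), "new": None, "chain": []}
            hits.append(cur)
        elif m and cur is not None:
            cur["new"] = int(m.group(2))
        elif cur is not None and len(cur["chain"]) < depth:
            f = FRAME.match(line)   # mail-wrapped continuation lines do not match
            if f:
                cur["chain"].append(f.group(1))
    sign = -1 if reverse else 1     # gdb swaps Old/New when executing backwards
    return [(sign * (h["new"] - h["old"]), tuple(h["chain"]))
            for h in hits if h["new"] is not None]

def extra_modifications(old_log, new_log, depth=3):
    """Hypothetical helper: counter changes seen more often in new_log than old_log."""
    extra = Counter(parse_hits(new_log, depth)) - Counter(parse_hits(old_log, depth))
    return sorted(extra.items())

# Constructed logs: addresses and values are made up; function names are from [1] and [3].
CLEANUP_HIT = """\
Old value = {old}
New value = {new}
#0  0x00007f0000001517 in engine_unlocked_finish (e=0x5500) at
../crypto/engine/eng_init.c:59
#1  0x00007f0000002a52 in int_cleanup_cb_doall (p=0x5600) at ../crypto/engine/eng_table.c:183
#2  engine_table_cleanup (table=0x5700) at ../crypto/engine/eng_table.c:192
"""
LOAD_KEY_HIT = """\
Old value = 3
New value = 2
#0  0x00007f0000001517 in engine_unlocked_finish (e=0x5500) at ../crypto/engine/eng_init.c:59
#1  0x00007f0000001725 in ENGINE_finish (e=0x5500) at ../crypto/engine/eng_init.c:108
#2  0x00007f000000468e in evp_pkey_free_legacy (x=0x5800) at ../crypto/evp/p_lib.c:1756
"""
LOG_OLD = CLEANUP_HIT.format(old=2, new=1)
LOG_NEW = LOAD_KEY_HIT + CLEANUP_HIT.format(old=1, new=0)
if __name__ == "__main__":
    print(extra_modifications(LOG_OLD, LOG_NEW))
```

Hits are matched on the change in value plus the innermost frames, so a call chain common to both runs cancels out even when the absolute counter values differ.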
