Segmentation Fault using OpenSC with pam_pkcs11 (pkcs11_inspect) #1244
Comments
Here is the GDB output:
For what it's worth, if I force OpenSC to use the coolkey driver, I do not get a seg fault...
Which version of SC-HSM are you using? Could you write out the APDUs (
To my knowledge, I am not running SC-HSM. The card is a SafeNet SC650.
At least OpenSC is thinking you're using a SC-HSM. Please send a debug log from something like
FWIW, I had to specify the module explicitly...
card-sc-hsm.c issues SELECT AID for
But in
where it does some additional checking of the response. Even that code is questionable. The card may assume this was a valid select file, as there is no requirement to support AID and it did not ask for any response data. I think the sc_match_card should request a response and check it closely to make sure this is a More issues with the
Forcing coolkey allows me to use pkcs11_inspect and see the cn and pwent data. But, if I do pkcs11 --test --login, I get a pkcs11 function error: C_SignFinal failed: rv = CKR_ARGUMENTS_BAD(0x7). I read on another forum that someone was getting the same error in 0.16 using Slackware and they fixed it by increasing the max send and receive size to 511 and 512, respectively. I tried that and got the same error; I even tried increasing it to max size. I am guessing this is because OpenSC doesn't fully support the SafeNet SC650 card, even using coolkey libraries.
I fixed the segmentation fault in the pull request. From the product sheet it looks like your token is a Java Card that can load other applets; in particular, it is possible that it contains the SC-HSM applet. If that should not be the case, then you should report to SafeNet that your card erroneously reports the existence of the SC-HSM applet. You should ask what kind of PKI applet exists on your card so that forcing an internal card driver allows you to use the token.
I don't quite understand why the other card issues a SW1/SW2=9000 in response to a SELECT with unknown FID or AID. This is a severe bug in the other card implementation. However, what puzzles me is that the driver tries to select the sc-hsm applet even though the ATR does not match the ATR whitelist. I have a feeling that the issue is caused by 3e7f7e6.
@CardContact the whitelist is a shortcut to avoid the selection (to be faster). If it doesn't match then
With a card not in the match list, such as Yubikey, the ATR is matched twice. ../../../src/src/libopensc/card.c:273:sc_connect_card: trying driver 'sc-hsm' This is an example of another driver using the SELECT AID causing interference because the older Yubikey loses the login state. So the bug looks like it is the user's card should not have returned
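The check proposed in the comments above (request response data on SELECT AID and verify it, instead of trusting SW1/SW2=9000 alone), as an added example that is not OpenSC code and not part of the thread. `tlv_find`, `select_confirms_aid` and the sample AID and responses are hypothetical and constructed; the example assumes the card answers with an ISO 7816-4 FCI template (tag 6F) that contains the DF name (tag 84).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Find a single-byte tag in a flat BER-TLV buffer; returns the value pointer
 * and sets *out_len, or NULL if the tag is absent or the data is malformed. */
static const uint8_t *tlv_find(const uint8_t *buf, size_t len, uint8_t tag,
                               size_t *out_len)
{
    size_t i = 0;
    while (i + 2 <= len) {
        uint8_t t = buf[i++];
        size_t l = buf[i++];
        if (l == 0x81) {                 /* one-byte long-form length */
            if (i >= len) return NULL;
            l = buf[i++];
        } else if (l > 0x7F) {
            return NULL;                 /* longer forms not expected in an FCI */
        }
        if (l > len - i) return NULL;    /* value would overrun the buffer */
        if (t == tag) { *out_len = l; return buf + i; }
        i += l;
    }
    return NULL;
}

/* Returns 1 only if the response APDU ends in 9000 AND carries an FCI
 * template (6F) whose DF name (84) equals the AID that was selected. */
int select_confirms_aid(const uint8_t *resp, size_t resp_len,
                        const uint8_t *aid, size_t aid_len)
{
    const uint8_t *fci, *name;
    size_t fci_len, name_len;

    if (resp == NULL || resp_len < 2) return 0;
    if (resp[resp_len - 2] != 0x90 || resp[resp_len - 1] != 0x00) return 0;
    fci = tlv_find(resp, resp_len - 2, 0x6F, &fci_len);
    if (fci == NULL) return 0;           /* bare 9000 is not proof of the applet */
    name = tlv_find(fci, fci_len, 0x84, &name_len);
    if (name == NULL || name_len != aid_len) return 0;
    return memcmp(name, aid, aid_len) == 0;
}

/* Constructed sample data (not from the issue): a made-up AID and responses. */
static const uint8_t SAMPLE_AID[] = {0xA0,0x00,0x00,0x00,0x01,0x02};
static const uint8_t RESP_BARE[]  = {0x90,0x00};
static const uint8_t RESP_FCI[]   = {0x6F,0x08,0x84,0x06,0xA0,0x00,0x00,0x00,0x01,0x02,0x90,0x00};
static const uint8_t RESP_OTHER[] = {0x6F,0x08,0x84,0x06,0xA0,0x00,0x00,0x00,0x01,0x03,0x90,0x00};
```

A driver's match routine built this way rejects a card that answers 9000 to any SELECT, because the bare status word carries no DF name to compare.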
Problem Description
Last week, I was able to use a token that OpenSC identifies as SmartCard-HSM. I would at least get to the PIN request. This week, I rebuilt a machine and reinstalled OpenSC 0.17 using the default options. Now, I get a segmentation fault in pam_pkcs11 using the exact same token.
Steps to reproduce
Install OpenSC and pam_pkcs11. Token identifies as SmartCard-HSM by default.
pam_pkcs11.conf is set up to use opensc.
module is set to 'module = "/usr/lib/opensc-pkcs11.so";' (if left without the absolute path, the module is not found)
Run pkcs11_inspect. Segmentation Fault.