[qca] [Bug 482819] kwalletd6 sometimes crashed in QCA::PrivateKey::deriveKey when starting Proton VPN GUI

Matt Fagnani bugzilla_noreply at kde.org
Sun Mar 31 04:21:51 BST 2024


https://bugs.kde.org/show_bug.cgi?id=482819

Matt Fagnani <matt.fagnani at bell.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDSINFO                   |REPORTED
         Resolution|WAITINGFORINFO              |---

--- Comment #21 from Matt Fagnani <matt.fagnani at bell.net> ---
I created an OpenPGP key in KGpg. I exported my Blowfish encrypted wallet, and
then I deleted it in kwalletmanager. I created a new wallet with my OpenPGP key
in kwalletmanager. The Proton VPN GUI and kwalletd6 didn't crash when I started
the Proton VPN GUI, but when I tried to log in to Proton VPN, kwalletd6 crashed
with the same trace and an error popup like "Something went wrong. We're sorry,
a problem occurred" was shown in Proton VPN GUI. I think the problem occurred
when logging in instead of starting because the wallet was empty at that point.
This test and the following were with qca 2.3.8 plus the patch in comment 11.

In another Plasma session, I closed the new wallet encrypted with the OpenPGP
key in kwalletmanager. I ran killall kwalletd6 twice as suggested in comment 9.
I ran OPENSSL_CONF=openssl.cnf kwalletd6. I opened the wallet in kwalletmanager.
I ran Proton VPN GUI and logged in. The login completed without the kwalletd6
crash or the Proton VPN error happening. So this test supports your theory.

I closed the wallet again in kwalletmanager. I ran killall kwalletd6 twice. I
ran ltrace -fCl 'libcrypto*' kwalletd6. Proton VPN crashed when starting, and
kwalletd6 also crashed as shown in the following output.

kf.wallet.kwalletd: Lacking a socket, pipe: 0 env: 0
[pid 67660] +++ exited (status 0) +++
[pid 67659] +++ exited (status 0) +++
[pid 67658] +++ exited (status 0) +++
[pid 67657] +++ exited (status 0) +++
[pid 67656] +++ exited (status 0) +++
[pid 67655] +++ exited (status 0) +++
[pid 67702] +++ exited (status 0) +++
[pid 67703] --- Called exec() ---
[pid 67645] --- SIGCHLD (Child exited) ---
[pid 67703] +++ exited (status 0) +++
[pid 67708] +++ exited (status 0) +++
[pid 67709] --- Called exec() ---
[pid 67645] --- SIGCHLD (Child exited) ---
[pid 67709] +++ exited (status 0) +++
[pid 67710] +++ exited (status 0) +++
[pid 67711] --- Called exec() ---
[pid 67645] --- SIGCHLD (Child exited) ---
[pid 67711] +++ exited (status 0) +++
[pid 67712] +++ exited (status 0) +++
[pid 67713] --- Called exec() ---
[pid 67645] --- SIGCHLD (Child exited) ---
[pid 67713] +++ exited (status 0) +++
[pid 67714] +++ exited (status 0) +++
[pid 67715] --- Called exec() ---
[pid 67645] --- SIGCHLD (Child exited) ---
[pid 67715] +++ exited (status 0) +++
[pid 67716] +++ exited (status 0) +++
[pid 67717] --- Called exec() ---
[pid 67645] --- SIGCHLD (Child exited) ---
[pid 67717] +++ exited (status 0) +++
[pid 67731] +++ exited (status 0) +++
[pid 67732] --- Called exec() ---
[pid 67645] --- SIGCHLD (Child exited) ---
[pid 67732] +++ exited (status 0) +++
[pid 67645] libQt6Core.so.6->OSSL_PROVIDER_load(0, 0x7f8f9fe97499,
0x55d2a3168010, 2) = 0x7f8f78001ff0
[pid 67645] libQt6Core.so.6->EVP_MD_CTX_new(0, 0x7f8f9e313480, 0, 0)      =
0x55d2a347f150
[pid 67645] libQt6Core.so.6->EVP_MD_fetch(0, 0x7f8f9fe993b4, 0x7f8f9fe99415,
0x55d2a347f150) = 0x55d2a3525340
[pid 67645] libQt6Core.so.6->EVP_DigestInit_ex(0x55d2a347f150, 0x55d2a3525340,
0, 0) = 1
[pid 67645] libQt6Core.so.6->EVP_MD_CTX_reset(0x55d2a347f150, 0, 0xffffffee, 0)
= 1
[pid 67645] libQt6Core.so.6->EVP_DigestInit_ex(0x55d2a347f150, 0x55d2a3525340,
0, 4) = 1
[pid 67645] libQt6Core.so.6->EVP_DigestUpdate(0x55d2a347f150, 0x55d2a34961c0,
9, 0x55d2a34961c0) = 1
[pid 67645] libQt6Core.so.6->EVP_MD_CTX_new(0x55d2a31ea910, 1, 0x55d2a31eaab8,
3) = 0x55d2a3526430
[pid 67645] libQt6Core.so.6->EVP_MD_CTX_copy_ex(0x55d2a3526430, 0x55d2a347f150,
72, 0x55d2a3526430) = 1
[pid 67645] libQt6Core.so.6->EVP_MD_get_size(0x55d2a3525340, -1025,
0x55d2a3168010, 2) = 16
[pid 67645] libQt6Core.so.6->EVP_DigestFinal_ex(0x55d2a3526430, 0x55d2a31eaab8,
0, 2) = 1
[pid 67645] libQt6Core.so.6->EVP_MD_CTX_free(0x55d2a3526430, 0, 0xcbbdf5df,
0x6f4d0cef) = 3
[pid 67645] libQt6Core.so.6->EVP_MD_CTX_reset(0x55d2a347f150, 0, 0xffffffee, 0)
= 1
[pid 67645] libQt6Core.so.6->EVP_DigestInit_ex(0x55d2a347f150, 0x55d2a3525340,
0, 4) = 1
[pid 67645] libQt6Core.so.6->EVP_DigestUpdate(0x55d2a347f150, 0x55d2a35263f0,
18, 0x55d2a35263f0) = 1
[pid 67645] libQt6Core.so.6->EVP_MD_CTX_new(0x55d2a31ea910, 1, 0x55d2a31eaab8,
2) = 0x55d2a35263e0
[pid 67645] libQt6Core.so.6->EVP_MD_CTX_copy_ex(0x55d2a35263e0, 0x55d2a347f150,
72, 0x55d2a35263e0) = 1
[pid 67645] libQt6Core.so.6->EVP_MD_get_size(0x55d2a3525340, -1025,
0x55d2a3168010, 2) = 16
[pid 67645] libQt6Core.so.6->EVP_DigestFinal_ex(0x55d2a35263e0, 0x55d2a31eaab8,
0, 2) = 1
[pid 67645] libQt6Core.so.6->EVP_MD_CTX_free(0x55d2a35263e0, 0, 0x5d349bcd,
0x77b40417) = 3
[pid 67645] libQt6Core.so.6->EVP_MD_CTX_reset(0x55d2a347f150, 0, 0xffffffee, 0)
= 1
[pid 67645] libQt6Core.so.6->EVP_DigestInit_ex(0x55d2a347f150, 0x55d2a3525340,
0, 4) = 1
[pid 67645] libQt6Core.so.6->EVP_DigestUpdate(0x55d2a347f150, 0x55d2a34961c0,
9, 0x55d2a34961c0) = 1
[pid 67645] libQt6Core.so.6->EVP_MD_CTX_new(0x55d2a31ea910, 1, 0x55d2a31eaab8,
3) = 0x55d2a35263e0
[pid 67645] libQt6Core.so.6->EVP_MD_CTX_copy_ex(0x55d2a35263e0, 0x55d2a347f150,
72, 0x55d2a35263e0) = 1
[pid 67645] libQt6Core.so.6->EVP_MD_get_size(0x55d2a3525340, -1025,
0x55d2a3168010, 2) = 16
[pid 67645] libQt6Core.so.6->EVP_DigestFinal_ex(0x55d2a35263e0, 0x55d2a31eaab8,
0, 2) = 1
[pid 67645] libQt6Core.so.6->EVP_MD_CTX_free(0x55d2a35263e0, 0, 0x732c9dae,
0x53e03c09) = 3
[pid 67645] libQt6Core.so.6->EVP_MD_CTX_reset(0x55d2a347f150, 0x1000000,
0xffffffee, 0) = 1
[pid 67645] libQt6Core.so.6->EVP_DigestInit_ex(0x55d2a347f150, 0x55d2a3525340,
0, 4) = 1
[pid 67645] libQt6Core.so.6->EVP_DigestUpdate(0x55d2a347f150, 0x55d2a3526490,
14, 0x55d2a3526490) = 1
[pid 67645] libQt6Core.so.6->EVP_MD_CTX_new(0x55d2a31ea910, 1, 0x55d2a31eaab8,
3) = 0x55d2a3526480
[pid 67645] libQt6Core.so.6->EVP_MD_CTX_copy_ex(0x55d2a3526480, 0x55d2a347f150,
72, 0x55d2a3526480) = 1
[pid 67645] libQt6Core.so.6->EVP_MD_get_size(0x55d2a3525340, -1025,
0x55d2a3168010, 2) = 16
[pid 67645] libQt6Core.so.6->EVP_DigestFinal_ex(0x55d2a3526480, 0x55d2a31eaab8,
0, 2) = 1
[pid 67645] libQt6Core.so.6->EVP_MD_CTX_free(0x55d2a3526480, 0, 0x537ff04d,
0x8df18c35) = 3
[pid 67645] libQt6Core.so.6->EVP_MD_CTX_reset(0x55d2a347f150,
0x5d005b0004000000, 0xffffffee, 0) = 1
[pid 67645] libQt6Core.so.6->EVP_DigestInit_ex(0x55d2a347f150, 0x55d2a3525340,
0, 4) = 1
[pid 67645] libQt6Core.so.6->EVP_DigestUpdate(0x55d2a347f150, 0x55d2a353e030,
46, 0x55d2a353e030) = 1
[pid 67645] libQt6Core.so.6->EVP_MD_CTX_new(0x55d2a31ea910, 1, 0x55d2a31eaab8,
7) = 0x55d2a3526480
[pid 67645] libQt6Core.so.6->EVP_MD_CTX_copy_ex(0x55d2a3526480, 0x55d2a347f150,
72, 0x55d2a3526480) = 1
[pid 67645] libQt6Core.so.6->EVP_MD_get_size(0x55d2a3525340, -1025,
0x55d2a3168010, 2) = 16
[pid 67645] libQt6Core.so.6->EVP_DigestFinal_ex(0x55d2a3526480, 0x55d2a31eaab8,
0, 2) = 1
[pid 67645] libQt6Core.so.6->EVP_MD_CTX_free(0x55d2a3526480, 0, 0x808c8b58,
0x54be220b) = 3
[pid 67736] +++ exited (status 0) +++
[pid 67737] --- Called exec() ---
[pid 67645] --- SIGCHLD (Child exited) ---
[pid 67737] +++ exited (status 0) +++
[pid 67645] libQt6Core.so.6->OSSL_PROVIDER_unload(0x7f8f78001ff0,
0x55d2a34da980, 0xfffffffa, 0x7f8f9f5f2b20) = 1
[pid 67645] libQt6Core.so.6->EVP_MD_CTX_free(0x55d2a347f150, 0, 0, 0)     = 3
[pid 67645] libQt6Core.so.6->EVP_MD_free(0x55d2a3525340, 0x55d2a347f140,
0x55d2a347f, 1) = 1
[pid 67645] --- SIGSEGV (Segmentation fault) ---
[pid 67650] +++ killed by SIGSEGV +++
[pid 67654] +++ killed by SIGSEGV +++
[pid 67653] +++ killed by SIGSEGV +++
[pid 67652] +++ killed by SIGSEGV +++
[pid 67651] +++ killed by SIGSEGV +++
[pid 67649] +++ killed by SIGSEGV +++
[pid 67648] +++ killed by SIGSEGV +++
[pid 67647] +++ killed by SIGSEGV +++
[pid 67646] +++ killed by SIGSEGV +++
[pid 67645] +++ killed by SIGSEGV +++


Before those tests, I attached gdb to kwalletd6 with gdb -p $(pidof kwalletd6).
I set a breakpoint with b kwalletfreedesktopservice.cpp:415. I stepped through
each line. In the line auto privateKey =
QCA::PrivateKey(keygen.createDH(dlGroup)); I saw that the provider and
algorithm had null pointers.

(gdb) s
QCA::KeyGenerator::createDH (this=this@entry=0x7fffd8d8f0c0, domain=...,
provider=...)
    at /usr/src/debug/qca-2.3.8-2.fc40.x86_64/src/qca_publickey.cpp:1265
1265        d->key         = PrivateKey();
(gdb) l
1260    PrivateKey KeyGenerator::createDH(const DLGroup &domain, const QString
&provider)
1261    {
1262        if (isBusy())
1263            return PrivateKey();
1264
1265        d->key         = PrivateKey();
1266        d->wasBlocking = d->blocking;
1267        d->k           = static_cast<DHContext
*>(getContext(QStringLiteral("dh"), provider));
1268        d->dest        = static_cast<PKeyContext
*>(getContext(QStringLiteral("pkey"), d->k->provider()));
1269
(gdb) p d
$7 = (QCA::KeyGenerator::Private *) 0x55bcd8644770
(gdb) p d->key
$8 = {<QCA::PKey> = {<QCA::Algorithm> = {_vptr.Algorithm = 0x7fb661b8a578
<vtable for QCA::PrivateKey+16>, d = {
        d = 0x0}}, d = 0x55bcd834ac70}, d = 0x69007800710076}
(gdb) p domain
$9 = (const QCA::DLGroup &) @0x7fffd8d8f048: {d = 0x55bcd86155d0}
(gdb) p domain->d
$10 = (QCA::DLGroup::Private *) 0x55bcd86155d0
(gdb) p *(domain->d)
$11 = {p = {d = {d = 0x55bcd86151d0}}, q = {d = {d = 0x55bcd8617f90}}, g = {d =
{d = 0x55bcd835ba30}}}
(gdb) p provider
$12 = (const QString &) @0x7fffd8d8f180: {d = {d = 0x0, ptr = 0x0, size = 0},
static _empty = 0 u'\000'}
(gdb) p provider->d
$13 = {d = 0x0, ptr = 0x0, size = 0}
...
(gdb) s
QCA::Algorithm::operator= (this=0x55bcd8644790, from=...)
    at /usr/src/debug/qca-2.3.8-2.fc40.x86_64/src/qca_core.cpp:1310
1310    {
(gdb) l
1305    Algorithm::~Algorithm()
1306    {
1307    }
1308
1309    Algorithm &Algorithm::operator=(const Algorithm &from)
1310    {
1311        d = from.d;
1312        return *this;
1313    }
1314
(gdb) p from
$21 = (const QCA::Algorithm &) @0x7fffd8d8ef60: {_vptr.Algorithm =
0x7fb661b8a578 <vtable for QCA::PrivateKey+16>, d = {
    d = 0x0}}
(gdb) p from.d
$22 = {d = 0x0}
(gdb) p *this
$23 = {_vptr.Algorithm = 0x7fb661b8a578 <vtable for QCA::PrivateKey+16>, d = {d
= 0x0}}

The programs checked various providers after that, but possibly no provider was
selected due to the issue you mentioned. Then, the private key had the null
pointer and kwalletd6 crashed as before.

Fedora's default crypto policy has a minimum DH key size of 2048 as I mentioned
in comment 17. The DH keys generated in
KWalletFreedesktopService::createSessionAlgorithmDhAes used QCA::IETF_1024.
Could that be an additional check leading to the legacy providers' path being
used? Thanks.

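One way to triage a trace like the ltrace -f output in the comment above, added here as an example that is not part of the original bug comment or of the QCA or KWallet code: it rejoins the hard-wrapped records and reports the last library calls made by the process that received SIGSEGV. The sample input, the function names unwrap and triage, and the result keys are constructed for illustration.

```python
import re

# Constructed sample in the format of the ltrace -f output above, including
# the hard wrapping that splits one call record across two lines.
SAMPLE = """\
[pid 100] libQt6Core.so.6->OSSL_PROVIDER_load(0, 0x7f00, 0x5500, 2) = 0x7f10
[pid 100] libQt6Core.so.6->EVP_MD_get_size(0x5510, -1025, 0x5500, 2) = 16
[pid 101] +++ exited (status 0) +++
[pid 100] libQt6Core.so.6->OSSL_PROVIDER_unload(0x7f10,
0x5520, 0xfffffffa, 0x7f30) = 1
[pid 100] libQt6Core.so.6->EVP_MD_free(0x5510, 0x5530, 0x5540, 1)     =
1
[pid 100] --- SIGSEGV (Segmentation fault) ---
"""

CALL = re.compile(r"\[pid (\d+)\] (\S+)->(\w+)\((.*)\)\s*=\s*(\S+)$")
SIGNAL = re.compile(r"\[pid (\d+)\] --- (SIG\w+) \(.*\) ---$")

def unwrap(text):
    """Rejoin hard-wrapped records; every real record starts with '[pid '."""
    records = []
    for line in text.splitlines():
        if line.startswith("[pid ") or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def triage(text, fatal="SIGSEGV", tail=3):
    """Summarise the library calls of the first pid that received `fatal`."""
    calls = {}  # pid -> list of (function, return value)
    for rec in unwrap(text):
        m, s = CALL.match(rec), SIGNAL.match(rec)
        if m:
            calls.setdefault(m[1], []).append((m[3], m[5]))
        elif s and s[2] == fatal:
            history = calls.get(s[1], [])
            funcs = [f for f, _ in history]
            return {
                "pid": s[1],
                "last_calls": funcs[-tail:],
                # 0 means every loaded provider was unloaded before the fault.
                "providers_live": funcs.count("OSSL_PROVIDER_load")
                - funcs.count("OSSL_PROVIDER_unload"),
                "digest_sizes": sorted({int(r, 0) for f, r in history
                                        if f == "EVP_MD_get_size"}),
            }
    return None

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Lines that do not start with "[pid " are treated as continuations of the previous record, so unrelated stderr output interleaved in a real trace should be filtered out first.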