[qca] [Bug 482819] kwalletd6 sometimes crashed in QCA::PrivateKey::deriveKey when starting Proton VPN GUI

Matt Fagnani bugzilla_noreply at kde.org
Sun Mar 24 18:02:21 GMT 2024 

https://bugs.kde.org/show_bug.cgi?id=482819

--- Comment #7 from Matt Fagnani <matt.fagnani at bell.net> ---
In frame 1 in KWalletFreedesktopService::createSessionAlgorithmDhAes,
privateKey and publicKey had null d pointers and clientPublicKey had d = 0x75.
Those keys were generated by qca functions.

(gdb) frame 1
#1  0x000055fc1a8bc992 in
KWalletFreedesktopService::createSessionAlgorithmDhAes (this=0x7fcc2400a8a0,
clientKey=...)
    at
/usr/src/debug/kf6-kwallet-6.0.0-1.fc40.x86_64/src/runtime/kwalletd/kwalletfreedesktopservice.cpp:424
424         const auto commonSecret = privateKey.deriveKey(clientPublicKey);
(gdb) l
419         }
420
421         auto privateKey = QCA::PrivateKey(keygen.createDH(dlGroup));
422         const auto publicKey = QCA::PublicKey(privateKey);
423         const auto clientPublicKey = QCA::DHPublicKey(dlGroup,
QCA::BigInteger(QCA::SecureArray(clientKey)));
424         const auto commonSecret = privateKey.deriveKey(clientPublicKey);
425         const auto symmetricKey = QCA::HKDF().makeKey(commonSecret, {}, {},
FDO_SECRETS_CIPHER_KEY_SIZE);
426
427         return
std::make_unique<KWalletFreedesktopSessionAlgorithmDhAes>(publicKey,
symmetricKey);
428     }
(gdb) p privateKey
$5 = {<QCA::PKey> = {<QCA::Algorithm> = {_vptr.Algorithm = 0x7fcc3e18e598
<vtable for QCA::PrivateKey+16>, d = {
        d = 0x0}}, d = 0x55fc1c7b50e0}, d = 0x7ffff0079b90}
(gdb) p publicKey
$6 = {<QCA::PKey> = {<QCA::Algorithm> = {_vptr.Algorithm = 0x7fcc3e18e5b8
<vtable for QCA::PublicKey+16>, d = {
        d = 0x0}}, d = 0x55fc1c7dca80}, d = 0x7ffff0079b90}
(gdb) p clientPublicKey
$7 = {<QCA::PublicKey> = {<QCA::PKey> = {<QCA::Algorithm> = {
        _vptr.Algorithm = 0x7fcc3e18d880 <vtable for QCA::DHPublicKey+16>, d =
{d = 0x55fc1c7dcaa0}}, 
      d = 0x55fc1c819ac0}, d = 0x75}, <No data fields>}
(gdb) p commonSecret
$8 = {<QCA::SecureArray> = {<QCA::MemoryRegion> = {_secure = 96, d = {
        d = 0x7fcc3bc3dc88 <_dbus_type_writer_write_basic+152>}}, <No data
fields>}, <No data fields>}
(gdb) p symmetricKey
$9 = {<QCA::SecureArray> = {<QCA::MemoryRegion> = {_secure = 38, d = {
        d = 0x7ffff0079a50}}, <No data fields>}, <No data fields>}

I used evince (Document Viewer) to open an encrypted pdf in Plasma 6.0.2, and
kwalletd6 crashed with the same kind of trace when the password dialog box
appeared. I used GNOME Disks to mount a LUKS encrypted partition in Plasma
6.0.2, and kwalletd6 crashed with the same sort of trace. The problem might be
with GTK programs using the Secret Service interface in Plasma and qca 2.3.8
generating keys with those null or invalid pointers.

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the Unassigned-bugs mailing list