Home » Forums » Support

ePass2003 not working with libcurl-openssl [solved]

Submitted by johans on Tue, 01/31/2012 - 16:36
Posted in

My application uses libcurl to fetch an URL. This works fine with the Feitan ePass PKI token. But exactly the same code crashes with a segmentation fault when using the ePass2003 token. Any suggestions?

Stack trace from gdb:
#0 memset () at ../sysdeps/x86_64/memset.S:619
#1 0x00007ffff3b2ea08 in sc_transmit_apdu () from /usr/lib/libopensc.so.3
#2 0x00007ffff3b2992a in ?? () from /usr/lib/libopensc.so.3
#3 0x00007ffff3b258ed in sc_get_challenge () from /usr/lib/libopensc.so.3
#4 0x00007ffff3b77415 in ?? () from /usr/lib/libopensc.so.3
#5 0x00007ffff3b23b11 in sc_pin_cmd () from /usr/lib/libopensc.so.3
#6 0x00007ffff3e5dc9b in ?? () from /usr/lib/opensc-pkcs11.so
#7 0x00007ffff427d343 in ?? () from /usr/lib/libp11.so.1
#8 0x00007ffff427dcdb in PKCS11_enumerate_slots () from /usr/lib/libp11.so.1
#9 0x00007ffff448447e in ?? () from /usr/lib/engines/engine_pkcs11.so
#10 0x00007ffff673799e in ENGINE_ctrl_cmd () from /lib/libcrypto.so.0.9.8
#11 0x00007ffff7544b54 in ?? () from /usr/lib/libcurl.so.4
#12 0x00007ffff7545305 in Curl_ossl_connect () from /usr/lib/libcurl.so.4
#13 0x00007ffff7559ca7 in Curl_ssl_connect () from /usr/lib/libcurl.so.4
#14 0x00007ffff7532a24 in Curl_http_connect () from /usr/lib/libcurl.so.4
#15 0x00007ffff753a0ea in Curl_protocol_connect () from /usr/lib/libcurl.so.4
#16 0x00007ffff7540ca2 in Curl_connect () from /usr/lib/libcurl.so.4
#17 0x00007ffff754b9e8 in ?? () from /usr/lib/libcurl.so.4

Will try and rebuild the libraries to produce more detailed debugging information.

We are using the following software on a 64-bit Linux 2.6.35 system:
opensc 0.12.2
libccid 1.4.5
pcsc-lite 1.8.2
openssl 0.9.8o
libp11-1 0.2.7
engine-pkcs11-openssl 0.1.8
curl 7.21.3

Bookmark/Search this post with
0
Your rating: None
‹ pfSense <-> OTPRadServer Authentication/Accounting No groups are shown A little help sorting these concepts ›

Re: ePass2003 not working with libcurl-openssl

Submitted by johans on Thu, 02/02/2012 - 11:55.

The trace with a bit more detail:

#0 memset () at ../sysdeps/x86_64/memset.S:619
#1 0x00007ffff3b2daf8 in sc_transmit_apdu (card=0x663620, apdu=0x7ffff7fa80e0)
at apdu.c:627
#2 0x00007ffff3b28a1a in iso7816_get_challenge (card=0x663620,
rnd=0x7ffff7fa8250 "", len=8) at iso7816.c:530
#3 0x00007ffff3b249dd in sc_get_challenge (card=0x663620,
rnd=0x7ffff7fa8250 "", len=8) at card.c:635
#4 0x00007ffff3b76505 in get_external_key_retries (card=0x663620,
data=0x7ffff7fa82e0, tries_left=)
at card-epass2003.c:2075
#5 epass2003_pin_cmd (card=0x663620, data=0x7ffff7fa82e0,
tries_left=) at card-epass2003.c:2170
#6 0x00007ffff3b22c01 in sc_pin_cmd (card=0x663620, data=0x7ffff7fa82e0,
tries_left=0x0) at sec.c:159
#7 0x00007ffff3e5dccb in C_GetTokenInfo (slotID=,
pInfo=0x7ffff7faa5e0) at framework-pkcs15.c:355
#8 0x00007ffff427d343 in ?? () from /usr/lib/libp11.so.1
#9 0x00007ffff427dcdb in PKCS11_enumerate_slots () from /usr/lib/libp11.so.1
#10 0x00007ffff448447e in ?? () from /usr/lib/engines/engine_pkcs11.so
#11 0x00007ffff673799e in ENGINE_ctrl_cmd () from /lib/libcrypto.so.0.9.8
#12 0x00007ffff7544b54 in ?? () from /usr/lib/libcurl.so.4
#13 0x00007ffff7545305 in Curl_ossl_connect () from /usr/lib/libcurl.so.4

(gdb) frame 1
#1 0x00007ffff3b2daf8 in sc_transmit_apdu (card=0x663620, apdu=0x7ffff7fa80e0)
at apdu.c:627
627 u8 resp[SC_MAX_EXT_APDU_BUFFER_SIZE] = {0};
(gdb) print *card
$1 = {ctx = 0x64b220, reader = 0x662970, atr = {
value = ";\237\225\201\061\376\237\000fFS\005\001\000\021q\337\000\000\003\220\000\200\000\000\000\000\000\000\000\000\000", len = 23}, type = 19003,
caps = 5, flags = 0, cla = 0, max_send_size = 0, max_recv_size = 0, app = {
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, app_count = 0, ef_dir = 0x6640c0,
ef_atr = 0x0, algorithms = 0x661ff0, algorithm_count = 4, lock_count = 0,
driver = 0x7ffff3e41aa0, ops = 0x6637d0, name = 0x7ffff3bfff31 "epass2003",
drv_data = 0x0, max_pin_len = 0, cache = {current_path = {
value = "?\000P\025", '\000' , len = 4, index = 0,
count = 0, type = 2, aid = {value = '\000' ,
len = 0}}, current_ef = 0x0, current_df = 0x0, valid = 1}, serialnr = {
value = '\000' , len = 0, iin = {mii = 0 '\000',
country = 0, issuer_id = 0}}, mutex = 0x0, magic = 0}
(gdb) print *apdu
$2 = {cse = 2, cla = 0 '\000', ins = 132 '\204', p1 = 0 '\000', p2 = 0 '\000',
lc = 0, le = 8, data = 0x0, datalen = 0, resp = 0x7ffff7fa8140 "",
resplen = 8, control = 0 '\000', sw1 = 0, sw2 = 0, flags = 0, next = 0x0}

Re: ePass2003 not working with libcurl-openssl

Submitted by gooze on Fri, 02/03/2012 - 11:26.

The ePass2003 is compatible with OpenSC GIT branch and is being integrated into main trunk.
To compile from GIT, read: http://www.gooze.eu/howto/smartcard-quickstarter-guide/opensc-installati...

Re: ePass2003 not working with libcurl-openssl

Submitted by johans on Wed, 02/08/2012 - 14:09.

I did compile OpenSC from the git branch, following those instructions. With a basic OpenSC, it wouldn't have gotten this far and print a friendly error message early.

But with the OpenSC from git, it crashes with a segmentation fault.

Re: ePass2003 not working with libcurl-openssl

Submitted by gooze on Mon, 02/20/2012 - 16:02.

I am pushing this to Feitian R&D team.

Re: ePass2003 not working with libcurl-openssl

Submitted by Hooben on Wed, 02/22/2012 - 04:18.

Hi, johans
This is ben from Feitian tech support team, nice to meet you.
Could you tell me how to reproduce the problem or provide for us the sample code?

We appreciate.

My email:ben@ftsafe.com

Thanks.

Re: ePass2003 not working with libcurl-openssl

Submitted by johans on Mon, 02/27/2012 - 16:14.

I'm having a lot of trouble creating a simple C code example that demonstrates this issue. There is no problem when calling the individual functions. We assume it has something to do with multiple threads in our application that try to use the same token (although this access is not simultaneously).

We initialise the token using the OpenSSL engine interface and set a default PIN upon initialisation, using

ENGINE_ctrl_cmd_string(e, "PIN", "0000", 0);

Key and certificate load fine with

params.cert_id = name;
ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1));
key = ENGINE_load_private_key(e, name, NULL, NULL);

But when using the key for https authentication with curl (from another thread), it fails with the previous error. What we do here:

curl_easy_setopt(handle, CURLOPT_SSLENGINE, "pkcs11");
curl_easy_setopt(handle, CURLOPT_SSLKEYTYPE, "ENG");
curl_easy_setopt(handle, CURLOPT_SSLCERTTYPE, "ENG");
curl_easy_setopt(handle, CURLOPT_SSLCERT, name);
curl_easy_setopt(handle, CURLOPT_SSLKEY, name);
curl_easy_setopt(handle, CURLOPT_SSLENGINE_DEFAULT, 1L);
curl_easy_perform(handle);

Re: ePass2003 not working with libcurl-openssl

Submitted by Hooben on Tue, 02/28/2012 - 10:41.

Hijohans,
In my opinion:
1. Could you please test single thread or two threads ?
2. Below information, have you already login to ePass2003?
The trace with a bit more detail:

#0 memset () at ../sysdeps/x86_64/memset.S:619
#1 0x00007ffff3b2daf8 in sc_transmit_apdu (card=0x663620, apdu=0x7ffff7fa80e0)
at apdu.c:627
#2 0x00007ffff3b28a1a in iso7816_get_challenge (card=0x663620,
rnd=0x7ffff7fa8250 "", len=8) at iso7816.c:530

//sc_get_challenge means get random numbers from ePass2003
#3 0x00007ffff3b249dd in sc_get_challenge (card=0x663620, rnd=0x7ffff7fa8250 "", len=8) at card.c:635
#4 0x00007ffff3b76505 in get_external_key_retries (card=0x663620,
data=0x7ffff7fa82e0, tries_left=)
at card-epass2003.c:2075

Could you please print resp's data?

(gdb) print *apdu
$2 = {cse = 2, cla = 0 '\000', ins = 132 '\204', p1 = 0 '\000', p2 = 0 '\000',
lc = 0, le = 8, data = 0x0, datalen = 0, resp = 0x7ffff7fa8140 "",
resplen = 8, control = 0 '\000', sw1 = 0, sw2 = 0, flags = 0, next = 0x0}

3. I think the best way is to provide us your sample code, what do you think? or if you have any suggestion, please tell me.

Re: ePass2003 not working with libcurl-openssl

Submitted by Hooben on Sun, 03/04/2012 - 17:56.

Hi,johans

Our R&D have analysed the information you provided, but sorry to find nothing. Therefore here are two pieces of adivce on debugging of ePass2003 below:

1. Could you please offer the binary application for us to test? If your application call the OpenSC library, we R&D can debug of ePass2003.
2. If not, what about offering such a remote seesion, so that we can login to debug(SSH/TeamViewer)

Re: ePass2003 not working with libcurl-openssl

Submitted by Hooben on Wed, 03/14/2012 - 06:07.

Hi, Jean
Please help to change the bug status, Johan has resolved this problem.

Re: ePass2003 not working with libcurl-openssl

Submitted by gooze on Thu, 03/15/2012 - 14:37.

Yes, I changed status to resolved.