Bug 423349

Summary: Plasma-nm crashed every time when configuring WPA2-Enterprise Wifi with EAP-TLS with public key only CA certificate file
Product: [Plasma] plasma-nm Reporter: einbert-xeride
Component: editorAssignee: Jan Grulich <jgrulich>
Status: RESOLVED FIXED    
Severity: crash CC: jgrulich, nate
Priority: NOR    
Version: 5.19.1   
Target Milestone: ---   
Platform: Arch Linux   
OS: Linux   
See Also: https://bugs.kde.org/show_bug.cgi?id=423355
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: Stacktrace with plasma-nm recompiled with debug symbols

Description einbert-xeride 2020-06-22 09:19:04 UTC 
Qt Version: 5.15.0
Frameworks Version: 5.71.0
Operating System: Linux 5.7.4-arch1-1 x86_64
Windowing system: X11
Distribution: "Arch Linux"

-- Information about the crash:
- What I was doing when the application crashed:

 * Creating WPA2-Enterprise wifi connection with EAP-TLS, after selected the CA certificate file.
 * Viewing information of such wifi connection (manually created by nmcli, since kcm page kept crashing after selected the CA certificate file).

The certificate file is self-signed, using ECDSA signature with SHA-384, contains only public key. Exported from macOS 10.15 "Keychain Access" application.

`openssl x509 -in *********RootCert.crt -inform DER -text -noout` got:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            <hidden>
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = <hidden>, ST = <hidden>, L = <hidden>, O = <hidden>, OU = <hidden>, CN = <hidden>
        Validity
            Not Before: <hidden> GMT
            Not After : <hidden> GMT
        Subject: C = <hidden>, ST = <hidden>, L = <hidden>, O = <hidden>, OU = <hidden>, CN = <hidden>
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    <hidden>
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                <hidden>
    Signature Algorithm: ecdsa-with-SHA384
         <hidden>

QCA version is 2.3.0.

The crash can be reproduced every time.

-- Backtrace:
Application: System Settings Module (kcmshell5), signal: Segmentation fault

[KCrash Handler]
#4  0x00007fd9d4c47631 in QCA::PKey::type() const (this=<optimized out>) at /usr/src/debug/qca-2.3.0/src/qca_publickey.cpp:626
#5  QCA::PKey::type() const (this=<optimized out>) at /usr/src/debug/qca-2.3.0/src/qca_publickey.cpp:622
#6  0x00007fd9d4c4767a in QCA::PKey::isRSA() const (this=<optimized out>) at /usr/src/debug/qca-2.3.0/src/qca_publickey.cpp:636
#7  0x00007fd9d5064e19 in Security8021x::isValid() const () at /usr/lib/libplasmanm_editor.so
#8  0x00007fd9d5093333 in SettingWidget::slotWidgetChanged() () at /usr/lib/libplasmanm_editor.so
#9  0x00007fd9dc9cb906 in  () at /usr/lib/libQt5Core.so.5
#10 0x00007fd9d503b923 in PasswordField::textChanged(QString const&) () at /usr/lib/libplasmanm_editor.so
#11 0x00007fd9dc9cb906 in  () at /usr/lib/libQt5Core.so.5
#12 0x00007fd9dd5a8313 in QLineEdit::textChanged(QString const&) () at /usr/lib/libQt5Widgets.so.5
#13 0x00007fd9dc9cb940 in  () at /usr/lib/libQt5Core.so.5
#14 0x00007fd9dd5af106 in QWidgetLineControl::textChanged(QString const&) () at /usr/lib/libQt5Widgets.so.5
#15 0x00007fd9dd5b269e in QWidgetLineControl::finishChange(int, bool, bool) () at /usr/lib/libQt5Widgets.so.5
#16 0x00007fd9dd5b291e in QWidgetLineControl::internalSetText(QString const&, int, bool) () at /usr/lib/libQt5Widgets.so.5
#17 0x00007fd9d5061212 in Security8021x::loadSecrets(QSharedPointer<NetworkManager::Setting> const&) () at /usr/lib/libplasmanm_editor.so
#18 0x00007fd9d50748cb in WifiSecurity::loadSecrets(QSharedPointer<NetworkManager::Setting> const&) () at /usr/lib/libplasmanm_editor.so
#19 0x00007fd9d509848a in ConnectionEditorBase::replyFinished(QDBusPendingCallWatcher*) () at /usr/lib/libplasmanm_editor.so
#20 0x00007fd9dc9cb906 in  () at /usr/lib/libQt5Core.so.5
#21 0x00007fd9dda9f8e0 in QDBusPendingCallWatcher::finished(QDBusPendingCallWatcher*) () at /usr/lib/libQt5DBus.so.5
#22 0x00007fd9dc9c10b2 in QObject::event(QEvent*) () at /usr/lib/libQt5Core.so.5
#23 0x00007fd9dd464702 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () at /usr/lib/libQt5Widgets.so.5
#24 0x00007fd9dc99469a in QCoreApplication::notifyInternal2(QObject*, QEvent*) () at /usr/lib/libQt5Core.so.5
#25 0x00007fd9dc997183 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () at /usr/lib/libQt5Core.so.5
#26 0x00007fd9dc9edbd4 in  () at /usr/lib/libQt5Core.so.5
#27 0x00007fd9daa4643c in g_main_context_dispatch () at /usr/lib/libglib-2.0.so.0
#28 0x00007fd9daa93fa9 in  () at /usr/lib/libglib-2.0.so.0
#29 0x00007fd9daa45221 in g_main_context_iteration () at /usr/lib/libglib-2.0.so.0
#30 0x00007fd9dc9ed211 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib/libQt5Core.so.5
#31 0x00007fd9dc99301c in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib/libQt5Core.so.5
#32 0x00007fd9dc99b4a4 in QCoreApplication::exec() () at /usr/lib/libQt5Core.so.5
#33 0x000055ebdbcc81d4 in  ()
#34 0x00007fd9dc365002 in __libc_start_main () at /usr/lib/libc.so.6
#35 0x000055ebdbcc8bce in _start ()
[Inferior 1 (process 27871) detached]
Comment 1 einbert-xeride 2020-06-22 09:28:53 UTC 
Created attachment 129576 [details]
Stacktrace with plasma-nm recompiled with debug symbols
Comment 2 Jan Grulich 2020-06-22 10:28:34 UTC 
Can you install debug symbols for qt-qca2? Any chance this or similar certificate can be downloaded somewhere so I can try?
Comment 3 einbert-xeride 2020-06-22 10:32:48 UTC 
(In reply to Jan Grulich from comment #2)
> Can you install debug symbols for qt-qca2? Any chance this or similar
> certificate can be downloaded somewhere so I can try?

Debug symbols for `qca` (arch linux package name) is actually installed by recompiled it from source, enable "debug" and disable "strip" in /etc/makepkg.conf

------------

After investigation, seems that the crash is actually caused by private key, not CA certificate file.

Test code:

```
#include <QtCrypto>
#include <QDebug>

int main()
{
    QCA::Initializer init;
    qDebug() << "isSupported(\"pkcs12\"):" << QCA::isSupported("pkcs12"); // got "true"
    QCA::ConvertResult convRes;
    QCA::KeyBundle keyBundle = QCA::KeyBundle::fromFile("/opt/****/cert.p12", "************", &convRes);
    qDebug() << "convRes:" << convRes; // got "0"
    const QCA::PrivateKey pkey = keyBundle.privateKey();
    // QCA::PrivateKey::canDecrypt() calls QCA::PrivateKey::isRSA()
    // which calls QCA::PrivateKey::type()
    // which calls `static_cast<const PKeyContext *>(context())->key()->type()`
    const QCA::Provider::Context *context = pkey.context();
    auto pkey_context = static_cast<const QCA::PKeyContext *>(context);
    const QCA::PKeyBase *pkey_base = pkey_context->key(); // got nullptr
    const QCA::PKey::Type pkey_type = pkey_base->type(); // segmentation fault
    qDebug() << "pkey_type:" << pkey_type;
    return 0;
}
```
Comment 4 Jan Grulich 2020-06-22 10:37:31 UTC 
I'm not that much familiar with QCA2, can you maybe open a bug there to see if this is something expected and problem on our side or if it's a bug there?
Comment 5 einbert-xeride 2020-06-22 10:44:05 UTC 
(In reply to Jan Grulich from comment #4)
> I'm not that much familiar with QCA2, can you maybe open a bug there to see
> if this is something expected and problem on our side or if it's a bug there?

I'm also not familiar with QCA2 (didn't know what's it before investigate into this issue). I may try my best to find the root cause.
Comment 6 einbert-xeride 2020-06-22 11:21:13 UTC 
Turns out that it may be QCA2's fault.

Stacktrace:
#0 opensslQCAPlugin::MyPKeyContext::pkeyToBase
#1 opensslQCAPlugin::MyPKCS12Context::fromPKCS12
#2 QCA::get_pkcs12_der
#3 QCA::KeyBundle::fromFile

In opensslQCAPlugin::MyPKeyContext::pkeyToBase, the pkey_type it got was 408, which is EVP_PKEY_EC. pkeyToBase only supports EVP_PKEY_RSA, EVP_PKEY_DSA and EVP_PKEY_DH. For unknown types, it returns nullptr, and opensslQCAPlugin::MyPKCS12Context::fromPKCS12 doesn't check the return value. That nullptr is what we get from pkey_context->key(). Have no idea if it's intended or it's a bug.

I may open another bug for QCA2 later.
Comment 7 einbert-xeride 2020-06-22 12:48:48 UTC 
QCA bug opened at https://bugs.kde.org/show_bug.cgi?id=423355.
Comment 8 einbert-xeride 2020-06-23 03:56:25 UTC 
Manually patched https://invent.kde.org/libraries/qca/-/merge_requests/30 to qca 2.3.0 and plasma-nm didn't crash any more, so mark this bug as RESOLVED FIXED as well.
Comment 9 Jan Grulich 2020-06-23 04:37:02 UTC 
Great. Thank you for your collaboration.