[rt.openssl.org #4146] Bug: expired CRL makes X509_verify_cert crash if X509_STORE_CTX is initialized without an X509_STORE #2462

Description

@richsalz

Migrated from rt.openssl.org#4146 (status was 'new')

Requestors:

From [email protected] on 2015-11-17 23:26:20:

Scenario:

RedHat Linux 2.6.32-131.0.15.el6.x86_64
OpenSSL 1.0.1L

openssl.cnf:

crlnumber = crlnumber
default_crl_days = 30

generate CRL:

echo 01 > crlnumber
openssl ca -config openssl.cnf -batch -revoke peerRevoked.pem
openssl ca -config openssl.cnf -batch -gencrl -out cacrl.crl

Let 30 days pass.

#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

/* Load the revoked peer cert, the CA cert and the (now expired) CRL generated
   above. PEM_read_bio_* calls stand in for the apps.c load_certs/load_crls
   helpers referred to in the report; those are not public library API. */
BIO *in = BIO_new_file("peerRevoked.pem", "r");
X509 *x = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
BIO_free(in);
in = BIO_new_file("cacert.pem", "r");
STACK_OF(X509) *tchain = sk_X509_new_null();
sk_X509_push(tchain, PEM_read_bio_X509(in, NULL, NULL, NULL));
BIO_free(in);
in = BIO_new_file("cacrl.crl", "r");
STACK_OF(X509_CRL) *crls = sk_X509_CRL_new_null();
sk_X509_CRL_push(crls, PEM_read_bio_X509_CRL(in, NULL, NULL, NULL));
BIO_free(in);

X509_STORE_CTX *csc = X509_STORE_CTX_new();
X509_STORE_CTX_init(csc, NULL, x, NULL); /* Problem doesn't happen
if second argument is non-NULL, as it is in apps/verify.c. */
X509_STORE_CTX_trusted_stack(csc, tchain);
X509_STORE_CTX_set0_crls(csc, crls);
X509_VERIFY_PARAM *vpm = X509_STORE_CTX_get0_param(csc);
unsigned long flags = X509_VERIFY_PARAM_get_flags(vpm);
flags |= X509_V_FLAG_CRL_CHECK;
X509_VERIFY_PARAM_set_flags(vpm, flags);
X509_verify_cert(csc);

X509_verify_cert crashes with this stack trace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000fac5ed in X509_STORE_get1_crls (ctx=0x1700c40, nm=0x16fe5f0) at x509_lu.c:546
546             idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt);
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.25.el6.x86_64
(gdb) display ctx->ctx
1: ctx->ctx = (X509_STORE *) 0x0
(gdb) bt
#0  0x0000000000fac5ed in X509_STORE_get1_crls (ctx=0x1700c40, nm=0x16fe5f0) at x509_lu.c:546
#1  0x0000000000fa8cab in get_crl_delta (ctx=0x1700c40, pcrl=0x7fffffff6dd0, pdcrl=0x7fffffff6dc8, x=0x1700190) at x509_vfy.c:1322
#2  0x0000000000fa79d4 in check_cert (ctx=0x1700c40) at x509_vfy.c:711
#3  0x0000000000fa78d8 in check_revocation (ctx=0x1700c40) at x509_vfy.c:686
#4  0x0000000000fa6f45 in X509_verify_cert (ctx=0x1700c40) at x509_vfy.c:362

The problem is that ctx->ctx is NULL, and it's dereferencing a NULL
pointer. Perhaps x509_vfy.c get_crl_delta should only call ctx->lookup_crls
if ctx->ctx is non-NULL. When running openssl verify on the same files, I
see that ctx->lookup_crls returns no skcrl, so having NULL ctx->ctx should
yield the same result.
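The control flow behind the crash is easy to miss: while the ctx-local CRL is still current, the verifier never consults the store, which is why the report only reproduces once the 30-day CRL has expired. The following is an added, simplified stand-in model written for this page (not OpenSSL code; every type and function name in it is this example's own, and the CRL scoring is reduced to "matching issuer, not past nextUpdate") showing a guarded selection that consults the store-backed callback only when a store is present, so a NULL store with an expired local CRL yields a CRL-expired result instead of a NULL dereference:

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Stand-in for an X509_CRL: issuer name plus nextUpdate. */
typedef struct {
    const char *issuer;   /* compared as a plain string in this model */
    time_t next_update;   /* CRL is expired once now > next_update */
} crl_t;

/* Stand-in for an X509_STORE: just an array of CRLs. */
typedef struct {
    const crl_t *crls;
    size_t n;
} store_t;

/* Stand-in for an X509_STORE_CTX. */
typedef struct ctx_s {
    store_t *store;       /* ctx->ctx in OpenSSL; NULL when X509_STORE_CTX_init got no store */
    const crl_t *crls;    /* ctx->crls, the stack given to X509_STORE_CTX_set0_crls */
    size_t ncrls;
    const crl_t *(*lookup_crls)(struct ctx_s *ctx, const char *issuer, time_t now);
} ctx_t;

enum { CRL_OK = 0, CRL_EXPIRED = 1, CRL_UNABLE_TO_GET = 2 };

/* Return a CRL for `issuer` that is still current at `now`; if only an expired
   one exists, report it through *near (the "near match" of the real code). */
static const crl_t *pick_crl(const crl_t *crls, size_t n, const char *issuer,
                             time_t now, const crl_t **near)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(crls[i].issuer, issuer) != 0)
            continue;
        if (now <= crls[i].next_update)
            return &crls[i];          /* current CRL: good enough, stop here */
        if (*near == NULL)
            *near = &crls[i];         /* remember the expired candidate */
    }
    return NULL;
}

/* Store-backed lookup. Like X509_STORE_get1_crls in the trace above it
   dereferences ctx->store unconditionally, so the caller must guard it. */
static const crl_t *lookup_from_store(ctx_t *ctx, const char *issuer, time_t now)
{
    const crl_t *near = NULL;
    return pick_crl(ctx->store->crls, ctx->store->n, issuer, now, &near);
}

/* Guarded CRL selection: local stack first, store only when there is one. */
static int get_crl_guarded(ctx_t *ctx, const char *issuer, time_t now, const crl_t **out)
{
    const crl_t *near = NULL;
    const crl_t *crl = pick_crl(ctx->crls, ctx->ncrls, issuer, now, &near);

    /* No current local CRL. The reported code calls ctx->lookup_crls here
       unconditionally; the guard on ctx->store is the whole fix in this model. */
    if (crl == NULL && ctx->store != NULL)
        crl = ctx->lookup_crls(ctx, issuer, now);

    if (crl != NULL)  { *out = crl;  return CRL_OK; }
    if (near != NULL) { *out = near; return CRL_EXPIRED; }        /* cf. X509_V_ERR_CRL_HAS_EXPIRED */
    *out = NULL;
    return CRL_UNABLE_TO_GET;                                     /* cf. X509_V_ERR_UNABLE_TO_GET_CRL */
}

/* Constructed sample data: a 30-day CRL issued at t=0 (expired at NOW) and a
   freshly regenerated one held in a store. Times are arbitrary epoch seconds. */
#define NOW ((time_t)3000000)
static const crl_t local_crls[] = { { "CN=Test CA", (time_t)2592000 } };
static const crl_t store_crls[] = { { "CN=Test CA", (time_t)5000000 } };

/* The reporter's setup: no store, expired CRL in the ctx-local stack. */
int scenario_null_store_expired_crl(void)
{
    ctx_t ctx = { NULL, local_crls, 1, lookup_from_store };
    const crl_t *crl;
    return get_crl_guarded(&ctx, "CN=Test CA", NOW, &crl);   /* CRL_EXPIRED, no crash */
}

/* Same ctx with a real store holding a fresh CRL (the apps/verify.c shape). */
int scenario_store_fresh_crl(void)
{
    store_t store = { store_crls, 1 };
    ctx_t ctx = { &store, local_crls, 1, lookup_from_store };
    const crl_t *crl;
    return get_crl_guarded(&ctx, "CN=Test CA", NOW, &crl);   /* CRL_OK */
}

/* No CRL for this issuer anywhere and no store to ask. */
int scenario_no_crl_at_all(void)
{
    ctx_t ctx = { NULL, local_crls, 1, lookup_from_store };
    const crl_t *crl;
    return get_crl_guarded(&ctx, "CN=Other CA", NOW, &crl);  /* CRL_UNABLE_TO_GET */
}

int main(void)
{
    printf("null store, expired CRL: %d\n", scenario_null_store_expired_crl());
    printf("store with fresh CRL:    %d\n", scenario_store_fresh_crl());
    printf("no CRL at all:           %d\n", scenario_no_crl_at_all());
    return 0;
}
```

The first scenario is the one from the report: with the guard, an application that initialises the context without a store and supplies its own CRL stack gets a verification error it can act on (regenerate the CRL) rather than a SIGSEGV, which is also the behaviour the reporter observed from `openssl verify`, where the store lookup simply returns no CRLs.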
