
Segfault validating CMP pkiConf in 3GPP quirk mode PERMIT_TA_IN_EXTRACERTS_FOR_IR #29285

@eerotuu

Description

Encountering a SIGSEGV when executing a CMP IR using PBM while the server uses a signature to protect the responses.

The CMP profile used by EJBCA was using the HMAC authentication module in RA mode but used a signature to protect responses. The crash occurs when trying to validate the signature of the pkiConf. Validation goes to crypto/cmp/cmp_vfy.c:353 (check_cert_path_3gpp) and crep is NULL.

A self-issued certificate from the message's extraCerts field is allowed to be used as a trust anchor for path validation:

OSSL_CMP_CTX_set_option(cmpCtx, OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR, 1)

messages (screenshots in the original issue):

ir: [image]

ip: [image]

certConf: [image]

pkiconf: [image]

bt:

#0  ossl_cmp_certresponse_get1_cert (ctx=ctx@entry=0x754030005a60, crep=0x0) at crypto/cmp/cmp_msg.c:1118
#1  0x0000754037a0fdfb in check_cert_path_3gpp (ctx=ctx@entry=0x754030005a60, msg=msg@entry=0x754030013c20, scrt=scrt@entry=0x754030014a40)
    at crypto/cmp/cmp_vfy.c:353
#2  0x0000754037a108a3 in check_cert_path_3gpp (ctx=0x754030005a60, msg=0x754030013c20, scrt=0x754030014a40) at crypto/cmp/cmp_vfy.c:332
#3  check_msg_given_cert (ctx=ctx@entry=0x754030005a60, cert=cert@entry=0x754030014a40, msg=msg@entry=0x754030013c20) at crypto/cmp/cmp_vfy.c:374
#4  0x0000754037a111e3 in check_msg_find_cert (ctx=0x754030005a60, msg=0x754030013c20) at crypto/cmp/cmp_vfy.c:492
#5  OSSL_CMP_validate_msg (ctx=0x754030005a60, msg=0x754030013c20) at crypto/cmp/cmp_vfy.c:640
#6  0x0000754037a11636 in ossl_cmp_msg_check_update (ctx=0x754030005a60, msg=0x754030013c20, cb=0x754037a04f50 <unprotected_exception>, cb_arg=19)
    at crypto/cmp/cmp_vfy.c:770
#7  0x0000754037a06a5c in send_receive_check (ctx=ctx@entry=0x754030005a60, req=req@entry=0x754030046f30, rep=rep@entry=0x75403523d968,
    expected_type=expected_type@entry=19) at crypto/cmp/cmp_client.c:212
#8  0x0000754037a06ebd in send_receive_also_delayed (ctx=ctx@entry=0x754030005a60, req=req@entry=0x754030046f30, rep=rep@entry=0x75403523d968,
    expected_type=expected_type@entry=19) at crypto/cmp/cmp_client.c:423
#9  0x0000754037a07ee7 in ossl_cmp_exchange_certConf (ctx=0x754030005a60, certReqId=<optimized out>, fail_info=0, txt=0x0) at crypto/cmp/cmp_client.c:466
#10 cert_response (ctx=ctx@entry=0x754030005a60, sleep=sleep@entry=0, rid=<optimized out>, rid@entry=0, resp=resp@entry=0x75403523d9d0,
    checkAfter=checkAfter@entry=0x75403523da4c, expected_type=expected_type@entry=1, req_type=<optimized out>) at crypto/cmp/cmp_client.c:786
#11 0x0000754037a08ca2 in OSSL_CMP_try_certreq (ctx=0x754030005a60, req_type=<optimized out>, crm=<optimized out>, checkAfter=0x75403523da4c)
    at crypto/cmp/cmp_client.c:852

Versions

OpenSSL 3.5.0 8 Apr 2025 (Library: OpenSSL 3.5.0 8 Apr 2025)
EJBCA 7.4.3.2
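As an added illustration (not OpenSSL's code, and not whatever fix the project applied, which this page does not show): a small C model of the dispatch the backtrace walks through. The structures, field names and verdict codes are hypothetical; only the body-type numbers follow OpenSSL's OSSL_CMP_PKIBODY_* enum (PKICONF = 19, matching expected_type=19 in the trace). The point it demonstrates is that the 3GPP trust-anchor-from-extraCerts path needs a CertRepMessage to take the enrolled certificate from, so a pkiConf, which carries none, must never reach the cert-response lookup; the model gates on body type and also refuses a missing cert response instead of dereferencing it.

```c
/* Illustrative model of CMP response validation with the 3GPP
 * "trust anchor in extraCerts" option. Hypothetical structures; not OpenSSL. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Body-type numbers as in OpenSSL's OSSL_CMP_PKIBODY_* enum. */
enum { BODY_IR = 0, BODY_IP = 1, BODY_CP = 3, BODY_KUP = 8, BODY_PKICONF = 19 };

/* Simplified message and context (assumed shapes, not OpenSSL's). */
struct cert_response { const char *issued_subject; };
struct cmp_msg {
    int body_type;
    const struct cert_response *crep;   /* CertResponse; NULL unless ip/cp/kup */
    bool self_issued_ta_in_extracerts;  /* self-issued cert present in extraCerts */
    bool signer_in_trust_store;         /* ordinary chain building would succeed */
};
struct cmp_ctx { bool permit_ta_in_extracerts_for_ir; };

enum verdict { V_OK = 0, V_NOT_APPLICABLE = 1, V_BAD_PATH = 2 };

/* 3GPP-style check: the trust anchor comes from extraCerts, which only makes
 * sense when the message actually carries the enrolled certificate. Returns
 * V_NOT_APPLICABLE instead of touching a missing cert response (the NULL crep
 * in the reported backtrace). */
static enum verdict check_path_3gpp(const struct cmp_msg *msg)
{
    if (msg->crep == NULL || msg->crep->issued_subject == NULL)
        return V_NOT_APPLICABLE;
    return msg->self_issued_ta_in_extracerts ? V_OK : V_BAD_PATH;
}

/* Gate: the option must be set AND the body must be one that carries a
 * CertRepMessage. A pkiConf (19) never qualifies. */
static bool three_gpp_applies(const struct cmp_ctx *ctx, const struct cmp_msg *msg)
{
    if (!ctx->permit_ta_in_extracerts_for_ir)
        return false;
    return msg->body_type == BODY_IP || msg->body_type == BODY_CP
        || msg->body_type == BODY_KUP;
}

/* Top-level signature-path validation in the model: try the 3GPP path only
 * where it applies, otherwise require the protecting cert to chain to the
 * configured trust store. */
static enum verdict validate_msg(const struct cmp_ctx *ctx, const struct cmp_msg *msg)
{
    if (three_gpp_applies(ctx, msg)) {
        enum verdict v = check_path_3gpp(msg);
        if (v != V_NOT_APPLICABLE)
            return v;
    }
    return msg->signer_in_trust_store ? V_OK : V_BAD_PATH;
}

int main(void)
{
    /* Constructed sample exchange: an ip carrying the enrolled cert (trust
     * anchor only in extraCerts), then a signed pkiConf with no cert response. */
    const struct cert_response issued = { "CN=device-1" };
    const struct cmp_ctx ctx = { .permit_ta_in_extracerts_for_ir = true };
    const struct cmp_msg ip = { BODY_IP, &issued, true, false };
    const struct cmp_msg pkiconf = { BODY_PKICONF, NULL, true, false };

    printf("ip      -> %d\n", validate_msg(&ctx, &ip));      /* 0: accepted via extraCerts TA */
    printf("pkiConf -> %d\n", validate_msg(&ctx, &pkiconf)); /* 2: no crep, ordinary path, untrusted */
    return 0;
}
```

The pkiConf verdict in the model is a clean rejection (or acceptance if the signer chains to the trust store), not a crash: the gate runs before any cert-response access, and check_path_3gpp additionally tolerates a NULL crep so a caller that bypasses the gate still cannot dereference it.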

Metadata

Assignees

No one assigned

    Labels

    triaged: bug (The issue/pr is/fixes a bug)

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests