3.0.3 - EVP_EC_gen() segfault without init

Wed May 4 20:49:54 UTC 2022

Oh sorry, forgot to say that.

It's x86-64, compiled on Debian 10.12 (GCC 8.3.0) and CentOS 7 (GCC 
8.3.1) - other distributions/GCC versions not tested yet.

OpenSSL was compiled with common hardening flags:
CFLAGS="-fstack-protector --param ssp-buffer-size=4 -fPIC -O2"
CPPFLAGS="-D_FORTIFY_SOURCE=2"

arm64 and armhf also seem to be not affected (at least our unit tests 
there passed).

Best regards

    -Klaus

Am 04.05.2022 um 22:07 schrieb Blumenthal, Uri - 0553 - MITLL:
> What platform?
> 
> $ bat ossl3-tst.c
> ───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────
>         │ File: ossl3-tst.c
>         │ Size: 216 B
> ───────┼──────────────────────────────────────────────────────────────────────────────────────────────────────
>     1   │ #include <openssl/crypto.h>
>     2   │ #include <openssl/ec.h>
>     3   │ #include <openssl/evp.h>
>     4   │
>     5   │ int main(int argc, const char *argv[]) {
>     6   │      //OPENSSL_init_crypto(0, NULL);
>     7   │      if (! EVP_EC_gen("P-384")) return -1;
>     8   │      return 0;
>     9   │ }
> ───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────
> $ gcc -Wall -Werror -pedantic -o ossl3-tst ossl3-tst.c -I/opt/local/include -L/opt/local/lib -lcrypto
> $ ./ossl3-tst
> $
> 
> Above is on MacOS Monterey with GCC-11.
> --
> V/R,
> Uri
>   
> There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.
> The other is to make it so complex there are no obvious deficiencies.
>                                                                                                                                       -  C. A. R. Hoare
>   
> 
> On 5/4/22, 15:58, "openssl-users on behalf of Klaus Keppler" <openssl-users-bounces at openssl.org on behalf of kk at keppler-it.de> wrote:
> 
>      Hello,
> 
>      yesterday we updated OpenSSL from 3.0.2 to 3.0.3, what made some of our
>      unit tests crash.
> 
>      I've boiled the problem down to the following example code:
> 
>      ---cut---
>      #include <openssl/crypto.h>
>      #include <openssl/ec.h>
>      #include <openssl/evp.h>
> 
>      int main(int argc, const char *argv[]) {
>           //OPENSSL_init_crypto(0, NULL);
>           if (! EVP_EC_gen("P-384")) return -1;
>           return 0;
>      }
>      ---/cut---
> 
>      Compile with:
> 
>         gcc -Wall -Werror -pedantic -o test test.c -lcrypto
> 
>      With OpenSSL 3.0.2 this runs just fine, with OpenSSL 3.0.3 we get a
>      segmentation fault during a string comparison within EVP_PKEY_Q_keygen
>      (EVP_EC_gen is just a macro).
> 
>      I assume that the curve names are not properly initialized, when you
>      uncomment the call to "OPENSSL_init_crypto()", everything works just fine.
> 
>      The documentation [1] of OPENSSL_init_crypto() states that explicit
>      initialization is not required. Man page of EVP_EC_gen [2] says nothing
>      about initialization.
>      Considering that 3.0.3 is only a minor update and 3.0.2 worked as
>      expected, we might have hit a bug. If this (above) is "just" a usage
>      error, the documentation should describe in which cases an explicit
>      initialization is required.
> 
>      Anyway, thank you for all your efforts!
> 
>      Best regards
> 
>          -Klaus Keppler
> 
> 
>      [1] https://www.openssl.org/docs/man3.0/man3/OPENSSL_init_crypto.html
>      [2] https://www.openssl.org/docs/man3.0/man3/EVP_EC_gen.html