Bug: expired CRL makes X509_verify_cert crash if X509_STORE_CTX is initialized without an X509_STORE

Yusheng Yang yusheng at rti.com
Tue Nov 17 23:08:31 UTC 2015


Scenario:

RedHat Linux 2.6.32-131.0.15.el6.x86_64
OpenSSL 1.0.1L

openssl.cnf:

crlnumber = crlnumber
default_crl_days = 30

generate CRL:

echo 01 > crlnumber
openssl ca -config openssl.cnf -batch -revoke peerRevoked.pem
openssl ca -config openssl.cnf -batch -gencrl -out cacrl.crl

Let 30 days pass.

X509 *x = PEM_read_bio_X509_AUX(memoryBioCorrespondingToPeerRevoked.pem,
                                NULL, NULL, NULL);

STACK_OF(X509) *tchain = result_of_load_certs_from_apps.c(cacert.pem);

STACK_OF(X509_CRL) *crls = result_of_load_crls_from_apps.c(cacrl.crl);

X509_STORE_CTX *csc = X509_STORE_CTX_new();

X509_STORE_CTX_init(csc, NULL, x, NULL); /* Problem doesn't happen
                                            if second argument is non-NULL,
                                            as it is in apps/verify.c. */

X509_STORE_CTX_trusted_stack(csc, tchain);

X509_STORE_CTX_set0_crls(csc, crls);

X509_VERIFY_PARAM *vpm = X509_STORE_CTX_get0_param(csc);

unsigned long flags = X509_VERIFY_PARAM_get_flags(vpm);

flags |= X509_V_FLAG_CRL_CHECK;

X509_VERIFY_PARAM_set_flags(vpm, flags);

X509_verify_cert(csc);

X509_verify_cert crashes with this stack trace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000fac5ed in X509_STORE_get1_crls (ctx=0x1700c40, nm=0x16fe5f0) at x509_lu.c:546
546             idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt);
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.25.el6.x86_64
(gdb) display ctx->ctx
1: ctx->ctx = (X509_STORE *) 0x0
(gdb) bt
#0  0x0000000000fac5ed in X509_STORE_get1_crls (ctx=0x1700c40, nm=0x16fe5f0) at x509_lu.c:546
#1  0x0000000000fa8cab in get_crl_delta (ctx=0x1700c40, pcrl=0x7fffffff6dd0, pdcrl=0x7fffffff6dc8, x=0x1700190) at x509_vfy.c:1322
#2  0x0000000000fa79d4 in check_cert (ctx=0x1700c40) at x509_vfy.c:711
#3  0x0000000000fa78d8 in check_revocation (ctx=0x1700c40) at x509_vfy.c:686
#4  0x0000000000fa6f45 in X509_verify_cert (ctx=0x1700c40) at x509_vfy.c:362

The problem is that ctx->ctx is NULL, and it’s dereferencing a NULL
pointer. Perhaps x509_vfy.c get_crl_delta should only call ctx->lookup_crls
if ctx->ctx is non-NULL. When running openssl verify on the same files, I
see that ctx->lookup_crls returns no skcrl, so having NULL ctx->ctx should
yield the same result.
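Added example, not part of the report above and not OpenSSL's own code: the same CRL-checked verification done the way the report says does not crash, with a real X509_STORE behind the context. It uses Ruby's standard-library OpenSSL bindings, whose X509::StoreContext is always initialised with a store (so ctx->ctx is never NULL). Everything is constructed in memory: a throwaway CA, a revoked and an unrevoked leaf, a CRL that is still valid and a CRL whose nextUpdate has passed (the "let 30 days pass" case). With a store present, the expired CRL is reported as an ordinary verification error, X509_V_ERR_CRL_HAS_EXPIRED, instead of a segfault. The helper names make_cert, make_crl and verify_with_crl are my own.

```ruby
require 'openssl'

# Constructed test data: a throwaway CA, leaf certificates and CRLs built in
# memory so the example runs offline (no cacert.pem / cacrl.crl on disk).

# make_cert builds a self-signed CA (issuer_cert nil) or a CA-signed leaf.
def make_cert(subject, issuer_cert, issuer_key, key, serial, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    # cRLSign is what lets this CA's CRLs be accepted during verification.
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# make_crl issues a CRL from the CA that revokes one serial number.
# A next_update in the past gives the "expired CRL" of the report.
def make_crl(ca_cert, ca_key, revoked_serial, next_update)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = next_update
  rev = OpenSSL::X509::Revoked.new
  rev.serial = revoked_serial
  rev.time = Time.now - 30
  crl.add_revoked(rev)
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  crl
end

# verify_with_crl always verifies through an X509_STORE (the ctx->ctx that was
# NULL in the report). The store holds the trust anchor and the CRL, and
# X509_V_FLAG_CRL_CHECK turns on CRL checking for the leaf.
# Returns [verified?, error code, error string].
def verify_with_crl(leaf, ca_cert, crl)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.add_crl(crl)
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  ctx = OpenSSL::X509::StoreContext.new(store, leaf)
  ok = ctx.verify
  [ok, ctx.error, ctx.error_string]
end

if __FILE__ == $0
  ca_key = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('/CN=Test CA', nil, nil, ca_key, 1, ca: true)
  revoked = make_cert('/CN=peerRevoked', ca, ca_key, leaf_key, 2)
  good = make_cert('/CN=peerGood', ca, ca_key, leaf_key, 3)
  fresh = make_crl(ca, ca_key, 2, Time.now + 30 * 86_400) # default_crl_days = 30
  stale = make_crl(ca, ca_key, 2, Time.now - 1)           # after the 30 days
  p verify_with_crl(good, ca, fresh)    # [true, 0, "ok"]
  p verify_with_crl(revoked, ca, fresh) # [false, 23, "certificate revoked"]
  p verify_with_crl(revoked, ca, stale) # [false, 12, "CRL has expired"]
end
```

The third call is the report's situation: the only CRL available for the issuer is past its nextUpdate. OpenSSL still selects it as the best candidate, then check_crl rejects it with CRL_HAS_EXPIRED (12), so a caller that inspects the context error sees a clean failure. Whether an application then fails closed (treats the leaf as unverifiable) or refreshes the CRL is a policy decision, but it is made on a returned error code rather than after a NULL dereference.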