[openssl-dev] [openssl.org #4146] Bug: expired CRL makes X509_verify_cert crash if X509_STORE_CTX is initialized without an X509_STORE

Yusheng Yang via RT rt at openssl.org
Tue Nov 17 23:26:21 UTC 2015


Scenario:

RedHat Linux 2.6.32-131.0.15.el6.x86_64
OpenSSL 1.0.1L

openssl.cnf:

crlnumber = crlnumber
default_crl_days = 30

generate CRL:

echo 01 > crlnumber
openssl ca -config openssl.cnf -batch -revoke peerRevoked.pem
openssl ca -config openssl.cnf -batch -gencrl -out cacrl.crl

Let 30 days pass.

X509 *x = PEM_read_bio_X509_AUX(memoryBioCorrespondingToPeerRevoked.pem, NULL, NULL, NULL);
STACK_OF(X509) *tchain = result_of_load_certs_from_apps.c(cacert.pem);
STACK_OF(X509_CRL) *crls = result_of_load_crls_from_apps.c(cacrl.crl);
X509_STORE_CTX *csc = X509_STORE_CTX_new();
X509_STORE_CTX_init(csc, NULL, x, NULL); /* Problem doesn't happen
if second argument is non-NULL, as it is in apps/verify.c. */
X509_STORE_CTX_trusted_stack(csc, tchain);
X509_STORE_CTX_set0_crls(csc, crls);
X509_VERIFY_PARAM *vpm = X509_STORE_CTX_get0_param(csc);
unsigned long flags = X509_VERIFY_PARAM_get_flags(vpm);
flags |= X509_V_FLAG_CRL_CHECK;
X509_VERIFY_PARAM_set_flags(vpm, flags);
X509_verify_cert(csc);

X509_verify_cert crashes with this stack trace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000fac5ed in X509_STORE_get1_crls (ctx=0x1700c40, nm=0x16fe5f0) at x509_lu.c:546
546             idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt);
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.25.el6.x86_64
(gdb) display ctx->ctx
1: ctx->ctx = (X509_STORE *) 0x0
(gdb) bt
#0  0x0000000000fac5ed in X509_STORE_get1_crls (ctx=0x1700c40, nm=0x16fe5f0) at x509_lu.c:546
#1  0x0000000000fa8cab in get_crl_delta (ctx=0x1700c40, pcrl=0x7fffffff6dd0, pdcrl=0x7fffffff6dc8, x=0x1700190) at x509_vfy.c:1322
#2  0x0000000000fa79d4 in check_cert (ctx=0x1700c40) at x509_vfy.c:711
#3  0x0000000000fa78d8 in check_revocation (ctx=0x1700c40) at x509_vfy.c:686
#4  0x0000000000fa6f45 in X509_verify_cert (ctx=0x1700c40) at x509_vfy.c:362

The problem is that ctx->ctx is NULL, and it’s dereferencing a NULL
pointer. Perhaps x509_vfy.c get_crl_delta should only call ctx->lookup_crls
if ctx->ctx is non-NULL. When running openssl verify on the same files, I
see that ctx->lookup_crls returns no skcrl, so having NULL ctx->ctx should
yield the same result.
