3.0.3 - EVP_EC_gen() segfault without init
Tomas Mraz
tomas at openssl.org
Thu May 5 05:54:33 UTC 2022
Yes, this is unfortunately a bug in 3.0.3 release. Calling
OPENSSL_init_crypto should not be necessary.
Tomas Mraz
On Wed, 2022-05-04 at 21:58 +0200, Klaus Keppler wrote:
> Hello,
>
> yesterday we updated OpenSSL from 3.0.2 to 3.0.3, what made some of
> our
> unit tests crash.
>
> I've boiled the problem down to the following example code:
>
> ---cut---
> #include <openssl/crypto.h>
> #include <openssl/ec.h>
> #include <openssl/evp.h>
>
> int main(int argc, const char *argv[]) {
> //OPENSSL_init_crypto(0, NULL);
> if (! EVP_EC_gen("P-384")) return -1;
> return 0;
> }
> ---/cut---
>
> Compile with:
>
> gcc -Wall -Werror -pedantic -o test test.c -lcrypto
>
> With OpenSSL 3.0.2 this runs just fine, with OpenSSL 3.0.3 we get a
> segmentation fault during a string comparison within
> EVP_PKEY_Q_keygen
> (EVP_EC_gen is just a macro).
>
> I assume that the curve names are not properly initialized, when you
> uncomment the call to "OPENSSL_init_crypto()", everything works just
> fine.
>
> The documentation [1] of OPENSSL_init_crypto() states that explicit
> initialization is not required. Man page of EVP_EC_gen [2] says
> nothing
> about initialization.
> Considering that 3.0.3 is only a minor update and 3.0.2 worked as
> expected, we might have hit a bug. If this (above) is "just" a usage
> error, the documentation should describe in which cases an explicit
> initialization is required.
>
> Anyway, thank you for all your efforts!
>
> Best regards
>
> -Klaus Keppler
>
>
> [1] https://www.openssl.org/docs/man3.0/man3/OPENSSL_init_crypto.html
> [2] https://www.openssl.org/docs/man3.0/man3/EVP_EC_gen.html
--
Tomáš Mráz, OpenSSL
More information about the openssl-users
mailing list