>Synopsis: When running 'openssl ocsp' and specifying a -url and a bad
-host the result is a core dump and possible double free
>Category: system
>Environment:
System : OpenBSD 6.2
Details : OpenBSD 6.2-current (GENERIC.MP) #237: Fri Nov 24
21:49:38 MST 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Architecture: OpenBSD.amd64
Machine : amd64
>Description:
When using openssl ocsp to try to make an OCSP verification request, there
is a core dump (double fee?) if you specify -url and then specify a bad
-host at the same time. Oddly, if you specify -host first, then -url, it
doesn't crash.
This is on a 11/24 snapshot.
$ openssl version
LibreSSL 2.6.3
>How-To-Repeat:
I exported the opensbd.org certs with Firefox to demonstrate with.
Here we give a bad hostname which causes the crash:
$ openssl ocsp -issuer Let\'sEncryptAuthorityX3.crt -cert
wwwopenbsdorg.crt -text -url http://ocsp.int-x3.letsencrypt.org -host
proxy:8080
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1 Serial
Number: 0354E1E112110C442C49995B2D0AD60F927C
Request Extensions:
OCSP Nonce:
041036E6BD426C59991E274777C4256E483A
Error connecting BIO
Error querying OCSP responder
25287802291808:error:20FFF066:BIO routines:CRYPTO_internal:bad hostname
lookup:/usr/src/lib/libcrypto/bio/b_sock.c:55:getaddrinfo: host='proxy' :
no address associated with name'
openssl(7893) in free(): bogus pointer (double free?) 0x7f7fffff8305 Abort
trap (core dumped)
Here we have a no route to host and we crash:
$ openssl ocsp -issuer Let\'sEncryptAuthorityX3.crt -cert
wwwopenbsdorg.crt -text -url http://ocsp.int-x3.letsencrypt.org -host
proxy.com:8080
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1 Serial
Number: 0354E1E112110C442C49995B2D0AD60F927C
Request Extensions:
OCSP Nonce:
0410008BC7317D20CC283FE054DF91372A61
Error connecting BIO
Error querying OCSP responder
4346488413024:error:02FFF041:system library:func(4095):No route to
host:/usr/src/lib/libcrypto/bio/bss_conn.c:244:host=proxy.com:8080
4346488413024:error:20FFF067:BIO routines:CRYPTO_internal:connect
error:/usr/src/lib/libcrypto/bio/bss_conn.c:247:
openssl(95665) in free(): bogus pointer (double free?) 0x7f7ffffe03c5
Abort trap (core dumped)
No route to host in just -url, fails cleanly:
$ openssl ocsp -issuer Let\'sEncryptAuthorityX3.crt -cert
wwwopenbsdorg.crt -text -url http://proxy.com:8080
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1 Serial
Number: 0354E1E112110C442C49995B2D0AD60F927C
Request Extensions:
OCSP Nonce:
04108D7FF462D5DD53AC56C8522B7748F475
Error connecting BIO
Error querying OCSP responder
16867518887008:error:02FFF041:system library:func(4095):No route to
host:/usr/src/lib/libcrypto/bio/bss_conn.c:244:host=proxy.com:8080
16867518887008:error:20FFF067:BIO routines:CRYPTO_internal:connect
error:/usr/src/lib/libcrypto/bio/bss_conn.c:247:
No route to host in just -host fails cleanly:
$ openssl ocsp -issuer Let\'sEncryptAuthorityX3.crt -cert
wwwopenbsdorg.crt -text -host proxy.com:8080
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1 Serial
Number: 0354E1E112110C442C49995B2D0AD60F927C
Request Extensions:
OCSP Nonce:
0410908E994C8B6E11B0E898872ADC9581B7
Error connecting BIO
Error querying OCSP responder
23554861359968:error:02FFF041:system library:func(4095):No route to
host:/usr/src/lib/libcrypto/bio/bss_conn.c:244:host=proxy.com:8080
23554861359968:error:20FFF067:BIO routines:CRYPTO_internal:connect
error:/usr/src/lib/libcrypto/bio/bss_conn.c:247:
Reverse the failed parameters and it doens't crash but times out:
$ openssl ocsp -issuer Let\'sEncryptAuthorityX3.crt -cert
wwwopenbsdorg.crt -text -host proxy.com:8080 -url
http://ocsp.int-x3.letsencrypt.org
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1 Serial
Number: 0354E1E112110C442C49995B2D0AD60F927C
Request Extensions:
OCSP Nonce:
0410B3B151DB0FA53DB0CFD1DBAAB2EE41F5
Error connecting BIO
Error querying OCSP responder
20274924111136:error:02FFF03C:system library:func(4095):Operation timed
out:/usr/src/lib/libcrypto/bio/bss_conn.c:244:host=ocsp.int-x3.letsencrypt.org:80
20274924111136:error:20FFF067:BIO routines:CRYPTO_internal:connect
error:/usr/src/lib/libcrypto/bio/bss_conn.c:247:
Running one of the failure cases through gdb for a backtrace:
$ gdb openssl.core --args openssl ocsp -issuer
Let\'sEncryptAuthorityX3.crt -cert wwwopenbsdorg.crt -text -url
http://ocsp.int-x3.letsencrypt.org -host proxy.com:8080
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "amd64-unknown-openbsd6.2"...(no debugging
symbols found)
(gdb) run
Starting program: /usr/bin/openssl ocsp -issuer
Let\'sEncryptAuthorityX3.crt -cert wwwopenbsdorg.crt -text -url
http://ocsp.int-x3.letsencrypt.org -host proxy.com:8080
(no debugging symbols found)
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1 Serial
Number: 0354E1E112110C442C49995B2D0AD60F927C
Request Extensions:
OCSP Nonce:
0410EC61A7D7CFB6025D0413DFE82445072F
Error connecting BIO
Error querying OCSP responder
9183520478944:error:02FFF041:system library:func(4095):No route to
host:/usr/src/lib/libcrypto/bio/bss_conn.c:244:host=proxy.com:8080
9183520478944:error:20FFF067:BIO routines:CRYPTO_internal:connect
error:/usr/src/lib/libcrypto/bio/bss_conn.c:247:
openssl(13096) in free(): bogus pointer (double free?) 0x7f7ffffd47ae
Program received signal SIGABRT, Aborted.
thrkill () at -:3
3 -: No such file or directory.
in -
Current language: auto; currently asm
(gdb) bt
#0 thrkill () at -:3
#1 0x0000085a06956a2e in _libc_abort () at
/usr/src/lib/libc/stdlib/abort.c:51
#2 0x0000085a069befd9 in wrterror (d=Variable "d" is not available. ) at
/usr/src/lib/libc/stdlib/malloc.c:293
#3 0x0000085a069bf302 in ofree (argpool=Variable "argpool" is not available.
) at /usr/src/lib/libc/stdlib/malloc.c:1319
#4 0x0000085a069bf0b9 in free (ptr=0x7f7ffffd47ae) at
/usr/src/lib/libc/stdlib/malloc.c:1435
#5 0x00000857e521a895 in enc_main () from /usr/bin/openssl
#6 0x00000857e521cee4 in enc_main () from /usr/bin/openssl
#7 0x00000857e521cbfc in enc_main () from /usr/bin/openssl
#8 0x00000857e52040f6 in ?? () from /usr/bin/openssl
#9 0x0000000000000000 in ?? ()
(gdb)
dmesg:
OpenBSD 6.2-current (GENERIC.MP) #237: Fri Nov 24 21:49:38 MST 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2130640896 (2031MB)
avail mem = 2059223040 (1963MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (242 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 07/02/2015
bios0: VMware, Inc. VMware Virtual Platform
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3)
S8F0(S3) S16F(S3) S18F(S3) S22F(S3) S23F(S3) S24F(S3) S25F(S3) PE40(S3)
S1F0(S3) PE50(S3) S1F0(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5645 @ 2.40GHz, 2395.57 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,HV,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
acpitimer0: recalibrated TSC frequency 2395204436 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 65MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5645 @ 2.40GHz, 2395.40 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,HV,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 0, package 2
ioapic0 at mainbus0: apid 1 pa 0xfec00000, version 11, 24 pins
acpimcfg0 at acpi0 addr 0xf0000000, bus 0-127
acpihpet0 at acpi0: 14318179 Hz
acpihpet0: recalibrated TSC frequency 2395206138 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
"VMW0003" at acpi0 not configured
"PNP0A05" at acpi0 not configured
acpiac0 at acpi0: AC unit online
pvbus0 at mainbus0: VMware
vmt0 at pvbus0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
pci1 at ppb0 bus 1
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: <VMware Virtual IDE Hard Drive>
wd0: 64-sector PIO, LBA, 20480MB, 41943040 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: <NECVMWar, VMware IDE CDR10, 1.00> ATAPI
5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x08: SMBus
disabled
"VMware VMCI" rev 0x10 at pci0 dev 7 function 7 not configured
vga1 at pci0 dev 15 function 0 "VMware SVGA II" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 17 function 0 "VMware PCI" rev 0x02
pci2 at ppb1 bus 2
em0 at pci2 dev 0 function 0 "Intel 82545EM" rev 0x01: apic 1 int 18,
address 00:0c:29:18:ce:28
eap0 at pci2 dev 1 function 0 "Ensoniq AudioPCI97" rev 0x02: apic 1 int 19
ac97: codec id 0x43525913 (Cirrus Logic CS4297A rev 3)
audio0 at eap0
midi0 at eap0: <AudioPCI MIDI UART>
ppb2 at pci0 dev 21 function 0 "VMware PCIE" rev 0x01
pci3 at ppb2 bus 3
ppb3 at pci0 dev 21 function 1 "VMware PCIE" rev 0x01
pci4 at ppb3 bus 4
ppb4 at pci0 dev 21 function 2 "VMware PCIE" rev 0x01
pci5 at ppb4 bus 5
ppb5 at pci0 dev 21 function 3 "VMware PCIE" rev 0x01
pci6 at ppb5 bus 6
ppb6 at pci0 dev 21 function 4 "VMware PCIE" rev 0x01
pci7 at ppb6 bus 7
ppb7 at pci0 dev 21 function 5 "VMware PCIE" rev 0x01
pci8 at ppb7 bus 8
ppb8 at pci0 dev 21 function 6 "VMware PCIE" rev 0x01
pci9 at ppb8 bus 9
ppb9 at pci0 dev 21 function 7 "VMware PCIE" rev 0x01
pci10 at ppb9 bus 10
ppb10 at pci0 dev 22 function 0 "VMware PCIE" rev 0x01
pci11 at ppb10 bus 11
ppb11 at pci0 dev 22 function 1 "VMware PCIE" rev 0x01
pci12 at ppb11 bus 12
ppb12 at pci0 dev 22 function 2 "VMware PCIE" rev 0x01
pci13 at ppb12 bus 13
ppb13 at pci0 dev 22 function 3 "VMware PCIE" rev 0x01
pci14 at ppb13 bus 14
ppb14 at pci0 dev 22 function 4 "VMware PCIE" rev 0x01
pci15 at ppb14 bus 15
ppb15 at pci0 dev 22 function 5 "VMware PCIE" rev 0x01
pci16 at ppb15 bus 16
ppb16 at pci0 dev 22 function 6 "VMware PCIE" rev 0x01
pci17 at ppb16 bus 17
ppb17 at pci0 dev 22 function 7 "VMware PCIE" rev 0x01
pci18 at ppb17 bus 18
ppb18 at pci0 dev 23 function 0 "VMware PCIE" rev 0x01
pci19 at ppb18 bus 19
ppb19 at pci0 dev 23 function 1 "VMware PCIE" rev 0x01
pci20 at ppb19 bus 20
ppb20 at pci0 dev 23 function 2 "VMware PCIE" rev 0x01
pci21 at ppb20 bus 21
ppb21 at pci0 dev 23 function 3 "VMware PCIE" rev 0x01
pci22 at ppb21 bus 22
ppb22 at pci0 dev 23 function 4 "VMware PCIE" rev 0x01
pci23 at ppb22 bus 23
ppb23 at pci0 dev 23 function 5 "VMware PCIE" rev 0x01
pci24 at ppb23 bus 24
ppb24 at pci0 dev 23 function 6 "VMware PCIE" rev 0x01
pci25 at ppb24 bus 25
ppb25 at pci0 dev 23 function 7 "VMware PCIE" rev 0x01
pci26 at ppb25 bus 26
ppb26 at pci0 dev 24 function 0 "VMware PCIE" rev 0x01
pci27 at ppb26 bus 27
ppb27 at pci0 dev 24 function 1 "VMware PCIE" rev 0x01
pci28 at ppb27 bus 28
ppb28 at pci0 dev 24 function 2 "VMware PCIE" rev 0x01
pci29 at ppb28 bus 29
ppb29 at pci0 dev 24 function 3 "VMware PCIE" rev 0x01
pci30 at ppb29 bus 30
ppb30 at pci0 dev 24 function 4 "VMware PCIE" rev 0x01
pci31 at ppb30 bus 31
ppb31 at pci0 dev 24 function 5 "VMware PCIE" rev 0x01
pci32 at ppb31 bus 32
ppb32 at pci0 dev 24 function 6 "VMware PCIE" rev 0x01
pci33 at ppb32 bus 33
ppb33 at pci0 dev 24 function 7 "VMware PCIE" rev 0x01
pci34 at ppb33 bus 34
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on wd0a (2853f6f534a81279.a) swap on wd0b dump on wd0b
