On 2/9/22 12:11, Theo Buehler wrote:
On Wed, Feb 09, 2022 at 09:17:26AM +0100, Volker Schlecht wrote:
Environment: -current, snapshot downloaded Feb 8th 2022
Architecture: amd64

The following command crashes

# openssl req -key <mykeyfile> -config <myconf> -new -x509 -days 365 -sha256 -extensions v3_ca -out <mycertfile>
openssl(59343) in free(): chunk is already free 0xa32e41b9310
Abort trap

Could you please provide full commands and a config file that lead to
this crash? We have scripts to create ca certs in our regress tests and
they do not crash like that, so this must be something specific to what
you have in there.

Here's a ca.conf.test that breaks:

---------
[ ca ]
default_ca  = CA_default

[ CA_default ]
copy_extensions = copy

dir   = .
certs   = $dir/certs
crl_dir   = $dir/crl
database  = $dir/index.txt
new_certs_dir = $dir/newcerts

certificate = $dir/testca.cert.pem
serial    = $dir/serial
crlnumber = $dir/crlnumber
crl   = $dir/crl.pem
private_key = $dir/private/ca.key.pem

default_days  = 365
default_crl_days= 30
default_md  = sha256
preserve  = no

policy    = policy_match

[ policy_match ]
countryName   = match
stateOrProvinceName = match
organizationName  = match
organizationalUnitName  = optional
commonName    = supplied
emailAddress    = optional

[ crl_ext ]
authorityKeyIdentifier=keyid:always


[ req ]
x509_extensions = v3_ca
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
countryName                     = DE
stateOrProvinceName             = BY
localityName                    = Ursa Major
0.organizationName              = Sirius Inc.
organizationalUnitName          = Testing Dept.
commonName                      = Test Root CA
emailAddress                    = t...@example.com
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints=critical,CA:true, pathlen:0
keyUsage=critical,keyCertSign,cRLSign
nameConstraints=critical,@nc
[ nc ]
permitted;DNS.0=home.lan
permitted;DNS.1=home-guest.lan
permitted;IP.0=10.0.0.0/255.0.0.0

[ server_crt ]
basicConstraints=CA:FALSE
nsCertType      = server
nsComment     = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

----------

Full command:

# openssl req -config ca.conf.test -new -x509 -extensions v3_ca -out testca.cert.pem


If I use this repeatedly, I *sometimes* get

Error Loading extension section v3_ca
9259351224992:error:22FFF076:X509 V3 routines:func(4095):reason(118):/usr/src/lib/libcrypto/x509/x509_alt.c:679:name=IP len=8
9259351224992:error:22FFF080:X509 V3 routines:func(4095):reason(128):/usr/src/lib/libcrypto/x509/x509_conf.c:102:name=nameConstraints, value=@nc
openssl(98518) in free(): chunk is already free 0x86b241c3f40
Abort trap

But *mostly* it's just

openssl(9323) in free(): chunk is already free 0x3cb3a6a9780
Abort trap

The issue seems to be actually with the line

permitted;IP.0=10.0.0.0/255.0.0.0

Not sure if that's illegal, too, but at least according to

https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html

it should work.

I changed it to

permitted;IP.0=10.0.0.0/8

just to see what would happen. That gives me a Segfault ...


Well, the name constraints with .personal.lan aren't legal, that's why
they are rejected. OpenSSL will let you write things in there that will
then fail to interoperate.

Rejecting illegal constraints is wonderful, but they shouldn't cause crashes, no?
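
An added example, not part of the thread and not code from any of its participants or from LibreSSL/OpenSSL: a pre-flight check for the IP entries of the `[ nc ]` section quoted above. It encodes the address/netmask form documented for the OpenSSL config syntax into the 8 (IPv4) or 32 (IPv6) octets RFC 5280 specifies for iPAddress name constraints, and rejects a prefix-length form such as `/8`. The function names, the constructed sample and the stricter contiguous-mask and host-bit checks are assumptions of this example.

```python
import ipaddress

def encode_nc_ip(value):
    """Encode 'address/netmask' as iPAddress name-constraint octets (RFC 5280, 4.2.1.10)."""
    addr_s, sep, mask_s = value.strip().partition("/")
    if not sep:
        raise ValueError("expected address/netmask")
    addr = ipaddress.ip_address(addr_s)
    mask = ipaddress.ip_address(mask_s)  # a prefix length such as "8" is not an address
    if addr.version != mask.version:
        raise ValueError("address and netmask families differ")
    host_bits = ~int(mask) & ((1 << addr.max_prefixlen) - 1)
    # Stricter than a plain syntax check (assumption of this example):
    if host_bits & (host_bits + 1):
        raise ValueError("netmask is not contiguous")
    if int(addr) & host_bits:
        raise ValueError("address has bits set outside the netmask")
    return addr.packed + mask.packed  # 4+4 octets for IPv4, 16+16 for IPv6

def check_nc_section(conf_text, section="nc"):
    """Return (key, hex-encoding or 'REJECT: reason') for each IP entry in the section."""
    results, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current == section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.split(";")[-1].upper().startswith("IP"):
                try:
                    results.append((key, encode_nc_ip(value).hex()))
                except ValueError as exc:
                    results.append((key, "REJECT: %s" % exc))
    return results

# Constructed sample: the [ nc ] lines from the thread plus the /8 variant.
SAMPLE = """
[ nc ]
permitted;DNS.0=home.lan
permitted;IP.0=10.0.0.0/255.0.0.0
permitted;IP.1=10.0.0.0/8
"""

if __name__ == "__main__":
    for key, outcome in check_nc_section(SAMPLE):
        print(key, "->", outcome)
```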
