Hello,
I executed the following command on an X86 64bit Windows2003 Server (see full
specifications at the bottom):
    $ ./openssl.exe rsa -in ../test/openssl/crypto/url/test_data/certchainfull.der -text -noout -inform DER
and got an application error in rsa_lib.c, function RSA_free():
    if (r->meth->finish)
        r->meth->finish(r);

Analyzing the code I found out that r->meth was set to zero. This should never be the case, so I tried to find out where the memory of &r->meth has been overwritten.
The problem lies in the fact that the type 'long' has a size of 4 bytes on x86/64bit, but a pointer 8 bytes (as expected). In the file rsa.h you have the following struct:
    struct rsa_st
        {
        /* The first parameter is used to pickup errors where
         * this is passed instead of aEVP_PKEY, it is set to 0 */
        int pad;
        long version;
        const RSA_METHOD *meth;
        /* functional reference if 'meth' is ENGINE-provided */
        ENGINE *engine;
        .
        .
        .
        }
When reading the input file the function asn1_template_ex_d2i() (file tasn_dec.c) is called:

    static int asn1_template_ex_d2i(ASN1_VALUE **val,
                                    const unsigned char **in, long inlen,
                                    const ASN1_TEMPLATE *tt, char opt,
                                    ASN1_TLC *ctx);

In our case *val is the address of the field 'version' in the 'struct rsa_st' above.
If an error occurs, at the end of the function '*val' is set to NULL:

    *val = NULL;

but this will write 8 bytes into the pointer so that the field 'meth' (which just follows 'version'), will be set to 0x0000 as well.
You may temporarily solve the problem by putting a dummy-long between the field 'version' and the field 'meth', but you may still have problems on other structs.
I personally think the setting of

    *val = NULL;

is not necessary, because this should have been done in the ASN1_template_free()-function.
Please let me know if and how you will fix the bug.
With kind regards
Paolo
OpenSSL version: output of 'openssl version -a'
OpenSSL 0.9.8i 15 Sep 2008
built on: Thu Mar 12 11:31:33 2009
platform: VC-WIN64A
options: bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,4,long)
idea(int) blowfish(idx)
compiler: cl -DDEBUG /MD /Ox /W3 /Gs0 /GF /Gy /nologo
-DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DOPENSSL_SYSNAME_WIN32
-DOPENSSL_SYSNAME_WINNT -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE
-D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_USE_APPLINK -I. /Fdout32dll
-DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2
-DOPENSSL_NO_TLSEXT -DOPENSSL_NO_CMS -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_KRB5
-DOPENSSL_NO_DYNAMIC_ENGINE
OPENSSLDIR: "/usr/local/ssl"
OS Name, Version, Hardware platform:
Microsoft Windows Server 2003
Enterprise X64 Edition
Service Pack 2
Compiler Details (name, version):
Visual C++ 6.0 with SDK X64 Debug Build Environment
--
AdNovum Informatik AG
Paolo Ganci, Senior Software Engineer
Dipl. El.-Ing. ETH
Roentgenstrasse 22, CH-8005 Zurich
mailto:[email protected]
phone: +41 44 272 6111, fax: +41 44 272 6312
http://www.adnovum.ch
AdNovum Locations: Bern, Budapest, San Mateo, Zurich (HQ)
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
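
Added example, not part of the original message and not OpenSSL code: a small C program that reproduces the width mismatch the report describes, where a field narrower than a pointer is cleared with a pointer-wide store. The struct `demo_rsa`, the helper names and the 0xAA fill are constructed for illustration; `int32_t` stands in for the 4-byte `long` of Win64 so the layout is the same on any 64-bit host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the head of struct rsa_st (not OpenSSL code).
 * int32_t models the 4-byte 'long' of Win64 (LLP64). */
struct demo_rsa {
    int pad;
    int32_t version;   /* 4 bytes, like 'long' on VC-WIN64A */
    const void *meth;  /* 8 bytes on a 64-bit target */
};

/* Models '*val = NULL' through an ASN1_VALUE **: the store is
 * sizeof(void *) bytes wide whatever the field's real type is.
 * memcpy keeps the demo well-defined; NULL is assumed all-zero bytes. */
static void clear_as_pointer(void *field)
{
    void *null_ptr = NULL;
    memcpy(field, &null_ptr, sizeof null_ptr);
}

/* Count the bytes of 'meth' that are zero after a clear. */
static size_t zeroed_meth_bytes(const struct demo_rsa *r)
{
    unsigned char raw[sizeof r->meth];
    size_t i, n = 0;
    memcpy(raw, &r->meth, sizeof raw);
    for (i = 0; i < sizeof raw; i++)
        n += (raw[i] == 0);
    return n;
}

/* Clear 'version' either pointer-wide (the bug) or with its own width. */
size_t meth_bytes_clobbered(int pointer_wide)
{
    struct demo_rsa r;
    memset(&r, 0xAA, sizeof r);          /* constructed non-zero fill */
    if (pointer_wide)
        clear_as_pointer((unsigned char *)&r + offsetof(struct demo_rsa, version));
    else
        r.version = 0;
    return zeroed_meth_bytes(&r);
}

int main(void)
{
    printf("typed clear:        %zu bytes of meth zeroed\n", meth_bytes_clobbered(0));
    printf("pointer-wide clear: %zu bytes of meth zeroed\n", meth_bytes_clobbered(1));
    return 0;
}
```

On a 64-bit little-endian host the pointer-wide clear zeroes the low 4 bytes of `meth`, while the typed clear leaves it untouched.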