Re: [openssl.org #2792] Crash in rc4 on x86_64

Kurt Roeckx Thu, 19 Apr 2012 13:02:36 -0700

On Thu, Apr 19, 2012 at 09:08:48PM +0200, Kurt Roeckx wrote:
> On Wed, Apr 18, 2012 at 08:04:28PM +0200, Andy Polyakov via RT wrote:
> > > I've had 2 users report a crash in RC4() on x86_64.  The
> > > backtrace looks like:
> > > #0  RC4 () at rc4-x86_64.s:343
> > > #1  0x000000000000012d in ?? ()
> > > #2  0x00000000000000df in ?? ()
> > > #3  0x00000000020b5660 in ?? ()
> > > #4  0x00007fc075f6a9c9 in rc4_hmac_md5_cipher (ctx=<optimized out>,
> > >     out=0x20aae98 
> > > ".\324\300\377AE'|#\242\300\233\025T\341\002}\237\242\240\273G\260\257\214z\321\001HK«RA\257HC0\"0\257N*1C/,$\252-N1&%&1\261\"/0C*'C\246-\"!/&C*\nb%
> > >  SO\261\067\303\060,17^'*\260\063/\":C7+\261&\"'^1&%\246\061&- 
> > > &0C\267+1&\"'^1\246%0C.6/7\252\"33&-'C\266-0&/& 7\303 
> > > +*/'1&\255C-\".&03\242 
> > > &C6*'3\257\066\060C/*07\316&;7&-'&\247C*R[-/&\265&/^RC ,\255"..., 
> > > in=<optimized out>, len=0) at e_rc4_hmac_md5.c:163
> > > #5  0x00007fc076272b8f in tls1_enc (s=0x209c120, send=1) at t1_enc.c:828
> > > #6  0x00007fc076269e18 in do_ssl3_write (s=0x209c120, type=23,
> > >     buf=0x209cf34 "2 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR 
> > > LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES 
> > > THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED 
> > > I18NLEVEL=1 CON"..., len=285, create_empty_fragment=0) at s3_pkt.c:808
> > > #7  0x00007fc07626a144 in ssl3_write_bytes (s=0x209c120, type=23, 
> > > buf_=0x209cf34, len=<optimized out>) at s3_pkt.c:605
> > > 
> > > 
> > > This looks simular to the AES problem with had, with a length of 0?
> > > 
> > > 
> > > More details are at:
> > > http://bugs.debian.org/666405
> > 
> > http://cvs.openssl.org/chngview?cn=22424 is combined patch.
> 
> This fails like this on non-i386/x86_64 arches:
> ../libcrypto.a(e_rc4_hmac_md5.o): In function `EVP_rc4_hmac_md5':
> /build/buildd-openssl_1.0.1a-1-ia64-b35uCp/openssl-1.0.1a/crypto/evp/e_rc4_hmac_md5.c:294:
>  undefined reference to `OPENSSL_ia32cap_P'
> /build/buildd-openssl_1.0.1a-1-ia64-b35uCp/openssl-1.0.1a/crypto/evp/e_rc4_hmac_md5.c:294:
>  undefined reference to `OPENSSL_ia32cap_P'


I've used this patch to fix it:

Index: openssl-1.0.1a/crypto/evp/e_rc4_hmac_md5.c
===================================================================
--- openssl-1.0.1a.orig/crypto/evp/e_rc4_hmac_md5.c     2012-04-18 
19:51:33.000000000 +0200
+++ openssl-1.0.1a/crypto/evp/e_rc4_hmac_md5.c  2012-04-19 21:53:36.000000000 
+0200
@@ -289,8 +289,14 @@
 
 const EVP_CIPHER *EVP_rc4_hmac_md5(void)
        {
+#if    defined(__i386)   || defined(__i386__)   || defined(_M_IX86) || \
+       defined(__INTEL__) || \
+       defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || 
defined(_M_X64)
        extern unsigned int OPENSSL_ia32cap_P[];
        /* RC4_CHAR flag ------------vvvvv */
        return(OPENSSL_ia32cap_P[0]&(1<<20) ? NULL : &r4_hmac_md5_cipher);
+#else
+       return(&r4_hmac_md5_cipher);
+#endif
        }
 #endif



Kurt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org

Re: [openssl.org #2792] Crash in rc4 on x86_64

Reply via email to