Hi! I'm resending this, seem my initial email (to r...@openssl.org only, Cc:'ed again) didn't show up, neither here, nor in RT.
My coworker Sebastian discovered a glitch while playing with `pkitool' of OpenVPN's `easy-rsa'[1]. This was observed with Debian's libssl-1.0.1g-3: If input for a country name is longer than the expected two bytes. openssl will spit out an endless stream of ----------- >8 ======================= error message = string is too long, it needs to be less than 2 bytes long ========================================= 8< --------- We noticed that there's configury for the country name's length (countryName_min and countryName_max). Those have some effect, but there seems to be a hardcoded limit imposed, too. But whatever is configured as a minimum/maximum length, openssl shouldn't just go to 100% CPU. This is a working testcase: ----------- >8 ========================= testcase.sh = #!/usr/bin/env bash CFG="/tmp/openssl-conf-$$.cnf" export PKCS11TOOL="pkcs11-tool" export PKCS11_MODULE_PATH="dummy" export PKCS11_PIN="dummy" export KEY_EXPIRE=3650 export KEY_ORG=Fort-Funston export KEY_CITY=SanFrancisco export KEY_SIZE=2048 export KEY_OU=MyOrganizationalUnit export KEY_EMAIL=me@myhost.mydomain export KEY_CONFIG="${CFG}" export KEY_NAME=EasyRSA export KEY_COUNTRY=US- export KEY_DIR=/tmp export KEY_CN=Fort-Funston CA export KEY_PROVINCE=CA cat > "${CFG}" << 'EOF' HOME = . RANDFILE = $ENV::HOME/.rnd openssl_conf = openssl_init [ openssl_init ] oid_section = new_oids engines = engine_section [ new_oids ] [ ca ] default_ca = CA_default # The default ca section [ CA_default ] dir = $ENV::KEY_DIR # Where everything is kept certs = $dir # Where the issued certs are kept crl_dir = $dir # Where the issued crl are kept database = $dir/index.txt # database index file. new_certs_dir = $dir # default place for new certs. certificate = $dir/ca.crt # The CA certificate serial = $dir/serial # The current serial number crl = $dir/crl.pem # The current CRL private_key = $dir/ca.key # The private key RANDFILE = $dir/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert default_days = 3650 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = sha256 # use public key default MD preserve = no # keep passed DN ordering policy = policy_anything [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied name = optional emailAddress = optional [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied name = optional emailAddress = optional [ req ] default_bits = $ENV::KEY_SIZE default_keyfile = privkey.pem default_md = sha256 distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert string_mask = nombstr [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = $ENV::KEY_COUNTRY countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = $ENV::KEY_PROVINCE localityName = Locality Name (eg, city) localityName_default = $ENV::KEY_CITY 0.organizationName = Organization Name (eg, company) 0.organizationName_default = $ENV::KEY_ORG organizationalUnitName = Organizational Unit Name (eg, section) commonName = Common Name (eg, your name or your server\'s hostname) commonName_max = 64 name = Name name_max = 64 emailAddress = Email Address emailAddress_default = $ENV::KEY_EMAIL emailAddress_max = 40 organizationalUnitName_default = $ENV::KEY_OU commonName_default = $ENV::KEY_CN name_default = $ENV::KEY_NAME [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name [ usr_cert ] basicConstraints=CA:FALSE nsComment = "Easy-RSA Generated Certificate" subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always extendedKeyUsage=clientAuth keyUsage = digitalSignature [ server ] basicConstraints=CA:FALSE nsCertType = server nsComment = "Easy-RSA Generated Server Certificate" subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always extendedKeyUsage=serverAuth keyUsage = digitalSignature, keyEncipherment [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always basicConstraints = CA:true [ crl_ext ] authorityKeyIdentifier=keyid:always,issuer:always [ engine_section ] [ pkcs11_section ] engine_id = pkcs11 dynamic_path = /usr/lib/engines/engine_pkcs11.so MODULE_PATH = $ENV::PKCS11_MODULE_PATH PIN = $ENV::PKCS11_PIN init = 0 EOF exec openssl req -batch \ -days 3650 \ -nodes \ -new \ -newkey rsa:2048 \ -x509 \ -keyout ca.key \ -out ca.crt \ -config "${CFG}" ========================================= 8< --------- If you change $KEY_COUNTRY back to "US" (or anything else with a length smaller than 3), openssl will work as expected. Thanks, Jan-Benedict [1] https://github.com/OpenVPN/easy-rsa, tested with v2.2.2 . -- Getslash GmbH, Bahnhofstraße 16, 59302 Oelde Tel: +49-2522-834349-5 Fax: +49-2522-834349-1 http://www.getslash.de Mobil: +49-152-33822499 Sitz der Gesellschaft: Oelde Handelsregister: Amtsgericht Münster, HRB 11911 Ust-Id-Nr.: DE 815060326 Geschäftsführung: Andre Peitz, Tobias Hanisch
signature.asc
Description: Digital signature