Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

2016-06-20 Thread Salz, Rich
We are not going to check for NULL pointers in all arguments.  Ever.
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

2016-06-20 Thread Blumenthal, Uri - 0553 - MITLL
On 6/20/16, 17:12, "openssl-dev on behalf of Salz, Rich" wrote:

>> Defensive programming is about handling gracefully the cases when the
>> user/caller does something he “is not supposed to do”.
>
>There is a limit.

True.

>Should we return an error code that will most likely be ignored?

Yes, as long as you don’t crash...

>Should the C library be defensive about fprintf, strcpy, etc., etc.?

Heck, yes! There are reasons why sane programmers don’t use strcpy()
nowadays. ;)

>>Software that relies on its users doing only the right things…? Really?
>
>OpenSSL *is not* going to check for NULL parameters where you don't
>supply them.  

Is the interface partitioned that well? Perhaps it’s my ignorance, but I
didn’t think so.

>It never has (not universally) and it never will.  If you want another
>language... .:)

;-)




Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

2016-06-20 Thread Salz, Rich
> Defensive programming is about handling gracefully the cases when the
> user/caller does something he “is not supposed to do”.

There is a limit.

Should we return an error code that will most likely be ignored?

Should the C library be defensive about fprintf, strcpy, etc., etc.?

> Software that relies on its users doing only the right things…? Really?

OpenSSL *is not* going to check for NULL parameters where you don't supply 
them.  It never has (not universally) and it never will.  If you want another 
language... .:)


Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

2016-06-20 Thread Blumenthal, Uri - 0553 - MITLL
On 6/20/16, 16:48, "openssl-dev on behalf of Rich Salz via RT" wrote:

>You are not supposed to pass NULL into OpenSSL APIs. Just like doing
>this will cause a crash: strcpy(NULL, "hello") in a C program.

Defensive programming is about handling gracefully the cases when the
user/caller does something he “is not supposed to do”.

I don’t know if this is an exploitable bug, nor do I care to craft a
threat model to assess how bad it could be - but this whole approach
doesn’t sound endearing to me. Software that relies on its users doing
only the right things…? Really?




Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

2016-06-20 Thread Onur TAŞLIOĞLU via RT
I know. The register is NULL, therefore it crashes; it doesn't find the
address. I was searching for an overflow in OpenSSL, but I found this
while searching for something else.

2016-06-20 23:48 GMT+03:00 Rich Salz via RT:

> You are not supposed to pass NULL into OpenSSL APIs. Just like doing this
> will cause a crash: strcpy(NULL, "hello") in a C program.

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4579
Please log in as guest with password guest if prompted



Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

2016-06-20 Thread Onur TAŞLIOĞLU via RT
Yes, I know. I'm a vulnerability researcher.

Thanks.

2016-06-20 21:59 GMT+03:00 Rich Salz via RT:

> When I added this line:
> if (x509 == NULL) { ERR_print_errors_fp(stderr); exit(1); }
> it complained
> 140259630204736:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:crypto/pem/pem_lib.c:691:Expecting: CERTIFICATE
>
>
> When I fixed the file to say "BEGIN CERTIFICATE" (added a space) and
> changed
> the code to print the result of calling the verify routine, it all works.
>
> Closing ticket.

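The "no start line" error quoted above comes from a very literal matching rule: OpenSSL's PEM reader (PEM_read_bio() in 1.0.x) only treats a line as a start line if it begins with the eleven characters `-----BEGIN ` (space included) and ends with `-----`, and the type name in between has to be the one the caller asked for ("Expecting: CERTIFICATE"). A header written as `-----BEGINCERTIFICATE-----` is therefore skipped like any other line, the reader runs off the end of the input, and the caller gets NULL. The following is an added example, not code from the thread or from OpenSSL; it re-implements that rule in plain C so it runs without libcrypto. The function names, the result codes and the abridged certificate body are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Result codes the caller must check: a distinct value per failure. */
enum pem_status {
    PEM_OK = 0,
    PEM_NO_START_LINE,  /* no "-----BEGIN <type>-----" line: OpenSSL's "no start line" */
    PEM_BAD_END_LINE,   /* body not closed by "-----END <type>-----" */
    PEM_BODY_TOO_LARGE
};

/* Copy the next line of *p into line (newline and trailing whitespace
 * stripped) and advance *p. Returns 0 once the input is exhausted. */
static int next_line(const char **p, char *line, size_t cap)
{
    const char *s = *p;
    size_t n;
    if (*s == '\0')
        return 0;
    n = strcspn(s, "\n");
    if (n >= cap)
        n = cap - 1;
    memcpy(line, s, n);
    line[n] = '\0';
    while (n > 0 && (unsigned char)line[n - 1] <= ' ')
        line[--n] = '\0';
    s += strcspn(s, "\n");
    if (*s == '\n')
        s++;
    *p = s;
    return 1;
}

/* Find "-----BEGIN <expected>-----" and copy the lines up to the matching
 * END line into body. The prefix test mirrors PEM_read_bio() in OpenSSL 1.0.x
 * (strncmp(buf, "-----BEGIN ", 11)); this is example code, not OpenSSL's. */
enum pem_status pem_extract(const char *pem, const char *expected,
                            char *body, size_t bodycap)
{
    char line[256], want[128];
    size_t used = 0;
    int found = 0;

    snprintf(want, sizeof want, "-----BEGIN %s-----", expected);
    while (next_line(&pem, line, sizeof line)) {
        if (strcmp(line, want) == 0) {  /* every other line is skipped */
            found = 1;
            break;
        }
    }
    if (!found)
        return PEM_NO_START_LINE;

    snprintf(want, sizeof want, "-----END %s-----", expected);
    body[0] = '\0';
    while (next_line(&pem, line, sizeof line)) {
        size_t n = strlen(line);
        if (strcmp(line, want) == 0)
            return PEM_OK;
        if (strncmp(line, "-----", 5) == 0)  /* some other marker: malformed */
            return PEM_BAD_END_LINE;
        if (used + n + 1 > bodycap)
            return PEM_BODY_TOO_LARGE;
        memcpy(body + used, line, n);
        used += n;
        body[used] = '\0';
    }
    return PEM_BAD_END_LINE;  /* input ended before the END line */
}

/* Constructed inputs: header exactly as posted in the report, and with the
 * space after BEGIN. The base64 body is abridged to the first two and the
 * last line of the posted certificate; only the markers matter here. */
#define ABRIDGED_BODY \
    "MIIDIjCCAgoCCQCE8H4/ymXyrzANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQGEwJV\n" \
    "UzENMAsGA1UECAwEVXRhaDENMAsGA1UEBwwET3JlbTEQMA4GA1UECgwHT3JnTmFt\n" \
    "h6v6zOyvgOcvTXBHmzPsfMym1AmFNTv9/bRlwrKUlGGPaRwSEKU=\n"
const char broken_pem[] = "-----BEGINCERTIFICATE-----\n" ABRIDGED_BODY "-----END CERTIFICATE-----\n";
const char fixed_pem[]  = "-----BEGIN CERTIFICATE-----\n" ABRIDGED_BODY "-----END CERTIFICATE-----\n";

char pem_body[4096];

/* What a caller that asked for a certificate sees. */
enum pem_status check_cert_pem(const char *pem)
{
    return pem_extract(pem, "CERTIFICATE", pem_body, sizeof pem_body);
}

int main(void)
{
    printf("as posted : status %d\n", check_cert_pem(broken_pem));  /* 1 = PEM_NO_START_LINE */
    printf("with space: status %d\n", check_cert_pem(fixed_pem));   /* 0 = PEM_OK */
    return 0;
}
```

Asking for a different type (say "RSA PRIVATE KEY") on the same input also yields PEM_NO_START_LINE, which is why OpenSSL's error text carries the "Expecting:" hint: the reader never found a start line for the type the caller wanted, whatever else the file contained.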


Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

2016-06-20 Thread Onur TAŞLIOĞLU via RT
I have some simple code:

#include <stdio.h>
#include <string.h>
#include <openssl/bio.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/x509.h>

int verify_cert(const char *pem_c_str)
{
    BIO *bio_mem = BIO_new(BIO_s_mem());
    BIO_puts(bio_mem, pem_c_str);
    /* Returns NULL when no "-----BEGIN CERTIFICATE-----" line is found.
     * The result is used unchecked below; that is the NULL dereference
     * reported in this ticket (X509_verify(a=0x0, ...) in the backtrace). */
    X509 *x509 = PEM_read_bio_X509(bio_mem, NULL, NULL, NULL);

    EVP_PKEY *pkey = X509_get_pubkey(x509);
    int r = X509_verify(x509, pkey);
    EVP_PKEY_free(pkey);

    BIO_free(bio_mem);
    X509_free(x509);
    return r;
}

int main(int argc, char **argv)
{
    OpenSSL_add_all_algorithms();

    FILE *fd = NULL;
    char publicKey[4000];
    memset(publicKey, '\0', sizeof(publicKey));
    if (argc < 2 || (fd = fopen(argv[1], "r")) == NULL) {
        perror("fopen");
        return 1;
    }
    /* read at most sizeof-1 bytes so the buffer stays NUL-terminated */
    fread(publicKey, 1, sizeof(publicKey) - 1, fd);
    fclose(fd);

    verify_cert(publicKey);
    EVP_cleanup();
    return 0;
}


and I have a simple public key:

-----BEGINCERTIFICATE-----
MIIDIjCCAgoCCQCE8H4/ymXyrzANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQGEwJV
UzENMAsGA1UECAwEVXRhaDENMAsGA1UEBwwET3JlbTEQMA4GA1UECgwHT3JnTmFt
ZTEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMTMwNDEwMjIxMjE5WhcNMTQwNDEw
MjIxMjE5WjBTMQswCQYDVQQGEwJVUzENMAsGA1UECAwEVXRhaDENMAsGA1UEBwwE
T3JlbTEQMA4GA1UECgwHT3JnTmFtZTEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCuzA1sONmXPc6aMt+cZExA37OZ
kpVlfMCQUy8tTvqSs81F0DeTUGqq8ACdXT9iMlvENQ04xrtTEHPJcY93cAsaLowX
6pB1y1F+8Jj+rrOwmKjBM9EI0/M9TCS94IGqTcPwgQt1d+XOZ+EdL63SkTQtNFHH
hGs+g9Q+zeSM0uD7WgVxJPWezjnzQUis4j9ICXwMpuAMcmTqmxSqTzOQZAINJ9Hv
sazPMVKs+JPEZvCfP0r61d1C8WLE7QF4nmdmWUTaBO+92piqQSeF7rK3bWmCxJNX
8BFQd6h8g4XviMrybSwzf3JgM2Wxw27Vo9EADZ5Om8EjNPvB2UIbAokCOBN7AgMB
AAEwDQYJKoZIhvcNAQEFBQADggEBAHhm2J8+Dg91S1b/i9LEpn41QSMpyyonzxqo
o45CzJAuV5qN6x7FMBXB+1e+Na4Qn5K/8fJ8Z2M6jIO2MD+gB+ftVY830aN8cm+i
/Cu/iUgB9kaSDLBUZvwu2uSEyDFwdxgmF5jK2BECNTP5A99WtL3w0dE60w5Bq23L
Ivzd7XZF1orR9gJYOGHNK2s3S1vJQLBRvfRi78wfl25jyaZ2JWKGguFpQq1zJkrY
PeCGvx+54fTOTi1PZcL4+xYfA//dvB1DnlHwpNSKnWkcNI5VK6IpDfBlh4ZjB3I3
h6v6zOyvgOcvTXBHmzPsfMym1AmFNTv9/bRlwrKUlGGPaRwSEKU=
-----END CERTIFICATE-----

My program has one input. When I give it a public key as input, the
program crashes.

2016-06-20 21:39 GMT+03:00 Salz, Rich via RT:

> Need more information, like a full backtrace and how to reproduce it.



Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

2016-06-20 Thread Salz, Rich via RT
Need more information, like a full backtrace and how to reproduce it.



Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

2016-06-20 Thread Onur TAŞLIOĞLU via RT
The 1.0.2t version crashed in the same place.

Operating System Version:
Distributor ID: Ubuntu
Description: Ubuntu 14.04.3 LTS
Release: 14.04
Codename: trusty
Linux 3.19.0-28-generic

OpenSSL Version : openssl-1.0.1t

Critical function: X509_verify();

And:

0x080e15ef in X509_verify (a=a@entry=0x0, r=r@entry=0x0) at x_all.c:75
75 if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature))

Author: Onur TAŞLIOĞLU


2016-06-20 21:24 GMT+03:00 Onur TAŞLIOĞLU:

> OK, I will try the 1.0.2t version and open a new ticket.
>
> Thanks.
>
> 2016-06-20 21:08 GMT+03:00 Rich Salz via RT:
>
>> 1.0.1 is end of life and only getting bugfixes now.
>> If you can reproduce this on 1.0.2 or master, please open a new ticket.
>> We also need more information, cannot reproduce this issue here.
>> Thanks. closing ticket.



Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

2016-06-20 Thread Onur TAŞLIOĞLU via RT
OK, I will try the 1.0.2t version and open a new ticket.

Thanks.

2016-06-20 21:08 GMT+03:00 Rich Salz via RT:

> 1.0.1 is end of life and only getting bugfixes now.
> If you can reproduce this on 1.0.2 or master, please open a new ticket.
> We also need more information, cannot reproduce this issue here.
> Thanks. closing ticket.
