Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug
We are not going to check for NULL pointers in all arguments. Ever.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug
On 6/20/16, 17:12, "openssl-dev on behalf of Salz, Rich" wrote:
>> Defensive programming is about handling gracefully the cases when the
>> user/caller does something he “is not supposed to do”.
>
> There is a limit.

True.

> Should we return an error code that will most likely be ignored?

Yes, as long as you don’t crash...

> Should the C library be defensive about fprintf, strcpy, etc., etc.?

Heck, yes! There are reasons why sane programmers don’t use strcpy() nowadays. ;)

>> Software that relies on its users doing only the right things…? Really?
>
> OpenSSL *is not* going to check for NULL parameters where you don't
> supply them.

Is the interface partitioned that well? Perhaps it’s my ignorance, but I didn’t think so.

> It never has (not universally) and it never will. If you want another
> language... .:)

;-)
Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug
> Defensive programming is about handling gracefully the cases when the
> user/caller does something he “is not supposed to do”.

There is a limit. Should we return an error code that will most likely be ignored? Should the C library be defensive about fprintf, strcpy, etc., etc.?

> Software that relies on its users doing only the right things…? Really?

OpenSSL *is not* going to check for NULL parameters where you don't supply them. It never has (not universally) and it never will. If you want another language... .:)
Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug
On 6/20/16, 16:48, "openssl-dev on behalf of Rich Salz via RT" wrote:
> You are not supposed to pass NULL into OpenSSL API's. Just like doing this
> will cause a crash
>     strcpy(NULL, "hello")
> in a C program.

Defensive programming is about handling gracefully the cases when the user/caller does something he “is not supposed to do”.

I don’t know if this is an exploitable bug, nor do I care to craft a threat model to assess how bad it could be - but this whole approach doesn’t sound endearing to me.

Software that relies on its users doing only the right things…? Really?
Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug
I know. The register is NULL, therefore it crashes; it doesn't find an address. I'm searching for overflows in OpenSSL, but I found this while searching for something else.

2016-06-20 23:48 GMT+03:00 Rich Salz via RT:
> You are not supposed to pass NULL into OpenSSL API's. Just like doing this
> will cause a crash
>     strcpy(NULL, "hello")
> in a C program.
>
> --
> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4579
> Please log in as guest with password guest if prompted
Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug
Yes, I know. I'm a vulnerability researcher. Thanks.

2016-06-20 21:59 GMT+03:00 Rich Salz via RT:
> When I added this line:
>     if (x509 == NULL) { ERR_print_errors_fp(stderr); exit(1); }
> it complained
>     140259630204736:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:691:Expecting: CERTIFICATE
>
> When I fixed the file to say "BEGIN CERTIFICATE" (added a space) and changed
> the code to print the result of calling the verify routine, it all works.
>
> Closing ticket.
Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug
I have a simple code:

#include <stdio.h>
#include <string.h>
#include <openssl/bio.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/x509.h>

int verify_cert(const char *pem_c_str)
{
    BIO *bio_mem = BIO_new(BIO_s_mem());
    BIO_puts(bio_mem, pem_c_str);
    /* returns NULL when no "-----BEGIN CERTIFICATE-----" line is found */
    X509 *x509 = PEM_read_bio_X509(bio_mem, NULL, NULL, NULL);
    /* no NULL check: a NULL x509 is handed straight to libcrypto below */
    EVP_PKEY *pkey = X509_get_pubkey(x509);
    int r = X509_verify(x509, pkey);
    EVP_PKEY_free(pkey);
    BIO_free(bio_mem);
    X509_free(x509);
    return r;
}

int main(int argc, char **argv)
{
    OpenSSL_add_all_algorithms();
    FILE *fd = NULL;
    char publicKey[4000];
    memset(publicKey, '\0', sizeof(publicKey));
    fd = fopen(argv[1], "r");                        /* was "rw+", which is not a valid mode string */
    fread(publicKey, 1, sizeof(publicKey) - 1, fd);  /* leave room for the terminating NUL */
    fclose(fd);
    verify_cert(publicKey);
    EVP_cleanup();
    return 0;
}

and I have a simple public key:

-----BEGINCERTIFICATE-----
MIIDIjCCAgoCCQCE8H4/ymXyrzANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQGEwJV
UzENMAsGA1UECAwEVXRhaDENMAsGA1UEBwwET3JlbTEQMA4GA1UECgwHT3JnTmFt
ZTEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMTMwNDEwMjIxMjE5WhcNMTQwNDEw
MjIxMjE5WjBTMQswCQYDVQQGEwJVUzENMAsGA1UECAwEVXRhaDENMAsGA1UEBwwE
T3JlbTEQMA4GA1UECgwHT3JnTmFtZTEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCuzA1sONmXPc6aMt+cZExA37OZ
kpVlfMCQUy8tTvqSs81F0DeTUGqq8ACdXT9iMlvENQ04xrtTEHPJcY93cAsaLowX
6pB1y1F+8Jj+rrOwmKjBM9EI0/M9TCS94IGqTcPwgQt1d+XOZ+EdL63SkTQtNFHH
hGs+g9Q+zeSM0uD7WgVxJPWezjnzQUis4j9ICXwMpuAMcmTqmxSqTzOQZAINJ9Hv
sazPMVKs+JPEZvCfP0r61d1C8WLE7QF4nmdmWUTaBO+92piqQSeF7rK3bWmCxJNX
8BFQd6h8g4XviMrybSwzf3JgM2Wxw27Vo9EADZ5Om8EjNPvB2UIbAokCOBN7AgMB
AAEwDQYJKoZIhvcNAQEFBQADggEBAHhm2J8+Dg91S1b/i9LEpn41QSMpyyonzxqo
o45CzJAuV5qN6x7FMBXB+1e+Na4Qn5K/8fJ8Z2M6jIO2MD+gB+ftVY830aN8cm+i
/Cu/iUgB9kaSDLBUZvwu2uSEyDFwdxgmF5jK2BECNTP5A99WtL3w0dE60w5Bq23L
Ivzd7XZF1orR9gJYOGHNK2s3S1vJQLBRvfRi78wfl25jyaZ2JWKGguFpQq1zJkrY
PeCGvx+54fTOTi1PZcL4+xYfA//dvB1DnlHwpNSKnWkcNI5VK6IpDfBlh4ZjB3I3
h6v6zOyvgOcvTXBHmzPsfMym1AmFNTv9/bRlwrKUlGGPaRwSEKU=
-----END CERTIFICATE-----

My program has one input. When I give it the public key as input, the program crashes.

2016-06-20 21:39 GMT+03:00 Salz, Rich via RT:
> Need more information, like a full backtrace and how to reproduce it.
Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug
Need more information, like a full backtrace and how to reproduce it.
Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug
The 1.0.2t version crashed in the same place.

Operating System Version:
Distributor ID: Ubuntu
Description: Ubuntu 14.04.3 LTS
Release: 14.04
Codename: trusty
Linux 3.19.0-28-generic

OpenSSL Version: openssl-1.0.1t
Critical Function: X509_verify();

And:

0x080e15ef in X509_verify (a=a@entry=0x0, r=r@entry=0x0) at x_all.c:75
75          if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature))

Author: Onur TAŞLIOĞLU

2016-06-20 21:24 GMT+03:00 Onur TAŞLIOĞLU:
> OK, I will try the 1.0.2t version and open a new ticket.
>
> Thanks.
>
> 2016-06-20 21:08 GMT+03:00 Rich Salz via RT:
>> 1.0.1 is end of life and only getting bugfixes now.
>> If you can reproduce this on 1.0.2 or master, please open a new ticket.
>> We also need more information, cannot reproduce this issue here.
>> Thanks. closing ticket.
Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug
OK, I will try the 1.0.2t version and open a new ticket.

Thanks.

2016-06-20 21:08 GMT+03:00 Rich Salz via RT:
> 1.0.1 is end of life and only getting bugfixes now.
> If you can reproduce this on 1.0.2 or master, please open a new ticket.
> We also need more information, cannot reproduce this issue here.
> Thanks. closing ticket.