CC'ing tech@.
The last commit to bn_print.c is wrong, it dereferences t while it's still NULL.
Backout diff below.
On 2015/09/17 22:42, Mikolaj Kucharski wrote:
> Hi,
>
> Does anyone see this as well? I've just upgraded to:
>
> OpenBSD 5.8-current (GENERIC) #1164: Wed Sep 16 21:16:53 MDT 2015
> dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
>
> and to openvpn-2.3.8 from packages but it segfaulted during connecting
> by remote client. Then I've recompiled by hand with DEBUG='-g' from
> ports and now running openvpn-2.3.8p1, but facing the same issue.
>
> To be able to get core dump, needed to run openvpn as root, but the same
> segfault happens when openvpn drops priviliges.
>
> Before that I was running snapshot from Aug 13 with packages and I
> didn't had that problem.
>
> Let me know if you need any more info.
>
>
> # /usr/local/sbin/openvpn --cd /etc/openvpn --config server.conf --mtu-test
> Thu Sep 17 22:16:17 2015 OpenVPN 2.3.8 i386-unknown-openbsd5.8 [SSL
> (OpenSSL)] [LZO] [MH] [IPv6] built on Sep 17 2015
> Thu Sep 17 22:16:17 2015 library versions: LibreSSL 2.3.0, LZO 2.09
> Thu Sep 17 22:16:17 2015 mlockall call succeeded
> Thu Sep 17 22:16:17 2015 WARNING: you are using chroot without specifying
> user and group -- this may cause the chroot jail to be insecure
> Thu Sep 17 22:16:22 2015 Diffie-Hellman initialized with 4096 bit key
> Thu Sep 17 22:16:22 2015 Control Channel Authentication: using
> 'certs/hmac.key' as a OpenVPN static key file
> Thu Sep 17 22:16:22 2015 Outgoing Control Channel Authentication: Using 512
> bit message hash 'SHA512' for HMAC authentication
> Thu Sep 17 22:16:22 2015 Incoming Control Channel Authentication: Using 512
> bit message hash 'SHA512' for HMAC authentication
> Thu Sep 17 22:16:22 2015 Socket Buffers: R=[41600->65536] S=[9216->65536]
> Thu Sep 17 22:16:22 2015 TUN/TAP device tun2 exists previously, keep at
> program end
> Thu Sep 17 22:16:22 2015 TUN/TAP device /dev/tun2 opened
> Thu Sep 17 22:16:22 2015 do_ifconfig, tt->ipv6=1,
> tt->did_ifconfig_ipv6_setup=1
> Thu Sep 17 22:16:22 2015 /sbin/ifconfig tun2 192.168.202.1 192.168.202.1 mtu
> 1500 netmask 255.255.255.0 up -link0
> Thu Sep 17 22:16:22 2015 /sbin/ifconfig tun2 inet6
> 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:1/64
> Thu Sep 17 22:16:22 2015
> add_route_ipv6(2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:/64 ->
> 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:1 metric 0) dev tun2
> Thu Sep 17 22:16:22 2015 /sbin/route add -inet6
> 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx: -prefixlen 64
> 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:1
> route: writing to routing socket: File exists
> add net 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:: gateway
> 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:1: File exists
> Thu Sep 17 22:16:22 2015 ERROR: OpenBSD route add -inet6 command failed:
> external program exited with error status: 1
> Thu Sep 17 22:16:22 2015 /sbin/route add -net 192.168.202.0 192.168.202.1
> -netmask 255.255.255.0
> add net 192.168.202.0: gateway 192.168.202.1
> Thu Sep 17 22:16:22 2015 chroot to '/var/openvpn' and cd to '/' succeeded
> Thu Sep 17 22:16:22 2015 UDPv4 link local (bound): [undef]
> Thu Sep 17 22:16:22 2015 UDPv4 link remote: [undef]
> Thu Sep 17 22:16:22 2015 MULTI: multi_init called, r=256 v=256
> Thu Sep 17 22:16:22 2015 IFCONFIG POOL IPv6: (IPv4) size=252,
> size_ipv6=65536, netbits=64, base_ipv6=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:1000
> Thu Sep 17 22:16:22 2015 IFCONFIG POOL: base=192.168.202.2 size=252, ipv6=1
> Thu Sep 17 22:16:22 2015 Initialization Sequence Completed
> Thu Sep 17 22:16:32 2015 83.xxx.xxx.xxx:48100 TLS: Initial packet from
> [AF_INET]83.xxx.xxx.xxx:48100, sid=41b68ea4 12015b6e
> Segmentation fault (core dumped)
>
>
>
> (gdb) bt
> #0 BN_bn2dec (a=0x805e8460) at
> /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bn/bn_print.c:117
> #1 0x179a2aa0 in backend_x509_get_serial (cert=0x8308b500, gc=0xcf7d0320) at
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify_openssl.c:229
> #2 0x179a0345 in verify_cert_set_env (x509_track=<optimized out>,
> common_name=<optimized out>, subject=<optimized out>, cert_depth=<optimized
> out>, peer_cert=<optimized out>, es=0x78d2d230) at
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify.c:438
> #3 verify_cert (session=0x8130a6bc, cert=0x8308b500, cert_depth=0) at
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify.c:665
> #4 0x179a2d26 in verify_callback (preverify_ok=1, ctx=0xcf7d05d4) at
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify_openssl.c:84
> #5 0x05aebfcf in internal_verify (ctx=0xcf7d05d4) at
> /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/x509/x509_vfy.c:1612
> #6 0x05aed6b2 in X509_verify_cert (ctx=0xcf7d05d4) at
> /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/x509/x509_vfy.c:374
> #7 0x092eab0a in ssl_verify_cert_chain (s=0x87394000, sk=0x847b88c0) at
> /usr/src/lib/libssl/ssl/../../libssl/src/ssl/ssl_cert.c:452
> #8 0x092e57d4 in ssl3_get_client_certificate (s=0x87394000) at
> /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s3_srvr.c:2385
> #9 0x092e96e5 in ssl3_accept (s=0x87394000) at
> /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s3_srvr.c:447
> #10 0x092d7f5a in ssl3_read_bytes (s=0x87394000, type=23, buf=0x87395800 "",
> len=2048, peek=0) at /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s3_pkt.c:890
> #11 0x092d8f96 in ssl3_read_internal (s=0x87394000, buf=0x87395800, len=2048,
> peek=0) at /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s3_lib.c:2743
> #12 0x092cb208 in SSL_read (s=0x78d2d720, buf=0x87395800, num=2048) at
> /usr/src/lib/libssl/ssl/../../libssl/src/ssl/ssl_lib.c:957
> #13 0x092c2736 in ssl_read (b=0x7af2d840, out=0x87395800 "", outl=2048) at
> /usr/src/lib/libssl/ssl/../../libssl/src/ssl/bio_ssl.c:156
> #14 0x05b3e581 in BIO_read (b=0x7af2d840, out=0x87395800, outl=2048) at
> /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bio/bio_lib.c:217
> #15 0x1799cb4f in bio_read (bio=0x7af2d840, buf=0x8130a824, maxlen=2048,
> desc=0x37948f3d "tls_read_plaintext") at
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_openssl.c:1098
> #16 0x17999ee2 in tls_process (multi=0x8130a520, session=0x8130a6bc,
> to_link=0x81309e90, to_link_addr=0xcf7d0b40, to_link_socket_info=0x85f054c4,
> wakeup=0xcf7d0b84) at
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl.c:2411
> #17 0x1799c1e2 in tls_multi_process (multi=0x8130a520, to_link=0x81309e90,
> to_link_addr=0x81309c34, to_link_socket_info=0x85f054c4, wakeup=0xcf7d0b84)
> at /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl.c:2635
> #18 0x1793e1f4 in check_tls_dowork (c=0x813096b0) at
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/forward.c:100
> #19 0x1793eb38 in check_tls (c=<optimized out>) at
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/forward-inline.h:41
> #20 pre_select (c=0x813096b0) at
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/forward.c:1331
> #21 0x1795faa6 in multi_process_post (m=0xcf7d0f44, mi=0x81309630,
> flags=<optimized out>) at
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/multi.c:2050
> #22 0x17961d5a in multi_process_incoming_link (m=0xcf7d0f44, instance=0x0,
> mpp_flags=5) at
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/multi.c:2293
> #23 0x1795b8ba in multi_process_io_udp (m=<optimized out>) at
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/mudp.c:173
> #24 tunnel_server_udp_single_threaded (top=<optimized out>) at
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/mudp.c:266
> #25 tunnel_server_udp (top=0xcf7d19b0) at
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/mudp.c:288
> #26 0x1795bcfd in tunnel_server (top=0xcf7d19b0) at
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/multi.c:2875
> #27 0x1796447c in openvpn_main (argv=<optimized out>, argc=<optimized out>)
> at /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/openvpn.c:271
> #28 main (argc=6, argv=0xcf7d2364) at
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/openvpn.c:342
> (gdb)
>
>
> --
> best regards
> q#
>
Index: src/crypto/bn/bn_print.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/crypto/bn/bn_print.c,v
retrieving revision 1.25
diff -u -p -r1.25 bn_print.c
--- src/crypto/bn/bn_print.c 13 Sep 2015 16:02:11 -0000 1.25
+++ src/crypto/bn/bn_print.c 17 Sep 2015 22:18:44 -0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_print.c,v 1.25 2015/09/13 16:02:11 deraadt Exp $ */
+/* $OpenBSD: bn_print.c,v 1.24 2015/09/13 15:59:29 deraadt Exp $ */
/* Copyright (C) 1995-1998 Eric Young (e...@cryptsoft.com)
* All rights reserved.
*
@@ -114,20 +114,6 @@ BN_bn2dec(const BIGNUM *a)
BIGNUM *t = NULL;
BN_ULONG *bn_data = NULL, *lp;
- if (BN_is_zero(t)) {
- buf = malloc(BN_is_negative(t) + 2);
- if (buf == NULL) {
- BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- p = buf;
- if (BN_is_negative(t))
- *(p++) = '-';
- *(p++) = '0';
- *(p++) = '\0';
- return (buf);
- }
-
/* get an upper bound for the length of the decimal integer
* num <= (BN_num_bits(a) + 1) * log(2)
* <= 3 * BN_num_bits(a) * 0.1001 + log(2) + 1 (rounding error)
@@ -147,26 +133,31 @@ BN_bn2dec(const BIGNUM *a)
#define BUF_REMAIN (num+3 - (size_t)(p - buf))
p = buf;
lp = bn_data;
- if (BN_is_negative(t))
- *p++ = '-';
+ if (BN_is_zero(t)) {
+ *(p++) = '0';
+ *(p++) = '\0';
+ } else {
+ if (BN_is_negative(t))
+ *p++ = '-';
- i = 0;
- while (!BN_is_zero(t)) {
- *lp = BN_div_word(t, BN_DEC_CONV);
- lp++;
- }
- lp--;
- /* We now have a series of blocks, BN_DEC_NUM chars
- * in length, where the last one needs truncation.
- * The blocks need to be reversed in order. */
- snprintf(p, BUF_REMAIN, BN_DEC_FMT1, *lp);
- while (*p)
- p++;
- while (lp != bn_data) {
+ i = 0;
+ while (!BN_is_zero(t)) {
+ *lp = BN_div_word(t, BN_DEC_CONV);
+ lp++;
+ }
lp--;
- snprintf(p, BUF_REMAIN, BN_DEC_FMT2, *lp);
+ /* We now have a series of blocks, BN_DEC_NUM chars
+ * in length, where the last one needs truncation.
+ * The blocks need to be reversed in order. */
+ snprintf(p, BUF_REMAIN, BN_DEC_FMT1, *lp);
while (*p)
p++;
+ while (lp != bn_data) {
+ lp--;
+ snprintf(p, BUF_REMAIN, BN_DEC_FMT2, *lp);
+ while (*p)
+ p++;
+ }
}
ok = 1;
