I'm replying on behalf of Philip, who is email challenged at the moment.

"Yeah, combining -url with any of -host, -port, or -path should simply be an error, as -url specifies all three of them (plus http vs https). What's happening is that with -url we have to parse the argument into allocated host, port, and path strings which should be freed, but the -host argument resets the host variable with the raw argv pointer, which must _not_ be freed. Making this a usage error is the best solution, IMO. Bob and I are testing a diff to do so."

I've tested Philip's fix and ok'ed it. Thanks for the report. Having said that, if you're doing stuff for real go use ocspcheck(8) instead.

-Bob

He says:

On Wed, Nov 29, 2017 at 3:49 PM, trondd <[email protected]> wrote:
> >Synopsis: When running 'openssl ocsp' and specifying a -url and a bad -host the result is a core dump and possible double free
> >Category: system
> >Environment:
> System : OpenBSD 6.2
> Details : OpenBSD 6.2-current (GENERIC.MP) #237: Fri Nov 24 21:49:38 MST 2017
> [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> Architecture: OpenBSD.amd64
> Machine : amd64
> >Description:
>
> When using openssl ocsp to try to make an OCSP verification request, there is a core dump (double free?) if you specify -url and then specify a bad -host at the same time. Oddly, if you specify -host first, then -url, it doesn't crash.
>
> This is on a 11/24 snapshot.
> $ openssl version
> LibreSSL 2.6.3
>
> >How-To-Repeat:
>
> I exported the openbsd.org certs with Firefox to demonstrate with.
>
> Here we give a bad hostname which causes the crash:
>
> $ openssl ocsp -issuer Let\'sEncryptAuthorityX3.crt -cert wwwopenbsdorg.crt -text -url http://ocsp.int-x3.letsencrypt.org -host proxy:8080
> OCSP Request Data:
> Version: 1 (0x0)
> Requestor List:
> Certificate ID:
> Hash Algorithm: sha1
> Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
> Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
> Serial Number: 0354E1E112110C442C49995B2D0AD60F927C
> Request Extensions:
> OCSP Nonce:
> 041036E6BD426C59991E274777C4256E483A
> Error connecting BIO
> Error querying OCSP responder
> 25287802291808:error:20FFF066:BIO routines:CRYPTO_internal:bad hostname lookup:/usr/src/lib/libcrypto/bio/b_sock.c:55:getaddrinfo: host='proxy' : no address associated with name'
> openssl(7893) in free(): bogus pointer (double free?) 0x7f7fffff8305
> Abort trap (core dumped)
>
> Here we have a no route to host and we crash:
>
> $ openssl ocsp -issuer Let\'sEncryptAuthorityX3.crt -cert wwwopenbsdorg.crt -text -url http://ocsp.int-x3.letsencrypt.org -host proxy.com:8080
> OCSP Request Data:
> Version: 1 (0x0)
> Requestor List:
> Certificate ID:
> Hash Algorithm: sha1
> Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
> Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
> Serial Number: 0354E1E112110C442C49995B2D0AD60F927C
> Request Extensions:
> OCSP Nonce:
> 0410008BC7317D20CC283FE054DF91372A61
> Error connecting BIO
> Error querying OCSP responder
> 4346488413024:error:02FFF041:system library:func(4095):No route to host:/usr/src/lib/libcrypto/bio/bss_conn.c:244:host=proxy.com:8080
> 4346488413024:error:20FFF067:BIO routines:CRYPTO_internal:connect error:/usr/src/lib/libcrypto/bio/bss_conn.c:247:
> openssl(95665) in free(): bogus pointer (double free?) 0x7f7ffffe03c5
> Abort trap (core dumped)
>
> No route to host in just -url, fails cleanly:
>
> $ openssl ocsp -issuer Let\'sEncryptAuthorityX3.crt -cert wwwopenbsdorg.crt -text -url http://proxy.com:8080
> OCSP Request Data:
> Version: 1 (0x0)
> Requestor List:
> Certificate ID:
> Hash Algorithm: sha1
> Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
> Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
> Serial Number: 0354E1E112110C442C49995B2D0AD60F927C
> Request Extensions:
> OCSP Nonce:
> 04108D7FF462D5DD53AC56C8522B7748F475
> Error connecting BIO
> Error querying OCSP responder
> 16867518887008:error:02FFF041:system library:func(4095):No route to host:/usr/src/lib/libcrypto/bio/bss_conn.c:244:host=proxy.com:8080
> 16867518887008:error:20FFF067:BIO routines:CRYPTO_internal:connect error:/usr/src/lib/libcrypto/bio/bss_conn.c:247:
>
> No route to host in just -host fails cleanly:
>
> $ openssl ocsp -issuer Let\'sEncryptAuthorityX3.crt -cert wwwopenbsdorg.crt -text -host proxy.com:8080
> OCSP Request Data:
> Version: 1 (0x0)
> Requestor List:
> Certificate ID:
> Hash Algorithm: sha1
> Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
> Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
> Serial Number: 0354E1E112110C442C49995B2D0AD60F927C
> Request Extensions:
> OCSP Nonce:
> 0410908E994C8B6E11B0E898872ADC9581B7
> Error connecting BIO
> Error querying OCSP responder
> 23554861359968:error:02FFF041:system library:func(4095):No route to host:/usr/src/lib/libcrypto/bio/bss_conn.c:244:host=proxy.com:8080
> 23554861359968:error:20FFF067:BIO routines:CRYPTO_internal:connect error:/usr/src/lib/libcrypto/bio/bss_conn.c:247:
>
> Reverse the failed parameters and it doesn't crash but times out:
>
> $ openssl ocsp -issuer Let\'sEncryptAuthorityX3.crt -cert wwwopenbsdorg.crt -text -host proxy.com:8080 -url http://ocsp.int-x3.letsencrypt.org
> OCSP Request Data:
> Version: 1 (0x0)
> Requestor List:
> Certificate ID:
> Hash Algorithm: sha1
> Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
> Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
> Serial Number: 0354E1E112110C442C49995B2D0AD60F927C
> Request Extensions:
> OCSP Nonce:
> 0410B3B151DB0FA53DB0CFD1DBAAB2EE41F5
> Error connecting BIO
> Error querying OCSP responder
> 20274924111136:error:02FFF03C:system library:func(4095):Operation timed out:/usr/src/lib/libcrypto/bio/bss_conn.c:244:host=ocsp.int-x3.letsencrypt.org:80
> 20274924111136:error:20FFF067:BIO routines:CRYPTO_internal:connect error:/usr/src/lib/libcrypto/bio/bss_conn.c:247:
>
> Running one of the failure cases through gdb for a backtrace:
>
> $ gdb openssl.core --args openssl ocsp -issuer Let\'sEncryptAuthorityX3.crt -cert wwwopenbsdorg.crt -text -url http://ocsp.int-x3.letsencrypt.org -host proxy.com:8080
> GNU gdb 6.3
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "amd64-unknown-openbsd6.2"...(no debugging symbols found)
>
> (gdb) run
> Starting program: /usr/bin/openssl ocsp -issuer Let\'sEncryptAuthorityX3.crt -cert wwwopenbsdorg.crt -text -url http://ocsp.int-x3.letsencrypt.org -host proxy.com:8080
> (no debugging symbols found)
> OCSP Request Data:
> Version: 1 (0x0)
> Requestor List:
> Certificate ID:
> Hash Algorithm: sha1
> Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
> Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
> Serial Number: 0354E1E112110C442C49995B2D0AD60F927C
> Request Extensions:
> OCSP Nonce:
> 0410EC61A7D7CFB6025D0413DFE82445072F
> Error connecting BIO
> Error querying OCSP responder
> 9183520478944:error:02FFF041:system library:func(4095):No route to host:/usr/src/lib/libcrypto/bio/bss_conn.c:244:host=proxy.com:8080
> 9183520478944:error:20FFF067:BIO routines:CRYPTO_internal:connect error:/usr/src/lib/libcrypto/bio/bss_conn.c:247:
> openssl(13096) in free(): bogus pointer (double free?) 0x7f7ffffd47ae
>
> Program received signal SIGABRT, Aborted.
> thrkill () at -:3
> 3 -: No such file or directory.
> in -
> Current language: auto; currently asm
> (gdb) bt
> #0 thrkill () at -:3
> #1 0x0000085a06956a2e in _libc_abort () at /usr/src/lib/libc/stdlib/abort.c:51
> #2 0x0000085a069befd9 in wrterror (d=Variable "d" is not available. ) at /usr/src/lib/libc/stdlib/malloc.c:293
> #3 0x0000085a069bf302 in ofree (argpool=Variable "argpool" is not available.
> ) at /usr/src/lib/libc/stdlib/malloc.c:1319
> #4 0x0000085a069bf0b9 in free (ptr=0x7f7ffffd47ae) at /usr/src/lib/libc/stdlib/malloc.c:1435
> #5 0x00000857e521a895 in enc_main () from /usr/bin/openssl
> #6 0x00000857e521cee4 in enc_main () from /usr/bin/openssl
> #7 0x00000857e521cbfc in enc_main () from /usr/bin/openssl
> #8 0x00000857e52040f6 in ?? () from /usr/bin/openssl
> #9 0x0000000000000000 in ?? ()
> (gdb)
>
> dmesg:
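
The ownership mix-up Philip describes, as an added example that is not part of the original thread and not LibreSSL's code: a simplified model of the option parser in which -url stores a heap copy of the host and -host stores the raw argv pointer, showing why the order of the two options matters and how a usage error removes the case. All names, the ocsp.example URL and the cleanup condition are assumptions of the model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the option state; all names here are illustrative. */
struct opts {
    char *host;      /* heap copy after -url, raw argv pointer after -host */
    int host_owned;  /* 1 only while host points at the heap copy */
    int saw_url, saw_host;
};
/* Stand-in for URL parsing: returns a heap copy of the host part. */
static char *url_host_dup(const char *url) {
    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;
    size_t n = strcspn(p, ":/");
    char *h = calloc(1, n + 1);
    if (h != NULL) memcpy(h, p, n);
    return h;
}

/* strict != 0 applies the fix: -url with -host is a usage error (-1). */
int parse_opts(int argc, char **argv, int strict, struct opts *o) {
    memset(o, 0, sizeof(*o));
    for (int i = 0; i + 1 < argc; i += 2) {
        int is_url = strcmp(argv[i], "-url") == 0;
        if (!is_url && strcmp(argv[i], "-host") != 0) continue;
        if (o->host_owned) free(o->host);  /* model only: do not leak */
        o->host = is_url ? url_host_dup(argv[i + 1]) : argv[i + 1];
        o->host_owned = is_url;
        if (is_url) o->saw_url = 1; else o->saw_host = 1;
    }
    if (!strict || !o->saw_url || !o->saw_host) return 0;
    if (o->host_owned) free(o->host);
    o->host = NULL; o->host_owned = 0;
    return -1;
}
/* Assumed cleanup rule: "-url was given, so free host". True when that
   rule would hand free() a pointer into argv. */
int cleanup_would_free_argv(const struct opts *o) {
    return o->saw_url && !o->host_owned && o->host != NULL;
}

int main(void) {
    /* Constructed arguments mirroring the crashing order in the report. */
    char *bad[] = { "-url", "http://ocsp.example", "-host", "proxy:8080" };
    struct opts o;
    parse_opts(4, bad, 0, &o);
    printf("unchecked: frees argv pointer = %d\n", cleanup_would_free_argv(&o));
    printf("strict: rc = %d\n", parse_opts(4, bad, 1, &o));
    return 0;
}
```

With -host given before -url the model ends up holding the heap copy, which matches the report's observation that the reversed order does not crash.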
