On Apr 1, 2005 11:40 PM, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Larry Riffle <[EMAIL PROTECTED]> wrote:
> > I'm trying to decide if this is just a couple of us doing something
> > wrong or if check_cert_cn is broken.
> 
>  It might be broken.
> 
> > Does anybody have it working on any platform? By "working" I mean when
> > the CN doesn't match your server doesn't crash.
> 
>  I haven't tested it.
> 
> > > 177                     radlog(L_INFO, "--> User-Name = %s", 
> > > handler->identity);
> 
>  The identity SHOULD NOT be NULL.  The rest of the EAP code ensures
> that IF the handler exists, THEN the identity is valid.  I'm confused
> by why this is happening at all...
> 
>  Hmm.... in rlm_eap_tls.c, function eaptls_authenticate(), try adding
> the following code at the top:
> 
> ...
>        EAP_HANDLER *ssl_handler = SSL_get_ex_data(ssn->ssl, 0);
> 
>        rad_assert(ssl_handler == handler);
> ...

 */
static int eaptls_authenticate(void *arg UNUSED, EAP_HANDLER *handler)
{
        eaptls_status_t status;
        tls_session_t *tls_session = (tls_session_t *) handler->opaque;

        EAP_HANDLER *ssl_handler = SSL_get_ex_data(tls_session->ssl, 0);

        rad_assert(ssl_handler == handler);

        DEBUG2("  rlm_eap_tls: Authenticate");

Added the code, changed ssn to tls_session, as ssn is not available in
this function; no assertion error, coredumps at the same place as before.

#0  0x001c75ce in cbtls_verify (ok=1, ctx=0xbfe934b0) at cb.c:177
177                     radlog(L_INFO, "--> User-Name = %s", handler->identity);
(gdb) bt
#0  0x001c75ce in cbtls_verify (ok=1, ctx=0xbfe934b0) at cb.c:177
#1  0x035dcc58 in X509_verify_cert () from /lib/libcrypto.so.4
#2  0x035dc1a0 in X509_verify_cert () from /lib/libcrypto.so.4
#3  0x00d6dcc6 in ssl_verify_cert_chain () from /lib/libssl.so.4


>   If that assertion fails, then the problem is that the handler is
> getting freed part-way through the SSL session, when it shouldn't be.
> 
>  A hack to fix it would be to add one line to the top of that function:
> 
>        SSL_set_ex_data(ssn->ssl, 0, handler);
> 
>  That SHOULD work around the problem.  If so, I'll commit a fix.
> 
>  Alan DeKok.


Willem Eradus

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
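As an added illustration of the pattern discussed in this thread (not FreeRADIUS or OpenSSL code): the EAP handler is attached to the TLS session in ex_data slot 0 and fetched again inside the certificate-verify callback, which is where the crash at cb.c:177 dereferences a handler that is not there. The real server uses SSL_set_ex_data()/SSL_get_ex_data(); a small slot array stands in here so the example runs without OpenSSL, and every name ending in _model is hypothetical. It shows a callback that fails closed on a missing handler and the per-round rebinding that Alan suggests.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration for this thread, not FreeRADIUS or OpenSSL code.  It
 * models the pattern under discussion: the EAP handler is attached to the
 * TLS session in ex_data slot 0 and fetched again inside the certificate
 * verify callback.  The real server uses SSL_set_ex_data()/SSL_get_ex_data();
 * a small slot array stands in here so the example runs without OpenSSL.
 * Names ending in _model are hypothetical. */

#define EX_DATA_SLOTS 4

typedef struct {
    const char *identity;   /* User-Name from the EAP-Identity round */
} eap_handler_t;

typedef struct {
    void *ex_data[EX_DATA_SLOTS];
} tls_session_t;

/* Stand-ins for SSL_set_ex_data() / SSL_get_ex_data(). */
static int session_set_ex_data(tls_session_t *s, int idx, void *p)
{
    if (idx < 0 || idx >= EX_DATA_SLOTS) return 0;
    s->ex_data[idx] = p;
    return 1;
}

static void *session_get_ex_data(const tls_session_t *s, int idx)
{
    if (idx < 0 || idx >= EX_DATA_SLOTS) return NULL;
    return s->ex_data[idx];
}

/* Verify callback modelled on cbtls_verify(): the crash in the thread is the
 * unconditional handler->identity at cb.c:177.  This version fails closed:
 * a missing handler rejects the certificate instead of dereferencing NULL,
 * and a CN that does not match User-Name is rejected as well. */
static int verify_cn_model(int ok, const tls_session_t *s, const char *cert_cn)
{
    const eap_handler_t *handler = session_get_ex_data(s, 0);

    if (!ok) return 0;                     /* chain already failed upstream */
    if (handler == NULL || handler->identity == NULL) {
        fprintf(stderr, "rlm_eap_tls: no EAP handler on TLS session, rejecting\n");
        return 0;
    }
    printf("--> User-Name = %s\n", handler->identity);
    if (strcmp(handler->identity, cert_cn) != 0) {
        fprintf(stderr, "rlm_eap_tls: CN '%s' does not match User-Name\n", cert_cn);
        return 0;
    }
    return 1;
}

/* The one-line workaround Alan proposes, at the top of authenticate(): rebind
 * the current handler to the session every round, so a handler freed and
 * replaced between rounds never leaves a stale pointer in slot 0. */
static int authenticate_round_model(tls_session_t *s, eap_handler_t *handler,
                                    const char *cert_cn)
{
    session_set_ex_data(s, 0, handler);
    return verify_cn_model(1, s, cert_cn);
}

/* Constructed scenarios; each returns the callback's verdict. */
static int scenario_no_handler(void)
{
    tls_session_t s = { { NULL } };
    return verify_cn_model(1, &s, "alice");            /* 0: rejected, no crash */
}

static int scenario_cn_matches(void)
{
    tls_session_t s = { { NULL } };
    eap_handler_t h = { "alice" };
    return authenticate_round_model(&s, &h, "alice");  /* 1: accepted */
}

static int scenario_cn_mismatch(void)
{
    tls_session_t s = { { NULL } };
    eap_handler_t h = { "alice" };
    return authenticate_round_model(&s, &h, "mallory"); /* 0: rejected */
}

int main(void)
{
    printf("no handler: %d, match: %d, mismatch: %d\n",
           scenario_no_handler(), scenario_cn_matches(), scenario_cn_mismatch());
    return 0;
}
```

The point of the NULL check is that a verify callback runs inside libssl's chain verification, where there is no caller to recover from a fault: returning 0 rejects the certificate and the EAP round fails cleanly, whereas a dereference of a missing handler takes the whole radiusd down. Rebinding the handler at the top of each authenticate() round is what makes the slot-0 lookup reliable if handlers are freed and re-created between rounds.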