System:

FreeBSD 6.0-STABLE @amd64
gcc 3.4.4
GNU ld 2.15
perl 5.8.7
OpenSSL 0.9.8a    is installed below /usr/local
OpenSSL 0.9.7e-p1 is installed below /usr
libc.so.6
libpthread.so.2

Related configuration setting:

Configuring OpenCA using:
--with-openssl-prefix=/usr/local (asking for OpenSSL 0.9.8a)

Problem observed:

Segmentation fault is produced when cert chain verification is triggered in module:

1) openca-sv

Versions of OpenCA affected:

0.9.2.5, 0.9.2.4, 0.9.2.2, and maybe others.

Vulnerability:
        
If you have only one set of OpenSSL installed on your system, AND it is installed on the default ldpath, then
you are not vulnerable.

Debugging results:

openca-sv respects my "--with-openssl-prefix" setting only partially:

It uses the *.h files from the OpenSSL pointed to by "--with-openssl-prefix" (in my case OpenSSL 0.9.8a), but the executable refers to the OpenSSL *.so.* libs from the default ldpath (in my case OpenSSL 0.9.7e-p1).

Other modules with a similar design, which SHOULD likewise
mix different sets of OpenSSL if present on the system:

2) SCEP
3) OCSPD
4) musclecard-engine

Patho-anatomy:

- openca-sv/configure reads "openssl_prefix" before
it is passed into it, thus ending up with an empty value
during a certain stage of this script.

- Other affected modules read "openssl_prefix" correctly.

- All affected modules use the "openssl_prefix" setting only when building the INCLUDE variable, but do NOT pass it to the linker. (Note that the -L... option does not store the full crypto lib (.so.) path in the executable; one has to use the linker option -rpath instead.) Hence the linker uses the OpenSSL libs found on the default ldpath.
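A way to check a built module for the header/library split described in these three points, as an added example that is not part of the reporter's patch: check_ldd_output() reads ldd-style output and reports whether libcrypto/libssl resolve below the prefix configure was given, openssl_ldflags() prints the flags a configure script has to pass to the linker (-Wl,-rpath is the gcc spelling of the ld -rpath option named above), and the two ldd samples are constructed, not captured from the reporter's machine.

```shell
#!/bin/sh
# Added example (not the reporter's patch): detect the header/library split
# in which a module is compiled against $prefix/include but its executable
# resolves libcrypto/libssl from the default ldpath.

# Usage: ldd ./openca-sv | check_ldd_output /usr/local
# Prints "ok" when every libcrypto/libssl line resolves below $1,
# "MISMATCH" otherwise (a "not found" line also counts as a mismatch).
check_ldd_output() {
    prefix="$1"
    status=ok
    while IFS= read -r line; do
        case "$line" in
            *libcrypto.so*|*libssl.so*) ;;
            *) continue ;;
        esac
        # "libcrypto.so.4 => /usr/lib/libcrypto.so.4 (0x...)": keep the path after "=>"
        path=$(printf '%s\n' "$line" | sed -n 's/.*=> *\([^ ]*\).*/\1/p')
        case "$path" in
            "$prefix"/*) ;;           # resolved below the requested prefix
            *) status=MISMATCH ;;     # picked up from the default ldpath instead
        esac
    done
    printf '%s\n' "$status"
}

# Linker flags a configure script must emit in addition to -I$prefix/include:
# -L selects the library at link time, -rpath records $prefix/lib in the
# executable so the dynamic loader searches it first at run time.
openssl_ldflags() {
    printf '%s\n' "-L$1/lib -Wl,-rpath,$1/lib"
}

# Runtime search path recorded in an executable (needs readelf); prints
# nothing when none is recorded, which is the unpatched situation.
rpath_of() {
    readelf -d "$1" 2>/dev/null | sed -n 's/.*R\(UN\)\{0,1\}PATH.*\[\(.*\)\].*/\2/p'
}

# Constructed sample ldd output (not captured from the reporter's machine):
# the unpatched binary resolves both libraries from the base system
# although it was compiled against the headers below /usr/local.
SAMPLE_UNPATCHED='libcrypto.so.4 => /usr/lib/libcrypto.so.4 (0x2808a000)
libssl.so.4 => /usr/lib/libssl.so.4 (0x28160000)
libc.so.6 => /lib/libc.so.6 (0x28200000)'

# Constructed sample after relinking with the flags from openssl_ldflags.
SAMPLE_PATCHED='libcrypto.so.4 => /usr/local/lib/libcrypto.so.4 (0x2808a000)
libssl.so.4 => /usr/local/lib/libssl.so.4 (0x28160000)
libc.so.6 => /lib/libc.so.6 (0x28200000)'

main() {
    printf 'unpatched: %s\n' "$(printf '%s\n' "$SAMPLE_UNPATCHED" | check_ldd_output /usr/local)"
    printf 'patched:   %s\n' "$(printf '%s\n' "$SAMPLE_PATCHED" | check_ldd_output /usr/local)"
    printf 'LDFLAGS:   %s\n' "$(openssl_ldflags /usr/local)"
}

main
```

The prefix test is a plain string-prefix match, so asking for /usr would also accept /usr/local; always pass the more specific prefix you configured with. On a real build, run `ldd` and `rpath_of` against the installed openca-sv, scep, ocspd and musclecard-engine binaries; an empty rpath together with a MISMATCH is the pattern the report describes.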

Why it used to work in the past:

- Actually it did not. Simply, lots of Linux boxes were not
vulnerable (see above). Also, recall e.g. the legend that Firefox has problems with "Test Certificate" (which is not really a problem of Firefox).

- Also, the differences between OpenSSL-8 and OpenSSL-7 have finally reached some critical mass.

- New gcc and ld more accurately distinguish between preprocessor, compiler and linker options.

The patch:

The attached patch solves the problem in all affected modules for version 0.9.2.5 dated Dec 24, 2005. Please do not forget to apply autoconf259 to the files:

configure.in
src/openca-sv/configure.in
src/scep/configure.in
src/musclecard-engine/configure.in
src/ocspd/configure.in

In the case of OCSPD this fix is purely theoretical, as the version of OCSPD found in 0.9.2.5 does not even compile with OpenSSL-8. Recall that my old patch for it was ignored. This new patch and that old one should BOTH be applied to OCSPD, in any order. Alternatively, please consider removing the dead OCSPD code from version 0.9.2.5 in favor of the nice stand-alone OCSPD product found at www.openca.org.

Observable gain:

Now the "Test Certificate" menu button works,
at least with IE-6 and Firefox-1.5. You may check it at http://demo2.openca.info where the patched 0.9.2.5 version is installed. The patched tarball is available from there too.

Backward compatibility:

I would greatly appreciate it if somebody could check how this patch works with older versions of gcc and ld. Also, it would be great if you could provide me (for low-level investigation) with executables from the affected modules (built with older gcc and ld after patching), along with the employed value of "--with-openssl-prefix".

Happy New Year to all of you and
all the best, Sergei

Attachment: patch_for_conf.tgz
Description: Binary data
