This bug(?) is reproducible. The files can be found here:

        wget http://www.pki2.com/openssl.loop.overload.tgz

There is a README, certificate, and other files. The password used for the 
certificate private keys is "foobar".

(Note: this server is undergoing maintenance and upgrades and is unavailable
from time to time.)


> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of EXT-Glatting, Dennis P
> Sent: Monday, December 06, 2010 8:30 PM
> To: [email protected]
> Subject: RE: Loop bug(?) in X509_verify_cert() => x509_vrfy.c:254
> 
> Sorry, that's: x509_vfy.c:234. I added some debug statements and I can't
> type. :)
> 
> Roughly, this loop:
> 
>         /* We now lookup certs from the certificate store */
>         for (;;)
>                 {
>                 /* If we have enough, we break */
>                 if (depth < num) break;
> 
>                 /* If we are self signed, we break */
>                 if (ctx->check_issued(ctx,x,x)) break;
> 
>                 ok = ctx->get_issuer(&xtmp, ctx, x);
> 
>                 if (ok < 0) return ok;
>                 if (ok == 0) break;
> 
> ...
> 
> 
> > -----Original Message-----
> > From: [email protected] [mailto:owner-openssl-
> [email protected]]
> > On Behalf Of EXT-Glatting, Dennis P
> > Sent: Monday, December 06, 2010 8:00 PM
> > To: [email protected]
> > Subject: Loop bug(?) in X509_verify_cert() => x509_vrfy.c:254
> >
> > I have a set of cross certified CAs feeding a wireless Access Point and
> > supplicant. This structure will look a bit strange but that is by design
> > (testing). I have four CAs: CAa, CAb, CAc, and CAd.
> >
> > My structure is:
> >
> >   CAd ------> supplicant
> >       |
> >       |--> CAa -----> CAb --> hostapd
> >             ^          |
> >             |-- CAc <--|
> >
> > Specifically, CAd is the Trust Anchor CA in this test case. CAa/CAb/CAc
> > are cross certified certificates off their respective CAs. Their
> > respective Trust Anchors /are not/ included in this test case -- just the
> > cross certified certificates.
> >
> > CAd generated a certificate for the supplicant. CAd signed CAa, which
> > signed CAb, which generated a certificate for hostapd. Inclusion of the
> > CAb->CAc->CAa loop is the specific test I am running.
> >
> > I have reduced my test apparatus to s_client and s_server because wireless
> > introduces too much debug overhead.
> >
> > I am running this test under FreeBSD 8.1 with OpenSSL 0.9.8p but version
> > matters little as I have also used "g" (Debian) and 1.0.0b.
> >
> > What happens is X509_verify_cert() gets stuck in a loop around line
> > x509_vrfy.c:254 loading the looped certificates until depth==num.
> >
> > This loop is fairly simple and I /think/ the problem could be resolved if
> > there was an additional check to see if the certificate it's loading is
> > already loaded. I am not an OpenSSL source jockey.
> >
> >
> > My command lines are, roughly (I have to remove certain information):
> >
> > openssl s_client -connect localhost:443 -verify 64 -cert
> > /etc/hostapd/CAd.supp.cert.pem -certform pem -key
> > /etc/hostapd/CAd.supp.priv.pem -keyform pem -pass "pass:xyzzy" -CAfile
> > /etc/hostapd/CAd.cert.pem -debug -no_ssl2
> >
> >
> > openssl s_server -accept 443 -verify 64
> > -cert /etc/hostapd/CAb.hostapd.cert.pem
> > -certform pem -key /etc/hostapd/CAd.hostapd.priv.pem -keyform pem -pass
> > "pass:xyzzy" -debug -CAfile /etc/hostapd/CAd.cert.sll.pem
> > -no_tmp_rsa -no_ssl2 -no_dhe
> >
> >
> > The file CAd.cert.sll.pem contains the CAd self signed root, the cross
> > signed certificates, and the hostapd certificate.
> >
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > Development Mailing List                       [email protected]
> > Automated List Manager                           [email protected]
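The behaviour reported in the thread can be reproduced outside OpenSSL with a small model of the chain-building loop. The example below is an added illustration, not OpenSSL code and not the poster's files: certificates are reduced to subject and issuer names plus a serial (no signatures are checked, and `check_issued` is assumed to be plain name chaining), and the store is a constructed copy of the CAd/CAa/CAb/CAc topology from the report, with the CAc->CAa cross certificate listed ahead of the CAd->CAa one so that a first-match issuer lookup walks into the CAb->CAc->CAa cycle. `build_chain_naive` mirrors the quoted `for (;;)` loop and only stops when the chain exceeds the verify depth; `build_chain_cycle_safe` adds the "is it already loaded" check the poster suggests and goes one step further than the post by backtracking to the next candidate issuer, which is what lets it reach the CAd root.

```python
"""Model of the X509_verify_cert() chain-building loop with cross-certified CAs.

Added illustration, not OpenSSL code. Certificates carry only subject/issuer
names and a serial; the store is a constructed stand-in for the post's topology.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int  # distinguishes the two certificates that CAa holds


def is_self_signed(c: Cert) -> bool:
    return c.subject == c.issuer


def check_issued(issuer: Cert, subject: Cert) -> bool:
    """Stand-in for ctx->check_issued: name chaining only (assumption)."""
    return subject.issuer == issuer.subject


def candidate_issuers(store: List[Cert], x: Cert) -> List[Cert]:
    """Every store entry whose subject matches x's issuer, in store order."""
    return [c for c in store if check_issued(c, x)]


# Constructed store in the post's topology. The CAc->CAa cross certificate is
# listed before the CAd->CAa one so a first-match lookup enters the cycle.
STORE = [
    Cert("CAd", "CAd", 1),   # self-signed trust anchor
    Cert("CAa", "CAc", 2),   # cross certificate: CAc signs CAa
    Cert("CAa", "CAd", 3),   # CAd signs CAa
    Cert("CAb", "CAa", 4),   # CAa signs CAb
    Cert("CAc", "CAb", 5),   # cross certificate: CAb signs CAc
]
HOSTAPD = Cert("hostapd", "CAb", 6)        # leaf issued by CAb
SUPPLICANT = Cert("supplicant", "CAd", 7)  # leaf issued directly by CAd


def build_chain_naive(leaf: Cert, store: List[Cert], depth: int) -> Tuple[List[Cert], str]:
    """Mirror of the quoted loop: take the first issuer found and keep going
    until the chain is self-signed, has no issuer, or exceeds `depth`."""
    chain = [leaf]
    x = leaf
    while True:
        if depth < len(chain):            # "if (depth < num) break;"
            return chain, "depth exceeded"
        if is_self_signed(x):             # "if (ctx->check_issued(ctx,x,x)) break;"
            return chain, "self-signed reached"
        found = candidate_issuers(store, x)
        if not found:                     # "if (ok == 0) break;"
            return chain, "no issuer"
        x = found[0]                      # get_issuer hands back the first match
        chain.append(x)


def build_chain_cycle_safe(leaf: Cert, store: List[Cert], depth: int) -> Tuple[List[Cert], str]:
    """Never append a certificate already in the chain (the check the post
    proposes); when the first candidate leads nowhere, backtrack and try the
    next one so a cross-certified CA's other certificate can still be used."""

    def extend(chain: List[Cert]) -> Optional[List[Cert]]:
        x = chain[-1]
        if depth < len(chain):
            return None
        if is_self_signed(x):
            return chain
        for c in candidate_issuers(store, x):
            if c in chain:                # already loaded: skip instead of looping
                continue
            done = extend(chain + [c])
            if done is not None:
                return done
        return None

    result = extend([leaf])
    if result is None:
        return [leaf], "no trusted path"
    return result, "self-signed reached"


def describe(chain: List[Cert]) -> str:
    return " -> ".join(c.subject for c in chain)


if __name__ == "__main__":
    for name, fn in (("naive", build_chain_naive), ("cycle-safe", build_chain_cycle_safe)):
        chain, status = fn(HOSTAPD, STORE, 8)
        print(f"{name:10s} {status:20s} {describe(chain)}")
```

With a verify depth of 8 the naive walk produces a nine-certificate chain hostapd -> CAb -> CAa -> CAc -> CAb -> CAa -> CAc -> CAb -> CAa and stops only because `depth < num`, which is the symptom in the report; the cycle-safe walk rejects CAb the second time it is offered, backtracks to CAa's CAd-issued certificate and ends at the CAd root after four certificates. The supplicant certificate, issued directly by CAd, chains in two steps under either walk.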