Hi OpenSSL Development Team,

I may have found a bug in OpenSSL 0.9.8h. My box is HP-UX 11.31 IA.

The detailed steps to reproduce the issue are as follows.

Step1 Download OpenSSL 0.9.8h from official

Step2 ./configure threads zlib shared no-rc5 no-idea no-krb5
      make

Step3 Try to use pkcs12
      openssl req -x509 -out demoCA/cacert.pem -new -keyout demoCA/private/cakey.pem -subj /C=US/ST=California/L=Cupertino/O=Senas/CN=ca -nodes
      openssl req -out ksb_cert_req.pem -new -keyout ksb_priv_key.pem -nodes -subj /C=US/ST=California/L=Cupertino/O=Senas/CN=${req_name}
      openssl x509 -req -passin pass:pass -in ksb_cert_req.pem -CA ca_cert.pem -CAkey ca_priv_key.pem -CAcreateserial -out ksb_cert.pem -days 365
      openssl pkcs12 -export -passout pass:pass -in ksb_cert.pem -inkey ksb_priv_key.pem -out ksb_cert.p12 -name "ksb certificate"

The "pkcs12" failed. (bus error, core dump)

I looked into the source code and found some clues for this issue.

In crypto/x509/x509_att.c, around line 285,

int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len)
{
        ASN1_TYPE *ttmp;
        ASN1_STRING *stmp = NULL;
        int atype = 0;
        if (!attr) return 0;
        if(attrtype & MBSTRING_FLAG) {
                stmp = ASN1_STRING_set_by_NID(NULL, data, len, attrtype,
                                                OBJ_obj2nid(attr->object));
                if(!stmp) {
                        X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_ASN1_LIB);
                        return 0;
                }
                atype = stmp->type;
        } else if (len != -1){
                if(!(stmp = ASN1_STRING_type_new(attrtype))) goto err;
                if(!ASN1_STRING_set(stmp, data, len)) goto err;
                atype = attrtype;
        }
        if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
        if(!(ttmp = ASN1_TYPE_new())) goto err;
        if (len == -1)
                {
                if (!ASN1_TYPE_set1(ttmp, attrtype, data))
                        goto err;
                }
        else
                ASN1_TYPE_set(ttmp, atype, stmp);
        if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err;
        attr->single = 0;
        return 1;
        err:
        X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_MALLOC_FAILURE);
        return 0;
}

For the "len == -1" branch, "ASN1_TYPE_set1(ttmp, attrtype, data)" is wrong. 
Maybe it should be "ASN1_TYPE_set1(ttmp, attrtype, stmp)".
After this modification, the pkcs12 function works fine.

Could you investigate this issue?
Thank you!

Bo
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org