Possible bug in crypto/engine

Possible bug in crypto/engine

Antonio Iacono
Hi,

I sign a text file with:

    openssl cms -sign -signer cert.pem -inkey 01 -keyform engine -engine pkcs11

in openssl.cnf:

    [pkcs11_section]
    engine_id = pkcs11
    dynamic_path = /path/pkcs11.so
    MODULE_PATH = /path/opensc-pkcs11.so

Everything works well, but if I write a wrong key, e.g. -inkey 101, this is the gdb result:

    PKCS11_get_private_key returned NULL
    cannot load signing key file from engine
    140737353990592:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
    unable to load signing key file
    Program received signal SIGSEGV, Segmentation fault.
    __GI___pthread_rwlock_wrlock (rwlock=0x0) at pthread_rwlock_wrlock.c:27
    27    pthread_rwlock_wrlock.c: No such file or directory

I realized that the error is probably here:
crypto/engine/eng_lib.c line 93

    if (e->destroy)
            e->destroy(e);
    CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ENGINE, e, &e->ex_data);

If I comment out these lines, openssl does not crash.

I do not know engine well and I do not know what these two lines do. If anyone has any suggestions, I can do some tests.

Thanks,
Antonio Iacono

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Possible bug in crypto/engine

Dmitry Belyavsky-3
Hello

Sun, 6 Jan 2019, 21:55 Antonio Iacono [hidden email]:

> Hi,
>
> I sign a text file with:
> openssl cms -sign -signer cert.pem -inkey 01 -keyform engine -engine pkcs11
> in openssl.cnf
> [pkcs11_section]
> engine_id = pkcs11
> dynamic_path = /path/pkcs11.so
> MODULE_PATH = /path/opensc-pkcs11.so
>
> everything works well but if I write a wrong key, e.g. -inkey 101, this is gdb result:
>
> PKCS11_get_private_key returned NULL
> cannot load signing key file from engine
> 140737353990592:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
> unable to load signing key file
> Program received signal SIGSEGV, Segmentation fault.
> __GI___pthread_rwlock_wrlock (rwlock=0x0) at pthread_rwlock_wrlock.c:27
> 27    pthread_rwlock_wrlock.c: No such file or directory
>
> I realized that the error is probably here:
> crypto/engine/eng_lib.c line 93
> if (e->destroy)
>         e->destroy(e);
> CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ENGINE, e, &e->ex_data);
> if I comment these lines openssl does not crash
>
> I do not know engine well and I do not know what these two lines do, if anyone has any suggestions I can do some tests

I am not sure that the bug you found is in OpenSSL. I suspect it can be in pkcs11 engine. The lines you've commented are a call of the engine cleanup code.

Re: Possible bug in crypto/engine

Dr. Matthias St. Pierre
In reply to this post by Antonio Iacono

Antonio,

did you debug the preinstalled openssl app or have you tried to debug your own version, built with a debug configuration?

You get the best results in the debugger if you use the `debug-linux-x86_64` config target and after building (you only need to run `make`, not `make install`) run it in the debugger directly from the source directory as follows:

    util/shlib_wrap.sh  gdb  apps/openssl cms -sign -signer cert.pem -inkey 101 -keyform engine -engine pkcs11

If you can reproduce the crash with your debug version, please post a backtrace of the call stack when it’s stopped at the segmentation fault.

HTH,

Matthias

From: openssl-users <[hidden email]> On Behalf Of Antonio Iacono
Sent: Sunday, 6 January 2019 19:55
To: [hidden email]
Subject: [openssl-users] Possible bug in crypto/engine

Re: Possible bug in crypto/engine

Dr. Matthias St. Pierre
Sorry, the command contains a little error: please replace `gdb …` by `gdb --args …`:

    util/shlib_wrap.sh  gdb  --args apps/openssl cms -sign -signer cert.pem -inkey 101 -keyform engine -engine pkcs11

Re: Possible bug in crypto/engine

Antonio Iacono
In reply to this post by Dr. Matthias St. Pierre
Thanks Dmitry and Matthias,

I solved it. As suggested, the problem was not openssl but libp11, which I had compiled with version 1.1 of libcrypto instead of version 3.

Antonio


On Sun, 6 Jan 2019 at 23:53 Dr. Matthias St. Pierre <[hidden email]> wrote:

> Antonio,
>
> did you debug the preinstalled openssl app or have you tried to debug your own version, built with a debug configuration?
>
> You get the best results in the debugger if you use the `debug-linux-x86_64` config target and after building (you only need to run `make`, not `make install`) run it in the debugger directly from the source directory as follows:
>
>     util/shlib_wrap.sh  gdb  apps/openssl cms -sign -signer cert.pem -inkey 101 -keyform engine -engine pkcs11
>
> If you can reproduce the crash with your debug version, please post a backtrace of the call stack when it’s stopped at the segmentation fault.
>
> HTH,
>
> Matthias
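
The root cause reported in the last message, an engine module built against a different libcrypto than the openssl binary that loads it, can be checked before loading the engine by comparing the libcrypto SONAME each file requests. This is an added example, not part of the original thread: the function names are hypothetical, the `readelf -d` excerpts are constructed samples, and it assumes both files record libcrypto as a NEEDED entry.

```shell
#!/bin/sh
# Added example: compare the libcrypto SONAME requested by the openssl
# binary with the one requested by an engine module (e.g. pkcs11.so).
# Input is the text printed by `readelf -d FILE`.

# Print the libcrypto SONAME from the NEEDED entries read on stdin.
crypto_soname() {
    sed -n 's/.*(NEEDED).*\[\(libcrypto\.so[^]]*\)].*/\1/p' | head -n 1
}

# Return 0 if both dynamic sections request the same libcrypto,
# 1 if they differ, 2 if either has no libcrypto NEEDED entry.
same_libcrypto() {
    app=$(printf '%s\n' "$1" | crypto_soname)
    eng=$(printf '%s\n' "$2" | crypto_soname)
    [ -n "$app" ] && [ -n "$eng" ] || return 2
    [ "$app" = "$eng" ]
}

# Constructed samples of `readelf -d` output (not taken from the thread).
SAMPLE_APP=' 0x0000000000000001 (NEEDED)  Shared library: [libssl.so.3]
 0x0000000000000001 (NEEDED)  Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]'

SAMPLE_ENGINE_BAD=' 0x0000000000000001 (NEEDED)  Shared library: [libcrypto.so.1.1]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]'

SAMPLE_ENGINE_OK=' 0x0000000000000001 (NEEDED)  Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]'

# Real use: pass the openssl binary and the engine module as arguments,
# e.g. apps/openssl and the dynamic_path value from openssl.cnf.
if [ "$#" -eq 2 ]; then
    if same_libcrypto "$(readelf -d "$1")" "$(readelf -d "$2")"; then
        echo "OK: both request $app"
    else
        echo "MISMATCH: $1 requests '$app', $2 requests '$eng'" >&2
        exit 1
    fi
fi
```

A matching SONAME does not prove the engine was compiled against the same headers, so a mismatch is conclusive while a match only rules out the most visible case.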