On Sun, Sep  6, 2020 at 02:37:22PM +0200, Bernhard Übelacker wrote:
> Hello Bruce Momjian,
> thanks for the details and confirmation.
> 
> 
> On 05.09.20 at 17:32, Bruce Momjian wrote:
> >     (gdb) print pmeth->init
> >     $1 = (int (*)(EVP_PKEY_CTX *)) 0xf0e0d0c0b0a0908
> 
> >     (gdb) print *pmeth
> >     $8 = {pkey_id = 50462976, flags = 117835012, init = 0xf0e0d0c0b0a0908,
> >       copy = 0x1716151413121110, cleanup = 0x1f1e1d1c1b1a1918,
> >       paramgen_init = 0x98c476a19fc273a5, paramgen = 0x9cc072a593ce7fa9,
> 
> The pointers init, copy and cleanup really do not look like usual
> pointers or random ...
> 
> > I am using a pkcs11 hardware crypto device, and perhaps it is
> > misconfigured, but it probably shouldn't crash.  This might be a library
> > bug, not sure.  I will check the pkcs11's configuration now, but it used
> > to work.
> 
> But I have no knowledge of such crypto hardware, so I am not
> sure whether I can be of any more help. Maybe you could
> provide the packages, libraries and configuration steps
> that are needed to use such a device of yours, starting from
> a fresh Debian installation?

I was just able to reproduce this failure on a fresh install of Debian
10.5/Buster.  What I did was just to install pkcs11 support:

        apt-get install libengine-pkcs11-openssl

and then modify /etc/ssl/openssl.cnf with the attached patch to use
pkcs11 support;  'curl https://google.com' will then crash with a
segmentation fault.

This server has no pkcs11 hardware;  it is an AWS instance.  If you
comment out the line:

        pkcs11 = pkcs11_section

curl works again.  Thanks for your research so far on this.

-- 
  Bruce Momjian  <br...@momjian.us>        https://momjian.us
  EnterpriseDB                             https://enterprisedb.com

  The usefulness of a cup is in its emptiness, Bruce Lee

--- /etc/ssl/openssl.cnf.orig	2019-05-30 11:27:48.000000000 -0400
+++ /etc/ssl/openssl.cnf	2020-09-07 16:02:31.448309714 -0400
@@ -353,6 +353,7 @@
 				# identifier (optional, default: sha1)
 [default_conf]
 ssl_conf = ssl_sect
+engines = engine_section
 
 [ssl_sect]
 system_default = system_default_sect
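Review bot: the new `engines = engine_section` key lands in `[default_conf]`, the same section that already applies the system-wide TLS defaults via `ssl_conf = ssl_sect`, so OpenSSL will process it on every configuration load; that is correct for enabling the engine, but it also means any defect in the engine section is hit by every OpenSSL-linked program on the machine (curl in this report), not only the tool that needs the token. Add a comment line beside the key in the style of the surrounding file (e.g. `# engines loaded on every OpenSSL config load, see README.ENGINE`), and after editing the file check it with `openssl engine -t pkcs11` before relying on unrelated programs to surface a mistake.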
@@ -360,3 +361,14 @@
 [system_default_sect]
 MinProtocol = TLSv1.2
 CipherString = DEFAULT@SECLEVEL=2
+
+[engine_section]
+pkcs11 = pkcs11_section
+
+[pkcs11_section]
+# https://github.com/openssl/openssl/blob/master/README.ENGINE
+engine_id = pkcs11
+# same as SO_PATH
+dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
+MODULE_PATH = opensc-pkcs11.so
+init = 0
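Review bot: `MODULE_PATH = opensc-pkcs11.so` is a bare file name, so which PKCS#11 module the engine dlopen()s is decided by the dynamic loader's search path rather than by this file; give the absolute path of the opensc module instead (its location depends on the installed opensc package and is not visible in this patch). Two smaller points: the `README.ENGINE` link points at `master`, while `engines-1.1` in `dynamic_path` ties this setup to OpenSSL 1.1, so pin the link to the 1.1.1 branch; and the `# same as SO_PATH` comment would be clearer as `# config equivalent of the SO_PATH control command`.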

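The following shell script is an added example, not part of this thread or of the libengine-pkcs11-openssl package. It sanity-checks an engine section like the one in the attached patch before it is dropped into the system-wide openssl.cnf, so a missing dynamic_path or a bare MODULE_PATH is caught before every OpenSSL-linked program on the box picks the section up. The small ini reader (ini_get), the checker, its status convention (0 ok, 1 broken, 2 warning only) and the constructed config with dummy .so files in a temp dir are all assumptions of the example; it does not model OpenSSL's variable expansion or .include, and it never loads the engine itself.

```shell
#!/bin/sh
# Added example, not from the bug report: sanity-check an OpenSSL engine
# section before it goes into the system-wide openssl.cnf. Because the
# engine section is processed by every program that initialises OpenSSL,
# a broken entry surfaces in unrelated tools such as curl.
# Usage: check_engine_section /etc/ssl/openssl.cnf pkcs11_section

# ini_get FILE SECTION KEY: print KEY's value from [SECTION] (empty if absent).
# Simplified ini reader: strips '#' comments, no $var expansion, no .include.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        { line = $0; sub(/#.*/, "", line); gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line == ""   { next }
        line ~ /^\[/ { insec = (line == sec); next }
        insec {
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_engine_section FILE SECTION: status 0 = ok, 1 = broken, 2 = warning only.
check_engine_section() {
    cfg=$1; section=$2; rc=0
    engine_id=$(ini_get "$cfg" "$section" engine_id)
    dyn=$(ini_get "$cfg" "$section" dynamic_path)
    mod=$(ini_get "$cfg" "$section" MODULE_PATH)

    [ -n "$engine_id" ] || { echo "FAIL: engine_id missing in [$section]"; rc=1; }

    # dynamic_path is the engine shared object (the SO_PATH control); it must exist.
    if [ -z "$dyn" ]; then
        echo "FAIL: dynamic_path missing in [$section]"; rc=1
    elif [ ! -f "$dyn" ]; then
        echo "FAIL: dynamic_path '$dyn' does not exist"; rc=1
    fi

    # MODULE_PATH names the PKCS#11 module the engine will dlopen later.
    case $mod in
        "")  echo "FAIL: MODULE_PATH missing in [$section]"; rc=1 ;;
        /*)  [ -f "$mod" ] || { echo "FAIL: MODULE_PATH '$mod' does not exist"; rc=1; } ;;
        *)   echo "WARN: MODULE_PATH '$mod' is a bare name; the loader's search path decides what gets loaded"
             [ "$rc" -ne 0 ] || rc=2 ;;
    esac
    return "$rc"
}

# make_demo_config MODE: write a constructed config fragment (modelled on the
# attached patch) plus dummy .so files into a temp dir. MODE=bare|abs selects
# a bare or an absolute MODULE_PATH. Prints the config path.
make_demo_config() {
    tmp=$(mktemp -d)
    : > "$tmp/pkcs11.so"
    : > "$tmp/opensc-pkcs11.so"
    if [ "$1" = abs ]; then mod="$tmp/opensc-pkcs11.so"; else mod=opensc-pkcs11.so; fi
    cat > "$tmp/openssl.cnf" <<EOF
[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# same as SO_PATH
dynamic_path = $tmp/pkcs11.so
MODULE_PATH = $mod
init = 0
EOF
    echo "$tmp/openssl.cnf"
}

# Stand-alone run: the bare form warns (status 2), the absolute form passes (0).
for mode in bare abs; do
    cfg=$(make_demo_config "$mode")
    echo "== MODULE_PATH mode: $mode ($cfg)"
    check_engine_section "$cfg" pkcs11_section || echo "status $?"
done
```

Run it against the real file with `check_engine_section /etc/ssl/openssl.cnf pkcs11_section` once the patch is applied; a non-zero status means fix the section before any OpenSSL client on the host has to load it.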