So my understanding from #34 and #35 is that this is an upstream OpenSSL issue that should be discussed with the OpenSSL people.

The feedback in #34 suggests that this problem can be solved by not parsing the configuration file twice; I have not investigated that as of yet. The feedback in #35 suggests a solution for duplicate destruction handling that requires an API change, which is again a discussion best had with OpenSSL upstream, and something that won't be applicable to existing releases, only a future OpenSSL version that breaks API.

With regards to possible workarounds with the OpenSSL API as is:

1. I don't fully understand if we get two different ENGINE* pointers. If that is the case, the PKA engine could work around this by avoiding static singletons and instead storing all globals in a struct, doing something like

    struct engine_private {
        ENGINE *engine;
        EVP_PKEY_METHOD *engine_pka_pmeth_X25519;
        EVP_PKEY_METHOD *engine_pka_pmeth_X448;
        EVP_PKEY_ASN1_METHOD *engine_pka_ameth_X25519;
        EVP_PKEY_ASN1_METHOD *engine_pka_ameth_X448;
    };

   keeping a dynamic array or linked list of that, and then looking up the one for the correct engine when we get asked to return by OpenSSL in engine_pka_pkey_meths and engine_pka_X25519_keygen().

2. It might also be worth seeing if those methods could be allocated statically instead of using _new. From what I see, the deletion then becomes a no-op, leaving only the variables in destroy() to worry about. Since they are not really linked to the ENGINE AFAICT, it seems one could implement a reference count for them.

3. There certainly are ways we could "hack" around the issue by setting an external setting somewhere when retrieving the pmeth and ameth to say that the value returned will be invalidated. Currently openssl loops over all pkey meths and does

    if (e->pkey_meths(e, &pkm, NULL, pknids[i])) {
        EVP_PKEY_meth_free(pkm);
    }

   It could be hacked into something like

    /* setenv() takes a third "overwrite" argument */
    setenv("UBUNTU_PKEY_METH_TO_BE_INVALIDATED", "1", 1);
    if (e->pkey_meths(e, &pkm, NULL, pknids[i])) {
        unsetenv("UBUNTU_PKEY_METH_TO_BE_INVALIDATED");
        EVP_PKEY_meth_free(pkm);
    }

   But this is arguably the worst of all possible workarounds.

https://bugs.launchpad.net/bugs/1921518

Title:
  OpenSSL "double free" error

Status in openssl package in Ubuntu:
  Incomplete
Status in openssl source package in Focal:
  Incomplete

Bug description:

"double free" error is seen when using curl utility. Error is from libcrypto.so which is part of the OpenSSL package. This happens only when OpenSSL is configured to use a dynamic engine.

OpenSSL version is 1.1.1f

The issue is not encountered if http://www.openssl.org/source/openssl-1.1.1f.tar.gz is used instead.

OpenSSL can be configured to use a dynamic engine by editing the default openssl config file which is located at '/etc/ssl/openssl.cnf' on Ubuntu systems.

On Bluefield systems, the config diff to enable the PKA dynamic engine is as below:

+openssl_conf = conf_section + # Extra OBJECT IDENTIFIER info: #oid_file = $ENV::HOME/.oid oid_section = new_oids +[ conf_section ] +engines = engine_section + +[ engine_section ] +bf = bf_section + +[ bf_section ] +engine_id=pka +dynamic_path=/usr/lib/aarch64-linux-gnu/engines-1.1/pka.so +init=0 +

engine_id above refers to dynamic engine name/identifier. dynamic_path points to the .so file for the dynamic engine.
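
Review bot: init=0 in [ bf_section ] is the one added setting the description leaves unexplained next to engine_id and dynamic_path; say what it is meant to do here, since the crash report depends on how and when the engine is loaded. dynamic_path is also an absolute, aarch64-specific path placed in the system-wide /etc/ssl/openssl.cnf, so any process that loads the default config will load pka.so from it; confirm that file and its directory are root-owned and not writable by other users, and consider scoping the change to a separate config file while the double free is being debugged.
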

# curl -O https://tpo.pe/pathogen.vim
double free or corruption (out)
Aborted (core dumped)
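
Workaround 1 from the comment at the top of this message, as an added sketch (not code from the PKA engine or OpenSSL): a linked list of per-engine records looked up by ENGINE pointer, so each instance hands out, and has freed, only its own methods. It assumes two distinct ENGINE pointers are in play; the ENGINE and EVP_PKEY_METHOD types, the DEMO_ ids and the demo_ functions are stand-ins invented here so it builds without libcrypto.

```c
#include <stdlib.h>

/* Stand-ins for OpenSSL's opaque types so this builds without libcrypto. */
typedef struct { int unused; } ENGINE;
typedef struct { int unused; } EVP_PKEY_METHOD;
enum { DEMO_X25519 = 1, DEMO_X448 = 2 };   /* constructed ids, not real NIDs */
/* One record per ENGINE instance, replacing the file-scope singletons. */
struct engine_private {
    ENGINE *engine;
    EVP_PKEY_METHOD *pmeth_X25519, *pmeth_X448;
    struct engine_private *next;
};
static struct engine_private *registry;
/* Returns the link that points at e's record, or at the NULL list tail. */
static struct engine_private **find(ENGINE *e) {
    struct engine_private **pp = &registry;
    while (*pp && (*pp)->engine != e) pp = &(*pp)->next;
    return pp;
}
/* Bind step: every ENGINE pointer gets its own freshly allocated methods. */
static int demo_bind(ENGINE *e) {
    struct engine_private *p;
    if (*find(e)) return 1;                /* already bound, keep the record */
    if (!(p = calloc(1, sizeof *p))) return 0;
    p->pmeth_X25519 = calloc(1, sizeof(EVP_PKEY_METHOD));
    p->pmeth_X448 = calloc(1, sizeof(EVP_PKEY_METHOD));
    if (!p->pmeth_X25519 || !p->pmeth_X448) {
        free(p->pmeth_X25519); free(p->pmeth_X448); free(p);
        return 0;
    }
    p->engine = e; p->next = registry; registry = p;
    return 1;
}
/* pkey_meths-style lookup: hand out only the method owned by this engine. */
static int demo_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pm, int nid) {
    struct engine_private *p = *find(e);
    if (!p) return 0;
    *pm = nid == DEMO_X25519 ? p->pmeth_X25519 : nid == DEMO_X448 ? p->pmeth_X448 : NULL;
    return *pm != NULL;
}
/* Caller-side teardown as in the quoted loop, then drop the engine's record. */
static int demo_teardown(ENGINE *e) {
    EVP_PKEY_METHOD *pkm;
    int freed = 0;
    for (int nid = DEMO_X25519; nid <= DEMO_X448; nid++)
        if (demo_pkey_meths(e, &pkm, nid)) { free(pkm); freed++; }
    struct engine_private **pp = find(e), *p = *pp;
    if (p) { *pp = p->next; free(p); }     /* a repeated teardown finds nothing */
    return freed;
}
```

With file-scope singletons both engine instances would return the same pointers and the second teardown would free them again; here the second teardown of the same engine finds no record and frees nothing.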