5.28 built with libressl 3.3.3 segfaults with cert verification enabled on expired certificates

Issue #990 resolved
Val V created an issue

With this setting enabled in the config (as soon as this removed it no longer crashes):

set ssl options {
    verify: enable
}

and this check:

check host server with address host.domain.tld
  if failed port 443 protocol https
    for 2 cycles
    then alert

bt full is as follows:

#0  0x00007fb82ff5b159 in ASN1_TIME_to_generalizedtime (t=0x0, out=0x0) at asn1/a_time_tm.c:353
        tmp = 0x0
        tm = {tm_sec = 1528942400, tm_min = 32766, tm_hour = 4709164, tm_mday = 0, tm_mon = 1528941788, tm_year = 32766, tm_wday = 5073008, tm_yday = 0, tm_isdst = 0, tm_gmtoff = 0, tm_zone = 0x0}
        str = 0x0
#1  0x000000000047a26b in Ssl_getCertificateValidDays (C=0x19b9e20) at src/ssl/Ssl.c:769
        deltadays = 0
        t = 0x0
        __func__ = "Ssl_getCertificateValidDays"
#2  0x0000000000431dd9 in _testIp (p=0x19b6440) at src/net/socket.c:597
        Exception_flag = 1
        Exception_frame = {line = 661, env = {{__jmpbuf = {0, 7178093696638085856, 4246784, 140730427369456, 0, 0, 7178093697118333664, -7178455325744731424}, __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 16 times>}}}}, 
          func = 0x4d6edc <__func__.19039> "Ssl_connect", file = 0x4d62f6 "src/ssl/Ssl.c", exception = 0x6e5e18 <IOException>, prev = 0x7ffe5b21d040, 
          message = "SSL server certificate verification error: certificate has expired", '\000' <repeats 445 times>}
        Exception_flag = 0
        Exception_frame = {line = 0, env = {{__jmpbuf = {0, 7178093696638085856, 4246784, 140730427369456, 0, 0, 7178093697118333664, -7178455325540914464}, __mask_was_saved = 0, __saved_mask = {__val = {18446744073709551615, 0, 0, 
                  1024, 4294967295, 1621965146, 307686403, 140429050292032, 0, 1621965146, 27001040, 140730427368224, 27001040, 140429047179591, 26967936, 206158430224}}}}, func = 0x7ffe5b21d1e0 "", file = 0x7ffe5b21d120 "", 
          exception = 0x0, prev = 0x7ffe5b21d980, 
          message = "\000\322![\376\177\000\000\f\322![\376\177\000\000       4096     \000\000\000\000\001\000\000\000\245ky/\270\177\000\000\307\302\r1\270\177\000\000\232&z/\270\177", '\000' <repeats 18 times>, "\260\033z/\270\177\000\000\200\177\233\001", '\000' <repeats 12 times>, "\320\000\234\001\000\000\000\000\360\347![\376\177", '\000' <repeats 18 times>, "\361Ry/\270\177\000\000\320\000\234\001\000\000\000\000 \343![\376\177\000\000\320\000\234\001\000\000\000\000I\273F", '\000' <repeats 13 times>, "\260\343![\376\177\000\000\002\000\000\000\000\000\000\000"...}
        S = 0x19b85e0
        r = 0x19b9c40
        error = '\000' <repeats 511 times>
        is_available = Connection_Failed
        result = 0x19b9c40
        __func__ = "_testIp"
#3  0x0000000000432236 in Socket_test (P=0x19b6440) at src/net/socket.c:645
        start = 1625850049909904
        Exception_flag = 0
        Exception_frame = {line = 4918599, env = {{__jmpbuf = {0, 7178093696560491232, 4246784, 140730427369456, 0, 0, 7178093696635988704, -7178455324262044960}, __mask_was_saved = 0, __saved_mask = {__val = {0, 0, 0, 12, 0, 0, 0, 0, 
                  0, 0, 32, 0, 18446744069414584320, 0, 140728898420736, 140728898420748}}}}, func = 0xa <error: Cannot access memory at address 0xa>, file = 0x0, exception = 0x7ffe5b21daa0, prev = 0x7ffe5b21dcc0, 
          message = "\000\000\000\000\000\000\000\000\377\377\377\377\377\377\377\377", '\000' <repeats 16 times>, "B\rK\000\000\000\000\000\320\336![\376\177", '\000' <repeats 465 times>}
        p = 0x19b6440
        __func__ = "Socket_test"
#4  0x00000000004421f4 in _checkConnection (s=0x19ba6f0, p=0x19b6440) at src/validate.c:156
        Exception_flag = 0
        Exception_frame = {line = 0, env = {{__jmpbuf = {0, 7178093697848142560, 4246784, 140730427369456, 0, 0, 7178093696558394080, -7178455350031979808}, __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 16 times>}}}}, 
          func = 0x0, file = 0x0, exception = 0x0, prev = 0x0, message = '\000' <repeats 215 times>...}
        retry_count = 1
        rv = State_Succeeded
        buf = '\000' <repeats 20 times>, "&\000\000\000\260\252\233\001", '\000' <repeats 12 times>, "\300ț\001", '\000' <repeats 13 times>, "\340\347\\\326\366\252\341\060\344![\376\177\000\000\364\204F\000\000\000\000\000\000\000\000\000%\000\000\000\260\252\233\001", '\000' <repeats 12 times>, "\360Ǜ\001\000\000\000\000\000\000\000\000\001\000\000\000\000\340\347\\\326\366\252\341p\344![\376\177\000\000\364\204F\000\000\000\000\000`\000\000\000e\000\000\000\260\252\233\001\000\000\000\000[\000\000\000n\000\000\000\200\371\233\001", '\000' <repeats 13 times>, "\340\347\\\326\366\252\341\260\344![\376\177\000\000\364\204"...
        report = '\000' <repeats 1023 times>
#5  0x000000000044b7ff in check_remote_host (s=0x19ba6f0) at src/validate.c:1971
        p = 0x19b6440
        rv = State_Succeeded
        last_ping = 0x0
#6  0x00000000004494f0 in validate () at src/validate.c:1513
        state = State_Succeeded
        s = 0x19ba6f0
        errors = 0
#7  0x0000000000420671 in do_default () at src/monit.c:616
        __func__ = "do_default"
#8  0x000000000041faec in do_action (arguments=0x19a1ba0) at src/monit.c:437
        action = 0x0
#9  0x000000000041f1f0 in main (argc=1, argv=0x7ffe5b21e7f8) at src/monit.c:175
        arguments = 0x19a1ba0

Not sure if applies to openssl, as all my systems are openssl-free.

Comments (4)

  1. Val V reporter

    I suspect the reason is X509_getm_notAfter() returns NULL.

    ASN1_TIME *
    X509_getm_notAfter(const X509 *x)
    {
        if (x == NULL || x->cert_info == NULL || x->cert_info->validity == NULL)
            return (NULL);
        return x->cert_info->validity->notAfter;
    }
    

    The cert is typical letsencrypt.

    (gdb) f 1
    #1  0x000000000047a26b in Ssl_getCertificateValidDays (C=0x13572e0) at src/ssl/Ssl.c:769
    769 in src/ssl/Ssl.c
    (gdb) p *C->certificate
    $58 = {cert_info = 0x0, sig_alg = 0x0, signature = 0x0, valid = 0, references = 0, name = 0x0, ex_data = {sk = 0x0}, ex_pathlen = 0, ex_pcpathlen = 0, ex_flags = 279, ex_kusage = 134, ex_xkusage = 3, ex_nscert = 0, skid = 0x13ef880, 
      akid = 0x1378070, policy_cache = 0x0, crldp = 0x137d070, altname = 0x0, nc = 0x0, sha1_hash = "HPN\227L\r\254[\\\324v\310 \"t\262L\214qr", aux = 0x0}
    (gdb) p *C->certificate->cert_info
    Cannot access memory at address 0x0
    

  2. Log in to comment