DRuggeri at primary
Jan 18, 2012, 8:40 AM
Segfault in openssl's err_cmp when using SSLCryptoDevice and new SSLProxyMachineCertificateChainFile
I stumbled across this yesterday and was hoping some of our more
experienced openssl developers may be able to offer suggestions on how I
can track this down. I've been testing on 2.2.21 though the code should
be the same in trunk/2.4. The patch I've applied is currently proposed
for backport in 2.2 (and works fine until using an openssl engine).
Patch applied to 2.2.21 distribution - trunk already has this:
When the new SSLProxyMachineCertificateChainFile directive is set at the
same time SSLCryptoDevice is set, a segfault occurs during
ssl_hook_pre_config while calling SSL_load_error_strings. The backtrace
I gathered with dbx points to something deeper inside openssl, but I'm
sure I've done something to cause it.
t@1 (l@1) signal SEGV (no mapping at the fault address) in err_cmp at
0xffffffff7ab05540: err_cmp : ld [%o0 + 4], %o3
Current function is ssl_hook_pre_config (optimized)
current thread: t@1
 err_cmp(0xffffffff7ae542a8, 0xffffffff7fff9470, 0x22cd,
0x100251f30, 0xac, 0xab), at 0xffffffff7ab05540
 lh_retrieve(0x10023aa80, 0xffffffff7fff9470, 0x14064057, 0x57,
0x10024edc8, 0xffffffff7ab05540), at 0xffffffff7ab034bc
 int_err_get_item(0xffffffff7fff9470, 0xffffffff7acb4528, 0x14520,
0xffffffff7aca0008, 0x19b904, 0x14400), at 0xffffffff7ab0476c
 ERR_func_error_string(0x64, 0xffffffff7acbdf48, 0x14520,
0xffffffff7acbdf48, 0xffffffff7acb4528, 0x14400), at 0xffffffff7ab053d0
 ERR_load_SSL_strings(0x0, 0xffffffff77e542a8, 0xffffffff77e4f0d0,
0x51d8, 0x105df4, 0x5000), at 0xffffffff77d492f8
=> ssl_hook_pre_config(pconf = ???, plog = ???, ptemp = ???)
(optimized), at 0xffffffff77f08f04 (line ~280) in "mod_ssl.c"
 ap_run_pre_config(pconf = ???, plog = ???, ptemp = ???)
(optimized), at 0x10004cfe4 (line ~85) in "config.c"
 main(argc = ???, argv = ???) (optimized), at 0x100031954 (line
~709) in "main.c"
For reference, removing one directive or the other avoids the segfault.
This seems to be brought on by the combination of the two (and possibly
the engine implementation).