openssl dumps core in 10.3-RELEASE-p7 during build of security/ca_root_nss

# gdb /usr/bin/openssl -c openssl.core
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...(no debugging symbols found)...
Core was generated by `openssl'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libssl.so.7...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libssl.so.7
Reading symbols from /lib/libcrypto.so.7...(no debugging symbols found)...done.
Loaded symbols for /lib/libcrypto.so.7
Reading symbols from /lib/libc.so.7...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols found)...done.
Loaded symbols for /libexec/ld-elf.so.1
#0 0x000000080103b3cb in strlen () from /lib/libc.so.7
(gdb) where
#0 0x000000080103b3cb in strlen () from /lib/libc.so.7
#1 0x0000000800c49b18 in BIO_new_fp () from /lib/libcrypto.so.7
#2 0x0000000800c6ce4c in BIO_puts () from /lib/libcrypto.so.7
#3 0x0000000800be7efb in X509_POLICY_NODE_print () from /lib/libcrypto.so.7
#4 0x0000000800be6f59 in a2i_GENERAL_NAME () from /lib/libcrypto.so.7
#5 0x0000000800be088e in X509V3_EXT_print () from /lib/libcrypto.so.7
#6 0x0000000800be0a46 in X509V3_extensions_print () from /lib/libcrypto.so.7
#7 0x0000000800c44822 in X509_print_ex () from /lib/libcrypto.so.7
#8 0x0000000000460199 in ?? ()
#9 0x0000000000437dbb in ?? ()
#10 0x0000000000437c59 in ?? ()
#11 0x000000000041911f in ?? ()
#12 0x0000000800699000 in ?? ()
#13 0x0000000000000000 in ?? ()
(gdb)

This is how the build stops with poudriere:

...
===========================================================================
=======================<phase: build >============================
===> Building for ca_root_nss-3.26
## Untrusted certificates omitted from this bundle: 20
openssl x509 failed with exit code 11 at /wrkdirs/usr/ports/security/ca_root_nss/work/MAca-bundle.pl line 78.
*** Error code 255

Stop.
make: stopped in /usr/ports/security/ca_root_nss
====>> Cleaning up wrkdir
===> Cleaning for ca_root_nss-3.26
build of security/ca_root_nss ended at Fri Sep 23 13:58:19 CEST 2016
build time: 00:00:25
!!! build failure encountered !!!
I can reproduce the problem with the last FreeBSD-SA-16:26.openssl applied.
It appears that this bug can be triggered by the data for two StartCom certs:

# Certificate "StartCom Certification Authority"
# Certificate "StartCom Certification Authority G2"

Commenting out those two chunks of certificate and trust data results in 'perl work/MAca-bundle.pl < work/certdata.txt' finishing successfully.

Created attachment 175115
An upstream patch to fix the problem

Please try this patch. This upstream patch fixed the problem for me.

https://github.com/openssl/openssl/commit/3612ff6
(In reply to Jung-uk Kim from comment #4) Confirmed: that patch fixes the issue here.
A commit references this bug:

Author: delphij
Date: Mon Sep 26 08:19:34 UTC 2016
New revision: 306335
URL: https://svnweb.freebsd.org/changeset/base/306335

Log:
  Apply upstream revision 3612ff6fcec0e3d1f2a598135fe12177c0419582:

  Fix overflow check in BN_bn2dec()

  Fix an off by one error in the overflow check added by 07bed46
  ("Check for errors in BN_bn2dec()").

  This fixes a regression introduced in SA-16:26.openssl.

  Submitted by: jkim
  PR: 212921

Changes:
  stable/9/crypto/openssl/crypto/bn/bn_print.c

A commit references this bug:

Author: delphij
Date: Mon Sep 26 08:21:30 UTC 2016
New revision: 306336
URL: https://svnweb.freebsd.org/changeset/base/306336

Log:
  Apply upstream revision 3612ff6fcec0e3d1f2a598135fe12177c0419582:

  Fix overflow check in BN_bn2dec()

  Fix an off by one error in the overflow check added by 07bed46
  ("Check for errors in BN_bn2dec()").

  This fixes a regression introduced in SA-16:26.openssl.

  Submitted by: jkim
  PR: 212921
  Approved by: so

Changes:
  releng/10.1/UPDATING
  releng/10.1/crypto/openssl/crypto/bn/bn_print.c
  releng/10.1/sys/conf/newvers.sh
  releng/10.2/UPDATING
  releng/10.2/crypto/openssl/crypto/bn/bn_print.c
  releng/10.2/sys/conf/newvers.sh
  releng/10.3/UPDATING
  releng/10.3/crypto/openssl/crypto/bn/bn_print.c
  releng/10.3/sys/conf/newvers.sh
  releng/9.3/UPDATING
  releng/9.3/crypto/openssl/crypto/bn/bn_print.c
  releng/9.3/sys/conf/newvers.sh
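The class of off-by-one the commit log describes, as a simplified model added here (not OpenSSL's or FreeBSD's code, and not part of the original thread). CHUNK_BASE, split_check_after and split_check_before are hypothetical names, and placing the flawed check after the pointer increment is an assumption, since the page does not show the patched lines.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CHUNK_BASE 10000u  /* hypothetical stand-in for the decimal chunk base */

/* Regressed shape (assumed): the bound is tested after the increment, so a
 * buffer that ends up exactly full is reported as an overflow. */
static int split_check_after(uint64_t v, uint32_t *out, size_t cap)
{
    uint32_t *lp = out;
    while (v != 0) {
        *lp = (uint32_t)(v % CHUNK_BASE);
        v /= CHUNK_BASE;
        lp++;
        if ((size_t)(lp - out) >= cap)
            return -1;              /* fires even when v is already 0 */
    }
    return (int)(lp - out);
}

/* Corrected shape: the bound is tested before each write, so every slot up
 * to cap is usable and nothing is stored past the end. */
static int split_check_before(uint64_t v, uint32_t *out, size_t cap)
{
    uint32_t *lp = out;
    while (v != 0) {
        if ((size_t)(lp - out) >= cap)
            return -1;
        *lp = (uint32_t)(v % CHUNK_BASE);
        v /= CHUNK_BASE;
        lp++;
    }
    return (int)(lp - out);
}

int main(void)
{
    uint32_t buf[2];  /* constructed input: 12345678 needs exactly 2 chunks */
    printf("check after:  %d\n", split_check_after(12345678u, buf, 2));
    printf("check before: %d\n", split_check_before(12345678u, buf, 2));
    printf("too small:    %d\n", split_check_before(123456789u, buf, 2));
    return 0;
}
```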
Surprisingly, it still fails in poudriere with p8. No problem directly on hardware.

====>> Building security/ca_root_nss
build started at Mon Sep 26 11:22:03 CEST 2016
port directory: /usr/ports/security/ca_root_nss
building for: FreeBSD 10-3amd64-local-job-01 10.3-RELEASE-p8 FreeBSD 10.3-RELEASE-p8 amd64
maintained by: ports-secteam@FreeBSD.org
Makefile ident: $FreeBSD: head/security/ca_root_nss/Makefile 422682 2016-09-23 14:59:28Z mat $
Poudriere version: 3.1.14
Host OSVERSION: 1003000
Jail OSVERSION: 1003000
[...]
===========================================================================
=======================<phase: build >============================
===> Building for ca_root_nss-3.26
## Untrusted certificates omitted from this bundle: 20
openssl x509 failed with exit code 11 at /wrkdirs/usr/ports/security/ca_root_nss/work/MAca-bundle.pl line 78.
*** Error code 255

Stop.
make: stopped in /usr/ports/security/ca_root_nss
====>> Cleaning up wrkdir
===> Cleaning for ca_root_nss-3.26
build of security/ca_root_nss ended at Mon Sep 26 11:22:15 CEST 2016
build time: 00:00:12
!!! build failure encountered !!!
With 10.3-RELEASE-p9 it builds in poudriere.

====>> Building security/ca_root_nss
build started at Mon Sep 26 12:31:24 CEST 2016
port directory: /usr/ports/security/ca_root_nss
building for: FreeBSD 103amd64-default-job-01 10.3-RELEASE-p9 FreeBSD 10.3-RELEASE-p9 amd64
maintained by: ports-secteam@FreeBSD.org
Makefile ident: $FreeBSD: head/security/ca_root_nss/Makefile 422682 2016-09-23 14:59:28Z mat $
Poudriere version: 3.1.14
Host OSVERSION: 1003000
Jail OSVERSION: 1003000
[...]
===========================================================================
=======================<phase: configure >============================
===> Configuring for ca_root_nss-3.26
===========================================================================
=======================<phase: build >============================
===> Building for ca_root_nss-3.26
## Untrusted certificates omitted from this bundle: 20
## Number of certificates: 175
===========================================================================
=======================<phase: run-depends >============================
===========================================================================
=======================<phase: stage >============================
===> Staging for ca_root_nss-3.26
===> Generating temporary packing list
/bin/mkdir -p /wrkdirs/usr/ports/security/ca_root_nss/work/stage/usr/local/share/certs
install -m 0644 /wrkdirs/usr/ports/security/ca_root_nss/work/ca-root-nss.crt /wrkdirs/usr/ports/security/ca_root_nss/work/stage/usr/local/share/certs
/bin/mkdir -p /wrkdirs/usr/ports/security/ca_root_nss/work/stage/etc/ssl
/bin/ln -sf /usr/local/share/certs/ca-root-nss.crt /wrkdirs/usr/ports/security/ca_root_nss/work/stage/etc/ssl/cert.pem
/bin/mkdir -p /wrkdirs/usr/ports/security/ca_root_nss/work/stage/usr/local/etc/ssl
/bin/ln -sf /usr/local/share/certs/ca-root-nss.crt /wrkdirs/usr/ports/security/ca_root_nss/work/stage/usr/local/etc/ssl/cert.pem.sample
/bin/mkdir -p /wrkdirs/usr/ports/security/ca_root_nss/work/stage/usr/local/openssl
/bin/ln -sf /usr/local/share/certs/ca-root-nss.crt /wrkdirs/usr/ports/security/ca_root_nss/work/stage/usr/local/openssl/cert.pem.sample
====> Compressing man pages (compress-man)
===========================================================================
=======================<phase: package >============================
===> Building package for ca_root_nss-3.26
===========================================================================
====>> Cleaning up wrkdir
===> Cleaning for ca_root_nss-3.26
build of security/ca_root_nss ended at Mon Sep 26 12:31:47 CEST 2016
build time: 00:00:23
This was fixed in the revised FreeBSD-SA-16:26.openssl security advisory: https://lists.freebsd.org/pipermail/freebsd-announce/2016-September/001751.html