Id: 2211
Status: resolved
Priority: 0/
Queue: OpenSSL-Bugs

Milestone: (no value)
Subsystem: (no value)
Severity: (no value)
Broken in: (no value)

Owner: Stephen Henson
Requestors: Ronald Moesbergen

Created: Tue Mar 30 14:49:46 2010
Starts: Not set
Started: Tue Jun 01 15:19:36 2010
Last Contact: Not set
Due: Not set
Closed: Tue Jun 01 15:19:36 2010
Updated: Tue Jun 01 15:19:36 2010 by Stephen Henson

Subject: Segfault running 'openssl cms -decrypt', version 1.0.0
Date: Tue, 30 Mar 2010 16:20:18 +0200
From: Ronald Moesbergen
I think I've found a bug in openssl. When I run the following command
to decrypt a file in CMS format (DER encoded), openssl crashes with a
segmentation fault:

>openssl cms -decrypt -binary -inform der -in inputfile -recip certs/enc.crt-nopass -out outputfile

The inputfile is attached (and doesn't contain any secrets), the
certificate/private key is available on request. When I run the same
command in 'valgrind', it does complete and I get a successfully
decrypted file. I have also tried using other versions of openssl
(openssl-0.9.8n, openssl-1.0.0-beta4, openssl-1.0.0-beta5) and they
all fail in the same way.
The backtrace is as follows:

[New Thread 0xb7d5f6b0 (LWP 14207)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7d5f6b0 (LWP 14207)]
0x08129638 in asn1_template_clear (pval=0xb3468004, tt=0x8202cc0) at
315 *pval = NULL;
(gdb) bt
#0 0x08129638 in asn1_template_clear (pval=0xb3468004, tt=0x8202cc0)
at tasn_new.c:315
#1 0x0812953e in ASN1_template_new (pval=0xb3468004, tt=0x8202cc0) at
#2 0x0812939b in asn1_item_ex_combine_new (pval=0xb367fff0,
it=0x8202cfc, combine=0) at tasn_new.c:201
#3 0x0812905d in ASN1_item_ex_new (pval=0xb367fff0, it=0x8202cfc) at
#4 0x0812b41d in ASN1_item_ex_d2i (pval=0xb367fff0, in=0xbfffd484,
len=871, it=0x8202cfc, tag=0, aclass=128, opt=1 '\001',
at tasn_dec.c:401
#5 0x0812bca4 in asn1_template_noexp_d2i (val=0xb367fff0,
in=0xbfffd544, len=2536, tt=0x82035d4, opt=1 '\001', ctx=0xbfffd730)
at tasn_dec.c:733
#6 0x0812b983 in asn1_template_ex_d2i (val=0xb367fff0, in=0xbfffd544,
inlen=2536, tt=0x82035d4, opt=1 '\001', ctx=0xbfffd730) at
#7 0x0812b55a in ASN1_item_ex_d2i (pval=0xb3656ffc, in=0xbfffd5e4,
len=2536, it=0x8203638, tag=16, aclass=0, opt=0 '\0', ctx=0xbfffd730)
at tasn_dec.c:449
#8 0x0812bd08 in asn1_template_noexp_d2i (val=0xb3656ffc,
in=0xbfffd640, len=2541, tt=0x82039b4, opt=0 '\0', ctx=0xbfffd730) at
#9 0x0812b8a7 in asn1_template_ex_d2i (val=0xb3656ffc, in=0xbfffd6a4,
inlen=2543, tt=0x82039b4, opt=0 '\0', ctx=0xbfffd730) at
#10 0x0812b55a in ASN1_item_ex_d2i (pval=0xbfffd72c, in=0xbfffd768,
len=2543, it=0x8203aa8, tag=16, aclass=0, opt=0 '\0', ctx=0xbfffd730)
at tasn_dec.c:449
#11 0x0812ad9d in ASN1_item_d2i (pval=0xbfffd72c, in=0xbfffd768,
len=2556, it=0x8203aa8) at tasn_dec.c:136
#12 0x08121a29 in ASN1_item_d2i_bio (it=0x8203aa8, in=0xb3591fc0,
x=0x0) at a_d2i_fp.c:116
#13 0x081649a4 in d2i_CMS_bio (bp=0xb3591fc0, cms=0x0) at cms_io.c:82
#14 0x08087eb0 in cms_main (argc=11, argv=0xbfffde58) at cms.c:793
#15 0x0804a7ad in do_cmd (prog=0xb3d59fa0, argc=11, argv=0xbfffde58)
at openssl.c:413
#16 0x0804a47d in main (Argc=11, Argv=0xbfffde58) at openssl.c:312

openssl was configured with: ./config enable-cms -d (to obtain a
proper backtrace).

The output of 'make report' without the '-d' flag is:
OpenSSL self-test report:

OpenSSL version: 1.0.0
Last change: Add "missing" function EVP_CIPHER_CTX_copy(). This copi...
Options: enable-cms no-gmp no-jpake no-krb5 no-md2 no-rc5
no-rfc3779 no-shared no-store no-zlib no-zlib-dynamic static-engine
OS (uname): Linux sdb-test 2.6.26-2-686 #1 SMP Wed Feb 10
08:59:21 UTC 2010 i686 GNU/Linux
OS (config): i686-whatever-linux2
Target (default): linux-elf
Target: linux-elf
Compiler: Using built-in specs.
Target: i486-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian
4.3.2-1.1' --with-bugurl=file:///usr/share/doc/gcc-4.3/README.Bugs
--enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr
--enable-shared --with-system-zlib --libexecdir=/usr/lib
--without-included-gettext --enable-threads=posix --enable-nls
--with-gxx-include-dir=/usr/include/c++/4.3 --program-suffix=-4.3
--enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc
--enable-mpfr --enable-targets=all --enable-cld
--enable-checking=release --build=i486-linux-gnu --host=i486-linux-gnu
Thread model: posix
gcc version 4.3.2 (Debian 4.3.2-1.1)

Test passed.

If I can do anything to aid in debugging this, let me know.

Best Regards,

Fixed in latest releases, many thanks for the report.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: