
Follow-up Comment #6, bug #97585 (project xrootd):

Hi Brian,

This is a follow-up.

I have got access to another SLC6 machine (the one used by SPI for their
builds); the problem appears there too and I even get a crash, always related
to the issue of the key.
The valgrind output of the crash shows something fishy in the reading of the
private key, e.g.

 ==15234== 
==15234== 2 errors in context 28 of 28:
==15234== Invalid write of size 8
==15234==    at 0x3257860217: OPENSSL_cleanse (in
/usr/lib64/libcrypto.so.1.0.0)
==15234==    by 0x325788C860: BN_clear_free (in
/usr/lib64/libcrypto.so.1.0.0)
==15234==    by 0x325789D34E: RSA_free (in /usr/lib64/libcrypto.so.1.0.0)
==15234==    by 0x32578C254A: ??? (in /usr/lib64/libcrypto.so.1.0.0)
==15234==    by 0x32578C27EC: ??? (in /usr/lib64/libcrypto.so.1.0.0)
==15234==    by 0x32578C2918: EVP_PKEY_assign (in
/usr/lib64/libcrypto.so.1.0.0)
==15234==    by 0x32578A0152: ??? (in /usr/lib64/libcrypto.so.1.0.0)
==15234==    by 0x32578D2431: d2i_PrivateKey (in
/usr/lib64/libcrypto.so.1.0.0)
==15234==    by 0x32578E755F: PEM_read_bio_PrivateKey (in
/usr/lib64/libcrypto.so.1.0.0)
==15234==    by 0x32578E7680: PEM_read_PrivateKey (in
/usr/lib64/libcrypto.so.1.0.0)
==15234==    by 0x6BB1ED1: XrdCryptosslX509::XrdCryptosslX509(char const*,
char const*) (XrdCryptosslX509.cc:123)
==15234==    by 0x6BAD443: XrdCryptosslFactory::X509(char const*, char
const*) (XrdCryptosslFactory.cc:320)
==15234==  Address 0x5ac73d8 is 8 bytes inside a block of size 24 free'd
==15234==    at 0x4A06469: free (vg_replace_malloc.c:446)
==15234==    by 0x325785DA8C: CRYPTO_free (in /usr/lib64/libcrypto.so.1.0.0)
==15234==    by 0x325789D34E: RSA_free (in /usr/lib64/libcrypto.so.1.0.0)
==15234==    by 0x32578C254A: ??? (in /usr/lib64/libcrypto.so.1.0.0)
==15234==    by 0x32578C27EC: ??? (in /usr/lib64/libcrypto.so.1.0.0)
==15234==    by 0x32578D240E: d2i_PrivateKey (in
/usr/lib64/libcrypto.so.1.0.0)
==15234==    by 0x32578E755F: PEM_read_bio_PrivateKey (in
/usr/lib64/libcrypto.so.1.0.0)
==15234==    by 0x32578E7680: PEM_read_PrivateKey (in
/usr/lib64/libcrypto.so.1.0.0)
==15234==    by 0x6BB1ED1: XrdCryptosslX509::XrdCryptosslX509(char const*,
char const*) (XrdCryptosslX509.cc:123)
==15234==    by 0x6BAD443: XrdCryptosslFactory::X509(char const*, char
const*) (XrdCryptosslFactory.cc:320)
==15234==    by 0x698B6A8:
XrdSecProtocolgsi::GetSrvCertEnt(XrdCryptoFactory*, int, XrdOucString&)
(XrdSecProtocolgsi.cc:5113)
==15234==    by 0x699008F: XrdSecProtocolgsi::Init(gsiOptions,
XrdOucErrInfo*) (XrdSecProtocolgsi.cc:618)
=

The openssl version on these machines is

$ openssl version
OpenSSL 1.0.0-fips 29 Mar 2010

I have tried to install the latest 1.0.0 tag (1.0.0j) on one of the machines
using the script coming with xrootd (utils/installOpenSSL.sh); when I do this
the problem goes away and the valgrind output is clean (the script builds with
the PURIFY switch so you do not get the usual BN_ uninitialized stuff).

So, I suspect that there is an issue with the openssl build; or maybe a bug
fix not included; for example, I have found this:

http://rhn.redhat.com/errata/RHBA-2012-1195.html

which is not included in the version installed on the machines I used for
these checks.

I'll try to get this fix installed at least on one of these machines and see
what happens.

Gerri



    _______________________________________________________

Reply to this item at:

  <http://savannah.cern.ch/bugs/?97585>

_______________________________________________
  Message sent via/by LCG Savannah
  http://savannah.cern.ch/
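
A triage sketch for traces like the one quoted above, added here as an example and not part of the original message or of xrootd: it re-joins the mail-wrapped frames, separates the invalid-access stack from the free'd stack, and reports which libcrypto functions appear in both and whether both stacks enter the library from the same application frame. The names `parse`, `entry` and `triage` and the sample trace are constructed for illustration.

```python
import re

# Constructed excerpt in the format of the trace above (placeholder pid/addresses),
# with frames wrapped across lines the way the mail client wrapped them.
SAMPLE = """\
==1== Invalid write of size 8
==1==    at 0x1001: OPENSSL_cleanse (in
/usr/lib64/libcrypto.so.1.0.0)
==1==    by 0x1002: BN_clear_free (in /usr/lib64/libcrypto.so.1.0.0)
==1==    by 0x1003: RSA_free (in /usr/lib64/libcrypto.so.1.0.0)
==1==    by 0x1004: d2i_PrivateKey (in /usr/lib64/libcrypto.so.1.0.0)
==1==    by 0x1005: XrdCryptosslX509::XrdCryptosslX509(char const*,
char const*) (XrdCryptosslX509.cc:123)
==1==  Address 0x2008 is 8 bytes inside a block of size 24 free'd
==1==    at 0x3001: free (vg_replace_malloc.c:446)
==1==    by 0x3002: CRYPTO_free (in /usr/lib64/libcrypto.so.1.0.0)
==1==    by 0x3003: RSA_free (in /usr/lib64/libcrypto.so.1.0.0)
==1==    by 0x3004: d2i_PrivateKey (in /usr/lib64/libcrypto.so.1.0.0)
==1==    by 0x3005: XrdCryptosslX509::XrdCryptosslX509(char const*,
char const*) (XrdCryptosslX509.cc:123)
"""
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+) \(([^()]*)\)$")

def parse(text):
    # Returns (error, access_stack, free_stack); frames are (function, location).
    error, access, freed, cur = None, [], [], None
    # Any line not starting with "==" is a wrapped continuation: re-join it first.
    for line in re.sub(r"\n(?!==)[ \t]*", " ", text.strip()).splitlines():
        body = re.sub(r"^==\d+==\s*", "", line)
        m = FRAME.match(line)
        if body.startswith("Invalid "):
            error, cur = body, access
        elif body.endswith("free'd"):
            cur = freed                  # frames that follow are the free() stack
        elif m and cur is not None:
            cur.append(m.groups())
    return error, access, freed

def entry(stack, lib):
    # Application call site: the frame just above the outermost library frame.
    idx = [i for i, (_, loc) in enumerate(stack) if lib in loc]
    return stack[idx[-1] + 1] if idx and idx[-1] + 1 < len(stack) else None

def triage(text, lib="libcrypto"):
    error, access, freed = parse(text)
    freed_names = {f for f, loc in freed if lib in loc}
    shared = [f for f, loc in access if lib in loc and f != "???" and f in freed_names]
    a, b = entry(access, lib), entry(freed, lib)
    return {"error": error, "shared_lib_frames": shared, "entry": a,
            "same_call_site": a is not None and a == b}
```

A matching call site only shows that both stacks pass through the same source line, so treat `same_call_site` as a hint about where to look, not as proof of a single invocation.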
