#19 100% CPU usage after receiving rejection message with failInfo badCertTemplate

[Paweł Fojcik]

Hello,
we have observed 100%CPU of process which uses opensslcmp client, when incorrect certificate template was used and rejection message was sent by cmp server.

attachement:
gdb info, problem.pcap

[Martin Peylo]

Seems to be related to the calculation of pbmac when validating the protection of the response received from the server.

[Martin Peylo]

I hope we can follow that up soon while it could take a month or two to have that really investigated and fixed. If you Pawel have everything still set up, could you do me a favor and print the value of "iterations" after line 188 in crmf_pbm.c when the issue occurs? Maybe together with a couple of 'printf ("This is line %d.\n", __LINE__);' (note that there are two underscores each before and after "LINE") between line 177 and 194? That should show us what is wrong and will make it much easier to find the root cause of the issue.

[mviljane]

I believe this is the same issue I ran into last summer, but it seemed to
only happen specifically when using PBMAC with the local installation of
Insta Certifier I was testing with. The code was going into an infinite
loop in one of the OpenSSL's SHA256 functions when we're verifying the
message. I'm not exactly sure what could be causing this as I was never
able to reproduce the problem on any other server than the one I had
configured locally. Could be something weird in the PBMAC parameters.

On Thu, Mar 19, 2015 at 4:12 PM, Martin Peylo mpeylo@users.sf.net wrote:

I hope we can follow that up soon while it could take a month or two to
have that really investigated and fixed. If you Pawel have everything still
set up, could you do me a favor and print the value of "iterations" after
line 188 in crmf_pbm.c when the issue occurs? Maybe together with a couple
of 'printf ("This is line %d.\n", LINE);' between line 177 and 194?
That should show us what is wrong and will make it much easier to find the
root cause of the issue.

---

• [bugs:#19] http://sourceforge.net/p/cmpforopenssl/bugs/19 100% CPU
  usage after receiving rejection message with failInfo badCertTemplate*

Status: open
Group: v1.0 (example)
Created: Thu Mar 19, 2015 09:50 AM UTC by Paweł Fojcik
Last Updated: Thu Mar 19, 2015 12:48 PM UTC
Owner: nobody

Hello,
we have observed 100%CPU of process which uses opensslcmp client, when
incorrect certificate template was used and rejection message was sent by
cmp server.

attachement:
gdb info, problem.pcap

---

Sent from sourceforge.net because you indicated interest in
https://sourceforge.net/p/cmpforopenssl/bugs/19/

To unsubscribe from further messages, please visit
https://sourceforge.net/auth/subscriptions/

[Paweł Fojcik]

hello,
additional log added, if more needed let me know, I am able to reproduce the problem easily.

BR
Paweł

[Martin Peylo]

As suspected it does 500 iterations when sending - but for some reason attempts to do 140733193389056 (hex 7FFF00000400) when receiving.

[Kamil Snopek]

Hi,

I attached new logs with logging in CMP_calc_protection_pbmac method.
I couldn't print pbmStrUchar. Could @Martin Peylo write piece of code which do that?

Edit:
We changed in crmf_pbm.c in 157 line type variable interations from long to int. After that instead 140733193389056 we gain 1024. Although in "bugged" msg length is 49 in correct is 45.
Operations ends with error:
Requesting End Entity certificate
CMP Key Update failed with return code: 55 [CMP context error]

BR
Kamil

[Martin Peylo]

After closer look at ASN1_INTEGER_get that might have come from some fun compiler-dependent issue when casting uint64_t to long and bad MAX_LONG definitions.

changing to ASN1_INTEGER_get_uint64 might avoid that.

Also catching suspiciously high iteration counts might help to avoid intentional DoS through manipulated iterationCounts (which are naturally evaluated before their protection can be verified).

[Martin Peylo]

aimed to be fixed with commit 1efc1f8fa13eaf43a4fa7bec411bd9f762c69e5d