pkg/47908: OpenSSL SSL connection fails with unaligned access error with SHA256

To: pkg-manager%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,pkgsrc-bugs%netbsd.org@localhost
Subject: pkg/47908: OpenSSL SSL connection fails with unaligned access error with SHA256
From: gary_grebus%dell.com@localhost
Date: Fri, 7 Jun 2013 20:15:00 +0000 (UTC)

>Number:         47908
>Category:       pkg
>Synopsis:       OpenSSL SSL connection fails with unaligned access error with 
>SHA256
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jun 07 20:15:00 +0000 2013
>Originator:     Gary Grebus
>Release:        5.0_STABLE
>Organization:
Dell Inc.
>Environment:
NetBSD kirt4 5.0_STABLE NetBSD 5.0_STABLE (EQL.PSS) #0: Thu Jun  6 14:52:36 EDT 
2013  gary_grebus@ggrebus:/b/sb/bin/destdir.sbmips.64.release/EQL.PSS.64 sbmips

>Description:
An OpenSSL SSL connection fails with an unaligned access error
(SIGBUS) while performing a SHA256_Transform() operation.  This occurred on a
NetBSD 5.0_STABLE system running on MIPS architecture:

netmgtd: ELF 32-bit N32 LSB MIPS32 executable, MIPS, version 1 (SYSV),
for NetBSD, dynamically linked (uses shared libs)


The stack backtrace shows that _SHA56_Transform is in fact trying to
access unaligned data: 

#0  _SHA256_Transform (context=0x69fff580, data=0x77d4004b)
    at 
../../../../../../NetBSD/src/lib/libc/../../common/lib/libc/hash/sha2/sha2.c:427
#1  0x784c748c in ssl3_cbc_digest_record (ctx=0x69fff750, md_out=0x69fff7e0 "", 
    md_out_size=0x69fff730, header=0x69fff740 "", 
    data=0x77d40018 "GET /logo.png HTTP/1.1\r\nAccept: image/png, 
image/svg+xml, image/*;q=0.8, */*;q=0.5\r\nReferer: 
https://[fc00:2496::10:124:111:141]/welcome.html\r\nAccept-Language: 
en-US\r\nUser-Agent: Mozilla/5.0 (compatib"..., data_plus_mac_size=<optimized 
out>, 
    data_plus_mac_plus_padding_size=<optimized out>, 
    mac_secret=0x77d73814 
"\351\275A\324\370$P\022?\316?!x\207Sg[\a\246\070S\204{H^\373$\362\345f)l", 
mac_secret_length=32, is_sslv3=0 '\000')
    at ../../../../../../NetBSD/src/crypto/dist/openssl/ssl/s3_cbc.c:662
#2  0x784bc5c8 in tls1_mac (ssl=0x77d60160, md=0x69fff7e0 "", send=0)
    at ../../../../../../NetBSD/src/crypto/dist/openssl/ssl/t1_enc.c:1019
#3  0x784c3b58 in ssl3_get_record (s=0x77d60160)
    at ../../../../../../NetBSD/src/crypto/dist/openssl/ssl/s3_pkt.c:469
#4  ssl3_read_bytes (s=0x77d60160, type=23, 
    buf=0x77d74800 "GET /welcome.html HTTP/1.1\r\nAccept: text/html, 
application/xhtml+xml, */*\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; 
Windows NT 6.1; WOW64; Trident/5.0)\r\nAccept-Encoding: gzip, 
deflate\r\nCookie: p"..., len=1, peek=0)
    at ../../../../../../NetBSD/src/crypto/dist/openssl/ssl/s3_pkt.c:1006
#5  0x784c92e8 in ssl3_read_internal (s=0x77d60160, buf=0x77d74800, len=1, 
peek=0)
    at ../../../../../../NetBSD/src/crypto/dist/openssl/ssl/s3_lib.c:4207
---Type <return> to continue, or q <return> to quit---
#6  0x10095874 in EQL_generic_SocketRead (sock=<optimized out>, 
    pBuf=0x77d74800 "GET /welcome.html HTTP/1.1\r\nAccept: text/html, 
application/xhtml+xml, */*\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; 
Windows NT 6.1; WOW64; Trident/5.0)\r\nAccept-Encoding: gzip, 
deflate\r\nCookie: p"..., BufSize=1)
    at 
../../../../../../../../../../NetBSD/src/EQL/netmgt/RC/src/equallogic/cli/ssl_utils.c:655
#7  0x10053c5c in REQUEST_Construct (sock=26, pp_envInit=0x69fffb50)
    at 
../../../../../../../../../../NetBSD/src/EQL/netmgt/RC/src/rli_code/wcontrol/rcw_request.c:600

... etc ..

src/common/lib/libc/hash/sha2/sha2.c

426:    do {
427:            W256[j] = be32toh(*data);
428:            ++data;


src/crypto/dist/openssl/ssl/s3_cbc.c:662

661             for (i = 1; i < k/md_block_size; i++)
662                     md_transform(md_state.c, data + md_block_size*i - 13);
663             }


The underlying cause is that on NetBSD, the OpenSSL build does not use
the OpenSSL implementation of SHA256, but rather uses the above
version from libc.  The OpenSSL version correctly handles unaligned
accesses, while the NetBSD libc implementation does not.  I confirmed
this by rebuilding my code to reference the OpenSSL version of 
SHA256_Transform() from  /src/crypto/dist/openssl/crypto/sha/sha256.c.
Doing so fixed the unaligned access. 

SHA256_Transform() is effectively an internal OpenSSL API so it
shouldn't be replaced with a different implementation with different behavior.
It appears that all the SHA-2 hashes (SHA256, SHA384, SHA512) will
suffer from this problem.

>How-To-Repeat:
We've observed this problem consistently with our SSL based application, but I 
have no portable way to demonstrate it.
>Fix:
The description above gives what I believe to be the underlying cause.  
Restoring OpenSSL to use its original SHA256_Transform() resolves the problem, 
but I don't know the best solution to avoid the name conflicts
between libc and OpenSSL without modifying OpenSSL.

Prev by Date: PR/47848 CVS commit: [pkgsrc-2013Q1] pkgsrc/devel/transifex-client
Next by Date: Re: pkg/47903: bootstrap bmake: configure: WARNING: cache variable ac_cv_host contains a newline
Previous by Thread: PR/47848 CVS commit: [pkgsrc-2013Q1] pkgsrc/devel/transifex-client
Next by Thread: PR/47908 CVS commit: src/common/lib/libc/hash/sha2
Indexes:

Home | Main Index | Thread Index | Old Index