Fossil Forum

Fossil core dump with fossil ssl-config
Login

Fossil core dump with fossil ssl-config

(1.2) By sean (jungleboogie) on 2022-01-11 16:00:54 edited from 1.1 [source]

Hi,

I caused a core dump on Fossil version def53f0419 when attempting to override already set TLS certificate and private key. Using OpenBSD amd64.

Basic steps:

  1. init new repo
  2. fossil server
  3. edit ssl-cert-file & ssl-key-file
  4. logout
  5. stop server
  6. $ fossil ssl-config load-cert ../cert.pem ../privatekey.pem

unauthorized change to protected setting "ssl-cert" Abort trap (core dumped)

And the backtrace:

(gdb) bt
#0  thrkill () at /tmp/-:3
#1  0x00000e4703c356ae in _libc_abort () at /usr/src/lib/libc/stdlib/abort.c:51
#2  0x00000e4415404cad in fossil_panic (zFormat=Variable "zFormat" is not available.
) at printf.c:1170
#3  0x00000e441539048e in db_assert_protection_off_or_not_sensitive (zName=Variable "zName" is not available.
) at db.c:481
#4  0x00000e4415395e88 in db_set (zName=0xe4415035b9c "ssl-cert",
    zValue=0xe46ffbb5000 "-----BEGIN CERTIFICATE-----\nMIID7jCCAtagAwIBAgIUEzx/rOaw+2peAg1uEFEoaHiz6JQwDQYJKoZIhvcNAQEL\nBQAwbjELMAkGA1UEBhMCVVMxDzANBgNVBAgMBk5ldmFkYTESMBAGA1UEBwwJTGFz\nIFZlZ2FzMQ0wCwYDVQQKDARzZWFuMRcwFQYDVQQLDA"..., globalFlag=0) at db.c:3258
#5  0x00000e44153cb86a in test_tlsconfig_info () at http_ssl.c:980
#6  0x00000e44153e274c in fossil_main (argc=Variable "argc" is not available.
) at main.c:964
#7  0x00000e44153e1fa9 in main (argc=Variable "argc" is not available.
) at main.c:665

(2) By sean (jungleboogie) on 2022-01-11 16:03:37 in reply to 1.2 [link] [source]

Also core dumps when provided full path to the cert/key...

$ fossil ssl-config load-cert /home/jerry/fossil-repos/cert.pem /home/jerry/fossil-repos/privatekey.pem
unauthorized change to protected setting "ssl-cert"
Abort trap (core dumped)

(3) By sean (jungleboogie) on 2022-01-11 16:17:32 in reply to 1.2 [link] [source]

It looks like I don't need to even edit the config option in the webpage.

Maybe it's a problem with my cert and key, but I don't see any issues with the files themselves.

$ file cert.pem privatekey.pem
cert.pem:       PEM certificate
privatekey.pem: ASCII text
$ fossil ssl-config load-cert ../cert.pem ../privatekey.pem
unauthorized change to protected setting "ssl-cert"
Abort trap (core dumped)

(4) By sean (jungleboogie) on 2022-01-11 18:14:40 in reply to 1.2 [link] [source]

Also happening on a linux machine...

$ fossil ssl-config load-cert ../stunnel.pem
unauthorized change to protected setting "ssl-cert"
Aborted

(5) By Richard Hipp (drh) on 2022-01-11 18:57:46 in reply to 4 [link] [source]

This is a deliberate call to panic() due to an assertion fault. It is not some kind of memory error that could lead to an exploit. This is the result of defensive code that is added to Fossil to make it rebust against exploits.

Yes, this is a bug. But it a bug that Fossil detected itself. Yes it needs to be fixed. But it is not a reason for you to panic. Chill. Somebody will get around to fixing the problem soon.

(6) By sean (jungleboogie) on 2022-01-11 20:34:16 in reply to 5 [link] [source]

I appreciate the defensiveness of Fossil being built in.

I wasn't in a panic and I knew nothing bad happened. I'm sorry for the posts.

(7) By Richard Hipp (drh) on 2022-01-12 00:47:24 in reply to 1.2 [link] [source]

Can you please try again with check-in 3f8ee9e1f3b5bafa or later and report back whether or not this fixes your problem?

(8) By Richard Bowden (sentinel) on 2022-01-12 04:10:42 in reply to 1.2 [link] [source]

I believe I have found a few issues, though it is my interpretation of the code...

  1. The load-cert commands logic needs adjusting. Currency its skipping setting the ssl-cert in to the config table. Also the delete sql commands had a typo in the field names. (Example fix patch below)

  2. The command decode_ssl_options https://fossil-scm.org/home/file?ci=trunk&name=src/main.c&ln=3099 requires an open connection to the repo (via https://fossil-scm.org/home/file?ci=trunk&name=src/http_ssl.c&ln=729), though it appears that decode_ssl_options is being called before the repo connection has been opened. I confirmed this by stepping thru the code and https://fossil-scm.org/home/file?ci=trunk&name=src/db.c&ln=3205 is false

I tried moving things around to no avail…still learning the conventions of the code base.

To fix the first set of things I found in item 1 above,

This does not fix item 2, I do not know how to fix that one...

fossil diff
Index: src/http_ssl.c
==================================================================
--- src/http_ssl.c
+++ src/http_ssl.c
@@ -905,11 +905,11 @@
     }
     db_unprotect(PROTECT_ALL);
     db_multi_exec(
       "PRAGMA secure_delete=ON;"
       "DELETE FROM config "
-      " WHERE name IN ('ssl-cert','ssl-cert-file','ssl-cert-key');"
+      " WHERE name IN ('ssl-cert','ssl-cert-file','ssl-key-file');"
     );
     db_protect_pop();
   }else
   if( strncmp("load-cert",zCmd,nCmd)==0 && nCmd>=4 ){
     int bFN = find_option("filename",0,0)!=0;
@@ -921,11 +921,11 @@
     db_begin_transaction();
     db_unprotect(PROTECT_ALL);
     db_multi_exec(
       "PRAGMA secure_delete=ON;"
       "DELETE FROM config "
-      " WHERE name IN ('ssl-cert','ssl-cert-file','ssl-cert-key');"
+      " WHERE name IN ('ssl-cert','ssl-cert-file','ssl-key-file');"
     );
     nHit = 0;
     for(i=3; i<g.argc; i++){
       Blob x;
       int isCert;
@@ -944,11 +944,10 @@
           fossil_fatal("more than one certificate provided");
         }
         haveCert = 1;
         if( bFN ){
           db_set("ssl-cert-file", file_canonical_name_dup(g.argv[i]), 0);
-        }else{
           blob_append(&allText, blob_buffer(&x), blob_size(&x));
         }
         if( isKey && !haveKey ){
           haveKey = 1;
           isKey = 0;
@@ -959,11 +958,10 @@
           fossil_fatal("more than one private key provided");
         }
         haveKey = 1;
         if( bFN ){
           db_set("ssl-key-file", file_canonical_name_dup(g.argv[i]), 0);
-        }else{
           blob_append(&allText, blob_buffer(&x), blob_size(&x));
         }
       }
     }
     if( !haveCert ){
@@ -973,11 +971,11 @@
         fossil_fatal("missing certificate");
       }
     }else if( !haveKey ){
       fossil_fatal("missing private-key");
     }
-    if( !bFN ){
+    if( bFN ){
       db_set("ssl-cert", blob_str(&allText), 0);
     }
     db_protect_pop();
     db_commit_transaction();
   }else

(9) By sean (jungleboogie) on 2022-01-12 15:27:39 in reply to 7 [link] [source]

There is no longer a core dump occurring, so that is fixed.

However, I see this...

$ fossil ssl-config load-cert ../cert.pem ../privatekey.pem
$ fossil ssl-config
OpenSSL-version:   LibreSSL 3.5.0  (0x020000000)
OpenSSL-cert-file: /etc/ssl/cert.pem
OpenSSL-cert-dir:  /etc/ssl/certs
SSL_CERT_FILE:
SSL_CERT_DIR:
ssl-ca-location:
ssl-identity:
ssl-cert:          (3132-byte PEM)
ssl-cert-file:
ssl-key-file:

Since I have the private key and certificate in separate files, I think they would show up on the corresponding lines. But that's not the case above.

This is fossil version 2.18 [d1ac2f90da] 2022-01-12 03:46:21 UTC

(10) By Stephan Beal (stephan) on 2022-01-13 03:31:46 in reply to 9 [link] [source]

Since I have the private key and certificate in separate files, I think they would show up on the corresponding lines. But that's not the case above.

From the load-cert help:

**   load-cert PEM-FILES...      Identify server certificate files. These
**                               should be in the PEM format.  There are
**                               normally two files, the certificate and the
**                               private-key.  By default, the text of both
**                               files is concatenated and added to the
**                               "ssl-cert" setting.  Use --filename to store
**                               just the filenames.

which is consistent with your config output.