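The rsautl command of openssl(1) contains a careless-programming bug: it crashes when an option that takes a value is given as the last argument with no value after it.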

It can be reproduced as follows:

# Generate a throwaway RSA private key to use with -inkey.
openssl genrsa -out /tmp/server.key
# Sample input file for the rsautl run.
cp /etc/passwd /tmp/testfile
rm -f /tmp/test2
# -keyform is the last argument and has no value after it; this is the
# condition that triggers the crash shown in the backtrace.
openssl rsautl -inkey /tmp/server.key -out /tmp/test2 \
-in /tmp/testfile \
-sign -keyform

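After that it segfaults in str2fmt(), which is called with a NULL argument (the `str2fmt (0)` frame below) because nothing follows -keyform on the command line: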

core 'core' of 1325: openssl rsautl -inkey /tmp/server.key -out
/tmp/test2 -in /tmp/testfil
08060106 str2fmt (0) + a
0807ccf5 rsautl_main (9, 8047b08) + 3a5
0807493c do_cmd (80bc360, 9, 8047b08) + 44
08074814 main (a, 8047b04, 8047b30) + 2ac
0805fe66 _start (a, 8047c18, 8047c20, 8047c27, 8047c2e, 8047c3e) + 7a

The fix is as follows:

--- apps/rsautl.c.orig Thu Mar 27 10:52:24 2008
+++ apps/rsautl.c Thu Mar 27 10:54:27 2008
@@ -131,7 +131,11 @@
if (--argc < 1) badarg = 1;
passargin= *(++argv);
} else if (strcmp(*argv,"-keyform") == 0) {
- if (--argc < 1) badarg = 1;
+ if (--argc < 1)
+ {
+ badarg = 1;
+ goto badarg;
+ }
keyform=str2fmt(*(++argv));
#ifndef OPENSSL_NO_ENGINE
} else if(!strcmp(*argv, "-engine")) {
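Review bot: The `-passin` branch in the context lines just above keeps the pattern this patch removes for `-keyform`: `if (--argc < 1) badarg = 1;` followed by an unconditional `*(++argv)`. There the value is only stored in `passargin` rather than passed straight to a function, so it probably does not crash at this point, but options that take a value would be easier to audit if they all used one guarded form. A smaller change for `-keyform` is to keep `if (--argc < 1) badarg = 1;` and make the next line `else keyform=str2fmt(*(++argv));`, which skips the call without a `goto`. The option loop starts and ends outside this hunk, so its other branches should be checked the same way.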
@@ -160,6 +164,7 @@
rsa_mode = RSA_DECRYPT;
need_priv = 1;
} else badarg = 1;
+badarg:
if(badarg) {
usage();
goto end;
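Review bot: The new label `badarg:` is spelled exactly like the `badarg` flag tested on the next line. C keeps labels in their own namespace, so this compiles, but a distinct name such as `bad_arg:` would make `goto badarg;` in the `-keyform` branch easier to read, and a short comment on the label such as `/* reached when an option is missing its value */` would document why it exists. If the `-keyform` branch skipped the `str2fmt` call with an `else` instead, this label would not be needed at all. The enclosing loop is not visible in this hunk, so the label is assumed to sit inside it.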


There are probably more similar bugs lurking in the apps/*.c code.


v.

PS: http://www.openssl.org/support/rt2.html contains a bad link pointing
to http://www.aet.tu-cottbus.de/rt2/NoAuth/Buglist.html
