Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-31 13:55:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2695 from testssl/fix_segfault_error4

Browse Source 
Fix segfault with error 4 in check_revocation_ocsp() when using --phone-out
This commit is contained in:
Dirk Wetter
2025-03-14 19:19:38 +01:00
committed by GitHub
parent c53f4a3e44 4f1a91f92e
commit 73be4f7381
1 changed files with 16 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
testssl.sh
View File

@@ -2050,6 +2050,8 @@ check_revocation_ocsp() {
local -i success=1 local -i success=1
local response="" local response=""
local host_header="" local host_header=""
local openssl_bin="$OPENSSL"
local addtl_warning=""
"$PHONE_OUT" || [[ -n "$stapled_response" ]] || return 0 "$PHONE_OUT" || [[ -n "$stapled_response" ]] || return 0
[[ -n "$GOOD_CA_BUNDLE" ]] || return 0 [[ -n "$GOOD_CA_BUNDLE" ]] || return 0
@@ -2079,6 +2081,17 @@ check_revocation_ocsp() {
success=$? success=$?
fi fi
else else
if [[ $OPENSSL =~ openssl.Linux.$(uname -m) ]]; then
# --phone-out in some cases throws a segfault with "our" binary, probably because a static binary with
# NSS and gethostbyname(3) doesn't work under Linux. So we use the vendor supplied binary if available.
# See #2516 and probably also #2667 and #1275 .
if [[ -x "$OPENSSL2" ]]; then
openssl_bin="$OPENSSL2"
[[ $DEBUG -ge 3 ]] && echo "Switching to $openssl_bin "
fi
else
addtl_warning="(a segfault indicates here you need to test this with another binary)"
fi
host_header=${uri##http://} host_header=${uri##http://}
host_header=${host_header%%/*} host_header=${host_header%%/*}
if [[ "$OSSL_NAME" =~ LibreSSL ]]; then if [[ "$OSSL_NAME" =~ LibreSSL ]]; then
@@ -2089,7 +2102,7 @@ check_revocation_ocsp() {
else else
host_header="-header Host ${host_header}" host_header="-header Host ${host_header}"
fi fi
$OPENSSL ocsp -no_nonce ${host_header} -url "$uri" \ $openssl_bin ocsp -no_nonce ${host_header} -url "$uri" \
-issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \ -issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \
-CAfile <(cat $ADDTL_CA_FILES "$GOOD_CA_BUNDLE") -cert $HOSTCERT -text &> "$tmpfile" -CAfile <(cat $ADDTL_CA_FILES "$GOOD_CA_BUNDLE") -cert $HOSTCERT -text &> "$tmpfile"
success=$? success=$?
@@ -2109,8 +2122,8 @@ check_revocation_ocsp() {
set_grade_cap "T" "Certificate revoked" set_grade_cap "T" "Certificate revoked"
else else
out ", " out ", "
pr_warning "error querying OCSP responder" pr_warning "error querying OCSP responder $addtl_warning"
fileout "$jsonID" "WARN" "$response" fileout "$jsonID" "WARN" "$response $addtl_warning"
if [[ $DEBUG -ge 2 ]]; then if [[ $DEBUG -ge 2 ]]; then
outln outln
cat "$tmpfile" cat "$tmpfile"