Segfault in X509 object from verify callback #273

Closed
tiran opened this issue May 28, 2015 · 2 comments

tiran commented May 28, 2015

This script causes a segfault:

#!/usr/bin/env python2.7
import sys
import socket
from OpenSSL import SSL

def connect(host, port):
    chain = []
    def cb(conn, x509, errnum, errdepth, ok):
        chain.append(x509)
        return True

    ctx = SSL.Context(SSL.SSLv23_METHOD)
    ctx.set_verify(SSL.VERIFY_PEER, cb)
    sock = socket.create_connection((host, port))
    ssock = SSL.Connection(ctx, sock)
    ssock.set_connect_state()
    ssock.set_tlsext_host_name(host)
    ssock.do_handshake()
    ssock.close()
    return chain

if __name__ == '__main__':
    host = sys.argv[1]
    port = 443
    chain = connect(host, port)
    for x509 in chain:
        print(x509.get_issuer(), x509.get_subject())

(gdb) run cb_x509.py python.org
Starting program: /home/heimes/.virtualenvs/pyopenssl/bin/python cb_x509.py python.org
Missing separate debuginfos, use: dnf debuginfo-install glibc-2.21-5.fc22.x86_64
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
X509_NAME_oneline (a=0x98dd50, buf=0x7c85b0 "", len=<optimized out>, len@entry=512) at x509_obj.c:106
106                     n=OBJ_obj2nid(ne->object);
Missing separate debuginfos, use: dnf debuginfo-install libffi-3.1-7.fc22.x86_64 nss-mdns-0.10-15.fc22.x86_64 python-libs-2.7.9-6.fc22.x86_64 zlib-1.2.8-7.fc22.x86_64
(gdb) bt
#0  X509_NAME_oneline (a=0x98dd50, buf=0x7c85b0 "", len=<optimized out>, len@entry=512) at x509_obj.c:106
#1  0x00007fffeb8563e9 in _cffi_f_X509_NAME_oneline (self=<optimized out>, args=<optimized out>)
    at src/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_e7d09016xc302a38b.c:46920
#2  0x00007ffff7af590e in PyEval_EvalFrameEx () from /lib64/libpython2.7.so.1.0
#3  0x00007ffff7af6704 in PyEval_EvalCodeEx () from /lib64/libpython2.7.so.1.0
#4  0x00007ffff7a8258c in function_call () from /lib64/libpython2.7.so.1.0
#5  0x00007ffff7a5daf3 in PyObject_Call () from /lib64/libpython2.7.so.1.0
#6  0x00007ffff7a6c94c in instancemethod_call () from /lib64/libpython2.7.so.1.0
#7  0x00007ffff7a5daf3 in PyObject_Call () from /lib64/libpython2.7.so.1.0
#8  0x00007ffff7aefb17 in PyEval_CallObjectWithKeywords () from /lib64/libpython2.7.so.1.0
#9  0x00007ffff7ab4af0 in slot_tp_repr () from /lib64/libpython2.7.so.1.0
#10 0x00007ffff7a98ae0 in PyObject_Repr () from /lib64/libpython2.7.so.1.0
#11 0x00007ffff7a98e0a in internal_print () from /lib64/libpython2.7.so.1.0
#12 0x00007ffff7aad66f in tupleprint () from /lib64/libpython2.7.so.1.0
#13 0x00007ffff7a98ddf in internal_print () from /lib64/libpython2.7.so.1.0
#14 0x00007ffff7a7b26b in PyFile_WriteObject () from /lib64/libpython2.7.so.1.0
#15 0x00007ffff7af3bcf in PyEval_EvalFrameEx () from /lib64/libpython2.7.so.1.0
#16 0x00007ffff7af6704 in PyEval_EvalCodeEx () from /lib64/libpython2.7.so.1.0
#17 0x00007ffff7af6829 in PyEval_EvalCode () from /lib64/libpython2.7.so.1.0
#18 0x00007ffff7b0fb5f in run_mod () from /lib64/libpython2.7.so.1.0
#19 0x00007ffff7b10d32 in PyRun_FileExFlags () from /lib64/libpython2.7.so.1.0
#20 0x00007ffff7b11f47 in PyRun_SimpleFileExFlags () from /lib64/libpython2.7.so.1.0
#21 0x00007ffff7b24141 in Py_Main () from /lib64/libpython2.7.so.1.0
#22 0x00007ffff6d48790 in __libc_start_main () from /lib64/libc.so.6
#23 0x0000000000400729 in _start ()

Possible solutions:

  1. always X509_dup() the X509 ptr
  2. invalidate the pointer after the callback has finished and raise an error

If you go for 2, please also include a dup() method.
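
An application-side take on option 1, as an added example that is not part of the original issue and not pyOpenSSL's own code: the callback serializes each certificate to DER while it is still running and keeps only the bytes, so nothing retained points at memory OpenSSL owns. The names `make_test_cert`, `make_collector` and `collect_peer_chain` and the self-signed certificate are constructed for illustration; the handshake runs over memory BIOs so no network is needed.

```python
from OpenSSL import SSL, crypto

def make_test_cert():
    """Constructed self-signed key and certificate, for this demo only."""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509()
    cert.set_serial_number(1)
    cert.get_subject().CN = "example.test"
    cert.set_issuer(cert.get_subject())
    cert.set_pubkey(key)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(3600)
    cert.sign(key, "sha256")
    return key, cert

def make_collector():
    """Return (chain, cb); cb stores DER bytes per depth, never the X509 object."""
    chain = {}
    def cb(conn, x509, errnum, errdepth, ok):
        # Copy the certificate out while the callback is still running.
        chain[errdepth] = crypto.dump_certificate(crypto.FILETYPE_ASN1, x509)
        return bool(ok)  # keep OpenSSL's verdict instead of accepting everything
    return chain, cb

def collect_peer_chain(key, cert):
    """Handshake over memory BIOs (no network) and return the collected DER."""
    sctx = SSL.Context(SSL.SSLv23_METHOD)
    sctx.use_privatekey(key)
    sctx.use_certificate(cert)
    cctx = SSL.Context(SSL.SSLv23_METHOD)
    cctx.get_cert_store().add_cert(cert)  # trust the constructed test cert
    chain, cb = make_collector()
    cctx.set_verify(SSL.VERIFY_PEER, cb)
    server, client = SSL.Connection(sctx, None), SSL.Connection(cctx, None)
    server.set_accept_state()
    client.set_connect_state()
    for _ in range(10):  # pump handshake records between the two memory BIOs
        for src, dst in ((client, server), (server, client)):
            try:
                src.do_handshake()
            except SSL.WantReadError:
                pass  # needs more data from the peer
            try:
                dst.bio_write(src.bio_read(65536))
            except SSL.WantReadError:
                pass  # nothing pending to send
    return chain
```

The collected bytes can be turned back into independent objects later with `crypto.load_certificate(crypto.FILETYPE_ASN1, der)`.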

hynek (Contributor) commented May 28, 2015

I think you might have slightly fornicated up your markup. :)

Which BTW added references to issue 1 thru 23. :D

(fixed it for you)

alex (Member) commented Nov 23, 2021

This doesn't segfault anymore.

alex closed this as completed Nov 23, 2021
github-actions bot locked as resolved and limited conversation to collaborators Feb 22, 2022