cisco / libest


strnlen_s returns 0 when built with --with-system-libsafec #108

Open mwcw opened 2 years ago

mwcw commented 2 years ago

Hi,

I had a problem with getting the est server to start.

To Reproduce:

Host directory setup:

Dockerfile
libest/

# where libest is a clone of the repo, which in this case is at:
# commit f8a6e5b53a5f70e72fe4029981df0693b17cbb32 (HEAD -> main, origin/main, origin/HEAD)

Dockerfile:

FROM ubuntu:latest

RUN apt update
RUN apt install -y build-essential
RUN apt install -y openssl libssl-dev libsafec-dev
ARG DEBIAN_FRONTEND=noninteractive 
RUN apt install -y pkg-config
RUN apt install -y net-tools
COPY libest libest
RUN cd libest; ./configure --with-system-libsafec; make; make install
RUN cd libest/example/server; ./createCA.sh

To run

docker build -t estserver .
docker run -it estserver 

# then in the image

root@3ee56ea7e92f:/# cd libest/example/server
root@3ee56ea7e92f:/libest/example/server# ./runserver.sh 
Using OpenSSL 1.1.1f  31 Mar 2020
***EST [INFO][est_log_version:231]--> libest 3.2.0p (API level 4)
***EST [INFO][est_log_version:235]--> Compiled against OpenSSL 1.1.1f  31 Mar 2020
***EST [INFO][est_log_version:236]--> Linking to OpenSSL 1.1.1f  31 Mar 2020
***EST [ERROR][est_server_init:3225]--> Length of ca_chain doesn't match ca_chain_len

/libest/src/est/.libs/libest-3.2.0p.so(+0xbed0) [0x7fc4ea033ed0]
/libest/src/est/.libs/libest-3.2.0p.so(est_server_init+0x247) [0x7fc4ea041c37]
/libest/example/server/.libs/estserver(+0x8af8) [0x5608e2766af8]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf3) [0x7fc4e9ace0b3]
/libest/example/server/.libs/estserver(+0x96ce) [0x5608e27676ce]

Unable to initialize EST context.  Aborting!!!
root@3ee56ea7e92f:/libest/example/server# 

So with respect to the following line, https://github.com/cisco/libest/blob/f8a6e5b53a5f70e72fe4029981df0693b17cbb32/src/est/est_server.c#L3223

I added a print statement: printf("len: %d, sizeof(size_t): %zu, EST_CA_MAX: %d\n\n strlen(ca_chain): %zu\nCA:\n%s\n\n", len, sizeof(size_t), EST_CA_MAX, strlen((char *)ca_chain), (char *)ca_chain); and got the following:

len: 0, sizeof(size_t): 8, EST_CA_MAX: 2000000

strlen(ca_chain): 1076
CA:
-----BEGIN CERTIFICATE-----
MIIBXzCCAQWgAwIBAgIUR735rp0oYM9BQn7F+9ZZrfH9tuMwCgYIKoZIzj0EAwIw
FzEVMBMGA1UEAwwMZXN0RXhhbXBsZUNBMB4XDTIyMDIyMzA2MDIyMloXDTIzMDIy
MzA2MDIyMlowFzEVMBMGA1UEAwwMZXN0RXhhbXBsZUNBMFkwEwYHKoZIzj0CAQYI
KoZIzj0DAQcDQgAEm+ZXo3yAvGBU7UnnSNQKpNDJZltn3t1adF/Wim1oY6Bbf7GA
bs0Bkt8cqUtFlmdaLhTKyHislSP5JaJIC/BAFqMvMC0wDAYDVR0TBAUwAwEB/zAd
BgNVHQ4EFgQUf5TdCPnL27tWI77Jk3eQmATA19UwCgYIKoZIzj0EAwIDSAAwRQIg
EcDDVpGQO8JpaACJ8daS2v8m2ir7QoOkpNikwmnIfxYCIQCQf693hYQDlZYr3ptG
lzSYKKcOFPptoCice2Yk3H2n4A==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBYTCCAQegAwIBAgIUSFHn+OukUNb2bX/P3INI/CKO+H0wCgYIKoZIzj0EAwIw
GDEWMBQGA1UEAwwNZXN0RVhURVJOQUxDQTAeFw0yMjAyMjMwNjAyMjJaFw0yMzAy
MjMwNjAyMjJaMBgxFjAUBgNVBAMMDWVzdEVYVEVSTkFMQ0EwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAAQrsj3pU59k92woJp17aoZ/Xu7SYjvK2FEJ0YbnwmzZ/yPQ
+A5pPT4PM409vBezl5XhJOz0YF81QHGeM4aSa8dVoy8wLTAMBgNVHRMEBTADAQH/
MB0GA1UdDgQWBBTGHAPyHVXCKaF81X4vN3AgK+ABrDAKBggqhkjOPQQDAgNIADBF
AiATPGNCOqth/PhnsoGX9S+N0izF7xGmUftvBXkADh+5YQIhAKnVFLId1SZORUQn
8hRs38Qv7U/f4Hvqsq+mSc7JWlhn
-----END CERTIFICATE-----

***EST [ERROR][est_server_init:3228]--> Length of ca_chain doesn't match ca_chain_len

Out of curiosity I replaced EST_CA_MAX with 32000 and it fell to the next error on about line 3234.

***EST [ERROR][est_server_init:3234]--> Actual length of cacerts_resp_chain does not match passed in length value

So I did the same there and it appears to get to the point of waiting for connections:


***EST [INFO][ossl_init_cert_store_from_raw:257]--> Cert being added to trust store: CN = estExampleCA 
***EST [INFO][ossl_init_cert_store_from_raw:257]--> Cert being added to trust store: CN = estEXTERNALCA 

Retry period being set to: 300 

Disabling PoP check
Launching EST server...
***EST [INFO][set_ssl_option:1409]--> Using default ECDHE curve (prime256v1)
***EST [INFO][set_ssl_option:1459]--> TLS SRP not enabled

Image details:

uname -a
Linux 24ef38b9e87a 5.10.47-linuxkit #1 SMP Sat Jul 3 21:51:47 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

I started to do some digging but ran out of time, so I ended up rebuilding with: --disable-safec

Let me know if you need any more information.
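An added illustration of the failure mode reported above, not code from libest or from libsafec: safec-style strnlen_s implementations treat the bound (dmax) as a runtime constraint and return 0 when it exceeds the library's RSIZE_MAX_STR, which is why a 1076-byte chain measured with a 2000000-byte bound can come back as length 0 while strlen still sees 1076. The model below reproduces that contract with an assumed, illustrative limit (DEMO_RSIZE_MAX_STR; the real value depends on how the system libsafec was built) and shows the caller-side check a length comparison like the one in est_server_init needs: validate the bound before trusting a 0 result. The PEM-looking sample string is constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed, illustrative stand-in for the library's RSIZE_MAX_STR. The real
 * limit is whatever the installed libsafec was compiled with. */
#define DEMO_RSIZE_MAX_STR 4096u

/* Model of a safec-style strnlen_s. Annex K only says "0 if s is NULL";
 * safec additionally returns 0 when dmax == 0 or dmax > RSIZE_MAX_STR,
 * so a constraint violation is indistinguishable from an empty string. */
size_t demo_strnlen_s(const char *s, size_t dmax) {
    if (s == NULL || dmax == 0 || dmax > DEMO_RSIZE_MAX_STR) {
        return 0;   /* runtime-constraint violation, reported as length 0 */
    }
    size_t n = 0;
    while (n < dmax && s[n] != '\0') {
        n++;
    }
    return n;       /* length, or dmax if no terminator found within dmax */
}

/* Caller-side length check in the spirit of est_server_init's comparison of
 * the measured chain length with the caller-supplied ca_chain_len.
 * Returns 0 on match, -1 on a genuine mismatch, -2 when the bound itself
 * is larger than the library allows (so any 0 result would be meaningless). */
int check_chain_len(const char *chain, size_t claimed_len, size_t bound) {
    if (bound > DEMO_RSIZE_MAX_STR) {
        return -2;  /* strnlen_s would return 0 regardless of the data */
    }
    size_t measured = demo_strnlen_s(chain, bound);
    return (measured == claimed_len) ? 0 : -1;
}

int main(void) {
    /* Constructed sample; stands in for the PEM chain passed to est_server_init. */
    const char *chain =
        "-----BEGIN CERTIFICATE-----\n"
        "MIIB...constructed sample body...\n"
        "-----END CERTIFICATE-----\n";
    size_t real_len = strlen(chain);
    size_t est_ca_max = 2000000;   /* the EST_CA_MAX value printed in the issue */

    printf("strlen:                       %zu\n", real_len);
    printf("strnlen_s, bound=%zu: %zu\n", est_ca_max,
           demo_strnlen_s(chain, est_ca_max));          /* 0: bound too large */
    printf("strnlen_s, bound=%u:      %zu\n", DEMO_RSIZE_MAX_STR,
           demo_strnlen_s(chain, DEMO_RSIZE_MAX_STR));  /* the true length */
    printf("check with oversized bound:   %d\n",
           check_chain_len(chain, real_len, est_ca_max));       /* -2 */
    printf("check with valid bound:       %d\n",
           check_chain_len(chain, real_len, DEMO_RSIZE_MAX_STR)); /* 0 */
    return 0;
}
```

The point for anyone auditing callers of the safe-string API: a 0 from strnlen_s is an error signal as much as a length, so either keep the bound within the library's RSIZE_MAX_STR or check the bound before the call, rather than comparing the 0 against the expected length and reporting a data mismatch that does not exist.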