Closed celic closed 5 years ago
Am Mittwoch, 22. Mai 2019, 17:44:37 CEST schrieb Chris Celi:
Hi Chris,
I ended up hitting this error again. Here is the message reported.
acvp-proxy(4014,0x700010c4b000) malloc: *** error for object 0x7ff93941af20: pointer being freed was not allocated acvp-proxy(4014,0x700010c4b000) malloc: *** set a breakpoint in malloc_error_break to debug ``` Do you know how to prevent it? Or what causes it?
Can you please send me the output of
otool -L acvp-proxy
The reason I am asking is that assume it is related to the OpenSSL locking issue.
How often do you see that issue?
Do you see the issue when you use the command line -v -v -v (which disables threading and thus the OpenSSL problem is not hit)?
Ciao Stephan
Unfortunately to test the bottleneck, I need the threading enabled, so I have not tested with -v -v -v
.
Here is the output of otool -L acvp-proxy
acvp-proxy:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1570.15.0)
/usr/lib/libcurl.4.dylib (compatibility version 7.0.0, current version 9.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.250.1)
/usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1570.15.0)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
Could you please clarify what OpenSSL does here? I don't need an IUT to make these requests. Is OpenSSL providing some interfaces for the HTTPS connection? Or is it something I could disable entirely?
Am Mittwoch, 22. Mai 2019, 18:02:11 CEST schrieb Chris Celi:
Hi Chris,
Unfortunately to test the bottleneck, I need the threading enabled, so I have not tested with
-v -v -v
.Here is the output of
otool -L acvp-proxy
Let me test some more here.
Ciao Stephan
Am Mittwoch, 22. Mai 2019, 18:03:22 CEST schrieb Chris Celi:
Hi Chris,
Could you please clarify what OpenSSL does here? I don't need an IUT to make these requests. Is OpenSSL providing some interfaces for the HTTPS connection? Or is it something I could disable entirely?
The issue is that up to and including OpenSSL 1.0.2, OpenSSL required the caller to provide locking primitives. If these locking primitives are not registered with OpenSSL, it will randomly crash if you do use it in multithreaded environments.
But starting with OpenSSL 1.1.x, OpenSSL itself is fully thread-safe.
So, for OpenSSL 1.0.x, the code lib/openssl_thread_support.c must register the callbacks.
Note, even the acvp-proxy does not make use of OpenSSL, libcurl does. And libcurl does not make any precautions for OpenSSL thread-safety either. Thus, the proxy must ensure this.
Ciao Stephan
Could I update locally to 1.1.x so that libcurl uses a properly threaded version of OpenSSL? If it helps, I am on OSX (which I think just symlinks OpenSSL to LibreSSL; I'm not familiar enough to know the differences).
I installed OpenSSL 1.1.x locally and modified the Makefile to point to those libraries (which I am hoping is what libcurl is looking for). I'll test with that and see if that fixes the error for me.
Am Mittwoch, 22. Mai 2019, 18:18:06 CEST schrieb Chris Celi:
Hi Chris,
Could I update locally to 1.1.x so that libcurl uses a properly threaded version of OpenSSL? If it helps, I am on OSX (which I think just symlinks OpenSSL to LibreSSL; I'm not familiar enough to know the differences).
Ahhh, that may be certainly an issue. LibreSSL is a fork of OpenSSL. So at least they used to have the issue too. I have no idea when or whether that issue was solved. After looking into the upstream code, it seems that this issue is still present.
With that said, it is very likely that the OpenSSL threading code is not compiled. See in lib/openssl_thread_support.c: The code is only compiled if it finds the OpenSSL version < 1.1.0:
If you use libreSSL, that macro is not applicable and the code is not compiled.
One recommendation, can you either turn the aforementioned #if into an #if 1 or use the macro below and recompile the code?
LIBRESSL_VERSION_NUMBER)
Or you use OpenSSL 1.1.x
Ciao Stephan
I have no issues since updating to OpenSSL 1.1.x :^)
Thank you for the assistance.
Am Mittwoch, 22. Mai 2019, 20:28:40 CEST schrieb Chris Celi:
Hi Chris,
I have no issues since updating to OpenSSL 1.1.x :^)
Thank you for the assistance.
Oh, my. I will add the mentioned ifdef for LibreSSL as well.
Thanks a lot for reporting it. Just like I do: keep the reports coming :-)
Ciao Stephan
It feels nice to switch the roles every once in a while ;)
Short followup for the records. I managed to trigger the issue myself. The following backtrace is visible:
getrn + 108 frame #1: 0x00007fff5c86fb8f libcrypto.42.dylib
lh_retrieve + 45
frame #2: 0x00007fff5c8565d2 libcrypto.42.dylibint_thread_get_item + 105 frame #3: 0x00007fff5c855553 libcrypto.42.dylib
ERR_get_state + 81
frame #4: 0x00007fff5c855620 libcrypto.42.dylibERR_clear_error + 19 frame #5: 0x00007fff5e32fc08 libssl.44.dylib
ssl_set_pkey + 90
frame #6: 0x00007fff5e33067b libssl.44.dylibSSL_CTX_use_PrivateKey_file + 208 frame #7: 0x00007fff5c9b97df libcurl.4.dylib
ossl_connect_common + 12108
frame #8: 0x00007fff5c9bb364 libcurl.4.dylibCurl_ssl_connect_nonblocking + 93 frame #9: 0x00007fff5c97c2da libcurl.4.dylib
https_connecting + 23
frame #10: 0x00007fff5c97c2aa libcurl.4.dylibCurl_http_connect + 107 frame #11: 0x00007fff5c98acdc libcurl.4.dylib
Curl_protocol_connect + 146
frame #12: 0x00007fff5c99f180 libcurl.4.dylibmulti_runsingle + 1281 frame #13: 0x00007fff5c99eb84 libcurl.4.dylib
curl_multi_perform + 114
frame #14: 0x00007fff5c997db7 libcurl.4.dylibcurl_easy_perform + 362 frame #15: 0x0000000100015528 acvp-proxy
acvp_curl_http_common(netinfo=acvp_net_op(testid_ctx=<unavailable>, url=<unavailable>, submit=<unavailable>, response=0x000070000c952a30, nettype=<unavailable>) at network_helper.c:55:10 [opt] frame #17: 0x0000000100009448 acvp-proxy
acvp_process_retry(vsid_ctx=0x00000001054001c0, result_data=0x000070000c952a30, url="https://demo.acvts.nist.gov:443/acvp/v1/testSessions/14609/vectorSets/44530", debug_logger=(acvp-proxyacvp_store_vector_debug at debug_helper.c:81)) at acvp_testsession_request.c:370:9 [opt] frame #18: 0x0000000100009530 acvp-proxy
acvp_process_retry(vsid_ctx=0x00000001054001c0, result_data=0x000070000c952a30, url="https://demo.acvts.nist.gov:443/acvp/v1/testSessions/14609/vectorSets/44530", debug_logger=acvp_get_testvectors(vsid_ctx=0x00000001054001c0) at acvp_testsession_request.c:494:9 [opt] frame #20: 0x000000010000ab37 acvp-proxy
acvp_process_req_thread(arg=thread_worker(arg=0x000000010019dcb0) at threading_support.c:218:25 [opt] frame #22: 0x00007fff5f0f22eb libsystem_pthread.dylib
_pthread_body + 126
frame #23: 0x00007fff5f0f5249 libsystem_pthread.dylib_pthread_start + 66 frame #24: 0x00007fff5f0f140d libsystem_pthread.dylib
thread_start + 13So, the issue is definitely somewhere in the OpenSSL code. And it seems that the mutex code I use does not seem to fully solve the issue. And my default OpenSSL version 1.0.2r.
Confirming that it is an OpenSSL bug:
When using the ACVP Proxy code on MacOS and after converting curl to use Apple Secure Transport and applying the patch given in https://github.com/curl/curl/pull/3933 to curl no malloc issues or other random crashes were observed.
Note, you can easily obtain curl linked with Apple Secure Transport by using Homebrew: brew install curl
will give you a curl version linked with Apple Secure Transport. Just make sure you wait until the bug fix mentioned above is applied to Homebrew. See also https://github.com/Homebrew/brew/issues/6170 .
Using ACVP Proxy on Linux with curl linked to OpenSSL 1.1.x like on Fedora 29 does not exhibited such random crashes. This is another confirmation that OpenSSL <= 1.0.2 has still issues with threading even though threading callbacks as defined in https://linux.die.net/man/3/crypto_lock are set.
I ended up hitting this error again. Here is the message reported.
Do you know how to prevent it? Or what causes it?