Merge pull request #2696 from testssl/fix_segfault_error4-3.0

drwetter · web-flow · commit 7937c0b84567 · 2025-03-14T19:19:16.000+01:00
Fix segfault with error 4 in check_revocation_ocsp() when using --phone-out (3.0)
diff --git a/testssl.sh b/testssl.sh
@@ -1833,6 +1833,8 @@ check_revocation_ocsp() {
      local -i success
      local response=""
      local host_header=""
+     local openssl_bin="$OPENSSL"
+     local addtl_warning=""
 
      "$PHONE_OUT" || [[ -n "$stapled_response" ]] || return 0
      [[ -n "$GOOD_CA_BUNDLE" ]] || return 0
@@ -1851,6 +1853,16 @@ check_revocation_ocsp() {
                -issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \
                -CAfile <(cat $ADDITIONAL_CA_FILES "$GOOD_CA_BUNDLE") -cert $HOSTCERT -text &> "$tmpfile"
      else
+          if [[ $OPENSSL =~ openssl.Linux.$(uname -m) ]]; then
+               # --phone-out doesn't lawyas work with "our" binary. We use just for that purpose
+               # the vendor supplied binary if available, see #2516 and probably also #2667 and #1275
+               if [[ -x "$OPENSSL2" ]]; then
+                    openssl_bin="$OPENSSL2"
+                    [[ $DEBUG -ge 3 ]] && echo "Switching to $openssl_bin "
+               fi
+          else
+               addtl_warning="(a segfault indicates here you need to test this with another binary)"
+          fi
           host_header=${uri##http://}
           host_header=${host_header%%/*}
           if [[ "$OSSL_NAME" =~ LibreSSL ]]; then
@@ -1861,7 +1873,7 @@ check_revocation_ocsp() {
           else
                host_header="-header Host ${host_header}"
           fi
-          $OPENSSL ocsp -no_nonce ${host_header} -url "$uri" \
+          $openssl_bin ocsp -no_nonce ${host_header} -url "$uri" \
                -issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \
                -CAfile <(cat $ADDITIONAL_CA_FILES "$GOOD_CA_BUNDLE") -cert $HOSTCERT -text &> "$tmpfile"
      fi
@@ -1879,8 +1891,8 @@ check_revocation_ocsp() {
                fileout "$jsonID" "CRITICAL" "revoked"
           else
                out ", "
-               pr_warning "error querying OCSP responder"
-               fileout "$jsonID" "WARN" "$response"
+               pr_warning "error querying OCSP responder $addtl_warning"
+               fileout "$jsonID" "WARN" "$response $addtl_warning"
                if [[ $DEBUG -ge 2 ]]; then
                     outln
                     cat "$tmpfile"
