[openssl.org #2936] Properly set default trusted CA paths if -CAfile and -CApath not used

2012-12-09 Thread Tomas Mraz via RT
The current behavior of the s_client, s_server and s_time commands with
regard to the default trusted CA store path is incorrect. The default
paths are loaded only in case SSL_CTX_load_verify_locations() does not
fail. This means that you have to use -CApath or -CAfile.
The attached patch properly sets the default paths only if neither
-CApath nor -CAfile is specified.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
  Turkish proverb

diff -up openssl-1.0.1c/apps/s_client.c.default-paths openssl-1.0.1c/apps/s_client.c
--- openssl-1.0.1c/apps/s_client.c.default-paths	2012-03-18 19:16:05.0 +0100
+++ openssl-1.0.1c/apps/s_client.c	2012-12-06 18:24:06.425933203 +0100
@@ -1166,12 +1166,19 @@ bad:
 	if (!set_cert_key_stuff(ctx,cert,key))
 		goto end;
 
-	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
-		(!SSL_CTX_set_default_verify_paths(ctx)))
+	if (CAfile == NULL  CApath == NULL)
 		{
-		/* BIO_printf(bio_err,error setting default verify locations\n); */
-		ERR_print_errors(bio_err);
-		/* goto end; */
+		if (!SSL_CTX_set_default_verify_paths(ctx))
+			{
+			ERR_print_errors(bio_err);
+			}
+		}
+	else
+		{
+		if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
+			{
+			ERR_print_errors(bio_err);
+			}
 		}
 
 #ifndef OPENSSL_NO_TLSEXT
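Review bot: the new condition on the `+	if (CAfile == NULL  CApath == NULL)` line has no operator between the two comparisons as rendered here; the `&&` was most likely eaten by the archive's HTML escaping, but the line as shown does not compile, so the applied patch should be checked. Two behavioural points for this hunk: (1) with the old `||` chain, a successful `-CAfile` load went on to call SSL_CTX_set_default_verify_paths() as well, so an explicit location was unioned with the system store; after the patch an explicit `-CAfile`/`-CApath` is used exclusively. That is arguably the right semantics (verify against exactly what the user named), but it is a user-visible change and deserves a mention in the ticket or CHANGES. (2) Both branches only ERR_print_errors() on failure; the `goto end` stays removed, so a mistyped `-CAfile` leaves s_client running with an empty trust store and every chain failing verification later. Consider making a failed load of an explicitly requested location fatal.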
diff -up openssl-1.0.1c/apps/s_server.c.default-paths openssl-1.0.1c/apps/s_server.c
--- openssl-1.0.1c/apps/s_server.c.default-paths	2012-03-18 19:16:05.0 +0100
+++ openssl-1.0.1c/apps/s_server.c	2012-12-06 18:25:11.199329611 +0100
@@ -1565,13 +1565,21 @@ bad:
 		}
 #endif
 
-	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
-		(!SSL_CTX_set_default_verify_paths(ctx)))
+	if (CAfile == NULL  CApath == NULL)
 		{
-		/* BIO_printf(bio_err,X509_load_verify_locations\n); */
-		ERR_print_errors(bio_err);
-		/* goto end; */
+		if (!SSL_CTX_set_default_verify_paths(ctx))
+			{
+			ERR_print_errors(bio_err);
+			}
+		}
+	else
+		{
+		if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
+			{
+			ERR_print_errors(bio_err);
+			}
 		}
+
 	if (vpm)
 		SSL_CTX_set1_param(ctx, vpm);
 
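Review bot: same remarks as for s_client: the `+	if (CAfile == NULL  CApath == NULL)` line is missing its `&&` in this rendering, an explicit `-CAfile`/`-CApath` no longer has the default paths added on top of it, and a failed SSL_CTX_load_verify_locations() on an explicit location is still non-fatal (only printed). For a server that is asked to verify client certificates, continuing with an empty store is worth a `goto end` rather than a log line.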
@@ -1622,8 +1630,11 @@ bad:
 		else
 			SSL_CTX_sess_set_cache_size(ctx2,128);
 
-		if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
-			(!SSL_CTX_set_default_verify_paths(ctx2)))
+		if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
+			{
+			ERR_print_errors(bio_err);
+			}
+		if (!SSL_CTX_set_default_verify_paths(ctx2))
 			{
 			ERR_print_errors(bio_err);
 			}
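Review bot: this hunk for `ctx2` is inconsistent with the `ctx` hunk above. Here SSL_CTX_load_verify_locations(ctx2,CAfile,CApath) and SSL_CTX_set_default_verify_paths(ctx2) are both called unconditionally, whereas for `ctx` the patch chooses one or the other. When neither `-CAfile` nor `-CApath` is given, SSL_CTX_load_verify_locations() with two NULL arguments returns 0, so the `+		if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))` branch will print a spurious error on every default-path run of the second context, and when an explicit location is given `ctx2` still gets the system defaults added while `ctx` does not. Suggest mirroring the `ctx` logic (the `CAfile == NULL && CApath == NULL` split) here, or factoring it into a small helper used by both contexts.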
diff -up openssl-1.0.1c/apps/s_time.c.default-paths openssl-1.0.1c/apps/s_time.c
--- openssl-1.0.1c/apps/s_time.c.default-paths	2006-04-17 14:22:13.0 +0200
+++ openssl-1.0.1c/apps/s_time.c	2012-12-06 18:27:41.694574044 +0100
@@ -373,12 +373,19 @@ int MAIN(int argc, char **argv)
 
 	SSL_load_error_strings();
 
-	if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ||
-		(!SSL_CTX_set_default_verify_paths(tm_ctx)))
+	if (CAfile == NULL  CApath == NULL)
 		{
-		/* BIO_printf(bio_err,error setting default verify locations\n); */
-		ERR_print_errors(bio_err);
-		/* goto end; */
+		if (!SSL_CTX_set_default_verify_paths(tm_ctx))
+			{
+			ERR_print_errors(bio_err);
+			}
+		}
+	else
+		{
+		if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath))
+			{
+			ERR_print_errors(bio_err);
+			}
 		}
 
 	if (tm_cipher == NULL)
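Review bot: identical to the s_client hunk, including the `+	if (CAfile == NULL  CApath == NULL)` line with no operator between the comparisons in this rendering. The same non-fatal handling applies: s_time will happily benchmark connections whose chains cannot be verified if the requested `-CAfile` fails to load; a `goto end` on failure of an explicit location would make that mistake visible.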


[openssl.org #2937] Handshake performance degradation in 1.0.1 and up.

2012-12-09 Thread Andrey Kulikov via RT
In comparison to 1.0.0, in 1.0.1 the implementation of the PRF has been
changed.
In order to support TLS 1.1/1.2 features, in file ssl/t1_enc.c, in function
tls_P_hash() calls to HMAC_Init/HMAC_Update/HMAC_Final were replaced by
EVP_DigestSignInit/EVP_DigestSignUpdate/EVP_DigestSignFinal.

As a drawback, keyblock setup for ciphersuites with 256-bit encryption and
MAC key requires about 3 times more intensive usage of hash objects.
For example, in order to perform one handshake,
in OpenSSL 1.0.0i
Digest init called 30 times.
Digest copy called 69 times.
Digest cleanup called 98 times.

OpenSSL 1.0.1c
Digest init called 105 times.
Digest copy called 160 times.
Digest cleanup called 264 times.

~3 times more intensive hash object usage is definitely not good for
performance.
In my case, handshake rate drops down to 5-6% on the same hardware in 1.0.1c
in comparison to 1.0.0i.

Also, more intense malloc usage leads to faster heap fragmentation. But I
wasn't able to measure the impact of that factor yet.

Is there any way to reduce hash objects usage, while keeping TLS 1.1/1.2
features?
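The P_hash cost discussed in this ticket, as an added example that is not part of the thread and not OpenSSL code: a Python TLS 1.2 PRF over HMAC-SHA256 (RFC 5246, section 5) in two variants. The first builds a fresh keyed HMAC context for every MAC, which is one init per MAC and the pattern behind the "digest init" counts reported above; the second keys one context per P_hash call and copies it, so the key pads are absorbed once. Both variants are instrumented with init/copy counters and derive the same master secret and key block. The helper names (HmacStats, p_hash_reinit, p_hash_copy, tls12_prf, derive_key_block, compare_strategies) and the pre-master and random values are this example's own constructed assumptions; the key-block length is sized for a 256-bit-key, SHA-256-MAC suite with IV lengths left out.

```python
"""TLS 1.2 PRF (RFC 5246, section 5) on HMAC-SHA256, two ways, with the
number of keyed-context initialisations counted.

Added example, not OpenSSL code.  All helper names are this example's own;
the key and random values below are constructed, not captured traffic."""
import hashlib
import hmac


class HmacStats:
    """Counts keyed-context creations (inits) and context copies."""

    def __init__(self):
        self.inits = 0
        self.copies = 0


def p_hash_reinit(secret, seed, out_len, stats, digest=hashlib.sha256):
    """P_hash(secret, seed): A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ...
    Every HMAC builds a fresh keyed context: one init per MAC."""
    out = b""
    a = seed
    while len(out) < out_len:
        stats.inits += 1
        a = hmac.new(secret, a, digest).digest()
        stats.inits += 1
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:out_len]


def p_hash_copy(secret, seed, out_len, stats, digest=hashlib.sha256):
    """Same P_hash, but the keyed context is built once and copied for each
    MAC; a copy already holds the absorbed key pad, so no re-keying."""
    stats.inits += 1
    base = hmac.new(secret, None, digest)
    out = b""
    a = seed
    while len(out) < out_len:
        stats.copies += 1
        h = base.copy()
        h.update(a)
        a = h.digest()
        stats.copies += 1
        h = base.copy()
        h.update(a + seed)
        out += h.digest()
    return out[:out_len]


def tls12_prf(secret, label, seed, out_len, p_hash, stats):
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, out_len, stats)


def derive_key_block(pre_master, client_random, server_random,
                     key_block_len, p_hash, stats):
    """Master secret (RFC 5246, 8.1) then key block (6.3) via the given P_hash."""
    master = tls12_prf(pre_master, b"master secret",
                       client_random + server_random, 48, p_hash, stats)
    return tls12_prf(master, b"key expansion",
                     server_random + client_random, key_block_len,
                     p_hash, stats)


# Constructed inputs (not from a real session).
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = bytes([0x11] * 32)
SERVER_RANDOM = bytes([0x22] * 32)
# 2 x (32-byte MAC key + 32-byte cipher key): a 256-bit-key, SHA-256-MAC
# suite, IV lengths left out for simplicity.
KEY_BLOCK_LEN = 2 * (32 + 32)


def compare_strategies():
    """Derive the same key block both ways; return outputs and counters."""
    s1, s2 = HmacStats(), HmacStats()
    kb1 = derive_key_block(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM,
                           KEY_BLOCK_LEN, p_hash_reinit, s1)
    kb2 = derive_key_block(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM,
                           KEY_BLOCK_LEN, p_hash_copy, s2)
    return {"same_output": kb1 == kb2, "key_block_len": len(kb1),
            "reinit_inits": s1.inits, "copy_inits": s2.inits,
            "copy_copies": s2.copies}


if __name__ == "__main__":
    print(compare_strategies())
```

For a 48-byte master secret and a 128-byte key block, SHA-256 P_hash needs 2 + 4 iterations, i.e. 12 MACs: the re-init variant keys a context 12 times, the copy variant keys it twice and copies 12 times. The example only shows the arithmetic of that saving; whether a particular OpenSSL release can take the same shortcut through the EVP_DigestSign interface is exactly what the ticket asks.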



[openssl.org #2938] [PATCH] Severe resource leak in tls_P_hash() (v1.0.1 and up)

2012-12-09 Thread Andrey Kulikov via RT
Hello,

In v1.0.1 tls_P_hash() has been changed in comparison to earlier OpenSSL
versions.
The hash objects used are re-initialized during the P_hash calculation.
It looks harmless, but only until we come to hash objects holding
references to external objects,
e.g. engine-specific hashes allocating handles to a hardware device or some
external library.

Then re-initing these MACs does not result in memory loss, but the handles to
external objects stored in that memory are lost.
(This is why I call it a resource leak, not a memory leak.)

In my case each handshake leads to 87 unfreed handles, and the library
interacting with the hardware device starts to fail due to out of memory after
about 6000 handshakes.

Please find attached a patch correcting the discovered issue.
It can be applied to 1.0.1, 1.0.2 and to the latest source tarball.

make test
reports success for 1.0.1c with this patch applied.

If anyone sees any issues in the supplied patch, please let me know.

Best wishes,
Andrey Kulikov.


tls1_P_hash_resource_leak.patch
Description: Binary data


[openssl.org #2939] Re: [FIX] 1.0.0d: All platforms: GOST server MUST check correctness of shared UKM

2012-12-09 Thread Andrey Kulikov via RT
Just noticed the wrong goto label in case of EVP_PKEY_CTX_ctrl() failure.
Please find attached the corrected patch (gost_server_to_check_ukm_v2.patch).

On 17 April 2011 17:54, Andrey Kulikov amde...@gmail.com wrote:

 According to this document:

 http://tools.ietf.org/html/draft-chudov-cryptopro-cptls-04#section-3.6

 Server, implementing GOST algorithms, MUST check the correctness of the shared UKM
 sent by the client.

 ==

  Server MUST verify, that keyBlob.transportParameters.ukm is equal to
GOSTR3411(client_random|server_random)[0..7], before decrypting the
premaster_secret.

 ==

 There are no such checks in 1.0.0d at all.
 The attached patch implements the missing functionality.

 To apply patch use following command in root of current OpenSSL
 development tree:

 patch -p1 -l -u -b -i gost_server_to_check_ukm.patch

 Andrey.

 P.S. Checked to work fine with two CSPs from different vendors, as well as
 openssl itself.



gost_server_to_check_ukm_v2.patch
Description: Binary data


[openssl.org #2940] [Patch] Extend/correct documentation for SSL_CIPHER_get_description(), SSL_CIPHER_get_version(), SSL_get_version()

2012-12-09 Thread Stefan Brüns via RT
Hi,

the values are taken from ssl_ciph.c and ssl_lib.c respectively. The text for 
SSL_CIPHER_get_version() is an almost verbatim copy from doc/ssl/ssl.pod - 
Dealing with ciphers.

Regards,

Stefan
Index: SSL_CIPHER_get_name.pod
===
RCS file: /home/stefan/Documents/Sources/openssl/openssl/doc/ssl/SSL_CIPHER_get_name.pod,v
retrieving revision 1.7
diff -u -r1.7 SSL_CIPHER_get_name.pod
--- SSL_CIPHER_get_name.pod	12 Sep 2009 23:17:38 -	1.7
+++ SSL_CIPHER_get_name.pod	8 Dec 2012 03:39:24 -
@@ -23,8 +23,10 @@
 Balg_bits is not NULL, it contains the number of bits processed by the
 chosen algorithm. If Bcipher is NULL, 0 is returned.
 
-SSL_CIPHER_get_version() returns the protocol version for Bcipher, currently
-SSLv2, SSLv3, or TLSv1. If Bcipher is NULL, (NONE) is returned.
+SSL_CIPHER_get_version() returns a string which indicates the
+SSL/TLS protocol version to which Bcipher belongs (i.e. where it was defined
+in the specification the first time). Possible values are BTLSv1/SSLv3 and
+BSSLv2
 
 SSL_CIPHER_description() returns a textual description of the cipher used
 into the buffer Bbuf of length Blen provided. Blen must be at least
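Review bot: the replacement paragraph drops the NULL case that the removed lines documented (`-SSLv2, SSLv3, or TLSv1. If Bcipher is NULL, (NONE) is returned.`); unless the function's behaviour changed, keep a sentence stating what SSL_CIPHER_get_version() returns for a NULL cipher. The new paragraph also ends without a full stop after the last `B<...>` value. Note that this archive rendering has stripped the POD angle brackets (`Bcipher`, `BTLSv1/SSLv3`, `BSSLv2`), so the markup must be checked in the actual patch file, not here.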
@@ -40,6 +42,9 @@
 does use the full 128 bits (which would be returned for Balg_bits), of
 which however 88bits are fixed. The search space is hence only 40 bits.
 
+SSL_CIPHER_get_version() should possibly return TLSv1.2, but it does
+not. Use SSL_CIPHER_description() instead.
+
 The string returned by SSL_CIPHER_description() in case of success consists
 of cleartext information separated by one or more blanks in the following
 sequence:
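Review bot: the added BUGS entry "should possibly return TLSv1.2, but it does not" is too vague for a manual page. Say what the function does return for a cipher first defined in TLSv1.2; by the DESCRIPTION text in the previous hunk of this same patch the only possible values are TLSv1/SSLv3 and SSLv2, so readers should be told that a TLSv1.2-only suite is reported as TLSv1/SSLv3 and that the protocol-version field of SSL_CIPHER_description() is the way to see TLSv1.2.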
@@ -52,7 +57,8 @@
 
 =item protocol version
 
-Protocol version: BSSLv2, BSSLv3. The TLSv1 ciphers are flagged with SSLv3.
+Protocol version: BSSLv2, BSSLv3, BTLSv1.2. The TLSv1.0 ciphers are
+flagged with SSLv3. No new ciphers were added by TLSv1.1.
 
 =item Kx=key exchange
 
@@ -90,6 +96,11 @@
  EDH-DSS-DES-CBC3-SHASSLv3 Kx=DH   Au=DSS  Enc=3DES(168) Mac=SHA1
  RC4-MD5 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
  EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
+ CDH-RSA-AES128-SHA256   TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
+
+A complete list can be retrieved using:
+
+ openssl ciphers -v 'ALL:eNULL'
 
 =head1 BUGS
 
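Review bot: the new example line `+ CDH-RSA-AES128-SHA256   TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256` looks hand-edited rather than pasted. The cipher name is truncated (there is no CDH-RSA suite; ECDH-RSA-AES128-SHA256 is the 1.0.1 name), and its `Kx=ECDH/ECDSA Au=ECDH` attributes are those of the ECDH-ECDSA suite, whereas an ECDH-RSA suite is listed with `Kx=ECDH/RSA`. Paste the line verbatim from the `openssl ciphers -v 'ALL:eNULL'` output the patch itself recommends, and align its columns with the existing example lines.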
Index: SSL_get_version.pod
===
RCS file: /home/stefan/Documents/Sources/openssl/openssl/doc/ssl/SSL_get_version.pod,v
retrieving revision 1.2
diff -u -r1.2 SSL_get_version.pod
--- SSL_get_version.pod	30 Mar 2005 11:50:14 -	1.2
+++ SSL_get_version.pod	8 Dec 2012 03:44:16 -
@@ -12,7 +12,7 @@
 
 =head1 DESCRIPTION
 
-SSL_get_cipher_version() returns the name of the protocol used for the
+SSL_get_version() returns the name of the protocol used for the
 connection Bssl.
 
 =head1 RETURN VALUES
@@ -31,7 +31,15 @@
 
 =item TLSv1
 
-The connection uses the TLSv1 protocol.
+The connection uses the TLSv1.0 protocol.
+
+=item TLSv1.1
+
+The connection uses the TLSv1.1 protocol.
+
+=item TLSv1.2
+
+The connection uses the TLSv1.2 protocol.
 
 =item unknown
 

