[openssl.org #2936] Properly set default trusted CA paths if -CAfile and -CApath not used
The current behavior of s_client, s_server and s_time commands in regards to the default trusted CA store path is incorrect. The default paths are loaded only in case SSL_CTX_load_verify_locations() does not fail. This means that you have to use -CApath or -CAfile The attached patch properly sets the default paths only if neither -CApath nor -CAfile is specified. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb diff -up openssl-1.0.1c/apps/s_client.c.default-paths openssl-1.0.1c/apps/s_client.c --- openssl-1.0.1c/apps/s_client.c.default-paths 2012-03-18 19:16:05.0 +0100 +++ openssl-1.0.1c/apps/s_client.c 2012-12-06 18:24:06.425933203 +0100 @@ -1166,12 +1166,19 @@ bad: if (!set_cert_key_stuff(ctx,cert,key)) goto end; - if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || - (!SSL_CTX_set_default_verify_paths(ctx))) + if (CAfile == NULL CApath == NULL) { - /* BIO_printf(bio_err,error setting default verify locations\n); */ - ERR_print_errors(bio_err); - /* goto end; */ + if (!SSL_CTX_set_default_verify_paths(ctx)) + { + ERR_print_errors(bio_err); + } + } + else + { + if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) + { + ERR_print_errors(bio_err); + } } #ifndef OPENSSL_NO_TLSEXT diff -up openssl-1.0.1c/apps/s_server.c.default-paths openssl-1.0.1c/apps/s_server.c --- openssl-1.0.1c/apps/s_server.c.default-paths 2012-03-18 19:16:05.0 +0100 +++ openssl-1.0.1c/apps/s_server.c 2012-12-06 18:25:11.199329611 +0100 
@@ -1565,13 +1565,21 @@ bad: } #endif - if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || - (!SSL_CTX_set_default_verify_paths(ctx))) + if (CAfile == NULL CApath == NULL) { - /* BIO_printf(bio_err,X509_load_verify_locations\n); */ - ERR_print_errors(bio_err); - /* goto end; */ + if (!SSL_CTX_set_default_verify_paths(ctx)) + { + ERR_print_errors(bio_err); + } + } + else + { + if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) + { + ERR_print_errors(bio_err); + } } + if (vpm) SSL_CTX_set1_param(ctx, vpm); @@ -1622,8 +1630,11 @@ bad: else SSL_CTX_sess_set_cache_size(ctx2,128); - if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) || - (!SSL_CTX_set_default_verify_paths(ctx2))) + if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) + { + ERR_print_errors(bio_err); + } + if (!SSL_CTX_set_default_verify_paths(ctx2)) { ERR_print_errors(bio_err); } diff -up openssl-1.0.1c/apps/s_time.c.default-paths openssl-1.0.1c/apps/s_time.c --- openssl-1.0.1c/apps/s_time.c.default-paths 2006-04-17 14:22:13.0 +0200 +++ openssl-1.0.1c/apps/s_time.c 2012-12-06 18:27:41.694574044 +0100 @@ -373,12 +373,19 @@ int MAIN(int argc, char **argv) SSL_load_error_strings(); - if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) || - (!SSL_CTX_set_default_verify_paths(tm_ctx))) + if (CAfile == NULL CApath == NULL) { - /* BIO_printf(bio_err,error setting default verify locations\n); */ - ERR_print_errors(bio_err); - /* goto end; */ + if (!SSL_CTX_set_default_verify_paths(tm_ctx)) + { + ERR_print_errors(bio_err); + } + } + else + { + if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) + { + ERR_print_errors(bio_err); + } } if (tm_cipher == NULL)
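Review bot: in the s_client.c hunk the new guard reads `if (CAfile == NULL CApath == NULL)` with no operator between the two comparisons; the description ("only if neither -CApath nor -CAfile is specified") requires `&&`, since `||` would skip a user-supplied -CAfile whenever -CApath is absent. The description should also say that this is a behaviour change: the replaced code called SSL_CTX_set_default_verify_paths() after a successful -CAfile/-CApath load, so the system store was added on top, whereas the new if/else makes the two exclusive and a caller passing -CAfile trusts only that file.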
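Review bot: the first s_server.c hunk (ctx) repeats the s_client block verbatim, including the `CAfile == NULL CApath == NULL` guard that needs `&&`; with three identical copies across s_client, s_server and s_time, a single shared helper taking the ctx, CAfile and CApath would keep the rule in one place. The extra blank line added before `if (vpm)` is a whitespace-only change and can be dropped from the patch.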
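Review bot: the ctx2 hunk does not apply the rule the other three hunks implement: it still calls SSL_CTX_load_verify_locations(ctx2,CAfile,CApath) unconditionally, even when both arguments are NULL, and then SSL_CTX_set_default_verify_paths(ctx2) unconditionally, so with -CAfile given the default paths are appended for ctx2 but not for ctx and the two server contexts end up trusting different CA sets. Use the same `if (CAfile == NULL && CApath == NULL) { ... } else { ... }` shape here as for ctx.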
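Review bot: the s_time.c hunk has the same missing `&&` in `if (CAfile == NULL CApath == NULL)`. Note also that the failure path stays non-fatal, as in the replaced code (`/* goto end; */` is gone, only ERR_print_errors(bio_err) remains), so a mistyped -CAfile is reported and the benchmark continues with whatever verify locations were set; for a timing tool that is acceptable, but a one-line message saying that the run continues would make the output less surprising.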
[openssl.org #2937] Handshake performance degradation in 1.0.1 and up.
In comparison to 1.0.0, in 1.0.1 the implementation of the PRF has been changed. In order to support TLS 1.1/1.2 features, in file ssl/t1_enc.c, in function tls_P_hash(), calls to HMAC_Init/HMAC_Update/HMAC_Final were replaced by EVP_DigestSignInit/EVP_DigestSignUpdate/EVP_DigestSignFinal. As a drawback, keyblock setup for ciphersuites with 256-bit encryption and MAC keys requires about 3 times more intensive usage of hash objects.

For example, in order to perform one handshake:

OpenSSL 1.0.0i
Digest init called 30 times.
Digest copy called 69 times.
Digest cleanup called 98 times.

OpenSSL 1.0.1c
Digest init called 105 times.
Digest copy called 160 times.
Digest cleanup called 264 times.

~3 times more intensive hash object usage is definitely not good for performance. In my case, the handshake rate drops down to 5-6% on the same hardware in 1.0.1c in comparison to 1.0.0i.

Also, more intense malloc usage leads to faster heap fragmentation. But I wasn't able to measure the impact of that factor yet.

Is there any way to reduce hash object usage, while keeping TLS 1.1/1.2 features?
[openssl.org #2938] [PATCH] Severe resource leak in tls_P_hash() (v1.0.1 and up)
Hello,

In v1.0.1 tls_P_hash() has been changed in comparison to earlier OpenSSL versions. The hash objects used are re-initialized during the P_hash calculation. It looks harmless, but only until we come to hash objects holding references to external objects, e.g. engine-specific hashes allocating handles to a hardware device or some external library. Then re-initing these MACs does not result in memory loss, but the handles to external objects stored in that memory are lost (this is why I call it a resource leak, not a memory leak).

In my case each handshake leads to 87 unfreed handles, and the library interacting with the hardware device starts to fail due to out of memory after about 6000 handshakes.

Please find attached a patch correcting the discovered issue. It can be applied to 1.0.1, 1.0.2 and to the latest source tarball. make test reports success for 1.0.1c with this patch applied.

If anyone sees any issues in the supplied patch, please let me know.

Best wishes,
Andrey Kulikov.

Attachment: tls1_P_hash_resource_leak.patch
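As an added illustration for #2937 and #2938 (this is not OpenSSL's tls_P_hash() and not the attached patch), the following Python models the TLS 1.2 P_hash iteration in the two styles the tickets contrast: keying a brand-new HMAC object for every MAC call, versus keying the secret once and copying that context per use. All function names, the sample master secret and the randoms are constructed for the example. It counts how many keyed initialisations each style needs for a 160-byte key block (two 32-byte MAC keys, two 32-byte encryption keys, two 16-byte IVs); the single-context style is also the one with exactly one long-lived object to clean up, which is the lifecycle point raised in #2938.

```python
import hashlib
import hmac

# Added example, not OpenSSL code: TLS 1.2 P_hash (RFC 5246, section 5)
# written twice to make the hash-object accounting of #2937/#2938 visible.


def p_hash_reinit(secret: bytes, seed: bytes, length: int, digest=hashlib.sha256):
    """P_hash that keys a fresh HMAC object for every MAC call.

    Returns (output, keyed_inits). Each P_hash iteration needs two MACs,
    A(i+1) = HMAC(secret, A(i)) and HMAC(secret, A(i) + seed), so this
    style pays two keyed initialisations per output block.
    """
    inits = 0

    def mac(data: bytes) -> bytes:
        nonlocal inits
        inits += 1
        return hmac.new(secret, data, digest).digest()

    out = b""
    a = mac(seed)                      # A(1) = HMAC(secret, seed)
    while True:
        out += mac(a + seed)           # HMAC(secret, A(i) + seed)
        if len(out) >= length:
            break
        a = mac(a)                     # A(i+1) = HMAC(secret, A(i))
    return out[:length], inits


def p_hash_copy(secret: bytes, seed: bytes, length: int, digest=hashlib.sha256):
    """Same P_hash, but the secret is keyed into ONE HMAC object that is
    copied for every MAC call (init once, copy per use, one object to free).

    Returns (output, keyed_inits, copies).
    """
    keyed = hmac.new(secret, digestmod=digest)   # the single keyed context
    inits, copies = 1, 0

    def mac(data: bytes) -> bytes:
        nonlocal copies
        copies += 1
        h = keyed.copy()               # cheap state copy, no re-keying
        h.update(data)
        return h.digest()

    out = b""
    a = mac(seed)
    while True:
        out += mac(a + seed)
        if len(out) >= length:
            break
        a = mac(a)
    return out[:length], inits, copies


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int, style: str = "copy") -> bytes:
    """TLS 1.2 PRF: P_<hash>(secret, label + seed), in either style."""
    if style == "copy":
        return p_hash_copy(secret, label + seed, length)[0]
    return p_hash_reinit(secret, label + seed, length)[0]


def key_block_length(mac_key_len: int, enc_key_len: int, iv_len: int) -> int:
    """Bytes of key_block a suite needs: client+server MAC key, key and IV."""
    return 2 * (mac_key_len + enc_key_len + iv_len)


def compare_styles(secret: bytes, seed: bytes, length: int) -> dict:
    """Run both styles on the same input; report equality and object counts."""
    out_a, inits_a = p_hash_reinit(secret, seed, length)
    out_b, inits_b, copies_b = p_hash_copy(secret, seed, length)
    return {
        "equal": out_a == out_b,
        "reinit_inits": inits_a,
        "copy_inits": inits_b,
        "copy_copies": copies_b,
    }


if __name__ == "__main__":
    master = bytes(range(48))                         # constructed master secret
    seed = b"key expansion" + b"S" * 32 + b"C" * 32   # label + server_random + client_random
    # AES-256-CBC with a 32-byte SHA-256 MAC key: 2 * (32 + 32 + 16) = 160 bytes
    print(compare_styles(master, seed, key_block_length(32, 32, 16)))
```

Both styles produce identical key material; the difference is only in how many times the secret is keyed into a digest context (10 versus 1 for the 160-byte block above). In OpenSSL terms the copy style corresponds to one HMAC_Init followed by per-use context copies, which is the cheaper pattern from #2937 and, because only one context ever owns engine resources, the easier one to clean up correctly in #2938.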
[openssl.org #2939] Re: [FIX] 1.0.0d: All platforms: GOST server MUST check correctness of shared UKM
Just noticed the wrong goto label in case of EVP_PKEY_CTX_ctrl() failure. Please find attached the corrected patch (gost_server_to_check_ukm_v2.patch).

On 17 April 2011 17:54, Andrey Kulikov amde...@gmail.com wrote:
> According to this document:
> http://tools.ietf.org/html/draft-chudov-cryptopro-cptls-04#section-3.6
> a server implementing GOST algorithms MUST check the correctness of the shared UKM sent by the client.
> ==
> Server MUST verify, that keyBlob.transportParameters.ukm is equal to GOSTR3411(client_random|server_random)[0..7], before decrypting the premaster_secret.
> ==
> There are no such checks in 1.0.0d at all. The attached patch implements the missing functionality.
> To apply the patch use the following command in the root of the current OpenSSL development tree:
> patch -p1 -l -u -b -i gost_server_to_check_ukm.patch
> Andrey.
> P.S. Checked to work fine with two CSPs from different vendors, as well as openssl itself.

Attachment: gost_server_to_check_ukm_v2.patch
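The server-side check the draft requires, as an added example that is not the attached patch and not OpenSSL's GOST engine code: derive the expected UKM from the two handshake randoms, compare it in constant time with what the client sent, and refuse to touch the wrapped premaster secret until that comparison passes. Python's hashlib has no GOST R 34.11-94, so the digest is a parameter and SHA-256 stands in for GOSTR3411 below (an assumption made only to keep the example runnable); the function names, the sample randoms and the stand-in unwrap callback are constructed for this example.

```python
import hashlib
import hmac

# Added example: the UKM check from draft-chudov-cryptopro-cptls section 3.6.
# ASSUMPTION: hashlib.sha256 is a stand-in for GOSTR3411, which is not in
# Python's standard library; a real server passes the GOST digest instead.

UKM_LEN = 8   # ukm must equal GOSTR3411(client_random | server_random)[0..7]


class BadUKM(Exception):
    """Raised when keyBlob.transportParameters.ukm is not the expected value."""


def expected_ukm(client_random: bytes, server_random: bytes, digest=hashlib.sha256) -> bytes:
    """Both sides derive the UKM from the handshake randoms: first 8 bytes of H(cr | sr)."""
    return digest(client_random + server_random).digest()[:UKM_LEN]


def ukm_is_valid(received_ukm: bytes, client_random: bytes, server_random: bytes,
                 digest=hashlib.sha256) -> bool:
    """Length check plus constant-time comparison against the expected UKM."""
    if len(received_ukm) != UKM_LEN:
        return False
    return hmac.compare_digest(received_ukm, expected_ukm(client_random, server_random, digest))


def server_process_key_exchange(received_ukm: bytes, wrapped_premaster: bytes,
                                client_random: bytes, server_random: bytes,
                                unwrap, digest=hashlib.sha256) -> bytes:
    """Server side of ClientKeyExchange: verify the UKM BEFORE decrypting.

    `unwrap(ukm, blob)` is the caller's key-unwrap routine (stand-in here);
    it is never invoked when the UKM does not match.
    """
    if not ukm_is_valid(received_ukm, client_random, server_random, digest):
        raise BadUKM("transportParameters.ukm does not match GOSTR3411(client_random|server_random)")
    return unwrap(received_ukm, wrapped_premaster)


if __name__ == "__main__":
    client_random = bytes(range(32))          # constructed handshake randoms
    server_random = bytes(range(32, 64))
    ukm = expected_ukm(client_random, server_random)
    print("expected ukm:", ukm.hex())
    # stand-in unwrap: a real server would decrypt the premaster here
    premaster = server_process_key_exchange(ukm, b"wrapped-premaster", client_random,
                                            server_random, lambda u, blob: blob)
    print("premaster released:", premaster)
    try:
        server_process_key_exchange(bytes(UKM_LEN), b"wrapped-premaster", client_random,
                                    server_random, lambda u, blob: blob)
    except BadUKM as err:
        print("rejected:", err)
```

The ordering in server_process_key_exchange is the whole point of the patch: a UKM that does not bind to this handshake's randoms is rejected before any private-key operation on the client's blob, and the comparison uses hmac.compare_digest so the rejection time does not depend on which byte differed.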
[openssl.org #2940] [Patch] Extend/correct documentation for SSL_CIPHER_get_description(), SSL_CIPHER_get_version(), SSL_get_version()
Hi, the values are taken from ssl_ciph.c and ssl_lib.c respectively. The text for SSL_CIPHER_get_version() is an almost verbatim copy from doc/ssl/ssl.pod - Dealing with ciphers. Regards, Stefan Index: SSL_CIPHER_get_name.pod === RCS file: /home/stefan/Documents/Sources/openssl/openssl/doc/ssl/SSL_CIPHER_get_name.pod,v retrieving revision 1.7 diff -u -r1.7 SSL_CIPHER_get_name.pod --- SSL_CIPHER_get_name.pod 12 Sep 2009 23:17:38 - 1.7 +++ SSL_CIPHER_get_name.pod 8 Dec 2012 03:39:24 - @@ -23,8 +23,10 @@ Balg_bits is not NULL, it contains the number of bits processed by the chosen algorithm. If Bcipher is NULL, 0 is returned. -SSL_CIPHER_get_version() returns the protocol version for Bcipher, currently -SSLv2, SSLv3, or TLSv1. If Bcipher is NULL, (NONE) is returned. +SSL_CIPHER_get_version() returns a string which indicates the +SSL/TLS protocol version to which Bcipher belongs (i.e. where it was defined +in the specification the first time). Possible values are BTLSv1/SSLv3 and +BSSLv2 SSL_CIPHER_description() returns a textual description of the cipher used into the buffer Bbuf of length Blen provided. Blen must be at least @@ -40,6 +42,9 @@ does use the full 128 bits (which would be returned for Balg_bits), of which however 88bits are fixed. The search space is hence only 40 bits. +SSL_CIPHER_get_version() should possibly return TLSv1.2, but it does +not. Use SSL_CIPHER_description() instead. + The string returned by SSL_CIPHER_description() in case of success consists of cleartext information separated by one or more blanks in the following sequence: @@ -52,7 +57,8 @@ =item protocol version -Protocol version: BSSLv2, BSSLv3. The TLSv1 ciphers are flagged with SSLv3. +Protocol version: BSSLv2, BSSLv3, BTLSv1.2. The TLSv1.0 ciphers are +flagged with SSLv3. No new ciphers were added by TLSv1.1. =item Kx=key exchange 
@@ -90,6 +96,11 @@ EDH-DSS-DES-CBC3-SHASSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1 RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export + CDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256 + +A complete list can be retrieved using: + + openssl ciphers -v 'ALL:eNULL' =head1 BUGS Index: SSL_get_version.pod === RCS file: /home/stefan/Documents/Sources/openssl/openssl/doc/ssl/SSL_get_version.pod,v retrieving revision 1.2 diff -u -r1.2 SSL_get_version.pod --- SSL_get_version.pod 30 Mar 2005 11:50:14 - 1.2 +++ SSL_get_version.pod 8 Dec 2012 03:44:16 - @@ -12,7 +12,7 @@ =head1 DESCRIPTION -SSL_get_cipher_version() returns the name of the protocol used for the +SSL_get_version() returns the name of the protocol used for the connection Bssl. =head1 RETURN VALUES @@ -31,7 +31,15 @@ =item TLSv1 -The connection uses the TLSv1 protocol. +The connection uses the TLSv1.0 protocol. + +=item TLSv1.1 + +The connection uses the TLSv1.1 protocol. + +=item TLSv1.2 + +The connection uses the TLSv1.2 protocol. =item unknown signature.asc Description: PGP signature
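Review bot: in the first SSL_CIPHER_get_name.pod hunk the new SSL_CIPHER_get_version() paragraph ends without a full stop after the second `B<...>` value (it runs `BTLSv1/SSLv3 and BSSLv2` straight into the SSL_CIPHER_description() paragraph), and it lists TLSv1/SSLv3 and SSLv2 as the only possible values while the example table added below prints TLSv1.2 for the SHA256 suites; add a cross-reference to the BUGS entry here so the two statements do not read as contradictory.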
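Review bot: the BUGS hunk hedges ("should possibly return TLSv1.2, but it does not"); a BUGS entry should state plainly what the function returns for TLSv1.2-only suites (the preceding paragraph says TLSv1/SSLv3) and that SSL_CIPHER_description() is the way to see the real minimum protocol version.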
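Review bot: the example line added in the @@ -90 hunk pairs a `...-RSA-AES128-SHA256` suite name with `Kx=ECDH/ECDSA`; the name says the ECDH certificate is RSA-signed and the Kx column says ECDSA, so one of the two is wrong. Paste the line verbatim from the `openssl ciphers -v 'ALL:eNULL'` output the hunk itself recommends, and check its first character, since as shown the line starts `CDH-RSA-` rather than with the full suite name.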