Re: [Openvpn-devel] OpenVPN affected? - Incorrect checks for malformed signatures in OpenSSL
Hi, OpenVPN can use DSA certificates if you choose one of the following --tls-cipher: DHE-DSS-AES256-SHA EDH-DSS-DES-CBC3-SHA DHE-DSS-AES128-SHA EDH-DSS-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA If someone use one of the above sipher suite, then he should change OpenSSL version to 0.9.8j. By the way, do you plan to add my patch with ECDH support to OpenVPN? Regards, Andrzej Chmielowiec I don't believe this issue significantly affects OpenVPN. OpenVPN does not use the EVP_VerifyFinal function. The issue is that some internal OpenSSL functions do not properly check the return value of this function. The issue is primarily of concern if you are using DSA or ECDSA certificates, however these are not generally used with OpenVPN (OpenVPN uses RSA certificates and does not currently support DSA or ECDSA certificates). James Michael A. Gütlbauer wrote: Hallo! I'm sure, you know the "OpenSSL Security Advisory [07-Jan-2009]" (http://www.openssl.org/news/secadv_20090107.txt) Because there's absolutely no information on your website, whether OpenVPN is affected and/or a bug-fix will be available, I'd like to ask you to do so. Many thanks! Michael -- This SF.net email is sponsored by: SourcForge Community SourceForge wants to tell your story. http://p.sf.net/sfu/sf-spreadtheword ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] OpenVPN and ECC support
James Yonan pisze: Andrzej Chmielowiec wrote: Hi All, I send two patches to OpenVPN which gives Elliptic Curve support. Thanks for the patch. It would be great if you could resubmit the patch against the OpenVPN 2.1 head in the subversion repository, since that is where we will need to merge it. http://svn.openvpn.net/ Also, make sure that "./configure --enable-strict && make" compiles your code without warnings. Thanks, James Here is a patch for OpenVPN 2.1 which has been taken form http://svn.openvpn.net/ (11.06.2008). After patching OpenVPN project there are no new warnings. This OpenVPN version is tested by my company over one year in different configurations. I hope it will be also usefull for others. We are also under development of GPL GUI (Windows, MacOS and Linux) based on Qt. It will be used to * generate keys and certificete requests, * generate certificetes, manage them and CRLs distribution, * setup OpenVPN client connections based on certificates. I hope it will be ready soon. Regards, Andrzej diff -Naur openvpn/crypto.c openvpn-ecc/crypto.c --- openvpn/crypto.c 2008-06-11 18:48:23.0 +0200 +++ openvpn-ecc/crypto.c 2008-06-11 20:05:08.0 +0200 @@ -1571,12 +1571,29 @@ } static ENGINE * -setup_engine (const char *engine) +setup_engine (char *engine) { + char *engine_ctrl[128]; + char *engine_ptr = engine; ENGINE *e = NULL; + int n = 0; + int i; + ENGINE_load_builtin_engines (); + /* Read engine ctrol commands and its values. */ + while ((n < 128) && ((engine_ptr = strchr(engine_ptr, ':')) != 0)) +{ + engine_ptr[0] = '\0'; + engine_ctrl[n++] = ++engine_ptr; +} + + if (n & 1) +{ + msg (M_FATAL, "Wrong number of paramethers for engine '%s'", engine); +} + if (engine) { if (strcmp (engine, "auto") == 0) @@ -1591,6 +1608,22 @@ msg (M_FATAL, "OpenSSL error: cannot load engine '%s'", engine); } + /* Apply engine control commands. */ + for (i = 0; i < n; i += 2) +{ + if (!ENGINE_ctrl_cmd_string(e, engine_ctrl[i], engine_ctrl[i + 1], 0)) +{ + msg (M_FATAL, "OpenSSL error: ENGINE_ctrl_cmd_string failed on engine '%s', " +"command '%s' and value '%s'", engine, engine_ctrl[i], engine_ctrl[i + 1]); +} +} + + /* Clear engine commands and its values. */ + for (i = 0; i < n; i++) +{ + memset(engine_ctrl[i], 0, strlen(engine_ctrl[i])); +} + if (!ENGINE_set_default (e, ENGINE_METHOD_ALL)) { msg (M_FATAL, "OpenSSL error: ENGINE_set_default failed on engine '%s'", @@ -1605,7 +1638,7 @@ #endif void -init_crypto_lib_engine (const char *engine_name) +init_crypto_lib_engine (char *engine_name) { if (!engine_initialized) { @@ -1626,10 +1659,14 @@ */ void init_crypto_lib () { + /* Read OpenSSL default configuration file (loading CONF modules). */ + OPENSSL_config (NULL); } void uninit_crypto_lib () { + /* Unload OpenSSL CONF modules. */ + CONF_modules_unload (1); #if CRYPTO_ENGINE if (engine_initialized) { diff -Naur openvpn/crypto.h openvpn-ecc/crypto.h --- openvpn/crypto.h 2008-06-11 18:48:23.0 +0200 +++ openvpn-ecc/crypto.h 2008-06-11 20:36:47.0 +0200 @@ -37,6 +37,7 @@ #define CRYPTO_ENGINE 0 #endif +#include #include #include #include @@ -345,7 +346,7 @@ void show_available_engines (void); -void init_crypto_lib_engine (const char *engine_name); +void init_crypto_lib_engine (char *engine_name); void init_crypto_lib (void); diff -Naur openvpn/options.c openvpn-ecc/options.c --- openvpn/options.c 2008-06-11 18:48:23.0 +0200 +++ openvpn-ecc/options.c 2008-06-11 19:38:14.0 +0200 @@ -423,7 +423,10 @@ "--keysize n : Size of cipher key in bits (optional).\n" " If unspecified, defaults to cipher-specific default.\n" #endif - "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n" + "--engine [name[:cmd:val]..[:cmd:val]] : Enable OpenSSL hardware crypto \n" + " engine functionality. You can also pass control commands\n" + " and its values to the engine (use ':' char to separate\n" + " them).\n" "--no-replay : Disable replay protection.\n" "--mute-replay-warnings : Silence the output of replay warnings to log file.\n" "--replay-window n [t] : Use a replay protection sliding window of size n\n" @@ -454,9 +457,16 @@ "--dh file : File containing Diffie Hellman parameters\n" " in .pem format (for --tls-server only).\n" "
[Openvpn-devel] OpenVPN and ECC support
Hi All, I send two patches to OpenVPN which gives Elliptic Curve support. New cipher suites (NSA Suit B) are not visible if OpenVPN works with standard version of OpenSSL. If you want to use them, there is a need to edit openssl/ssl/ssl_ciph.c. Simply remove options ~SSL_kECDH and ~SSL_kECDHE from cipher_aliases table. And compile OpenVPN with new OpenSSL version. This patch add two new options (--ecdh and --engkey) and extends one option (--engine). Works same as --dh, but with ECDH parameters: + "--ecdh file : File containing Elliptic Curve Diffie Hellman parameters\n" + " Object Identifier in .pem format (for --tls-server only).\n" + " Use \"openssl ecparam -out ecdh_oid.pem -name curve\" to\n" + " generate and \"openssl ecparam -list_curves\" to get\n" + " avaliable and supported domains.\n" Use it when key is stored in OpenSSL ENGINE (for example hardware device) + "--engkey: This option must be specified if key file is avaliable only\n" + " by OpenSSL engine indicated by --engine option.\n" Extends engine option to send some options to the engine during its setup. I think it should be better repleace by two options - --engine with previous statement and --engctrl [cmd:val]. Unfortunately I don't have too much time to work on this option. + "--engine [name[:cmd:val]..[:cmd:val]] : Enable OpenSSL hardware crypto \n" + " engine functionality. You can also pass control commands\n" + " and its values to the engine (use ':' char to separate\n" + " them).\n" Best Regards, Andrzej Chmielowiec, CMM Sigma (http://www.cmmsigma.eu) diff -Naur openvpn-2.0.9/crypto.c openvpn-2.0.9-ecc/crypto.c --- openvpn-2.0.9/crypto.c 2005-11-01 12:06:11.0 +0100 +++ openvpn-2.0.9-ecc/crypto.c 2008-06-09 12:17:54.0 +0200 @@ -1542,12 +1542,28 @@ } static ENGINE * -setup_engine (const char *engine) +setup_engine (char *engine) { + char *engine_ctrl[128]; + char *engine_ptr = engine; ENGINE *e = NULL; + + int n = 0; + int i; ENGINE_load_builtin_engines (); + while ((n < 128) && ((engine_ptr = strchr(engine_ptr, ':')) != 0)) +{ + engine_ptr[0] = '\0'; + engine_ctrl[n++] = ++engine_ptr; +} + + if (n & 1) +{ + msg (M_FATAL, "Wrong number of paramethers for engine '%s'", engine); +} + if (engine) { if (strcmp (engine, "auto") == 0) @@ -1562,6 +1578,22 @@ msg (M_FATAL, "OpenSSL error: cannot load engine '%s'", engine); } + /* Load engine control commands. */ + for (i = 0; i < n; i += 2) +{ + if (!ENGINE_ctrl_cmd_string(e, engine_ctrl[i], engine_ctrl[i + 1], 0)) + { + msg (M_FATAL, "OpenSSL error: ENGINE_ctrl_cmd_string failed on engine '%s', " + "command '%s' and value '%s'", engine, engine_ctrl[i], engine_ctrl[i + 1]); + } + } + + /* Clear engine commands and its values. */ + for (i = 0; i < n; i++) +{ + memset(engine_ctrl[i], 0, strlen(engine_ctrl[i])); + } + if (!ENGINE_set_default (e, ENGINE_METHOD_ALL)) { msg (M_FATAL, "OpenSSL error: ENGINE_set_default failed on engine '%s'", @@ -1576,7 +1608,7 @@ #endif void -init_crypto_lib_engine (const char *engine_name) +init_crypto_lib_engine (char *engine_name) { if (!engine_initialized) { @@ -1597,10 +1629,12 @@ */ void init_crypto_lib () { + OPENSSL_config (NULL); } void uninit_crypto_lib () { + CONF_modules_unload (1); #if CRYPTO_ENGINE if (engine_initialized) { diff -Naur openvpn-2.0.9/crypto.h openvpn-2.0.9-ecc/crypto.h --- openvpn-2.0.9/crypto.h 2005-11-01 12:06:11.0 +0100 +++ openvpn-2.0.9-ecc/crypto.h 2008-02-23 01:06:40.0 +0100 @@ -32,9 +32,10 @@ #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_LOAD_BUILTIN_ENGINES) && defined(HAVE_ENGINE_REGISTER_ALL_COMPLETE) && defined(HAVE_ENGINE_CLEANUP) #define CRYPTO_ENGINE 1 #else -#define CRYPTO_ENGINE 0 +#define CRYPTO_ENGINE 1 #endif +#include #include #include #include @@ -338,7 +339,7 @@ void show_available_engines (void); -void init_crypto_lib_engine (const char *engine_name); +void init_crypto_lib_engine (char *engine_name); void init_crypto_lib (void); diff -Naur openvpn-2.0.9/options.c openvpn-2.0.9-ecc/options.c --- openvpn-2.0.9/options.c 2005-12-13 00:50:43.0 +0100 +++ openvpn-2.0.9-ecc/options.c 2008-02-23 01:06:40.0 +0100 @@ -373,7 +373,10 @@ "--keysize n : Size of cipher key in bits (optional).\n" " If unspecified, defaults
[Openvpn-devel] OpenVPN and ECC support
Hi, I am finishing my USB hardware token with ECC support. It is integrated with OpenSSL by the engine interface. I have also integrated it with OpenVPN software. My version works with two new options: (1) --ecdh file - file with ECDH domain parameters to support Elliptic Curve Diffie-Hellman algorithm, (2) --engkey - bool option to indicate that private key is on hardware device and can be read only by engine interface. What do you think about adding this options to standard distribution of OpenVPN source code. Today ECC Cipher Suite is official standard described in RFC 4492 and its algorithms are implemented in OpenSSL (turn off by default in version 0.9.8, but will be on in version 0.9.9). Best Regards, Andrzej Chmielowiec, CMM Sigma (www.cmmsigma.eu)