Re: [Openvpn-devel] build against openssl 1.1.0

2017-04-28 Thread Hubert Kario 
On Friday, 17 February 2017 18:18:27 CEST David Sommerseth wrote:
> On 17/02/17 17:35, Emmanuel Deloget wrote:
> > I understand that I'm the new guy in town, but can you allow me to
> > make the formal request to ditch OpenSSL 0.9.8, 1.0.0 and 1.0.1 and
> > require at least version 1.0.2?
> 
> So to the RHEL releases and the OpenSSL versions.  RHEL 5 ships with
> openssl-0.9.8e.  Both RHEL 6 and RHEL 7 ships with openssl-1.0.1e.
> 
> The way Red Hat releases works is that versions are close to never
> rebased, at least not core libraries such as OpenSSL. 

Both core libraries and non-core libraries are rebased in RHEL. Case in point, 
RHEL 6 originally shipped with openssl-1.0.0[1].
But rebases to releases that are ABI incompatible happen only to packages that 
are explicitly excluded[2] from ABI guarantee. OpenSSL is not one of such 
packages. For obvious reasons, I hope.

> But Red Hat
> employs a lot of users to ensure all packages they distribute is secure
> and maintained.  That means that security and important bug fixes will
> be backported from newer OpenSSL releases to the openssl-1.0.1e
> baseline.  And this happens for the whole life cycle of each major release.

Correct[3].

> Sometimes even features are backported as well.

Unfortunately because RHEL-6 is currently in Production Phase 2, soon entering 
Phase 3, providing new feature like openssl-1.0.2 would be an exception[4].

> But I have gotten
> fairly clear signals that TLSv1.3 from openssl-1.1 will not be
> backported, as the code has changed too much since the 1.0.1 baseline.
> But I would be surprised if a future RHEL 8 does not ship with openssl-1.1.x

Well, openssl-1.1.0 is already available for Fedora rawhide :)

(Hope I don't sound too much like a markedroid, but I appreciate the support 
for RHEL you provide so I wanted to let you know exactly where everything is, 
the least I can do)

 1 - http://vault.centos.org/6.0/os/x86_64/Packages/
openssl-1.0.0-4.el6.x86_64.rpm
 2 - https://access.redhat.com/articles/rhel-abi-compatibility
 3 - https://access.redhat.com/security/updates/backporting
 4 - https://access.redhat.com/support/policy/updates/errata
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

signature.asc
Description: This is a digitally signed message part.
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] fuzz testing by google ?

2017-01-04 Thread Hubert Kario 
On Wednesday, 7 December 2016 13:04:30 CET Gert Doering wrote:
> Hi,
> 
> On Wed, Dec 07, 2016 at 04:51:36PM +0500,  ?? wrote:
> > it used to crash on simple tcp connect (after immediate disconnect), it
> > was
> > reproducible to running login/password authentication mode
> > 
> > it might have been caught by fuzz testing.
> 
> I should point out that this was not a "crash" but an "openvpn detects
> invalid input and ASSERT()s out -> well-defined program exit".
> 
> Not exactly *friendly* behaviour (and stupid, in this case), but not
> a *crash*.
> 
> But that's exactly why fuzzing openvpn is hard: we detect bad stuff, and
> in doubt, we ASSERT() - which is well-defined behaviour, not "crashing
> randomly, possibly in a way that can be exploited to get access to
> security critical bits"

It still results in a denial of service. Yes, far less severe than private key 
leak or remote code execution, but a severe vulnerability none the less.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

signature.asc
Description: This is a digitally signed message part.
--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 1/2] ocsp_check - signature verification and cert staus results are separate

2014-09-26 Thread Hubert Kario 
when openssl returns result of parsing and verification of the
OCSP response, the signature verification is separate from the certificate
status, as such it's necessary to check both of them.

Otherwise results like:

Response Verify Failure
140170966779776:error:27069076:OCSP routines:OCSP_basic_verify:signer 
certificate not found:ocsp_vfy.c:85:
ca/cert.pem: good
This Update: Sep 23 12:12:28 2014 GMT

will be accepted as being trustworthy.

Note that "Response verify OK" is printed on stderr, so it can't
be discarded.

Signed-off-by: Hubert Kario 
---
 contrib/OCSP_check/OCSP_check.sh | 9 ++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/contrib/OCSP_check/OCSP_check.sh b/contrib/OCSP_check/OCSP_check.sh
index 553c3dc..ce7ec04 100644
--- a/contrib/OCSP_check/OCSP_check.sh
+++ b/contrib/OCSP_check/OCSP_check.sh
@@ -97,12 +97,15 @@ if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth 
]; then
 "$nonce" \
 -CAfile "$verify" \
 -url "$ocsp_url" \
--serial "${serial}" 2>/dev/null)
+-serial "${serial}" 2>&1)

 if [ $? -eq 0 ]; then
-  # check that it's good
+  # check that the reported status of certificate is ok
   if echo "$status" | grep -Fq "^${serial}: good"; then
-exit 0
+# check if signature on the OCSP response verified correctly
+if echo "$status" | grep -Fq "^Response verify OK"; then
+exit 0
+fi
   fi
 fi
   fi
-- 
1.9.3

[Openvpn-devel] [PATCH 2/2] ocsp_check - double check if ocsp didn't report any errors in execution

2014-09-26 Thread Hubert Kario 
in case the reposnses are too old, ocsp tool can return text like this:

Response verify OK
ca/cert.pem: WARNING: Status times invalid.
139990703290240:error:2707307D:OCSP routines:OCSP_check_validity:status 
expired:ocsp_cl.c:358:
good
This Update: Sep 21 12:12:48 2014 GMT
Next Update: Sep 22 12:12:48 2014 GMT

light change in buffering can cause "verify OK" and "ca/cert.pem: good"
to be placed in a way that matching will be valid
---
 contrib/OCSP_check/OCSP_check.sh | 4 
 1 file changed, 4 insertions(+)

diff --git a/contrib/OCSP_check/OCSP_check.sh b/contrib/OCSP_check/OCSP_check.sh
index ce7ec04..6876c6d 100644
--- a/contrib/OCSP_check/OCSP_check.sh
+++ b/contrib/OCSP_check/OCSP_check.sh
@@ -100,6 +100,10 @@ if [ $check_depth -eq -1 ] || [ $cur_depth -eq 
$check_depth ]; then
 -serial "${serial}" 2>&1)

 if [ $? -eq 0 ]; then
+  # check if ocsp didn't report any errors
+  if echo "$status" | grep -Eq "(error|fail)"; then
+  exit 1
+  fi
   # check that the reported status of certificate is ok
   if echo "$status" | grep -Fq "^${serial}: good"; then
 # check if signature on the OCSP response verified correctly
-- 
1.9.3

[Openvpn-devel] OCSP_check.sh fixup

2014-09-23 Thread Hubert Kario 
There are few serious issues with the OCSP_check.sh script:
 1. It will accept OCSP responses with bad signatures
 2. It may accept OCSP old responses as currently valid

detailed description on bug tracker:
https://community.openvpn.net/openvpn/ticket/450#ticket

Pull request with fixes:
https://github.com/OpenVPN/openvpn/pull/17

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hka...@redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic