[openssl.org #1067] OpenSSL symmetric crypto padding check incompatible with XMLENC

[[EMAIL PROTECTED] via RT]

Please find below a patch, with spec reference, against OpenSSL 0.9.7g. 

It could be argued that XMLENC spec is wrong in insisting on unpredictable
values for the padding because this allows padding to be used as a
covert channel. However, to deploy interoperable implementations it seems
patching OpenSSL is the right thing to do. It has been observed that
other crypto libraries, such as bouncing castle (a pure Java
implementation) do not set all padding bytes to OpenSSL's satisfaction. 

 --Sampo 

 --- evp_enc.c~  2005-01-28 14:03:53.0 +
+++ evp_enc.c   2005-05-12 03:26:44.0 +
@@ -509,6 +509,21 @@
   EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_BAD_DECRYPT);
   return(0);
   }
+#ifdef PADDING_CHECK
+   /* Following loop checks that all padding has known value,
+* presumably to prevent covert channel or some form of
+* chosen text attack. However this check is in violation
+* of [XMLENC] specification section 5.2 subsection
+* Padding, which states that only last octet of the
+* block matters and values of other octets are not
+* predictable. Thus to implement XMLENC decryption with
+* openssl it is necessary to disable this code.
+* -- 11.5.2005, Sampo Kellomaki ([EMAIL PROTECTED])
+*
+* [XMLENC] D. Eastlake, ed., XML Encryption Syntax and
+*   Processing, W3C Recommendation 10. Dec. 2002,
+*   http://www.w3.org/TR/2002/REC-xmlenc-core-20021210 */
+
   for (i=0; in; i++)
   {
   if (ctx-final[--b] != n)
@@ -517,6 +532,7 @@
   return(0);
   }
   }
+#endif
   n=ctx-cipher-block_size-n;
   for (i=0; in; i++)
   out[i]=ctx-final[i]; 


Sampo Kellomaki --- Chief Architect --- DirectoryScript
M: +351-918.731.007  F: +351-213.422.185  W: www.symlabs.com
Customize directories - LDAP SOAP Liberty SIP - Directory Extender

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #1068] X509_NAME_add_entry: inserting with loc == 0 and set == 0 creates wrong set

[via RT]

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #1068] X509_NAME_add_entry: inserting with loc == 0 and set == 0 creates wrong set

[[EMAIL PROTECTED] via RT]

Hi,

I've created the RT entry above before noticing that I cannot further edit 
it, sorry! Here are the relevant details to add:

The function X509_NAME_add_entry has the following bug: When called with 
loc == 0 and set == 0, the local variable inc is set using inc = 
(set == 0) ? 1 : 0; after (!) the parameter set is already overwritten. 


I noticed this behaviour when writing a function to convert a 
Distinguished Name from the RFC2253 ASCII representation to the ASN.1 
encoding. I created a X509_NAME structure and called the function 
X509_NAME_add_entry for each RDN with loc == 0 to change the order of 
RDNs as demanded by RFC2253. When using 3 RDNs, two of them are put in the 
same set because of the bug.

This bug exists at least since version 0.9.5a up to the current CVS 
version I checked.

Regards, Frank

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: version 2 is used for Client Hello when version 3 was requested in client code

[Bodo Moeller]

On Thu, May 12, 2005 at 09:40:38AM +0200, Thomas wrote:
 Am Freitag, 13. Mai 2005 20:32 schrieb Bodo Moeller:
  On Wed, May 11, 2005 at 02:14:23PM +0200, Thomas Biege wrote:

 You see I use SSLv23_method() and later SSL_CTX_set_options(ctx,
 SSL_OP_ALL

 | SSL_OP_NO_SSLv2); to disable SSLv2 support.

 Is it normal that the Client Hello message is SSLv2 and later TLS is
 used?

 Yes.  In the past this used to be necessary because some SSL 3.0
 implementations were confused by seeing TLS 1.0 records in the Client
 Hello.  But now these issues should be history.

 Why wasn't SSLv3(.0) be used? Or will only headers of SSLv3(.1) be
 identified as real SSLv3? I am confused a bit b/c everyone tells you that
 SSLv2 isn't secure and so usage of it should be avoided... and then it was
 used silently. Maybe its insecurity doesn't matter in this early stage.

With SSL_OP_NO_SSLv2, SSL 2.0 was never used, so its security problems
did not apply.  The SSL 2.0 compatible client hello message that was
generated by SSLv23_client_method() is just a different way of
arranging essentially the same information that occurs in an SSL 3.0
or TLS 1.0 client hello message.  (You just can't list compression
techniques in the SSL 2.0 format, and you can't include TLS
extensions.  TLS extensions are not yet supported by OpenSSL, though.)

When the SSL 2.0 compatible client hello is *not* used, the data sent
by the client contains two version numbers: One is the version number
in the record headers (the SSL 2.0 format does not have anything like
this); the second is the version number given in the actual client
hello message (the maximum protocol version supported by the client).
In the past when many servers supported only SSL 2.0 and 3.0 but not
TLS 1.0, setting the version number in the record header to 3.1 (for
TLS 1.0) could lead to some servers rejecting such packets because,
not recognizing the record header format, they did not even look at
the actual client hello message -- clients had to use the SSL 2.0
format to avoid this server bug.  By now, this is no longer a problem,
and even when clients use a nonsense version number such as 3.42,
servers will simply reply with the maximum protocol version that they
support (i.e., either TLS 1.0 or SSL 3.0).

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: version 2 is used for Client Hello when version 3 was requested in client code

[Thomas]

  Why wasn't SSLv3(.0) be used? Or will only headers of SSLv3(.1) be
  identified as real SSLv3? I am confused a bit b/c everyone tells you
  that SSLv2 isn't secure and so usage of it should be avoided... and then
  it was used silently. Maybe its insecurity doesn't matter in this early
  stage.

 With SSL_OP_NO_SSLv2, SSL 2.0 was never used, so its security problems
 did not apply.  The SSL 2.0 compatible client hello message that was
 generated by SSLv23_client_method() is just a different way of
 arranging essentially the same information that occurs in an SSL 3.0
 or TLS 1.0 client hello message.  (You just can't list compression
 techniques in the SSL 2.0 format, and you can't include TLS
 extensions.  TLS extensions are not yet supported by OpenSSL, though.)

[...]

Thanks for the answer! :)

Thomas

-- 
Tom [EMAIL PROTECTED]
fingerprint = F055 43E5 1F3C 4F4F 9182  CD59 DBC6 111A 8516 8DBF
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #1068] AutoReply: X509_NAME_add_entry: inserting with loc == 0 and set == 0 creates wrong set

[[EMAIL PROTECTED] via RT]

Hi,

an additional bug in the same function, triggered with the same setup:

The loop for incrementing the set value (near the end of the function) 
has to increment at index i and not at index i-1.

Regards, Frank

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #1060] [Bug Report] can't build user/issuer certificate chain with different asn1 types in issuer/subject

[Stephen Henson via RT]

[EMAIL PROTECTED] - Fri May  6 19:20:48 2005]:

 Hello,
 
 I have noticed a problem while using TC Trustcenter certificates with
 OpenSSL.
 The encoding of the 'Subject' in the issuer cert contrains 'T61String'
 elements while the user cert issued by that sub-CA contains only
 'Printablestring' in the 'Issuer' field.
 Based on that difference in types, OpenSSL is unable to
 a) find the issuer cert in the certstore because the hashes are different
 and
 b) locate the certificate in the stack using sk_find after I placed the
 issuer cert in the store twice, with both names/hashes.
 
 Neither 0.9.7e nord 0.9.8 are able to build the cert chain.
 I did some debugging with 0.9.7e, which lead me to the conclusions stated
 above.
 
 I rate this behaviour as a bug because the connection between two certs
 shouldn't be based on the way a string is encoded but on it's value.
 I'm working on a temp workaround for our specific case but it's by no
means
 a fix for the problem.
 


Almost all certificates not only keeps the same string type but also the
same encoding. Doing otherwise would break quite a lot of software.

This also violates various standards.

For example in RFC3280.

The DN comparision algorithm states:

  (a)  attribute values encoded in different types (e.g.,
  PrintableString and BMPString) MAY be assumed to represent
  different strings;

Later on it also states:

   CAs MUST encode the distinguished name in the subject field of a CA
   certificate identically to the distinguished name in the issuer field
   in certificates issued by that CA.  


Nevertheless newer versions of OpenSSL should handle this situation but
not for the directory (CApath) based lookup. If the certificate is added
in a file based manner (CAfile) or directly it should be OK.

Directory based lookup will be supported at some point but it would
break existing hashes.

Steve.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #1040] ctrls of type NO_INPUT don't work

[Stephen Henson via RT]

[guest - Wed Apr  6 21:34:12 2005]:

 Please see proposed patch for crypto/engine/eng_cnf.c.

Fix applied, thanks for the report.

Steve.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #1069] How to change default port 443 to 8443?

[via RT]

I am using Oracle HTTP Server Powered by Apache/1.3.19 (Unix) 
mod_ssl/2.8.1 OpenSSL/0.9.5a mod_fastcgi/2.2.10 mod_perl/1.25 
mod_oprocmgr/1.0 configured 
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #1069] How to change default port 443 to 8443?

[Jim Schneider]

This is a question that is well-answered in the relevant documentation (go to 
http://httpd.apache.org/docs/), and has nothing to do with OpenSSL.  Please 
read it before asking off-topic questions on a developer mailing list.

On Thursday 12 May 2005 14:03, via RT wrote:
 I am using Oracle HTTP Server Powered by Apache/1.3.19 (Unix)
 mod_ssl/2.8.1 OpenSSL/0.9.5a mod_fastcgi/2.2.10 mod_perl/1.25
 mod_oprocmgr/1.0 configured
 __
 OpenSSL Project http://www.openssl.org
 Development Mailing List   openssl-dev@openssl.org
 Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]