Re: [PATCH] Fix IV check and padding removal.
On 11 February 2013 13:19, David Woodhouse dw...@infradead.org wrote: On Mon, 2013-02-11 at 20:59 +, David Woodhouse wrote: From 32cc2479b473c49ce869e57fded7e9a77b695c0d Mon Sep 17 00:00:00 2001 From: Dr. Stephen Henson st...@openssl.org Date: Thu, 7 Feb 2013 21:06:37 + Subject: [PATCH] Fix IV check and padding removal. ... + if (s-version = TLS1_1_VERSION || s-version == DTLS1_VERSION) That's redundant, isn't it? DTLS1_VERSION (0xfeff) is greater than TLS1_1_version (0x302) anyway. DTLS1_BAD_VER isn't though. Changing the DTLS1_VERSION to DTLS1_BAD_VER makes OpenConnect work again... diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index 2e93657..1db1d8c 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -146,7 +146,7 @@ int tls1_cbc_remove_padding(const SSL* s, unsigned padding_length, good, to_check, i; const unsigned overhead = 1 /* padding length byte */ + mac_size; /* Check if version requires explicit IV */ - if (s-version = TLS1_1_VERSION || s-version == DTLS1_VERSION) + if (s-version = TLS1_1_VERSION || s-version == DTLS1_BAD_VER) { /* These lengths are all public so we can test them in * non-constant time. Ah, it looks like you only moved the offending code; it was actually Ben's fault in commit 9f27de17 / 014265eb. Gah! I wish tests would pick up stuff like this! (I'm so happy you finally moved to git :) -- dwmw2 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
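Review bot: the clause replaced in the `@@ -146,7 +146,7 @@` hunk of ssl/s3_cbc.c (`s-version == DTLS1_VERSION`) was dead code, as the reply says: DTLS1_VERSION (0xfeff) already satisfies the `>= TLS1_1_VERSION` (0x302) comparison, so the only explicit-IV version this test failed to admit was DTLS1_BAD_VER (0x100), which sits below TLS1_1_VERSION and is what the + line now names. Two things to confirm before it lands: the comparison in this copy reads `s-version = TLS1_1_VERSION`, which looks like `->` and `>=` were lost in transit, so check that the applied line is `s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER`; and since treating DTLS1_BAD_VER records as having no explicit IV is what broke OpenConnect, a regression test that completes a DTLS1_BAD_VER handshake over a CBC ciphersuite would catch the next move of this code, which is exactly the gap the reply complains about.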
[openssl.org #2981] BUG: 1.0.1e 64-bit C implementation ECDHE* ciphersuites incompatible with https://google.com
Hi, Mac OS X 10.8.2, Xcode 4.6, clang leom:openssl-1.0.1e.test leo$ uname -a Darwin leom-3.local 12.2.0 Darwin Kernel Version 12.2.0: Sat Aug 25 00:48:52 PDT 2012; root:xnu-2050.18.24~1/RELEASE_X86_64 x86_64 leom:openssl-1.0.1e.test leo$ xcodebuild -version Xcode 4.6 Build version 4H127 leom:openssl-1.0.1e.test leo$ cc --version Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn) Target: x86_64-apple-darwin12.2.0 Thread model: posix openssl-1.0.1e.test leo$ make clean leom:openssl-1.0.1e.test leo$ ./Configure darwin64-x86_64-cc no-asm openssl-1.0.1e.test leo$ make clean openssl-1.0.1e.test leo$ make leom:openssl-1.0.1e.test leo$ util/opensslwrap.sh s_client -connect www.google.com:443 -CAfile ~/Temp/Equifax\ Secure\ Certificate\ Authority.pem WARNING: can't open config file: /usr/local/ssl/openssl.cnf CONNECTED(0003) depth=2 C = US, O = Equifax, OU = Equifax Secure Certificate Authority verify return:1 depth=1 C = US, O = Google Inc, CN = Google Internet Authority verify return:1 depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com verify return:1 140735223624156:error:1006706B:elliptic curve routines:ec_GFp_simple_oct2point:point is not on curve:ecp_oct.c:421: 140735223624156:error:1408D132:SSL routines:SSL3_GET_KEY_EXCHANGE:bad ecpoint:s3_clnt.c:1679: --- Certificate chain 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com i:/C=US/O=Google Inc/CN=Google Internet Authority 1 s:/C=US/O=Google Inc/CN=Google Internet Authority i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority --- Server certificate -BEGIN CERTIFICATE- MIIDgDCCAumgAwIBAgIKGI35CwB4CzANBgkqhkiG9w0BAQUFADBGMQswCQYD VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu dGVybmV0IEF1dGhvcml0eTAeFw0xMzAxMDMxMjE1NTJaFw0xMzA2MDcxOTQzMjda MGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRcwFQYDVQQDEw53d3cu 
Z29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAp0uFsoDllANv ykrlbKlxgKFn97lG6Ca16b1ZT3vdGlBoxzrfcxXOqGkA1CcJqc3h0W4txqPpO9aq lGODGmQnv/6HkNTmuOSJqHYjFRPgJ2s4CvofsexxCuw0/w2cHKfWRw/scGwqa4mQ 9d5Y6U6uTW/w8cp9csB6eZQo/oUBWMkCAwEAAaOCAVEwggFNMB0GA1UdJQQWMBQG CCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUnkW9Yw+kcEJIu1VoSIQ8dwfb 6JQwHwYDVR0jBBgwFoAUv8Aw6/VDET5nup6R+/xq2uNrEiQwWwYDVR0fBFQwUjBQ oE6gTIZKaHR0cDovL3d3dy5nc3RhdGljLmNvbS9Hb29nbGVJbnRlcm5ldEF1dGhv cml0eS9Hb29nbGVJbnRlcm5ldEF1dGhvcml0eS5jcmwwZgYIKwYBBQUHAQEEWjBY MFYGCCsGAQUFBzAChkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dvb2dsZUludGVy bmV0QXV0aG9yaXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNydDAMBgNVHRMB Af8EAjAAMBkGA1UdEQQSMBCCDnd3dy5nb29nbGUuY29tMA0GCSqGSIb3DQEBBQUA A4GBAFjwEoRMraJ+bM81lTrnT/qXXV1A2JwE+slBdVUysd4xAeg+yKnpxvfZ2H/i AxELBVfQLO5R4f+Vr6axNFv4c8ne+FT4ZyNCEyD0sspESwhZXuXupc4ZMzm9xFa0 lxea+NUbP1EEgjiXkbtV6hcFVjFVgx7LsnSbuzp/SS418OFl -END CERTIFICATE- subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com issuer=/C=US/O=Google Inc/CN=Google Internet Authority --- No client certificate CA names sent --- SSL handshake has read 1891 bytes and written 7 bytes --- New, (NONE), Cipher is (NONE) Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher: Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1360646350 Timeout : 300 (sec) Verify return code: 0 (ok) --- -- Sorry for my bests English. Serguei E. Leontiev w:+7(495)939-2382 USSR,Moscow,Universitetskij 13 Sternberg Astronom. w:+7(495)780-4820 USSR,Moscow,127018,Sushchevskij val 16-5 Institute, MSU h:+7(495)318-1146 USSR,Moscow,113303,Kakhovka 6-40 m:+7(916)686-1081 SMS: http://www.mts.ru/sms http://lnfm1.sai.msu.ru/~leo __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #2982] Security Advisory as of 2013-02-05
http://www.openssl.org/news/secadv_20130205.txt says in the latest section:

    Affected users should upgrade to OpenSSL 1.0.1d, 1.0.0k or 0.9.8y

It should say

    Affected users should upgrade to OpenSSL 1.0.1e, 1.0.0k or 0.9.8y

Otherwise the Advisory does not make sense.

Regards, Ernst.
--
Ernst G Giessmann
Security and SmartCard Solutions
T-Systems International GmbH
Ringbahnstraße 130, D-12103 Berlin
Tel:+49-30-835-384-836
Note: This is an internal communication and not a business e-mail within the meaning of the GmbHG.
[openssl.org #2983] type errors in different configurations of openssl??
Hi,

I'm analyzing different versions of OpenSSL for type errors. To do so, I analyze different configuration options of OpenSSL provided by the configure scripts and #ifdefs in the source code. I may have found some configurations in which type errors occur, but I'm not sure whether these configurations are valid. Below are two type errors that I found that occur in different configuration options. I'm not sure whether these configuration options are set by default or can be set by a user.

1. The configuration option RENEG must be set to undef (#undef RENEG); variable total_bytes is not declared otherwise in file ./apps/s_server.c on Line 2866.

2. The configuration option LINT must be set to undef (#undef LINT); variable n is not declared otherwise in file ./apps/genpkey.c on Line 437.

system: Ubuntu 12.04 (64Bit)
OpenSSL version 1.0.1c (but the errors occur in the current version 1.0.1e also)

Joerg
--
Jörg Liebig
University of Passau
http://www.infosun.fim.uni-passau.de/cl/staff/liebig/
Re: [openssl.org #2981] BUG: 1.0.1e 64-bit C implementation ECDHE* ciphersuites incompatible with https://google.com
P.S. 64-bit test elliptic curves fail for openssl-SNAP-20130212.test-x86_64 with no-asm flag.

$ ./Configure darwin64-x86_64-cc no-asm
$ make depend
$ make
$ make test
...
test elliptic curves
../util/shlib_wrap.sh ./ectest
Curve defined by Weierstrass equation
     y^2 = x^3 + a*x + b (mod 0x17)
     a = 0x1
     b = 0x1
A cyclic subgroup:
...
long/negative scalar tests ... ok
combined multiplication . ok
testing internal curves: ... EC_GROUP_check() failed with curve secp384r1
Re: [openssl.org #2981] BUG: 1.0.1e 64-bit C implementation ECDHE* ciphersuites incompatible with https://google.com
Hi, Probably this strict aliasing 64-bit optimization bug for crypto/bn/bn_nist.c Mac OSX compiler fail test/ectest: cc [Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn)] gcc-mp-4.3 gcc-mp-4.4 gcc-mp-4.5 gcc-mp-4.6 clang-mp-3.0 clang-mp-3.1 clang-mp-3.2 Mac OSX compiler test/ectest OK: gcc-apple-4.2 gcc-mp-4.7 gcc-mp-4.8 [gcc-mp-4.8 (MacPorts gcc48 4.8-20130203_0+universal) 4.8.0 20130203 (experimental)] clang-mp-2.9 clang-mp-3.3 [clang version 3.3 (trunk 173279)] After patch: $ diff -u ../openssl-SNAP-20130212/crypto/bn/bn_nist.c crypto/bn/bn_nist.c --- ../openssl-SNAP-20130212/crypto/bn/bn_nist.c2013-01-11 18:13:43.0 +0400 +++ crypto/bn/bn_nist.c 2013-02-12 13:51:12.0 +0400 @@ -421,7 +421,7 @@ nist_cp_bn_0(buf.bn, a_d + BN_NIST_192_TOP, top - BN_NIST_192_TOP, BN_NIST_192_TOP); -#if defined(NIST_INT64) +#if defined(NIST_INT64) (BN_BITS2!=64 || defined(NO_BUG_CLANG_GCC_64BIT)) { NIST_INT64 acc;/* accumulator */ unsigned int*rp=(unsigned int *)r_d; @@ -701,7 +701,7 @@ nist_cp_bn_0(buf.bn, a_d + BN_NIST_256_TOP, top - BN_NIST_256_TOP, BN_NIST_256_TOP); -#if defined(NIST_INT64) +#if defined(NIST_INT64) (BN_BITS2!=64 || defined(NO_BUG_CLANG_GCC_64BIT)) { NIST_INT64 acc;/* accumulator */ unsigned int*rp=(unsigned int *)r_d; 
@@ -906,7 +906,7 @@ nist_cp_bn_0(buf.bn, a_d + BN_NIST_384_TOP, top - BN_NIST_384_TOP, BN_NIST_384_TOP); -#if defined(NIST_INT64) +#if defined(NIST_INT64) (BN_BITS2!=64 || defined(NO_BUG_CLANG_GCC_64BIT)) { NIST_INT64 acc;/* accumulator */ unsigned int*rp=(unsigned int *)r_d; Mac OSX compiler fail test/ectest: gcc-mp-4.3 gcc-mp-4.4 gcc-mp-4.5 gcc-mp-4.6 Mac OSX compiler test/ectest OK: cc [Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn)] gcc-apple-4.2 gcc-mp-4.7 gcc-mp-4.8 [gcc-mp-4.8 (MacPorts gcc48 4.8-20130203_0+universal) 4.8.0 20130203 (experimental)] clang-mp-2.9 clang-mp-3.0 clang-mp-3.1 clang-mp-3.2 clang-mp-3.3 [clang version 3.3 (trunk 173279)] -- Sorry for my bests English. Serguei E. Leontiev w:+7(495)939-2382 USSR,Moscow,Universitetskij 13 Sternberg Astronom. w:+7(495)780-4820 USSR,Moscow,127018,Sushchevskij val 16-5 Institute, MSU h:+7(495)318-1146 USSR,Moscow,113303,Kakhovka 6-40 m:+7(916)686-1081 SMS: http://www.mts.ru/sms http://lnfm1.sai.msu.ru/~leo 12.02.2013, в 13:21, Serguei E. Leontiev via RT r...@openssl.org написал(а): P.S. 64-bit test elliptic curves fail for openssl-SNAP-20130212.test-x86_64 with no-asm flag. $ ./Configure darwin64-x86_64-cc no-asm $ make depend $ make $ make test ... test elliptic curves ../util/shlib_wrap.sh ./ectest Curve defined by Weierstrass equation y^2 = x^3 + a*x + b (mod 0x17) a = 0x1 b = 0x1 A cyclic subgroup: ... long/negative scalar tests ... ok combined multiplication . ok testing internal curves: ... EC_GROUP_check() failed with curve secp384r1 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
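Review bot: the new guard in the `@@ -421,7 +421,7 @@` hunk of crypto/bn/bn_nist.c, `#if defined(NIST_INT64) (BN_BITS2!=64 || defined(NO_BUG_CLANG_GCC_64BIT))`, has no `&&` between its two conditions as shown here (possibly lost in transit, but it will not preprocess as written), and NO_BUG_CLANG_GCC_64BIT is defined nowhere in the patch, so on every 64-bit build the change simply switches off the NIST_INT64 reduction path for P-192 rather than fixing it. If the root cause is the `unsigned int*rp=(unsigned int *)r_d;` cast in the context lines aliasing BN_ULONG storage as unsigned int, the fix belongs at that access (copy through memcpy or a union, or build the file with -fno-strict-aliasing), with a comment naming the aliasing problem, not behind an opt-in macro whose meaning lives only in the compiler list in this mail.

Review bot: the `@@ -701,7 +701,7 @@` and `@@ -906,7 +906,7 @@` hunks paste the same guard verbatim into the P-256 and P-384 paths. Whatever condition is finally chosen, define it once next to NIST_INT64 and reference that single macro at the three sites so they cannot drift, and record in the commit message that the observable symptom being fixed is the `EC_GROUP_check() failed with curve secp384r1` failure from ectest quoted below, since that is the only evidence attached to this change.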
[openssl.org #2984] OpenSSL 1.0.0k, 1.0.1.d, 1.0.1e fail handshake with DTLS1_BAD_VER
Since commit a693ead6 in HEAD, 820988a0 in 1.0.2, 014265eb in 1.0.1 and f852b6079 in 1.0.0, DTLS_BAD_VER (needed for Cisco AnyConnect compatibility) has been broken. The check 's-version = TLS1_1_VERSION || s-version == DTLS1_VERSION' is redundant anyway since DTLS1_VERSION (0xfeff) is greater than TLS1_1_VERSION (0x302). We *do*, however, need to include DTLS1_BAD_VER (0x100) in the set of versions which have an explicit IV. A patch for 1.0.[12] and HEAD, and a separate patch for 1.0.0, are attached. -- dwmw2 diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index 5b3f371..61413b8 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s, unsigned padding_length, good, to_check, i; const unsigned overhead = 1 /* padding length byte */ + mac_size; /* Check if version requires explicit IV */ - if (s-version == DTLS1_VERSION) + if (s-version == DTLS1_VERSION || s-version == DTLS1_BAD_VER) { /* These lengths are all public so we can test them in * non-constant time. diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index 2e93657..1db1d8c 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -146,7 +146,7 @@ int tls1_cbc_remove_padding(const SSL* s, unsigned padding_length, good, to_check, i; const unsigned overhead = 1 /* padding length byte */ + mac_size; /* Check if version requires explicit IV */ - if (s-version = TLS1_1_VERSION || s-version == DTLS1_VERSION) + if (s-version = TLS1_1_VERSION || s-version == DTLS1_BAD_VER) { /* These lengths are all public so we can test them in * non-constant time. smime.p7s Description: S/MIME cryptographic signature
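Review bot: in the first diff (index 5b3f371..61413b8, the 1.0.0 patch) the `@@ -148,7 +148,7 @@` hunk adds DTLS1_BAD_VER alongside DTLS1_VERSION rather than replacing it, which is consistent with the - line showing no TLS1_1_VERSION clause at this site on that branch. Before applying, confirm that DTLS1_BAD_VER (0x100) records do carry an explicit IV on 1.0.0 so the padding-removal offset agrees with what the record layer writes, and tie the change to a test that performs the Cisco AnyConnect-style DTLS1_BAD_VER handshake named in the report, since none of the four commits listed as introducing the regression was caught by the existing tests.

Review bot: in the second diff (index 2e93657..1db1d8c, for 1.0.[12] and HEAD) the `@@ -146,7 +146,7 @@` hunk replaces the `== DTLS1_VERSION` clause outright; that is correct only because the `= TLS1_1_VERSION` comparison (presumably `>=`, the operator appears lost in this copy) already admits DTLS1_VERSION (0xfeff), as the covering text explains. A one-line comment beside the + line stating that DTLS1_VERSION is covered by the first test would stop a later reader from "restoring" it, and the commit message should name the per-branch commits (a693ead6, 820988a0, 014265eb, f852b6079) this reverts against so each backport can be matched to its branch.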
[openssl.org #2984] OpenSSL 1.0.0k, 1.0.1.d, 1.0.1e fail handshake with DTLS1_BAD_VER
On Tue Feb 12 15:20:48 2013, dw...@infradead.org wrote:
> Since commit a693ead6 in HEAD, 820988a0 in 1.0.2, 014265eb in 1.0.1 and f852b6079 in 1.0.0, DTLS_BAD_VER (needed for Cisco AnyConnect compatibility) has been broken.

Applied now. Thanks for the report.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
[openssl.org #2985] Infinite loop in openssl.cfg configuration file parser
Hi,

I accidentally entered a section header with double open square brackets in openssl.cfg and the ca program hangs on start up with 100% CPU (e.g. type [[ ca ]). The culprit seems to be line 322 of crypto/conf/conf_def.c:

again:
        end=eat_alpha_numeric(conf, ss);
        p=eat_ws(conf, end);
        if (*p != ']')
            {
            if (*p != '\0')
                {
                ss=p;
                goto again;
                }
            CONFerr(CONF_F_DEF_LOAD_BIO, CONF_R_MISSING_CLOSE_SQUARE_BRACKET);
            goto err;
            }

The character is neither alpha numeric nor whitespace, so p = ss forever. Probably you should go for some variety of:

            if (*p != '\0' && ss != p)

This will guarantee that the loop terminates.

Regards,
David L
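To show why the suggested guard terminates where the original loop does not, here is an added stand-alone C model of that section-header scan. It is my code, not OpenSSL's conf_def.c: eat_ws and eat_alpha_numeric are simplified reimplementations of the real helpers, MAX_ITER is an assumed iteration budget that stands in for "hangs forever", and the sample headers are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed budget: a scan that needs more iterations than this is treated as a hang. */
#define MAX_ITER 1000

/* Simplified stand-ins for the conf_def.c helpers of the same name. */
static char *eat_ws(char *p) {
    while (*p == ' ' || *p == '\t') p++;
    return p;
}
static char *eat_alpha_numeric(char *p) {
    while (isalnum((unsigned char)*p) || *p == '_') p++;
    return p;
}

/* Scan a section header such as "[ ca ]" the way the reported loop does.
 * fixed == 0 runs the original condition, fixed == 1 adds the "ss != p" guard.
 * Returns 1 and copies the section name into out on success, 0 when the
 * closing bracket is missing (the CONFerr path), and -1 when the loop did not
 * terminate within MAX_ITER iterations. */
int scan_section_header(const char *line, int fixed, char *out, size_t outlen) {
    char buf[256];
    if (strlen(line) >= sizeof buf || line[0] != '[') return 0;
    strcpy(buf, line);

    char *start = eat_ws(buf + 1);   /* skip the '[' and leading blanks */
    char *ss = start, *end, *p;
    int iter = 0;
    for (;;) {
        if (++iter > MAX_ITER) return -1;
        end = eat_alpha_numeric(ss);
        p = eat_ws(end);
        if (*p == ']') break;
        /* Original: retry whenever we are not at end of string. With "[[ ca ]"
         * nothing is consumed (the second '[' is neither alnum nor blank), so
         * ss == p and the retry repeats forever. The guard rejects that case. */
        if (*p != '\0' && (!fixed || ss != p)) {
            ss = p;
            continue;
        }
        return 0;   /* CONF_R_MISSING_CLOSE_SQUARE_BRACKET */
    }
    *end = '\0';
    snprintf(out, outlen, "%s", start);
    return 1;
}

/* Convenience wrapper: returns the scan result, or -2 if the scan succeeded
 * but extracted a name other than expected. */
int scan_and_compare(const char *line, int fixed, const char *expected) {
    char name[64];
    int rc = scan_section_header(line, fixed, name, sizeof name);
    if (rc == 1 && strcmp(name, expected) != 0) return -2;
    return rc;
}

int main(void) {
    /* Constructed sample headers, including the reported "[[ ca ]" case. */
    const char *samples[] = { "[ ca ]", "[ req distinguished_name ]", "[[ ca ]", "[ ca" };
    char name[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int before = scan_section_header(samples[i], 0, name, sizeof name);
        int after  = scan_section_header(samples[i], 1, name, sizeof name);
        printf("%-28s original: %-6s guarded: %s\n", samples[i],
               before == -1 ? "hangs" : before == 1 ? "ok" : "error",
               after  == -1 ? "hangs" : after  == 1 ? "ok" : "error");
    }
    return 0;
}
```

The multi-word case ("req distinguished_name") is kept on purpose: the retry exists so that names containing blanks still parse, and the guard preserves that while refusing any retry that made no progress.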
Idea -- counting alerts
What do you think about adding a counter (or two) to the SSL structure, to count every time an alert is sent, and/or every time a crypto operation fails? Wouldn't this help make it easier to detect (and then prevent) multi-message-timing attacks? -- Principal Security Engineer Akamai Technology Cambridge, MA
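As an added illustration of the proposal above (my code, not OpenSSL's; the 60-second window, the threshold of 20 and the peer-keyed table are assumptions made for the example), the following C program keeps per-peer counters of alerts sent, separately tallies the alerts that stem from failed MAC or decryption checks, and reports when one peer's alerts within a window reach the threshold. The alert numbers are the standard TLS alert descriptions; the event stream fed to it is constructed inline.

```c
#include <stdio.h>
#include <string.h>

/* TLS alert descriptions (RFC 5246, section 7.2). */
#define ALERT_BAD_RECORD_MAC    20
#define ALERT_DECRYPTION_FAILED 21
#define ALERT_DECODE_ERROR      50

#define MAX_PEERS      16
#define WINDOW_SECONDS 60   /* assumed window length */
#define THRESHOLD      20   /* assumed: alerts per peer per window before flagging */

struct peer_counter {
    char peer[64];             /* peer address as a string */
    unsigned long window_start;/* 0 means no window started yet */
    unsigned count;            /* all alerts sent in the current window */
    unsigned crypto_failures;  /* subset caused by a failed crypto check */
};

static struct peer_counter peers[MAX_PEERS];
static int npeers;

void reset_counters(void) {
    memset(peers, 0, sizeof peers);
    npeers = 0;
}

static struct peer_counter *lookup(const char *peer) {
    for (int i = 0; i < npeers; i++)
        if (strcmp(peers[i].peer, peer) == 0) return &peers[i];
    if (npeers == MAX_PEERS) return NULL;   /* table full: not tracked */
    struct peer_counter *c = &peers[npeers++];
    snprintf(c->peer, sizeof c->peer, "%s", peer);
    return c;
}

/* Record one alert sent to peer at time now (seconds). Returns 1 when the
 * peer's count in the current window has reached THRESHOLD, else 0. */
int record_alert(const char *peer, int alert_desc, unsigned long now) {
    struct peer_counter *c = lookup(peer);
    if (!c) return 0;
    if (c->window_start == 0 || now - c->window_start >= WINDOW_SECONDS) {
        c->window_start = now;   /* start a fresh window */
        c->count = 0;
        c->crypto_failures = 0;
    }
    c->count++;
    if (alert_desc == ALERT_BAD_RECORD_MAC || alert_desc == ALERT_DECRYPTION_FAILED)
        c->crypto_failures++;
    return c->count >= THRESHOLD;
}

unsigned crypto_failures_for(const char *peer) {
    struct peer_counter *c = lookup(peer);
    return c ? c->crypto_failures : 0;
}

/* Feed n alerts one second apart; returns how many of them were flagged. */
int feed_burst(const char *peer, int alert_desc, unsigned long start, int n) {
    int flagged = 0;
    for (int i = 0; i < n; i++)
        flagged += record_alert(peer, alert_desc, start + (unsigned long)i);
    return flagged;
}

int main(void) {
    reset_counters();
    /* Constructed stream: one peer provoking many bad_record_mac alerts in a
     * short span, another sending a single decode_error. */
    int flagged = feed_burst("198.51.100.7", ALERT_BAD_RECORD_MAC, 1000, 19);
    flagged += record_alert("198.51.100.7", ALERT_BAD_RECORD_MAC, 1019);
    record_alert("203.0.113.5", ALERT_DECODE_ERROR, 1019);
    printf("198.51.100.7: flagged=%d crypto_failures=%u\n",
           flagged, crypto_failures_for("198.51.100.7"));
    printf("203.0.113.5: crypto_failures=%u\n", crypto_failures_for("203.0.113.5"));
    return 0;
}
```

In a real deployment the same counter could be driven from OpenSSL's SSL_CTX_set_info_callback, whose callback is invoked with SSL_CB_ALERT set in its where argument whenever an alert is sent or received; the counters here are per peer rather than per SSL structure because a sequence of failing handshakes from one source spans many connections.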
[openssl.org #2986] aix building of openssl-1.0.1e
Hi I am installing openssl-1.0.1e on a pair of AIX systems and am having two problems. one system is running AIX 5.2 in 32 bit mode, a model 44P model 170 It has 16GB of memory. the second system is a AIX 7.1 model P7 in 64 bit mode with a lot of memory when running the config I have been using ./config shared to create *.a and *.so files on the aix 7.1 system when I run make test I get this error Target rehash is up to date. Target all is up to date. Target all is up to date. ../util/shlib_wrap.sh ./destest Could not load program ./destest: Dependent module libc.a(shr_64.o) could not be loaded. Could not load module libc.a(shr_64.o). System error: No such file or directory make: The error code from the last command is 255. Stop. make: The error code from the last command is 2. Stop. sox:/opt/freeware/src/packages/SOURCES/openssl-1.0.1e sox:/usr/lib ar vt libc.a |grep shr r-xr-xr-x 2/2 5790180 Jan 24 16:11 2012 shr_64.o sox:/usr/lib - Problem two, both systems when I run the make install give me this error bach:/opt/freeware/src/packages/SOURCES/openssl-1.0.1e make install making all in crypto... making all in crypto/objects... Target all is up to date. making all in crypto/md4... Target all is up to date. making all in crypto/md5... Target all is up to date. making all in crypto/sha... Target all is up to date. making all in crypto/mdc2... Target all is up to date. making all in crypto/hmac... Target all is up to date. making all in crypto/ripemd... Target all is up to date. making all in crypto/whrlpool... Target all is up to date. making all in crypto/des... Target all is up to date. making all in crypto/aes... Target all is up to date. making all in crypto/rc2... Target all is up to date. making all in crypto/rc4... Target all is up to date. making all in crypto/idea... Target all is up to date. making all in crypto/bf... Target all is up to date. making all in crypto/cast... Target all is up to date. making all in crypto/camellia... Target all is up to date. 
making all in crypto/seed... Target all is up to date. making all in crypto/modes... Target all is up to date. making all in crypto/bn... Target all is up to date. making all in crypto/ec... Target all is up to date. making all in crypto/rsa... Target all is up to date. making all in crypto/dsa... Target all is up to date. making all in crypto/ecdsa... Target all is up to date. making all in crypto/dh... Target all is up to date. making all in crypto/ecdh... Target all is up to date. making all in crypto/dso... Target all is up to date. making all in crypto/engine... Target all is up to date. making all in crypto/buffer... Target all is up to date. making all in crypto/bio... Target all is up to date. making all in crypto/stack... Target all is up to date. making all in crypto/lhash... Target all is up to date. making all in crypto/rand... Target all is up to date. making all in crypto/err... Target all is up to date. making all in crypto/evp... Target all is up to date. making all in crypto/asn1... Target all is up to date. making all in crypto/pem... Target all is up to date. making all in crypto/x509... Target all is up to date. making all in crypto/x509v3... Target all is up to date. making all in crypto/conf... Target all is up to date. making all in crypto/txt_db... Target all is up to date. making all in crypto/pkcs7... Target all is up to date. making all in crypto/pkcs12... Target all is up to date. making all in crypto/comp... Target all is up to date. making all in crypto/ocsp... Target all is up to date. making all in crypto/ui... Target all is up to date. making all in crypto/krb5... Target all is up to date. making all in crypto/cms... Target all is up to date. making all in crypto/pqueue... Target all is up to date. making all in crypto/ts... Target all is up to date. making all in crypto/srp... Target all is up to date. making all in crypto/cmac... Target all is up to date. 
if [ -n libcrypto.so.1.0.0 libssl.so.1.0.0 ]; then (cd ..; make libcrypto.so.1.0.0); fi [ -z ] || cc -DOPENSSL_THREADS -qthreaded -D_THREAD_SAFE -DDSO_DLFCN -DHAVE_DLFCN_H -q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DAES_ASM -Iinclude -DFINGERPRINT_PREMAIN_DSO_LOAD -o fips_premain_dso fips_premain.c fipscanister.o libcrypto.a ld: 0711-851 SEVERE ERROR: Output file: libcrypto.so.1.0.0 The file is in use and cannot be overwritten. make: The error code from the last command is 12. Stop. make: The error code from the last command is 2. Stop. make: The error code from the last command is 2. Stop. make: The error code from the last command is 2. Stop. make: The error code from the last command is 1. Stop.