[openssl.org #3112] OpenSSL Documentation Bugs

2013-08-20 Thread Dustin Oprea via RT
Page: http://www.openssl.org/docs/crypto/ecdsa.html

(1)

     int        ret;
     ECDSA_SIG *sig;
     EC_KEY    *eckey = EC_KEY_new();
     if (eckey == NULL)
            {
            /* error */
            }
     key->group = EC_GROUP_new_by_nid(NID_secp192k1);
     if (key->group == NULL)
            {
            /* error */
            }
     if (!EC_KEY_generate_key(eckey))
            {
            /* error */
            }


key is undefined. This was probably supposed to be eckey (which does
have a group member).

(2)

ECDSA_verify() verifies that the signature in sig of size siglen is a valid
ECDSA signature of the hash value value dgst of size dgstlen using the
public key eckey. The parameter type is ignored.


value value should be value.


Dustin

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


[openssl.org #3113] OpenSSL’s DH implementation uses an unnecessarily long exponent, leading to significant performance loss

2013-08-20 Thread Gueron, Shay via RT

Hello all,

OpenSSL’s DH implementation uses an unnecessarily long exponent, leading to 
significant performance loss

OpenSSL handles the Diffie Hellman (DH) protocol in a very conservative way. By 
default, the length of the private key equals the bit-length of the prime 
modulus. For example, DH2048 will use a 2048-bit exponent (and two such 
exponentiations are executed for a key exchange).

This is overkill: NIST suggests that a 224-bit exponent is sufficient for 
112-bit security (which is what DH2048 offers).

There is no API to specify the exponent’s length when generating the key. 
However, there is a parameter in the DH struct that defines the size of 
the exponent:

struct dh_st
  {
  /* This first argument is used to pick up errors when
  * a DH is passed instead of a EVP_PKEY */
  int pad;
  int version;
  BIGNUM *p;
  BIGNUM *g;
  long length; /* optional */
  BIGNUM *pub_key;  /* g^x */
  BIGNUM *priv_key; /* x */

  int flags;
  BN_MONT_CTX *method_mont_p;
  /* Place holders if we want to do X9.42 DH */
  BIGNUM *q;
  BIGNUM *j;
  unsigned char *seed;
  int seedlen;
  BIGNUM *counter;

  int references;
  CRYPTO_EX_DATA ex_data;
  const DH_METHOD *meth;
  ENGINE *engine;
  };

So, by *manually* changing the ‘length’ field, a user can control the exponent 
length and reduce it to a more desirable size.

Unfortunately, users of the OpenSSL library, such as Apache (and it seems that 
nginx also), are either unaware of the implementation’s default, or are not 
aware of the performance impact of choosing such a long exponent (this leads to 
~9X performance loss, compared to DH2048 with a 224-bit exponent).

This performance overhead is significant when moving to Perfect Forward 
Security (PFS) protocols (e.g., RSA  DHE).

We should point out that the NSS library defaults to the NIST recommended 
values --- here is a snippet.

/* Lengths are in bytes. */
static unsigned int
dh_GetSecretKeyLen(unsigned int primeLen)
{
    /* Based on Table 2 in NIST SP 800-57. */
    if (primeLen >= 1920) { /* 15360 bits */
        return 64;  /* 512 bits */
    }
    if (primeLen >= 960) { /* 7680 bits */
        return 48;  /* 384 bits */
    }
    if (primeLen >= 384) { /* 3072 bits */
        return 32;  /* 256 bits */
    }
    if (primeLen >= 256) { /* 2048 bits */
        return 28;  /* 224 bits */
    }
    return 20;  /* 160 bits */
}

We would like to propose a way to alleviate what seems to be an unnecessary 
overhead.

For OpenSSL, we recommend to *consider* the following:

Change the implementation to default the private key (exponent) to the NIST 
recommended values. The change is very easy to carry out.
This way, the longer exponent would be the choice that is actively & explicitly 
required by the user. Specify in the documentation what the default exponent 
length is. Then, automatically have servers that use OpenSSL enjoy a much 
faster DH speed on TLS sessions that use DH (for PFS).

For the server applications (e.g., Apache) that use OpenSSL library, we 
recommend to *consider* the following:

Change the implementation so that it invokes the DH functions with the NIST 
recommended key size. Especially, as browsers (e.g., using NSS) use 224 bit on 
their side of the key exchange, anyway.



***
Shay Gueron (1, 2), and Vlad Krasnov (1)
(1) Intel Corporation, Israel Development Center, Haifa, Israel
(2) University of Haifa, Israel
***
Copyright(c) 2013, Intel Corp.

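The cost argument in the message above, as an added Python example (not code from OpenSSL, NSS or the poster): it runs both sides of a DH exchange with a full-length and with a NIST-sized exponent and counts the modular multiplications of plain binary square-and-multiply. The modulus `P`, the generator `G` and all function names are assumptions made for the illustration, and real libraries use windowed exponentiation, so absolute counts differ.

```python
import secrets

# Prime size -> exponent size in bits, as in the NSS snippet quoted above.
NIST_TABLE = [(15360, 512), (7680, 384), (3072, 256), (2048, 224)]

def exponent_bits(prime_bits):
    """Exponent length for a given prime length; 160 bits below 2048."""
    for min_prime, exp_bits in NIST_TABLE:
        if prime_bits >= min_prime:
            return exp_bits
    return 160

def gen_private(bits):
    """Random exponent of exactly `bits` bits (top bit forced to 1)."""
    return secrets.randbits(bits - 1) | (1 << (bits - 1))

def modexp_counted(base, exp, mod):
    """Left-to-right square-and-multiply for exp >= 1.
    Returns (base**exp % mod, number of modular multiplications)."""
    result, ops = base % mod, 0
    for bit in bin(exp)[3:]:              # bits after the leading 1
        result = result * result % mod    # one squaring per bit
        ops += 1
        if bit == "1":
            result = result * base % mod  # extra multiply for a set bit
            ops += 1
    return result, ops

def dh_exchange(p, g, bits):
    """Run both sides; return (secret_a, secret_b, ops spent by side A)."""
    a, b = gen_private(bits), gen_private(bits)
    pub_a, ops_pub = modexp_counted(g, a, p)
    pub_b, _ = modexp_counted(g, b, p)
    sec_a, ops_sec = modexp_counted(pub_b, a, p)
    sec_b, _ = modexp_counted(pub_a, b, p)
    return sec_a, sec_b, ops_pub + ops_sec

# Constructed 2048-bit odd modulus, used only to count operations; it is
# not a vetted DH prime and must not be used for a real key exchange.
P = int("c5" * 256, 16)
G = 2

if __name__ == "__main__":
    _, _, full = dh_exchange(P, G, P.bit_length())
    _, _, short = dh_exchange(P, G, exponent_bits(P.bit_length()))
    print(f"2048-bit exponent: {full} multiplications per side")
    print(f"224-bit exponent:  {short} multiplications per side")
    print(f"ratio: {full / short:.1f}x")
```

The multiplication count grows linearly with the exponent length, which is where the roughly ninefold difference between 2048-bit and 224-bit exponents comes from.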


[openssl.org #3113] OpenSSL’s DH implementation uses an unnecessarily long exponent, leading to significant performance loss

2013-08-20 Thread Stephen Henson via RT
On Tue Aug 20 09:00:56 2013, shay.gue...@intel.com wrote:


> OpenSSL’s DH implementation uses an unnecessarily long exponent,
> leading to significant performance loss
>
> OpenSSL handles the Diffie Hellman (DH) protocol in a very
> conservative way. By default, the length of the private key equals
> the bit-length of the prime modulus. For example, DH2048 will
> use a 2048-bit exponent (and two such exponentiations are executed
> for a key exchange).
>
> This is overkill: NIST suggests that a 224-bit exponent is sufficient
> for 112-bit security (which is what DH2048 offers).
>
> There is no API to specify the exponent’s length when generating the
> key. However, there is a parameter in the DH struct that
> defines the size of the exponent:


The -dsaparam option to dhparam converts DSA parameters to DH and sets the
length parameter.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


[openssl.org #3114] Bug report: Spelling error in apps/ocsp.c

2013-08-20 Thread joac...@secworks.se via RT
Aloha!

I believe there is a typo in the response from the ocsp app.
This nit is present in OpenSSL 1.0.1e.

Example:
openssl ocsp -issuer ca_cert.pem -serial 751447 -url
http://ocsp.startssl.com/sub/class1/server/ca

Error querying OCSP responsder

Note 'responsder'.

Fix for apps/ocsp.c:

1412c1412
   BIO_printf(bio_err, Error querying OCSP responsder\n);
- ---
 BIO_printf(bio_err, Error querying OCSP responder\n);
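
Review bot: The fix is posted as a normal diff (1412c1412) with no context lines, so it only applies while the misspelled string is still on line 1412 of apps/ocsp.c; a unified diff against the 1.0.1e tree would carry context and survive line shifts. The clear-signing has also dash-escaped the separator (it appears as "- ---"), so the patch will not apply as pasted; sending it as an attachment or outside the signed body avoids that.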

- -- 
Med vänlig hälsning, Yours

Joachim Strömbergson - Alltid i harmonisk svängning.

 Joachim Strömbergson  Secworks AB  joac...@secworks.se


[PATCH 0/2] Avoid NULL pointer dereference in several places

2013-08-20 Thread Xufeng Zhang
Hello All,

An automatic tool detects that there are several potential NULL pointer dereferences
in the openssl source code, please help me review the attached two patches.

Thanks,
Xufeng


Xufeng Zhang (2):
  openssl: avoid NULL pointer dereference in EVP_DigestInit_ex()
  openssl: avoid NULL pointer dereference in
dh_pub_encode()/dsa_pub_encode()

 crypto/dh/dh_ameth.c   |6 ++
 crypto/dsa/dsa_ameth.c |5 +
 crypto/evp/digest.c|2 +-
 3 files changed, 12 insertions(+), 1 deletions(-)


[PATCH 1/2] openssl: avoid NULL pointer dereference in EVP_DigestInit_ex()

2013-08-20 Thread Xufeng Zhang
We should avoid accessing the type pointer if it's NULL,
this could happen if ctx->digest is not NULL.
---
 crypto/evp/digest.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index 982ba2b..96122ea 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -195,7 +195,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, 
ENGINE *impl)
return 0;
}
 #endif
-   if (ctx-digest != type)
+   if (type  (ctx-digest != type))
{
if (ctx-digest  ctx-digest-ctx_size)
OPENSSL_free(ctx-md_data);
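
Review bot: The added NULL test on type in the changed if covers only the case the commit message names (type is NULL while ctx->digest is already set), and the hunk does not show whether the code after this block is safe when both type and ctx->digest are NULL. Please check that path and, if it is not safe, return an error explicitly there. The commit message should also state that a NULL type is meant to keep the digest already set in ctx, since that is a behaviour callers will rely on.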
-- 
1.7.0.2


[PATCH 2/2] openssl: avoid NULL pointer dereference in dh_pub_encode()/dsa_pub_encode()

2013-08-20 Thread Xufeng Zhang
We should avoid accessing the pointer if ASN1_STRING_new()
fails to allocate memory.
---
 crypto/dh/dh_ameth.c   |6 ++
 crypto/dsa/dsa_ameth.c |5 +
 2 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c
index 141c09b..784746b 100644
--- a/crypto/dh/dh_ameth.c
+++ b/crypto/dh/dh_ameth.c
@@ -162,6 +162,12 @@ static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY 
*pkey)
dh=pkey-pkey.dh;
 
str = ASN1_STRING_new();
+   if (!str)
+   {
+   DHerr(DH_F_DH_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
+   goto err;
+   }
+
str-length = i2d_dhp(pkey, dh, str-data);
if (str-length = 0)
{
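
Review bot: The new goto err in dh_pub_encode() is taken with str still NULL, and the err label lies outside the visible context, so it is not possible to confirm from this hunk that its cleanup tolerates a NULL str. Please confirm that, or extend the hunk context to show the label. The trailing blank line added after the check is fine but is not repeated in the DSA hunk; pick one style for both.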
diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c
index 6b1d52f..40465b6 100644
--- a/crypto/dsa/dsa_ameth.c
+++ b/crypto/dsa/dsa_ameth.c
@@ -148,6 +148,11 @@ static int dsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY 
*pkey)
{
ASN1_STRING *str;
str = ASN1_STRING_new();
+   if (!str)
+   {
+   DSAerr(DSA_F_DSA_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
+   goto err;
+   }
str-length = i2d_DSAparams(dsa, str-data);
if (str-length = 0)
{
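
Review bot: In dsa_pub_encode() str is declared inside the inner block opened on the context line above the allocation, so the goto err added here jumps out of the scope in which str exists and the err label cannot release it. That is harmless for the NULL case handled by this check, but it is worth confirming that anything acquired before this point is released on the err path, and a blank line after the check would match the DH hunk.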
-- 
1.7.0.2


Re: [PATCH 0/2] Avoid NULL pointer dereference in several places

2013-08-20 Thread Xufeng Zhang

Sorry, looks like this patchset has been resent, please ignore one of them.


Thanks,
Xufeng

On 08/21/2013 10:54 AM, Xufeng Zhang wrote:

> Hello All,
>
> An automatic tool detects that there are several potential NULL pointer dereferences
> in the openssl source code, please help me review the attached two patches.
>
> Thanks,
> Xufeng
>
>
> Xufeng Zhang (2):
>    openssl: avoid NULL pointer dereference in EVP_DigestInit_ex()
>    openssl: avoid NULL pointer dereference in
>  dh_pub_encode()/dsa_pub_encode()
>
>   crypto/dh/dh_ameth.c   |6 ++
>   crypto/dsa/dsa_ameth.c |5 +
>   crypto/evp/digest.c|2 +-
>   3 files changed, 12 insertions(+), 1 deletions(-)
