[openssl.org #3112] OpenSSL Documentation Bugs
Page: http://www.openssl.org/docs/crypto/ecdsa.html

(1)

    int ret;
    ECDSA_SIG *sig;
    EC_KEY *eckey = EC_KEY_new();
    if (eckey == NULL) {
        /* error */
    }
    key->group = EC_GROUP_new_by_nid(NID_secp192k1);
    if (key->group == NULL) {
        /* error */
    }
    if (!EC_KEY_generate_key(eckey)) {
        /* error */
    }

key is undefined. This was probably supposed to be eckey (which does have a group member).

(2)

ECDSA_verify() verifies that the signature in sig of size siglen is a valid ECDSA signature of the hash value value dgst of size dgstlen using the public key eckey. The parameter type is ignored.

"value value" should be "value".

Dustin

__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
[openssl.org #3113] OpenSSL’s DH implementation uses an unnecessarily long exponent, leading to significant performance loss
Hello all,

OpenSSL’s DH implementation uses an unnecessarily long exponent, leading to significant performance loss

OpenSSL handles the Diffie Hellman (DH) protocol in a very conservative way. By default, the length of the private key equals the bit-length of the prime modulus. For example, DH2048 will use a 2048-bit exponent (and two such exponentiations are executed for a key exchange). This is overkill: NIST suggests that a 224-bit exponent is sufficient for 112-bit security (which is what DH2048 offers).

There is no API to specify the exponent’s length when generating the key. However, there is a parameter in the DH struct which defines the size of the exponent:

    struct dh_st {
        /* This first argument is used to pick up errors when
         * a DH is passed instead of a EVP_PKEY */
        int pad;
        int version;
        BIGNUM *p;
        BIGNUM *g;
        long length; /* optional */
        BIGNUM *pub_key; /* g^x */
        BIGNUM *priv_key; /* x */
        int flags;
        BN_MONT_CTX *method_mont_p;
        /* Place holders if we want to do X9.42 DH */
        BIGNUM *q;
        BIGNUM *j;
        unsigned char *seed;
        int seedlen;
        BIGNUM *counter;
        int references;
        CRYPTO_EX_DATA ex_data;
        const DH_METHOD *meth;
        ENGINE *engine;
    };

So, by *manually* changing the ‘length’ field, a user can control the exponent length and reduce it to a more desirable size.

Unfortunately, users of the OpenSSL library, such as Apache (and it seems that nginx also), are either unaware of the implementation’s default, or are not aware of the performance impact of choosing such a long exponent (this leads to ~9X performance loss, compared to DH2048 with a 224-bit exponent). This performance overhead is significant when moving to Perfect Forward Security (PFS) protocols (e.g., RSA DHE).

We should point out that the NSS library defaults to the NIST recommended values --- here is a snippet.

    /* Lengths are in bytes. */
    static unsigned int
    dh_GetSecretKeyLen(unsigned int primeLen)
    {
        /* Based on Table 2 in NIST SP 800-57. */
        if (primeLen >= 1920) { /* 15360 bits */
            return 64; /* 512 bits */
        }
        if (primeLen >= 960) { /* 7680 bits */
            return 48; /* 384 bits */
        }
        if (primeLen >= 384) { /* 3072 bits */
            return 32; /* 256 bits */
        }
        if (primeLen >= 256) { /* 2048 bits */
            return 28; /* 224 bits */
        }
        return 20; /* 160 bits */
    }

We would like to propose a way to alleviate what seems to be an unnecessary overhead.

For OpenSSL, we recommend to *consider* the following: Change the implementation to default the private key (exponent) to the NIST recommended values. The change is very easy to carry out. This way, the longer exponent would be the choice that is actively explicitly required by the user. Specify in the documentation what the default exponent length is. Then, automatically have servers that use OpenSSL enjoy a much faster DH speed on TLS sessions that use DH (for PFS).

For the server applications (e.g., Apache) that use OpenSSL library, we recommend to *consider* the following: Change the implementation so that it invokes the DH functions with the NIST recommended key size. Especially, as browsers (e.g., using NSS) use 224 bit on their side of the key exchange, anyway.

***
Shay Gueron (1, 2), and Vlad Krasnov (1)
(1) Intel Corporation, Israel Development Center, Haifa, Israel
(2) University of Haifa, Israel
***
Copyright(c) 2013, Intel Corp.
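The cost difference described in the message above, as an added example that is not from the original post, OpenSSL or NSS: a plain binary square-and-multiply exponentiation (not OpenSSL's own exponentiation code) with a multiplication counter, run over a 2048-bit and a 224-bit exponent. The toy modulus TOY_P, the constructed 0xAA exponent pattern and the names modexp_count and cost_for_bits are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy modulus 2^61 - 1 (prime): assumed stand-in for the 2048-bit DH prime. */
#define TOY_P 2305843009213693951ULL

static uint64_t mulmod(uint64_t a, uint64_t b, unsigned long *ops)
{
    (*ops)++;                     /* count one modular multiplication */
    return (uint64_t)(((unsigned __int128)a * b) % TOY_P);
}

/* Left-to-right binary square-and-multiply; exp is big-endian, len bytes.
 * Returns g^exp mod TOY_P and adds the multiplications used to *ops. */
uint64_t modexp_count(uint64_t g, const uint8_t *exp, size_t len,
                      unsigned long *ops)
{
    uint64_t r = 1;
    int started = 0;              /* no work for leading zero bits */
    for (size_t i = 0; i < len; i++)
        for (int bit = 7; bit >= 0; bit--) {
            if (started)
                r = mulmod(r, r, ops);      /* square for every bit */
            if ((exp[i] >> bit) & 1) {      /* multiply for each 1 bit */
                r = started ? mulmod(r, g, ops) : g % TOY_P;
                started = 1;
            }
        }
    return r;
}

/* Cost of one exponentiation with a constructed exponent: 0xAA bytes (top
 * bit set, half the bits set). bits: a multiple of 8, at most 2048. */
unsigned long cost_for_bits(size_t bits)
{
    uint8_t e[256];
    unsigned long ops = 0;
    memset(e, 0xAA, bits / 8);
    modexp_count(5, e, bits / 8, &ops);
    return ops;
}

int main(void)
{
    unsigned long full = cost_for_bits(2048), nist = cost_for_bits(224);
    printf("2048-bit: %lu mults, 224-bit: %lu mults, ratio %.2f\n",
           full, nist, (double)full / (double)nist);
    return 0;
}
```

The work grows linearly with the exponent length, so the two counts differ by a factor of about 9.2, in line with the ~9X figure quoted in the message.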
[openssl.org #3113] OpenSSL’s DH implementation uses an unnecessarily long exponent, leading to significant performance loss
On Tue Aug 20 09:00:56 2013, shay.gue...@intel.com wrote:
> OpenSSL’s DH implementation uses an unnecessarily long exponent, leading to significant performance loss
>
> OpenSSL handles the Diffie Hellman (DH) protocol in a very conservative way. By default, the length of the private key equals the bit-length of the prime modulus. For example, DH2048 will use a 2048-bit exponent (and two such exponentiations are executed for a key exchange). This is overkill: NIST suggests that a 224-bit exponent is sufficient for 112-bit security (which is what DH2048 offers).
>
> There is no API to specify the exponent’s length when generating the key. However, there is a parameter in the DH struct which defines the size of the exponent:

The -dsaparam option to dhparam converts DSA parameters to DH and sets the length parameter.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
[openssl.org #3114] Bug report: Spelling error in apps/ocsp.c
Aloha!

I believe there is a typo in the response from the ocsp app. This nit is present in OpenSSL 1.0.1e. Example:

    openssl ocsp -issuer ca_cert.pem -serial 751447 -url http://ocsp.startssl.com/sub/class1/server/ca
    Error querying OCSP responsder

Note 'responsder'.

Fix for apps/ocsp.c:

1412c1412 BIO_printf(bio_err, Error querying OCSP responsder\n); - --- BIO_printf(bio_err, Error querying OCSP responder\n);

--
Kind regards, Yours

Joachim Strömbergson - Always in harmonic oscillation.

Joachim Strömbergson
Secworks AB
joac...@secworks.se
[PATCH 0/2] Avoid NULL pointer dereference in several places
Hello All,

An automatic tool detects that there are several potential NULL pointer dereferences in the openssl source code; please help me review the attached two patches.

Thanks,
Xufeng

Xufeng Zhang (2):
  openssl: avoid NULL pointer dereference in EVP_DigestInit_ex()
  openssl: avoid NULL pointer dereference in dh_pub_encode()/dsa_pub_encode()

 crypto/dh/dh_ameth.c |6 ++
 crypto/dsa/dsa_ameth.c |5 +
 crypto/evp/digest.c|2 +-
 3 files changed, 12 insertions(+), 1 deletions(-)
[PATCH 1/2] openssl: avoid NULL pointer dereference in EVP_DigestInit_ex()
We should avoid accessing the type pointer if it's NULL, this could happen if ctx->digest is not NULL.

--- crypto/evp/digest.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index 982ba2b..96122ea 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -195,7 +195,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) return 0; } #endif - if (ctx-digest != type) + if (type (ctx-digest != type)) { if (ctx-digest ctx-digest-ctx_size) OPENSSL_free(ctx-md_data); -- 1.7.0.2
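Review bot: the new condition in EVP_DigestInit_ex() only skips the block that frees ctx->md_data when type is NULL, and nothing in this hunk says what the function should do when type is NULL and ctx->digest is NULL as well. If that combination is an error, reject it explicitly before this test instead of falling through, and name in the commit message the callers that are expected to pass a NULL type. The extra parentheses around the comparison are not needed.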
[PATCH 2/2] openssl: avoid NULL pointer dereference in dh_pub_encode()/dsa_pub_encode()
We should avoid accessing the pointer if ASN1_STRING_new() fails to allocate memory.

--- crypto/dh/dh_ameth.c |6 ++ crypto/dsa/dsa_ameth.c |5 + 2 files changed, 11 insertions(+), 0 deletions(-) diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c index 141c09b..784746b 100644 --- a/crypto/dh/dh_ameth.c +++ b/crypto/dh/dh_ameth.c @@ -162,6 +162,12 @@ static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) dh=pkey-pkey.dh; str = ASN1_STRING_new(); + if (!str) + { + DHerr(DH_F_DH_PUB_ENCODE, ERR_R_MALLOC_FAILURE); + goto err; + } + str-length = i2d_dhp(pkey, dh, str-data); if (str-length = 0) { diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c index 6b1d52f..40465b6 100644 --- a/crypto/dsa/dsa_ameth.c +++ b/crypto/dsa/dsa_ameth.c @@ -148,6 +148,11 @@ static int dsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) { ASN1_STRING *str; str = ASN1_STRING_new(); + if (!str) + { + DSAerr(DSA_F_DSA_PUB_ENCODE, ERR_R_MALLOC_FAILURE); + goto err; + } str-length = i2d_DSAparams(dsa, str-data); if (str-length = 0) { -- 1.7.0.2
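Review bot: in the dh_pub_encode() hunk the new goto err is taken while str is still NULL, and the err label lies outside the context shown, so please confirm that its cleanup tolerates a NULL str and any locals that have not been assigned yet at this point. If it does not, return 0 directly after DHerr() or initialise those locals to NULL where they are declared.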
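Review bot: in the dsa_pub_encode() hunk str is declared inside the nested block, so the jump to err leaves that scope; check that the err path does not depend on anything that is only set up later in this block. The diffstat lists only the two .c files, so DSA_F_DSA_PUB_ENCODE and DH_F_DH_PUB_ENCODE must already be defined in the error headers, which is worth stating in the commit message. The DH hunk leaves a blank line after the new check and this one does not; use one layout for both.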
Re: [PATCH 0/2] Avoid NULL pointer dereference in several places
Sorry, looks like this patchset has been resent, please ignore one of them.

Thanks,
Xufeng

On 08/21/2013 10:54 AM, Xufeng Zhang wrote:
> Hello All,
>
> An automatic tool detects that there are several potential NULL pointer dereferences in the openssl source code; please help me review the attached two patches.
>
> Thanks,
> Xufeng
>
> Xufeng Zhang (2):
>   openssl: avoid NULL pointer dereference in EVP_DigestInit_ex()
>   openssl: avoid NULL pointer dereference in dh_pub_encode()/dsa_pub_encode()
>
>  crypto/dh/dh_ameth.c |6 ++
>  crypto/dsa/dsa_ameth.c |5 +
>  crypto/evp/digest.c|2 +-
>  3 files changed, 12 insertions(+), 1 deletions(-)