Re: [openssl-dev] Blog post; changing in email, crypto policy, etc

[Florian Weimer]

* Hubert Kario:

> when I mark project as followed I'm getting messages from all issues
> and all PRs - likely dozens if not hundred messages a day

But isn't that the point?

My main concern with Github is that I have no record of my own
actions.  (Their single-account policy is also a problem for some of
us, but that is perhaps our own fault.)
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] The new OpenSSL license should be made GPLv2 compatible

[Florian Weimer]

* James Bottomley:

> On Sat, 2017-03-25 at 16:10 +, Salz, Rich via openssl-dev wrote:
>>  
>> > Please, in the final OpenSSL license text add the paragraph linked 
>> > in the above LLVM mailing list as an exception to the Apache
>> > license.
>> > 
>> > We should make sure using OpenSSL in GPLv2-only projects its 
>> > possible without any trouble or concern for developers.
>> 
>> The problem is that if it is distributed under the GPLv2 there is no
>> patent protection, and that is important to us.
>
> I've already told you once that this is a factually incorrect statement
> because (L)GPLv2 contains an implicit patent licence:

I think the fact that Richard rejects dual licensing indicates that
it's not the lack of a licence that concerns him, but something else.
He calls it “patent protection”; I assume he refers to the weak
mutually assured destruction clause in the Apache license (the “If You
institute patent litigation against any entity” part).

I don't think the GPL, version 2, contains anything remote close to
*that*, implied or otherwise.
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] License change agreement

[Florian Weimer]

* Kurt Roeckx:

> On Fri, Mar 24, 2017 at 08:02:25PM +0100, Florian Weimer wrote:
>> * Quanah Gibson-Mount:
>> 
>> > Zero people that I know of are saying to switch to the GPL.  What is
>> > being pointed out is that the incompatibility with the current
>> > OpenSSL license with the GPLv2 has been a major problem.
>> 
>> The alleged incompatibility of OpenSSL with the GPLv2 has been used to
>> promote GNUTLS in the past (and to a much lesser extent, a certain
>> crypto consolidation effort intending to switch everything to NSS).
>> But GNUTLS has since left the GNU project, and I'm not aware of anyone
>> on the distribution side still saying that the old OpenSSL license
>> (particular when used as a dynamically-linked system library) and the
>> GPLv2 are incompatible.  It's just not considered a problem anymore.
>
> As far as I know, for Debian it's still a problem that a GPL
> application links to openssl.
>
> A few examples:
> - We have multiple curl versions, linked to openssl, gnutls, nss.
>   And you then have to build against the correct one for license
>   reasons.
> - QT (which is LGPL?) does not itself link to libssl but can
>   dynamically load it so that GPL applications can use QT assuming
>   they don't use SSL.
> - We have asked upstream projects to add an openssl exception to
>   their GPL license.

A few examples from Debian for the reverse:

- cgit links against libssl1.1 and is GPLv2
- tcpflow has GPLv2 pieces and links against libssl1.1
- many GPLv1 and GPLv2 programs which link against libgcc
  (which is GPLv3 with an exception, but one that arguably
  does not make it GPLv2-compatible)

I also found a few packages with an OpenSSL exception which have
merged GPL code from other sources who may or may not have agreed to
the exception.

It's probably marginally more productive to continue this discussion
on a Debian list (not that I think anymore that this discussion
matters).
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] License change agreement

[Florian Weimer]

* Quanah Gibson-Mount:

> Zero people that I know of are saying to switch to the GPL.  What is
> being pointed out is that the incompatibility with the current
> OpenSSL license with the GPLv2 has been a major problem.

The alleged incompatibility of OpenSSL with the GPLv2 has been used to
promote GNUTLS in the past (and to a much lesser extent, a certain
crypto consolidation effort intending to switch everything to NSS).
But GNUTLS has since left the GNU project, and I'm not aware of anyone
on the distribution side still saying that the old OpenSSL license
(particular when used as a dynamically-linked system library) and the
GPLv2 are incompatible.  It's just not considered a problem anymore.
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl-team] Discussion: design issue: async and -lpthread

[Florian Weimer]

* Nico Williams:

> On Tue, Dec 08, 2015 at 11:19:32AM +0100, Florian Weimer wrote:
>> > Maybe http://trac.mpich.org/projects/openpa/ would fit the bill?
>> 
>> It seems to have trouble to keep up with new architectures.
>
> New architectures are not really a problem because between a) decent
> compilers with C11 and/or non-C11 atomic intrinsics,

Not on Windows.

> What's the alternative anyways?

Using C++11.
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl-team] Discussion: design issue: async and -lpthread

[Florian Weimer]

* Nico Williams:

> Maybe http://trac.mpich.org/projects/openpa/ would fit the bill?

It seems to have trouble to keep up with new architectures.
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl-team] Discussion: design issue: async and -lpthread

[Florian Weimer]

On 11/25/2015 06:48 PM, Kurt Roeckx wrote:
> On Wed, Nov 25, 2015 at 01:02:29PM +0100, Florian Weimer wrote:
>> On 11/23/2015 11:08 PM, Kurt Roeckx wrote:
>>
>>> I think that we currently don't do any compile / link test to
>>> detect features but that we instead explicitly say so for each
>>> platform.
>>>
>>> Anyway, the gcc the documentation is here:
>>> https://gcc.gnu.org/onlinedocs/gcc/Thread-Local.html
>>>
>>> TLS support clearly isn't supported everywhere.
>>
>> The most portable approach is to switch C++11, which provides you
>> thread-local variables with destructors (and you also get portable
>> atomics).  There are simply no standards-based C solutions as long as
>> you have to support the Microsoft compiler under Windows.
> 
> Please note that we use C, not C++.  But C11 has the same atomics
> extentions as C++11.

C++11 support is much more widespread than C11 support.  You will have
trouble finding reliable support for C11 atomics with the Microsoft
toolchain.

> We're also currently still targetting C89/C90 (with some minor
> extentions), but I think we should try to use them if the platform
> supports it.

It is a lot of working getting the atomics right on all supported platforms.

Florian

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl-team] Discussion: design issue: async and -lpthread

[Florian Weimer]

On 11/23/2015 11:08 PM, Kurt Roeckx wrote:

> I think that we currently don't do any compile / link test to
> detect features but that we instead explicitly say so for each
> platform.
> 
> Anyway, the gcc the documentation is here:
> https://gcc.gnu.org/onlinedocs/gcc/Thread-Local.html
> 
> TLS support clearly isn't supported everywhere.

The most portable approach is to switch C++11, which provides you
thread-local variables with destructors (and you also get portable
atomics).  There are simply no standards-based C solutions as long as
you have to support the Microsoft compiler under Windows.

Florian
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

[Florian Weimer]

* Viktor Dukhovni:

> If I were to guess, it would be that the base crypto implementations
> of IDEA, SEED and binary elliptic curves need to stay.  We could
> perhaps get away with removing CAST and RIPEMD.

Just one data point: CAST5 is still the default for GnuPG when using
symmetric encryption.

Florian
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

[Florian Weimer]

* Kurt Roeckx:

> On Tue, Nov 17, 2015 at 07:10:00PM +0100, Florian Weimer wrote:
>> * Viktor Dukhovni:
>> 
>> > If I were to guess, it would be that the base crypto implementations
>> > of IDEA, SEED and binary elliptic curves need to stay.  We could
>> > perhaps get away with removing CAST and RIPEMD.
>> 
>> Just one data point: CAST5 is still the default for GnuPG when using
>> symmetric encryption.
>
> Not in gnupg 2 afaik.

Debian stable has GnuPG 2.0.26, and it still uses CAST5:

$ gpg2 --batch --passphrase - -c < /dev/null | gpg2 --batch --passphrase - 
--list-packets
:symkey enc packet: version 4, cipher 3, s2k 3, hash 2
salt 45c1df2dc3dd11c2, count 2490368 (179)
gpg: CAST5 encrypted data
:encrypted data packet:
length: 22
gpg: encrypted with 1 passphrase
:compressed packet: algo=1
:literal data packet:
mode b (62), created 1447798993, name="",
raw data: 0 bytes
gpg: WARNING: message was not integrity protected

GnuPG 2.0 is still “the stable version suggested for most users”,
unfortunately.  GnuPG 2.1 has indeed switched to AES-128, but only in
September 2014.

Florian
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] Self-initialization of locking/threadid callbacks and auto-detection of features

[Florian Weimer]

On 06/15/2015 06:02 PM, Nico Williams wrote:
 On Thu, Jun 11, 2015 at 10:41:58AM +0200, Florian Weimer wrote:
 Detecting things in libcrypto is very difficult on GNU/Linux due to the
 way dynamic linking works.
 
 Details?

Detection based on weak symbols can break due to linking order (if the
main executable is not linked against libpthread).  Merely linking
against libpthread, without ever creating any threads, is also not an
indicator of thread usage (libcrypto, for instance, currently does this
unconditionally).

 Perhaps OpenSSL should have several configuration flavors for Linux
 then.  If you want to statically link a non-threaded program with
 OpenSSL, then you should use the libpthread static link meant for it.

I have not considered the static linking case at all, to be honest.  It
should be used only very rarely.  If the lack of stubs is a problem for
static linking, glibc could be enhanced to provide them in a separate
archive.

 A workaound for libraries may be to use a private copy (as if by static
 linking) of OpenSSL with distinct SONAME/symbols and initialize that
 copy properly.  This is generally safe (we've tried it) but also a bit
 troublesome.  On the plus side this means that ABI incompatibilities
 betwee OpenSSL releases become a non-issue.

We can't do that because too much would need to be recompiled and
relinked for updates.

 Or indeed, libpthread should move into libc (which I gather would take a
 long time and is beyond what we can do here).

See my offer to add more stubs as needed.

 (Moving the implementation of a library to another requires support for
 shared object filters, at least on Solaris, so that dynamically-linked
 dependents of libpthread and such will find the symbols they need there,
 though the RTLD knows to go look in the object they moved to.  We say
 that libpthread is a filter of libc because only the pthread-related
 symbols of libc appear in libpthread.  IIUC the Linux RTLD does not
 support filters.)

If I understand you correctly, we emulate them with IFUNCs in glibc.
There is no additional indirection at run time, calls go directly
through the libc implementation even if it is called through the
libpthread symbol.

 Linking -lpthread has a real performance hit for unthreaded
 applications, so core libraries should avoid it.
 
 It shouldn't.

We can get rid of the performance overhead for single-threaded case, but
it's a multi-year effort, and we haven't even started.

What you as a library author can do: do not link against libpthread.
Most functionality you might need is available from libc proper, and
where it is not, ask for advice on the libc-help list.

 In any case, the initialization problems when OpenSSL is used by
 *libraries* are simply unacceptable.

Right.

-- 
Florian Weimer / Red Hat Product Security
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] 0.9.8 support after 31 Dec 2015

[Florian Weimer]

On 07/21/2015 01:16 PM, Brad House wrote:

 I'm sure you're not the only one that will be needing to support 0.9.8
 after the
 official EOL.  RedHat Enterprise Linux 5 comes to mind (supported until
 3/2017),
 so there will definitely be others providing security related patches.

On the other hand, Red Hat will only backport critical security fixes to
Red Hant Enterprise Linux 5 because it is in Production Phase 3.  This
is considerably narrower than what is currently provided by OpenSSL
upstream 0.9.8.

(The main problem people have with 0.9.8 right now is lack of TLS
1.1/1.2 support, and fixing that while preserving binary compatibility
with 0.9.8 is quite a challenge.)

-- 
Florian Weimer / Red Hat Product Security
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] Self-initialization of locking/threadid callbacks and auto-detection of features

[Florian Weimer]

On 10/30/2013 12:15 AM, Nico Williams wrote:
 On Tue, Oct 29, 2013 at 09:58:25PM +0100, Andy Polyakov wrote:
 pthreads and Windows, and one can indeed argue why wouldn't OpenSSL
 simply default to either of the two when appropriate. While it's
 more than appropriate on Windows as it is, on pthreads-powered
 Unices it's not as obvious. Because pthreads can be undesired in
 some situations. Basically it boils down to question whether or not
 libcrypto may be linked with libpthread or not. And answer is
 actually not desired. Ideally libcrypto should *detect* if

Detecting things in libcrypto is very difficult on GNU/Linux due to the
way dynamic linking works.

 More details would be nice.  What follows is speculation of mine as to
 what you might have in mind (or even if you don't, it might be
 relevant).
 
 To summarize the below:
 
 OpenSSL .so's should always be linked with -lpthread on OSes where
 there's a standard libpthread that threaded apps are expected to
 use; OpenSSL static link archives should assume no threading
 libraries and rely on the callers to provide the threading
 callbacks.

On GNU/Linux, you should try very hard to avoid linking -lpthread and
restrict yourself to the pthreads API subset which is available without
-lpthread.  If something is missing, we (as in glibc upstream) can move
additional functionality from libpthread to libc.

Linking -lpthread has a real performance hit for unthreaded
applications, so core libraries should avoid it.

If you have received advice to the contrary, your source of advice is
wrong. :-)

-- 
Florian Weimer / Red Hat Product Security
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] A Question about CRYPTO_THREADID when upgrading to OpenSSL 1.0.1e

[Florian Weimer]

On 01/14/2014 07:12 AM, Aaron wrote:
 Hi All,
 
 We have upgraded our OpenSSL from 9.0.8b to OpenSSL 1.0.1e. We have
 encountered some thread issues. From releated OpenSSL document
 (http://www.openssl.org/docs/crypto/threads.html), we see the following
 description.
 
 /CRYPTO_THREADID and associated functions were introduced in OpenSSL 1.0.0
 to replace (actually, deprecate) the previous CRYPTO_set_id_callback(),
 CRYPTO_get_id_callback(), and CRYPTO_thread_id() functions which assumed
 thread IDs to always be represented by 'unsigned long'. /
 
 We haven't change all calls to CRYPTO_set_id_callback(),
 CRYPTO_get_id_callback(), and CRYPTO_thread_id() in our code to
 CRYPTO_THREADID routines. 
 
 The question I would like to ask is if we upgrade OpenSSL from 9.0.8b to
 OpenSSL 1.0.1e without making the above suggested change what the
 sebsequence is? Will this cause race conditions?

Which platform are you on?

-- 
Florian Weimer / Red Hat Product Security
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #2293] OpenSSL dependence on external threading functions is a critical design flaw

[Florian Weimer]

On 09/03/2014 11:50 PM, Rich Salz via RT wrote:
 We're going to try to clean up the threads situation post-1.0.2, but closing
 this particular ticket.

Can you at least change the FAQ to make sure that OpenSSL is *not*
thread safe by default?  Currently, it claims the opposite.

The error reporting library critically depends on working locking
functions.  You get strange results if you believe the FAQ that OpenSSL
is thread-safe, even if you do not use any objects across threads.

-- 
Florian Weimer / Red Hat Product Security
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] removing compression?

[Florian Weimer]

On 04/03/2015 09:53 PM, Salz, Rich wrote:

 If this will cause problems for you, please post on the list, ideally within 
 the next week.

PostgreSQL uses OpenSSL compression by default, and it is a deliberate
feature (there is no application-layer compression support).

-- 
Florian Weimer / Red Hat Product Security
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: Patch to mitigate CVE-2014-3566 (POODLE)

[Florian Weimer]

On 10/15/2014 01:46 AM, Bodo Moeller wrote:

Here's a patch for the OpenSSL 1.0.1 branch that adds support for
TLS_FALLBACK_SCSV, which can be used to counter the POODLE attack
(CVE-2014-3566; https://www.openssl.org/~bodo/ssl-poodle.pdf).


Note that the CVE identifier was assigned to the SSL 3.0 protocol issue 
related to CBC padding.  The new SCSV does not help with that at all. 
But that's not a problem: when both parties support TLS, OpenSSL is not 
vulnerable even if both sides still enable SSL 3.0 for interoperability 
reasons with other peers.


MITRE has not issued a CVE for the broken fallback behavior because it 
is not a security vulnerability—it works as designed.  This means that 
the TLS_FALLBACK_SCSV patch currently has no CVE associated with it.


--
Florian Weimer / Red Hat Product Security
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Patch to mitigate CVE-2014-3566 (POODLE)

[Florian Weimer]

On 10/16/2014 10:41 AM, Salz, Rich wrote:

Note that the CVE identifier was assigned to the SSL 3.0 protocol issue
related to CBC padding.  The new SCSV does not help with that at all.


What?  It prevents silently falling back to the broken protocol.

Perhaps we can keep this battle-thread just in the TLS WG mail?


It's unrelated to the TLS WG discussion.  MITRE has assigned the CVE 
name to the SSL 3.0 protocol issue, specifically:


“The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other 
products, uses nondeterministic CBC padding, which makes it easier for 
man-in-the-middle attackers to obtain cleartext data via a 
padding-oracle attack, aka the POODLE issue.”


http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

Securing fallback is a workaround, but does not address the issue.  You 
are still vulnerable if you use SSL 3.0 directly (because one of the 
peers supports only that), even if both peers implement SCSV.  The 
proper fix comes with TLS 1.0+, and OpenSSL has implemented a 
transparent protocol upgrade for a long time.  Don't be shy—you fixed 
POODLE before it was discovered, which is great!


I had already asked for assignment of a separate CVE for the insecure 
browser fallback, but I was told that MITRE does not consider *that* a 
vulnerability because it is expected, documented behavior.  This means 
that fallback-SCSV-related patches do not fix any CVE-named 
vulnerability, and certainly not CVE-2014-3566.


Again, this is not related to the question whether the fallback SCSV is 
a good idea.  It is a procedural issue with CVE naming.


Curiously, we recently had the same problem with the bash prefix/suffix 
patch, which did not fix any concrete CVE-named vulnerability, either. 
It is confusing, and I think it shows a limitation of the CVE authority 
file in the light of its current applications.


--
Florian Weimer / Red Hat Product Security
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Very old release, unsupported platform

[Florian Weimer]

On 07/01/2014 11:50 AM, Ben Laurie wrote:

Our soon-to-be-released roadmap has this to say on supported platform:

* Currency, i.e. a platform is widely deployed and in current use
* Vendor support
* Available to the dev team, i.e. the dev team have access to a
suitable environment in which to test builds and deal with tickets and
issues
* Dev team ownership, i.e. at least one person on the team is willing
to take some responsibility for a platform


I strongly suggest to add 8 bit chars and 32 bit ints as an additional 
requirement.  There is some idea that 16-bit platforms (such as MS-DOS 
or Windows prior to the Win32 API) are still supported, but this is 
clearly not the case because a lot of bounds checks assume 32-bit ints.


--
Florian Weimer / Red Hat Product Security
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Very old release, unsupported platform

[Florian Weimer]

On 07/02/2014 02:44 PM, Matt Caswell wrote:

I strongly suggest to add 8 bit chars and 32 bit ints as an additional
requirement.  There is some idea that 16-bit platforms (such as MS-DOS or
Windows prior to the Win32 API) are still supported, but this is clearly not
the case because a lot of bounds checks assume 32-bit ints.


Are there any of these platforms that would pass the Currency/Vendor
support criteria? If so which ones?


I fear that eComStation could fit these criteria, for the platforms I 
mentioned.


--
Florian Weimer / Red Hat Product Security
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Locking inefficiency

[Florian Weimer]

On 06/11/2014 02:26 PM, Salz, Rich wrote:

What kinds of operations are protected by read locks?


Looking at almost any of the global data structures, such as error tables, OID 
tables, and so on.


Often, RW locks aren't a win because maintaining just the read locks (without 
any writers) introduces contention at the hardware level, and parallelism does 
not increase all that much as a result.  Paul McKenney's dissertation on RCU 
has some examples.


We've monitored one of our applications, an SSL-terminating HTTP proxy server, under 
load. Of all the mutexes (futex, actually) in the system, the error lock is 
the most highly contended one.  I'll see about posting some statistics.


Is this CRYPTO_LOCK_ERR?  It would be interesting which locking path 
actually triggers the contention.  If it's the thread-local storage 
re-implementation, it should be possible to use an ERR implementation 
which uses native thread-local storage, which should be mostly 
contention-free.


--
Florian Weimer / Red Hat Product Security Team
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl.org #3400] ccs received early

[Florian Weimer]

On 06/12/2014 01:28 PM, Salz, Rich wrote:

Since the patch for CVE-2014-0224 I've so far received 2 reports about people getting the 
error: ccs received early.


So they kiddies can read.  We thought so, but good to have confirmation.  
Thanks!


What do you mean?  As far as I can tell, this is about an 
interoperability issue.


--
Florian Weimer / Red Hat Product Security Team
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Locking inefficiency

[Florian Weimer]

On 06/10/2014 03:31 PM, Bodo Moeller wrote:


The way we use the locks, in heavily multi-threaded applications, you
can have a lot of contention with mutexes that wouldn't exist with
read/write locks, because often all threads would only require the read
locks


What kinds of operations are protected by read locks?

Often, RW locks aren't a win because maintaining just the read locks 
(without any writers) introduces contention at the hardware level, and 
parallelism does not increase all that much as a result.  Paul 
McKenney's dissertation on RCU has some examples.


--
Florian Weimer / Red Hat Product Security Team
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Locking inefficiency

[Florian Weimer]

On 06/11/2014 10:24 AM, Peter Waltenberg wrote:


The one we (IBM) hit is composite apps. Multiple independently developed
lumps of code thrown together - someone has to set the locks, but
deciding who is a problem. We deal with it easily as we put a wrapper
around OpenSSL and do it there, but that's not always an option.
The OS installed OpenSSL's should probably also use the OS default
thread model by default for similar reasons.

There were also a number of cases of 'user error' with people just
forgetting to set up the locking around that time.


We face similar issues in Fedora and its downstreams.

For glibc, we have stubs in libc which are always available and are NOPs 
in non-threaded problems, so that it might be feasible to set up the 
locking primitives by default in libcrypto, without actually linking 
with -lpthread.


The latter is important because the presence of the threading library 
causes some other libraries to fall back to slower thread-safe variants. 
 This mostly affects libstdc++ and std::shared_ptr (where atomics are 
used for maintaining the reference count), and to a lesser extend, 
malloc in glibc itself.


--
Florian Weimer / Red Hat Product Security Team
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Which platforms will be supported in the future on which platforms will be removed?

[Florian Weimer]

On 06/01/2014 09:28 AM, Janpopan wrote:


is there a list of currently supported platforms?

Which platforms are deprecaded an could/should be removed in the
sourcecode?
MS-DOS?
Windows 16 Bit?
OS/2?
Windows 95/98/ME?
Windows NT/2000/XP?


I think there is plenty of code which assumes size_t (and int) of at 
least 32 bits (in the sense that there are unguarded integer overflows 
with 16-bit types).  Wouldn't this rule out MS-DOS and 16-bit Windows as 
useful platforms?


--
Florian Weimer / Red Hat Product Security Team
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Attribution of pull requests in git

[Florian Weimer]

* Ben Laurie:

 Is there an easy way to fix that? That is, I would expect it to show
 me as the committer and the original author as the author.

git am does this, but merging from a Git repository does not because
it changes the commit hashes and would force the submitter to rebase.

In general, Git does not reliably track who submits (or fast-forward
merges) commits within the system, you'll need an external mechanism
for that.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[PATCH] dtls1_reassemble_fragment: Return error code on memory allocation failure

[Florian Weimer]

---
 ssl/d1_both.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index d8bcd58..2c06fc2 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -679,8 +679,8 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* 
msg_hdr, int *ok)
item = pitem_new(seq64be, frag);
if (item == NULL)
{
-   goto err;
i = -1;
+   goto err;
}
 
pqueue_insert(s-d1-buffered_messages, item);
-- 
1.9.0

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [PATCH] Reseed PRNG on PID change

[Florian Weimer]

On 01/16/2014 05:03 PM, David Jacobson wrote:


If you want to make sure they diverge, and make sure that multiple forks
diverge differently, you should push in the process ID. Pushing in time
helps with (but does not perfectly cure) the virtual machine copying
problem. So I suggest pushing in the PID concatenated with some sort of
time.


The PID is already mixed in.  It turned out this was not sufficient 
because PIDs are reused (see e.g. CVE-2013-1900).  My initial idea was 
to reseed the pool if a PID change was detected, but reseeding with a 
high-resolution timer appears preferable.  It also sidesteps the 
LinuxThreads issue.


--
Florian Weimer / Red Hat Product Security Team
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [PATCH] Reseed PRNG on PID change

[Florian Weimer]

On 01/15/2014 05:44 PM, Dr. Stephen Henson wrote:

On Wed, Jan 15, 2014, Florian Weimer wrote:


Commit 3cd8547a2018ada88a4303067a2aa15eadc17f39 mixed the current
time into the randomness pool each time RAND_bytes is called.  As
the resolution of gettimeofday() is limited, I propose to reseed the
PRNG each time a PID change is detected.



I know historically some platforms have different PIDs for different threads.
That would cause problems with this patch.


Ah, good old LinuxThreads.  I admit it's not totally dead yet.  I can 
add a Linux- and glibc-specific detection function which disables the 
reseeding if LinuxThreads is detected.  (Other systems had strange 
threading libraries as well, but those generally shared PIDs.)


Regarding replacing gettimeofday() with a CPU tick counter, I expect 
that many systems have a very fast gettimeofday() implementation these 
days (based in part on a CPU tick counter).  However, time() has no such 
acceleration on the machines I've tested, so the current code shows a 
significant performance hit compared to 3cd8547a2^.


The additional resolution of a tick counter might make reseeding after 
fork unnecessary, but it's difficult to be sure.  Something not based on 
timing information looks desirable to me.


--
Florian Weimer / Red Hat Product Security Team
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [PATCH] Reseed PRNG on PID change

[Florian Weimer]

On 01/16/2014 01:57 PM, Dr. Stephen Henson wrote:

On Thu, Jan 16, 2014, Florian Weimer wrote:



The additional resolution of a tick counter might make reseeding
after fork unnecessary, but it's difficult to be sure.  Something
not based on timing information looks desirable to me.



I should point out that the aim of the current code is not to completely
reseed after fork() but to make the PRNG state diverge so that the two
processes do not share the same internal PRNG state.


I get that.  I've reconsidered things.  Time seems the only thing that 
deals with the related VM snapshot issue.


I still propose to get rid of the time() call (md_rand-time.patch, 
AFAICT num == 0 at this point, so I pulled the initialization out of the 
loop).  OPENSSL_rdtsc() appears to return 0 if the cycle counter is not 
available, so md_rand-rtdsc.patch calls it unconditionally if RDRAND is 
not available.


--
Florian Weimer / Red Hat Product Security Team
commit 594dcc12d4ede5cd6f4e11cdc23fff3eea20cdcf
Author: Florian Weimer fwei...@redhat.com
Date:   Thu Jan 16 15:16:38 2014 +0100

ssleay_rand_seed: optimize fork protection: do not call time()

diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
index 6cab308..f2165cd 100644
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@@ -368,7 +368,6 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
 #ifndef GETPID_IS_MEANINGLESS
 	pid_t curr_pid = getpid();
 #endif
-	time_t curr_time = time(NULL);
 	int do_stir_pool = 0;
 /* time value for various platforms */
 #ifdef OPENSSL_SYS_WIN32
@@ -508,6 +507,15 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
 	crypto_lock_rand = 0;
 	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
+	/* try to diverge the random sequence after fork and VM resumption */
+#ifndef GETPID_IS_MEANINGLESS
+	if (!MD_Update(m,(unsigned char*)curr_pid, sizeof curr_pid))
+		goto err;
+#endif
+	if (!MD_Update(m,(unsigned char*)tv, sizeof tv))
+		goto err;
+	rand_hw_seed(m);
+
 	while (num  0)
 		{
 		/* num_ceil -= MD_DIGEST_LENGTH/2 */
@@ -515,26 +523,6 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
 		num-=j;
 		if (!MD_Init(m))
 			goto err;
-#ifndef GETPID_IS_MEANINGLESS
-		if (curr_pid) /* just in the first iteration to save time */
-			{
-			if (!MD_Update(m,(unsigned char*)curr_pid,
-   sizeof curr_pid))
-goto err;
-			curr_pid = 0;
-			}
-#endif
-		if (curr_time) /* just in the first iteration to save time */
-			{
-			if (!MD_Update(m,(unsigned char*)curr_time,
-   sizeof curr_time))
-goto err;
-			if (!MD_Update(m,(unsigned char*)tv,
-   sizeof tv))
-goto err;
-			curr_time = 0;
-			rand_hw_seed(m);
-			}
 		if (!MD_Update(m,local_md,MD_DIGEST_LENGTH))
 			goto err;
 		if (!MD_Update(m,(unsigned char *)(md_c[0]),sizeof(md_c)))
commit 8cfc51d808a3d3b3118f3d3168fcba6c0ce79b9c
Author: Florian Weimer fwei...@redhat.com
Date:   Thu Jan 16 15:35:40 2014 +0100

ssleay_rand_bytes: use cycle counter if RDRAND is not available

diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
index f2165cd..51acf44 100644
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@@ -382,9 +382,6 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
 #elif defined(OPENSSL_SYS_VXWORKS)
 	struct timespec tv;
 	clock_gettime(CLOCK_REALTIME, ts);
-#elif defined(OPENSSL_SYSNAME_DSPBIOS)
-	unsigned long long tv, OPENSSL_rdtsc();
-	tv = OPENSSL_rdtsc();
 #else
 	struct timeval tv;
 	gettimeofday(tv, NULL);
@@ -674,7 +671,13 @@ static void rand_hw_seed(EVP_MD_CTX *ctx)
 	{
 	int i;
 	if (!(OPENSSL_ia32cap_P[1]  (1(62-32
+		{
+		/* using the cycle counter is better than nothing at all */
+		unsigned long long tv, OPENSSL_rdtsc();
+		tv = OPENSSL_rdtsc();
+		MD_Update(ctx, (unsigned char *)tv, sizeof(tv));
 		return;
+		}
 	for (i = 0; i  RDRAND_CALLS; i++)
 		{
 		size_t rnd;
@@ -721,7 +724,10 @@ void rand_hw_xor(unsigned char *buf, size_t num)
 
 static void rand_hw_seed(EVP_MD_CTX *ctx)
 	{
-	return;
+	/* using the cycle counter is better than nothing at all */
+	unsigned long long tv, OPENSSL_rdtsc();
+	tv = OPENSSL_rdtsc();
+	MD_Update(ctx, (unsigned char *)tv, sizeof(tv));
 	}
 
 void rand_hw_xor(unsigned char *buf, size_t num)

Re: [PATCH] Reseed PRNG on PID change

[Florian Weimer]

On 01/16/2014 03:39 PM, Florian Weimer wrote:


I still propose to get rid of the time() call (md_rand-time.patch,
AFAICT num == 0 at this point, so I pulled the initialization out of the
loop).


Disregard the patches, this doesn't work.

--
Florian Weimer / Red Hat Product Security Team
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[PATCH] Reseed PRNG on PID change

[Florian Weimer]

Commit 3cd8547a2018ada88a4303067a2aa15eadc17f39 mixed the current time 
into the randomness pool each time RAND_bytes is called.  As the 
resolution of gettimeofday() is limited, I propose to reseed the PRNG 
each time a PID change is detected.


This change might also be an alternative for platforms where the 
gettimeofday() call is prohibitively slow.


--
Florian Weimer / Red Hat Product Security Team
commit 136a8da88ff52ad32f894fb0ecbcab5f4205ca49
Author: Florian Weimer fwei...@redhat.com
Date:   Wed Jan 15 16:46:17 2014 +0100

ssleay_rand_bytes: Re-seed on PID change

diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
index 6cab308..75382b5 100644
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@@ -153,6 +153,9 @@ static unsigned char md[MD_DIGEST_LENGTH];
 static long md_count[2]={0,0};
 static double entropy=0;
 static int initialized=0;
+#ifndef GETPID_IS_MEANINGLESS
+static pid_t prev_pid=0;
+#endif
 
 static unsigned int crypto_lock_rand = 0; /* may be set only when a thread
* holds CRYPTO_LOCK_RAND
@@ -201,6 +204,7 @@ static void ssleay_rand_cleanup(void)
 	md_count[1]=0;
 	entropy=0;
 	initialized=0;
+	prev_pid=0;
 	}
 
 static int ssleay_rand_add(const void *buf, int num, double add)
@@ -439,7 +443,16 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
 		{
 		RAND_poll();
 		initialized = 1;
+		prev_pid = curr_pid;
+		}
+#ifndef GETPID_IS_MEANINGLESS
+	if (curr_pid != prev_pid)
+		{
+		RAND_poll();
+		prev_pid = curr_pid;
 		}
+#endif
+
 	
 	if (!stirred_pool)
 		do_stir_pool = 1;

Re: [PATCH] sha1-x86_64/ssse3: enforce stack alignment

[Florian Weimer]

On 12/15/2013 07:53 PM, Yuriy Kaminskiy wrote:


Apparently, stack can be misaligned on BSD (nasty! is it even allowed by amd64
ABI?), and openssl fails to deal with it (funnily, it aligns stack in non-ssse3
version [where it is only efficiency issue], but fails to do this in ssse3
version [where it is mandatory]).


It's required by the amd64 ABI, and other things will break if this 
requirement is violated.


--
Florian Weimer / Red Hat Product Security Team
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: 1.0.1e: crash in sha1_block_data_order_ssse3()

[Florian Weimer]

On 12/17/2013 03:17 AM, Claus Assmann wrote:


Can you please try putting a breakpoint on sha1_block_data_order_ssse3,
and checking what the value of %rsp is at the start of the function?


Breakpoint 5, sha1_block_data_order_ssse3 () at sha1-x86_64.s:1295
1295pushq   %rbx
Current language:  auto; currently asm
(gdb) p $rsp
$15 = (void *) 0x8007360a0
[looks ok]


Actually, it doesn'ton function entry, %rsp must be congruent 8 modulo 
16.  Could you do the same thing (breakpoint and look at %rsp) for the 
callers up the call stack?


Do you link dynamically or statically?  What's your GCC version?

--
Florian Weimer / Red Hat Product Security Team
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: 1.0.1e: crash in sha1_block_data_order_ssse3()

[Florian Weimer]

On 12/14/2013 05:50 PM, Claus Assmann wrote:


Program received signal SIGBUS, Bus error.
sha1_block_data_order_ssse3 () at sha1-x86_64.s:1328
1328movdqa  %xmm0,0(%rsp)


movdqa needs 16-byte alignment.


rsp0x800736048  0x800736048


%rsp is only 8-byte aligned.

This is likely a toolchain bug, and not something that can be reasonably 
fixed in OpenSSL.


--
Florian Weimer / Red Hat Product Security Team
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: UTF8 decoding, unneeded byte masking

[Florian Weimer]

On 08/25/2013 12:23 PM, PMHager wrote:

If your intention is performance optimization you could even replace

   if((*p  0x80) == 0)

with

   if((signed char)(*p) = 0)

as you cannot assume that all compilers will do it correctly themselves.


Actually, this proposed change relies on a GCC extension.  If *p is 
unsigned, compilers are allowed to assume that (signed char)(*p) = 0 is 
always true (because signed overflow is undefined).


--
Florian Weimer / Red Hat Product Security Team
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Apple are, apparently, dicks...

[Florian Weimer]

On 06/14/2013 03:31 PM, Dr. Stephen Henson wrote:

Note that the patch changes the value of SSL_OP_ALL so if OpenSSL shared
libraries are updated to include the patch existing applications wont set it:
they'd all need to be recompiled.


That's a valid point.


Possibly alternative is to reuse one of the existing *ancient* flags. Does
anyone really care about compatibility with a bug in SSLeay 0.80 for example?


Wouldn't it be better to reverse the meaning of the flag and not set it 
in SSL_OP_ALL?


--
Florian Weimer / Red Hat Product Security Team
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Add WEB cipher suite selector

[Florian Weimer]

The attached patch adds a WEB entry to the cipher list selection.  The 
idea is that applications can just use that and get a reasonable set of 
cipher suites, offering a trade-off between security and 
interoperability.  These cipher suites are all certificate-based, so 
that applications send a protocol-compliant client hello without 
explicitly disabling the cipher suites they do not support because they 
will never supply the required key material.


--
Florian Weimer / Red Hat Product Security Team
From af125d1abb2af6dd4853188d2e6d99963ae959c2 Mon Sep 17 00:00:00 2001
From: Florian Weimer fwei...@redhat.com
Date: Mon, 26 Nov 2012 18:02:28 +0100
Subject: [PATCH] Add WEB cipher list entry

---
 doc/apps/ciphers.pod |   7 +++
 ssl/s2_lib.c |   2 +-
 ssl/s3_lib.c | 162 +--
 ssl/ssl.h|   1 +
 ssl/ssl_ciph.c   |   1 +
 ssl/ssl_locl.h   |   5 +-
 6 files changed, 94 insertions(+), 84 deletions(-)

diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
index c571830..ba08d19 100644
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -139,6 +139,13 @@ the cipher suites not enabled by BALL, currently being BeNULL.
 high encryption cipher suites. This currently means those with key lengths
 larger than 128 bits, and some cipher suites with 128-bit keys.
 
+=item BWEB
+
+Cipher suites with certificate-based authentication which are also
+part of BHIGH, plus additional cipher suites required for web
+application interoperability.  Currently, this adds RC4-based cipher
+suites with 128-bit keys, and triple DES with an MD5 MAC.
+
 =item BMEDIUM
 
 medium encryption cipher suites, currently some of those using 128 bit
diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c
index b37792f..316350f 100644
--- a/ssl/s2_lib.c
+++ b/ssl/s2_lib.c
@@ -248,7 +248,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[]={
 	SSL_3DES,
 	SSL_MD5,
 	SSL_SSLV2,
-	SSL_NOT_EXP|SSL_HIGH,
+	SSL_NOT_EXP|SSL_HIGH|SSL_WEB,
 	0,
 	168,
 	168,
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index c6ecd8f..3f4415e 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -223,7 +223,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_RC4,
 	SSL_MD5,
 	SSL_SSLV3,
-	SSL_NOT_EXP|SSL_MEDIUM,
+	SSL_NOT_EXP|SSL_MEDIUM|SSL_WEB,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -239,7 +239,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_RC4,
 	SSL_SHA1,
 	SSL_SSLV3,
-	SSL_NOT_EXP|SSL_MEDIUM,
+	SSL_NOT_EXP|SSL_MEDIUM|SSL_WEB,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -321,7 +321,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_3DES,
 	SSL_SHA1,
 	SSL_SSLV3,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS|SSL_WEB,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	168,
 	168,
@@ -370,7 +370,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_3DES,
 	SSL_SHA1,
 	SSL_SSLV3,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS|SSL_WEB,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	168,
 	168,
@@ -418,7 +418,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_3DES,
 	SSL_SHA1,
 	SSL_SSLV3,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS|SSL_WEB,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	168,
 	168,
@@ -467,7 +467,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_3DES,
 	SSL_SHA1,
 	SSL_SSLV3,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS|SSL_WEB,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	168,
 	168,
@@ -515,7 +515,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_3DES,
 	SSL_SHA1,
 	SSL_SSLV3,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS|SSL_WEB,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	168,
 	168,
@@ -890,7 +890,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_AES128,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS|SSL_WEB,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -905,7 +905,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_AES128,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS|SSL_WEB,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -920,7 +920,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_AES128,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS|SSL_WEB,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -935,7 +935,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_AES128,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS|SSL_WEB,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -950,7 +950,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_AES128,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS|SSL_WEB,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -981,7 +981,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_AES256,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS|SSL_WEB

Re: [openssl.org #2909] Wildcard support for certificate matching (plus fixes)

[Florian Weimer]

On 11/18/2012 04:16 PM, Stephen Henson via RT wrote:

I have also added a manual page.  The test case does not have full
coverage, but it is better than nothing.



Many thanks for the patch. I've applied it with a few minor changes. Let
me know if I broke anything.


Thanks for showing me the concise way for setting GENERAL_NAMEs.

I've adjusted the test case to cover the new return values 
(v3nametest.patch).  It shouldn't matter from a testing point of view, 
but I think it's important to show the correct error checking.


The IDNA filter for wildcards was incomplete, and I couldn't find this 
in any standard, so I suggest removing it (idna.patch).


--
Florian Weimer / Red Hat Product Security Team
commit 373bf51bb3a64f4d91241752be7178104d0de28b
Author: Florian Weimer fwei...@redhat.com
Date:   Mon Nov 19 11:04:56 2012 +0100

Adjust v3nametest.c return value checking to API

diff --git a/crypto/x509v3/v3nametest.c b/crypto/x509v3/v3nametest.c
index 5bf1201..c1d5ff3 100644
--- a/crypto/x509v3/v3nametest.c
+++ b/crypto/x509v3/v3nametest.c
@@ -273,28 +273,38 @@ static void run_cert(X509 *crt, const char *nameincert,
 		ret = X509_check_host(crt, (const unsigned char *)name,
   namelen, 0);
 		match = -1;
-		if (fn-host)
+		if (ret  0)
 			{
-			if (ret  !samename)
+			fprintf(stderr, internal error in X509_check_host);
+			++errors;
+			}
+		else if (fn-host)
+			{
+			if (ret == 1  !samename)
 match = 1;
-			if (!ret  samename)
+			if (ret == 0  samename)
 match = 0;
 			}
-		else if (ret)
+		else if (ret == 1)
 			match = 1;
 		check_message(fn, host, nameincert, match, *pname);
 
 		ret = X509_check_host(crt, (const unsigned char *)name,
   namelen, X509_CHECK_FLAG_NO_WILDCARDS);
 		match = -1;
-		if (fn-host)
+		if (ret  0)
 			{
-			if (ret  !samename)
+			fprintf(stderr, internal error in X509_check_host);
+			++errors;
+			}
+		else if (fn-host)
+			{
+			if (ret == 1  !samename)
 match = 1;
-			if (!ret  samename)
+			if (ret == 0  samename)
 match = 0;
 			}
-		else if (ret)
+		else if (ret == 1)
 			match = 1;
 		check_message(fn, host-no-wildcards,
 			  nameincert, match, *pname);
commit b399db5b4a31dd13ebc2ee114501c4ee20b748f2
Author: Florian Weimer fwei...@redhat.com
Date:   Mon Nov 19 11:32:38 2012 +0100

X509_check_host: remove IDNA wildcard block

I couldn't find this in any standard, and the check was incomplete
anyway.

diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index ffd9f0d..de43c2f 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -719,12 +719,7 @@ static const unsigned char *wildcard_find_star(const unsigned char *pattern,
 static int equal_wildcard(const unsigned char *pattern, size_t pattern_len,
 			  const unsigned char *subject, size_t subject_len)
 	{
-	const unsigned char *star;
-	/* Do not match IDNA names. */
-	if (subject_len =4  memcmp(subject, xn--, 4) == 0)
-		star = NULL;
-	else
-		star = wildcard_find_star(pattern, pattern_len);
+	const unsigned char *star = wildcard_find_star(pattern, pattern_len);
 	if (star == NULL)
 		return equal_nocase(pattern, pattern_len,
 subject, subject_len);
diff --git a/crypto/x509v3/v3nametest.c b/crypto/x509v3/v3nametest.c
index c1d5ff3..aa0d29c 100644
--- a/crypto/x509v3/v3nametest.c
+++ b/crypto/x509v3/v3nametest.c
@@ -24,6 +24,7 @@ static const char *const exceptions[] =
 	set CN: host: [*.example.com] matches [a.example.com],
 	set CN: host: [*.example.com] matches [b.example.com],
 	set CN: host: [*.example.com] matches [www.example.com],
+	set CN: host: [*.example.com] matches [xn--rger-koa.example.com],
 	set CN: host: [test.*.example.com] does not match [test.*.example.com],
 	set CN: host: [test.*.example.com] matches [test.www.example.com],
 	set CN: host: [*.www.example.com] does not match [*.www.example.com],
@@ -36,6 +37,7 @@ static const char *const exceptions[] =
 	set dnsName: host: [*.example.com] does not match [*.example.com],
 	set dnsName: host: [*.example.com] matches [a.example.com],
 	set dnsName: host: [*.example.com] matches [b.example.com],
+	set dnsName: host: [*.example.com] matches [xn--rger-koa.example.com],
 	set dnsName: host: [*.www.example.com] matches [test.www.example.com],
 	set dnsName: host: [*.www.example.com] does not match [*.www.example.com],
 	set dnsName: host: [test.*.example.com] matches [test.www.example.com],

Fix GCC asm constraints in crypto/bn/asm/x86_64-gcc.c

[Florian Weimer]

When x32 support was added to this file, the  constraint was dropped, 
allowing GCC to overlap register assignments for inputs and outputs, 
resulting in broken assembler code.


--
Florian Weimer / Red Hat Product Security Team
commit 9dbf28460d10387c819d332b7a5c0397942b75ee
Author: Florian Weimer fwei...@redhat.com
Date:   Mon Nov 19 12:52:36 2012 +0100

Fix asm constraints in bn_add_words, bn_sub_words

diff --git a/crypto/bn/asm/x86_64-gcc.c b/crypto/bn/asm/x86_64-gcc.c
index d34d2dc..dfb7506 100644
--- a/crypto/bn/asm/x86_64-gcc.c
+++ b/crypto/bn/asm/x86_64-gcc.c
@@ -199,7 +199,7 @@ BN_ULONG bn_add_words (BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int
 		lea	1(%2),%2	\n
 		loop	1b		\n
 		sbbq	%0,%0		\n
-		: =r(ret),+c(n),+r(i)
+		: =r(ret),+c(n),+r(i)
 		: r(rp),r(ap),r(bp)
 		: cc
 	);
@@ -224,7 +224,7 @@ BN_ULONG bn_sub_words (BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int
 		lea	1(%2),%2	\n
 		loop	1b		\n
 		sbbq	%0,%0		\n
-		: =r(ret),+c(n),+r(i)
+		: =r(ret),+c(n),+r(i)
 		: r(rp),r(ap),r(bp)
 		: cc
 	);

Replace scary comment in s3_pkt.c

[Florian Weimer]

Apparently, the IV initialization was moved to tls1_enc() t1_enc.c, so 
the commented-put initialization is indeed superfluous.  And indeed, the 
IV on the wire appears to be random.


Could someone please double-check this?  Thanks.

--
Florian Weimer / Red Hat Product Security Team
commit 6ad93dd6f8ccfdb5cafe5403de8952c568657fb6
Author: Florian Weimer fwei...@redhat.com
Date:   Mon Nov 19 15:10:29 2012 +0100

Replace scary comment with cross-reference

diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index dca3458..239a101 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -811,8 +811,7 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 
 	if (eivlen)
 		{
-	/*	if (RAND_pseudo_bytes(p, eivlen) = 0)
-			goto err; */
+		/* IV is initialized in tls1_enc(). */
 		wr-length += eivlen;
 		}
 

SSL_connect.pod fix

[Florian Weimer]

There's a POD error in the manpage, resulting in quite misleading 
documentation.


--
Florian Weimer / Red Hat Product Security Team
commit cb06d593d1a59c932614c4e97055b441fc66c4ec
Author: Florian Weimer fwei...@redhat.com
Date:   Tue Nov 13 14:22:44 2012 +0100

Fix POD usage in SSL_connect.pod

Current perlpod needs some escaping, otherwise it will render a
numbered list, resulting totally misleading return values.

diff --git a/doc/ssl/SSL_connect.pod b/doc/ssl/SSL_connect.pod
index cc56ebb..aa0f802 100644
--- a/doc/ssl/SSL_connect.pod
+++ b/doc/ssl/SSL_connect.pod
@@ -41,18 +41,18 @@ The following return values can occur:
 
 =over 4
 
-=item 1
+=item C1
 
 The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
 established.
 
-=item 0
+=item C0
 
 The TLS/SSL handshake was not successful but was shut down controlled and
 by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
 return value Bret to find out the reason.
 
-=item Elt0
+=item EltC0
 
 The TLS/SSL handshake was not successful, because a fatal error occurred either
 at the protocol level or a connection failure occurred. The shutdown was

Wildcard support for certificate matching (plus fixes)

[Florian Weimer]

Hi,

the attached patch implements wildcard matching and introduces the 
X509_CHECK_FLAG_NO_WILDCARDS flag to disable it if necessary.


In addition, it implements case-insensitive comparison of host names and 
email address domain parts, as required by RFC 5280.  Domain names and 
email addresses which contain NUL characters are now rejected, to cope 
with some mis-issued certificates.


I have also added a manual page.  The test case does not have full 
coverage, but it is better than nothing.


It might make sense to change the API so that 0 means success, 1 match 
failure, and -1 an internal error.  Right now, it is not possible to 
tell match failures and internal errors apart.


Florian
--
Florian Weimer / Red Hat Product Security Team
diff --git a/crypto/x509v3/Makefile b/crypto/x509v3/Makefile
index 07e2df4..b54f540 100644
--- a/crypto/x509v3/Makefile
+++ b/crypto/x509v3/Makefile
@@ -13,7 +13,7 @@ AR=		ar r
 CFLAGS= $(INCLUDES) $(CFLAG)
 
 GENERAL=Makefile README
-TEST=
+TEST=v3nametest.c
 APPS=
 
 LIB=$(TOP)/libcrypto.a
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index db9f05e..8f88e69 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -568,12 +568,177 @@ void X509_email_free(STACK_OF(OPENSSL_STRING) *sk)
 	sk_OPENSSL_STRING_pop_free(sk, str_free);
 }
 
+typedef int (*equal_fn)(const unsigned char *pattern, size_t pattern_len,
+			const unsigned char *subject, size_t subject_len);
+
+/* Compare while ASCII ignoring case. */
+static int equal_nocase(const unsigned char *pattern, size_t pattern_len,
+			const unsigned char *subject, size_t subject_len)
+	{
+	if (pattern_len != subject_len)
+		return 0;
+	while (pattern_len)
+		{
+		unsigned char l = *pattern;
+		unsigned char r = *subject;
+		/* The pattern must not contain NUL characters. */
+		if (l == 0)
+			return 0;
+		if (l != r)
+			{
+			if ('A' = l  l = 'Z')
+l = (l - 'A') + 'a';
+			if ('A' = r  r = 'Z')
+r = (r - 'A') + 'a';
+			if (l != r)
+return 0;
+			}
+		++pattern;
+		++subject;
+		--pattern_len;
+		}
+	return 1;
+	}
+
+/* Compare using memcmp. */
+static int equal_case(const unsigned char *pattern, size_t pattern_len,
+		  const unsigned char *subject, size_t subject_len)
+{
+	/* The pattern must not contain NUL characters. */
+	if (memchr(pattern, '\0', pattern_len) != NULL)
+		return 0;
+	if (pattern_len != subject_len)
+		return 0;
+	return !memcmp(pattern, subject, pattern_len);
+}
+
+/* RFC 5280, section 7.5, requires that only the domain is compared in
+   a case-insensitive manner. */
+static int equal_email(const unsigned char *a, size_t a_len,
+		   const unsigned char *b, size_t b_len)
+	{
+	if (a_len != b_len)
+		return 0;
+	size_t i = a_len;
+	/* We search backwards for the '@' character, so that we do
+	   not have to deal with quoted local-parts.  The domain part
+	   is compared in a case-insensitive manner. */
+	while (i  0)
+		{
+		--i;
+		if (a[i] == '@' || b[i] == '@')
+			{
+			if (!equal_nocase(a + i, a_len - i,
+	  b + i, a_len - i))
+return 0;
+			break;
+			}
+		}
+	if (i == 0)
+		i = a_len;
+	return equal_case(a, i, b, i);
+	}
+
+/* Compare the prefix and suffix with the subject, and check that the
+   characters in-between are valid. */
+static int wildcard_match(const unsigned char *prefix, size_t prefix_len,
+			  const unsigned char *suffix, size_t suffix_len,
+			  const unsigned char *subject, size_t subject_len)
+	{
+	const unsigned char *wildcard_start;
+	const unsigned char *wildcard_end;
+	const unsigned char *p;
+	if (subject_len  prefix_len + suffix_len)
+		return 0;
+	if (!equal_nocase(prefix, prefix_len, subject, prefix_len))
+		return 0;
+	wildcard_start = subject + prefix_len;
+	wildcard_end = subject + (subject_len - suffix_len);
+	if (!equal_nocase(wildcard_end, suffix_len, suffix, suffix_len))
+		return 0;
+	/* The wildcard must match at least one character. */
+	if (wildcard_start == wildcard_end)
+		return 0;
+	/* Check that the part matched by the wildcard contains only
+	   permitted characters and only matches a single label. */
+	for (p = wildcard_start; p != wildcard_end; ++p)
+		if (!(('0' = *p  *p = '9') ||
+		  ('A' = *p  *p = 'Z') ||
+		  ('a' = *p  *p = 'z') ||
+		  *p == '-'))
+			return 0;
+	return 1;
+	}
+
+/* Checks if the memory region consistens of [0-9A-Za-z.-]. */
+static int valid_domain_characters(const unsigned char *p, size_t len)
+	{
+	while (len)
+		{
+		if (!(('0' = *p  *p = '9') ||
+		  ('A' = *p  *p = 'Z') ||
+		  ('a' = *p  *p = 'z') ||
+		  *p == '-' || *p == '.'))
+			return 0;
+		++p;
+		--len;
+		}
+	return 1;
+	}
+
+/* Find the '*' in a wildcard pattern.  If no such character is found
+   or the pattern is otherwise invalid, returns NULL. */
+static const unsigned char *wildcard_find_star(const unsigned char *pattern,
+	   size_t pattern_len)
+	{
+	const unsigned char *star = memchr(pattern, '*', pattern_len);
+	size_t dot_count = 0;
+	const unsigned char

Re: [openssl.org #447] [Fwd: Bug#176058: openssl: Should askpassword only after basic input validation]

[Florian Weimer]

Richard Levitte via RT [EMAIL PROTECTED] writes:

 It would be good to know exactly which openssl commands are involved
 in this issue.  I'm pretty sure this issue only applies for some of
 them.

openssl ca is one of them, and probably the most cumbersome.
openssl req -new -out $FILE does not verify that $FILE is a writable
file.

-- 
Florian Weimer[EMAIL PROTECTED]
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT  fax +49-711-685-5898
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #447] [Fwd: Bug#176058: openssl: Should ask password only after basic input validation]

[Florian Weimer via RT]

Richard Levitte via RT [EMAIL PROTECTED] writes:

 It would be good to know exactly which openssl commands are involved
 in this issue.  I'm pretty sure this issue only applies for some of
 them.

openssl ca is one of them, and probably the most cumbersome.
openssl req -new -out $FILE does not verify that $FILE is a writable
file.

-- 
Florian Weimer[EMAIL PROTECTED]
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT  fax +49-711-685-5898

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Delayed release of OpenSSL 0.9.6a beta 3

[Florian Weimer]

Richard Levitte - VMS Whacker [EMAIL PROTECTED] writes:

 The release of OpenSSL 0.9.6a beta3 and the true release have been
 delayed.  The reason for the delay is mainly due to the following
 paper and the need to add a fix for the problem it describes:
 
 http://crypto.stanford.edu/~dabo/abstracts/faults.html

Thanks for addressing this issue.  The current fix for RSA-CRT, i.e.

+   if (rsa-e  rsa-n)
+   {
+   if (!meth-bn_mod_exp(vrfy,r0,rsa-e,rsa-n,ctx,NULL)) goto err;
+   if (BN_cmp(I, vrfy) != 0)
+   {
+   if (!meth-bn_mod_exp(r0,I,rsa-d,rsa-n,ctx,NULL)) goto err;
+   }
+   }

is not activated if the key material doesn't provide n.  Wouldn't it
be a good idea to calculate n = pq if it's not present?

Of course, calculating e is not so easy, but it should be possible to
derive it as well (from d and q).

OTOH, it's probably faster to calculate n = pq and not to rely CRT at
all.

-- 
Florian Weimer[EMAIL PROTECTED]
University of Stuttgart   http://cert.uni-stuttgart.de/
RUS-CERT  +49-711-685-5973/fax +49-711-685-5898
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]