Re: Possible memory leak when using ECDHE ciphers in OpenSSL-1.0.1f
Thanks Steve for the response. Given the current way it is done in OpenSSL-1.0.1f, what is the right thing for the application to do? Should the application be using a static EC_KEY for each of the curves that are supported? Thanks Varma On Sat, Feb 15, 2014 at 6:36 AM, Dr. Stephen Henson wrote: > On Thu, Feb 13, 2014, Varma Dantuluri wrote: > > > In OpenSSL-1.0.1f, in 'ssl3_send_server_key_exchange' function, when all > > the below conditions are true, there is a potential memory leak. > > > > 1) 'type & SSL_kEECDH' is true, (ie the key exchange is ephemeral ecdh) > > 2) 'ecdhp == NULL' && 's->cert->ecdh_tmp_cb != NULL' > > 3) 's->cert->ecdh_tmp_cb' mallocs a new 'EC_KEY' and returns the > allocated > > pointer. > > > > This allocated 'EC_KEY', 'ecdhp' is later copied to 'ecdh' using > > 'EC_KEY_dup'. But 'ecdhp' is not freed in the function. > > > > I would think that the call back functions would allocate a new EC_KEY, > > atleast sometimes if not everytime. And whenever the allocation is done, > > that memory is leaked. > > > > Well the callback works in the same way as the DH equivalent. For DH the > intention is that DH parameters had been pre-loaded and you just pass a > pointer to the already allocated pointer instead of allocating it on > demand. > So you might (for example) load a set of DH parameters and then return the > same DH pointer in multiple callbacks. > > This isn't really appopriate for ECDH (where you don't "generate" or > "load" a > curve, you just set it) but changing it would badly break compatibility > with > applications that do the right thing, typically with a double free error. > > In 1.0.2 and later you can forget about ECDH callbacks altogether and just > set > auto ECDH support and it will automatically select appropriate parameters. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org >
Possible memory leak when using ECDHE ciphers in OpenSSL-1.0.1f
In OpenSSL-1.0.1f, in 'ssl3_send_server_key_exchange' function, when all the below conditions are true, there is a potential memory leak. 1) 'type & SSL_kEECDH' is true, (ie the key exchange is ephemeral ecdh) 2) 'ecdhp == NULL' && 's->cert->ecdh_tmp_cb != NULL' 3) 's->cert->ecdh_tmp_cb' mallocs a new 'EC_KEY' and returns the allocated pointer. This allocated 'EC_KEY', 'ecdhp' is later copied to 'ecdh' using 'EC_KEY_dup'. But 'ecdhp' is not freed in the function. I would think that the call back functions would allocate a new EC_KEY, atleast sometimes if not everytime. And whenever the allocation is done, that memory is leaked. Thanks Varma
Re: Generation ECDHE parameters
Thanks Steve for the response. That was very useful information. Thanks Varma On Thu, Aug 23, 2012 at 6:05 AM, Dr. Stephen Henson wrote: > On Wed, Aug 22, 2012, Varma Dantuluri wrote: > > > Hi > > > > We are in the process of adding support for ECDSA-ECDHE cipher suites and > > hence ECDSA certificates to our server. > > > > Right now, the server does the following: > > > > 1) Assign the ECDSA certificate to the SSL_CTX. > > 2) Set the callback for ECDH parameter generation using > > SSL_CTX_set_tmp_ecdh_callback. > > > > In ssl3_send_server_key_exchange, when this callback is called, the value > > of 'keylength' parameter is always either 512 or 1024. Shouldnt > 'keylength' > > have the curve name or id in the case of ECDH? Are we doing something > wrong > > here? > > > > No, it's a limitation in some versions of OpenSSL. You basically have to > pick > a curve you think the peer will support, P-256 is usually a safe choice. If > the peer doesn't support it then ECDHE will be disabled. You might as as > well > set the curve using SSL_CTX_set_tmp_ecdh instead of the callback. > > This is fixed in the development version of OpenSSL: for that you can just > set > it to automatically use the right curve based on client and server > preferences. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org >
Generation ECDHE parameters
Hi We are in the process of adding support for ECDSA-ECDHE cipher suites and hence ECDSA certificates to our server. Right now, the server does the following: 1) Assign the ECDSA certificate to the SSL_CTX. 2) Set the callback for ECDH parameter generation using SSL_CTX_set_tmp_ecdh_callback. In ssl3_send_server_key_exchange, when this callback is called, the value of 'keylength' parameter is always either 512 or 1024. Shouldnt 'keylength' have the curve name or id in the case of ECDH? Are we doing something wrong here? Thanks Varma
Use of X_FLAG_NON_FIPS_ALLOW flag in FIPS Module 2.0
OpenSSL 1.0.1 has the following flag definitions: RSA_FLAG_NON_FIPS_ALLOW DSA_FLAG_NON_FIPS_ALLOW EC_FLAG_NON_FIPS_ALLOW EVP_CIPH_FLAG_NON_FIPS_ALLOW EVP_MD_CTX_FLAG_NON_FIPS_ALLOW And these flags are checked in either the FIPS Module 2.0 code itself (fipscanister.o) or in the FIPS capable OpenSSL (libcrypto). If an application using FIPS capable OpenSSL: 1) Sets the FIPS mode of FIPS Module 2.0 AND 2) Sets the above NON_FIPS_ALLOW flags Is the FIPS certificate of FIPS Module 2.0 violated? Thanks Varma
Re: OpenSSL FIPS Module 2.0 and OpenSSL 0.9.8x
Thanks Steve. Just curious as to why this cannot be done. Is it because of some structure changes between 0.9.8 and 1.0.1? Thanks Varma On Tue, Dec 6, 2011 at 7:25 AM, Steve Marquess < marqu...@opensslfoundation.com> wrote: > On 12/05/2011 08:39 PM, Varma Dantuluri wrote: > > Hi > > > > Can the new OpenSSL FIPS 2.0 module be used with OpenSSL 0.9.8 > > releases? Or can it only be used with OpenSSL 1.0.1 and later? > > No, it can't -- it is designed for use with 1.0.1 and greater only. > > -Steve M. > > -- > Steve Marquess > OpenSSL Software Foundation, Inc. > 1829 Mount Ephraim Road > Adamstown, MD 21710 > USA > +1 877 673 6775 s/b > +1 301 874 2571 direct > marqu...@opensslfoundation.com > >
OpenSSL FIPS Module 2.0 and OpenSSL 0.9.8x
Hi Can the new OpenSSL FIPS 2.0 module be used with OpenSSL 0.9.8 releases? Or can it only be used with OpenSSL 1.0.1 and later? Thanks Varma