[openssl-users] Authentication over ECDHE
C.Wehrmeyer
c.wehrmeyer at gmx.de
Sat Dec 29 17:18:48 UTC 2018
On 29.12.18 16:53, Jakob Bohm via openssl-users wrote:
> The session caching in the SSL and TLS protocols is to skip the
> expensive key exchange when reconnecting within a few seconds,
> as is extremely common with web browsers opening up to 8 parallel
> connections to each server.
My outburst was somewhat out of line. SSL_clear() is not *completely*
superfluous, you're right, but it's incredibly limited.
> There is hopefully a configuration option to tell the OpenSSL server
> end SSL_CTX to not do this, just as there should (for multi-process
> web servers) be an option to hand the state storage over to the web
> server application for inter-process sharing in whatever the web
> server application (and its configuration) deems secure.
Then why doesn't the documentation page of SSL_clear() mention this
directly? "If you want to reuse an SSL object, use this function to set
some option on the SSL_CTX object".
On 29.12.18 17:08, Richard Levitte wrote:
> ... I'm not sure about you, but I have a hard time seeing how one
> would trim off fat from *public* structures that everyone and their
> stray cat might be tinkering in. Trimming off fat usually means
> restructuring the structures, and unless they're opaque, the freedom
> to do so is severily limited.
You're implying that people can't do that anymore. Let me assure you
that they still can, you just made it a little harder for people who're
really determined to walk outside of the API bounds.
On the other hand you've made the normal applications programmers job -
which is to know where and when to allocate and free memory - a lot
harder. Here I am, having a bunch of objects all sitting in a designated
memory area of mine - which I can initialise, reset, and reuse just how
I seem fit (not that I want to horribly break SSL objects, I just want
to determine where they are stored) - and I can't use them because the
OpenSSL devs are working on taking a little bit of power from me that I
need in order to help the library do smart things.
Like, imagine that I know I'll need:
- a context object
- a connection object
- a BIO object
- some X.509 cert object/memory/whatever
- and so forth and so on
And that not just once, but for a thousand connections. As an
application programmer who knows a thing or two about scalable
programming I'd be like: OK, that's fantastic. I can mmap the necessary
memory, use hugepages, reduce the TLB, and just have all that stuff
written on the same chunk without metadata or padding inbetween, which
doesn't bloat our D$. Sweet money!
And now I can't do that because the devs want me to use their
single-object-only creation functions who return already allocated
memory to me. I don't get to decide anymore where my objects are
written, I don't get to decide what caching objects are used (maybe I
don't WANT an X.509 cert object, so I could pass NULL to the function
that creates it, or maybe I already HAVE a couple hundred of those lying
here, so you can have them ... no? You prefer your structures to be
opaque? Oh well).
But, you know, it could still be argued that this is safer somehow.
*Somehow*. If not ... for the fact that I don't even seem to be able to
KEEP the objects OpenSSL created for me quite elaborately.
> You do know that your string insert NUL bytes, right? If you have a
> look at how they're used, you might see why those stray NUL bytes
> aren't a good thing.
Yes, I do. See below, I wrote the last part first.
(Also, what? Please have a look again, those stray NUL bytes wouldn't
have ANY effect, at least not that I see it. One memcpy(), two
EVP_DigestUpdate(), and it's always a separately calculated length).
> P.S. as a side note, your message triggered profanity filters. I
> don't really care, it's not our filters, but this is just to inform
> you that your rant didn't quite reach everyone (those with profanity
> filters in place)
> /postmaster
It's just that this is so stupid to me. I'm no crypto master, I know
that. But I constantly hear about timing attacks and side channels and
all that, so I tried to avoid stepping into the pitfalls that other
people would do - and then I'm being told it's SUPPOSED to be like that.
Come on, please! It's almost as if the devs aren't even trying.
On 29.12.18 17:21, J. J. Farrell wrote:> So instead of correct portable
code which derives obviously and
> straightforwardly from the specification, you'd write arrays of a
> different length from the original, the first 48 bytes of which would
> only be correct in some compilation environments, and even in the cases
> where those 48 bytes end up correct they have no obvious relationship to
> the specification they are implementing (your obfuscation making the
> code much more difficult to review). How are these changes improvements?
Another implication, this time that my code isn't perfectly portable
code. There is *one* environment I could think of where this wouldn't be
the case - that being Shift JIS environments that tinker with ASCII
standard by replacing a backslash with a Japanese half-width Yen sign -
however:
1. we'll already have much, MUCH bigger problems if ASCII isn't the
encoding the compiler is expecting here, so exchanging 0x5c for '\' is
not going to ruin much more here. And it doesn't even matter anyway
because any Shift JIS editor would display this as the half-width Yen
sign *anyways*. (And that being said, since the main criticism of the
Han unification of the Unicode consortium came from the Japanese, I
don't care if they're going to throw another fit. They can't even
prevent mojibake between mainly Japanese character encodings. At least
ISO-8859-1/CP1252 has the excuse of being the most popular encoding in
the entire west, so ... whatever. Just let them rail.)
2. to be honest I wouldn't have have this be a static array at all, but
rather an exportable pointer and an exportable variable that would hold
the string's size minus one. However, if you actually HAD looked at the
code as is - which you obviously haven't because you wouldn't have even
brought it up then - the size of the array is completely inconsequential
in that particular code. That's right: they don't even derive the
amounts of bytes to copy from the string directly, but rather just use a
constant:
> npad = (48 / md_size) * md_size;
Oh, you want me to change that? No problem:
> #define STRING \
> "xxxxxxxx" \
> "xxxxxxxx" \
> "xxxxxxxx" \
> "xxxxxxxx" \
> "xxxxxxxx" \
> "xxxxxxxx"
>
> const unsigned char string_length = sizeof(STRING) - 1;
> const char*string = STRING;
>
> npad = (string_length / md_size) * md_size;
Hell, I could even create a macro for this so that I don't even need the
explicit definition of STRING here. It's not as if OpenSSL shies away
from the concept of using macros to auto-generate a plethora of symbols
(I'm looking at include/openssl/crypto.h right now).
> I'd walk you out of an interview if you offered this as an
> implementation, let alone as an improvement.
Don't worry, I'd fire you on the spot if you had checked in the existing
code, so I'll call it quits.
More information about the openssl-users
mailing list