[openssl-users] DTLS Handshake issue (openssl-1.0.1e-dtls-ecc-ext.patch) leads to process crash

sanchit arora sanchit1.arora at gmail.com
Tue Feb 10 14:50:06 UTC 2015 

Which distro?
>>>>>>>>>>>>>>

OS is Red Hat Enterprise Linux Server release 6.5
OpenSSL Version :1.0.1e


All of the above are vendor specific patches (probably based on original
OpenSSL commits). However I don't know from the name what dtls-ecc-ext
is referring to. You would need to address your specific question to
your vendor.
>>>>>>>

The patch openssl-1.0.1e-dtls-ecc-ext.patch with changes is decribed below:

https://bugzilla.redhat.com/show_bug.cgi?id=1119800

Could it be that the changes in the above patch are causing issues in
DTLS Handshake causing the process to crash always at the below
location:

#4  <signal handler called>
#5  0x00007f61e97188e9 in sha1_block_data_order_ssse3 () from
/usr/lib64/libcrypto.so.10
#6  0xad89a0d6776026f6 in ?? ()
#7  0xf9e71fd74025dad7 in ?? ()
#8  0x2243d5d8167d7997 in ?? ()
#9  0x8bbb75d9b4efd5d8 in ?? ()
#10 0xea9689da4d4ac2cb in ?? ()
#11 0x7067bc5f5034983b in ?? ()
#12 0xe19f5aa4a5679ed0 in ?? ()
#13 0x8ecbf7e83d1d8ccd in ?? ()
#14 0x00007f61e9a827ce in state () from /usr/lib64/libcrypto.so.10
#15 0x00000000bc803cd0 in ?? ()
#16 0x0000000000000011 in ?? ()
#17 0x00007f61e9715de7 in SHA1_Update () from /usr/lib64/libcrypto.so.10
#18 0x00007f61e97899fd in ssleay_rand_add () from /usr/lib64/libcrypto.so.10
#19 0x00007f61e9ed92f9 in dtls1_accept () from /usr/lib64/libssl.so.10

Is it possible that you can run the latest 1.0.1 version of standard
OpenSSL (i.e. OpenSSL 1.0.1l)? There have been some significant DTLS
related fixes that have been applied in recent versions.
>>>>>>>>>

it would not be possible as other modules are also using 1.0.1e version.

Thanks,
Sanchit Arora

On Mon, Feb 9, 2015 at 6:07 PM, Matt Caswell <matt at openssl.org> wrote:
>
>
> On 09/02/15 20:17, sanchit arora wrote:
>> Bug report
>>
>> OS: Linux
>
> Which distro?
>
>>
>> OpenSSL Version: 1.0.1e-30
>
> That is not an OpenSSL version - that is an OS vendor specific version
> based on OpenSSL 1.0.1e
>
>> While doing DTLS testing with openssl-1.0.1e-30 Version and patches
>> for RT3327, RT3470 and RT3483 on top of that, we are facing an issue
>> where our process is crashing during the duration run of 24 hours.
>>
>> Use Case:
>> *        There are 125 DTLS Server Connections and 125 DTLS Client Connections.
>> *        Connection Attempts towards Server connections are also being
>> made every 1 second.
>> *        Client Connections are initiating connection attempts every 1 second .
>> *        SSL Handshake is made to fail so that connection attempts
>> continues and there are no crashes observed.
>>
>> During the above duration run, process is always crashing at the below
>> location always.
>>
>> #4  <signal handler called>
>> #5  0x00007f61e97188e9 in sha1_block_data_order_ssse3 () from
>> /usr/lib64/libcrypto.so.10
>> #6  0xad89a0d6776026f6 in ?? ()
>> #7  0xf9e71fd74025dad7 in ?? ()
>> #8  0x2243d5d8167d7997 in ?? ()
>> #9  0x8bbb75d9b4efd5d8 in ?? ()
>> #10 0xea9689da4d4ac2cb in ?? ()
>> #11 0x7067bc5f5034983b in ?? ()
>> #12 0xe19f5aa4a5679ed0 in ?? ()
>> #13 0x8ecbf7e83d1d8ccd in ?? ()
>> #14 0x00007f61e9a827ce in state () from /usr/lib64/libcrypto.so.10
>> #15 0x00000000bc803cd0 in ?? ()
>> #16 0x0000000000000011 in ?? ()
>> #17 0x00007f61e9715de7 in SHA1_Update () from /usr/lib64/libcrypto.so.10
>> #18 0x00007f61e97899fd in ssleay_rand_add () from /usr/lib64/libcrypto.so.10
>> #19 0x00007f61e9ed92f9 in dtls1_accept () from /usr/lib64/libssl.so.10
>
> There is insufficient information in the above to diagnose the problem.
> We would need a build with full debugging symbols.
>
>
>>
>> When we tested with openssl-1.0.1e-16 Version and patches for RT3327,
>> RT3470 and RT3483 on top of that, the use case works fine.
>>
>> On investigation, we found that there are 11 patches added between
>> openssl-1.0.1e-30 and openssl-1.0.1e-16 version out of which following
>> 3 patches are related to DTLS.
>>
>> openssl-1.0.1e-dtls-ecc-ext.
>> patch
>> openssl-1.0.1e-cve-2014-3513.
>> patch
>> openssl-1.0.1e-fallback-scsv.patch
>>
>> We have narrowed down that when we use openssl-1.0.1e-30 Version with
>> the openssl-1.0.1e-dtls-ecc-ext.patch and patches for RT3327, RT3470
>> and RT3483 on top of that, process crashes with the above abterm
>> during the duration run of 24 hours.
>>
>> When we excluded the openssl-1.0.1e-dtls-ecc-ext.patch from
>> openssl-1.0.1e-30 Version, we didn't see an abterm during the duration
>> run of 24  hours.
>>
>> Therefore, it seems that the openssl-1.0.1e-dtls-ecc-ext.patch is
>> causing the abterm in the duration run.
>>
>> Please let us know if there could be issues with the
>> openssl-1.0.1e-dtls-ecc-ext.patch?
>
> All of the above are vendor specific patches (probably based on original
> OpenSSL commits). However I don't know from the name what dtls-ecc-ext
> is referring to. You would need to address your specific question to
> your vendor.
>
> Is it possible that you can run the latest 1.0.1 version of standard
> OpenSSL (i.e. OpenSSL 1.0.1l)? There have been some significant DTLS
> related fixes that have been applied in recent versions.
>
> Matt
>
>
>
>
>
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

More information about the openssl-users mailing list