[openssl-users] Authentication over ECDHE

Richard Levitte levitte at openssl.org
Mon Dec 31 15:43:42 UTC 2018

I'll go ahead and ask, how long do you think such a back door would
stay unnoticed, let alone survive?  I'm considering the fact that we
have a lot of people looking at our code, just judging from the issues
and pull requests raised on github.

I can't say that I have an actual answer, but it's a question worth
asking as well, to see if the T.O.L.A. Act is worth a state of panic
or not.

Richard ( who's on vacation and should stop reading these mails )

In message <11EDC036-87D3-4757-AD33-80C6E608F77F at foocrypt.net> on Tue, 1 Jan 2019 01:27:53 +1100, "openssl at foocrypt.net" <openssl at foocrypt.net> said:

> Matt et al
> 'been reviewed and approved by two current OpenSSL committers (one of whom must
> be on the OpenSSL Management Committee).’
> Due to the recent legislative changes here in Australia around the T.O.L.A. Act, can a change be
> made to the OpenSSL policy so that the 2 reviewers, don’t reside in Australia, or are Australian
> citizens ?
> ABI/API changes -> breaks -> back door requests….
> --
> Regards,
> Mark A. Lane
> Cryptopocalypse NOW 01 04 2016
> Volumes 0.0 -> 10.0 Now available through iTunes - iBooks @
> https://itunes.apple.com/au/author/mark-a.-lane/id1100062966?mt=11
> © Mark A. Lane 1980 - 2019, All Rights Reserved.
> © FooCrypt 1980 - 2019, All Rights Reserved.
> © FooCrypt, A Tale of Cynical Cyclical Encryption. 1980 - 2019, All Rights Reserved.
> © Cryptopocalypse 1980 - 2019, All Rights Reserved.
>  On 1 Jan 2019, at 01:11, Matt Caswell <matt at openssl.org> wrote:
>  On 31/12/2018 11:36, C.Wehrmeyer wrote:
>  On 31.12.18 10:12, Richard Levitte wrote:
>  Yes, it's true, new features are going in. And it's true that it's
>  often more exciting to add new features than to do the janitorial
>  work.
>  You realised what I have left unspoken thus far, which is this almost
>  obsession-like preference of OSS coders to add new features rather than
>  improving the old, boring codebase. However, there's a reason why it's still
>  called code*base*. It's the base of everything. And adding more and more
>  features to that base is going to make ripping off the band-aid more painful in
>  the long run.
>  There has been a huge amount of effort put in over the last few years to improve
>  the codebase. Things that immediately spring to mind (and there's probably a
>  whole load more):
>  - Rewrite of the state machine
>  - libssl record layer refactor
>  - Implementation of the PACKET and WPACKET abstractions in libssl
>  - Rewrite of the rand code
>  - Implementation of the new test harness
>  - Significant effort into developing tests
>  - Implementation of the coding style and reformat of the codebase to meet it
>  - Opaque many of the structures (which I know you don't see as an improvement,
>  but I'll answer that point separately)
>  - Implementation of continuous fuzzing
>  - Significant expansion of the documentation coverage
>  It is simply not true to claim that we have "an obsession-like preference...to
>  add new features rather than improving the old, boring codebase". None of the
>  above things resulted in or were motivated by user visible features. They were
>  all about improving the codebase.
>  Also, infrastructure again. I, as a user, don't care if the kernel gets a new
>  feature that makes some black magic happening. What I care about is that the
>  kernel doesn't throw away my writes (which has happened in May of 2018, see):
>  https://www.postgresql.org/message-id/flat/CAMsr%2BYE5Gs9iPqw2mQ6OHt1aC5Qk5EuBFCyG%2BvzHun1EqMxyQg%40mail.gmail.com#CAMsr+YE5Gs9iPqw2mQ6OHt1aC5Qk5EuBFCyG+vzHun1EqMxyQg@mail.gmail.com)
>  Cryptography libs should be equally conservative, considering that cryptography
>  is conservative to begin with. I don't care if TLS 1.3 lets me use new exiting
>  ciphers and handshakes when it unreasonably bogs down my server code.
>  BUT, you also have to appreciate that stuff is happening around us
>  that affects our focus. TLS 1.3 happened, and rather than having to
>  answer the question "why don't you have TLS 1.3 yet?" (there's a LOT
>  of interest in that version), we decided to add it.
>  Sure, but didn't Matt just say that there are a lot of volunteers working on
>  that library? The disadvantage here is that quality assurance is barely a thing
>  - however, the *advantage* of this is that OpenSSL does not have to follow
>  commercial interests. If we look at this at face value you could just say "No,
>  people, it's high time we streamline some of the internal aspects of the
>  library, TLS 1.3 will have to wait. You can't wait that long? Well, sorry".
>  However, your message is clear, we do need to do some cleanup as
>  well. More than that, I agree with you that it's needed (I've
>  screamed out in angst when stumbling upon particularly ugly or
>  misplaced code, so the feeling is shared, more than you might
>  believe).
>  But what does "cleanup" entail? That's the hot-button question here. I've
>  already made a suggestion, that is to say, getting rid of opaque structures. If
>  that is deemed too insecure (for whatever reasons), export symbols that allow
>  programmers to query the size of structures, and provide two versions of
>  functions: one function expects the caller to pass an object to which the
>  changes are to be made, and the other one allocates the necessary memory
>  dynamically and then calls the first version. Or just don't allocate my object
>  memory dynamically anymore.
>  That being said, cleanup happens, and documentation happens, in a
>  piecemeal fashion, 'cause that's what most people have capacity for.
>  So, what you're effectively saying is that I'm the first one who ever asked for
>  SSL object reuse, right? Because if piecemeal work happens on the documentation,
>  and Viktor says that it's possible, then surely no one would have ever answered
>  that question on the mailing list and *not* put it piecemeal-ly in the OpenSSL
>  documentation, right?
>  Now, here's something else that you need to consider: API/ABI
>  compatibility needs to be preserved.
>  No it doesn't. We *know* it doesn't. When OpenSSL 1.1 was released it broke all
>  *sorts* of applications out there, because all sorts of applications used struct
>  fields rather than accessors. wget, mutt, neon, python, you name it, you broke it.
>  API/ABI stability is absolutely required. Every time we make a breaking change
>  it is painful for our users - and more pain is felt the bigger the scale of the
>  break. We simply cannot go around making wholesale breaks on an ongoing basis.
>  If we did so then OpenSSL would be a lot less useful to our users.
>  This is not to say that we can *never* make breaking changes. Only that when we
>  do so it must be strongly justified and only done relatively infrequently. We
>  made such a decision when we decided to make the structures opaque. It's not a
>  decision we are likely to repeat anytime soon IMO. We are still feeling the pain
>  of that now (and will continue to do so for at least the next year until 1.0.2
>  goes out of support - and probably beyond that).
>  Which brings me onto why structures were made opaque in the first place. A
>  significant driver for this (probably *the* most important one) was to improve
>  the codebase. I have witnessed first hand the harm that non-opaque structures
>  did to OpenSSL. We will be fixing the fallout from them for years to come.
>  Non-opaque structures combined with the requirements for stable API/ABI means
>  you cannot change anything in those structures. Renaming or deleting structure
>  members constitutes an API break. Even *adding* structure members constitutes an
>  ABI break (due to the changed size of the structure). This means the code
>  ossifies over time and cannot easily be refactored. Much of OpenSSL's internal
>  "quirkiness" results from attempting to work around this restriction.
>  Things like the state machine refactor and the record layer refactor would not
>  have been possible without opaque structures. In my mind making the structures
>  opaque was one of the best things that ever happened to OpenSSL.
>  https://breakpoint.cc/openssl-1.1-rebuild-2016-08-26/
>  So since when do we need to consider API/ABI compatibility? Did we grow up
>  recently?
>  Or maybe OpenSSL should have switched the language. The point of C is that
>  structures are public. And if I'm going to be honest that approach saved my
>  sorry arse more than a couple times. When zlib choked because it couldn't go
>  past 4 GiBs of data since its fields were uint32_ts, I was able to easily
>  workaround this problem. But what do I know.
>  If you really want to fiddle with OpenSSL internal structures - feel free. Just
>  include the OpenSSL internal header files and away you go. Just do so in the
>  knowledge that they could be changed at any time, and your code might break. If
>  this isn't a concern to you then - no problem. If it is a concern to you - then
>  actually you *do* care about API/ABI stability after all.
>  Counting symbols is, however, nothing other than a blunt instrument.
>  Quite a lot of those symbols are convenience macros and functions that
>  have accumulated over time.
>  You're taking my statement out of context. Counting the symbols wasn't supposed
>  to suggest that there are too *many* of them. I'm in no position to say that,
>  seeing as the original context in which my statement was put is that *I'm not
>  familiar enough with the library*.
>  What I said was that reading the code is easy. Learning what the library
>  provides is hard, and that you won't learn much just by looking at the symbols
>  because there's so many of them.
>  But nevertheless, I do hear you call for a remake of the SSL API as
>  well as cleaner internals. The latter is easier, and I'm sure it will
>  happen piecemeal as per usual so as to not break something /
>  inadvertently change a behavior (i.e. break ABI). The former is a
>  fairly massive project, and is more of creating a new API and library
>  rather than a mere cleanup job. That will be a massive effort, and
>  you do have to keep in mind how much time all involved can put into
>  it.
>  I'm not saying it needs to be done right now. I'm merely suggesting that it
>  might be a good goal post for OpenSSL 2.0.
>  Turning structures opaque doesn't prevent people from still messing
>  with their internal fields.
>  True. But it makes for a clear delineation where people are forced to
>  be aware that they are playing with internal stuff, and that it may
>  not be a safe thing to do.
>  Then why not provide small helper functions for covering the "playing with
>  internal stuff" part? That way it's still controlled, and documented, and
>  unified. You guys must've had some examples to show off in order to justify the
>  process, so surely you know what it is that people do when they use internal
>  stuff. Make functions for those. Don't give them any reason to continue playing
>  with internal stuff.
>  I don't like code that tries to protect programmers from themselves. I like code
>  that lets good programmers do smart things. And if bad programmers use that
>  freedom to do bad stuff, then doesn't that mean your API simply didn't support
>  this, and they had to make it work somehow else? Again, helper functions.
>  Uhmmmm.... this is factually incorrect. OpenSSL doesn't use its own
>  memory pooling. We have thin wrappers around the usual malloc() /
>  realloc() / free(), which allows any application to do its own memory
>  pooling.
>  https://web.archive.org/web/20150207180717/http://article.gmane.org/gmane.os.openbsd.misc/211963
>  The BUF_FREELISTS code that this post references was ripped out years ago. This
>  no longer represents the current state of OpenSSL in any supported version.
>  To conclude, I have a question for you: are you only willing to rant
>  (*), or are you willing to help out in another way?
>  This is not the question I feel you should ask because we haven't even
>  established if I *could* make contributions to the project, as my mindset
>  appears to be so much more different. Especially the idea of not wanting to
>  break APIs/ABIs is a huge limitation - just looking at SSL_new() made me give up
>  hope here.
>  Yes - not breaking APIs/ABIs is a huge limitation. BoringSSL is not suitable for
>  general purpose use precisely because of this. The only users BoringSSL cares
>  about whether they break or not are Google users. As soon as you have a library
>  that wants to cater for large numbers of users (which we do) then you have to
>  accept that limitation.
>  As to whether or not we have established whether you *could* make such
>  contributions - I think you are missing the point. We cannot know whether you
>  are capable or not until you try. It is on the basis of your code that we would
>  make such a judgement. In order for your code to get into OpenSSL it must have
>  been reviewed and approved by two current OpenSSL committers (one of whom must
>  be on the OpenSSL Management Committee). We invite anyone to contribute. In
>  order for this to be a healthy open-source community we *need* those
>  contributions. Only those that make the grade will make it in.
>  Note - this review process wasn't always the case. Things used to be much more
>  informal in pre-heartbleed days. This is no longer the case.
>  I'm no cryptography expert, I've made that clear from mail one, and my cleanup
>  jobs would be more widespread than what seems to be deemed acceptable right now.
>  I can read and write scalable C code, otherwise I wouldn't even have tried to
>  reuse that SSL object from the beginning.
>  So, I ask a question in return: what do you think I *could* be helping with?
>  Well, you have vocally complained about the state of the documentation. You have
>  the benefit of being a new OpenSSL user. You know what things were confusing or
>  unclear in the documentation. More experienced OpenSSL coders often don't have
>  the perspective - because some things are just "obvious" to them. So help with
>  pull requests to improve the documentation.
>  Matt
>  --
>  openssl-users mailing list
>  To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

More information about the openssl-users mailing list