OpenLDAP
Up to top level
Build   Contrib   Development   Documentation   Historical   Incoming   Software Bugs   Software Enhancements   Web  

Logged in as guest

Viewing Software Bugs/7506
Full headers

From: ben@bjencks.net
Subject: Diffie-Hellman parameters (DHParamFile) are improperly handled
Compose comment
Download message
State:
0 replies:
3 followups: 1 2 3

Major security issue: yes  no

Notes:

Notification:


Date: Mon, 28 Jan 2013 00:13:04 +0000
From: ben@bjencks.net
To: openldap-its@OpenLDAP.org
Subject: Diffie-Hellman parameters (DHParamFile) are improperly handled
Full_Name: Ben Jencks
Version: git master
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2601:8:580:1d:5e6:2c43:96d0:4503)


Both tls_g.c for GnuTLS and tls_o.c for OpenSSL have major problems in their
handling of DHParamFile. Additionally, the documentation is not entirely
accurate.

For GnuTLS, DH parameters are entirely unimplemented. There appears to be an
attempt at generating them in tlsg_ctx_init, but they're never attached to
ctx->cred, so they're unused. Additionally, the size is hardcoded.

For OpenSSL, there's an attempt to support multiple sizes, but unfortunately
it's misusing the OpenSSL API and only 512 or 1024 bit parameters will ever be
used. The callback with specified size is only useful for export ciphers: the
size isn't negotiated, it's only specified as a maximum when the export flag is
set [1]. You want to specify exactly one size and parameter set.

The documentation refers to a non-existent TLSEphemeralDHParamFile option.

Patches are available below:
http://www.bjencks.net/openldap/0001-tls_g.c-Properly-support-DHParamFile.patch
http://www.bjencks.net/openldap/0002-tls_o.c-Fix-Diffie-Hellman-parameter-usage.patch
http://www.bjencks.net/openldap/0003-DHParamFile-Update-docs.patch

I'm a little uncomfortable with leaving a hardcoded parameter set in the OpenSSL
code, but I figured it would break compatibility to remove it. A better solution
(and the one recommended by OpenSSL) is to add parameter generation to the
install scripts. If you'd prefer that, I can modify the patch to get rid of the
hardcoded parameter and just not set a DH on the SSL_CTX without a file
specified.

The attached file is derived from OpenLDAP Software. All of the modifications to
OpenLDAP Software represented in the following patch(es) were developed by
Meddius. Meddius has not assigned rights and/or interest in this work to any
party. I, Ben Jencks am authorized by Meddius, my employer, to release this work
under the following terms.

Meddius hereby places the attached modifications to OpenLDAP Software (and only
these modifications) into the public domain. Hence, these modifications may be
freely used and/or redistributed for any purpose with or without attribution
and/or other notice.

[1] http://permalink.gmane.org/gmane.comp.encryption.openssl.user/45805

Followup 1

Download message
Date: Sun, 27 Jan 2013 19:28:17 -0500
From: Ben Jencks <ben@bjencks.net>
To: openldap-its@openldap.org
Subject: Re: (ITS#7506) Diffie-Hellman parameters (DHParamFile) are improperly
 handled
I suppose I should attach a test case:

cd $WORKDIR
openssl dhparam 1536 > dh1536.pem
openssl req -new -newkey rsa:2048 -keyout server.key \
  -out server.crt -sha256 -nodes -subj '/CN=localhost/' -x509

For GnuTLS, load the following config:
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCertificateFile: $WORKDIR/server.crt
olcTLSCertificateKeyFile: $WORKDIR/server.key
olcTLSCipherSuite: NONE:+VERS-TLS1.1:+VERS-TLS1.0:+AES-128-CBC:
 +DHE-RSA:+SHA1:+COMP-NULL
olcTLSDHParamFile: $WORKDIR/dh1536.pem

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config

For Openssl, change olcTLSCipherSuite to:
olcTLSCipherSuite: aRSA+AES128+kEDH

Start up slapd with the config, listening on ldaps://localhost:6636.

openssl s_client -connect localhost:6636

With GnuTLS this will fail negotiation; with OpenSSL it will use 1024
bit parameters rather than the 1536 bits params we specified.

The only way I've found to find the actual parameter size is to tcpdump
the negotiation. First, verify that the negotiated cipher suite is
DHE-RSA-AES128-SHA according to s_client, then:

tcpdump -i lo -wldap.pcap port 6636
wireshark ldap.pcap
Apply the SSL decode to the traffic (right click on packet, Decode As,
Transport tab, SSL), find the Server Key Exchange packet, select the
Server Key Exchange portion of the handshake message, and look at the
hex dump.

It should start with 0c, followed by a three byte size, then the next
two bytes are the length of the DH parameters: 0080 for 1024 bits, 00c0
for 1536 bits.

On 01/27/2013 07:13 PM, openldap-its@OpenLDAP.org wrote:
> *** THIS IS AN AUTOMATICALLY GENERATED REPLY ***
> 
> Thanks for your report to the OpenLDAP Issue Tracking System.  Your
> report has been assigned the tracking number ITS#7506.
> 
> One of our support engineers will look at your report in due course.
> Note that this may take some time because our support engineers
> are volunteers.  They only work on OpenLDAP when they have spare
> time.
> 
> If you need to provide additional information in regards to your
> issue report, you may do so by replying to this message.  Note that
> any mail sent to openldap-its@openldap.org with (ITS#7506)
> in the subject will automatically be attached to the issue report.
> 
> 	mailto:openldap-its@openldap.org?subject=(ITS#7506)
> 
> You may follow the progress of this report by loading the following
> URL in a web browser:
>     http://www.OpenLDAP.org/its/index.cgi?findid=7506
> 
> Please remember to retain your issue tracking number (ITS#7506)
> on any further messages you send to us regarding this report.  If
> you don't then you'll just waste our time and yours because we
> won't be able to properly track the report.
> 
> Please note that the Issue Tracking System is not intended to
> be used to seek help in the proper use of OpenLDAP Software.
> Such requests will be closed.
> 
> OpenLDAP Software is user supported.
> 	http://www.OpenLDAP.org/support/
> 
> --------------
> Copyright 1998-2007 The OpenLDAP Foundation, All Rights Reserved.
> 



Followup 2

Download message
Date: Sat, 07 Sep 2013 07:11:34 -0700
From: Howard Chu <hyc@symas.com>
To: ben@bjencks.net, openldap-its@openldap.org
Subject: Re: (ITS#7506) Diffie-Hellman parameters (DHParamFile) are improperly
 handled
ben@bjencks.net wrote:
> I suppose I should attach a test case:

Thanks, patches applied to master (with some tweaks).
>
> cd $WORKDIR
> openssl dhparam 1536 > dh1536.pem
> openssl req -new -newkey rsa:2048 -keyout server.key \
>    -out server.crt -sha256 -nodes -subj '/CN=localhost/' -x509
>
> For GnuTLS, load the following config:
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcTLSCertificateFile: $WORKDIR/server.crt
> olcTLSCertificateKeyFile: $WORKDIR/server.key
> olcTLSCipherSuite: NONE:+VERS-TLS1.1:+VERS-TLS1.0:+AES-128-CBC:
>   +DHE-RSA:+SHA1:+COMP-NULL
> olcTLSDHParamFile: $WORKDIR/dh1536.pem
>
> dn: olcDatabase={0}config,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {0}config
>
> For Openssl, change olcTLSCipherSuite to:
> olcTLSCipherSuite: aRSA+AES128+kEDH
>
> Start up slapd with the config, listening on ldaps://localhost:6636.
>
> openssl s_client -connect localhost:6636
>
> With GnuTLS this will fail negotiation; with OpenSSL it will use 1024
> bit parameters rather than the 1536 bits params we specified.
>
> The only way I've found to find the actual parameter size is to tcpdump
> the negotiation. First, verify that the negotiated cipher suite is
> DHE-RSA-AES128-SHA according to s_client, then:
>
> tcpdump -i lo -wldap.pcap port 6636
> wireshark ldap.pcap
> Apply the SSL decode to the traffic (right click on packet, Decode As,
> Transport tab, SSL), find the Server Key Exchange packet, select the
> Server Key Exchange portion of the handshake message, and look at the
> hex dump.
>
> It should start with 0c, followed by a three byte size, then the next
> two bytes are the length of the DH parameters: 0080 for 1024 bits, 00c0
> for 1536 bits.



-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 3

Download message
Date: Sat, 07 Sep 2013 07:29:49 -0700
From: Howard Chu <hyc@symas.com>
To: ben@bjencks.net, openldap-its@openldap.org
Subject: Re: (ITS#7506) Diffie-Hellman parameters (DHParamFile) are improperly
 handled
Howard Chu wrote:
> ben@bjencks.net wrote:
>> I suppose I should attach a test case:
>
> Thanks, patches applied to master (with some tweaks).
>>
>> cd $WORKDIR
>> openssl dhparam 1536 > dh1536.pem
>> openssl req -new -newkey rsa:2048 -keyout server.key \
>>     -out server.crt -sha256 -nodes -subj '/CN=localhost/' -x509
>>
>> For GnuTLS, load the following config:
>> dn: cn=config
>> objectClass: olcGlobal
>> cn: config
>> olcTLSCertificateFile: $WORKDIR/server.crt
>> olcTLSCertificateKeyFile: $WORKDIR/server.key
>> olcTLSCipherSuite: NONE:+VERS-TLS1.1:+VERS-TLS1.0:+AES-128-CBC:
>>    +DHE-RSA:+SHA1:+COMP-NULL
>> olcTLSDHParamFile: $WORKDIR/dh1536.pem
>>
>> dn: olcDatabase={0}config,cn=config
>> objectClass: olcDatabaseConfig
>> olcDatabase: {0}config
>>
>> For Openssl, change olcTLSCipherSuite to:
>> olcTLSCipherSuite: aRSA+AES128+kEDH
>>
>> Start up slapd with the config, listening on ldaps://localhost:6636.
>>
>> openssl s_client -connect localhost:6636
>>
>> With GnuTLS this will fail negotiation; with OpenSSL it will use 1024
>> bit parameters rather than the 1536 bits params we specified.
>>
>> The only way I've found to find the actual parameter size is to tcpdump
>> the negotiation. First, verify that the negotiated cipher suite is
>> DHE-RSA-AES128-SHA according to s_client, then:
>>
>> tcpdump -i lo -wldap.pcap port 6636
>> wireshark ldap.pcap
>> Apply the SSL decode to the traffic (right click on packet, Decode As,
>> Transport tab, SSL), find the Server Key Exchange packet, select the
>> Server Key Exchange portion of the handshake message, and look at the
>> hex dump.
>>
>> It should start with 0c, followed by a three byte size, then the next
>> two bytes are the length of the DH parameters: 0080 for 1024 bits, 00c0
>> for 1536 bits.

For future reference, you can check this just using
openssl s_client -connect localhost:6636 -debug -state

SSL_connect:SSLv3 read server certificate A
read from 0x16b0c20 [0x16b6cf3] (5 bytes => 5 (0x5))
0000 - 16 03 02 03 0d                                    .....
read from 0x16b0c20 [0x16b6cf8] (781 bytes => 781 (0x30D))
0000 - 0c 00 03 09 01 00 a8 e0-4a 3d d1 d2 73 a8 bd 2e   ........J=..s...

In this case 0c 00 03 09 marks the Server Key Exchange and length, and 01 00 
indicates 2048 bits (which matches the dhparams I used).

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/


Up to top level
Build   Contrib   Development   Documentation   Historical   Incoming   Software Bugs   Software Enhancements   Web  

Logged in as guest


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org