DTLS PSK in FIPS mode


DTLS PSK in FIPS mode

Fredrik Jansson-6

Hi!


I am trying to use DTLS with PSK (cipher: SSL_TXT_PSK). Everything works well if I don't set OpenSSL in FIPS mode (FIPS_mode_set(1)).


If I do, I get crashes as below where p =0;


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffddffb700 (LWP 15278)]
0x00007ffff752ebe0 in dtls1_get_record (s=0x7fffc8000c00) at d1_pkt.c:680
680    *p == SSL3_MT_CLIENT_HELLO) &&
(gdb) bt
#0  0x00007ffff752ebe0 in dtls1_get_record (s=0x7fffc8000c00) at d1_pkt.c:680
#1  0x00007ffff752ef7f in dtls1_read_bytes (s=0x7fffc8000c00, type=22, buf=0x7fffddffa990 "\300\251\377\335\377\177", len=12, peek=0) at d1_pkt.c:838
#2  0x00007ffff75327cd in dtls1_get_message_fragment (s=0x7fffc8000c00, st1=8465, stn=8466, max=16384, ok=0x7fffddffaa44) at d1_both.c:788
#3  0x00007ffff7531699 in dtls1_get_message (s=0x7fffc8000c00, st1=8465, stn=8466, mt=1, max=16384, ok=0x7fffddffaa44) at d1_both.c:436
#4  0x00007ffff7503a53 in ssl3_get_client_hello (s=0x7fffc8000c00) at s3_srvr.c:941
#5  0x00007ffff752712c in dtls1_accept (s=0x7fffc8000c00) at d1_srvr.c:298
#6  0x00007ffff7536e85 in SSL_accept (s=0x7fffc8000c00) at ssl_lib.c:940
#7  0x00007ffff752dd38 in dtls1_listen (s=0x7fffc8000c00, client=0x7fffddffacf0) at d1_lib.c:477
#8  0x00007ffff752d715 in dtls1_ctrl (s=0x7fffc8000c00, cmd=75, larg=0, parg=0x7fffddffacf0) at d1_lib.c:263
#9  0x00007ffff7537422 in SSL_ctrl (s=0x7fffc8000c00, cmd=75, larg=0, parg=0x7fffddffacf0) at ssl_lib.c:1106
#10 0x00000000009b64a9 in (anonymous namespace)::listenThread (serverAddr=...) at /home/frja/srv_trunk/src/product/service/dtls/unix/dtlsserver.cpp:586


This is only a problem when combining PSK and FIPS, if I do either FIPS or PSK it works.


Can anyone please help me out?


Fredrik


Re: DTLS PSK in FIPS mode

Fredrik Jansson-6
Hi again,

In d1_pkt.c:574
(s->rstate != SSL_ST_READ_BODY) || (s->packet_length < DTLS1_RT_HEADER_LENGTH)) seems to be false at times. When the program reaches *p == SSL3_MT_CLIENT_HELLO further down it fails (since p is initialized to NULL).

If I add

if (NULL == p) {
   p = s->packet;
}

before *p == SSL3_MT_CLIENT_HELLO, it works.

Should I report a bug?

Fredrik





Re: DTLS PSK in FIPS mode

Dr. Stephen Henson
In reply to this post by Fredrik Jansson-6
On Fri, Oct 25, 2013, Fredrik Jansson wrote:

>
> I am trying to use DTLS with PSK (cipher: SSL_TXT_PSK). Everything works
> well if I don't set OpenSSL in FIPS mode (FIPS_mode_set(1)).
>

Can you reproduce this using s_client and s_server? If so can you give details
of the command lines you used?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: DTLS PSK in FIPS mode

Fredrik Jansson-6
Steve, thanks for getting back!

Since I could not reproduce this using s_client and s_server I set out to take the code I am using into a sample project. 

Doing so I believe I have found the issue, SSL_CTX_set_cipher(ctx, SSL_TXT_PSK) returns an error ("SSL routines:SSL_CTX_set_cipher_list:no cipher match") if I have called FIPS_mode_set(1) first.

My original code did not check the return value of SSL_CTX_set_cipher so that may very well be the cause of the subsequent crash.

Now my question becomes why I cannot select SSL_TXT_PSK when in FIPS mode?

Best regards,
Fredrik



Re: DTLS PSK in FIPS mode

Dr. Stephen Henson
On Mon, Nov 04, 2013, Fredrik Jansson wrote:

> Steve, thanks for getting back!
>
> Since I could not reproduce this using s_client and s_server I set out to
> take the code I am using into a sample project.
>
> Doing so I believe I have found the issue, SSL_CTX_set_cipher(ctx,
> SSL_TXT_PSK) returns an error ("SSL routines:SSL_CTX_set_cipher_list:no
> cipher match") if I have called FIPS_mode_set(1) first.
>
> My original code did not check the return value of SSL_CTX_set_cipher so
> that may very well be the cause of the subsequent crash.
>
> Now my question becomes why I cannot select SSL_TXT_PSK when in FIPS mode?
>

The ciphersuites supported in FIPS mode are restricted to those which use
approved algorithms. PSK at present is not listed though there isn't really
any reason why it can't be included in future.

To test this add the flag SSL_FIPS to the relevant ciphersuites in s3_lib.c

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
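
Added example (not part of the original thread and not OpenSSL code): a simplified C model of the behaviour discussed above, where cipher selection in FIPS mode skips suites that lack a FIPS marker, returns zero matches for PSK, and the caller has to check that result before going on to accept connections. The suite table, the M_* flags and the model_* functions are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
/* Simplified model, not OpenSSL source. Flags are hypothetical stand-ins. */
#define M_PSK  0x1u  /* suite uses pre-shared-key authentication */
#define M_FIPS 0x2u  /* stands in for the SSL_FIPS marker in s3_lib.c */
struct model_suite { const char *name; unsigned flags; };

/* Constructed table: the PSK suites lack the FIPS marker, as in the thread. */
static struct model_suite suites[] = {
    { "AES128-SHA",         M_FIPS },
    { "PSK-AES128-CBC-SHA", M_PSK  },
    { "PSK-AES256-CBC-SHA", M_PSK  },
};
#define N_SUITES (sizeof suites / sizeof suites[0])

/* Returns the number of suites selected; 0 models "no cipher match".
 * In FIPS mode, suites without the marker are skipped. */
static int model_set_cipher_list(unsigned want, int fips_mode,
                                 const char **out, size_t out_len)
{
    size_t n = 0;
    for (size_t i = 0; i < N_SUITES; i++) {
        if ((suites[i].flags & want) != want) continue;
        if (fips_mode && !(suites[i].flags & M_FIPS)) continue;
        if (n < out_len) out[n++] = suites[i].name;
    }
    return (int)n;
}

/* Fail closed: do not go on to listen/accept when nothing was selected. */
static int model_server_setup(int fips_mode)
{
    const char *chosen[N_SUITES];
    if (model_set_cipher_list(M_PSK, fips_mode, chosen, N_SUITES) == 0)
        return -1;
    return 0;
}
/* Models the local experiment of marking the PSK suites as FIPS-allowed. */
static void model_mark_psk_fips(void)
{
    for (size_t i = 0; i < N_SUITES; i++)
        if (suites[i].flags & M_PSK) suites[i].flags |= M_FIPS;
}

int main(void)
{
    int before = model_server_setup(1);
    model_mark_psk_fips();
    printf("FIPS mode: before=%d after=%d\n", before, model_server_setup(1));
    return 0;
}
```
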

Re: DTLS PSK in FIPS mode

Fredrik Jansson-6
Thanks, that did it!

To try to understand the implications of this, if I add SSL_FIPS to TLS1_TXT_PSK_WITH_AES_128_CBC_SHA and TLS1_TXT_PSK_WITH_AES_256_CBC_SHA, am I violating the security policy? AES 128/256 CBC and SHA are approved algorithms(?).

Best regards,
Fredrik



Re: DTLS PSK in FIPS mode

Dr. Stephen Henson
On Mon, Nov 04, 2013, Fredrik Jansson wrote:

> Thanks, that did it!
>
> To try to understand the implications of this, if I add SSL_FIPS
> to TLS1_TXT_PSK_WITH_AES_128_CBC_SHA and TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
> am I violating the security policy? AES 128/256 CBC and SHA are approved
> algorithms(?).
>

The security policy means you cannot modify any code in the validated module
source, it does not apply to the FIPS capable OpenSSL which is effectively an
"application" of the FIPS module.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: DTLS PSK in FIPS mode

Fredrik Jansson-6
Awesome, thank you!

Can you please help me close bug 3152? 

I will put in a change request to have TLS1_TXT_PSK_WITH_AES_128_CBC_SHA and TLS1_TXT_PSK_WITH_AES_256_CBC_SHA enabled in FIPS mode.

Best regards,
Fredrik

