OpenSSL-1.1.1u - Is this patch adding chacha20-poly1305_draft correct/safe to use? #21405
Replies: 4 comments 2 replies
-
Why??? Do you have data that indicate sufficiently widespread use of this to justify the effort? I'm quite skeptical that anyone uses it and if they do, they are not standards compliant. It's a pre-publication draft algorithm. You will need to figure out what changes were made before it was standardised and why and then assess the security implications of each change. Since you admit your ignorance in the area, you'd do best to hire an independent cryptanalyst to make such an assessment. This simply is not something the project can assist you with. The OpenSSL project would never accept this as a submission. By policy we only accept standards and this is not and never will be.
-
The draft was replaced by the standard's version -- there is no guarantee that there wasn't a problem with it. That's often the reason drafts are changed. If you want to proceed with this, I strongly suggest hiring an expert to analyse it. The OpenSSL team isn't going to be doing so. You also didn't mention what evidence you have that this is actually used (or not). As I noted, I think it unlikely.
-
It is the only choice if you want to support 256-bit on Android 5.0.0 / 6.0. Cloudflare supported/used it up to the 1st of this month, but stopped supporting it because of very little use.
-
I understand and respect the answers I got so far. And for anyone interested, I rewrote the patch code for OpenSSL-3.2.0-dev as well:
-
I'm trying to build an OpenSSL setup (for Nginx-1.25.0) using only 256-bit ciphers, with "max compatibility".
By max compatibility I mean supporting as many devices as possible.
Because of this I am using a certificate with "EC 384 bits (SHA384withECDSA)" next to one with "RSA 4096 bits (SHA256withRSA)", so
I can support (using ssllabs.com naming) Chrome 49 / XP SP3 with RSA 4096 (SHA256) on
TLS 1.2 > http/1.1 using TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, ECDH secp384r1, FS.
But next to that I want to add support for Android 5.0.0 and Android 6.0 by adding the "OLD_" / "POLY1305-D" / draft version of ChaCha by D. Bernstein.
Because I am just a newbie trying to achieve this goal for a few months with no prior experience, I searched for old patches implementing the draft version.
I found 2 versions; 1 seemed wrong and kind of feeding off the default cipher, but the other looked better
(seems wrong: https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/openssl-1.1.1h-chacha_draft.patch)
(seems better: https://raw.githubusercontent.com/Jemmy1228/ngx_ossl_patches/master/ossl_enable_chacha20-poly1305-draft.patch)
So I took the one that looked better and adjusted it to match OpenSSL-1.1.1u.
And then I added patch code to also pass the make test command.
I tested it on Ubuntu 22.04, 22.10, 23.04, and 23.04 using the default kernels 6.2.0 and 6.4.2.
Everything seems to work and I get 0 warnings, errors, notifications or anything.
Now my question is whether this is a correct/secure implementation of the draft cipher.
https://github.com/EverybodyGetsHurt/OpenSSL-3.2.0-dev-OpenSSL-1.1.1u-chacha20-poly1305_draft
Live test server SSL-Labs results:
NOTES:
WITH ENABLE-CRYPTO-MDEBUG:
gcc -I. -Iinclude -fPIC -pthread -m64 -Wa,--noexecstack -rdynamic -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DOPENSSLDIR=""/usr/local/ssl"" -DENGINESDIR=""/usr/local/lib/engines-1.1"" -DZLIB -DZLIB_SHARED -DNDEBUG -MMD -MF crypto/modes/ccm128.d.tmp -MT crypto/modes/ccm128.o -c -o crypto/modes/ccm128.o crypto/modes/ccm128.c
In function 'CRYPTO_free',
inlined from 'CRYPTO_free' at crypto/mem.c:295:6:
crypto/mem.c:307:9: warning: pointer 'str' used after 'free' [-Wuse-after-free]
307 | CRYPTO_mem_debug_free(str, 1, file, line);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
crypto/mem.c:306:9: note: call to 'free' here
306 | free(str);
| ^~~~~~~~~
In function 'CRYPTO_realloc',
inlined from 'CRYPTO_realloc' at crypto/mem.c:238:7:
crypto/mem.c:258:9: warning: pointer 'str' used after 'realloc' [-Wuse-after-free]
258 | CRYPTO_mem_debug_realloc(str, ret, num, 1, file, line);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
crypto/mem.c:257:15: note: call to 'realloc' here
257 | ret = realloc(str, num);
| ^~~~~~~~~~~~~~~~~
WITH ENABLE-UBSAN, or ENABLE-ASAN, or TOGETHER:
gcc -I. -Iinclude -fPIC -pthread -m64 -fsanitize=undefined -fno-sanitize-recover=all -fno-omit-frame-pointer -g -Wa,--noexecstack -rdynamic -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DOPENSSLDIR=""/usr/local/ssl"" -DENGINESDIR=""/usr/local/lib/engines-1.1"" -DZLIB -DZLIB_SHARED -DNDEBUG -MMD -MF ssl/s3_lib.d.tmp -MT ssl/s3_lib.o -c -o ssl/s3_lib.o ssl/s3_lib.c
In function 'ssl3_generate_key_block',
inlined from 'ssl3_setup_key_block' at ssl/s3_enc.c:290:11:
ssl/s3_enc.c:48:20: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=]
48 | buf[j] = c;
| ~~~~~~~^~~
ssl/s3_enc.c: In function 'ssl3_setup_key_block':
ssl/s3_enc.c:21:19: note: at offset 16 into destination object 'buf' of size 16
21 | unsigned char buf[16], smd[SHA_DIGEST_LENGTH];
| ^~~
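The maintainers' point is that the draft and the standardised algorithm are different constructions, so anyone shipping the draft has to know exactly what changed. As an added example (not part of this discussion or of the linked patches), the pure-Python code below implements both AEADs side by side: ChaCha20 and Poly1305 are written out from RFC 8439, the draft variant follows draft-agl-tls-chacha20poly1305 (8-byte nonce, each length appended directly to its field with no padding), and the TLS-level nonce derivation (the draft used the record sequence number directly, RFC 7905 XORs it into a 12-byte IV) is assumed to happen outside these functions.

```python
import hmac, struct

def _qr(s, a, b, c, d):  # ChaCha quarter round, in place on 32-bit words
    for x, y, z, n in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & 0xffffffff
        s[z] = (((s[z] ^ s[x]) << n) | ((s[z] ^ s[x]) >> (32 - n))) & 0xffffffff

def chacha20_block(key, counter, nonce12):
    # RFC 8439 state layout: constants | 8 key words | 32-bit block counter | 96-bit nonce
    s = list(struct.unpack('<16I', b'expand 32-byte k' + key + struct.pack('<I', counter) + nonce12))
    w = s[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        for idx in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                    (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _qr(w, *idx)
    return struct.pack('<16I', *((x + y) & 0xffffffff for x, y in zip(w, s)))

def chacha20_xor(key, nonce12, data, counter):  # keystream starting at `counter`, XORed over data
    ks = b''.join(chacha20_block(key, counter + i, nonce12) for i in range((len(data) + 63) // 64))
    return bytes(x ^ y for x, y in zip(data, ks))

def poly1305(otk, msg):  # RFC 8439 one-time authenticator, 16-byte tag
    r = int.from_bytes(otk[:16], 'little') & 0x0ffffffc0ffffffc0ffffffc0fffffff
    s, p, acc = int.from_bytes(otk[16:], 'little'), (1 << 130) - 5, 0
    for i in range(0, len(msg), 16):
        acc = (acc + int.from_bytes(msg[i:i + 16] + b'\x01', 'little')) * r % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, 'little')

def _mac_input(aad, ct, draft):
    if draft:  # draft-agl: each 64-bit LE length directly follows its field, no padding
        return aad + struct.pack('<Q', len(aad)) + ct + struct.pack('<Q', len(ct))
    # RFC 8439: zero-pad each field to a 16-byte boundary, then both lengths at the end
    return aad + b'\0' * (-len(aad) % 16) + ct + b'\0' * (-len(ct) % 16) + struct.pack('<QQ', len(aad), len(ct))

def _nonce12(nonce, draft):
    # draft-agl: 8-byte nonce + 64-bit counter; below 2^32 blocks that equals RFC ChaCha20 with nonce = 4 zero bytes || nonce
    return b'\0' * 4 + nonce if draft else nonce

def seal(key, nonce, plaintext, aad, draft=False):  # returns ciphertext || 16-byte tag
    n = _nonce12(nonce, draft)
    otk = chacha20_block(key, 0, n)[:32]      # both variants: Poly1305 key from block 0
    ct = chacha20_xor(key, n, plaintext, 1)   # both variants: data encrypted from block 1
    return ct + poly1305(otk, _mac_input(aad, ct, draft))

def open_(key, nonce, sealed, aad, draft=False):  # returns plaintext, or None if the tag fails
    n, ct, tag = _nonce12(nonce, draft), sealed[:-16], sealed[-16:]
    otk = chacha20_block(key, 0, n)[:32]
    if not hmac.compare_digest(tag, poly1305(otk, _mac_input(aad, ct, draft))):
        return None  # reject before decrypting; the comparison is constant-time
    return chacha20_xor(key, n, ct, 1)
```

With the same key, keystream and data, the two variants produce identical ciphertext but different tags, which is why a draft peer and an RFC 7905 peer cannot interoperate even when the cipher suite identifiers are mapped onto each other.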