Background

While LibreSSL 2.7+ features partial API compatibility with OpenSSL 1.0.2 and 1.1.0, there are still missing symbols to enable ECDSA support with it. We will be able to support ECDSA with LibreSSL when missing APIs are provided, but for now, I would like to share the list below as a reminder.

Status

LibreSSL 2.9.1 provides mandatory APIs AFAIK.

How to test

Please fetch #25 and comment on the result back to the PR.

It looks like it is a bad move to set NULL to keygen and compute_key function.

Removing these 2 lines fixes the issue.

I am developling a proxy server using Golang and a modified version of h2o and libh2o-evloop. I modify h2o and build it as a static library with every h2o new commit to keep current with it. Everythings work fine till 0f08b67. I simply strip out neverbleed related codes from h2o because Golang runtime is not fork() friendly without exec (neverbleed uses fork() without exec ) . But as of 0f08b67, it seems that quicly uses neverbleed for async resumption and I cant simply strip out neverbleed related codes from h2o to make it work fine.

Neverbleed is awesome library and it would be nice to provide a standalone version of neverbleed with a main() entry so developers interesting in neverbleed can use it with fork/exec or h2o_spawn or similar mechanism in their projects.

thanks

The default RSA method calls static rsa_ossl_finish to free BN_MONT_CTX_free objects.
If neverbleed RSA method is used, this function is not called, thus these objects are leaked.
The proposed fix is tatsuhiro-t@003de52

Hey there, I'm trying to compile NGINX with neverbleed using this patch but getting these warnings.

src/event/neverbleed.c: In function 'expbuf_reserve':
src/event/neverbleed.c:159:15: error: comparison between signed and unsigned integer expressions [-Werror=sign-compare]
     if (extra <= buf->buf + buf->capacity - buf->end)
               ^
src/event/neverbleed.c:164:48: error: comparison between signed and unsigned integer expressions [-Werror=sign-compare]
     while (buf->buf + buf->capacity - buf->end < extra)
                                                ^
src/event/neverbleed.c: In function 'expbuf_write':
src/event/neverbleed.c:245:28: error: comparison between signed and unsigned integer expressions [-Werror=sign-compare]
         while (r != 0 && r >= vecs[vecindex].iov_len) {
                            ^
src/event/neverbleed.c:250:37: error: pointer of type 'void *' used in arithmetic [-Werror=pointer-arith]
             vecs[vecindex].iov_base += r;
                                     ^
src/event/neverbleed.c: At top level:
src/event/neverbleed.c:353:1: error: missing initializer for field 'size' of 'struct <anonymous>' [-Werror=missing-field-initializers]
 } daemon_vars = {{PTHREAD_MUTEX_INITIALIZER}};
 ^
src/event/neverbleed.c:349:16: note: 'size' declared here
         size_t size;
                ^
src/event/neverbleed.c:353:1: error: missing initializer for field 'nb' of 'struct <anonymous>' [-Werror=missing-field-initializers]
 } daemon_vars = {{PTHREAD_MUTEX_INITIALIZER}};
 ^
src/event/neverbleed.c:352:19: note: 'nb' declared here
     neverbleed_t *nb;

Coverity Scan found the following issue when we submitted builds as part of nghttp2 build process:

** CID 1331205:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1331205:    (TAINTED_SCALAR)
/third-party/neverbleed/neverbleed.c: 262 in expbuf_read()
256     static int expbuf_read(struct expbuf_t *buf, int fd)
257     {
258         size_t sz;
259
260         if (read_nbytes(fd, &sz, sizeof(sz)) != 0)
261             return -1;
>>>     CID 1331205:    (TAINTED_SCALAR)
>>>     Passing tainted variable "sz" to a tainted sink.
262         expbuf_reserve(buf, sz);
263         if (read_nbytes(fd, buf->end, sz) != 0)
264             return -1;
265         buf->end += sz;
266         return 0;
267     }
/third-party/neverbleed/neverbleed.c: 263 in expbuf_read()
257     {
258         size_t sz;
259
260         if (read_nbytes(fd, &sz, sizeof(sz)) != 0)
261             return -1;
262         expbuf_reserve(buf, sz);
>>>     CID 1331205:    (TAINTED_SCALAR)
>>>     Passing tainted variable "sz" to a tainted sink.
263         if (read_nbytes(fd, buf->end, sz) != 0)
264             return -1;
265         buf->end += sz;
266         return 0;
267     }
268

** CID 1331203:  Integer handling issues  (NEGATIVE_RETURNS)
/third-party/neverbleed/neverbleed.c: 664 in setuidgid_stub()


________________________________________________________________________________________________________
*** CID 1331203:  Integer handling issues  (NEGATIVE_RETURNS)
/third-party/neverbleed/neverbleed.c: 664 in setuidgid_stub()
658     static int setuidgid_stub(struct expbuf_t *buf)
659     {
660         const char *user;
661         size_t change_socket_ownership;
662         struct passwd pwbuf, *pw;
663         char pwstrbuf[65536]; /* should be large enough */
>>>     CID 1331203:  Integer handling issues  (NEGATIVE_RETURNS)
>>>     Assigning: "ret" = a negative value.
664         int ret = -1;
665
666         if ((user = expbuf_shift_str(buf)) == NULL || expbuf_shift_num(buf, &change_socket_ownership) != 0) {
667             errno = 0;
668             warnf("%s: failed to parse request", __FUNCTION__);
669             return -1;

First issue could be non-issue, if we rely on the sender (is it ok?).
2nd issue could be a bug, since we passes -1 to size_t parameter, which results in very large value.

In case of TLS, keys used to encrypt session tickets is also a long-term secret that needs to be taken care in addition to RSA private keys (note :in H2O we rotate the session ticket keys periodically, but not all web servers do it; see http://blog.kazuhooku.com/2015/07/h2o-version-140-released-with.html).

With OpenSSL it is possible add user-defined symmetric ciphers / HMACs at run-time, so it is theoretically possible to create them that uses IPC so that their secrets will be protected in conjunction with the RSA private keys.

The downside is that due to how OpenSSL is designed, it would cause two IPC calls for every ticket-based session resumption.

There are 2 issues I found with OCSP.

1. When neverbleed is enabled, OCSP_basic_verify with RSA key because RSA object has NULL bn_mod_exp. This can be fixed by just assigning default function to the field. But I propose to use RSA_meth_dup first, and then override custom functions instead.

2. If optional certificate is attached in OCSP response, priv_rsa_finish or priv_ecdsa_finish is called when OCSP_BASICRESP_free is called. In that function chain, we end up calling RSA_get_ex_data or
   EC_KEY_get_ex_data, but we don't set its associated data, it fails and we hit dief.
   One possible workaround is don't call dief if we cannot get any data from these functions and just do nothing without communicating daemon process. What do you think?

Issue 1 is new to OpenSSL 1.1.1.
I don't know Issue 2 happens with older OpenSSL. I just found it while debugging Issue 1.

https://www.openssl.org/docs/man3.0/man7/migration_guide.html

It looks like OpenSSL 3.0.0 deprecates ENGINE related APIs and bunch of low-level getters and setters.
There are lots of deprecation warnings when compiled with OpenSSL 3.0.0.

As of adb7442, the Neverbleed daemon refuses debuggers from being attached only in the following cases:

• always on Linux
• on OS X, if neverbleed_setuidgid is called

We should:

• call ptrace(PT_DENY_ATTACH) on OS X to always refuse
• explore the possibility of doing same onon other OS

Note: this feature is not a must-have; you can use different UIDs for the daemon and the client.

When I fed ECDSA key pair to neverbleed_load_private_key_file, then it returned error saying "neverbleed_load_private_key_file failed: failed to parse the private key".

Using ordinal openssl library function works fine.

I created ECDSA key pair using:

openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp384r1) -keyout ecdsa.key -out ecdsa.crt -days 3650

http://security.stackexchange.com/questions/58077/generating-ecdsa-certificate-and-private-key-in-one-step