Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Server with ECDHE key and cert not working

Tags:

c

openssl

ca

I use the below server.c source, i generated

sinful-host-cert.pem
sinful-host.key

as described here: Elliptic Curve CA Guide

When running the program get the following errors:

140722397161136:error:10071065:elliptic curve routines:func(113):reason(101):ec_lib.c:995: 140722397161136:error:0B080075:x509 certificate routines:func(128):reason(117):x509_cmp.c:346:

I compiled using:

gcc server.c -ldl -lcrypto -lssl -o Server

The error occurs at this line I think

if (SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0)

server.c

#include <errno.h>
#include <unistd.h>
#include <malloc.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <resolv.h>
#include "openssl/ssl.h"
#include "openssl/err.h"

#define FAIL    -1

int OpenListener(int port)
{   int sd;
    struct sockaddr_in addr;


    sd = socket(PF_INET, SOCK_STREAM, 0);
    bzero(&addr, sizeof(addr));

    inet_aton("10.8.0.26", &addr.sin_addr);

    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    //addr.sin_addr.s_addr = INADDR_ANY;

    if ( bind(sd, (struct sockaddr*)&addr, sizeof(addr)) != 0 )
    {
        perror("can't bind port");
        abort();
    }
    if ( listen(sd, 10) != 0 )
    {
        perror("Can't configure listening port");
        abort();
    }
    return sd;
}

SSL_CTX* InitServerCTX(void)
{   const SSL_METHOD *method;
    SSL_CTX *ctx;

    OpenSSL_add_all_algorithms();  /* load & register all cryptos, etc. */
    SSL_load_error_strings();   /* load all error messages */

    //method = SSLv23_server_method();
    method = TLSv1_2_server_method();  /* create new server-method instance */
    ctx = SSL_CTX_new(method);   /* create new context from method */
    if ( ctx == NULL )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    return ctx;
}

void LoadCertificates(SSL_CTX* ctx, char* CertFile, char* KeyFile)
{
    //New lines 
    if (SSL_CTX_set_cipher_list(ctx, "ECDHE-ECDSA-AES128-GCM-SHA256") != 1)
         ERR_print_errors_fp(stderr);

    if (SSL_CTX_load_verify_locations(ctx, CertFile, KeyFile) != 1)
        ERR_print_errors_fp(stderr);

    if (SSL_CTX_set_default_verify_paths(ctx) != 1)
        ERR_print_errors_fp(stderr);
    //End new lines

    /* set the local certificate from CertFile */
    if (SSL_CTX_use_certificate_file(ctx, CertFile, SSL_FILETYPE_PEM) <= 0)
    {
        ERR_print_errors_fp(stderr);
        abort();
    }

    printf("FFFF\n");
    /* set the private key from KeyFile (may be the same as CertFile) */
    if (SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0)
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    printf("GGGG\n");
    /* verify private key */
    if (!SSL_CTX_check_private_key(ctx))
    {
        fprintf(stderr, "Private key does not match the public certificate\n");
        abort();
    }

    //New lines - Force the client-side have a certificate
    //SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
    //SSL_CTX_set_verify_depth(ctx, 4);
    //End new lines
}

void ShowCerts(SSL* ssl)
{   X509 *cert;
    char *line;

    cert = SSL_get_peer_certificate(ssl); /* Get certificates (if available) */
    if ( cert != NULL )
    {
        printf("Server certificates:\n");
        line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
        printf("Subject: %s\n", line);
        free(line);
        line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
        printf("Issuer: %s\n", line);
        free(line);
        X509_free(cert);
    }
    else
        printf("No certificates.\n");
}

void Servlet(SSL* ssl) /* Serve the connection -- threadable */
{   char buf[1024];
    char reply[1024];
    int sd, bytes, err;
    const char* HTMLecho="<html><body><pre>%s</pre></body></html>\n\n";

    printf("huhupre\n");

    err = SSL_accept(ssl);

    if ( err <= 0 ) {    /* do SSL-protocol accept */
        printf("%d\n",err);
        ERR_print_errors_fp(stderr);
    }
    else
    {
        printf("XXXXXX\n");
        //SSL_write(ssl, "huhu\n\r", 8);
        ShowCerts(ssl);        /* get any certificates */
        bytes = SSL_read(ssl, buf, sizeof(buf)); /* get request */
        if ( bytes > 0 )
        {
            buf[bytes] = 0;
            printf("Client msg: \"%s\"\n", buf);
            sprintf(reply, HTMLecho, buf);   /* construct reply */
            SSL_write(ssl, reply, strlen(reply)); /* send reply */
        }
        else
            ERR_print_errors_fp(stderr);
    }
    sd = SSL_get_fd(ssl);       /* get socket connection */
    SSL_free(ssl);         /* release SSL state */
    close(sd);          /* close connection */
}

int main()
{   SSL_CTX *ctx;
    int server;
    char portnum[]="5000";

        char CertFile[] = "sinful-host-cert.pem";
        char KeyFile[] = "sinful-host.key";

    SSL_library_init();

    ctx = InitServerCTX();        /* initialize SSL */
    LoadCertificates(ctx, CertFile, KeyFile); /* load certs */
    server = OpenListener(atoi(portnum));    /* create server socket */

    printf("%d while\n", server);
    while (1)
    {   struct sockaddr_in addr;
        socklen_t len = sizeof(addr);
        SSL *ssl;

        int client = accept(server, (struct sockaddr*)&addr, &len);  /* accept connection as usual */
        printf("Connection: %s:%d\n",inet_ntoa(addr.sin_addr), ntohs(addr.sin_port));
        ssl = SSL_new(ctx);              /* get new SSL state with context */
        if (ssl == NULL) {

            ERR_print_errors_fp(stderr);
            return 0;

        }
        SSL_set_fd(ssl, client);      /* set connection socket to SSL state */
        Servlet(ssl);         /* service connection */
    }
    close(server);          /* close server socket */
    SSL_CTX_free(ctx);         /* release context */
}
like image 541
CutiePie666 Avatar asked May 05 '15 15:05

CutiePie666


1 Answers

as described here: Elliptic Curve CA Guide...

This page has so many errors and omissions I would discard it. The first red flag is the white text and black background. That tells me someone less experienced is providing the page...

From the page:

openssl ecparam -list-curves

This should be -list_curves, not -list-curves.

From the page:

openssl ecparam -out sinful.key -name sect283k1 -genkey

This should be:

openssl ecparam -param_enc named_curve -out sinful.key -name sect283k1 -genkey

If you don't use a named curve, then you will have lots of problems later, like when a client attempts to connect to the server. Here, named curve is the OID for a curve like secp256k1, and not the domain parameters like p, a, b, G, etc.

The "lots of problems later" is documented at the OpenSSL wiki Elliptic Curve Cryptography, Named Curves. Here are some of the problems you will experience:

  • Client: 139925962778272:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
  • Client: 139925962778272:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596
  • Server: 140339533272744:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1353

Also, for maximum interoperability, you should use secp256k1. A close second is secp521r1.

Also, use of/lack of -*form in the openssl ecparam and openssl req commands are discussed below.


SSL_CTX* InitServerCTX(void) { ... }

This code block has quite a few problems. The most notable is lack of the ECDH callback. Where are you setting the SSL_CTX_set_tmp_ecdh callback (OpenSSL 1.0.1 and below), or where is the call to SSL_CTX_set_ecdh_auto (OpenSSL 1.0.2 and above)?

Others include the default protocol, the default cipher list, weak and wounded ciphers, the inclusion of anonymous protocols, and compression. For a partial example of code to provide a server context, see 'No Shared Cipher' Error with EDH-RSA-DES-CBC3-SHA.


The error occurs at this line I think

if (SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0)

I think that traces back to that defective page you referenced. This:

openssl req -x509 -new -key sinful.key -out sinful-ca.pem -outform PEM -days 3650

Should probably be (note the addition of -keyform)

openssl req -x509 -new -key sinful.key -keyform PEM -out sinful-ca.pem -outform PEM -days 3650

Or

if (SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_ASN1) <= 0)

In general, always use the *form option for a command, whether its -keyform, -certform, -inform, -outform, etc. OpenSSL does not always get it right (even though its supposed to use PEM by default).


The error occurs at this line I think

if (SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0)

If the private key has a password, then you will need to provide a Password Callback or strip the password from the file.

Its OK to strip the password because there's no difference in storing a plaintext private key; or a encrypted private key with the passphrase in a configuration file next to the key. In both cases, the only effective security you have is the filesystem ACLs.

Related, this is known as the Unattended Key Storage problem. Guttman discusses it in his book Engineering Security. Its a problem without a solution.


Here's some more complete error information... It looks like you are using an old version of OpenSSL, and that does not provide the newer error codes.

When running the program get the following errors:

 140722397161136:error:10071065:elliptic curve routines:func(113):reason(101):ec_lib.c:995
 140722397161136:error:0B080075:x509 certificate routines:func(128):reason(117):x509_cmp.c:346

First, the 0x10071065 error:

$ /usr/local/ssl/macosx-x64/bin/openssl errstr 0x10071065
error:10071065:elliptic curve routines:EC_POINT_cmp:incompatible objects

The 0x10071065 usually means the client and the server are using incompatible EC fields. In this case, you should use either secp256k1 or secp521r1.

Second, the 0x0B080075 error:

$ /usr/local/ssl/macosx-x64/bin/openssl errstr 0x0B080075
error:0B080075:x509 certificate routines:X509_check_private_key:unknown key type

I'm guessing that there's a mismatch in the certificate and private key. But its only a guess. I would (1) clear the named curve issue, (2) clear the sect283k1 issue, and (3) clear the down level library issue (see below). After clearing those issues, then see if this issue remains.


It looks like you are using an old version of OpenSSL, and that does not provide the newer error codes...

Be sure you are running OpenSSL 1.0.0 or above. 0.9.8 had limited EC support, but it was not really cut-in in force until 1.0.0. Better, use OpenSSL 1.0.2.


 OpenSSL_add_all_algorithms();  /* load & register all cryptos, etc. */
 SSL_load_error_strings();   /* load all error messages */

Also see Library Initialization on the OpenSSL wiki.


 if (SSL_CTX_set_cipher_list(ctx, "ECDHE-ECDSA-AES128-GCM-SHA256")

This will get you into trouble on some versions of OS X and iOS due to a bug in the SecureTransport library. Apple only fixed it on some versions of their operating systems.

If you plan on servicing Apple hardwarez, then you will need one additional non-ECDHE-ECDSA cipher. And you need to use the server side context option SSL_OP_SAFARI_ECDHE_ECDSA_BUG.

Related, Apple is pretty bold about not fixing their security bugs. You have the broken ECDHE-ECDSA cipher suites; and gems like CVE-2015-1130 (Hidden Backdoor with Root).


Here's what my ECDH callback looks like in OpenSSL 1.0.1 and below. OpenSSL 1.0.2 should use SSL_CTX_set_ecdh_auto. Its C++ code, but its easy enough to convert back to C code. Also see SL_CTX_set_tmp_ecdh_callback semantics in 1.0.1 on the OpenSSL mailing list.

The code below could be more robust. The callback should fetch the certificate with SSL_get_certificate (not SSL_get_peer_certificate), query the certificate for the EC field, and then provide a temporary key in the appropriate field, like secp256k1 or secp571k1. (It works because my certificates use secp256, and EcdhCallback uses secp256 as its default).

SSL_get_certificate is not documented. But it is used in <openssl src>/apps/s_cb.c. That's the "self documenting" code OpenSSL is famous for.

using SSL_ptr = std::shared_ptr<SSL>;
using SSL_CTX_ptr = std::shared_ptr<SSL_CTX>;

using EC_KEY_ptr = std::unique_ptr<EC_KEY, decltype(&::EC_KEY_free)>;
using EC_GROUP_ptr = std::unique_ptr<EC_GROUP, decltype(&::EC_GROUP_free)>;
using EC_POINT_ptr = std::unique_ptr<EC_POINT, decltype(&::EC_POINT_free)>;
using EVP_PKEY_ptr = std::unique_ptr<EVP_PKEY, decltype(&::EVP_PKEY_free)>;
using BIO_MEM_ptr = std::unique_ptr<BIO, decltype(&::BIO_free)>;
using BIO_FILE_ptr = std::unique_ptr<BIO, decltype(&::BIO_free)>;
...

SSL_CTX* CreateServerContext(const string & domain)
{
    const SSL_METHOD* method = SSLv23_server_method();
    ASSERT(method != NULL);

    SSL_CTX_ptr t(SSL_CTX_new(method), ::SSL_CTX_free);
    ASSERT(t.get() != NULL);

    long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
            flags |= SSL_OP_NO_COMPRESSION;
            flags |= SSL_OP_SAFARI_ECDHE_ECDSA_BUG;
            flags |= SSL_OP_CIPHER_SERVER_PREFERENCE;

    SSL_CTX_set_options(t.get(), flags);

    string ciphers = "HIGH:!aNULL:!RC4:!MD5";
    rc = SSL_CTX_set_cipher_list(t.get(), ciphers.c_str());    
    ...

    LogDebug("GetServerContext: setting ECDH callback");
    SSL_CTX_set_tmp_ecdh_callback(t.get(), EcdhCallback);
    ...

    return t.release();
}

EC_KEY* EcdhCallback(SSL *ssl, int is_export, int keylength)
{
    UNUSED(ssl);
    UNUSED(is_export);
    UNUSED(keylength);

    /* This callback is OK, but OpenSSL calls it in a broken fashion. */
    /* With 1.0.1e and 1.0.1f, the value is 1024-bits. That is more   */
    /* appropriate for RSA.... We'll try and rewrite it here.         */
    if (keylength >= 1024)
    {
        keylength = 256;
        LogRelevant("EcdhCallback: field size is wrong, using 256-bit group");
    }

#if defined(ALLOW_ECDH_192_PARAMS)
    if (keylength <= 192 + 4)
        return ECDH192();
#endif

    if (keylength <= 224 + 4)
        return ECDH224();
    else if (keylength <= 256 + 4)
        return ECDH256();
    else if (keylength <= 384 + 4)
        return ECDH384();
    else if (keylength <= 521 + 4)
        return ECDH521();

    return ECDH521();
}

#if defined(ALLOW_ECDH_192_PARAMS)
static EC_KEY* ECDH192()
{
    static EC_KEY_ptr key(NULL, NULL);
    static once_flag flag;

    call_once(flag, []()
    {
        key = EC_KEY_ptr(InitEcdhkey(192), ::EC_KEY_free);
        ASSERT(key.get());

        if(!key.get())
            LogError("ECDH192: InitEcdhkey failed");
    });

    return key.get();
}
#endif

static EC_KEY* ECDH224()
{
    static EC_KEY_ptr key(NULL, NULL);
    static once_flag flag;

    call_once(flag, []()
    {
        key = EC_KEY_ptr(InitEcdhkey(224), ::EC_KEY_free);
        ASSERT(key.get());

        if(!key.get())
            LogError("ECDH224: InitEcdhkey failed");
    });

    return key.get();
}

static EC_KEY* ECDH256()
{
    static EC_KEY_ptr key(NULL, NULL);
    static once_flag flag;

    call_once(flag, []()
    {
        key = EC_KEY_ptr(InitEcdhkey(256), ::EC_KEY_free);
        ASSERT(key.get());

        if(!key.get())
            LogError("ECDH256: InitEcdhkey failed");
    });

    return key.get();
}

static EC_KEY* ECDH384()
{
    static EC_KEY_ptr key(NULL, NULL);
    static once_flag flag;

    call_once(flag, []()
    {
        key = EC_KEY_ptr(InitEcdhkey(384), ::EC_KEY_free);
        ASSERT(key.get());

        if(!key.get())
            LogError("ECDH384: InitEcdhkey failed");
    });

    return key.get();
}

static EC_KEY* ECDH521()
{
    static EC_KEY_ptr key(NULL, NULL);
    static once_flag flag;

    call_once(flag, []()
    {
        key = EC_KEY_ptr(InitEcdhkey(521), ::EC_KEY_free);
        ASSERT(key.get());

        if(!key.get())
            LogError("ECDH521: InitEcdhkey failed");
    });

    return key.get();
}

static EC_KEY* InitEcdhkey(int bits)
{
    if (bits <= 160 + 4)
        bits = 160;
    else if (bits <= 192 + 4)
        bits = 192;
    else if (bits <= 224 + 4)
        bits = 224;
    else if (bits <= 256 + 4)
        bits = 256;
    else if (bits <= 384 + 4)
        bits = 384;
    else if (bits <= 521 + 4)
        bits = 521;
    else
        bits = 521;

    EC_KEY* key = EC_KEY_new_by_curve_name(CurveToNidByBits(bits));
    unsigned long err = ERR_get_error();

    ASSERT(key != NULL);
    if (key == NULL)
    {
        ostringstream oss;
        oss << "InitEcdhkey: EC_KEY_new_by_curve_name failed for ";
        oss << bits << "-bit key, error " << err << ", 0x" << err;
        LogError(oss);
    }

    return key;
}
like image 95
jww Avatar answered Nov 03 '22 21:11

jww