Bug 1263 - --disable-ecdh option patch for Solaris11.3(after Dec 2016)
--disable-ecdh option patch for Solaris11.3(after Dec 2016)
Status: ASSIGNED
Product: unbound
Classification: Unclassified
Component: server
1.6.2
Sun other
: P5 minor
Assigned To: unbound team
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-05-07 10:16 CEST by Kunitaka Namba
Modified: 2017-05-08 09:05 CEST (History)
2 users (show)

See Also:


Attachments
disable-ecdh_option.patch (937 bytes, text/plain)
2017-05-07 10:16 CEST, Kunitaka Namba
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Kunitaka Namba 2017-05-07 10:16:25 CEST
Created attachment 396 [details]
disable-ecdh_option.patch

Solaris11.3's openssl patches
https://github.com/oracle/solaris-userland/blob/c631311a500f8a6f6699c5eac2b58400309f4aaa/components/shim/patches/06-Cryptlib_OpenSSL_Makefile.patch

add CFLAGS: -DOPENSSL_NO_EC -DOPENSSL_NO_ECDSA -DOPENSSL_NO_ECDH


Unbound used Solaris11.3's openssl libs

# /usr/local/unbound/sbin/unbound
Apr 30 17:51:05 unbound[51454:0] error: Error in SSL_CTX_ecdh_auto, not enabling ECDHE crypto error:00000000:lib(0):func(0):reason(0)

SSL_CTX_ecdh_auto -> ECDHE, but not use by "-DOPENSSL_NO_ECDH"


Why enabled ECDHE ?

SSL_CTX_ecdh_auto is support by new patches.

$ diff /usr/include/openssl/ssl.h /.zfs/snapshot/{Jun_2017_CPU*}/usr/include/openssl/ssl.h | \
grep SSL_CTX | grep ECDH
<         SSL_CTX_ctrl(ctx,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL) 

* CPU = Oracle Critical Patch Update


But not included in "/usr/bin/openssl".

$ nm /usr/bin/openssl | grep -i CTX | grep -i ECDH | wc -l
       0 

I think a problem on Solaris11.3 side.



This ad hoc patch for Solaris11.3。

disable-ecdh_option.patch:


Usage:

$ cp -ip configure configure.org

$ patch configure disable-ecdh_option.patch
patching file configure

$ diff configure configure.org

$ ./configure --prefix=/usr/local/unbound CFLAGS="-I/usr/local/include -m64" \
LDFLAGS="-L/usr/local/lib:/usr/lib/64 -R/usr/local/lib:/usr/lib/64 -m64" \
--enable-event-api --with-libevent --disable-gost --disable-ecdsa --disable-ecdh
                                                                  ^^^^^^^^^^^^^^
Comment 1 Wouter Wijngaards 2017-05-08 09:05:20 CEST
Hi Kunitaka Namba,

We already had a report that ECDH does not work when ECC is not enabled in the openssl library.  So the current code repository version of unbound already has a fix, that only enables the ECDH when both SHA256 and ECDSA are available.  It looks like this could also, already, fix your problem, because you are disabling ECDSA already, and that would then also disable the ECDH call.

The code fix was this, and is also in the code repository.  Can you see if the latest code repository is fixed?  ((If not I'd be happy to include your patch, by the way))

Index: daemon/remote.c
===================================================================
--- daemon/remote.c	(revision 4136)
+++ daemon/remote.c	(revision 4137)
@@ -260,7 +260,7 @@
 		return NULL;
 	}
 #endif
-#ifdef SHA256_DIGEST_LENGTH
+#if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
 	/* if we have sha256, set the cipher list to have no known vulns */
 	if(!SSL_CTX_set_cipher_list(rc->ctx, "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
 		log_crypto_err("coult not set cipher list with SSL_CTX_set_cipher_list");


Best regards, Wouter