[gnutls-devel] GnuTLS | pubkey: avoid spurious audit messages from _gnutls_pubkey_compatible_with_sig() (!1301)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Wed Jul 22 14:43:52 CEST 2020

Petr Pavlu created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1301

Project:Branches: petrpavlu/gnutls:sign-spurious-message to gnutls/gnutls:master
Author:    Petr Pavlu

When checking in `_gnutls_pubkey_compatible_with_sig()` whether a public key is compatible with a signature algorithm, first run `pubkey_supports_sig()` before performing the weaker checks that can accept the given algorithm but with an audit-log warning. This avoids an issue where a weaker check would log an audit message for some signature algorithm that would then be determined as incompatible by the `pubkey_supports_sig()` check anyway.

For instance, a GnuTLS server might have a certificate with a SECP384R1 public key, and a client can report that it supports ECDSA-SECP256R1-SHA256 and ECDSA-SECP384R1-SHA384. In such a case, the GnuTLS server will eventually find that it must use ECDSA-SECP384R1-SHA384 with this public key. However, the code would first run `_gnutls_pubkey_compatible_with_sig()` to check if SECP384R1 is compatible with ECDSA-SECP256R1-SHA256. The function would report the audit warning "The hash size used in signature (32) is less than the expected (48)" but then reject the signature algorithm in `pubkey_supports_sig()` as incompatible because it has a different curve. Since the algorithm gets rejected, it is not necessary to inform about its hash size difference in the audit log.

The problem can be reproduced as follows:

1. Run a server:

       $ certtool --generate-privkey --key-type=ecdsa --curve=secp384r1 --outfile=server_privkey.pem
       $ certtool --generate-self-signed --load-privkey=server_privkey.pem --outfile=server_cert.pem
       [use defaults, set a sensible expiration date]
       $ gnutls-serv --x509keyfile=server_privkey.pem --x509certfile=server_cert.pem --port=4567
       HTTP Server listening on IPv4 port 4567...done
       HTTP Server listening on IPv6 :: port 4567...done

2. Connect a client:

       $ gnutls-cli --port=4567 --insecure localhost
       Processed 0 CA certificate(s).
       Resolving 'localhost:4567'...
       Connecting to '::1:4567'...

3. Output on the server:

       * Accepted connection from IPv6 ::1 port 44786 on Wed Jul 22 14:22:26 202
       |<0x5608c399e3c0>| The hash size used in signature (32) is less than the expected (48)
       |<0x5608c399e3c0>| The hash size used in signature (32) is less than the expected (48)

## Checklist
 * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
 * [ ] Code modified for feature
 * [ ] Test suite updated with functionality tests
 * [ ] Test suite updated with negative tests
 * [ ] Documentation updated / NEWS entry present (for non-trivial changes)
 * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
 * [ ] Any issues marked for closing are addressed
 * [ ] There is a test suite reasonably covering new functionality or modifications
 * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
 * [ ] This feature/change has adequate documentation added
 * [ ] No obvious mistakes in the code
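The check ordering described in the merge request, as an added C model that is not GnuTLS's own code: the `struct pubkey`/`struct sigalg` types, `model_supports_sig()` (standing in for `pubkey_supports_sig()`), `model_hash_size_check()` (standing in for the weaker check), `compatible_before()`/`compatible_after()`, and the curve-agnostic `CURVE_ANY` algorithm are all assumptions for illustration. The server-side loop picks the first client-offered algorithm the key accepts, and the audit log is captured so the two orderings can be compared on the constructed P-384 scenario from the description.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model, not the GnuTLS API. CURVE_ANY models a curve-agnostic
 * (TLS 1.2 style) ECDSA algorithm, for which the hash-size warning is still
 * the right outcome after the change. */
enum curve { CURVE_ANY = 0, CURVE_SECP256R1, CURVE_SECP384R1, CURVE_SECP521R1 };

struct pubkey { enum curve curve; };

struct sigalg {
    const char *name;
    enum curve curve;     /* curve the algorithm is bound to, or CURVE_ANY */
    unsigned hash_size;   /* digest length in bytes */
};

#define AUDIT_MAX 8
struct audit_log { char msg[AUDIT_MAX][128]; int n; };

static void audit_log_msg(struct audit_log *log, const char *msg)
{
    if (log->n < AUDIT_MAX)
        snprintf(log->msg[log->n++], sizeof log->msg[0], "%s", msg);
}

static unsigned expected_hash_size(enum curve c)
{
    switch (c) {
    case CURVE_SECP256R1: return 32;
    case CURVE_SECP384R1: return 48;
    case CURVE_SECP521R1: return 64;
    default: return 0;
    }
}

/* Hard check (stands in for pubkey_supports_sig()): a curve-bound ECDSA
 * algorithm must use the key's curve; a curve-agnostic one is accepted. */
static int model_supports_sig(const struct pubkey *pk, const struct sigalg *sa)
{
    return sa->curve == CURVE_ANY || sa->curve == pk->curve;
}

/* Weaker check: always accepts, but records an audit message when the digest
 * is shorter than what the key's curve is expected to be used with. */
static int model_hash_size_check(const struct pubkey *pk, const struct sigalg *sa,
                                 struct audit_log *log)
{
    unsigned expected = expected_hash_size(pk->curve);
    if (sa->hash_size < expected) {
        char buf[128];
        snprintf(buf, sizeof buf,
                 "The hash size used in signature (%u) is less than the expected (%u)",
                 sa->hash_size, expected);
        audit_log_msg(log, buf);
    }
    return 1;
}

typedef int (*compat_fn)(const struct pubkey *, const struct sigalg *, struct audit_log *);

/* Ordering before the change: the weaker check logs before the hard check
 * rejects the algorithm anyway. */
int compatible_before(const struct pubkey *pk, const struct sigalg *sa, struct audit_log *log)
{
    if (!model_hash_size_check(pk, sa, log))
        return 0;
    return model_supports_sig(pk, sa);
}

/* Ordering after the change: incompatible algorithms are rejected first, so
 * the audit message is only emitted for algorithms that can actually be used. */
int compatible_after(const struct pubkey *pk, const struct sigalg *sa, struct audit_log *log)
{
    if (!model_supports_sig(pk, sa))
        return 0;
    return model_hash_size_check(pk, sa, log);
}

/* Server-side selection: the first client-offered algorithm the key accepts.
 * Returns the number of audit messages produced; *chosen gets the winner. */
int run_scenario(const struct pubkey *pk, compat_fn compat, const struct sigalg *offered,
                 size_t n, const struct sigalg **chosen)
{
    struct audit_log log = {0};
    *chosen = NULL;
    for (size_t i = 0; i < n && *chosen == NULL; i++)
        if (compat(pk, &offered[i], &log))
            *chosen = &offered[i];
    return log.n;
}

/* Constructed inputs: the P-384 key and the two algorithms from the description,
 * plus one curve-agnostic algorithm to show the warning that should remain. */
const struct pubkey key_p384 = { CURVE_SECP384R1 };
const struct sigalg offered_p256_p384[2] = {
    { "ECDSA-SECP256R1-SHA256", CURVE_SECP256R1, 32 },
    { "ECDSA-SECP384R1-SHA384", CURVE_SECP384R1, 48 },
};
const struct sigalg offered_agnostic[1] = { { "ECDSA-SHA256 (any curve)", CURVE_ANY, 32 } };

int main(void)
{
    const struct sigalg *b, *a;
    int nb = run_scenario(&key_p384, compatible_before, offered_p256_p384, 2, &b);
    int na = run_scenario(&key_p384, compatible_after, offered_p256_p384, 2, &a);
    printf("before: chose %s, %d audit message(s)\n", b ? b->name : "none", nb);
    printf("after:  chose %s, %d audit message(s)\n", a ? a->name : "none", na);
    return 0;
}
```

Both orderings select ECDSA-SECP384R1-SHA384; only the old ordering logs a warning for the rejected ECDSA-SECP256R1-SHA256. With the curve-agnostic algorithm the hard check passes, so the warning is still emitted after the change, which is the behaviour the reordering must preserve.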

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1301

