[gnutls-devel] Problem with proxied connections on 3.5.3

Stefan Bühler stbuehler at lighttpd.net
Tue Sep 20 23:36:46 CEST 2016


Hi,

I can reproduce the problem by simply responding with the same data as
shown in the PCAP file. (I'll try to describe it at the bottom).

It fails to verify the signature in the server key exchange:

(gdb) bt
#0  _nettle_rsa_verify (key=key at entry=0x7fffffffa7b0, m=m at entry=0x7fffffffa710, s=s at entry=0xad6f90) at rsa-verify.c:59
#1  0x00007ffff678cc7b in nettle_rsa_pkcs1_verify (key=key at entry=0x7fffffffa7b0, length=<optimized out>, digest_info=0xadf890 "010\r\006\t`\206H\001e\003\004\002\001\005", s=0xad6f90) at rsa-pkcs1-verify.c:53
#2  0x00007ffff7b7c211 in _wrap_nettle_pk_verify (algo=<optimized out>, vdata=0x7fffffffa840, signature=<optimized out>, pk_params=0xadf5f8) at pk.c:750
#3  0x00007ffff7ad2dbd in _pkcs1_rsa_verify_sig (me=me at entry=0x7ffff7dd2d10 <hash_algorithms+112>, text=text at entry=0x0, prehash=<optimized out>, signature=0x7fffffffab20, params=<optimized out>) at pubkey.c:1827
#4  0x00007ffff7ad56a2 in pubkey_verify_hashed_data (pk=GNUTLS_PK_RSA, hash_algo=0x7ffff7dd2d10 <hash_algorithms+112>, hash=0x7fffffffa960, signature=0x7fffffffab20, issuer_params=0xadf5f8) at pubkey.c:1908
#5  0x00007ffff7ac5cac in verify_tls_hash (session=session at entry=0xac7710, ver=ver at entry=0x7ffff7dd30c0 <sup_versions+96>, cert=cert at entry=0x7fffffffab30, hash_concat=hash_concat at entry=0x7fffffffa9e0, 
    signature=signature at entry=0x7fffffffab20, sha1pos=sha1pos at entry=0, sign_algo=GNUTLS_SIGN_RSA_SHA256, pk_algo=GNUTLS_PK_RSA) at tls-sig.c:266
#6  0x00007ffff7ac63f7 in _gnutls_handshake_verify_data (session=session at entry=0xac7710, cert=cert at entry=0x7fffffffab30, params=params at entry=0x7fffffffaba0, signature=signature at entry=0x7fffffffab20, 
    sign_algo=sign_algo at entry=GNUTLS_SIGN_RSA_SHA256) at tls-sig.c:360
#7  0x00007ffff7b4594a in _gnutls_proc_dhe_signature (session=session at entry=0xac7710, data=<optimized out>, data at entry=0xad9535 "\004\001\001", _data_size=_data_size at entry=260, vparams=vparams at entry=0x7fffffffaba0) at cert.c:2207
#8  0x00007ffff7b4e32d in proc_ecdhe_server_kx (session=0xac7710, data=0xad94f0 "\003", _data_size=329) at ecdhe.c:310
#9  0x00007ffff7ab5454 in _gnutls_recv_server_kx_message (session=session at entry=0xac7710) at kx.c:506
#10 0x00007ffff7ab0908 in handshake_client (session=0xac7710) at handshake.c:2845
#11 gnutls_handshake (session=0xac7710) at handshake.c:2597
#12 0x0000000000409c0d in do_handshake (socket=socket at entry=0x7fffffffc160) at cli.c:1673
#13 0x000000000040c917 in socket_open (hd=hd at entry=0x7fffffffc160, hostname=<optimized out>, service=service at entry=0x618d60 <service> "9090", app_proto=<optimized out>, flags=<optimized out>, msg=msg at entry=0x41066b "Connecting to", 
    rdata=<optimized out>) at socket.c:493
#14 0x000000000040732c in main (argc=<optimized out>, argv=<optimized out>) at cli.c:1222

"mpz_powm(m1, s, key->e, key->n);" seems to return a different result
in each run (m, s and key stay the same); the first 4 "words" in
m1 don't match m and are "random" (the other words match the expected
result).

(gdb) x/32xg m._mp_d
0xac9710:	0x804beb2263eecc36	0x6504286b7a368e8c
0xac9720:	0xb1a9862f7b773403	0xec5c042715893b74
0xac9730:	0x0304020105000420	0x0d06096086480165
0xac9740:	0xffffffff00303130	0xffffffffffffffff
0xac9750:	0xffffffffffffffff	0xffffffffffffffff
0xac9760:	0xffffffffffffffff	0xffffffffffffffff
0xac9770:	0xffffffffffffffff	0xffffffffffffffff
0xac9780:	0xffffffffffffffff	0xffffffffffffffff
0xac9790:	0xffffffffffffffff	0xffffffffffffffff
0xac97a0:	0xffffffffffffffff	0xffffffffffffffff
0xac97b0:	0xffffffffffffffff	0xffffffffffffffff
0xac97c0:	0xffffffffffffffff	0xffffffffffffffff
0xac97d0:	0xffffffffffffffff	0xffffffffffffffff
0xac97e0:	0xffffffffffffffff	0xffffffffffffffff
0xac97f0:	0xffffffffffffffff	0xffffffffffffffff
0xac9800:	0xffffffffffffffff	0x0001ffffffffffff
(gdb) x/32xg m1._mp_d
0xaddd00:	0x8b1c70bfdd2f162b	0x1a4525131c2f0f68
0xaddd10:	0x1d73f063c3e85044	0x9d6de468135ddd4e
0xaddd20:	0x0304020105000420	0x0d06096086480165
0xaddd30:	0xffffffff00303130	0xffffffffffffffff
0xaddd40:	0xffffffffffffffff	0xffffffffffffffff
0xaddd50:	0xffffffffffffffff	0xffffffffffffffff
0xaddd60:	0xffffffffffffffff	0xffffffffffffffff
0xaddd70:	0xffffffffffffffff	0xffffffffffffffff
0xaddd80:	0xffffffffffffffff	0xffffffffffffffff
0xaddd90:	0xffffffffffffffff	0xffffffffffffffff
0xaddda0:	0xffffffffffffffff	0xffffffffffffffff
0xadddb0:	0xffffffffffffffff	0xffffffffffffffff
0xadddc0:	0xffffffffffffffff	0xffffffffffffffff
0xadddd0:	0xffffffffffffffff	0xffffffffffffffff
0xaddde0:	0xffffffffffffffff	0xffffffffffffffff
0xadddf0:	0xffffffffffffffff	0x0001ffffffffffff

I don't see how this relates to the bisected commit, but maybe someone
else does.

Reproduce using:
- a Go program replaying the server part of the connection (also "supporting" HTTP CONNECT for curl)
- "gnutls-cli -d3 duckduckgo.com" (with "127.0.0.1 duckduckgo.com" in /etc/hosts)
- or "curl -x http://127.0.0.1:9090 https://duckduckgo.com"

gnutls-cli -d3 output (skipping the "initial asserts"):
[...]
Resolving 'duckduckgo.com:9090'...
Connecting to '127.0.0.1:9090'...
|<3>| ASSERT: constate.c[_gnutls_epoch_get]:600
|<3>| ASSERT: buffers.c[get_last_packet]:1159
|<3>| ASSERT: buffers.c[get_last_packet]:1159
|<3>| ASSERT: buffers.c[get_last_packet]:1159
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
|<3>| ASSERT: dn.c[_gnutls_x509_parse_dn]:250
|<3>| ASSERT: dn.c[_gnutls_x509_parse_dn]:250
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
 - subject `C=US,ST=Pennsylvania,L=Paoli,O=Duck Duck Go\, Inc.,CN=*.duckduckgo.com', issuer `C=US,O=DigiCert Inc,CN=DigiCert SHA2 Secure Server CA', serial 0x07622fe9d08fe56097dc5943b673cb02, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-05-25 00:00:00 UTC', expires `2017-07-26 12:00:00 UTC', SHA-1 fingerprint `cdb31f6fe0974565227249bb1ad08b1747b5ec61'
	Public Key ID:
		5c1d8e326fef9f3f52c84838b50e91bca7436c23
	Public key's random art:
		+--[ RSA 2048]----+
		|        . . .    |
		|         + = .   |
		|        + B +    |
		|       E # +     |
		|        S @ o .  |
		|         + + o . |
		|          . . .  |
		|           . . o |
		|            ..+.o|
		+-----------------+

- Certificate[1] info:
|<3>| ASSERT: dn.c[_gnutls_x509_parse_dn]:250
|<3>| ASSERT: dn.c[_gnutls_x509_parse_dn]:250
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
 - subject `C=US,O=DigiCert Inc,CN=DigiCert SHA2 Secure Server CA', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert Global Root CA', serial 0x01fda3eb6eca75c888438b724bcfbc91, RSA key 2048 bits, signed using RSA-SHA256, activated `2013-03-08 12:00:00 UTC', expires `2023-03-08 12:00:00 UTC', SHA-1 fingerprint `1fb86b1168ec743154062e8c9cc5b171a4b7ccb4'
|<3>| ASSERT: common.c[_gnutls_x509_get_raw_field2]:1516
|<3>| ASSERT: ocsp.c[find_signercert]:1888
|<3>| ASSERT: common.c[_gnutls_x509_der_encode]:860
|<3>| ASSERT: ocsp.c[find_signercert]:1942
|<3>| ASSERT: common.c[_gnutls_x509_get_raw_field2]:1516
|<3>| ASSERT: ocsp.c[gnutls_ocsp_resp_verify]:2200
|<3>| ASSERT: common.c[_gnutls_x509_get_raw_field2]:1516
|<3>| ASSERT: ocsp.c[find_signercert]:1888
|<3>| ASSERT: common.c[_gnutls_x509_der_encode]:860
|<3>| ASSERT: ocsp.c[find_signercert]:1942
|<3>| ASSERT: ocsp.c[gnutls_ocsp_resp_get_single]:1541
|<3>| ASSERT: common.c[x509_read_value]:693
|<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
|<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
|<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
|<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
|<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
|<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
|<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
|<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
|<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
|<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
|<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
|<3>| ASSERT: common.c[x509_read_value]:693
|<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
|<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:470
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: mpi.c[_gnutls_x509_read_uint]:246
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: common.c[x509_read_value]:693
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:470
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: common.c[x509_read_value]:693
- Status: The certificate is trusted. 
|<3>| ASSERT: buffers.c[get_last_packet]:1159
|<2>| received curve SECP256R1
|<3>| ASSERT: pk.c[_wrap_nettle_pk_verify]:756
|<3>| ASSERT: pubkey.c[pubkey_verify_hashed_data]:1911
|<3>| ASSERT: tls-sig.c[verify_tls_hash]:270
|<3>| ASSERT: tls-sig.c[_gnutls_handshake_verify_data]:365
|<3>| ASSERT: cert.c[_gnutls_proc_dhe_signature]:2213
|<3>| ASSERT: kx.c[_gnutls_recv_server_kx_message]:513
|<3>| ASSERT: handshake.c[handshake_client]:2847
*** Fatal error: Public key signature verification has failed.
*** handshake has failed: Public key signature verification has failed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls-test-responder.go
Type: text/x-go
Size: 22739 bytes
Desc: not available
URL: </pipermail/attachments/20160920/2bc761e4/attachment-0001.bin>
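The gdb dumps in the message are GMP limb arrays, least significant limb first: limbs 0..3 hold the 32-byte SHA-256 digest, limbs 4..6 hold the DER DigestInfo prefix (3031300d0609608648016503040201050004 20) and the 0x00 separator, and the top limb carries the 0x00 0x01 block type followed by 0xff padding. The Go program below is added here as an illustration; it is not the responder attached to this message and not GnuTLS or nettle code. It rebuilds the EMSA-PKCS1-v1_5 encoding for a freshly generated 2048-bit key, performs the raw s^e mod n comparison that nettle's rsa_pkcs1_verify makes (the frame at the top of the backtrace), and prints both sides in the same limb layout as the dumps, next to the result for a signature with one bit flipped. The key and the signed message are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// DER prefix of a SHA-256 DigestInfo (RFC 8017, section 9.2, note 1).
var sha256DigestInfo = []byte{
	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
	0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20,
}

// EmsaPKCS1v15 builds EM = 0x00 || 0x01 || PS || 0x00 || T for a SHA-256
// digest, where T is the DigestInfo and PS is at least eight 0xff bytes.
func EmsaPKCS1v15(digest [32]byte, k int) ([]byte, error) {
	t := append(append([]byte{}, sha256DigestInfo...), digest[:]...)
	if k < len(t)+11 {
		return nil, errors.New("modulus too short for PKCS#1 v1.5 encoding")
	}
	em := make([]byte, k) // em[0] and the separator byte stay 0x00
	em[1] = 0x01
	for i := 2; i < k-len(t)-1; i++ {
		em[i] = 0xff
	}
	copy(em[k-len(t):], t)
	return em, nil
}

// Limbs splits a big-endian integer into 64-bit limbs, least significant
// first, which is how GMP lays out _mp_d and how the gdb dumps read.
func Limbs(be []byte) []uint64 {
	n := (len(be) + 7) / 8
	padded := make([]byte, n*8)
	copy(padded[n*8-len(be):], be)
	out := make([]uint64, n)
	for i := range out {
		out[i] = binary.BigEndian.Uint64(padded[len(padded)-8*(i+1):])
	}
	return out
}

// VerifyRaw does the comparison nettle makes: m1 = s^e mod n must equal the
// expected EM. Both sides are returned as limbs for inspection.
func VerifyRaw(pub *rsa.PublicKey, msg, sig []byte) (ok bool, m, m1 []uint64, err error) {
	k := (pub.N.BitLen() + 7) / 8
	em, err := EmsaPKCS1v15(sha256.Sum256(msg), k)
	if err != nil {
		return false, nil, nil, err
	}
	s := new(big.Int).SetBytes(sig)
	if s.Cmp(pub.N) >= 0 {
		return false, nil, nil, errors.New("signature out of range")
	}
	r := new(big.Int).Exp(s, big.NewInt(int64(pub.E)), pub.N)
	rb := make([]byte, k)
	r.FillBytes(rb)
	return new(big.Int).SetBytes(em).Cmp(r) == 0, Limbs(em), Limbs(rb), nil
}

// Demo signs a constructed message with a fresh 2048-bit key and returns the
// raw verification of the genuine signature and of a one-bit-corrupted copy.
func Demo() (ok bool, m, m1 []uint64, corruptOK bool, corruptM1 []uint64, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // constructed key, not the server's
	if err != nil {
		return
	}
	msg := []byte("constructed ServerKeyExchange bytes, not taken from the PCAP")
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return
	}
	ok, m, m1, err = VerifyRaw(&priv.PublicKey, msg, sig)
	if err != nil {
		return
	}
	bad := append([]byte{}, sig...)
	bad[len(bad)-1] ^= 0x01 // flip one bit of the signature
	corruptOK, _, corruptM1, err = VerifyRaw(&priv.PublicKey, msg, bad)
	return
}

func main() {
	ok, m, m1, corruptOK, corruptM1, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine signature verifies:", ok, " corrupted copy verifies:", corruptOK)
	for i := range m {
		fmt.Printf("limb %2d  m=%016x  m1=%016x  corrupt=%016x\n", i, m[i], m1[i], corruptM1[i])
	}
}
```

The corrupted column is the useful comparison point: when s^e mod n is computed correctly from wrong inputs (altered data, wrong key, damaged signature), the result has no recognizable structure at all, so the padding, separator and DigestInfo limbs do not survive. A result whose DigestInfo and padding limbs match while only the digest limbs differ is therefore not what a merely failed verification looks like.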
