[gnutls-devel] Problem with proxied connections on 3.5.3

Stefan Bühler stbuehler at lighttpd.net
Wed Sep 21 00:07:11 CEST 2016


Hi,

Sorry. My fault - the server key exchange fails of course
due to the mismatching client random, which is included in
the key exchange signature...

Also I confused m and m1, so the power function always
returned the same data, just the hash didn't match it.

It's obviously already too late :)

Sorry again. I hope the go program still is useful;
just need a way to fix the client random to the original
value.

On 09/20/2016 11:36 PM, Stefan Bühler wrote:
> Hi,
> 
> I can reproduce the problem by simply responding with the same data as
> shown in the PCAP file. (I'll try to describe it at the bottom).
> 
> It fails to verify the signature in the server key exchange:
> 
> (gdb) bt
> #0  _nettle_rsa_verify (key=key at entry=0x7fffffffa7b0, m=m at entry=0x7fffffffa710, s=s at entry=0xad6f90) at rsa-verify.c:59
> #1  0x00007ffff678cc7b in nettle_rsa_pkcs1_verify (key=key at entry=0x7fffffffa7b0, length=<optimized out>, digest_info=0xadf890 "010\r\006\t`\206H\001e\003\004\002\001\005", s=0xad6f90) at rsa-pkcs1-verify.c:53
> #2  0x00007ffff7b7c211 in _wrap_nettle_pk_verify (algo=<optimized out>, vdata=0x7fffffffa840, signature=<optimized out>, pk_params=0xadf5f8) at pk.c:750
> #3  0x00007ffff7ad2dbd in _pkcs1_rsa_verify_sig (me=me at entry=0x7ffff7dd2d10 <hash_algorithms+112>, text=text at entry=0x0, prehash=<optimized out>, signature=0x7fffffffab20, params=<optimized out>) at pubkey.c:1827
> #4  0x00007ffff7ad56a2 in pubkey_verify_hashed_data (pk=GNUTLS_PK_RSA, hash_algo=0x7ffff7dd2d10 <hash_algorithms+112>, hash=0x7fffffffa960, signature=0x7fffffffab20, issuer_params=0xadf5f8) at pubkey.c:1908
> #5  0x00007ffff7ac5cac in verify_tls_hash (session=session at entry=0xac7710, ver=ver at entry=0x7ffff7dd30c0 <sup_versions+96>, cert=cert at entry=0x7fffffffab30, hash_concat=hash_concat at entry=0x7fffffffa9e0, 
>     signature=signature at entry=0x7fffffffab20, sha1pos=sha1pos at entry=0, sign_algo=GNUTLS_SIGN_RSA_SHA256, pk_algo=GNUTLS_PK_RSA) at tls-sig.c:266
> #6  0x00007ffff7ac63f7 in _gnutls_handshake_verify_data (session=session at entry=0xac7710, cert=cert at entry=0x7fffffffab30, params=params at entry=0x7fffffffaba0, signature=signature at entry=0x7fffffffab20, 
>     sign_algo=sign_algo at entry=GNUTLS_SIGN_RSA_SHA256) at tls-sig.c:360
> #7  0x00007ffff7b4594a in _gnutls_proc_dhe_signature (session=session at entry=0xac7710, data=<optimized out>, data at entry=0xad9535 "\004\001\001", _data_size=_data_size at entry=260, vparams=vparams at entry=0x7fffffffaba0) at cert.c:2207
> #8  0x00007ffff7b4e32d in proc_ecdhe_server_kx (session=0xac7710, data=0xad94f0 "\003", _data_size=329) at ecdhe.c:310
> #9  0x00007ffff7ab5454 in _gnutls_recv_server_kx_message (session=session at entry=0xac7710) at kx.c:506
> #10 0x00007ffff7ab0908 in handshake_client (session=0xac7710) at handshake.c:2845
> #11 gnutls_handshake (session=0xac7710) at handshake.c:2597
> #12 0x0000000000409c0d in do_handshake (socket=socket at entry=0x7fffffffc160) at cli.c:1673
> #13 0x000000000040c917 in socket_open (hd=hd at entry=0x7fffffffc160, hostname=<optimized out>, service=service at entry=0x618d60 <service> "9090", app_proto=<optimized out>, flags=<optimized out>, msg=msg at entry=0x41066b "Connecting to", 
>     rdata=<optimized out>) at socket.c:493
> #14 0x000000000040732c in main (argc=<optimized out>, argv=<optimized out>) at cli.c:1222
> 
> "mpz_powm(m1, s, key->e, key->n);" seems to return a different result
> in each run (m, s and key stay the same); the first 4 "words" in
> m1 don't match m and are "random" (the other words match the expected
> result).
> 
> (gdb) x/32xg m._mp_d
> 0xac9710:	0x804beb2263eecc36	0x6504286b7a368e8c
> 0xac9720:	0xb1a9862f7b773403	0xec5c042715893b74
> 0xac9730:	0x0304020105000420	0x0d06096086480165
> 0xac9740:	0xffffffff00303130	0xffffffffffffffff
> 0xac9750:	0xffffffffffffffff	0xffffffffffffffff
> 0xac9760:	0xffffffffffffffff	0xffffffffffffffff
> 0xac9770:	0xffffffffffffffff	0xffffffffffffffff
> 0xac9780:	0xffffffffffffffff	0xffffffffffffffff
> 0xac9790:	0xffffffffffffffff	0xffffffffffffffff
> 0xac97a0:	0xffffffffffffffff	0xffffffffffffffff
> 0xac97b0:	0xffffffffffffffff	0xffffffffffffffff
> 0xac97c0:	0xffffffffffffffff	0xffffffffffffffff
> 0xac97d0:	0xffffffffffffffff	0xffffffffffffffff
> 0xac97e0:	0xffffffffffffffff	0xffffffffffffffff
> 0xac97f0:	0xffffffffffffffff	0xffffffffffffffff
> 0xac9800:	0xffffffffffffffff	0x0001ffffffffffff
> (gdb) x/32xg m1._mp_d
> 0xaddd00:	0x8b1c70bfdd2f162b	0x1a4525131c2f0f68
> 0xaddd10:	0x1d73f063c3e85044	0x9d6de468135ddd4e
> 0xaddd20:	0x0304020105000420	0x0d06096086480165
> 0xaddd30:	0xffffffff00303130	0xffffffffffffffff
> 0xaddd40:	0xffffffffffffffff	0xffffffffffffffff
> 0xaddd50:	0xffffffffffffffff	0xffffffffffffffff
> 0xaddd60:	0xffffffffffffffff	0xffffffffffffffff
> 0xaddd70:	0xffffffffffffffff	0xffffffffffffffff
> 0xaddd80:	0xffffffffffffffff	0xffffffffffffffff
> 0xaddd90:	0xffffffffffffffff	0xffffffffffffffff
> 0xaddda0:	0xffffffffffffffff	0xffffffffffffffff
> 0xadddb0:	0xffffffffffffffff	0xffffffffffffffff
> 0xadddc0:	0xffffffffffffffff	0xffffffffffffffff
> 0xadddd0:	0xffffffffffffffff	0xffffffffffffffff
> 0xaddde0:	0xffffffffffffffff	0xffffffffffffffff
> 0xadddf0:	0xffffffffffffffff	0x0001ffffffffffff
> 
> I don't see how this relates to the bisected commit, but maybe someone
> else does.
> 
> Reproduce using:
> - a go program replaying the server part of the connection (also "supporting" http connect for curl)
> - "gnutls-cli -d3 duckduckgo.com" (with "127.0.0.1 duckduckgo.com" in /etc/hosts)
> - or "curl -x http://127.0.0.1:9090 https://duckduckgo.com"
> 
> gnutls-cli -d3 output (skipping the "initial asserts"):
> [...]
> Resolving 'duckduckgo.com:9090'...
> Connecting to '127.0.0.1:9090'...
> |<3>| ASSERT: constate.c[_gnutls_epoch_get]:600
> |<3>| ASSERT: buffers.c[get_last_packet]:1159
> |<3>| ASSERT: buffers.c[get_last_packet]:1159
> |<3>| ASSERT: buffers.c[get_last_packet]:1159
> - Certificate type: X.509
> - Got a certificate list of 2 certificates.
> - Certificate[0] info:
> |<3>| ASSERT: dn.c[_gnutls_x509_parse_dn]:250
> |<3>| ASSERT: dn.c[_gnutls_x509_parse_dn]:250
> |<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
>  - subject `C=US,ST=Pennsylvania,L=Paoli,O=Duck Duck Go\, Inc.,CN=*.duckduckgo.com', issuer `C=US,O=DigiCert Inc,CN=DigiCert SHA2 Secure Server CA', serial 0x07622fe9d08fe56097dc5943b673cb02, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-05-25 00:00:00 UTC', expires `2017-07-26 12:00:00 UTC', SHA-1 fingerprint `cdb31f6fe0974565227249bb1ad08b1747b5ec61'
> 	Public Key ID:
> 		5c1d8e326fef9f3f52c84838b50e91bca7436c23
> 	Public key's random art:
> 		+--[ RSA 2048]----+
> 		|        . . .    |
> 		|         + = .   |
> 		|        + B +    |
> 		|       E # +     |
> 		|        S @ o .  |
> 		|         + + o . |
> 		|          . . .  |
> 		|           . . o |
> 		|            ..+.o|
> 		+-----------------+
> 
> - Certificate[1] info:
> |<3>| ASSERT: dn.c[_gnutls_x509_parse_dn]:250
> |<3>| ASSERT: dn.c[_gnutls_x509_parse_dn]:250
> |<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
>  - subject `C=US,O=DigiCert Inc,CN=DigiCert SHA2 Secure Server CA', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert Global Root CA', serial 0x01fda3eb6eca75c888438b724bcfbc91, RSA key 2048 bits, signed using RSA-SHA256, activated `2013-03-08 12:00:00 UTC', expires `2023-03-08 12:00:00 UTC', SHA-1 fingerprint `1fb86b1168ec743154062e8c9cc5b171a4b7ccb4'
> |<3>| ASSERT: common.c[_gnutls_x509_get_raw_field2]:1516
> |<3>| ASSERT: ocsp.c[find_signercert]:1888
> |<3>| ASSERT: common.c[_gnutls_x509_der_encode]:860
> |<3>| ASSERT: ocsp.c[find_signercert]:1942
> |<3>| ASSERT: common.c[_gnutls_x509_get_raw_field2]:1516
> |<3>| ASSERT: ocsp.c[gnutls_ocsp_resp_verify]:2200
> |<3>| ASSERT: common.c[_gnutls_x509_get_raw_field2]:1516
> |<3>| ASSERT: ocsp.c[find_signercert]:1888
> |<3>| ASSERT: common.c[_gnutls_x509_der_encode]:860
> |<3>| ASSERT: ocsp.c[find_signercert]:1942
> |<3>| ASSERT: ocsp.c[gnutls_ocsp_resp_get_single]:1541
> |<3>| ASSERT: common.c[x509_read_value]:693
> |<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
> |<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
> |<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
> |<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
> |<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
> |<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
> |<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
> |<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
> |<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
> |<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
> |<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
> |<3>| ASSERT: common.c[x509_read_value]:693
> |<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
> |<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:919
> |<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
> |<3>| ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:470
> |<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
> |<3>| ASSERT: mpi.c[_gnutls_x509_read_uint]:246
> |<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
> |<3>| ASSERT: common.c[x509_read_value]:693
> |<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
> |<3>| ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:470
> |<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
> |<3>| ASSERT: common.c[x509_read_value]:693
> - Status: The certificate is trusted. 
> |<3>| ASSERT: buffers.c[get_last_packet]:1159
> |<2>| received curve SECP256R1
> |<3>| ASSERT: pk.c[_wrap_nettle_pk_verify]:756
> |<3>| ASSERT: pubkey.c[pubkey_verify_hashed_data]:1911
> |<3>| ASSERT: tls-sig.c[verify_tls_hash]:270
> |<3>| ASSERT: tls-sig.c[_gnutls_handshake_verify_data]:365
> |<3>| ASSERT: cert.c[_gnutls_proc_dhe_signature]:2213
> |<3>| ASSERT: kx.c[_gnutls_recv_server_kx_message]:513
> |<3>| ASSERT: handshake.c[handshake_client]:2847
> *** Fatal error: Public key signature verification has failed.
> *** handshake has failed: Public key signature verification has failed.
> 
> 
> 
> 

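The two points this thread turns on, shown as an added Go example (not part of the original mails and not Stefan's replay program): a TLS 1.2 ECDHE ServerKeyExchange signature covers client_random || server_random || ServerECDHParams (RFC 5246 section 7.4.3, RFC 4492 section 5.4), so a captured ServerKeyExchange replayed to a client that chose a fresh client random cannot verify; and the PKCS#1 v1.5 comparison nettle makes between the expected encoded message m and m1 = s^e mod n, where only the trailing 32 hash bytes differ. In the gdb limb dumps above those 32 bytes are the first four 64-bit limbs (limbs are least significant first), the DigestInfo prefix 3031300d060960864801650304020105000420 sits in the next limbs, and the rest is the 0xff padding ending in 0x0001. The RSA key, the randoms and the ECDH parameter bytes are constructed for the example; the function and field names are assumptions of this example, not gnutls or nettle identifiers.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1); this is
// the 3031300d060960864801650304020105000420 visible in the gdb dumps.
var sha256Prefix = []byte{
	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
	0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20,
}

// skxSignedInput is the byte string a TLS 1.2 ECDHE ServerKeyExchange
// signature covers: client_random || server_random || ServerECDHParams.
func skxSignedInput(clientRandom, serverRandom, ecdhParams []byte) []byte {
	in := make([]byte, 0, len(clientRandom)+len(serverRandom)+len(ecdhParams))
	in = append(in, clientRandom...)
	in = append(in, serverRandom...)
	return append(in, ecdhParams...)
}

// emsaPKCS1v15 builds the encoded message the verifier expects (nettle's m):
// 0x00 || 0x01 || PS (0xff bytes) || 0x00 || DigestInfo || H.
func emsaPKCS1v15(hash []byte, emLen int) []byte {
	t := append(append([]byte{}, sha256Prefix...), hash...)
	em := make([]byte, emLen)
	em[1] = 0x01
	for i := 2; i < emLen-len(t)-1; i++ {
		em[i] = 0xff
	}
	copy(em[emLen-len(t):], t) // em[emLen-len(t)-1] stays 0x00
	return em
}

// rsaVerifyPrimitive is s^e mod n as a big-endian string of modulus size,
// i.e. nettle's m1 from mpz_powm(m1, s, key->e, key->n).
func rsaVerifyPrimitive(pub *rsa.PublicKey, sig []byte) []byte {
	s := new(big.Int).SetBytes(sig)
	m1 := new(big.Int).Exp(s, big.NewInt(int64(pub.E)), pub.N)
	return m1.FillBytes(make([]byte, pub.Size()))
}

// ReplayResult records what a client sees when a captured ServerKeyExchange
// is replayed to it after it picked a different client random.
type ReplayResult struct {
	OriginalVerifies  bool // full PKCS#1 v1.5 check with the original client random
	OriginalEMMatches bool // m1 equals the expected EM for the original randoms
	ReplayVerifies    bool // same check with the replaying client's random
	PrefixMatches     bool // padding and DigestInfo of m and m1 agree for the replay
	HashMatches       bool // trailing 32 hash bytes of m and m1 agree for the replay
}

// ReplayDemo signs one ServerKeyExchange, then checks it against the original
// client random and against a fresh one, comparing m and m1 byte by byte.
func ReplayDemo(bits int) (ReplayResult, error) {
	var r ReplayResult
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return r, err
	}
	// Constructed sample values; real randoms are 32 bytes, and ServerECDHParams
	// would carry the 64-byte secp256r1 point after the 0x04 header.
	clientRandom := bytes.Repeat([]byte{0xc1}, 32)
	serverRandom := bytes.Repeat([]byte{0x5e}, 32)
	ecdhParams := []byte{0x03, 0x00, 0x17, 0x41, 0x04} // named_curve, secp256r1, len 65, uncompressed
	h := sha256.Sum256(skxSignedInput(clientRandom, serverRandom, ecdhParams))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return r, err
	}
	pub := &priv.PublicKey
	m1 := rsaVerifyPrimitive(pub, sig) // fixed by the captured signature alone
	r.OriginalVerifies = rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
	r.OriginalEMMatches = bytes.Equal(emsaPKCS1v15(h[:], pub.Size()), m1)

	// The replaying client sent its own random, so it hashes different bytes
	// while the replayed signature, and therefore m1, is unchanged.
	replayRandom := bytes.Repeat([]byte{0xd2}, 32)
	h2 := sha256.Sum256(skxSignedInput(replayRandom, serverRandom, ecdhParams))
	r.ReplayVerifies = rsa.VerifyPKCS1v15(pub, crypto.SHA256, h2[:], sig) == nil
	m := emsaPKCS1v15(h2[:], pub.Size())
	cut := len(m) - sha256.Size
	r.PrefixMatches = bytes.Equal(m[:cut], m1[:cut])
	r.HashMatches = bytes.Equal(m[cut:], m1[cut:])
	return r, nil
}

func main() {
	r, err := ReplayDemo(2048)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

With a 2048-bit key the encoded message is 256 bytes, the same 32 quadwords as in the dumps; a replay tool therefore has to reuse the captured client random (or re-sign with a key the client trusts, which a passive capture does not allow), which is exactly the fix the follow-up mail describes.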