[gnutls-devel] GnuTLS | Wrong alerts for malformed CertificateVerify messages in TLS 1.2 (#848)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Thu Oct 24 16:43:18 CEST 2019
Hubert Kario (@mention me if you need reply) created an issue: https://gitlab.com/gnutls/gnutls/issues/848
## Description of problem:
When GnuTLS (e4a7db34259295e) receives a CertificateVerify with algorithms that don't match ones sent in CertificateRequest or which are incorrect (use different hash than indicated), it sends wrong alerts (`handshake_failure` instead of `decrypt_error` or `illegal_parameter`)
## Version of gnutls used:
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
## How reproducible:
Steps to Reproduce:
* `doc/credentials/gnutls-http-serv --priority NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+DHE-PSK:+PSK:+SHA384:+SHA256 -p 4433 -d 6`
* `python scripts/test-ecdsa-in-certificate-verify.py -k /tmp/client-p256/key.pem -c /tmp/client-p256/cert.pem`
## Actual results:
make sha224+ecdsa signature, advertise it as sha1+ecdsa in CertificateVerify ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7ff2e6b64090> (child: <tlsfuzzer.expect.ExpectClose object at 0x7ff2e6b640d0>) with last message being: <tlslite.messages.Message object at 0x7ff2e6abf410>
Error while processing
Traceback (most recent call last):
File "scripts/test-ecdsa-in-certificate-verify.py", line 274, in main
File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 227, in run
File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/expect.py", line 1484, in process
AssertionError: Expected alert description "decrypt_error" does not match received "handshake_failure"
Test support for ECDSA signatures in CertificateVerify
'make sha224+ecdsa signature in CertificateVerify'
'make sha224+ecdsa signature, advertise it as sha1+ecdsa in CertificateVerify'
'make sha224+ecdsa signature, advertise it as sha256+ecdsa in CertificateVerify'
'make sha224+ecdsa signature, advertise it as sha384+ecdsa in CertificateVerify'
'make sha224+ecdsa signature, advertise it as sha512+ecdsa in CertificateVerify'
## Expected results:
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/848
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Gnutls-devel