<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<p class="details" style="font-style: italic; color: #777;">
<a href="https://gitlab.com/tomato42">Hubert Kario (@mention me if you need reply)</a> created an issue:
</p>
<div></div>
<h2 dir="auto">
<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>
<p dir="auto">When GnuTLS (<a href="https://gitlab.com/gnutls/gnutls/commit/e4a7db34259295ebb32a0255215471323948efbb" data-original="e4a7db34259295e" data-link="false" data-link-reference="false" data-project="179611" data-commit="e4a7db34259295ebb32a0255215471323948efbb" data-reference-type="commit" data-container="body" data-placement="bottom" title="Merge branch 'tls-continuous-mac' into 'master'" class="gfm gfm-commit has-tooltip">e4a7db34</a>) receives a CertificateVerify with algorithms that don't match the ones sent in CertificateRequest, or which are incorrect (use a different hash than indicated), it sends the wrong alerts (<code>handshake_failure</code> instead of <code>decrypt_error</code> or <code>illegal_parameter</code>).</p>
<h2 dir="auto">
<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>
<h2 dir="auto">
<a id="user-content-distributor-of-gnutls-eg-ubuntu-fedora-rhel" class="anchor" href="#distributor-of-gnutls-eg-ubuntu-fedora-rhel" aria-hidden="true"></a>Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)</h2>
<p dir="auto"><a href="https://gitlab.com/gnutls/gnutls/commit/e4a7db34259295ebb32a0255215471323948efbb" data-original="e4a7db34259295e" data-link="false" data-link-reference="false" data-project="179611" data-commit="e4a7db34259295ebb32a0255215471323948efbb" data-reference-type="commit" data-container="body" data-placement="bottom" title="Merge branch 'tls-continuous-mac' into 'master'" class="gfm gfm-commit has-tooltip">e4a7db34</a></p>
<h2 dir="auto">
<a id="user-content-how-reproducible" class="anchor" href="#how-reproducible" aria-hidden="true"></a>How reproducible:</h2>
<p dir="auto">Steps to Reproduce:</p>
<ul dir="auto">
<li><code>doc/credentials/gnutls-http-serv --priority NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+DHE-PSK:+PSK:+SHA384:+SHA256 -p 4433 -d 6</code></li>
<li><a href="https://github.com/tomato42/tlsfuzzer/pull/604" rel="nofollow noreferrer noopener" target="_blank">https://github.com/tomato42/tlsfuzzer/pull/604</a></li>
<li><code>python scripts/test-ecdsa-in-certificate-verify.py -k /tmp/client-p256/key.pem -c /tmp/client-p256/cert.pem</code></li>
</ul>
<h2 dir="auto">
<a id="user-content-actual-results" class="anchor" href="#actual-results" aria-hidden="true"></a>Actual results:</h2>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">...</span>
<span id="LC2" class="line" lang="plaintext"></span>
<span id="LC3" class="line" lang="plaintext">make sha224+ecdsa signature, advertise it as sha1+ecdsa in CertificateVerify ...</span>
<span id="LC4" class="line" lang="plaintext">Error encountered while processing node &lt;tlsfuzzer.expect.ExpectAlert object at 0x7ff2e6b64090&gt; (child: &lt;tlsfuzzer.expect.ExpectClose object at 0x7ff2e6b640d0&gt;) with last message being: &lt;tlslite.messages.Message object at 0x7ff2e6abf410&gt;</span>
<span id="LC5" class="line" lang="plaintext">Error while processing</span>
<span id="LC6" class="line" lang="plaintext">Traceback (most recent call last):</span>
<span id="LC7" class="line" lang="plaintext">  File "scripts/test-ecdsa-in-certificate-verify.py", line 274, in main</span>
<span id="LC8" class="line" lang="plaintext">    runner.run()</span>
<span id="LC9" class="line" lang="plaintext">  File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 227, in run</span>
<span id="LC10" class="line" lang="plaintext">    node.process(self.state, msg)</span>
<span id="LC11" class="line" lang="plaintext">  File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/expect.py", line 1484, in process</span>
<span id="LC12" class="line" lang="plaintext">    raise AssertionError(problem_desc)</span>
<span id="LC13" class="line" lang="plaintext">AssertionError: Expected alert description "decrypt_error" does not match received "handshake_failure"</span>
<span id="LC14" class="line" lang="plaintext"></span>
<span id="LC15" class="line" lang="plaintext">...</span>
<span id="LC16" class="line" lang="plaintext"></span>
<span id="LC17" class="line" lang="plaintext">Test support for ECDSA signatures in CertificateVerify</span>
<span id="LC18" class="line" lang="plaintext"></span>
<span id="LC19" class="line" lang="plaintext">Version: 1</span>
<span id="LC20" class="line" lang="plaintext">Test end</span>
<span id="LC21" class="line" lang="plaintext">successful: 22</span>
<span id="LC22" class="line" lang="plaintext">failed: 6</span>
<span id="LC23" class="line" lang="plaintext">  'make sha224+ecdsa signature in CertificateVerify'</span>
<span id="LC24" class="line" lang="plaintext">  'make sha224+ecdsa signature, advertise it as sha1+ecdsa in CertificateVerify'</span>
<span id="LC25" class="line" lang="plaintext">  'make sha224+ecdsa signature, advertise it as sha256+ecdsa in CertificateVerify'</span>
<span id="LC26" class="line" lang="plaintext">  'make sha224+ecdsa signature, advertise it as sha384+ecdsa in CertificateVerify'</span>
<span id="LC27" class="line" lang="plaintext">  'make sha224+ecdsa signature, advertise it as sha512+ecdsa in CertificateVerify'</span>
<span id="LC28" class="line" lang="plaintext">  'md5+ecdsa forced'</span>
<span id="LC29" class="line" lang="plaintext"></span></code></pre>
<h2 dir="auto">
<a id="user-content-expected-results" class="anchor" href="#expected-results" aria-hidden="true"></a>Expected results:</h2>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">Test end</span>
<span id="LC2" class="line" lang="plaintext">successful: 28</span>
<span id="LC3" class="line" lang="plaintext">failed: 0</span></code></pre>

</div>
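<p dir="auto">An added example, not part of the original issue or of tlsfuzzer: a small triage script that reads tlsfuzzer output of the kind quoted above and pairs each failing conversation with the alert it expected and the alert the server actually sent. The sample text is constructed, and the function names <code>alert_mismatches</code> and <code>summarize</code> are hypothetical.</p>

```python
import re
from collections import Counter

# Constructed sample, modelled on the tlsfuzzer output quoted in the issue.
# The issue quotes only the first traceback; the expected alert in the
# second failure is made up here so that two different pairs are parsed.
SAMPLE_OUTPUT = """\
sanity ...
OK
make sha224+ecdsa signature, advertise it as sha1+ecdsa in CertificateVerify ...
Error while processing
Traceback (most recent call last):
  File "tlsfuzzer/expect.py", line 1484, in process
    raise AssertionError(problem_desc)
AssertionError: Expected alert description "decrypt_error" does not match received "handshake_failure"
md5+ecdsa forced ...
Error while processing
AssertionError: Expected alert description "illegal_parameter" does not match received "handshake_failure"
"""

# A conversation starts with "<name> ..." at column 0; a bare "..." line
# (elided output) has no name in front of it and is not a header.
HEADER = re.compile(r'^(?P<name>\S.*?) \.\.\.$')
MISMATCH = re.compile(
    r'Expected alert description "(?P<expected>\w+)" '
    r'does not match received "(?P<received>\w+)"')


def alert_mismatches(output):
    """Return (conversation, expected, received) for every alert mismatch."""
    current = None
    found = []
    for line in output.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group("name")
            continue
        hit = MISMATCH.search(line)
        if hit:
            found.append((current, hit.group("expected"), hit.group("received")))
    return found


def summarize(mismatches):
    """Count how often each (expected, received) alert pair occurs."""
    return Counter((exp, rec) for _, exp, rec in mismatches)


if __name__ == "__main__":
    for name, exp, rec in alert_mismatches(SAMPLE_OUTPUT):
        print(f"{name}: expected {exp}, received {rec}")
```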
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">

<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/848">view it on GitLab</a>.
<br>


</p>
</div>
</body>
</html>