<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">

<html lang="en">

<head>

<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">

<title>

GitLab

</title>

<style>img {

max-width: 100%; height: auto;

}

</style>

</head>

<body>

<div class="content">

<p class="details" style="font-style: italic; color: #777;">

<a href="https://gitlab.com/tomato42">Hubert Kario (@mention me if you need reply)</a> created an issue:

</p>

<div></div>

<h2 dir="auto">

<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>

<p dir="auto">When GnuTLS (<a href="https://gitlab.com/gnutls/gnutls/commit/e4a7db34259295ebb32a0255215471323948efbb" data-original="e4a7db34259295e" data-link="false" data-link-reference="false" data-project="179611" data-commit="e4a7db34259295ebb32a0255215471323948efbb" data-reference-type="commit" data-container="body" data-placement="bottom" title="Merge branch 'tls-continuous-mac' into 'master'" class="gfm gfm-commit has-tooltip">e4a7db34</a>) receives a CertificateVerify with algorithms that don't match ones sent in CertificateRequest or which are incorrect (use different hash than indicated), it sends wrong alerts (<code>handshake_failure</code> instead of <code>decrypt_error</code> or <code>illegal_parameter</code>)</p>

<h2 dir="auto">

<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>

<h2 dir="auto">

<a id="user-content-distributor-of-gnutls-eg-ubuntu-fedora-rhel" class="anchor" href="#distributor-of-gnutls-eg-ubuntu-fedora-rhel" aria-hidden="true"></a>Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)</h2>

<p dir="auto"><a href="https://gitlab.com/gnutls/gnutls/commit/e4a7db34259295ebb32a0255215471323948efbb" data-original="e4a7db34259295e" data-link="false" data-link-reference="false" data-project="179611" data-commit="e4a7db34259295ebb32a0255215471323948efbb" data-reference-type="commit" data-container="body" data-placement="bottom" title="Merge branch 'tls-continuous-mac' into 'master'" class="gfm gfm-commit has-tooltip">e4a7db34</a></p>

<h2 dir="auto">

<a id="user-content-how-reproducible" class="anchor" href="#how-reproducible" aria-hidden="true"></a>How reproducible:</h2>

<p dir="auto">Steps to Reproduce:</p>

<ul dir="auto">

<li><code>doc/credentials/gnutls-http-serv --priority NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+DHE-PSK:+PSK:+SHA384:+SHA256 -p 4433 -d 6</code></li>

<li><a href="https://github.com/tomato42/tlsfuzzer/pull/604" rel="nofollow noreferrer noopener" target="_blank">https://github.com/tomato42/tlsfuzzer/pull/604</a></li>

<li><code>python scripts/test-ecdsa-in-certificate-verify.py -k /tmp/client-p256/key.pem -c /tmp/client-p256/cert.pem</code></li>

</ul>

<h2 dir="auto">

<a id="user-content-actual-results" class="anchor" href="#actual-results" aria-hidden="true"></a>Actual results:</h2>

<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">...</span>

<span id="LC2" class="line" lang="plaintext"></span>

<span id="LC3" class="line" lang="plaintext">make sha224+ecdsa signature, advertise it as sha1+ecdsa in CertificateVerify ...</span>

<span id="LC4" class="line" lang="plaintext">Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7ff2e6b64090> (child: <tlsfuzzer.expect.ExpectClose object at 0x7ff2e6b640d0>) with last message being: <tlslite.messages.Message object at 0x7ff2e6abf410></span>

<span id="LC5" class="line" lang="plaintext">Error while processing</span>

<span id="LC6" class="line" lang="plaintext">Traceback (most recent call last):</span>

<span id="LC7" class="line" lang="plaintext">  File "scripts/test-ecdsa-in-certificate-verify.py", line 274, in main</span>

<span id="LC8" class="line" lang="plaintext">    runner.run()</span>

<span id="LC9" class="line" lang="plaintext">  File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 227, in run</span>

<span id="LC10" class="line" lang="plaintext">    node.process(self.state, msg)</span>

<span id="LC11" class="line" lang="plaintext">  File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/expect.py", line 1484, in process</span>

<span id="LC12" class="line" lang="plaintext">    raise AssertionError(problem_desc)</span>

<span id="LC13" class="line" lang="plaintext">AssertionError: Expected alert description "decrypt_error" does not match received "handshake_failure"</span>

<span id="LC14" class="line" lang="plaintext"></span>

<span id="LC15" class="line" lang="plaintext">...</span>

<span id="LC16" class="line" lang="plaintext"></span>

<span id="LC17" class="line" lang="plaintext">Test support for ECDSA signatures in CertificateVerify</span>

<span id="LC18" class="line" lang="plaintext"></span>

<span id="LC19" class="line" lang="plaintext">Version: 1</span>

<span id="LC20" class="line" lang="plaintext">Test end</span>

<span id="LC21" class="line" lang="plaintext">successful: 22</span>

<span id="LC22" class="line" lang="plaintext">failed: 6</span>

<span id="LC23" class="line" lang="plaintext">  'make sha224+ecdsa signature in CertificateVerify'</span>

<span id="LC24" class="line" lang="plaintext">  'make sha224+ecdsa signature, advertise it as sha1+ecdsa in CertificateVerify'</span>

<span id="LC25" class="line" lang="plaintext">  'make sha224+ecdsa signature, advertise it as sha256+ecdsa in CertificateVerify'</span>

<span id="LC26" class="line" lang="plaintext">  'make sha224+ecdsa signature, advertise it as sha384+ecdsa in CertificateVerify'</span>

<span id="LC27" class="line" lang="plaintext">  'make sha224+ecdsa signature, advertise it as sha512+ecdsa in CertificateVerify'</span>

<span id="LC28" class="line" lang="plaintext">  'md5+ecdsa forced'</span>

<span id="LC29" class="line" lang="plaintext"></span></code></pre>

<h2 dir="auto">

<a id="user-content-expected-results" class="anchor" href="#expected-results" aria-hidden="true"></a>Expected results:</h2>

<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">Test end</span>

<span id="LC2" class="line" lang="plaintext">successful: 28</span>

<span id="LC3" class="line" lang="plaintext">failed: 0</span></code></pre>

</div>

<div class="footer" style="margin-top: 10px;">

<p style="font-size: small; color: #777;">

—

<br>

Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/848">view it on GitLab</a>.

<br>

You're receiving this email because of your account on gitlab.com.

If you'd like to receive fewer emails, you can

<a href="https://gitlab.com/sent_notifications/22d1ac2e758d8fc94796c1236e837f8f/unsubscribe">unsubscribe</a>

from this thread or

adjust your notification settings.

<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/issues/848"}}</script>

</p>

</div>

</body>

</html>