[Help-gnutls] Problem with anonymous authentication
Alexei Boyarchenko
trener at hotbox.ru
Tue Jun 8 12:59:46 CEST 2004
> This shouldn't have happened. Could you trace where this happens?
Sorry for my bad English again!!!!
I think I've found a bug! (maybe I am right, maybe not :) )
Version: gnutls-1.0.9
Look!
If after initialisation we have:

&anon_serv_cred = 0x0053a754
  and at that address we have 0x00935610 -- address of anon_serv_cred
anon_serv_cred = 0x00935610
  and at that address we have 0x00935420 -- address of global_dh_params
                              0x00000000 -- NULL !!!!!!!!!!
global_dh_params = 0x00935420
  and at that address we have 0x00935420 -- not NULL! address of global_dh_params->params[0]
                              0x00952620 -- not NULL! address of global_dh_params->params[1]

when we call function check_server_params in gnutls_handshake.c
.......
    else if ( cred_type == GNUTLS_CRD_ANON) {
        anon_cred =
            _gnutls_get_cred(session->key, cred_type, NULL); //!!!!!
        if (anon_cred != NULL) {
            dh_params = anon_cred->dh_params; //!!
        }
    } else return 0; /* no need for params */
    /* If the key exchange method needs RSA or DH params,
     * but they are not set then remove it.
     */
    if (_gnutls_kx_needs_rsa_params( kx) != 0) {
        /* needs rsa params. */
        if (_gnutls_get_rsa_params( rsa_params)==NULL)
            return 1;
    }
    if (_gnutls_kx_needs_dh_params( kx) != 0) {
        /* needs DH params. */
        if (_gnutls_get_dh_params( dh_params)==NULL)
            return 1;
    }
.....
we get anon_cred = &anon_serv_cred = 0x0053a754
and at that address we have 0x00935610, the address of anon_serv_cred (but not
global_dh_params!!!)
so when we do

    if (anon_cred != NULL) {
        dh_params = anon_cred->dh_params; //!!
    }

dh_params = 0x00935610 but this is the address of anon_serv_cred and not the address
of global_dh_params !!!!
And we get dh_params = anon_serv_cred = 0x00935610
  at that address we have 0x00935420 -- address of global_dh_params
                          0x00000000 -- NULL !!!!!!!!!!
So we get _gnutls_get_dh_params( dh_params)==NULL !!!!!!!!!
I changed this code in this way:
    void** MyTmp;
.....
    else if ( cred_type == GNUTLS_CRD_ANON) {
        MyTmp =
            _gnutls_get_cred(session->key, cred_type, NULL);
        if (MyTmp != NULL) {
            anon_cred = *MyTmp;
            dh_params = anon_cred->dh_params;
        }
    } else return 0; /* no need for params */
    /* If the key exchange method needs RSA or DH params,
     * but they are not set then remove it.
     */
    if (_gnutls_kx_needs_rsa_params( kx) != 0) {
        /* needs rsa params. */
        if (_gnutls_get_rsa_params( rsa_params)==NULL)
            return 1;
    }
    if (_gnutls_kx_needs_dh_params( kx) != 0) {
        /* needs DH params. */
        if (_gnutls_get_dh_params( dh_params)==NULL)
            return 1;
    }
......
and it works fine!!!
Also I had to correct the function gen_anon_server_kx in anon_auth.c:
....
    gnutls_dh_params dh_params;
    const gnutls_anon_server_credentials cred;
    void** MyTmp;
    MyTmp = _gnutls_get_cred(session->key, GNUTLS_CRD_ANON, NULL);
    if (MyTmp == NULL) {
        gnutls_assert();
        return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
    }
    cred = *MyTmp;
    dh_params = _gnutls_anon_get_dh_params( cred, session);
....
And eventually I received a completely working server with anonymous
authentication.
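
An added illustration, not part of the original post and not GnuTLS code: a simplified C model of the pointer chain described in the message above. The struct layouts and the helpers `word_at`, `dh_usable` and `dh_usable_deref` are assumptions made for this example; it compares the original lookup and the extra-dereference variant against a stored pointer that is either the credentials handle's value or the address of the handle variable.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins with the layout seen in the post's dump (assumed). */
struct dh_params { void *params[2]; };
struct anon_cred { struct dh_params *dh_params; void *next_word; };

/* Read the idx-th pointer-sized word at addr, as when reading a memory dump. */
static void *word_at(const void *addr, size_t idx)
{
    void *w;
    memcpy(&w, (const char *)addr + idx * sizeof w, sizeof w);
    return w;
}

/* Original chain: use the returned pointer as the credential, take its first
 * word as dh_params, and require params[0] and params[1] to be non-NULL. */
static int dh_usable(const void *returned)
{
    const void *dh = returned ? word_at(returned, 0) : NULL;
    return dh != NULL && word_at(dh, 0) != NULL && word_at(dh, 1) != NULL;
}

/* Chain with the extra dereference (the MyTmp change in the post). */
static int dh_usable_deref(const void *returned)
{
    return returned != NULL && dh_usable(word_at(returned, 0));
}

/* Constructed sample objects; the buffers stand in for the two DH values. */
static unsigned char prime[32], generator[32];
static struct dh_params global_dh_params = { { prime, generator } };
static struct anon_cred cred_obj = { &global_dh_params, NULL };
static struct anon_cred *anon_serv_cred = &cred_obj;

int main(void)
{
    printf("handle value,   original chain: %d\n", dh_usable(anon_serv_cred));
    printf("handle address, original chain: %d\n", dh_usable(&anon_serv_cred));
    printf("handle address, extra deref:    %d\n", dh_usable_deref(&anon_serv_cred));
    printf("handle value,   extra deref:    %d\n", dh_usable_deref(anon_serv_cred));
    return 0;
}
```

In this model each variant succeeds with exactly one storage convention, so the level of indirection of the pointer that was stored decides which lookup finds the DH parameters.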