fix check of broken implementations of GOST ciphersuites #3588
Because it is a GOST-only issue, @beldmit is welcome.
The proposed patch seems wrong to me, because
The current issue is for all GOSTs with TLS < 1.2 (see the fixed comment in code). SSL_USE_SIGALGS is valid for TLS 1.2, but GOST2012 (CryptoPro implementations) can work on TLS 1.0.
In any case, the place of the original check is wrong, because
Have you checked your patch against at least the CryptoPro implementation?
CryptoPro GOST 2012 client authentications have 64- and 128-byte bare signatures without length fields if TLS 1.2 (sigalgs) is not used. Currently I am working on a GOST engine for OpenSSL 1.1.0 with GOST 2012 support. Everything seems fine except this client authentication code. Even CryptoPro GOST 2001 does not work without this patch because of empty
And what problems do you have with the existing engine?
I did not try https://github.com/gost-engine/engine (if you mean it), but it does not matter. Does that look better?
For now we agreed to get more tests for this code, both the current implementation and the proposed patch.
Unfortunately, the code for creating the client's signature in all versions of CryptoPro CSP looks like this:
As you can see, regardless of the algorithm, when using a TLS version not equal to 1.2 a message with a client's signature will be a bare signature without a length field. Fortunately, CryptoPro's server-side verification code for client signatures supports messages both with and without a length field. To test this issue you'll need CryptoPro CSP with 3 certificates with NID_id_GostR3410_2001, NID_id_GostR3410_2012_256, NID_id_GostR3410_2012_512 keys, and an appropriate openssl s_server with client verify. Then if you run:
TLS 1.2 (
CLA received, removing tag.
Seems ok to me.
Based on @beldmit's review.
maybe 1.0.2 also?
no patch is needed for 1.0.2:
Thanks for the information
This PR is targeting 1.1.0, but presumably the same change needs to be applied to master. However this PR does not apply cleanly to master, so we need another PR for there.
ssl/statem/statem_srvr.c
&& EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) { | ||
len = 64; | ||
} else | ||
#endif | ||
{ |
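Review bot: `len = 64;` in the `NID_id_GostR3410_2001` branch is an unexplained magic number; a short comment saying that it is the size of a signature sent without a length field, or a named constant, would make clear why this branch bypasses the length-prefixed path in the `else` block. The lines shown here do not compare `len` with the number of bytes actually left in the message, so it is worth confirming that such a check runs after the `#endif` block, where both branches reach it.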
It looks like we could lose this { and everything below moved to the left.
That is right, but I was afraid of massive changes, fixed.
@richsalz are you still ok with this?
Yes
removed the unnecessary upper bracket
add !SSL_USE_SIGALGS to check for broken implementations of GOST client signature (signature without length field)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from #3588)
Thanks for your patience on this, and work to improve openssl! Merged with commit a892766 in 1.1.0
This patch moves the current check of "broken implementations of GOST ciphersuites" to a correct place and adds new GOST 2012 nids to this check.
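
The length handling discussed in this thread, written out as a stand-alone added example (it is not the OpenSSL patch and not CryptoPro code): a parser that accepts a client signature both with and without the 2-byte length field. The `gost_key` enum and the function names are hypothetical, and the mapping of key types to the 64- and 128-byte sizes quoted in the thread is an assumption of the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical tags standing in for the NID_id_GostR3410_* key types. */
enum gost_key { KEY_OTHER, KEY_GOST_2001, KEY_GOST_2012_256, KEY_GOST_2012_512 };

/* Size of a bare GOST signature for this key type, 0 for non-GOST keys. */
static size_t gost_bare_sig_len(enum gost_key k)
{
    switch (k) {
    case KEY_GOST_2001:
    case KEY_GOST_2012_256: return 64;
    case KEY_GOST_2012_512: return 128;
    default:                return 0;
    }
}

/*
 * Find the signature in a CertificateVerify body (any TLS 1.2 sigalg bytes
 * already consumed). use_sigalgs plays the role of SSL_USE_SIGALGS.
 * Returns 1 and sets *sig and *sig_len, or 0 if the body is malformed.
 */
int locate_cert_verify_sig(const uint8_t *body, size_t body_len,
                           enum gost_key key, int use_sigalgs,
                           const uint8_t **sig, size_t *sig_len)
{
    size_t bare = gost_bare_sig_len(key);
    size_t declared;

    /* Below TLS 1.2 a GOST peer may send the signature with no length field. */
    if (!use_sigalgs && bare != 0 && body_len == bare) {
        *sig = body;
        *sig_len = bare;
        return 1;
    }
    /* Standard form: 2-byte big-endian length, then exactly that many bytes. */
    if (body_len < 2)
        return 0;
    declared = ((size_t)body[0] << 8) | body[1];
    if (declared != body_len - 2)
        return 0;
    *sig = body + 2;
    *sig_len = declared;
    return 1;
}
```

The bare form is accepted only when the body length equals the expected size for the key type exactly, so every other input must carry a length field that matches the bytes that follow it.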