authorDmitry Baryshkov <dbaryshkov@gmail.com>2020-06-16 00:35:12 +0000
committerDmitry Baryshkov <dbaryshkov@gmail.com>2020-06-16 00:35:12 +0000
commit1c8720d012d47439e96672ea44f34e50ae8c6725 (patch)
tree93286d95c71a087f551360e77d35120295de3a69
parent5c7ec5abb8947795b35b18a91eaaf097ebff4d06 (diff)
parent7bfc148a587a69cf7faab4ef090031c91b6bb33a (diff)
Merge branch 'tmp-mark-gost94-as-broken' into 'master'
GOSTR341194, RIPEMD160: mark as insecure for digital signatures. See merge request gnutls/gnutls!1175
-rw-r--r--lib/algorithms/mac.c7
-rw-r--r--lib/crypto-selftests-pk.c13
-rw-r--r--tests/cert-tests/data/gost-cert-nogost.pem17
-rw-r--r--tests/cert-tests/data/gost-cert.pem1
-rw-r--r--tests/cert-tests/data/grfc.crt1
-rwxr-xr-xtests/cert-tests/pkcs79
-rw-r--r--tests/privkey-keygen.c6
-rw-r--r--tests/sign-is-secure.c3
-rw-r--r--tests/test-chains.h6
-rw-r--r--tests/x509sign-verify-common.h5
10 files changed, 56 insertions, 12 deletions
diff --git a/lib/algorithms/mac.c b/lib/algorithms/mac.c
index a82270975d..518323bca1 100644
--- a/lib/algorithms/mac.c
+++ b/lib/algorithms/mac.c
@@ -132,14 +132,17 @@ mac_entry_st hash_algorithms[] = {
.id = GNUTLS_MAC_RMD160,
.output_size = 20,
.key_size = 20,
- .block_size = 64},
+ .block_size = 64
+ },
{.name = "GOSTR341194",
.oid = HASH_OID_GOST_R_3411_94,
.mac_oid = MAC_OID_GOST_R_3411_94,
.id = GNUTLS_MAC_GOSTR_94,
.output_size = 32,
.key_size = 32,
- .block_size = 32},
+ .block_size = 32,
+ .flags = GNUTLS_MAC_FLAG_PREIMAGE_INSECURE
+ },
{.name = "STREEBOG-256",
.oid = HASH_OID_STREEBOG_256,
.mac_oid = MAC_OID_STREEBOG_256,
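Review bot: The RMD160 entry at the top of this hunk is only re-bracketed and gains no `.flags`, although the merge title names RIPEMD160 alongside GOSTR341194 as marked insecure; if RIPEMD160 is handled in another table, a one-line comment pointing there would save the next reader the search, and if it is not, the title overstates what this merge does. The GOSTR341194 entry would also benefit from a why-comment on the new flag, e.g. `/* GOST R 34.11-94 is preimage-insecure: judging by the test changes, signatures over it verify only with GNUTLS_VERIFY_ALLOW_BROKEN */`. The hash_algorithms[] array begins and ends outside this hunk.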
diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
index 6f66cd84dd..70b0f618ff 100644
--- a/lib/crypto-selftests-pk.c
+++ b/lib/crypto-selftests-pk.c
@@ -321,6 +321,10 @@ static int test_sig(gnutls_pk_algorithm_t pk,
gnutls_datum_t sig = { NULL, 0 };
gnutls_pubkey_t pub = NULL;
char param_name[32];
+ unsigned vflags = 0;
+
+ if (sigalgo == GNUTLS_SIGN_GOST_94)
+ vflags |= GNUTLS_VERIFY_ALLOW_BROKEN;
ret = gnutls_privkey_init(&key);
if (ret < 0)
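Review bot: The new `vflags |= GNUTLS_VERIFY_ALLOW_BROKEN` for GNUTLS_SIGN_GOST_94 has no comment saying why a self-test is allowed to bypass the policy, which is exactly the kind of line a future reader will be tempted to "clean up" or generalise. A short note such as `/* GOSTR341194 is now flagged insecure; the self-test only exercises the PK operation, so permit it explicitly for this one algorithm */` would pin the intent and make clear the relaxation must stay scoped to GOST_94. The body of test_sig continues outside the hunk.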
@@ -427,7 +431,7 @@ static int test_sig(gnutls_pk_algorithm_t pk,
}
ret =
- gnutls_pubkey_verify_data2(pub, sigalgo, 0,
+ gnutls_pubkey_verify_data2(pub, sigalgo, vflags,
&signed_data, &sig);
if (ret < 0) {
ret = GNUTLS_E_SELF_TEST_ERROR;
@@ -436,7 +440,7 @@ static int test_sig(gnutls_pk_algorithm_t pk,
}
ret =
- gnutls_pubkey_verify_data2(pub, sigalgo, 0,
+ gnutls_pubkey_verify_data2(pub, sigalgo, vflags,
&bad_data, &sig);
if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) {
@@ -475,6 +479,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
gnutls_pubkey_t pub = NULL;
gnutls_privkey_t key;
char param_name[32];
+ unsigned vflags = 0;
if (pk == GNUTLS_PK_EC ||
pk == GNUTLS_PK_GOST_01 ||
@@ -484,6 +489,8 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
snprintf(param_name, sizeof(param_name), "%s",
gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE
(bits)));
+ if (dig == GNUTLS_DIG_GOSTR_94)
+ vflags |= GNUTLS_VERIFY_ALLOW_BROKEN;
} else {
snprintf(param_name, sizeof(param_name), "%u", bits);
}
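Review bot: In test_known_sig the `dig == GNUTLS_DIG_GOSTR_94` check is nested inside the EC/GOST parameter-name branch, whereas test_sig (hunk at -321) derives vflags unconditionally from the algorithm; a GOSTR94 digest reaching the `else` branch would leave vflags at 0 and the verify below would report GNUTLS_E_SELF_TEST_ERROR instead of the real cause. That combination is presumably unreachable in practice, but hoisting `if (dig == GNUTLS_DIG_GOSTR_94) vflags |= GNUTLS_VERIFY_ALLOW_BROKEN;` to just after the `unsigned vflags = 0;` declaration mirrors test_sig and removes the dependence on the branch structure. The if/else chain starts before this hunk.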
@@ -553,7 +560,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
}
ret =
- gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0,
+ gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), vflags,
&signed_data, &sig);
if (ret < 0) {
ret = GNUTLS_E_SELF_TEST_ERROR;
diff --git a/tests/cert-tests/data/gost-cert-nogost.pem b/tests/cert-tests/data/gost-cert-nogost.pem
index 76fcd3d8b9..cd9459f9fb 100644
--- a/tests/cert-tests/data/gost-cert-nogost.pem
+++ b/tests/cert-tests/data/gost-cert-nogost.pem
@@ -6,8 +6,17 @@ X.509 Certificate Information:
Not Before: Fri Aug 17 06:47:36 UTC 2012
Not After: Sat Aug 17 06:47:36 UTC 2013
Subject: CN=SuperTerm0000001,OU=SuperPlat Terminals,O=SuperPlat,L=Moscow,ST=Russia,C=RU
-error importing public key: The curve is unsupported
Subject Public Key Algorithm: GOST R 34.10-2001
+ Algorithm Security Level: High (256 bits)
+ Curve: CryptoPro-A
+ Digest: GOSTR341194
+ ParamSet: CryptoPro-A
+ X:
+ e0:35:f2:a8:40:cf:ea:25:63:b5:c1:eb:fa:fd:1d:7f
+ 45:d6:2a:31:96:56:35:75:25:19:f6:62:69:db:da:eb
+ Y:
+ 57:41:b2:c1:e2:1f:7b:d0:13:c8:dd:eb:9f:ba:cb:42
+ a3:63:c7:0b:f4:e9:24:d7:dd:e9:34:8d:12:18:67:d8
Extensions:
Basic Constraints (not critical):
Certificate Authority (CA): FALSE
@@ -19,6 +28,7 @@ error importing public key: The curve is unsupported
Authority Key Identifier (not critical):
9875a3b785c1641b23344d9bfbae0c2a256b44eb
Signature Algorithm: GOSTR341001
+warning: signed using a broken signature algorithm that can be forged.
Signature:
8f:37:24:fd:be:f0:37:d9:f3:1a:5c:31:5e:33:ef:35
61:93:07:03:3d:4d:e8:2c:1b:39:a2:6c:d4:2f:85:35
@@ -28,6 +38,11 @@ Other Information:
Fingerprint:
sha1:621f34c4fdd7e93f9b8f18224ba0bcd1c63a4771
sha256:ac6ecf4e7a876edf3e61f538d6061353c2015bfbdf60370492f7404d7f09e13a
+ Public Key ID:
+ sha1:43757042dae9e9f5fa92cc2d2cbf4950f28a7bd0
+ sha256:cee4a59e7803bafb101af8e39e5355d7895e3b85e7616fe624d48f2c51e8bdbf
+ Public Key PIN:
+ pin-sha256:zuSlnngDuvsQGvjjnlNV14leO4XnYW/mJNSPLFHovb8=
-----BEGIN CERTIFICATE-----
MIICXjCCAgugAwIBAgICAR8wCgYGKoUDAgIDBQAwdDELMAkGA1UEBhMCUlUxDzAN
diff --git a/tests/cert-tests/data/gost-cert.pem b/tests/cert-tests/data/gost-cert.pem
index bec29b8bb5..cd9459f9fb 100644
--- a/tests/cert-tests/data/gost-cert.pem
+++ b/tests/cert-tests/data/gost-cert.pem
@@ -28,6 +28,7 @@ X.509 Certificate Information:
Authority Key Identifier (not critical):
9875a3b785c1641b23344d9bfbae0c2a256b44eb
Signature Algorithm: GOSTR341001
+warning: signed using a broken signature algorithm that can be forged.
Signature:
8f:37:24:fd:be:f0:37:d9:f3:1a:5c:31:5e:33:ef:35
61:93:07:03:3d:4d:e8:2c:1b:39:a2:6c:d4:2f:85:35
diff --git a/tests/cert-tests/data/grfc.crt b/tests/cert-tests/data/grfc.crt
index 0b06f778b8..fe7700e3e1 100644
--- a/tests/cert-tests/data/grfc.crt
+++ b/tests/cert-tests/data/grfc.crt
@@ -41,6 +41,7 @@ X.509 Certificate Information:
1.2.643.100.113.2 (Russian security class KC2)
2.5.29.32.0 (anyPolicy)
Signature Algorithm: GOSTR341001
+warning: signed using a broken signature algorithm that can be forged.
Signature:
bd:95:dd:5f:3a:2b:74:a5:29:62:20:c2:24:a8:8b:a0
13:1a:21:f5:4a:d6:2e:b1:3f:f5:50:e9:96:a0:a2:c9
diff --git a/tests/cert-tests/pkcs7 b/tests/cert-tests/pkcs7
index 23db9e017e..5767e09646 100755
--- a/tests/cert-tests/pkcs7
+++ b/tests/cert-tests/pkcs7
@@ -330,6 +330,15 @@ then
${VALGRIND} "${CERTTOOL}" --p7-verify --load-certificate "${srcdir}/../../doc/credentials/x509/cert-gost01.pem" <"${OUTFILE}"
rc=$?
+ if test "${rc}" != "1"; then
+ echo "${FILE}: PKCS7 struct signing succeeded verification with broken algo"
+ exit ${rc}
+ fi
+
+ FILE="gost01-signing-verify"
+ ${VALGRIND} "${CERTTOOL}" --p7-verify --verify-allow-broken --load-certificate "${srcdir}/../../doc/credentials/x509/cert-gost01.pem" <"${OUTFILE}"
+ rc=$?
+
if test "${rc}" != "0"; then
echo "${FILE}: PKCS7 struct signing failed verification"
exit ${rc}
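Review bot: `exit ${rc}` in the new negative check exits with the verifier's own status, so if verification of the broken algorithm unexpectedly succeeds (rc=0) the test script exits 0 and the regression goes unnoticed; the failure path should use a fixed non-zero status, `exit 1`. The new check also prints `${FILE}` without setting it, so the message may carry the name of whatever sub-test ran before the hunk; assigning `FILE="gost01-signing-noallow"` (name constructed) before the first check, as the second block does for itself, keeps the output attributable. The enclosing `then` block opens before this hunk.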
diff --git a/tests/privkey-keygen.c b/tests/privkey-keygen.c
index 31634bd095..565beccb20 100644
--- a/tests/privkey-keygen.c
+++ b/tests/privkey-keygen.c
@@ -64,6 +64,7 @@ static void sign_verify_data(gnutls_pk_algorithm_t algorithm, gnutls_x509_privke
gnutls_pubkey_t pubkey;
gnutls_datum_t signature;
gnutls_digest_algorithm_t digest;
+ unsigned vflags = 0;
assert(gnutls_privkey_init(&privkey) >= 0);
@@ -81,6 +82,9 @@ static void sign_verify_data(gnutls_pk_algorithm_t algorithm, gnutls_x509_privke
if (ret < 0)
fail("gnutls_pubkey_get_preferred_hash_algorithm\n");
+ if (digest == GNUTLS_DIG_GOSTR_94)
+ vflags |= GNUTLS_VERIFY_ALLOW_BROKEN;
+
/* sign arbitrary data */
ret = gnutls_privkey_sign_data(privkey, digest, 0,
&raw_data, &signature);
@@ -89,7 +93,7 @@ static void sign_verify_data(gnutls_pk_algorithm_t algorithm, gnutls_x509_privke
/* verify data */
ret = gnutls_pubkey_verify_data2(pubkey, gnutls_pk_to_sign(gnutls_pubkey_get_pk_algorithm(pubkey, NULL),digest),
- 0, &raw_data, &signature);
+ vflags, &raw_data, &signature);
if (ret < 0)
fail("gnutls_pubkey_verify_data2\n");
diff --git a/tests/sign-is-secure.c b/tests/sign-is-secure.c
index 5f987e08b4..64e0836963 100644
--- a/tests/sign-is-secure.c
+++ b/tests/sign-is-secure.c
@@ -85,13 +85,14 @@ void doit(void)
CHECK_INSECURE_SIG(GNUTLS_SIGN_RSA_MD5);
CHECK_INSECURE_SIG(GNUTLS_SIGN_RSA_MD2);
+ CHECK_INSECURE_SIG(GNUTLS_SIGN_GOST_94);
for (i=1;i<=GNUTLS_SIGN_MAX;i++) {
#ifndef ALLOW_SHA1
if (i==GNUTLS_SIGN_RSA_SHA1||i==GNUTLS_SIGN_DSA_SHA1||i==GNUTLS_SIGN_ECDSA_SHA1)
continue;
#endif
- if (i==GNUTLS_SIGN_RSA_MD5||i==GNUTLS_SIGN_RSA_MD2||i==GNUTLS_SIGN_UNKNOWN)
+ if (i==GNUTLS_SIGN_GOST_94||i==GNUTLS_SIGN_RSA_MD5||i==GNUTLS_SIGN_RSA_MD2||i==GNUTLS_SIGN_UNKNOWN)
continue;
/* skip any unused elements */
if (gnutls_sign_algorithm_get_name(i)==NULL)
diff --git a/tests/test-chains.h b/tests/test-chains.h
index 9b06b85f5f..cf8198e8c5 100644
--- a/tests/test-chains.h
+++ b/tests/test-chains.h
@@ -4264,8 +4264,10 @@ static struct
{ "rsa pss: chain with changing hashes - ok", rsa_pss_chain_sha512_sha384_sha256_ok, &rsa_pss_chain_sha512_sha384_sha256_ok[3], 0, 0, 0, 1501159136},
{ "no subject id: chain with missing subject id, but valid auth id - ok", chain_with_no_subject_id_in_ca_ok, &chain_with_no_subject_id_in_ca_ok[4], 0, 0, 0, 1537518468},
#ifdef ENABLE_GOST
- { "gost 34.10-01 - ok", gost01, &gost01[2], 0, 0, 0, 1466612070, 1},
- { "gost 34.10-01 - not ok (due to profile)", gost01, &gost01[2], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA),
+ { "gost 34.10-01 - ok", gost01, &gost01[2], GNUTLS_VERIFY_ALLOW_BROKEN, 0, 0, 1466612070, 1},
+ { "gost 34.10-01 - not ok (due to gostr94)", gost01, &gost01[2], 0,
+ GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1466612070, 1},
+ { "gost 34.10-01 - not ok (due to profile)", gost01, &gost01[2], GNUTLS_VERIFY_ALLOW_BROKEN|GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA),
GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1466612070, 1},
{ "gost 34.10-12-256 - ok", gost12_256, &gost12_256[0], 0, 0, 0, 1466612070, 1},
{ "gost 34.10-12-512 - ok", gost12_512, &gost12_512[0], 0, 0, 0, 1466612070, 1},
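Review bot: The positive entry is still named `"gost 34.10-01 - ok"` although it now passes only because GNUTLS_VERIFY_ALLOW_BROKEN is supplied, while its two new siblings state their reason in the name; renaming it `"gost 34.10-01 - ok (with allow-broken)"` keeps a failing run self-explanatory without opening the table. The gost12 entries below correctly keep flags 0 since only GOSTR341194 is being flagged. The chain table definition starts and ends outside this hunk.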
diff --git a/tests/x509sign-verify-common.h b/tests/x509sign-verify-common.h
index 80aea5cd63..6b7498586b 100644
--- a/tests/x509sign-verify-common.h
+++ b/tests/x509sign-verify-common.h
@@ -114,9 +114,10 @@ void test_sig(gnutls_pk_algorithm_t pk, unsigned hash, unsigned bits)
vflags |= GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1;
} else if (hash == GNUTLS_DIG_SHA256)
hash_data = &sha256_data;
- else if (hash == GNUTLS_DIG_GOSTR_94)
+ else if (hash == GNUTLS_DIG_GOSTR_94) {
hash_data = &gostr94_data;
- else if (hash == GNUTLS_DIG_STREEBOG_256)
+ vflags |= GNUTLS_VERIFY_ALLOW_BROKEN;
+ } else if (hash == GNUTLS_DIG_STREEBOG_256)
hash_data = &streebog256_data;
else if (hash == GNUTLS_DIG_STREEBOG_512)
hash_data = &streebog512_data;
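Review bot: Bracing only the GOSTR94 arm (and the SHA1 arm above it) leaves this else-if chain with mixed bracing, so a later one-line arm is one edit away from the classic unbraced-else mistake; bracing every arm uniformly, e.g. `} else if (hash == GNUTLS_DIG_STREEBOG_256) {` / `hash_data = &streebog256_data;` / `}`, avoids that. The chain starts before and continues after this hunk.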