Re: BUG #17760: SCRAM authentication fails with "modern" (rsassaPss signature) server certificate

On 10/02/2023 00:45, Michael Paquier wrote:
> On Thu, Feb 09, 2023 at 02:22:28PM -0800, Jacob Champion wrote:
>> +1. I'm still coming up to speed on RSA-PSS and the conversation at
>>
>> https://github.com/openssl/openssl/issues/15477
>>
>> but it makes me really uncomfortable to fail open rather than shut in
>> this case, as part of a backport.
>
> I could get that some users would want to be able to use such certs,
> though. At least we have one such user as of this thread.

Note that the discussion in that thread is in a slightly different
context. They are not talking about channel binding, but something else
(https://github.com/openssl/openssl/issues/15477#issuecomment-852928702)
The problem is similar: what hash algorithm to use if it's not well
defined. But there's no guarantee that the rules they come up with will
be the same as the rules for tls-server-end-point. So I'm not very
comfortable relying on X509_digest_sig() to do the right thing for us in
the future, even if it does today.

>>>> So as much as I'd like to be aggressive and potentially enforce the
>>>> use of SHA256 to compute the certificate hash, what you are doing is
>>>> RFC-compliant.
>>>
>>> Yeah, it seems silly to use anything else than SHA-256, given that
>>> SCRAM-SHA-256 is totally dependent on the security of SHA-256 anyway.
>>
>> How will this evolve when SCRAM-SHA-512 is implemented? Do you plan to
>> upgrade the undef-hash in that case to SHA-512?

Yes, that's what I had in mind. Or for SCRAM-SHA-512, we could go
further and define it as "always use SHA-512", because we wouldn't need
to worry about backwards compatibility anymore.

>> Knee-jerk reaction: this departure feels unnecessary since Gunnar's
>> certificate does in fact contain a hash algorithm...
>
> What do you mean by Gunnar here?

Gunnar reported the bug, he's cc'd in this thread.

Ok, let me refine my earlier idea to make this more concrete:

> We could use a new "tls-server-end-point-sha-256" channel binding name
> for that, instead of "tls-server-end-point", to make it clear when we're
> violating the RFC.

Let's define a new channel binding type: tls-server-end-point-sha-256.
with "tls-server-end-point-sha-256", the SHA-256 hash of the certificate
is used, regardless of what algorithm is in the certificate's signature.

1. When the client sees a "normal" server certificate that uses SHA-256,
SHA-512, or something else that it recognizes and handles fine today, it
does the same thing as it does today. It sends "tls-server-end-point" as
the the cb-name, and calculates the hash using the certificate's hash
algorithm.

2. When the client sees a certificate with RSA-PSS, ED25519, ED448, or
any other signature method that it doesn't recognize, it selects the
tls-server-end-point-sha-256 channel binding type. It sends
"tls-server-end-point-sha-256" as the cb-name, and calculates the
SHA-256 hash of the certificate.

3. The server follows the current rules, or uses SHA-256, depending on
whether the client sent "tls-server-end-point" or
"tls-server-end-point-sha-256" in the cb-name.

These rules ensure that with certificates that work today, nothing
changes. Rule 1 ensures that you can connect with a new client to an old
server, and it still works. And rule 3. ensures that you can still
connect to a new server with an old client.

At the same time, we are using a new channel binding type to make it
clear when we are deviating from the standard rules of
"tls-server-end-point".

If you have an RSA-PSS certificate, you need to upgrade the client and
the server, or you get an error when you try to connect. (Unless you set
channel_binding=disable). But after upgrading, it will work.

- Heikki