Bug 1983676 - gnutls doesn't send (8.8) EdDSA-Ed448 sigalg (allowlisting)
Summary: gnutls doesn't send (8.8) EdDSA-Ed448 sigalg (allowlisting)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: gnutls
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: beta
Target Release: ---
Assignee: Daiki Ueno
QA Contact: Alexander Sosedkin
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-07-19 13:15 UTC by Alexander Sosedkin
Modified: 2022-05-17 16:17 UTC

Fixed In Version: gnutls-3.7.3-4.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-17 15:52:13 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links:
  Red Hat Issue Tracker CRYPTO-6198 (last updated 2022-02-21 16:13:34 UTC)
  Red Hat Product Errata RHBA-2022:3937 (last updated 2022-05-17 15:52:27 UTC)

Description Alexander Sosedkin 2021-07-19 13:15:40 UTC
Description of problem: gnutls doesn't send (8.8) EdDSA-Ed448 sigalg on RHEL-9 despite it being allowlisted in the config
Version-Release number of selected component (if applicable): gnutls-3.7.2-3.el9
How reproducible: always
Steps to Reproduce: gnutls-cli -d9 google.com
Actual results: (note the lack of EdDSA-Ed448)
  |<2>| resolved 'SYSTEM' to 'NONE:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+GROUP-X25519:+GROUP-X448:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-SECP521R1:+GROUP-FFDHE2048:+GROUP-FFDHE3072:+GROUP-FFDHE4096:+GROUP-FFDHE6144:+GROUP-FFDHE8192:+AES-256-GCM:+AES-256-CCM:+CHACHA20-POLY1305:+AES-256-CBC:+AES-128-GCM:+AES-128-CCM:+AES-128-CBC:+AEAD:+SHA1:+SHA512:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA512:+SIGN-EdDSA-Ed25519:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-PSS-RSAE-SHA256:+SIGN-RSA-PSS-RSAE-SHA384:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-ECDSA-SECP256R1-SHA256:+SIGN-ECDSA-SECP384R1-SHA384:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-DTLS1.2', next ''
  ...
  |<4>| EXT[0x55ccfde262f0]: sent signature algo (4.3) ECDSA-SHA256
  |<4>| EXT[0x55ccfde262f0]: sent signature algo (5.3) ECDSA-SHA384
  |<4>| EXT[0x55ccfde262f0]: sent signature algo (6.3) ECDSA-SHA512
  |<4>| EXT[0x55ccfde262f0]: sent signature algo (8.7) EdDSA-Ed25519
  |<4>| EXT[0x55ccfde262f0]: sent signature algo (8.9) RSA-PSS-SHA256
  |<4>| EXT[0x55ccfde262f0]: sent signature algo (8.10) RSA-PSS-SHA384
  |<4>| EXT[0x55ccfde262f0]: sent signature algo (8.11) RSA-PSS-SHA512
  |<4>| EXT[0x55ccfde262f0]: sent signature algo (8.4) RSA-PSS-RSAE-SHA256
  |<4>| EXT[0x55ccfde262f0]: sent signature algo (8.5) RSA-PSS-RSAE-SHA384
  |<4>| EXT[0x55ccfde262f0]: sent signature algo (8.6) RSA-PSS-RSAE-SHA512
  |<4>| EXT[0x55ccfde262f0]: sent signature algo (4.1) RSA-SHA256
  |<4>| EXT[0x55ccfde262f0]: sent signature algo (5.1) RSA-SHA384
  |<4>| EXT[0x55ccfde262f0]: sent signature algo (6.1) RSA-SHA512
  |<4>| EXT[0x55ccfde262f0]: sent signature algo (4.3) ECDSA-SECP256R1-SHA256
  |<4>| EXT[0x55ccfde262f0]: sent signature algo (5.3) ECDSA-SECP384R1-SHA384
  |<4>| EXT[0x55ccfde262f0]: sent signature algo (6.3) ECDSA-SECP521R1-SHA512

Expected results:
  |<2>| resolved 'SYSTEM' to '...|+SIGN-EdDSA-Ed448:...'
  ...
  |<4>| EXT[0x5619cc0b1790]: sent signature algo (8.8) EdDSA-Ed448
  ...

Additional info:
  # rpm -q crypto-policies
  crypto-policies-20210707-1.git29f6c0b.el9.noarch
  # egrep '(448|25519)' /etc/crypto-policies/back-ends/gnutls.config
  tls-enabled-group = GROUP-X25519
  tls-enabled-group = GROUP-X448
  secure-sig = EdDSA-Ed25519
  secure-sig = EdDSA-Ed448
  secure-sig-for-cert = EdDSA-Ed25519
  secure-sig-for-cert = EdDSA-Ed448
  enabled-curve = X25519
  enabled-curve = X448
  enabled-curve = Ed25519
  enabled-curve = Ed448

Comment 1 Alicja Kario 2021-09-16 12:15:33 UTC
This also impacts interoperability with OpenSSL if certificates with Ed448 keys are in use.

Gnutls will print:
Error in handshake: One of the involved algorithms has insufficient security level.

While OpenSSL reports the received alert (insufficient_security):
004C1281CF7F0000:error:0A00042F:SSL routines:ssl3_read_bytes:tlsv1 alert insufficient security:ssl/record/rec_layer_s3.c:1584:SSL alert number 71

Comment 2 Daiki Ueno 2021-09-16 14:28:07 UTC
The reason turned out to be:
- "secure-hash = SHAKE-256" is missing in the configuration
- the nettle backend of gnutls does not report the algorithm exists (as a hash algorithm);
  https://gitlab.com/gnutls/gnutls/-/blob/master/lib/nettle/mac.c#L600
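
The debug output and the config excerpt in the description, together with the root cause in comment 2, suggest a small check a practitioner can run after a crypto-policies or gnutls update: parse the gnutls back-end config, parse the "sent signature algo" lines from `gnutls-cli -d9`, and report (a) allowlisted signature algorithms that never made it into the ClientHello and (b) allowlisted signature algorithms whose underlying hash is not itself allowlisted, which is the Ed448/SHAKE-256 case here. This is an added example, not code from the bug report, gnutls or crypto-policies. The config and log lines inside it are constructed to mirror the shape of the report, and the EDDSA_HASH table (Ed448 depends on SHAKE-256 as comment 2 states, Ed25519 on SHA-512 per RFC 8032) is the example's own assumption, not a table gnutls exports.

```python
"""Cross-check a crypto-policies gnutls back-end config against the
signature algorithms gnutls-cli actually advertised.

Added example (not from the bug report, gnutls or crypto-policies).
"""
import re
from typing import Dict, List, Set

# One line per advertised algorithm in `gnutls-cli -d9` output, e.g.
#   |<4>| EXT[0x55ccfde262f0]: sent signature algo (8.7) EdDSA-Ed25519
SENT_RE = re.compile(r"sent signature algo \((\d+)\.(\d+)\) (\S+)")
# The allowlist keys from /etc/crypto-policies/back-ends/gnutls.config we need.
CONFIG_RE = re.compile(
    r"^\s*(secure-sig|secure-sig-for-cert|secure-hash)\s*=\s*(\S+)", re.M)

# Hash each signature scheme needs gnutls to consider secure before it will
# offer the scheme. ASSUMPTION of this example: Ed448 -> SHAKE-256 is what
# comment 2 identifies; Ed25519 -> SHA-512 comes from RFC 8032. Everything
# else carries its hash in its own name (RSA-PSS-SHA256 -> SHA256, ...).
EDDSA_HASH = {"EdDSA-Ed25519": "SHA512", "EdDSA-Ed448": "SHAKE-256"}


def required_hash(sigalg: str) -> str:
    """Config hash name a signature algorithm depends on ('' if unknown)."""
    if sigalg in EDDSA_HASH:
        return EDDSA_HASH[sigalg]
    m = re.search(r"SHA(\d+)$", sigalg)
    return f"SHA{m.group(1)}" if m else ""


def parse_config(text: str) -> Dict[str, Set[str]]:
    """Collect secure-sig / secure-sig-for-cert / secure-hash values."""
    out: Dict[str, Set[str]] = {
        "secure-sig": set(), "secure-sig-for-cert": set(), "secure-hash": set()}
    for key, value in CONFIG_RE.findall(text):
        out[key].add(value)
    return out


def parse_sent_sigalgs(debug_text: str) -> List[str]:
    """Names of the signature algorithms the ClientHello advertised."""
    return [m.group(3) for m in SENT_RE.finditer(debug_text)]


def check(config_text: str, debug_text: str) -> Dict[str, object]:
    """Report allowlisted sigalgs that were not offered, and those whose
    required hash is not allowlisted (the reason they were not offered)."""
    cfg = parse_config(config_text)
    sent = set(parse_sent_sigalgs(debug_text))
    not_offered = sorted(cfg["secure-sig"] - sent)
    missing_hash = {}
    for sigalg in sorted(cfg["secure-sig"] | cfg["secure-sig-for-cert"]):
        h = required_hash(sigalg)
        if h and h not in cfg["secure-hash"]:
            missing_hash[sigalg] = h
    return {"not_offered": not_offered, "missing_hash": missing_hash}


# Constructed samples that mirror the shape of the report, trimmed down.
CONFIG_BROKEN = """\
secure-hash = SHA256
secure-hash = SHA384
secure-hash = SHA512
secure-sig = ECDSA-SHA256
secure-sig = EdDSA-Ed25519
secure-sig = EdDSA-Ed448
secure-sig = RSA-PSS-SHA256
secure-sig-for-cert = EdDSA-Ed448
"""
# Same config plus the line comment 2 found missing.
CONFIG_FIXED = CONFIG_BROKEN + "secure-hash = SHAKE-256\n"

DEBUG_BROKEN = """\
|<4>| EXT[0x55ccfde262f0]: sent signature algo (4.3) ECDSA-SHA256
|<4>| EXT[0x55ccfde262f0]: sent signature algo (8.7) EdDSA-Ed25519
|<4>| EXT[0x55ccfde262f0]: sent signature algo (8.9) RSA-PSS-SHA256
"""
# What a fixed build would log in addition (constructed, per "Expected results").
DEBUG_FIXED = DEBUG_BROKEN + \
    "|<4>| EXT[0x55ccfde262f0]: sent signature algo (8.8) EdDSA-Ed448\n"

if __name__ == "__main__":
    print("broken:", check(CONFIG_BROKEN, DEBUG_BROKEN))
    print("fixed: ", check(CONFIG_FIXED, DEBUG_FIXED))
```

On a real host, feed it `/etc/crypto-policies/back-ends/gnutls.config` and the stderr of `gnutls-cli -d9 <host>`; an entry in `missing_hash` points at the config (the crypto-policies side, bz2005021), while an entry in `not_offered` with an empty `missing_hash` points at the library (the nettle back-end not reporting the hash, the gnutls side of this bug).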

Comment 3 Alexander Sosedkin 2021-09-16 15:03:59 UTC
Thanks for the investigation,
filed the need to teach crypto-policies about SHAKE-256 as bz2005021.

Comment 9 errata-xmlrpc 2022-05-17 15:52:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: gnutls), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3937

