ML-DSA signatures with not matching schemes in TLS are accepted

[tomato42]

When running the current master (f7feb2d) OpenSSL will accept an ML-DSA signature that identifies itself as a wrong scheme. For example, client certificate with ML-DSA-65 includes a valid signature in CertificateVerify that has a mldsa44 SignatureScheme.

To Reproduce

reproducer

openssl req -x509 -newkey rsa -keyout /tmp/localhost.key -out /tmp/localhost.crt -subj /CN=localhost -nodes -batch
openssl s_server -key /tmp/localhost.key -cert /tmp/localhost.crt -Verify 1 -HTTP 2>server.err >server.out &
openssl_pid=$!
git clone https://github.com/tomato42/tlsfuzzer
pushd tlsfuzzer
# won't be needed after https://github.com/tlsfuzzer/tlsfuzzer/pull/1017 is merged
git checkout more-ml-dsa
git clone https://github.com/tomato42/tlslite-ng .tlslite-ng
ln -s .tlslite-ng/tlslite tlslite
git clone https://github.com/warner/python-ecdsa .python-ecdsa
ln -s .python-ecdsa/src/ecdsa ecdsa
git clone https://github.com/GiacomoPope/kyber-py .kyber-py
ln -s .kyber-py/src/kyber_py kyber_py
git clone https://github.com/GiacomoPope/dilithium-py .dilithium-py
ln -s .dilithium-py/src/dilithium_py dilithium_py
PYTHONPATH=. python3 scripts/test-tls13-mldsa-in-certificate-verify.py -k tests/serverMldsa65Key.pem -c tests/serverMldsa65Cert.pem -s "mldsa65 mldsa87 mldsa44 ecdsa_secp256r1_sha256 ecdsa_secp384r1_sha384 ecdsa_secp521r1_sha512 ed25519 ed448 ecdsa_brainpoolP256r1tls13_sha256 ecdsa_brainpoolP384r1tls13_sha384 ecdsa_brainpoolP512r1tls13_sha512 rsa_pss_pss_sha256 rsa_pss_pss_sha384 rsa_pss_pss_sha512 rsa_pss_rsae_sha256 rsa_pss_rsae_sha384 rsa_pss_rsae_sha512 rsa_pkcs1_sha256 rsa_pkcs1_sha384 rsa_pkcs1_sha512" 'check mldsa signature with mismatched scheme fails' sanity
popd
kill $openssl_pid

OpenSSL output

verify depth is 1, must return a certificate
Using default temp DH parameters
ACCEPT
depth=0 CN=localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=localhost
verify error:num=26:unsuitable certificate purpose
verify return:1
depth=0 CN=localhost
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=localhost
verify return:1
depth=0 CN=localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=localhost
verify error:num=26:unsuitable certificate purpose
verify return:1
depth=0 CN=localhost
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=localhost
verify return:1
depth=0 CN=localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=localhost
verify error:num=26:unsuitable certificate purpose
verify return:1
depth=0 CN=localhost
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=localhost
verify return:1

tlsfuzzer output

sanity ...
OK

check mldsa signature with mismatched scheme fails ...
Error encountered while processing node ExpectAlert(level=2, description=47) (child: <tlsfuzzer.expect.ExpectClose object at 0x7fa40caeb9d0>) with last message being: <tlslite.messages.Message object at 0x7fa4056c2390>
Error while processing
Traceback (most recent call last):
  File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/_apps/test_tls13_mldsa_in_certificate_verify.py", line 646, in main
    runner.run()
    ~~~~~~~~~~^^
  File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 235, in run
    raise AssertionError("Unexpected message from peer: " +
    ...<4 lines>...
                                        RecordHeader2)))
AssertionError: Unexpected message from peer: Handshake(new_session_ticket)

sanity ...
OK

Test to verify that server properly accepts or refuses
ML-DSA signatures in TLS1.3
Test should be executed three times, once each with ML-DSA-44,
ML-DSA-65 and ML-DSA-87 (if all are supported by the server).

Test end
====================
version: 2
====================
TOTAL: 3
SKIP: 0
PASS: 2
XFAIL: 0
FAIL: 1
XPASS: 0
====================
FAILED:
        'check mldsa signature with mismatched scheme fails'

Expected behavior

The server should check if the signature ID matches the client certificate and reject the connection with an illegal_parameter alert.

[tomato42]

I've updated the test case to test with all the signature schemes supported by tlsfuzzer (update the branch to current version run with -n 1 instead of 'check mldsa signature with mismatched scheme fails' sanity to reproduce it) and the signatures identified as ed25519, ed448, or any of the ML-DSA algorithms are accepted even when they don't match the certificate algorithm

[beldmit]

@vdukhovni can you please take a look?

[vdukhovni]

The explanation of the issue is much too terse to make sense to me. I'm afraid the issue will have to be explained in more detail.

Are we talking about the signature in the Client's CerificateVerify message? What is the claim here?

• Is the client able to use a certificate with a different key type than the purported type negotiated on the wire, and then sign with that key, provided it pretends that the key was for the ostensibly negotiated algorithm?
• That is the key in the certificate makes a valid signature of the payload, but the algorithm is not the one that the server expected, but the server fails to notice?

Is that the problem? And if so, is only an issue in the client-to-server direction?
And is substitution only possible across different ML-DSA veriants or also across unrelated algorithms?

[tomato42]

The Certificate message has ML-DSA-65 certificate, it's signed by a CA that the server trusts, I use the associated private key to make a valid signature with it, I put that signature in CertificateVerify message, mark it as ML-DSA-44, ML-DSA-87, Ed25519 or Ed448 signature: the server accepts it and responds with a NewSessionTicket. i.e. the Subject Public Key Info in the Certificate doesn't match the signature algorithm in the CertificateVerify.

And if so, is only an issue in the client-to-server direction?

don't have an easy way to reproduce it the other way

And is substitution only possible across different ML-DSA veriants or also across unrelated algorithms?

haven't tested with EdDSA certs advertising ML-DSA signatures, but it's likely

[vdukhovni]

Can you check whether tls12_check_peer_sigalg() is called when processing the client's CertificateVerify and what it returns?

[vdukhovni]

The problem may be at:

openssl/ssl/t1_lib.c

Lines 2730 to 2732 in 94cc3b7

	/* if this sigalg is loaded, set so far unknown pkeyid to its sig NID */
	if (pkeyid == EVP_PKEY_KEYMGMT)
	pkeyid = lu->sig;

This may not correctly handle new key types... The issue is then not ML-DSA-specific, but rather relevant to all keys that have a key type of EVP_PKEY_KEYMGMT.

[tomato42]

Can you check whether tls12_check_peer_sigalg() is called when processing the client's CertificateVerify and what it returns?

yes, it's called
it returns 1

from here:

1316        for (i = 0; i < ctx->sigalg_list_len; i++) {
1317            if (ctx->ssl_cert_info[i].nid == nid) {
1318                *pidx = SSL_PKEY_NUM + i;
1319                return 1;
1320            }
1321        }

[vdukhovni]

Those line numbers don't match where I find the code in question, not sure what OpenSSL code you're looking at... But I do think that the handling of EVP_PKEY_KEYMGMT looks questionable at best.