Re: BUG #17760: SCRAM authentication fails with "modern" (rsassaPss signature) server certificate - Mailing list pgsql-bugs

On 10/02/2023 00:45, Michael Paquier wrote:
> On Thu, Feb 09, 2023 at 02:22:28PM -0800, Jacob Champion wrote:
>> +1. I'm still coming up to speed on RSA-PSS and the conversation at
>>
>>      https://github.com/openssl/openssl/issues/15477
>>
>> but it makes me really uncomfortable to fail open rather than shut in
>> this case, as part of a backport.
> 
> I could get that some users would want to be able to use such certs,
> though.  At least we have one such user as of this thread.

Note that the discussion in that thread is in a slightly different 
context. They are not talking about channel binding, but something else 
(https://github.com/openssl/openssl/issues/15477#issuecomment-852928702). 
The problem is similar: what hash algorithm to use if it's not well 
defined. But there's no guarantee that the rules they come up with will 
be the same as the rules for tls-server-end-point. So I'm not very 
comfortable relying on X509_digest_sig() to do the right thing for us in 
the future, even if it does today.

>>>> So as much as I'd like to be aggressive and potentially enforce the
>>>> use of SHA256 to compute the certificate hash, what you are doing is
>>>> RFC-compliant.
>>>
>>> Yeah, it seems silly to use anything else than SHA-256, given that
>>> SCRAM-SHA-256 is totally dependent on the security of SHA-256 anyway.
>>
>> How will this evolve when SCRAM-SHA-512 is implemented? Do you plan to
>> upgrade the undef-hash in that case to SHA-512?

Yes, that's what I had in mind. Or for SCRAM-SHA-512, we could go 
further and define it as "always use SHA-512", because we wouldn't need 
to worry about backwards compatibility anymore.

>> Knee-jerk reaction: this departure feels unnecessary since Gunnar's
>> certificate does in fact contain a hash algorithm...
> 
> What do you mean by Gunnar here?

Gunnar reported the bug, he's cc'd in this thread.


Ok, let me refine my earlier idea to make this more concrete:

> We could use a new "tls-server-end-point-sha-256" channel binding name 
> for that, instead of "tls-server-end-point", to make it clear when we're 
> violating the RFC.


Let's define a new channel binding type: tls-server-end-point-sha-256. 
with "tls-server-end-point-sha-256", the SHA-256 hash of the certificate 
is used, regardless of what algorithm is in the certificate's signature.

1. When the client sees a "normal" server certificate that uses SHA-256, 
SHA-512, or something else that it recognizes and handles fine today, it 
does the same thing as it does today. It sends "tls-server-end-point" as 
the the cb-name, and calculates the hash using the certificate's hash 
algorithm.

2. When the client sees a certificate with RSA-PSS, ED25519, ED448, or 
any other signature method that it doesn't recognize, it selects the 
tls-server-end-point-sha-256 channel binding type. It sends 
"tls-server-end-point-sha-256" as the cb-name, and calculates the 
SHA-256 hash of the certificate.

3. The server follows the current rules, or uses SHA-256, depending on 
whether the client sent "tls-server-end-point" or 
"tls-server-end-point-sha-256" in the cb-name.

These rules ensure that with certificates that work today, nothing 
changes. Rule 1 ensures that you can connect with a new client to an old 
server, and it still works. And rule 3. ensures that you can still 
connect to a new server with an old client.

At the same time, we are using a new channel binding type to make it 
clear when we are deviating from the standard rules of 
"tls-server-end-point".

If you have an RSA-PSS certificate, you need to upgrade the client and 
the server, or you get an error when you try to connect. (Unless you set 
channel_binding=disable). But after upgrading, it will work.

- Heikki