
crypto/tls: ECDHE-RSA-AES256-GCM-SHA384 fails with "input must be hashed message" #9808

Closed
johto opened this issue Feb 8, 2015 · 1 comment

@johto
Contributor

johto commented Feb 8, 2015

Hi,

Given this client:

package main

import (
    "crypto/tls"
)

func main() {
    // Client certificate and key presented to the server during the handshake.
    cert, err := tls.LoadX509KeyPair("client.crt", "client.key")
    if err != nil {
        panic(err)
    }
    tlsConf := &tls.Config{
        Certificates: []tls.Certificate{cert},
        // Only for this repro: the openssl s_server certificate is self-signed.
        InsecureSkipVerify: true,
    }
    // The handshake, including signing CertificateVerify, happens inside Dial.
    c, err := tls.Dial("tcp", "localhost:4433", tlsConf)
    if err != nil {
        panic(err)
    }
    _, err = c.Write([]byte("foo"))
    if err != nil {
        panic(err)
    }
    c.Close()
}

and this command line to run a server:

openssl s_server -serverpref -cipher 'ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256' -Verify 1

the test program fails with:

% go run ~/test.go
panic: tls: failed to sign handshake with client certificate: crypto/rsa: input must be hashed message

This only happens if -serverpref is used. This problem appears to have been introduced by commit f1d669a, and comes from src/crypto/rsa/pkcs1v15.go, line 275 (in HEAD):

    if inLen != hashLen {
        return 0, nil, errors.New("crypto/rsa: input must be hashed message")
    }

openssl s_client appears to have no issues connecting so I'm guessing this is a problem on Go's end.

@jstemmer
Contributor

jstemmer commented Mar 6, 2015

The commit you referenced added support for arbitrary hash functions. I've tracked this issue down to hashForClientCertificate in prf.go that would always return sha256 as its hash function, even if it used a different one to calculate its digest.

I've uploaded a proposed fix: https://go-review.googlesource.com/7040
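
The following stand-alone Go program is an added example, not code from this issue, from jstemmer's change or from the Go repository. It models the defect described above: the handshake digest is computed with the cipher suite's PRF hash (SHA-384 for ECDHE-RSA-AES256-GCM-SHA384), but the hash reported to the signer is always crypto.SHA256, so rsa.SignPKCS1v15 hits the length check johto quoted from pkcs1v15.go and returns "crypto/rsa: input must be hashed message". The function names handshakeDigest, buggyHandshakeDigest, signCertificateVerify and Reproduce, and the transcript bytes, are constructed for illustration and are not crypto/tls's own API.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256" // registers crypto.SHA256 so crypto.SHA256.New() works
	_ "crypto/sha512" // registers crypto.SHA384 so crypto.SHA384.New() works
	"fmt"
	"log"
)

// handshakeDigest is an illustrative stand-in for the fixed hashForClientCertificate:
// it hashes the handshake transcript with the cipher suite's PRF hash and reports
// that same hash back to the caller. (Constructed model, not crypto/tls code.)
func handshakeDigest(suiteHash crypto.Hash, transcript []byte) ([]byte, crypto.Hash) {
	h := suiteHash.New()
	h.Write(transcript)
	return h.Sum(nil), suiteHash
}

// buggyHandshakeDigest reproduces the defect reported in the issue: the digest is
// computed with the suite's hash, but the function always claims it was SHA-256.
func buggyHandshakeDigest(suiteHash crypto.Hash, transcript []byte) ([]byte, crypto.Hash) {
	digest, _ := handshakeDigest(suiteHash, transcript)
	return digest, crypto.SHA256
}

// signCertificateVerify signs the digest the way a TLS 1.2 client signs the
// CertificateVerify message with an RSA certificate: PKCS#1 v1.5 with the
// declared hash's DigestInfo prefix. crypto/rsa checks that
// len(digest) == declared.Size() before signing, which is the check that fails.
func signCertificateVerify(priv *rsa.PrivateKey, digest []byte, declared crypto.Hash) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, declared, digest)
}

// Reproduce returns the signing error from the buggy path (expected:
// "crypto/rsa: input must be hashed message") and the verification error from
// the fixed path (expected: nil) for an AES_256_GCM_SHA384 suite.
func Reproduce(priv *rsa.PrivateKey, transcript []byte) (buggyErr error, fixedErr error) {
	const suiteHash = crypto.SHA384 // ECDHE-RSA-AES256-GCM-SHA384 uses SHA-384 as its PRF hash

	// Bug: a 48-byte SHA-384 digest declared as SHA-256 (32 bytes); crypto/rsa refuses it.
	digest, declared := buggyHandshakeDigest(suiteHash, transcript)
	_, buggyErr = signCertificateVerify(priv, digest, declared)

	// Fix: the declared hash matches the digest, so signing and verifying succeed.
	digest, declared = handshakeDigest(suiteHash, transcript)
	sig, err := signCertificateVerify(priv, digest, declared)
	if err != nil {
		return buggyErr, err
	}
	fixedErr = rsa.VerifyPKCS1v15(&priv.PublicKey, declared, digest, sig)
	return buggyErr, fixedErr
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	// Constructed stand-in for the handshake transcript; a real TLS client hashes
	// every handshake message exchanged so far.
	transcript := []byte("ClientHello...ServerHello...Certificate...ClientKeyExchange")
	buggyErr, fixedErr := Reproduce(priv, transcript)
	fmt.Println("buggy path signing error:", buggyErr)
	fmt.Println("fixed path verify error:", fixedErr)
}
```

The same mismatch cannot occur with a SHA-256 suite, which is why the failure only shows up when the server's preference selects the SHA384 suite: a 32-byte digest declared as SHA-256 passes the length check whatever the suite, so the bug is invisible until a suite with a different PRF hash is negotiated.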

@bradfitz bradfitz added this to the Go1.5 milestone Mar 6, 2015
@agl agl closed this as completed in ebe3d69 Mar 16, 2015
@golang golang locked and limited conversation to collaborators Jun 25, 2016
FiloSottile pushed a commit to FiloSottile/go that referenced this issue Oct 12, 2018
…es in handshake

Commit f1d669a added support for
AES_256_GCM_SHA384 cipher suites as specified in RFC5289. However, it
did not take the arbitrary hash function into account in the TLS client
handshake when using client certificates.

The hashForClientCertificate method always returned SHA256 as its
hashing function, even if it actually used a different one to calculate
its digest. Setting up the connection would eventually fail with the
error "tls: failed to sign handshake with client certificate:
crypto/rsa: input must be hashed message".

Included is an additional test for this specific situation that uses the
SHA384 hash.

Fixes golang#9808

Change-Id: Iccbf4ab225633471ef897907c208ad31f92855a3
Reviewed-on: https://go-review.googlesource.com/7040
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
@rsc rsc unassigned agl Jun 23, 2022