TLS 1.2 with standard signature? Why hash->size == 36??

> Carolin Latze <carolin.latze@...> writes:
>
>  
>> Hi all,
>>
>> according to RFC 5246, TLS 1.2 should use a standard signature, but if
>> I enable TLS 1.2 in GnuTLS and print out the hash size it says
>> 36... that does not sound like a standard signature.. I would expect
>> something like 20 for SHA1. Am I wrong?
>>    
>
> Hi!  With GnuTLS 2.9.7 I hope this should work better -- could you take
> a look?  It should have more solid TLS 1.2 support.
>
> Thanks,
> Simon
>  

> Hi Simon,
>
> I tried to use TLS 1.2 with and without sign callback, and I still see a
> signature of 36 bytes... Even if there is a leading SHA-1 OID, shouldn't
> it be max 35 then? Maybe we should check, whether I check the right
> variables:
>
> In gnutls_sig.c, method _gnutls_tls_sign_hdata, there is a structure
> called dconcat. dconcat.size holds the hash size, right? and
> dconcat.data should hold the hash itself? dconcat.size has a value of 36
> for me...
>
> If I use the sign callback, I print the value of hash->size (=36) and
> hash->data (cannot see the OID included in that value, so for me it
> looks like it is really not SHA-1 only).
>
> Maybe I check the wrong values?
>
> BTW: I used the latest Snapshot, 2.9.8 to test it.
>
> Sorry... :-/
> Carolin
>
> Simon Josefsson wrote:
>    
>> Carolin Latze<carolin.latze@...>  writes:
>>
>>
>>      
>>> Hi all,
>>>
>>> according to RFC 5246, TLS 1.2 should use a standard signature, but if
>>> I enable TLS 1.2 in GnuTLS and print out the hash size it says
>>> 36... that does not sound like a standard signature.. I would expect
>>> something like 20 for SHA1. Am I wrong?
>>>
>>>        
>> Hi!  With GnuTLS 2.9.7 I hope this should work better -- could you take
>> a look?  It should have more solid TLS 1.2 support.
>>
>> Thanks,
>> Simon
>>
>>      
>    

> Maybe we should check, whether I check the right variables:
>
> In gnutls_sig.c, method _gnutls_tls_sign_hdata, there is a structure
> called dconcat. dconcat.size holds the hash size, right? and
> dconcat.data should hold the hash itself? dconcat.size has a value of 36
> for me...
>
> If I use the sign callback, I print the value of hash->size (=36) and
> hash->data (cannot see the OID included in that value, so for me it
> looks like it is really not SHA-1 only).
>
> Maybe I check the wrong values?

> BTW: I used the latest Snapshot, 2.9.8 to test it.
>
> Sorry... :-/
> Carolin
>
> Simon Josefsson wrote:
>> Carolin Latze <carolin.latze@...> writes:
>>
>>  
>>> Hi all,
>>>
>>> according to RFC 5246, TLS 1.2 should use a standard signature, but if
>>> I enable TLS 1.2 in GnuTLS and print out the hash size it says
>>> 36... that does not sound like a standard signature.. I would expect
>>> something like 20 for SHA1. Am I wrong?
>>>    
>>
>> Hi!  With GnuTLS 2.9.7 I hope this should work better -- could you take
>> a look?  It should have more solid TLS 1.2 support.
>>
>> Thanks,
>> Simon
>>  

> Hi Simon,
>
> I tried to use TLS 1.2 with and without sign callback, and I still see a
> signature of 36 bytes... Even if there is a leading SHA-1 OID, shouldn't
> it be max 35 then? Maybe we should check, whether I check the right
> variables:
>
> In gnutls_sig.c, method _gnutls_tls_sign_hdata, there is a structure
> called dconcat. dconcat.size holds the hash size, right? and
> dconcat.data should hold the hash itself? dconcat.size has a value of 36
> for me...
>
> If I use the sign callback, I print the value of hash->size (=36) and
> hash->data (cannot see the OID included in that value, so for me it
> looks like it is really not SHA-1 only).
>
> Maybe I check the wrong values?
>
> BTW: I used the latest Snapshot, 2.9.8 to test it.
>
> Sorry... :-/
> Carolin
>
> Simon Josefsson wrote:
>> Carolin Latze <carolin.latze@...> writes:
>>
>>  
>>> Hi all,
>>>
>>> according to RFC 5246, TLS 1.2 should use a standard signature, but if
>>> I enable TLS 1.2 in GnuTLS and print out the hash size it says
>>> 36... that does not sound like a standard signature.. I would expect
>>> something like 20 for SHA1. Am I wrong?
>>>    
>>
>> Hi!  With GnuTLS 2.9.7 I hope this should work better -- could you take
>> a look?  It should have more solid TLS 1.2 support.
>>
>> Thanks,
>> Simon
>>  

> Carolin,
>
> I just re-ran the x509signself self-test with gnutls 2.9.x and the hash
> size passed to the function is now 20 bytes.  I suppose GnuTLS adds the
> right PKCS#1 ASN.1 OID internally.  It occurs to me that perhaps the
> callback should receive the entire PKCS#1 blob, to avoid having the
> callback reconstruct it, instead of just the hash value, but maybe this
> is sufficient to make things work for you?  I'll release 2.9.9 in a few
> minutes with some minor fixes, please test it.
>
> /Simon
>
> Carolin Latze <carolin.latze@...> writes:
>
>  
>> Hi Simon,
>>
>> I tried to use TLS 1.2 with and without sign callback, and I still see a
>> signature of 36 bytes... Even if there is a leading SHA-1 OID, shouldn't
>> it be max 35 then? Maybe we should check, whether I check the right
>> variables:
>>
>> In gnutls_sig.c, method _gnutls_tls_sign_hdata, there is a structure
>> called dconcat. dconcat.size holds the hash size, right? and
>> dconcat.data should hold the hash itself? dconcat.size has a value of 36
>> for me...
>>
>> If I use the sign callback, I print the value of hash->size (=36) and
>> hash->data (cannot see the OID included in that value, so for me it
>> looks like it is really not SHA-1 only).
>>
>> Maybe I check the wrong values?
>>
>> BTW: I used the latest Snapshot, 2.9.8 to test it.
>>
>> Sorry... :-/
>> Carolin
>>
>> Simon Josefsson wrote:
>>    
>>> Carolin Latze <carolin.latze@...> writes:
>>>
>>>  
>>>      
>>>> Hi all,
>>>>
>>>> according to RFC 5246, TLS 1.2 should use a standard signature, but if
>>>> I enable TLS 1.2 in GnuTLS and print out the hash size it says
>>>> 36... that does not sound like a standard signature.. I would expect
>>>> something like 20 for SHA1. Am I wrong?
>>>>    
>>>>        
>>> Hi!  With GnuTLS 2.9.7 I hope this should work better -- could you take
>>> a look?  It should have more solid TLS 1.2 support.
>>>
>>> Thanks,
>>> Simon
>>>  
>>>      

> Carolin,
>
> I just re-ran the x509signself self-test with gnutls 2.9.x and the hash
> size passed to the function is now 20 bytes.  I suppose GnuTLS adds the
> right PKCS#1 ASN.1 OID internally.  It occurs to me that perhaps the
> callback should receive the entire PKCS#1 blob, to avoid having the
> callback reconstruct it, instead of just the hash value, but maybe this
> is sufficient to make things work for you?  I'll release 2.9.9 in a few
> minutes with some minor fixes, please test it.
>
> /Simon
>
> Carolin Latze <carolin.latze@...> writes:
>
>  
>> Hi Simon,
>>
>> I tried to use TLS 1.2 with and without sign callback, and I still see a
>> signature of 36 bytes... Even if there is a leading SHA-1 OID, shouldn't
>> it be max 35 then? Maybe we should check, whether I check the right
>> variables:
>>
>> In gnutls_sig.c, method _gnutls_tls_sign_hdata, there is a structure
>> called dconcat. dconcat.size holds the hash size, right? and
>> dconcat.data should hold the hash itself? dconcat.size has a value of 36
>> for me...
>>
>> If I use the sign callback, I print the value of hash->size (=36) and
>> hash->data (cannot see the OID included in that value, so for me it
>> looks like it is really not SHA-1 only).
>>
>> Maybe I check the wrong values?
>>
>> BTW: I used the latest Snapshot, 2.9.8 to test it.
>>
>> Sorry... :-/
>> Carolin
>>
>> Simon Josefsson wrote:
>>    
>>> Carolin Latze <carolin.latze@...> writes:
>>>
>>>  
>>>      
>>>> Hi all,
>>>>
>>>> according to RFC 5246, TLS 1.2 should use a standard signature, but if
>>>> I enable TLS 1.2 in GnuTLS and print out the hash size it says
>>>> 36... that does not sound like a standard signature.. I would expect
>>>> something like 20 for SHA1. Am I wrong?
>>>>    
>>>>        
>>> Hi!  With GnuTLS 2.9.7 I hope this should work better -- could you take
>>> a look?  It should have more solid TLS 1.2 support.
>>>
>>> Thanks,
>>> Simon
>>>  
>>>      

> Hi Simon,
>
> yup, it is perfectly working now (I tested with 2.9.10)! Thanks a lot
> for fixing that!!!
>
> Cheers
> Carolin
>
> Simon Josefsson wrote:
>> Carolin,
>>
>> I just re-ran the x509signself self-test with gnutls 2.9.x and the hash
>> size passed to the function is now 20 bytes.  I suppose GnuTLS adds the
>> right PKCS#1 ASN.1 OID internally.  It occurs to me that perhaps the
>> callback should receive the entire PKCS#1 blob, to avoid having the
>> callback reconstruct it, instead of just the hash value, but maybe this
>> is sufficient to make things work for you?  I'll release 2.9.9 in a few
>> minutes with some minor fixes, please test it.
>>
>> /Simon
>>
>> Carolin Latze <carolin.latze@...> writes:
>>
>>  
>>> Hi Simon,
>>>
>>> I tried to use TLS 1.2 with and without sign callback, and I still see a
>>> signature of 36 bytes... Even if there is a leading SHA-1 OID, shouldn't
>>> it be max 35 then? Maybe we should check, whether I check the right
>>> variables:
>>>
>>> In gnutls_sig.c, method _gnutls_tls_sign_hdata, there is a structure
>>> called dconcat. dconcat.size holds the hash size, right? and
>>> dconcat.data should hold the hash itself? dconcat.size has a value of 36
>>> for me...
>>>
>>> If I use the sign callback, I print the value of hash->size (=36) and
>>> hash->data (cannot see the OID included in that value, so for me it
>>> looks like it is really not SHA-1 only).
>>>
>>> Maybe I check the wrong values?
>>>
>>> BTW: I used the latest Snapshot, 2.9.8 to test it.
>>>
>>> Sorry... :-/
>>> Carolin
>>>
>>> Simon Josefsson wrote:
>>>    
>>>> Carolin Latze <carolin.latze@...> writes:
>>>>
>>>>  
>>>>      
>>>>> Hi all,
>>>>>
>>>>> according to RFC 5246, TLS 1.2 should use a standard signature, but if
>>>>> I enable TLS 1.2 in GnuTLS and print out the hash size it says
>>>>> 36... that does not sound like a standard signature.. I would expect
>>>>> something like 20 for SHA1. Am I wrong?
>>>>>    
>>>>>        
>>>> Hi!  With GnuTLS 2.9.7 I hope this should work better -- could you take
>>>> a look?  It should have more solid TLS 1.2 support.
>>>>
>>>> Thanks,
>>>> Simon
>>>>  
>>>>      

> That is great!
>
> Did you have to re-add the PKCS#1 ASN.1 OID before signing the data
> manually?  Or was that not necessary?  I'm wondering whether current API
> to only give the callback the hash value is OK, or whether it should
> also include the ASN.1 OID in the data passed to the callback.  One
> problem with the current callback API is that there is no signalling of
> which hash function was used -- before in TLS this was not necessary
> since only MD5/SHA1 was used, and the default is still SHA-1, but it
> will be possible to sign using SHA-256 or similar too.  The callback
> needs to be able to figure out that somehow.
>
> /Simon
>
> Carolin Latze <carolin.latze@...> writes:
>
>  
>> Hi Simon,
>>
>> yup, it is perfectly working now (I tested with 2.9.10)! Thanks a lot
>> for fixing that!!!
>>
>> Cheers
>> Carolin
>>
>> Simon Josefsson wrote:
>>    
>>> Carolin,
>>>
>>> I just re-ran the x509signself self-test with gnutls 2.9.x and the hash
>>> size passed to the function is now 20 bytes.  I suppose GnuTLS adds the
>>> right PKCS#1 ASN.1 OID internally.  It occurs to me that perhaps the
>>> callback should receive the entire PKCS#1 blob, to avoid having the
>>> callback reconstruct it, instead of just the hash value, but maybe this
>>> is sufficient to make things work for you?  I'll release 2.9.9 in a few
>>> minutes with some minor fixes, please test it.
>>>
>>> /Simon
>>>
>>> Carolin Latze <carolin.latze@...> writes:
>>>
>>>  
>>>      
>>>> Hi Simon,
>>>>
>>>> I tried to use TLS 1.2 with and without sign callback, and I still see a
>>>> signature of 36 bytes... Even if there is a leading SHA-1 OID, shouldn't
>>>> it be max 35 then? Maybe we should check, whether I check the right
>>>> variables:
>>>>
>>>> In gnutls_sig.c, method _gnutls_tls_sign_hdata, there is a structure
>>>> called dconcat. dconcat.size holds the hash size, right? and
>>>> dconcat.data should hold the hash itself? dconcat.size has a value of 36
>>>> for me...
>>>>
>>>> If I use the sign callback, I print the value of hash->size (=36) and
>>>> hash->data (cannot see the OID included in that value, so for me it
>>>> looks like it is really not SHA-1 only).
>>>>
>>>> Maybe I check the wrong values?
>>>>
>>>> BTW: I used the latest Snapshot, 2.9.8 to test it.
>>>>
>>>> Sorry... :-/
>>>> Carolin
>>>>
>>>> Simon Josefsson wrote:
>>>>    
>>>>        
>>>>> Carolin Latze <carolin.latze@...> writes:
>>>>>
>>>>>  
>>>>>      
>>>>>          
>>>>>> Hi all,
>>>>>>
>>>>>> according to RFC 5246, TLS 1.2 should use a standard signature, but if
>>>>>> I enable TLS 1.2 in GnuTLS and print out the hash size it says
>>>>>> 36... that does not sound like a standard signature.. I would expect
>>>>>> something like 20 for SHA1. Am I wrong?
>>>>>>    
>>>>>>        
>>>>>>            
>>>>> Hi!  With GnuTLS 2.9.7 I hope this should work better -- could you take
>>>>> a look?  It should have more solid TLS 1.2 support.
>>>>>
>>>>> Thanks,
>>>>> Simon
>>>>>  
>>>>>      
>>>>>