BUG/MEDIUM: ssl: bad auth selection with TLS1.2 and WolfSSL

wlallemand · capflam · commit be979dd12773 · 2024-06-10T14:38:34.000+02:00
The ClientHello callback for WolfSSL introduced in haproxy 2.9, seems not to behave correctly with TLSv1.2. In TLSv1.2, this is the cipher that is used to chose the authentication algorithm (ECDSA or RSA), however an SSL client can send a signature algorithm. In TLSv1.3, the authentication is not part of the ciphersuites, and is selected using the signature algorithm. The mistake in the code is that the signature algorithm in TLSv1.2 are overwritting the auth that was selected using the ciphers. This must be backported as far as 2.9. (cherry picked from commit 711338e) Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
@@ -2564,6 +2564,10 @@ static int ssl_sock_switchctx_wolfSSL_cbk(WOLFSSL* ssl, void* arg)
 			return 0;
 
 		if (SSL_version(ssl) != TLS1_3_VERSION) {
+
+			/* with TLS <= 1.2, we must use the auth which is provided by the cipher, but we don't need to
+			 * consider the auth provided by the signature algorithms */
+
 			for (idx = 0; idx < suiteSz; idx += 2) {
 				WOLFSSL_CIPHERSUITE_INFO info;
 				info = wolfSSL_get_ciphersuite_info(suites[idx], suites[idx+1]);
@@ -2572,23 +2576,22 @@ static int ssl_sock_switchctx_wolfSSL_cbk(WOLFSSL* ssl, void* arg)
 				else if (info.eccAuth)
 					has_ecdsa_sig = 1;
 			}
-		}
+		} else {
+			/* with TLS >= 1.3, we must use the auth which is provided by the signature algorithms because
+			 * the ciphers does not provide the auth */
 
-		if (hashSigAlgoSz > 0) {
-			/* sigalgs extension takes precedence over ciphersuites */
-			has_ecdsa_sig = 0;
-			has_rsa_sig = 0;
-		}
-		for (idx = 0; idx < hashSigAlgoSz; idx += 2) {
-			int hashAlgo;
-			int sigAlgo;
+			for (idx = 0; idx < hashSigAlgoSz; idx += 2) {
+				int hashAlgo;
+				int sigAlgo;
 
-			wolfSSL_get_sigalg_info(hashSigAlgo[idx+0], hashSigAlgo[idx+1], &hashAlgo, &sigAlgo);
+				wolfSSL_get_sigalg_info(hashSigAlgo[idx+0], hashSigAlgo[idx+1], &hashAlgo, &sigAlgo);
 
-			if (sigAlgo == RSAk || sigAlgo == RSAPSSk)
-				has_rsa_sig = 1;
-			else if (sigAlgo == ECDSAk)
-				has_ecdsa_sig = 1;
+				if (sigAlgo == RSAk || sigAlgo == RSAPSSk)
+					has_rsa_sig = 1;
+				else if (sigAlgo == ECDSAk)
+					has_ecdsa_sig = 1;
+
+			}
 		}
 	}
 
