cryptomb: ssl handleshake always failed in tlsv1.2

[Lynskylate]

cryptomb: ssl handleshake always failed in tlsv1.2

@ipuustin
Openssl client can't complete ssl handleshake in tlsv1.2 protocol , but can complete tls handshake when use tlsv1.3 protocol.if connect server with tlsv1.2 protocol, envoy will reset the connection.

The difference seems to be in the order of the signature algorithms
Although client hello message offer many signature algorithm, crymtomb always use first signature method.

In the pr, cryptomb remove PKCS1_5 padding support and rsa_pkcs1_sha512 is the first order signature in the client hello message.

In tls1.3 rsa_pss_rsae_sha512 is the first signature algorithm, cymtomb can complete the tls handshake.

• sds config *

{
    "@type":"type.googleapis.com/envoy.admin.v3.SecretsConfigDump",
    "dynamic_active_secrets":[
        {
            "name":"kubernetes://f53e12d9e545d73f29584d18e00d1cb8",
            "version_info":"2022-05-09T11:24:12+08:00/3",
            "last_updated":"2022-05-09T03:24:12.052Z",
            "secret":{
                "@type":"type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret",
                "name":"kubernetes://f53e12d9e545d73f29584d18e00d1cb8",
                "tls_certificate":{
                    "certificate_chain":{
                        "inline_bytes":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQrakNDQWVJQ0FRRXdEUVlKS29aSWh2Y05BUUVMQlFBd1JURU9NQXdHQTFVRUNnd0ZTWE4wYVc4eEdEQVcKQmdOVkJBTU1EMGx1ZEdWeWJXVmthV0YwWlNCRFFURVpNQmNHQTFVRUJ3d1FaR2x1WjJScGJtY3RhVzVuY21WegpjekFlRncweU1URXlNVFl4TnpRMU1qaGFGdzB6TVRFeU1UUXhOelExTWpoYU1FRXhJREFlQmdOVkJBTU1GMkpqCmNDNXRjMlV1WVd4cFltRmlZUzFwYm1NdVkyOXRNUjB3R3dZRFZRUUtEQlJCYkdsaVlXSmhJRzl5WjJGdWFYcGgKZEdsdmJqQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUtqUytOVzJ2WWNxbTZXRwpERTdJV1pCMzltdi9RaGlIWERPL0Jaa0R2YmdyUHkyaG1MOS9OZWVQNVpycUI2V0hjYitoREJjTnJmenZOb3pPCitqM0svbzJqSUVyenJrTy9jK3Y5K3hwTkVMbDllRlFZUUdrdCs0a1VxSUM0NEh2U0tleXFNeE95TjQxS25Cc1cKSlU5UDFnSjJ1SmZML3prdkZZRU1lZnJZRzlGNkQ1VWc0NWx5N0xvRWlzVkgyWjNCblN5R1VHWWJ6SEx2RXErcgpCdlZkc3VhNnJGbDc2dGdJZnNxWE15cE9sbWlCMmUyQTBndHlRS1p4WHZndFE3WnI2YmZZbkIyMStOTkkydHlGCkNTZ0ZmK3JGQ1BKWGlyZkpIT3ltMDVVZFhvTjJyeXN6alJrUHJ0SSs4VWxsUEpqVXY3dWloTk43M2xYWkdVY0oKQVk0RVZCY0NBd0VBQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQWdFQUVpcHMxOHk4NWdCN0VJbGwvWWduV0xlOApJblFrTGh0NmZNQ2J0MVEyVDhKcVZ2L0ZsTUZIb090TWZYQnljUmxsMDBTTlF1MXZkZGJHc2tKenNrSjlraEhHCld4THV5TGdPTXlMTGNGVUp1bG9GTzd2L1VMZi9Td2VLbEVuVHNaZDVhcWM0M0JZeURrd2JPU1p2dTVWOS9PdWoKMlBsRHJTRERXWWFVb281OXBCdVNhajhnQ2IwMFAwYldaSi9YWlZMYUxFL1Vvd3g1Q1NvTFhFRE1RVDlsZy85KwppaUowNG5ycUYzcTc1K2J6dmhjaTNSMTJCUnZpenNNbGNUYU1BdXhhdmRrM2ZyZHhTckxBRVNVT3RBZDJFVTkwCkNBVXFSVHRJckdXRTdhOCsrcWIrL2QxSy91OElhd096d01yU1pwblZoR2JDeVd0QVhZV2NRYW1PVmIzcCtrK0kKWW9DTk9xUlI2UEtSNWFacmRmL2k3WW9vcnFXM1prckxOSUxrdWRCUUNtOEFOZitncGEvQ0ttY2pCKzgzNVZjSwphWVg1c2o0Mnk5dVlWeWgrNjFKUmNKdXJRMkFkZWY0S2hXTWdpcXllWlhSQitQTEgxSzVLYVN0RjA3NHd4Q01CCnd2cmtjL1gwQUM5RFBXa0hERnZTeEpVaFZSRVhHOFk1N04zWDZwQkozRmtCbmRJcXorQS9zaUo0UDRVd1F0Rm0KSHhZaGxzZ29oY3pzREJGOCtkbGtncTdGS2UvemxuWWZJL1htbVRzNEhxcWFMdlNrL0FZMWkrazUyL09vR25wSgo5K2RhbUs3dmtGSlZoZU0wcWx0cXBpbm93bXV6K1AwS2ZnR1ZVbFNKTTJJbnl0aDJHVXBsL01iM1lvSmtRK1piCmxtdEZVaEZMUFVncWtMd2RiNHc9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
                    },
                    "private_key_provider":{
                        "provider_name":"cryptomb",
                        "typed_config":{
                            "@type":"type.googleapis.com/envoy.extensions.private_key_providers.cryptomb.v3alpha.CryptoMbPrivateKeyMethodConfig",
                            "private_key":{
                                "inline_bytes":"W3JlZGFjdGVkXQ=="
                            },
                            "poll_delay":"0s"
                        }
                    }
                }
            }
        }
    ]
}

[Lynskylate]

It can also be easily reproduced using libressl

openssl s_client -connect 47.111.99.55:443 -servername a-test.mse-gw-demo.alibaba-inc.com

[ipuustin]

Thanks for the report! The PKCS1_5 support didn't work right previously, so I just removed the code. I do have a working PKCS1_5 implementation drafted -- it just needs a bunch of tests.

/assign @ipuustin

[Lynskylate]

@ipuustin
I have tested the old pcks implementation, the padding type returned in the ssl message is not consistent with the padding type used by the actual hash.

We have used this function in the production environment and need to fix its compatibility with versions below tls1.3 as soon as possible. Maybe you can make your draft public and let me help with the testing part.

[ipuustin]

@Lynskylate I pushed the draft code here: https://github.com/ipuustin/envoy/tree/pkcs1_5

Regarding testing, the problem is that we don't really have end-to-end test code for cryptomb, so the testing code needs to be able to check that the padding is done correctly.

[Lynskylate]

@ipuustin I used sslab to test the version. The version has been able to handle almost all ssl clients from the result.