1// Copyright 2016 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package runner
6
7import (
8	"crypto"
9	"crypto/ecdsa"
10	"crypto/ed25519"
11	"crypto/elliptic"
12	"crypto/md5"
13	"crypto/rsa"
14	"crypto/sha1"
15	_ "crypto/sha256"
16	_ "crypto/sha512"
17	"encoding/asn1"
18	"errors"
19	"fmt"
20	"math/big"
21)
22
23type signer interface {
24	supportsKey(key crypto.PrivateKey) bool
25	signMessage(key crypto.PrivateKey, config *Config, msg []byte) ([]byte, error)
26	verifyMessage(key crypto.PublicKey, msg, sig []byte) error
27}
28
29func selectSignatureAlgorithm(version uint16, key crypto.PrivateKey, config *Config, peerSigAlgs []signatureAlgorithm) (signatureAlgorithm, error) {
30	// If the client didn't specify any signature_algorithms extension then
31	// we can assume that it supports SHA1. See
32	// http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
33	if len(peerSigAlgs) == 0 {
34		peerSigAlgs = []signatureAlgorithm{signatureRSAPKCS1WithSHA1, signatureECDSAWithSHA1}
35	}
36
37	for _, sigAlg := range config.signSignatureAlgorithms() {
38		if !isSupportedSignatureAlgorithm(sigAlg, peerSigAlgs) {
39			continue
40		}
41
42		signer, err := getSigner(version, key, config, sigAlg, false)
43		if err != nil {
44			continue
45		}
46
47		if signer.supportsKey(key) {
48			return sigAlg, nil
49		}
50	}
51	return 0, errors.New("tls: no common signature algorithms")
52}
53
54func signMessage(version uint16, key crypto.PrivateKey, config *Config, sigAlg signatureAlgorithm, msg []byte) ([]byte, error) {
55	if config.Bugs.InvalidSignature {
56		newMsg := make([]byte, len(msg))
57		copy(newMsg, msg)
58		newMsg[0] ^= 0x80
59		msg = newMsg
60	}
61
62	signer, err := getSigner(version, key, config, sigAlg, false)
63	if err != nil {
64		return nil, err
65	}
66
67	return signer.signMessage(key, config, msg)
68}
69
70func verifyMessage(version uint16, key crypto.PublicKey, config *Config, sigAlg signatureAlgorithm, msg, sig []byte) error {
71	if version >= VersionTLS12 && !isSupportedSignatureAlgorithm(sigAlg, config.verifySignatureAlgorithms()) {
72		return errors.New("tls: unsupported signature algorithm")
73	}
74
75	signer, err := getSigner(version, key, config, sigAlg, true)
76	if err != nil {
77		return err
78	}
79
80	return signer.verifyMessage(key, msg, sig)
81}
82
83type rsaPKCS1Signer struct {
84	hash crypto.Hash
85}
86
87func (r *rsaPKCS1Signer) computeHash(msg []byte) []byte {
88	if r.hash == crypto.MD5SHA1 {
89		// crypto.MD5SHA1 is not a real hash function.
90		hashMD5 := md5.New()
91		hashMD5.Write(msg)
92		hashSHA1 := sha1.New()
93		hashSHA1.Write(msg)
94		return hashSHA1.Sum(hashMD5.Sum(nil))
95	}
96
97	h := r.hash.New()
98	h.Write(msg)
99	return h.Sum(nil)
100}
101
102func (r *rsaPKCS1Signer) supportsKey(key crypto.PrivateKey) bool {
103	_, ok := key.(*rsa.PrivateKey)
104	return ok
105}
106
107func (r *rsaPKCS1Signer) signMessage(key crypto.PrivateKey, config *Config, msg []byte) ([]byte, error) {
108	rsaKey, ok := key.(*rsa.PrivateKey)
109	if !ok {
110		return nil, errors.New("invalid key type for RSA-PKCS1")
111	}
112
113	return rsa.SignPKCS1v15(config.rand(), rsaKey, r.hash, r.computeHash(msg))
114}
115
116func (r *rsaPKCS1Signer) verifyMessage(key crypto.PublicKey, msg, sig []byte) error {
117	rsaKey, ok := key.(*rsa.PublicKey)
118	if !ok {
119		return errors.New("invalid key type for RSA-PKCS1")
120	}
121
122	return rsa.VerifyPKCS1v15(rsaKey, r.hash, r.computeHash(msg), sig)
123}
124
125type ecdsaSigner struct {
126	version uint16
127	config  *Config
128	curve   elliptic.Curve
129	hash    crypto.Hash
130}
131
132func (e *ecdsaSigner) isCurveValid(curve elliptic.Curve) bool {
133	if e.config.Bugs.SkipECDSACurveCheck {
134		return true
135	}
136	if e.version <= VersionTLS12 {
137		return true
138	}
139	return e.curve != nil && curve == e.curve
140}
141
142func (e *ecdsaSigner) supportsKey(key crypto.PrivateKey) bool {
143	ecdsaKey, ok := key.(*ecdsa.PrivateKey)
144	return ok && e.isCurveValid(ecdsaKey.Curve)
145}
146
147func maybeCorruptECDSAValue(n *big.Int, typeOfCorruption BadValue, limit *big.Int) *big.Int {
148	switch typeOfCorruption {
149	case BadValueNone:
150		return n
151	case BadValueNegative:
152		return new(big.Int).Neg(n)
153	case BadValueZero:
154		return big.NewInt(0)
155	case BadValueLimit:
156		return limit
157	case BadValueLarge:
158		bad := new(big.Int).Set(limit)
159		return bad.Lsh(bad, 20)
160	default:
161		panic("unknown BadValue type")
162	}
163}
164
165func (e *ecdsaSigner) signMessage(key crypto.PrivateKey, config *Config, msg []byte) ([]byte, error) {
166	ecdsaKey, ok := key.(*ecdsa.PrivateKey)
167	if !ok {
168		return nil, errors.New("invalid key type for ECDSA")
169	}
170	if !e.isCurveValid(ecdsaKey.Curve) {
171		return nil, errors.New("invalid curve for ECDSA")
172	}
173
174	h := e.hash.New()
175	h.Write(msg)
176	digest := h.Sum(nil)
177
178	r, s, err := ecdsa.Sign(config.rand(), ecdsaKey, digest)
179	if err != nil {
180		return nil, errors.New("failed to sign ECDHE parameters: " + err.Error())
181	}
182	order := ecdsaKey.Curve.Params().N
183	r = maybeCorruptECDSAValue(r, config.Bugs.BadECDSAR, order)
184	s = maybeCorruptECDSAValue(s, config.Bugs.BadECDSAS, order)
185	return asn1.Marshal(ecdsaSignature{r, s})
186}
187
188func (e *ecdsaSigner) verifyMessage(key crypto.PublicKey, msg, sig []byte) error {
189	ecdsaKey, ok := key.(*ecdsa.PublicKey)
190	if !ok {
191		return errors.New("invalid key type for ECDSA")
192	}
193	if !e.isCurveValid(ecdsaKey.Curve) {
194		return errors.New("invalid curve for ECDSA")
195	}
196
197	ecdsaSig := new(ecdsaSignature)
198	if _, err := asn1.Unmarshal(sig, ecdsaSig); err != nil {
199		return err
200	}
201	if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {
202		return errors.New("ECDSA signature contained zero or negative values")
203	}
204
205	h := e.hash.New()
206	h.Write(msg)
207	if !ecdsa.Verify(ecdsaKey, h.Sum(nil), ecdsaSig.R, ecdsaSig.S) {
208		return errors.New("ECDSA verification failure")
209	}
210	return nil
211}
212
213var pssOptions = rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}
214
215type rsaPSSSigner struct {
216	hash crypto.Hash
217}
218
219func (r *rsaPSSSigner) supportsKey(key crypto.PrivateKey) bool {
220	_, ok := key.(*rsa.PrivateKey)
221	return ok
222}
223
224func (r *rsaPSSSigner) signMessage(key crypto.PrivateKey, config *Config, msg []byte) ([]byte, error) {
225	rsaKey, ok := key.(*rsa.PrivateKey)
226	if !ok {
227		return nil, errors.New("invalid key type for RSA-PSS")
228	}
229
230	h := r.hash.New()
231	h.Write(msg)
232	return rsa.SignPSS(config.rand(), rsaKey, r.hash, h.Sum(nil), &pssOptions)
233}
234
235func (r *rsaPSSSigner) verifyMessage(key crypto.PublicKey, msg, sig []byte) error {
236	rsaKey, ok := key.(*rsa.PublicKey)
237	if !ok {
238		return errors.New("invalid key type for RSA-PSS")
239	}
240
241	h := r.hash.New()
242	h.Write(msg)
243	return rsa.VerifyPSS(rsaKey, r.hash, h.Sum(nil), sig, &pssOptions)
244}
245
246type ed25519Signer struct{}
247
248func (e *ed25519Signer) supportsKey(key crypto.PrivateKey) bool {
249	_, ok := key.(ed25519.PrivateKey)
250	return ok
251}
252
253func (e *ed25519Signer) signMessage(key crypto.PrivateKey, config *Config, msg []byte) ([]byte, error) {
254	privKey, ok := key.(ed25519.PrivateKey)
255	if !ok {
256		return nil, errors.New("invalid key type for Ed25519")
257	}
258
259	return ed25519.Sign(privKey, msg), nil
260}
261
262func (e *ed25519Signer) verifyMessage(key crypto.PublicKey, msg, sig []byte) error {
263	pubKey, ok := key.(ed25519.PublicKey)
264	if !ok {
265		return errors.New("invalid key type for Ed25519")
266	}
267
268	if !ed25519.Verify(pubKey, msg, sig) {
269		return errors.New("invalid Ed25519 signature")
270	}
271
272	return nil
273}
274
275func getSigner(version uint16, key interface{}, config *Config, sigAlg signatureAlgorithm, isVerify bool) (signer, error) {
276	// TLS 1.1 and below use legacy signature algorithms.
277	if version < VersionTLS12 {
278		if config.Bugs.UseLegacySigningAlgorithm == 0 || isVerify {
279			switch key.(type) {
280			case *rsa.PrivateKey, *rsa.PublicKey:
281				return &rsaPKCS1Signer{crypto.MD5SHA1}, nil
282			case *ecdsa.PrivateKey, *ecdsa.PublicKey:
283				return &ecdsaSigner{version, config, nil, crypto.SHA1}, nil
284			default:
285				return nil, errors.New("unknown key type")
286			}
287		}
288
289		// Fall through, forcing a particular algorithm.
290		sigAlg = config.Bugs.UseLegacySigningAlgorithm
291	}
292
293	switch sigAlg {
294	case signatureRSAPKCS1WithMD5:
295		if version < VersionTLS13 || config.Bugs.IgnoreSignatureVersionChecks {
296			return &rsaPKCS1Signer{crypto.MD5}, nil
297		}
298	case signatureRSAPKCS1WithSHA1:
299		if version < VersionTLS13 || config.Bugs.IgnoreSignatureVersionChecks {
300			return &rsaPKCS1Signer{crypto.SHA1}, nil
301		}
302	case signatureRSAPKCS1WithSHA256:
303		if version < VersionTLS13 || config.Bugs.IgnoreSignatureVersionChecks {
304			return &rsaPKCS1Signer{crypto.SHA256}, nil
305		}
306	case signatureRSAPKCS1WithSHA384:
307		if version < VersionTLS13 || config.Bugs.IgnoreSignatureVersionChecks {
308			return &rsaPKCS1Signer{crypto.SHA384}, nil
309		}
310	case signatureRSAPKCS1WithSHA512:
311		if version < VersionTLS13 || config.Bugs.IgnoreSignatureVersionChecks {
312			return &rsaPKCS1Signer{crypto.SHA512}, nil
313		}
314	case signatureECDSAWithSHA1:
315		return &ecdsaSigner{version, config, nil, crypto.SHA1}, nil
316	case signatureECDSAWithP256AndSHA256:
317		return &ecdsaSigner{version, config, elliptic.P256(), crypto.SHA256}, nil
318	case signatureECDSAWithP384AndSHA384:
319		return &ecdsaSigner{version, config, elliptic.P384(), crypto.SHA384}, nil
320	case signatureECDSAWithP521AndSHA512:
321		return &ecdsaSigner{version, config, elliptic.P521(), crypto.SHA512}, nil
322	case signatureRSAPSSWithSHA256:
323		return &rsaPSSSigner{crypto.SHA256}, nil
324	case signatureRSAPSSWithSHA384:
325		return &rsaPSSSigner{crypto.SHA384}, nil
326	case signatureRSAPSSWithSHA512:
327		return &rsaPSSSigner{crypto.SHA512}, nil
328	case signatureEd25519:
329		return &ed25519Signer{}, nil
330	}
331
332	return nil, fmt.Errorf("unsupported signature algorithm %04x", sigAlg)
333}
334