1// Copyright 2016 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package runner 6 7import ( 8 "crypto" 9 "crypto/ecdsa" 10 "crypto/elliptic" 11 "crypto/md5" 12 "crypto/rsa" 13 "crypto/sha1" 14 _ "crypto/sha256" 15 _ "crypto/sha512" 16 "encoding/asn1" 17 "errors" 18 "fmt" 19 "math/big" 20 21 "boringssl.googlesource.com/boringssl/ssl/test/runner/ed25519" 22) 23 24type signer interface { 25 supportsKey(key crypto.PrivateKey) bool 26 signMessage(key crypto.PrivateKey, config *Config, msg []byte) ([]byte, error) 27 verifyMessage(key crypto.PublicKey, msg, sig []byte) error 28} 29 30func selectSignatureAlgorithm(version uint16, key crypto.PrivateKey, config *Config, peerSigAlgs []signatureAlgorithm) (signatureAlgorithm, error) { 31 // If the client didn't specify any signature_algorithms extension then 32 // we can assume that it supports SHA1. See 33 // http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 34 if len(peerSigAlgs) == 0 { 35 peerSigAlgs = []signatureAlgorithm{signatureRSAPKCS1WithSHA1, signatureECDSAWithSHA1} 36 } 37 38 for _, sigAlg := range config.signSignatureAlgorithms() { 39 if !isSupportedSignatureAlgorithm(sigAlg, peerSigAlgs) { 40 continue 41 } 42 43 signer, err := getSigner(version, key, config, sigAlg, false) 44 if err != nil { 45 continue 46 } 47 48 if signer.supportsKey(key) { 49 return sigAlg, nil 50 } 51 } 52 return 0, errors.New("tls: no common signature algorithms") 53} 54 55func signMessage(version uint16, key crypto.PrivateKey, config *Config, sigAlg signatureAlgorithm, msg []byte) ([]byte, error) { 56 if config.Bugs.InvalidSignature { 57 newMsg := make([]byte, len(msg)) 58 copy(newMsg, msg) 59 newMsg[0] ^= 0x80 60 msg = newMsg 61 } 62 63 signer, err := getSigner(version, key, config, sigAlg, false) 64 if err != nil { 65 return nil, err 66 } 67 68 return signer.signMessage(key, config, msg) 69} 70 71func verifyMessage(version uint16, key crypto.PublicKey, config *Config, sigAlg signatureAlgorithm, msg, sig []byte) error { 72 if version >= VersionTLS12 && !isSupportedSignatureAlgorithm(sigAlg, config.verifySignatureAlgorithms()) { 73 return errors.New("tls: unsupported signature algorithm") 74 } 75 76 signer, err := getSigner(version, key, config, sigAlg, true) 77 if err != nil { 78 return err 79 } 80 81 return signer.verifyMessage(key, msg, sig) 82} 83 84type rsaPKCS1Signer struct { 85 hash crypto.Hash 86} 87 88func (r *rsaPKCS1Signer) computeHash(msg []byte) []byte { 89 if r.hash == crypto.MD5SHA1 { 90 // crypto.MD5SHA1 is not a real hash function. 91 hashMD5 := md5.New() 92 hashMD5.Write(msg) 93 hashSHA1 := sha1.New() 94 hashSHA1.Write(msg) 95 return hashSHA1.Sum(hashMD5.Sum(nil)) 96 } 97 98 h := r.hash.New() 99 h.Write(msg) 100 return h.Sum(nil) 101} 102 103func (r *rsaPKCS1Signer) supportsKey(key crypto.PrivateKey) bool { 104 _, ok := key.(*rsa.PrivateKey) 105 return ok 106} 107 108func (r *rsaPKCS1Signer) signMessage(key crypto.PrivateKey, config *Config, msg []byte) ([]byte, error) { 109 rsaKey, ok := key.(*rsa.PrivateKey) 110 if !ok { 111 return nil, errors.New("invalid key type for RSA-PKCS1") 112 } 113 114 return rsa.SignPKCS1v15(config.rand(), rsaKey, r.hash, r.computeHash(msg)) 115} 116 117func (r *rsaPKCS1Signer) verifyMessage(key crypto.PublicKey, msg, sig []byte) error { 118 rsaKey, ok := key.(*rsa.PublicKey) 119 if !ok { 120 return errors.New("invalid key type for RSA-PKCS1") 121 } 122 123 return rsa.VerifyPKCS1v15(rsaKey, r.hash, r.computeHash(msg), sig) 124} 125 126type ecdsaSigner struct { 127 version uint16 128 config *Config 129 curve elliptic.Curve 130 hash crypto.Hash 131} 132 133func (e *ecdsaSigner) isCurveValid(curve elliptic.Curve) bool { 134 if e.config.Bugs.SkipECDSACurveCheck { 135 return true 136 } 137 if e.version <= VersionTLS12 { 138 return true 139 } 140 return e.curve != nil && curve == e.curve 141} 142 143func (e *ecdsaSigner) supportsKey(key crypto.PrivateKey) bool { 144 ecdsaKey, ok := key.(*ecdsa.PrivateKey) 145 return ok && e.isCurveValid(ecdsaKey.Curve) 146} 147 148func maybeCorruptECDSAValue(n *big.Int, typeOfCorruption BadValue, limit *big.Int) *big.Int { 149 switch typeOfCorruption { 150 case BadValueNone: 151 return n 152 case BadValueNegative: 153 return new(big.Int).Neg(n) 154 case BadValueZero: 155 return big.NewInt(0) 156 case BadValueLimit: 157 return limit 158 case BadValueLarge: 159 bad := new(big.Int).Set(limit) 160 return bad.Lsh(bad, 20) 161 default: 162 panic("unknown BadValue type") 163 } 164} 165 166func (e *ecdsaSigner) signMessage(key crypto.PrivateKey, config *Config, msg []byte) ([]byte, error) { 167 ecdsaKey, ok := key.(*ecdsa.PrivateKey) 168 if !ok { 169 return nil, errors.New("invalid key type for ECDSA") 170 } 171 if !e.isCurveValid(ecdsaKey.Curve) { 172 return nil, errors.New("invalid curve for ECDSA") 173 } 174 175 h := e.hash.New() 176 h.Write(msg) 177 digest := h.Sum(nil) 178 179 r, s, err := ecdsa.Sign(config.rand(), ecdsaKey, digest) 180 if err != nil { 181 return nil, errors.New("failed to sign ECDHE parameters: " + err.Error()) 182 } 183 order := ecdsaKey.Curve.Params().N 184 r = maybeCorruptECDSAValue(r, config.Bugs.BadECDSAR, order) 185 s = maybeCorruptECDSAValue(s, config.Bugs.BadECDSAS, order) 186 return asn1.Marshal(ecdsaSignature{r, s}) 187} 188 189func (e *ecdsaSigner) verifyMessage(key crypto.PublicKey, msg, sig []byte) error { 190 ecdsaKey, ok := key.(*ecdsa.PublicKey) 191 if !ok { 192 return errors.New("invalid key type for ECDSA") 193 } 194 if !e.isCurveValid(ecdsaKey.Curve) { 195 return errors.New("invalid curve for ECDSA") 196 } 197 198 ecdsaSig := new(ecdsaSignature) 199 if _, err := asn1.Unmarshal(sig, ecdsaSig); err != nil { 200 return err 201 } 202 if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 { 203 return errors.New("ECDSA signature contained zero or negative values") 204 } 205 206 h := e.hash.New() 207 h.Write(msg) 208 if !ecdsa.Verify(ecdsaKey, h.Sum(nil), ecdsaSig.R, ecdsaSig.S) { 209 return errors.New("ECDSA verification failure") 210 } 211 return nil 212} 213 214var pssOptions = rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash} 215 216type rsaPSSSigner struct { 217 hash crypto.Hash 218} 219 220func (r *rsaPSSSigner) supportsKey(key crypto.PrivateKey) bool { 221 _, ok := key.(*rsa.PrivateKey) 222 return ok 223} 224 225func (r *rsaPSSSigner) signMessage(key crypto.PrivateKey, config *Config, msg []byte) ([]byte, error) { 226 rsaKey, ok := key.(*rsa.PrivateKey) 227 if !ok { 228 return nil, errors.New("invalid key type for RSA-PSS") 229 } 230 231 h := r.hash.New() 232 h.Write(msg) 233 return rsa.SignPSS(config.rand(), rsaKey, r.hash, h.Sum(nil), &pssOptions) 234} 235 236func (r *rsaPSSSigner) verifyMessage(key crypto.PublicKey, msg, sig []byte) error { 237 rsaKey, ok := key.(*rsa.PublicKey) 238 if !ok { 239 return errors.New("invalid key type for RSA-PSS") 240 } 241 242 h := r.hash.New() 243 h.Write(msg) 244 return rsa.VerifyPSS(rsaKey, r.hash, h.Sum(nil), sig, &pssOptions) 245} 246 247type ed25519Signer struct{} 248 249func (e *ed25519Signer) supportsKey(key crypto.PrivateKey) bool { 250 _, ok := key.(ed25519.PrivateKey) 251 return ok 252} 253 254func (e *ed25519Signer) signMessage(key crypto.PrivateKey, config *Config, msg []byte) ([]byte, error) { 255 privKey, ok := key.(ed25519.PrivateKey) 256 if !ok { 257 return nil, errors.New("invalid key type for Ed25519") 258 } 259 260 return ed25519.Sign(privKey, msg), nil 261} 262 263func (e *ed25519Signer) verifyMessage(key crypto.PublicKey, msg, sig []byte) error { 264 pubKey, ok := key.(ed25519.PublicKey) 265 if !ok { 266 return errors.New("invalid key type for Ed25519") 267 } 268 269 if !ed25519.Verify(pubKey, msg, sig) { 270 return errors.New("invalid Ed25519 signature") 271 } 272 273 return nil 274} 275 276func getSigner(version uint16, key interface{}, config *Config, sigAlg signatureAlgorithm, isVerify bool) (signer, error) { 277 // TLS 1.1 and below use legacy signature algorithms. 278 if version < VersionTLS12 { 279 if config.Bugs.UseLegacySigningAlgorithm == 0 || isVerify { 280 switch key.(type) { 281 case *rsa.PrivateKey, *rsa.PublicKey: 282 return &rsaPKCS1Signer{crypto.MD5SHA1}, nil 283 case *ecdsa.PrivateKey, *ecdsa.PublicKey: 284 return &ecdsaSigner{version, config, nil, crypto.SHA1}, nil 285 default: 286 return nil, errors.New("unknown key type") 287 } 288 } 289 290 // Fall through, forcing a particular algorithm. 291 sigAlg = config.Bugs.UseLegacySigningAlgorithm 292 } 293 294 switch sigAlg { 295 case signatureRSAPKCS1WithMD5: 296 if version < VersionTLS13 || config.Bugs.IgnoreSignatureVersionChecks { 297 return &rsaPKCS1Signer{crypto.MD5}, nil 298 } 299 case signatureRSAPKCS1WithSHA1: 300 if version < VersionTLS13 || config.Bugs.IgnoreSignatureVersionChecks { 301 return &rsaPKCS1Signer{crypto.SHA1}, nil 302 } 303 case signatureRSAPKCS1WithSHA256: 304 if version < VersionTLS13 || config.Bugs.IgnoreSignatureVersionChecks { 305 return &rsaPKCS1Signer{crypto.SHA256}, nil 306 } 307 case signatureRSAPKCS1WithSHA384: 308 if version < VersionTLS13 || config.Bugs.IgnoreSignatureVersionChecks { 309 return &rsaPKCS1Signer{crypto.SHA384}, nil 310 } 311 case signatureRSAPKCS1WithSHA512: 312 if version < VersionTLS13 || config.Bugs.IgnoreSignatureVersionChecks { 313 return &rsaPKCS1Signer{crypto.SHA512}, nil 314 } 315 case signatureECDSAWithSHA1: 316 return &ecdsaSigner{version, config, nil, crypto.SHA1}, nil 317 case signatureECDSAWithP256AndSHA256: 318 return &ecdsaSigner{version, config, elliptic.P256(), crypto.SHA256}, nil 319 case signatureECDSAWithP384AndSHA384: 320 return &ecdsaSigner{version, config, elliptic.P384(), crypto.SHA384}, nil 321 case signatureECDSAWithP521AndSHA512: 322 return &ecdsaSigner{version, config, elliptic.P521(), crypto.SHA512}, nil 323 case signatureRSAPSSWithSHA256: 324 return &rsaPSSSigner{crypto.SHA256}, nil 325 case signatureRSAPSSWithSHA384: 326 return &rsaPSSSigner{crypto.SHA384}, nil 327 case signatureRSAPSSWithSHA512: 328 return &rsaPSSSigner{crypto.SHA512}, nil 329 case signatureEd25519: 330 return &ed25519Signer{}, nil 331 } 332 333 return nil, fmt.Errorf("unsupported signature algorithm %04x", sigAlg) 334} 335