1 files changed, 133 insertions, 92 deletions
diff --git a/libgo/go/crypto/tls/auth.go b/libgo/go/crypto/tls/auth.go
index c62c9af..009f8d3 100644
--- a/libgo/go/crypto/tls/auth.go
+++ b/libgo/go/crypto/tls/auth.go
@@ -18,70 +18,6 @@ import (
 	"io"
 )
 
-// pickSignatureAlgorithm selects a signature algorithm that is compatible with
-// the given public key and the list of algorithms from the peer and this side.
-// The lists of signature algorithms (peerSigAlgs and ourSigAlgs) are ignored
-// for tlsVersion < VersionTLS12.
-//
-// The returned SignatureScheme codepoint is only meaningful for TLS 1.2,
-// previous TLS versions have a fixed hash function.
-func pickSignatureAlgorithm(pubkey crypto.PublicKey, peerSigAlgs, ourSigAlgs []SignatureScheme, tlsVersion uint16) (sigAlg SignatureScheme, sigType uint8, hashFunc crypto.Hash, err error) {
-	if tlsVersion < VersionTLS12 || len(peerSigAlgs) == 0 {
-		// For TLS 1.1 and before, the signature algorithm could not be
-		// negotiated and the hash is fixed based on the signature type. For TLS
-		// 1.2, if the client didn't send signature_algorithms extension then we
-		// can assume that it supports SHA1. See RFC 5246, Section 7.4.1.4.1.
-		switch pubkey.(type) {
-		case *rsa.PublicKey:
-			if tlsVersion < VersionTLS12 {
-				return 0, signaturePKCS1v15, crypto.MD5SHA1, nil
-			} else {
-				return PKCS1WithSHA1, signaturePKCS1v15, crypto.SHA1, nil
-			}
-		case *ecdsa.PublicKey:
-			return ECDSAWithSHA1, signatureECDSA, crypto.SHA1, nil
-		case ed25519.PublicKey:
-			if tlsVersion < VersionTLS12 {
-				// RFC 8422 specifies support for Ed25519 in TLS 1.0 and 1.1,
-				// but it requires holding on to a handshake transcript to do a
-				// full signature, and not even OpenSSL bothers with the
-				// complexity, so we can't even test it properly.
-				return 0, 0, 0, fmt.Errorf("tls: Ed25519 public keys are not supported before TLS 1.2")
-			}
-			return Ed25519, signatureEd25519, directSigning, nil
-		default:
-			return 0, 0, 0, fmt.Errorf("tls: unsupported public key: %T", pubkey)
-		}
-	}
-	for _, sigAlg := range peerSigAlgs {
-		if !isSupportedSignatureAlgorithm(sigAlg, ourSigAlgs) {
-			continue
-		}
-		hashAlg, err := hashFromSignatureScheme(sigAlg)
-		if err != nil {
-			panic("tls: supported signature algorithm has an unknown hash function")
-		}
-		sigType := signatureFromSignatureScheme(sigAlg)
-		switch pubkey.(type) {
-		case *rsa.PublicKey:
-			if sigType == signaturePKCS1v15 || sigType == signatureRSAPSS {
-				return sigAlg, sigType, hashAlg, nil
-			}
-		case *ecdsa.PublicKey:
-			if sigType == signatureECDSA {
-				return sigAlg, sigType, hashAlg, nil
-			}
-		case ed25519.PublicKey:
-			if sigType == signatureEd25519 {
-				return sigAlg, sigType, hashAlg, nil
-			}
-		default:
-			return 0, 0, 0, fmt.Errorf("tls: unsupported public key: %T", pubkey)
-		}
-	}
-	return 0, 0, 0, errors.New("tls: peer doesn't support any common signature algorithms")
-}
-
 // verifyHandshakeSignature verifies a signature against pre-hashed
 // (if required) handshake contents.
 func verifyHandshakeSignature(sigType uint8, pubkey crypto.PublicKey, hashFunc crypto.Hash, signed, sig []byte) error {
@@ -89,30 +25,30 @@ func verifyHandshakeSignature(sigType uint8, pubkey crypto.PublicKey, hashFunc c
 	case signatureECDSA:
 		pubKey, ok := pubkey.(*ecdsa.PublicKey)
 		if !ok {
-			return errors.New("tls: ECDSA signing requires a ECDSA public key")
+			return fmt.Errorf("expected an ECDSA public key, got %T", pubkey)
 		}
 		ecdsaSig := new(ecdsaSignature)
 		if _, err := asn1.Unmarshal(sig, ecdsaSig); err != nil {
 			return err
 		}
 		if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {
-			return errors.New("tls: ECDSA signature contained zero or negative values")
+			return errors.New("ECDSA signature contained zero or negative values")
 		}
 		if !ecdsa.Verify(pubKey, signed, ecdsaSig.R, ecdsaSig.S) {
-			return errors.New("tls: ECDSA verification failure")
+			return errors.New("ECDSA verification failure")
 		}
 	case signatureEd25519:
 		pubKey, ok := pubkey.(ed25519.PublicKey)
 		if !ok {
-			return errors.New("tls: Ed25519 signing requires a Ed25519 public key")
+			return fmt.Errorf("expected an Ed25519 public key, got %T", pubkey)
 		}
 		if !ed25519.Verify(pubKey, signed, sig) {
-			return errors.New("tls: Ed25519 verification failure")
+			return errors.New("Ed25519 verification failure")
 		}
 	case signaturePKCS1v15:
 		pubKey, ok := pubkey.(*rsa.PublicKey)
 		if !ok {
-			return errors.New("tls: RSA signing requires a RSA public key")
+			return fmt.Errorf("expected an RSA public key, got %T", pubkey)
 		}
 		if err := rsa.VerifyPKCS1v15(pubKey, hashFunc, signed, sig); err != nil {
 			return err
@@ -120,14 +56,14 @@ func verifyHandshakeSignature(sigType uint8, pubkey crypto.PublicKey, hashFunc c
 	case signatureRSAPSS:
 		pubKey, ok := pubkey.(*rsa.PublicKey)
 		if !ok {
-			return errors.New("tls: RSA signing requires a RSA public key")
+			return fmt.Errorf("expected an RSA public key, got %T", pubkey)
 		}
 		signOpts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}
 		if err := rsa.VerifyPSS(pubKey, hashFunc, signed, sig, signOpts); err != nil {
 			return err
 		}
 	default:
-		return errors.New("tls: unknown signature algorithm")
+		return errors.New("internal error: unknown signature type")
 	}
 	return nil
 }
@@ -165,59 +101,159 @@ func signedMessage(sigHash crypto.Hash, context string, transcript hash.Hash) []
 	return h.Sum(nil)
 }
 
+// typeAndHashFromSignatureScheme returns the corresponding signature type and
+// crypto.Hash for a given TLS SignatureScheme.
+func typeAndHashFromSignatureScheme(signatureAlgorithm SignatureScheme) (sigType uint8, hash crypto.Hash, err error) {
+	switch signatureAlgorithm {
+	case PKCS1WithSHA1, PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512:
+		sigType = signaturePKCS1v15
+	case PSSWithSHA256, PSSWithSHA384, PSSWithSHA512:
+		sigType = signatureRSAPSS
+	case ECDSAWithSHA1, ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512:
+		sigType = signatureECDSA
+	case Ed25519:
+		sigType = signatureEd25519
+	default:
+		return 0, 0, fmt.Errorf("unsupported signature algorithm: %#04x", signatureAlgorithm)
+	}
+	switch signatureAlgorithm {
+	case PKCS1WithSHA1, ECDSAWithSHA1:
+		hash = crypto.SHA1
+	case PKCS1WithSHA256, PSSWithSHA256, ECDSAWithP256AndSHA256:
+		hash = crypto.SHA256
+	case PKCS1WithSHA384, PSSWithSHA384, ECDSAWithP384AndSHA384:
+		hash = crypto.SHA384
+	case PKCS1WithSHA512, PSSWithSHA512, ECDSAWithP521AndSHA512:
+		hash = crypto.SHA512
+	case Ed25519:
+		hash = directSigning
+	default:
+		return 0, 0, fmt.Errorf("unsupported signature algorithm: %#04x", signatureAlgorithm)
+	}
+	return sigType, hash, nil
+}
+
+// legacyTypeAndHashFromPublicKey returns the fixed signature type and crypto.Hash for
+// a given public key used with TLS 1.0 and 1.1, before the introduction of
+// signature algorithm negotiation.
+func legacyTypeAndHashFromPublicKey(pub crypto.PublicKey) (sigType uint8, hash crypto.Hash, err error) {
+	switch pub.(type) {
+	case *rsa.PublicKey:
+		return signaturePKCS1v15, crypto.MD5SHA1, nil
+	case *ecdsa.PublicKey:
+		return signatureECDSA, crypto.SHA1, nil
+	case ed25519.PublicKey:
+		// RFC 8422 specifies support for Ed25519 in TLS 1.0 and 1.1,
+		// but it requires holding on to a handshake transcript to do a
+		// full signature, and not even OpenSSL bothers with the
+		// complexity, so we can't even test it properly.
+		return 0, 0, fmt.Errorf("tls: Ed25519 public keys are not supported before TLS 1.2")
+	default:
+		return 0, 0, fmt.Errorf("tls: unsupported public key: %T", pub)
+	}
+}
+
+var rsaSignatureSchemes = []struct {
+	scheme          SignatureScheme
+	minModulusBytes int
+	maxVersion      uint16
+}{
+	// RSA-PSS is used with PSSSaltLengthEqualsHash, and requires
+	//    emLen >= hLen + sLen + 2
+	{PSSWithSHA256, crypto.SHA256.Size()*2 + 2, VersionTLS13},
+	{PSSWithSHA384, crypto.SHA384.Size()*2 + 2, VersionTLS13},
+	{PSSWithSHA512, crypto.SHA512.Size()*2 + 2, VersionTLS13},
+	// PKCS#1 v1.5 uses prefixes from hashPrefixes in crypto/rsa, and requires
+	//    emLen >= len(prefix) + hLen + 11
+	// TLS 1.3 dropped support for PKCS#1 v1.5 in favor of RSA-PSS.
+	{PKCS1WithSHA256, 19 + crypto.SHA256.Size() + 11, VersionTLS12},
+	{PKCS1WithSHA384, 19 + crypto.SHA384.Size() + 11, VersionTLS12},
+	{PKCS1WithSHA512, 19 + crypto.SHA512.Size() + 11, VersionTLS12},
+	{PKCS1WithSHA1, 15 + crypto.SHA1.Size() + 11, VersionTLS12},
+}
+
 // signatureSchemesForCertificate returns the list of supported SignatureSchemes
-// for a given certificate, based on the public key and the protocol version.
+// for a given certificate, based on the public key and the protocol version,
+// and optionally filtered by its explicit SupportedSignatureAlgorithms.
 //
-// It does not support the crypto.Decrypter interface, so shouldn't be used for
-// server certificates in TLS 1.2 and earlier, and it must be kept in sync with
-// supportedSignatureAlgorithms.
+// This function must be kept in sync with supportedSignatureAlgorithms.
 func signatureSchemesForCertificate(version uint16, cert *Certificate) []SignatureScheme {
 	priv, ok := cert.PrivateKey.(crypto.Signer)
 	if !ok {
 		return nil
 	}
 
+	var sigAlgs []SignatureScheme
 	switch pub := priv.Public().(type) {
 	case *ecdsa.PublicKey:
 		if version != VersionTLS13 {
 			// In TLS 1.2 and earlier, ECDSA algorithms are not
 			// constrained to a single curve.
-			return []SignatureScheme{
+			sigAlgs = []SignatureScheme{
 				ECDSAWithP256AndSHA256,
 				ECDSAWithP384AndSHA384,
 				ECDSAWithP521AndSHA512,
 				ECDSAWithSHA1,
 			}
+			break
 		}
 		switch pub.Curve {
 		case elliptic.P256():
-			return []SignatureScheme{ECDSAWithP256AndSHA256}
+			sigAlgs = []SignatureScheme{ECDSAWithP256AndSHA256}
 		case elliptic.P384():
-			return []SignatureScheme{ECDSAWithP384AndSHA384}
+			sigAlgs = []SignatureScheme{ECDSAWithP384AndSHA384}
 		case elliptic.P521():
-			return []SignatureScheme{ECDSAWithP521AndSHA512}
+			sigAlgs = []SignatureScheme{ECDSAWithP521AndSHA512}
 		default:
 			return nil
 		}
 	case *rsa.PublicKey:
-		if version != VersionTLS13 {
-			return []SignatureScheme{
-				PKCS1WithSHA256,
-				PKCS1WithSHA384,
-				PKCS1WithSHA512,
-				PKCS1WithSHA1,
+		size := pub.Size()
+		sigAlgs = make([]SignatureScheme, 0, len(rsaSignatureSchemes))
+		for _, candidate := range rsaSignatureSchemes {
+			if size >= candidate.minModulusBytes && version <= candidate.maxVersion {
+				sigAlgs = append(sigAlgs, candidate.scheme)
 			}
 		}
-		return []SignatureScheme{
-			PSSWithSHA256,
-			PSSWithSHA384,
-			PSSWithSHA512,
-		}
 	case ed25519.PublicKey:
-		return []SignatureScheme{Ed25519}
+		sigAlgs = []SignatureScheme{Ed25519}
 	default:
 		return nil
 	}
+
+	if cert.SupportedSignatureAlgorithms != nil {
+		var filteredSigAlgs []SignatureScheme
+		for _, sigAlg := range sigAlgs {
+			if isSupportedSignatureAlgorithm(sigAlg, cert.SupportedSignatureAlgorithms) {
+				filteredSigAlgs = append(filteredSigAlgs, sigAlg)
+			}
+		}
+		return filteredSigAlgs
+	}
+	return sigAlgs
+}
+
+// selectSignatureScheme picks a SignatureScheme from the peer's preference list
+// that works with the selected certificate. It's only called for protocol
+// versions that support signature algorithms, so TLS 1.2 and 1.3.
+func selectSignatureScheme(vers uint16, c *Certificate, peerAlgs []SignatureScheme) (SignatureScheme, error) {
+	supportedAlgs := signatureSchemesForCertificate(vers, c)
+	if len(supportedAlgs) == 0 {
+		return 0, unsupportedCertificateError(c)
+	}
+	if len(peerAlgs) == 0 && vers == VersionTLS12 {
+		// For TLS 1.2, if the client didn't send signature_algorithms then we
+		// can assume that it supports SHA1. See RFC 5246, Section 7.4.1.4.1.
+		peerAlgs = []SignatureScheme{PKCS1WithSHA1, ECDSAWithSHA1}
+	}
+	// Pick signature scheme in the peer's preference order, as our
+	// preference order is not configurable.
+	for _, preferredAlg := range peerAlgs {
+		if isSupportedSignatureAlgorithm(preferredAlg, supportedAlgs) {
+			return preferredAlg, nil
+		}
+	}
+	return 0, errors.New("tls: peer doesn't support any of the certificate's signature algorithms")
 }
 
 // unsupportedCertificateError returns a helpful error for certificates with
@@ -247,10 +283,15 @@ func unsupportedCertificateError(cert *Certificate) error {
 			return fmt.Errorf("tls: unsupported certificate curve (%s)", pub.Curve.Params().Name)
 		}
 	case *rsa.PublicKey:
+		return fmt.Errorf("tls: certificate RSA key size too small for supported signature algorithms")
 	case ed25519.PublicKey:
 	default:
 		return fmt.Errorf("tls: unsupported certificate key (%T)", pub)
 	}
 
+	if cert.SupportedSignatureAlgorithms != nil {
+		return fmt.Errorf("tls: peer doesn't support the certificate custom signature algorithms")
+	}
+
 	return fmt.Errorf("tls: internal error: unsupported key (%T)", cert.PrivateKey)
 }