Validate ServerKeyExchange signature algorithm (TLS 1.2+)

- check the algorithm is in signature_algorithms (or the implicit
defaults if that extension was not sent)
- add (D)TLS test scenarios to cover these checks

Author: peterdettman

crypto/src/crypto/tls/AbstractTlsKeyExchange.cs

@@ -18,6 +18,17 @@ protected AbstractTlsKeyExchange(int keyExchange, IList supportedSignatureAlgori
             this.mSupportedSignatureAlgorithms = supportedSignatureAlgorithms;
         }
 
+        protected virtual DigitallySigned ParseSignature(Stream input)
+        {
+            DigitallySigned signature = DigitallySigned.Parse(mContext, input);
+            SignatureAndHashAlgorithm signatureAlgorithm = signature.Algorithm;
+            if (signatureAlgorithm != null)
+            {
+                TlsUtilities.VerifySupportedSignatureAlgorithm(mSupportedSignatureAlgorithms, signatureAlgorithm);
+            }
+            return signature;
+        }
+
         public virtual void Init(TlsContext context)
         {
             this.mContext = context;

crypto/src/crypto/tls/TlsDheKeyExchange.cs

@@ -71,7 +71,7 @@ public override void ProcessServerKeyExchange(Stream input)
 
             ServerDHParams dhParams = ServerDHParams.Parse(teeIn);
 
-            DigitallySigned signed_params = DigitallySigned.Parse(mContext, input);
+            DigitallySigned signed_params = ParseSignature(input);
 
             ISigner signer = InitVerifyer(mTlsSigner, signed_params.Algorithm, securityParameters);
             buf.UpdateSigner(signer);

crypto/src/crypto/tls/TlsECDheKeyExchange.cs

@@ -73,7 +73,7 @@ public override void ProcessServerKeyExchange(Stream input)
 
             byte[] point = TlsUtilities.ReadOpaque8(teeIn);
 
-            DigitallySigned signed_params = DigitallySigned.Parse(mContext, input);
+            DigitallySigned signed_params = ParseSignature(input);
 
             ISigner signer = InitVerifyer(mTlsSigner, signed_params.Algorithm, securityParameters);
             buf.UpdateSigner(signer);

crypto/src/crypto/tls/TlsSrpKeyExchange.cs

@@ -189,7 +189,7 @@ public override void ProcessServerKeyExchange(Stream input)
 
             if (buf != null)
             {
-                DigitallySigned signed_params = DigitallySigned.Parse(mContext, input);
+                DigitallySigned signed_params = ParseSignature(input);
 
                 ISigner signer = InitVerifyer(mTlsSigner, signed_params.Algorithm, securityParameters);
                 buf.UpdateSigner(signer);

crypto/test/src/crypto/tls/test/DtlsTestSuite.cs

@@ -149,6 +149,35 @@ private static void AddVersionTests(IList testSuite, ProtocolVersion version)
 
                 AddTestCase(testSuite, c, prefix + "BadMandatoryCertReqDeclined");
             }
+
+            /*
+             * Server selects MD5/RSA for ServerKeyExchange signature, which is not in the default
+             * supported signature algorithms that the client sent. We expect fatal alert from the
+             * client when it verifies the selected algorithm against the supported algorithms.
+             */
+            if (TlsUtilities.IsTlsV12(version))
+            {
+                TlsTestConfig c = CreateDtlsTestConfig(version);
+                c.serverAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.md5, SignatureAlgorithm.rsa);
+                c.ExpectClientFatalAlert(AlertDescription.illegal_parameter);
+
+                AddTestCase(testSuite, c, prefix + "BadServerKeyExchangeSigAlg");
+            }
+
+            /*
+             * Server selects MD5/RSA for ServerKeyExchange signature, which is not the default {sha1,rsa}
+             * implied by the absent signature_algorithms extension. We expect fatal alert from the
+             * client when it verifies the selected algorithm against the implicit default.
+             */
+            if (TlsUtilities.IsTlsV12(version))
+            {
+                TlsTestConfig c = CreateDtlsTestConfig(version);
+                c.clientSendSignatureAlgorithms = false;
+                c.serverAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.md5, SignatureAlgorithm.rsa);
+                c.ExpectClientFatalAlert(AlertDescription.illegal_parameter);
+
+                AddTestCaseDebug(testSuite, c, prefix + "BadServerKeyExchangeSigAlg2");
+            }
 #endif
 
             {
@@ -173,6 +202,11 @@ private static void AddVersionTests(IList testSuite, ProtocolVersion version)
         }
 
         private static void AddTestCase(IList testSuite, TlsTestConfig config, String name)
+        {
+            //testSuite.Add(new TestCaseData(config).SetName(name));
+        }
+
+        private static void AddTestCaseDebug(IList testSuite, TlsTestConfig config, String name)
         {
             testSuite.Add(new TestCaseData(config).SetName(name));
         }

crypto/test/src/crypto/tls/test/TlsTestClientImpl.cs

@@ -57,6 +57,17 @@ public override ProtocolVersion MinimumVersion
 	        }
         }
 
+        public override IDictionary GetClientExtensions()
+        {
+            IDictionary clientExtensions = base.GetClientExtensions();
+            if (clientExtensions != null && !mConfig.clientSendSignatureAlgorithms)
+            {
+                clientExtensions.Remove(ExtensionType.signature_algorithms);
+                this.mSupportedSignatureAlgorithms = null;
+            }
+            return clientExtensions;
+        }
+
         public override bool IsFallback
         {
             get { return mConfig.clientFallback; }

crypto/test/src/crypto/tls/test/TlsTestConfig.cs

@@ -74,6 +74,17 @@ public class TlsTestConfig
          */
         public bool clientFallback = false;
 
+        /**
+         * Configures whether a (TLS 1.2+) client will send the signature_algorithms extension in ClientHello.
+         */
+        public bool clientSendSignatureAlgorithms = true;
+
+        /**
+         * If not null, and TLS 1.2 or higher is negotiated, selects a fixed signature/hash algorithm to
+         * be used for the ServerKeyExchange signature (if one is sent).
+         */
+        public SignatureAndHashAlgorithm serverAuthSigAlg = null;
+
         /**
          * Configures whether the test server will send a certificate request.
          */

crypto/test/src/crypto/tls/test/TlsTestServerImpl.cs

@@ -172,15 +172,27 @@ public override void NotifyClientCertificate(Certificate clientCertificate)
             }
         }
 
+        protected virtual IList GetSupportedSignatureAlgorithms()
+        {
+            if (TlsUtilities.IsTlsV12(mContext) && mConfig.serverAuthSigAlg != null)
+            {
+                IList signatureAlgorithms = new ArrayList(1);
+                signatureAlgorithms.Add(mConfig.serverAuthSigAlg);
+                return signatureAlgorithms;
+            }
+
+            return mSupportedSignatureAlgorithms;
+        }
+
         protected override TlsSignerCredentials GetDsaSignerCredentials()
         {
-            return TlsTestUtilities.LoadSignerCredentials(mContext, mSupportedSignatureAlgorithms, SignatureAlgorithm.dsa,
+            return TlsTestUtilities.LoadSignerCredentials(mContext, GetSupportedSignatureAlgorithms(), SignatureAlgorithm.dsa,
                 "x509-server-dsa.pem", "x509-server-key-dsa.pem");
         }
 
         protected override TlsSignerCredentials GetECDsaSignerCredentials()
         {
-            return TlsTestUtilities.LoadSignerCredentials(mContext, mSupportedSignatureAlgorithms, SignatureAlgorithm.ecdsa,
+            return TlsTestUtilities.LoadSignerCredentials(mContext, GetSupportedSignatureAlgorithms(), SignatureAlgorithm.ecdsa,
                 "x509-server-ecdsa.pem", "x509-server-key-ecdsa.pem");
         }
 
@@ -192,7 +204,7 @@ protected override TlsEncryptionCredentials GetRsaEncryptionCredentials()
 
         protected override TlsSignerCredentials GetRsaSignerCredentials()
         {
-            return TlsTestUtilities.LoadSignerCredentials(mContext, mSupportedSignatureAlgorithms, SignatureAlgorithm.rsa,
+            return TlsTestUtilities.LoadSignerCredentials(mContext, GetSupportedSignatureAlgorithms(), SignatureAlgorithm.rsa,
                 "x509-server.pem", "x509-server-key.pem");
         }
 

crypto/test/src/crypto/tls/test/TlsTestSuite.cs

@@ -142,6 +142,35 @@ private static void AddVersionTests(IList testSuite, ProtocolVersion version)
                 AddTestCase(testSuite, c, prefix + "BadMandatoryCertReqDeclined");
             }
 
+            /*
+             * Server selects MD5/RSA for ServerKeyExchange signature, which is not in the default
+             * supported signature algorithms that the client sent. We expect fatal alert from the
+             * client when it verifies the selected algorithm against the supported algorithms.
+             */
+            if (TlsUtilities.IsTlsV12(version))
+            {
+                TlsTestConfig c = CreateTlsTestConfig(version);
+                c.serverAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.md5, SignatureAlgorithm.rsa);
+                c.ExpectClientFatalAlert(AlertDescription.illegal_parameter);
+
+                AddTestCase(testSuite, c, prefix + "BadServerKeyExchangeSigAlg");
+            }
+
+            /*
+             * Server selects MD5/RSA for ServerKeyExchange signature, which is not the default {sha1,rsa}
+             * implied by the absent signature_algorithms extension. We expect fatal alert from the
+             * client when it verifies the selected algorithm against the implicit default.
+             */
+            if (TlsUtilities.IsTlsV12(version))
+            {
+                TlsTestConfig c = CreateTlsTestConfig(version);
+                c.clientSendSignatureAlgorithms = false;
+                c.serverAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.md5, SignatureAlgorithm.rsa);
+                c.ExpectClientFatalAlert(AlertDescription.illegal_parameter);
+
+                AddTestCase(testSuite, c, prefix + "BadServerKeyExchangeSigAlg2");
+            }
+
             {
                 TlsTestConfig c = CreateTlsTestConfig(version);
                 c.serverCertReq = C.SERVER_CERT_REQ_NONE;