Don't fall back to SHA-1 in TLS 1.3, only TLS 1.2.

TLS 1.3 also forbids signing SHA-1 digests, but this will be done as a
consequence of forbidding PKCS#1 in 1.3 altogether (rsa_sign_sha1) and
requiring a curve match in ECDSA (ecdsa_sha1).

Change-Id: I665971139ccef9e270fd5796c5e6a814a8f663b1
Reviewed-on: https://boringssl-review.googlesource.com/8696
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 2b9402d..2e0c227 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2608,7 +2608,7 @@
 
   const uint16_t *peer_sigalgs = cert->peer_sigalgs;
   size_t peer_sigalgs_len = cert->peer_sigalgslen;
-  if (peer_sigalgs_len == 0) {
+  if (peer_sigalgs_len == 0 && ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
     /* If the client didn't specify any signature_algorithms extension then
      * we can assume that it supports SHA1. See
      * http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
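Review bot: The comment directly below the new condition still reads as if the SHA-1 assumption applied unconditionally, citing only RFC 5246, while the condition now skips the fallback for TLS 1.3; a reader of the comment alone will not see why. I would extend it with a line such as `* TLS 1.3 requires signature_algorithms, so no fallback applies there; a peer that omits it ends up with no common algorithm.` so the version gate is documented next to the rationale it narrows. The TLS 1.3 outcome itself (presumably the NO_COMMON_SIGNATURE_ALGORITHMS error the runner tests expect) is decided by code after this hunk, and the enclosing function begins and ends outside it.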
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 5d5facf..7c0e38b 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -4794,9 +4794,8 @@
 		expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
 	})
 
-	// Test that, if the list is missing, the peer falls back to SHA-1.
-	//
-	// TODO(davidben): Test this does not happen in TLS 1.3.
+	// Test that, if the list is missing, the peer falls back to SHA-1 in
+	// TLS 1.2, but not TLS 1.3.
 	testCases = append(testCases, testCase{
 		name: "SigningHash-ClientAuth-Fallback",
 		config: Config{
@@ -4830,6 +4829,43 @@
 		},
 	})
 
+	testCases = append(testCases, testCase{
+		name: "SigningHash-ClientAuth-Fallback-TLS13",
+		config: Config{
+			MaxVersion: VersionTLS13,
+			ClientAuth: RequireAnyClientCert,
+			SignatureAlgorithms: []signatureAlgorithm{
+				signatureRSAPKCS1WithSHA1,
+			},
+			Bugs: ProtocolBugs{
+				NoSignatureAlgorithms: true,
+			},
+		},
+		flags: []string{
+			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
+			"-key-file", path.Join(*resourceDir, rsaKeyFile),
+		},
+		shouldFail:    true,
+		expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
+	})
+
+	testCases = append(testCases, testCase{
+		testType: serverTest,
+		name:     "SigningHash-ServerKeyExchange-Fallback-TLS13",
+		config: Config{
+			MaxVersion:   VersionTLS13,
+			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+			SignatureAlgorithms: []signatureAlgorithm{
+				signatureRSAPKCS1WithSHA1,
+			},
+			Bugs: ProtocolBugs{
+				NoSignatureAlgorithms: true,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
+	})
+
 	// Test that hash preferences are enforced. BoringSSL defaults to
 	// rejecting MD5 signatures.
 	testCases = append(testCases, testCase{
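Review bot: The second new test case is named "SigningHash-ServerKeyExchange-Fallback-TLS13", but TLS 1.3 has no ServerKeyExchange message; the server's signature that this case exercises is carried in CertificateVerify, so the name appears to have been copied from the TLS 1.2 sibling and will mislead anyone grepping by message name. I would either rename it, e.g. `name:     "SigningHash-ServerCertificateVerify-Fallback-TLS13",`, or add a comment above the literal, `// In TLS 1.3 the server signs in CertificateVerify; there is no ServerKeyExchange.`. A one-line comment above the first new case stating what both cases pin down (omitting signature_algorithms must not silently re-enable SHA-1 in TLS 1.3, hence the `:NO_COMMON_SIGNATURE_ALGORITHMS:` expectation) would also help, since the explanatory comment for this family sits several hunks earlier.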