Enable RSA-PSS in TLS 1.2 by default.
Add a test that RSA-PSS is available in TLS 1.2 by default, both for
signing and verifying. Note that if a custom SSL_PRIVATE_KEY_METHOD is
used and it sets signing preferences, it won't use RSA-PSS if it doesn't
know about it. (See *-Sign-Negotiate-* tests.)
Change-Id: I3776a0c95480188a135795f7ebf31f2b0e0626cc
Reviewed-on: https://boringssl-review.googlesource.com/10723
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 3f9c898..1bf0b24 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -1788,53 +1788,20 @@
}
static const uint8_t kTLS12ClientHello[] = {
- 0x16,
- 0x03, 0x01,
- 0x00, 0x9c,
- 0x01,
- 0x00, 0x00, 0x98,
- 0x03, 0x03,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00,
- 0x00, 0x3a,
- 0xcc, 0xa9,
- 0xcc, 0xa8,
- 0xcc, 0x14,
- 0xcc, 0x13,
- 0xc0, 0x2b,
- 0xc0, 0x2f,
- 0x00, 0x9e,
- 0xc0, 0x2c,
- 0xc0, 0x30,
- 0x00, 0x9f,
- 0xc0, 0x09,
- 0xc0, 0x23,
- 0xc0, 0x13,
- 0xc0, 0x27,
- 0x00, 0x33,
- 0x00, 0x67,
- 0xc0, 0x0a,
- 0xc0, 0x24,
- 0xc0, 0x14,
- 0xc0, 0x28,
- 0x00, 0x39,
- 0x00, 0x6b,
- 0x00, 0x9c,
- 0x00, 0x9d,
- 0x00, 0x2f,
- 0x00, 0x3c,
- 0x00, 0x35,
- 0x00, 0x3d,
- 0x00, 0x0a,
- 0x01, 0x00, 0x00, 0x35, 0xff, 0x01, 0x00, 0x01,
- 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00,
- 0x12, 0x00, 0x10, 0x06, 0x01, 0x06, 0x03, 0x05, 0x01, 0x05, 0x03, 0x04,
- 0x01, 0x04, 0x03, 0x02, 0x01, 0x02, 0x03, 0x00, 0x0b, 0x00, 0x02, 0x01,
- 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00,
- 0x18,
+ 0x16, 0x03, 0x01, 0x00, 0xa2, 0x01, 0x00, 0x00, 0x9e, 0x03, 0x03, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3a, 0xcc, 0xa9,
+ 0xcc, 0xa8, 0xcc, 0x14, 0xcc, 0x13, 0xc0, 0x2b, 0xc0, 0x2f, 0x00, 0x9e,
+ 0xc0, 0x2c, 0xc0, 0x30, 0x00, 0x9f, 0xc0, 0x09, 0xc0, 0x23, 0xc0, 0x13,
+ 0xc0, 0x27, 0x00, 0x33, 0x00, 0x67, 0xc0, 0x0a, 0xc0, 0x24, 0xc0, 0x14,
+ 0xc0, 0x28, 0x00, 0x39, 0x00, 0x6b, 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f,
+ 0x00, 0x3c, 0x00, 0x35, 0x00, 0x3d, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x3b,
+ 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x23, 0x00,
+ 0x00, 0x00, 0x0d, 0x00, 0x18, 0x00, 0x16, 0x07, 0x02, 0x06, 0x01, 0x06,
+ 0x03, 0x07, 0x01, 0x05, 0x01, 0x05, 0x03, 0x07, 0x00, 0x04, 0x01, 0x04,
+ 0x03, 0x02, 0x01, 0x02, 0x03, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
+ 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
};
if (!ClientHelloMatches(TLS1_2_VERSION, kTLS12ClientHello,
sizeof(kTLS12ClientHello))) {
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index e550796..0cdcb39 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -513,29 +513,24 @@
* customisable at some point, for now include everything we support. */
static const uint16_t kDefaultSignatureAlgorithms[] = {
- SSL_SIGN_RSA_PKCS1_SHA512,
- SSL_SIGN_ECDSA_SECP521R1_SHA512,
-
- SSL_SIGN_RSA_PKCS1_SHA384,
- SSL_SIGN_ECDSA_SECP384R1_SHA384,
-
- SSL_SIGN_RSA_PKCS1_SHA256,
- SSL_SIGN_ECDSA_SECP256R1_SHA256,
-
- SSL_SIGN_RSA_PKCS1_SHA1,
- SSL_SIGN_ECDSA_SHA1,
-};
-
-static const uint16_t kDefaultTLS13SignatureAlgorithms[] = {
+ /* For now, do not ship RSA-PSS signature algorithms on Android's system
+ * BoringSSL. Once TLS 1.3 is finalized and the change in Chrome has stuck,
+ * restore them. */
+#if !defined(BORINGSSL_ANDROID_SYSTEM)
SSL_SIGN_RSA_PSS_SHA512,
+#endif
SSL_SIGN_RSA_PKCS1_SHA512,
SSL_SIGN_ECDSA_SECP521R1_SHA512,
+#if !defined(BORINGSSL_ANDROID_SYSTEM)
SSL_SIGN_RSA_PSS_SHA384,
+#endif
SSL_SIGN_RSA_PKCS1_SHA384,
SSL_SIGN_ECDSA_SECP384R1_SHA384,
+#if !defined(BORINGSSL_ANDROID_SYSTEM)
SSL_SIGN_RSA_PSS_SHA256,
+#endif
SSL_SIGN_RSA_PKCS1_SHA256,
SSL_SIGN_ECDSA_SECP256R1_SHA256,
@@ -544,25 +539,6 @@
};
size_t tls12_get_psigalgs(SSL *ssl, const uint16_t **psigs) {
- uint16_t min_version, max_version;
- if (!ssl_get_version_range(ssl, &min_version, &max_version)) {
- assert(0); /* This should never happen. */
-
- /* Return an empty list. */
- ERR_clear_error();
- *psigs = NULL;
- return 0;
- }
-
- /* TODO(davidben): Once TLS 1.3 has finalized, probably just advertise the
- * same algorithm list regardless, as long as no fallback is needed. Note this
- * may require care due to lingering NSS servers affected by
- * https://bugzilla.mozilla.org/show_bug.cgi?id=1119983 */
- if (max_version >= TLS1_3_VERSION) {
- *psigs = kDefaultTLS13SignatureAlgorithms;
- return OPENSSL_ARRAY_SIZE(kDefaultTLS13SignatureAlgorithms);
- }
-
*psigs = kDefaultSignatureAlgorithms;
return OPENSSL_ARRAY_SIZE(kDefaultSignatureAlgorithms);
}
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index f1643c3..742fb9e 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -6305,6 +6305,31 @@
shouldFail: true,
expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
})
+
+ // Test that RSA-PSS is enabled by default for TLS 1.2.
+ testCases = append(testCases, testCase{
+ testType: clientTest,
+ name: "RSA-PSS-Default-Verify",
+ config: Config{
+ MaxVersion: VersionTLS12,
+ SignSignatureAlgorithms: []signatureAlgorithm{
+ signatureRSAPSSWithSHA256,
+ },
+ },
+ flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
+ })
+
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "RSA-PSS-Default-Sign",
+ config: Config{
+ MaxVersion: VersionTLS12,
+ VerifySignatureAlgorithms: []signatureAlgorithm{
+ signatureRSAPSSWithSHA256,
+ },
+ },
+ flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
+ })
}
// timeouts is the retransmit schedule for BoringSSL. It doubles and
