Disable RSA-PSS by default.

This change reverts 57e929f3c8c3d412639eb123382c79ff3bdc3ed3, although
it was done by hand due to conflicts.

BUG=chromium:667806

Change-Id: I17ddf2e5aa7d5129fe09cdeaf63c675091b445b0
Reviewed-on: https://boringssl-review.googlesource.com/12420
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 4ad513e..905aa3f 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -1774,20 +1774,53 @@
   }
 
   static const uint8_t kTLS12ClientHello[] = {
-      0x16, 0x03, 0x01, 0x00, 0xa2, 0x01, 0x00, 0x00, 0x9e, 0x03, 0x03, 0x00,
-      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3a, 0xcc, 0xa9,
-      0xcc, 0xa8, 0xcc, 0x14, 0xcc, 0x13, 0xc0, 0x2b, 0xc0, 0x2f, 0x00, 0x9e,
-      0xc0, 0x2c, 0xc0, 0x30, 0x00, 0x9f, 0xc0, 0x09, 0xc0, 0x23, 0xc0, 0x13,
-      0xc0, 0x27, 0x00, 0x33, 0x00, 0x67, 0xc0, 0x0a, 0xc0, 0x24, 0xc0, 0x14,
-      0xc0, 0x28, 0x00, 0x39, 0x00, 0x6b, 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f,
-      0x00, 0x3c, 0x00, 0x35, 0x00, 0x3d, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x3b,
-      0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x23, 0x00,
-      0x00, 0x00, 0x0d, 0x00, 0x18, 0x00, 0x16, 0x08, 0x06, 0x06, 0x01, 0x06,
-      0x03, 0x08, 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 0x04, 0x01, 0x04,
-      0x03, 0x02, 0x01, 0x02, 0x03, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
-      0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
+      0x16,
+      0x03, 0x01,
+      0x00, 0x9c,
+      0x01,
+      0x00, 0x00, 0x98,
+      0x03, 0x03,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00,
+      0x00, 0x3a,
+      0xcc, 0xa9,
+      0xcc, 0xa8,
+      0xcc, 0x14,
+      0xcc, 0x13,
+      0xc0, 0x2b,
+      0xc0, 0x2f,
+      0x00, 0x9e,
+      0xc0, 0x2c,
+      0xc0, 0x30,
+      0x00, 0x9f,
+      0xc0, 0x09,
+      0xc0, 0x23,
+      0xc0, 0x13,
+      0xc0, 0x27,
+      0x00, 0x33,
+      0x00, 0x67,
+      0xc0, 0x0a,
+      0xc0, 0x24,
+      0xc0, 0x14,
+      0xc0, 0x28,
+      0x00, 0x39,
+      0x00, 0x6b,
+      0x00, 0x9c,
+      0x00, 0x9d,
+      0x00, 0x2f,
+      0x00, 0x3c,
+      0x00, 0x35,
+      0x00, 0x3d,
+      0x00, 0x0a,
+      0x01, 0x00, 0x00, 0x35, 0xff, 0x01, 0x00, 0x01,
+      0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00,
+      0x12, 0x00, 0x10, 0x06, 0x01, 0x06, 0x03, 0x05, 0x01, 0x05, 0x03, 0x04,
+      0x01, 0x04, 0x03, 0x02, 0x01, 0x02, 0x03, 0x00, 0x0b, 0x00, 0x02, 0x01,
+      0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00,
+      0x18,
   };
   if (!ClientHelloMatches(TLS1_2_VERSION, kTLS12ClientHello,
                           sizeof(kTLS12ClientHello))) {
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index da446e0..d1cf3b5 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -512,24 +512,29 @@
  * customisable at some point, for now include everything we support. */
 
 static const uint16_t kDefaultSignatureAlgorithms[] = {
-    /* For now, do not ship RSA-PSS signature algorithms on Android's system
-     * BoringSSL. Once TLS 1.3 is finalized and the change in Chrome has stuck,
-     * restore them. */
-#if !defined(BORINGSSL_ANDROID_SYSTEM)
-    SSL_SIGN_RSA_PSS_SHA512,
-#endif
     SSL_SIGN_RSA_PKCS1_SHA512,
     SSL_SIGN_ECDSA_SECP521R1_SHA512,
 
-#if !defined(BORINGSSL_ANDROID_SYSTEM)
-    SSL_SIGN_RSA_PSS_SHA384,
-#endif
     SSL_SIGN_RSA_PKCS1_SHA384,
     SSL_SIGN_ECDSA_SECP384R1_SHA384,
 
-#if !defined(BORINGSSL_ANDROID_SYSTEM)
+    SSL_SIGN_RSA_PKCS1_SHA256,
+    SSL_SIGN_ECDSA_SECP256R1_SHA256,
+
+    SSL_SIGN_RSA_PKCS1_SHA1,
+    SSL_SIGN_ECDSA_SHA1,
+};
+
+static const uint16_t kDefaultTLS13SignatureAlgorithms[] = {
+    SSL_SIGN_RSA_PSS_SHA512,
+    SSL_SIGN_RSA_PKCS1_SHA512,
+    SSL_SIGN_ECDSA_SECP521R1_SHA512,
+
+    SSL_SIGN_RSA_PSS_SHA384,
+    SSL_SIGN_RSA_PKCS1_SHA384,
+    SSL_SIGN_ECDSA_SECP384R1_SHA384,
+
     SSL_SIGN_RSA_PSS_SHA256,
-#endif
     SSL_SIGN_RSA_PKCS1_SHA256,
     SSL_SIGN_ECDSA_SECP256R1_SHA256,
 
@@ -538,6 +543,21 @@
 };
 
 size_t tls12_get_psigalgs(SSL *ssl, const uint16_t **psigs) {
+  uint16_t min_version, max_version;
+  if (!ssl_get_version_range(ssl, &min_version, &max_version)) {
+    assert(0);  /* This should never happen. */
+
+    /* Return an empty list. */
+    ERR_clear_error();
+    *psigs = NULL;
+    return 0;
+  }
+
+  if (max_version >= TLS1_3_VERSION) {
+    *psigs = kDefaultTLS13SignatureAlgorithms;
+    return OPENSSL_ARRAY_SIZE(kDefaultTLS13SignatureAlgorithms);
+  }
+
   *psigs = kDefaultSignatureAlgorithms;
   return OPENSSL_ARRAY_SIZE(kDefaultSignatureAlgorithms);
 }
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index ec20947..ac11b8e 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -6484,30 +6484,33 @@
 		expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
 	})
 
-	// Test that RSA-PSS is enabled by default for TLS 1.2.
-	testCases = append(testCases, testCase{
-		testType: clientTest,
-		name:     "RSA-PSS-Default-Verify",
-		config: Config{
-			MaxVersion: VersionTLS12,
-			SignSignatureAlgorithms: []signatureAlgorithm{
-				signatureRSAPSSWithSHA256,
+	// Disabled because RSA-PSS support was removed in this branch.
+	if false {
+		// Test that RSA-PSS is enabled by default for TLS 1.2.
+		testCases = append(testCases, testCase{
+			testType: clientTest,
+			name:     "RSA-PSS-Default-Verify",
+			config: Config{
+				MaxVersion: VersionTLS12,
+				SignSignatureAlgorithms: []signatureAlgorithm{
+					signatureRSAPSSWithSHA256,
+				},
 			},
-		},
-		flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
-	})
+			flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
+		})
 
-	testCases = append(testCases, testCase{
-		testType: serverTest,
-		name:     "RSA-PSS-Default-Sign",
-		config: Config{
-			MaxVersion: VersionTLS12,
-			VerifySignatureAlgorithms: []signatureAlgorithm{
-				signatureRSAPSSWithSHA256,
+		testCases = append(testCases, testCase{
+			testType: serverTest,
+			name:     "RSA-PSS-Default-Sign",
+			config: Config{
+				MaxVersion: VersionTLS12,
+				VerifySignatureAlgorithms: []signatureAlgorithm{
+					signatureRSAPSSWithSHA256,
+				},
 			},
-		},
-		flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
-	})
+			flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
+		})
+	}
 }
 
 // timeouts is the retransmit schedule for BoringSSL. It doubles and