Revert "Implement rsa_pkcs1_sha256_legacy."
This reverts commit a3437c09c77bab011d0bebb8f61a6df82eb53eec. There was
a miscommunication and it does not seem like we currently need this. If
that changes later, it's in Git and we can bring it back easily.
Change-Id: Ibbce29df2258a2d893d725ab3ee6fd78c5b6cb00
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46286
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/ssl/ssl_privkey.cc b/ssl/ssl_privkey.cc
index f8e206d..e800136 100644
--- a/ssl/ssl_privkey.cc
+++ b/ssl/ssl_privkey.cc
@@ -99,46 +99,29 @@
int curve;
const EVP_MD *(*digest_func)(void);
bool is_rsa_pss;
- bool tls12_ok;
- bool tls13_ok;
} SSL_SIGNATURE_ALGORITHM;
static const SSL_SIGNATURE_ALGORITHM kSignatureAlgorithms[] = {
- // PKCS#1 v1.5 code points are only allowed in TLS 1.2.
{SSL_SIGN_RSA_PKCS1_MD5_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_md5_sha1,
- /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false},
- {SSL_SIGN_RSA_PKCS1_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_sha1,
- /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false},
- {SSL_SIGN_RSA_PKCS1_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256,
- /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false},
- {SSL_SIGN_RSA_PKCS1_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384,
- /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false},
- {SSL_SIGN_RSA_PKCS1_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512,
- /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false},
+ false},
+ {SSL_SIGN_RSA_PKCS1_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_sha1, false},
+ {SSL_SIGN_RSA_PKCS1_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256, false},
+ {SSL_SIGN_RSA_PKCS1_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384, false},
+ {SSL_SIGN_RSA_PKCS1_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512, false},
- // Legacy PKCS#1 v1.5 code points are only allowed in TLS 1.3. See
- // draft-davidben-tls13-pkcs1-00.
- {SSL_SIGN_RSA_PKCS1_SHA256_LEGACY, EVP_PKEY_RSA, NID_undef, &EVP_sha256,
- /*is_rsa_pss=*/false, /*tls12_ok=*/false, /*tls13_ok=*/true},
+ {SSL_SIGN_RSA_PSS_RSAE_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256, true},
+ {SSL_SIGN_RSA_PSS_RSAE_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384, true},
+ {SSL_SIGN_RSA_PSS_RSAE_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512, true},
- {SSL_SIGN_RSA_PSS_RSAE_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256,
- /*is_rsa_pss=*/true, /*tls12_ok=*/true, /*tls13_ok=*/true},
- {SSL_SIGN_RSA_PSS_RSAE_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384,
- /*is_rsa_pss=*/true, /*tls12_ok=*/true, /*tls13_ok=*/true},
- {SSL_SIGN_RSA_PSS_RSAE_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512,
- /*is_rsa_pss=*/true, /*tls12_ok=*/true, /*tls13_ok=*/true},
-
- {SSL_SIGN_ECDSA_SHA1, EVP_PKEY_EC, NID_undef, &EVP_sha1,
- /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false},
+ {SSL_SIGN_ECDSA_SHA1, EVP_PKEY_EC, NID_undef, &EVP_sha1, false},
{SSL_SIGN_ECDSA_SECP256R1_SHA256, EVP_PKEY_EC, NID_X9_62_prime256v1,
- &EVP_sha256, /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true},
+ &EVP_sha256, false},
{SSL_SIGN_ECDSA_SECP384R1_SHA384, EVP_PKEY_EC, NID_secp384r1, &EVP_sha384,
- /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true},
+ false},
{SSL_SIGN_ECDSA_SECP521R1_SHA512, EVP_PKEY_EC, NID_secp521r1, &EVP_sha512,
- /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true},
+ false},
- {SSL_SIGN_ED25519, EVP_PKEY_ED25519, NID_undef, nullptr,
- /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true},
+ {SSL_SIGN_ED25519, EVP_PKEY_ED25519, NID_undef, nullptr, false},
};
static const SSL_SIGNATURE_ALGORITHM *get_signature_algorithm(uint16_t sigalg) {
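Review bot: The last field of every kSignatureAlgorithms entry is back to a bare positional `false`/`true`, and with the table's "PKCS#1 v1.5 code points are only allowed in TLS 1.2" comment also gone, a reader now has to find pkey_supports_algorithm to learn where version gating happens. Keeping the parameter-name annotation the removed lines used, e.g. `{SSL_SIGN_RSA_PKCS1_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256, /*is_rsa_pss=*/false},`, costs nothing in a revert and keeps the PSS distinction visible at the point of definition. A one-line comment above the table such as `// TLS-version restrictions (e.g. no PKCS#1 v1.5 under TLS 1.3) are enforced in pkey_supports_algorithm, not in this table.` would preserve the pointer the removed comment gave. The SSL_SIGNATURE_ALGORITHM struct this table initializes starts before the hunk.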
@@ -161,7 +144,7 @@
}
static bool pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
- uint16_t sigalg, bool is_verify) {
+ uint16_t sigalg) {
const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
if (alg == NULL ||
EVP_PKEY_id(pkey) != alg->pkey_type) {
@@ -169,14 +152,8 @@
}
if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
- if (!alg->tls13_ok) {
- return false;
- }
-
- // Legacy PKCS#1 v1.5 code points for TLS 1.3 are client-only. See
- // draft-davidben-tls13-pkcs1-00.
- bool is_client_sign = ssl->server == is_verify;
- if (alg->pkey_type == EVP_PKEY_RSA && !alg->is_rsa_pss && !is_client_sign) {
+ // RSA keys may only be used with RSA-PSS.
+ if (alg->pkey_type == EVP_PKEY_RSA && !alg->is_rsa_pss) {
return false;
}
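Review bot: The restored comment `// RSA keys may only be used with RSA-PSS.` on the TLS 1.3 branch states the rule but not its source, and since the tls13_ok table field is gone this branch is now the only place PKCS#1 v1.5 is excluded from TLS 1.3. Citing the specification would help whoever is next asked to re-add a legacy code point: `// RSA keys may only be used with RSA-PSS. TLS 1.3 does not define RSASSA-PKCS1-v1_5 for handshake signatures (RFC 8446, section 4.2.3).` With is_verify removed the check no longer depends on the peer role, so it applies equally to signing and verifying on client and server, which appears to be the intent of the revert. pkey_supports_algorithm starts and ends outside this hunk.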
@@ -187,8 +164,6 @@
EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey))) != alg->curve)) {
return false;
}
- } else if (!alg->tls12_ok) {
- return false;
}
return true;
@@ -196,7 +171,7 @@
static bool setup_ctx(SSL *ssl, EVP_MD_CTX *ctx, EVP_PKEY *pkey,
uint16_t sigalg, bool is_verify) {
- if (!pkey_supports_algorithm(ssl, pkey, sigalg, is_verify)) {
+ if (!pkey_supports_algorithm(ssl, pkey, sigalg)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
return false;
}
@@ -313,8 +288,7 @@
bool ssl_private_key_supports_signature_algorithm(SSL_HANDSHAKE *hs,
uint16_t sigalg) {
SSL *const ssl = hs->ssl;
- if (!pkey_supports_algorithm(ssl, hs->local_pubkey.get(), sigalg,
- /*is_verify=*/false)) {
+ if (!pkey_supports_algorithm(ssl, hs->local_pubkey.get(), sigalg)) {
return false;
}