Forbid PKCS1 in TLS 1.3.

BUG=84

Change-Id: Ie5eaefddd161488996033de28c0ebd1064bb793d
Reviewed-on: https://boringssl-review.googlesource.com/10484
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index c06207f..a34d1e2 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -653,7 +653,8 @@
   }
 
   const EVP_MD *md;
-  if (is_rsa_pkcs1(&md, signature_algorithm)) {
+  if (is_rsa_pkcs1(&md, signature_algorithm) &&
+      ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
     return ssl_sign_rsa_pkcs1(ssl, out, out_len, max_out, md, in, in_len)
                ? ssl_private_key_success
                : ssl_private_key_failure;
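Review bot: The two-part test `is_rsa_pkcs1(&md, signature_algorithm) && ssl3_protocol_version(ssl) < TLS1_3_VERSION` is now repeated at three sites: this signing hunk, the verify hunk at -681 and ssl_private_key_supports_signature_algorithm at -735. A later edit that updates one and misses another would leave signing, verifying and advertising out of step. Consider folding the version test into a single static helper that takes `ssl`, and have all three sites call it. Also, `md` has presumably already been set by is_rsa_pkcs1 when the version test fails; that is harmless only if the later branches, which are outside this hunk, reassign it before use.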
@@ -681,7 +682,8 @@
                           size_t signature_len, uint16_t signature_algorithm,
                           EVP_PKEY *pkey, const uint8_t *in, size_t in_len) {
   const EVP_MD *md;
-  if (is_rsa_pkcs1(&md, signature_algorithm)) {
+  if (is_rsa_pkcs1(&md, signature_algorithm) &&
+      ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
     return ssl_verify_rsa_pkcs1(ssl, signature, signature_len, md, pkey, in,
                                 in_len);
   }
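Review bot: On the verify path the TLS 1.3 rejection of a peer-chosen PKCS1 algorithm is implicit. The branch is skipped, and the result depends on the rest of the function, which is outside this hunk, matching no other algorithm and returning failure. A comment at the condition would make the fail-closed intent explicit, for example `/* RSASSA-PKCS1-v1_5 is not permitted for TLS 1.3 handshake signatures; fall through so it is rejected as unsupported. */`. If this function is only used for handshake signatures, as it appears to be, the comment should also say that signatures inside certificates are not affected.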
@@ -735,7 +737,8 @@
 int ssl_private_key_supports_signature_algorithm(SSL *ssl,
                                                  uint16_t signature_algorithm) {
   const EVP_MD *md;
-  if (is_rsa_pkcs1(&md, signature_algorithm)) {
+  if (is_rsa_pkcs1(&md, signature_algorithm) &&
+      ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
     return ssl_private_key_type(ssl) == NID_rsaEncryption;
   }
 
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 8221286..3e4ba2e 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -5484,6 +5484,10 @@
 			if ver.version == VersionTLS12 && hasComponent(alg.name, "PSS") {
 				shouldFail = true
 			}
+			// RSA-PKCS1 does not exist in TLS 1.3.
+			if ver.version == VersionTLS13 && hasComponent(alg.name, "PKCS1") {
+				shouldFail = true
+			}
 
 			var signError, verifyError string
 			if shouldFail {
diff --git a/ssl/test/runner/sign.go b/ssl/test/runner/sign.go
index 1674c4a..77ceb79 100644
--- a/ssl/test/runner/sign.go
+++ b/ssl/test/runner/sign.go
@@ -258,15 +258,25 @@
 	// TODO(davidben): Forbid RSASSA-PKCS1-v1_5 in TLS 1.3.
 	switch sigAlg {
 	case signatureRSAPKCS1WithMD5:
-		return &rsaPKCS1Signer{crypto.MD5}, nil
+		if version < VersionTLS13 || config.Bugs.IgnoreSignatureVersionChecks {
+			return &rsaPKCS1Signer{crypto.MD5}, nil
+		}
 	case signatureRSAPKCS1WithSHA1:
-		return &rsaPKCS1Signer{crypto.SHA1}, nil
+		if version < VersionTLS13 || config.Bugs.IgnoreSignatureVersionChecks {
+			return &rsaPKCS1Signer{crypto.SHA1}, nil
+		}
 	case signatureRSAPKCS1WithSHA256:
-		return &rsaPKCS1Signer{crypto.SHA256}, nil
+		if version < VersionTLS13 || config.Bugs.IgnoreSignatureVersionChecks {
+			return &rsaPKCS1Signer{crypto.SHA256}, nil
+		}
 	case signatureRSAPKCS1WithSHA384:
-		return &rsaPKCS1Signer{crypto.SHA384}, nil
+		if version < VersionTLS13 || config.Bugs.IgnoreSignatureVersionChecks {
+			return &rsaPKCS1Signer{crypto.SHA384}, nil
+		}
 	case signatureRSAPKCS1WithSHA512:
-		return &rsaPKCS1Signer{crypto.SHA512}, nil
+		if version < VersionTLS13 || config.Bugs.IgnoreSignatureVersionChecks {
+			return &rsaPKCS1Signer{crypto.SHA512}, nil
+		}
 	case signatureECDSAWithSHA1:
 		return &ecdsaSigner{version, config, nil, crypto.SHA1}, nil
 	case signatureECDSAWithP256AndSHA256:
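Review bot: The context line `// TODO(davidben): Forbid RSASSA-PKCS1-v1_5 in TLS 1.3.` above the switch is left in place although the new guards implement exactly that. It should be deleted or replaced with a comment describing the rule. The guard `version < VersionTLS13 || config.Bugs.IgnoreSignatureVersionChecks` is also copied into all five PKCS1 cases. Computing it once before the switch, e.g. `pkcs1Allowed := version < VersionTLS13 || config.Bugs.IgnoreSignatureVersionChecks`, and testing `if pkcs1Allowed` in each case would keep them from drifting apart. When the guard is false the case simply ends, so the rejection depends on the code after the switch, which is outside this hunk, returning an error.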