Add TLS 1.3 versions of the -Enforced tests.

Change-Id: I0fdd6db9ea229d394b14c76b6ba55f6165a6a806
Reviewed-on: https://boringssl-review.googlesource.com/8826
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go
index e3b501b..52951d3 100644
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go
@@ -559,6 +559,10 @@
 		var ok bool
 		certReq, ok = msg.(*certificateRequestMsg)
 		if ok {
+			if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
+				certReq.signatureAlgorithms = c.config.signSignatureAlgorithms()
+			}
+
 			hs.writeServerHash(certReq.marshal())
 
 			chainToSend, err = selectClientCertificate(c, certReq)
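Review bot: The override of `certReq.signatureAlgorithms` runs before `hs.writeServerHash(certReq.marshal())`, so the transcript hash stays correct only if `marshal()` returns the bytes received from the peer rather than re-encoding the mutated struct, and that is not visible in this hunk. Moving the `if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences { ... }` block to just after the `writeServerHash` call would make the ordering safe either way. A comment such as `// Pretend the peer accepts every algorithm we sign with, so a test can send a signature the peer did not advertise.` would record the intent. The enclosing function begins and ends outside the hunk.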
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 8241f8b..c587f91 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -5475,8 +5475,8 @@
 		expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
 	})
 
-	// Test that hash preferences are enforced. BoringSSL defaults to
-	// rejecting MD5 signatures.
+	// Test that hash preferences are enforced. BoringSSL does not implement
+	// MD5 signatures.
 	testCases = append(testCases, testCase{
 		testType: serverTest,
 		name:     "ClientAuth-Enforced",
@@ -5485,11 +5485,6 @@
 			Certificates: []Certificate{rsaCertificate},
 			SignSignatureAlgorithms: []signatureAlgorithm{
 				signatureRSAPKCS1WithMD5,
-				// Advertise SHA-1 so the handshake will
-				// proceed, but the shim's preferences will be
-				// ignored in CertificateVerify generation, so
-				// MD5 will be chosen.
-				signatureRSAPKCS1WithSHA1,
 			},
 			Bugs: ProtocolBugs{
 				IgnorePeerSignatureAlgorithmPreferences: true,
@@ -5515,6 +5510,41 @@
 		shouldFail:    true,
 		expectedError: ":WRONG_SIGNATURE_TYPE:",
 	})
+	testCases = append(testCases, testCase{
+		testType: serverTest,
+		name:     "ClientAuth-Enforced-TLS13",
+		config: Config{
+			MaxVersion:   VersionTLS13,
+			Certificates: []Certificate{rsaCertificate},
+			SignSignatureAlgorithms: []signatureAlgorithm{
+				signatureRSAPKCS1WithMD5,
+			},
+			Bugs: ProtocolBugs{
+				IgnorePeerSignatureAlgorithmPreferences: true,
+				IgnoreSignatureVersionChecks:            true,
+			},
+		},
+		flags:         []string{"-require-any-client-certificate"},
+		shouldFail:    true,
+		expectedError: ":WRONG_SIGNATURE_TYPE:",
+	})
+
+	testCases = append(testCases, testCase{
+		name: "ServerAuth-Enforced-TLS13",
+		config: Config{
+			MaxVersion:   VersionTLS13,
+			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+			SignSignatureAlgorithms: []signatureAlgorithm{
+				signatureRSAPKCS1WithMD5,
+			},
+			Bugs: ProtocolBugs{
+				IgnorePeerSignatureAlgorithmPreferences: true,
+				IgnoreSignatureVersionChecks:            true,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":WRONG_SIGNATURE_TYPE:",
+	})
 
 	// Test that the agreed upon digest respects the client preferences and
 	// the server digests.
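Review bot: Both new cases, `ClientAuth-Enforced-TLS13` and `ServerAuth-Enforced-TLS13`, set only `MaxVersion: VersionTLS13`, so if the handshake ever settles on a lower version they would presumably still fail with `:WRONG_SIGNATURE_TYPE:` and silently stop covering MD5 rejection at TLS 1.3. Adding `MinVersion: VersionTLS13,` next to `MaxVersion` in each config would pin the version under test. The cases also lack a comment of their own. A line above the first one, e.g. `// Repeat the -Enforced tests at TLS 1.3.`, plus a note on why `IgnoreSignatureVersionChecks` is set in addition to `IgnorePeerSignatureAlgorithmPreferences`, would help the next reader.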