Fix TLS 1.2 sigalgs fallback logic for ECDSA.
Also fix up those tests as they were a little confused. It is always the
shim that signs and has a configured certificate in these tests.
BUG=95
Change-Id: I57a6b1bad19986c79cd30aaa6cf3b8ca307ef8b2
Reviewed-on: https://boringssl-review.googlesource.com/10444
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index dc6c6dd..54d5bdf 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -3070,7 +3070,7 @@
SSL_SIGN_ECDSA_SHA1};
peer_sigalgs = kDefaultPeerAlgorithms;
peer_sigalgs_len =
- sizeof(kDefaultPeerAlgorithms) / sizeof(kDefaultPeerAlgorithms);
+ sizeof(kDefaultPeerAlgorithms) / sizeof(kDefaultPeerAlgorithms[0]);
}
for (i = 0; i < sigalgs_len; i++) {
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index f999f48..4c7d2e7 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -5814,7 +5814,7 @@
// Test that, if the list is missing, the peer falls back to SHA-1 in
// TLS 1.2, but not TLS 1.3.
testCases = append(testCases, testCase{
- name: "ClientAuth-SHA1-Fallback",
+ name: "ClientAuth-SHA1-Fallback-RSA",
config: Config{
MaxVersion: VersionTLS12,
ClientAuth: RequireAnyClientCert,
@@ -5833,10 +5833,9 @@
testCases = append(testCases, testCase{
testType: serverTest,
- name: "ServerAuth-SHA1-Fallback",
+ name: "ServerAuth-SHA1-Fallback-RSA",
config: Config{
- MaxVersion: VersionTLS12,
- CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+ MaxVersion: VersionTLS12,
VerifySignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA1,
},
@@ -5844,6 +5843,46 @@
NoSignatureAlgorithms: true,
},
},
+ flags: []string{
+ "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
+ "-key-file", path.Join(*resourceDir, rsaKeyFile),
+ },
+ })
+
+ testCases = append(testCases, testCase{
+ name: "ClientAuth-SHA1-Fallback-ECDSA",
+ config: Config{
+ MaxVersion: VersionTLS12,
+ ClientAuth: RequireAnyClientCert,
+ VerifySignatureAlgorithms: []signatureAlgorithm{
+ signatureECDSAWithSHA1,
+ },
+ Bugs: ProtocolBugs{
+ NoSignatureAlgorithms: true,
+ },
+ },
+ flags: []string{
+ "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
+ "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
+ },
+ })
+
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "ServerAuth-SHA1-Fallback-ECDSA",
+ config: Config{
+ MaxVersion: VersionTLS12,
+ VerifySignatureAlgorithms: []signatureAlgorithm{
+ signatureECDSAWithSHA1,
+ },
+ Bugs: ProtocolBugs{
+ NoSignatureAlgorithms: true,
+ },
+ },
+ flags: []string{
+ "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
+ "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
+ },
})
testCases = append(testCases, testCase{