Adding RSA-PSS signature algorithms.

[Rebased and tests added by davidben.]

In doing so, regenerate the test RSA certificate to be 2048-bit RSA.
RSA-PSS with SHA-512 is actually too large for 1024-bit RSA. Also make
the sigalg test loop test versions that do and don't work, which subsumes
the ecdsa_sha1 TLS 1.3 test.

For now, RSA-PKCS1 is still allowed because NSS has yet to implement
RSA-PSS and we'd like to avoid complicated interop testing.

Change-Id: I686b003ef7042ff757bdaab8d5838b7a4d6edd87
Reviewed-on: https://boringssl-review.googlesource.com/8613
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 5279a5d..4594649 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -517,7 +517,37 @@
     SSL_SIGN_ECDSA_SHA1,
 };
 
+static const uint16_t kDefaultTLS13SignatureAlgorithms[] = {
+    SSL_SIGN_RSA_PSS_SHA512,
+    SSL_SIGN_RSA_PKCS1_SHA512,
+    SSL_SIGN_ECDSA_SECP521R1_SHA512,
+
+    SSL_SIGN_RSA_PSS_SHA384,
+    SSL_SIGN_RSA_PKCS1_SHA384,
+    SSL_SIGN_ECDSA_SECP384R1_SHA384,
+
+    SSL_SIGN_RSA_PSS_SHA256,
+    SSL_SIGN_RSA_PKCS1_SHA256,
+    SSL_SIGN_ECDSA_SECP256R1_SHA256,
+
+    SSL_SIGN_RSA_PKCS1_SHA1,
+    SSL_SIGN_ECDSA_SHA1,
+};
+
 size_t tls12_get_psigalgs(SSL *ssl, const uint16_t **psigs) {
+  uint16_t version;
+  if (ssl->s3->have_version) {
+    version = ssl3_protocol_version(ssl);
+  } else {
+    version = ssl->method->version_from_wire(ssl->client_version);
+  }
+
+  if (version >= TLS1_3_VERSION) {
+    *psigs = kDefaultTLS13SignatureAlgorithms;
+    return sizeof(kDefaultTLS13SignatureAlgorithms) /
+           sizeof(kDefaultTLS13SignatureAlgorithms[0]);
+  }
+
   *psigs = kDefaultSignatureAlgorithms;
   return sizeof(kDefaultSignatureAlgorithms) /
          sizeof(kDefaultSignatureAlgorithms[0]);
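Review bot: The RSA-PKCS1 entries in `kDefaultTLS13SignatureAlgorithms` are an interop concession according to the commit message, but nothing in the code says so, so the array reads as the intended TLS 1.3 policy. I would put a comment above the array, for example `/* TODO: drop the RSA_PKCS1 entries at TLS 1.3 once peers support RSA-PSS; kept for interop only. */`, and have it state whether the two SHA-1 entries are meant to stay as well. The `else` branch in `tls12_get_psigalgs` also deserves a one-line comment on when `have_version` is unset, because in that case the list is chosen from `client_version` rather than from a negotiated version, so any caller that runs in that window presumably gets the TLS 1.3 set even if an older version is negotiated later.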
@@ -561,6 +591,9 @@
   sigalgslen = tls12_get_psigalgs(ssl, &sigalgs);
   for (i = 0; i < sigalgslen; i++) {
     switch (sigalgs[i]) {
+      case SSL_SIGN_RSA_PSS_SHA512:
+      case SSL_SIGN_RSA_PSS_SHA384:
+      case SSL_SIGN_RSA_PSS_SHA256:
       case SSL_SIGN_RSA_PKCS1_SHA512:
       case SSL_SIGN_RSA_PKCS1_SHA384:
       case SSL_SIGN_RSA_PKCS1_SHA256:
@@ -2571,9 +2604,8 @@
     return 1;
   }
 
-  const uint16_t *sigalgs = kDefaultSignatureAlgorithms;
-  size_t sigalgs_len = sizeof(kDefaultSignatureAlgorithms) /
-                       sizeof(kDefaultSignatureAlgorithms[0]);
+  const uint16_t *sigalgs;
+  size_t sigalgs_len = tls12_get_psigalgs(ssl, &sigalgs);
   if (cert->sigalgs != NULL) {
     sigalgs = cert->sigalgs;
     sigalgs_len = cert->sigalgs_len;
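Review bot: With `tls12_get_psigalgs` supplying the defaults here, a TLS 1.3 connection without `cert->sigalgs` now starts from a list headed by `SSL_SIGN_RSA_PSS_SHA512`, which the commit message says does not fit a 1024-bit RSA key. The selection loop lies outside this hunk, so whether it skips algorithms the configured private key cannot produce is not visible. If it does not, a deployment with a small RSA key would fail at signing time instead of falling back to a smaller digest. I would add a key-size check before an RSA-PSS entry is chosen, or at least a comment at this spot stating that the default list assumes a key large enough for RSA-PSS with SHA-512.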