Don't accept {sha1, ecdsa} and {sha512, ecdsa}.
{sha1, ecdsa} is virtually nonexistent. {sha512, ecdsa} is pointless
when we only accept P-256 and P-384. See Chromium Intent thread here:
https://groups.google.com/a/chromium.org/d/msg/blink-dev/kWwLfeIQIBM/9chGZ40TCQAJ
This tweaks the signature algorithm logic slightly so that sign and
verify preferences are separate.
BUG=chromium:655318
Change-Id: I1097332600dcaa38e62e4dffa0194fb734c6df3f
Reviewed-on: https://boringssl-review.googlesource.com/11621
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 77f9a0d..367fef1 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -5884,19 +5884,28 @@
continue
}
- var shouldFail bool
+ var shouldSignFail, shouldVerifyFail bool
// ecdsa_sha1 does not exist in TLS 1.3.
if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
- shouldFail = true
+ shouldSignFail = true
+ shouldVerifyFail = true
}
// RSA-PKCS1 does not exist in TLS 1.3.
if ver.version == VersionTLS13 && hasComponent(alg.name, "PKCS1") {
- shouldFail = true
+ shouldSignFail = true
+ shouldVerifyFail = true
+ }
+
+ // BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.
+ if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 {
+ shouldVerifyFail = true
}
var signError, verifyError string
- if shouldFail {
+ if shouldSignFail {
signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
+ }
+ if shouldVerifyFail {
verifyError = ":WRONG_SIGNATURE_TYPE:"
}
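Review bot: The comment on the new block, `// BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.`, states the sign/verify asymmetry but not the reason, and the `signatureECDSAWithP521AndSHA512` identifier hides that this code point means ECDSA with SHA-512 on any curve in TLS 1.2 but P-521 only in TLS 1.3. Since the commit message's rationale is that only P-256 and P-384 are accepted for ECDSA, I'd expand it to `// BoringSSL will sign with ECDSA/SHA-1 and ECDSA/SHA-512 if asked but never accepts them: {sha1, ecdsa} is virtually unused and {sha512, ecdsa} (P-521 in TLS 1.3) is pointless when only P-256/P-384 are accepted, in any version.` This block also makes the `shouldVerifyFail = true` inside the TLS 1.3 `signatureECDSAWithSHA1` branch above redundant; harmless, but dropping it keeps one reason per flag. The enclosing loop body starts before this hunk.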
@@ -5918,7 +5927,7 @@
"-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
"-enable-all-curves",
},
- shouldFail: shouldFail,
+ shouldFail: shouldSignFail,
expectedError: signError,
expectedPeerSignatureAlgorithm: alg.id,
})
@@ -5933,11 +5942,10 @@
alg.id,
},
Bugs: ProtocolBugs{
- SkipECDSACurveCheck: shouldFail,
- IgnoreSignatureVersionChecks: shouldFail,
- // The client won't advertise 1.3-only algorithms after
- // version negotiation.
- IgnorePeerSignatureAlgorithmPreferences: shouldFail,
+ SkipECDSACurveCheck: shouldVerifyFail,
+ IgnoreSignatureVersionChecks: shouldVerifyFail,
+ // Some signature algorithms may not be advertised.
+ IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
},
},
flags: []string{
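Review bot: The replacement comment `// Some signature algorithms may not be advertised.` above `IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail` is vaguer than the line it replaces and no longer says which algorithms or why; the same new wording is added again in the ClientAuth hunk further down at its `IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail` line. I'd keep both reasons: `// The shim won't advertise 1.3-only algorithms after version negotiation, nor the ECDSA/SHA-1 and ECDSA/SHA-512 pairs it does not accept, so the runner must sign with them anyway.` Precision matters here because this bug flag is what makes the test exercise the shim rejecting a signature whose algorithm it never offered (the `:WRONG_SIGNATURE_TYPE:` expectation), which is the defensive behaviour this change adds coverage for. The testCase literal continues on both sides of the hunk.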
@@ -5945,7 +5953,7 @@
"-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
"-enable-all-curves",
},
- shouldFail: shouldFail,
+ shouldFail: shouldVerifyFail,
expectedError: verifyError,
})
@@ -5966,7 +5974,7 @@
"-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
"-enable-all-curves",
},
- shouldFail: shouldFail,
+ shouldFail: shouldSignFail,
expectedError: signError,
expectedPeerSignatureAlgorithm: alg.id,
})
@@ -5981,19 +5989,21 @@
alg.id,
},
Bugs: ProtocolBugs{
- SkipECDSACurveCheck: shouldFail,
- IgnoreSignatureVersionChecks: shouldFail,
+ SkipECDSACurveCheck: shouldVerifyFail,
+ IgnoreSignatureVersionChecks: shouldVerifyFail,
+ // Some signature algorithms may not be advertised.
+ IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
},
},
flags: []string{
"-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
"-enable-all-curves",
},
- shouldFail: shouldFail,
+ shouldFail: shouldVerifyFail,
expectedError: verifyError,
})
- if !shouldFail {
+ if !shouldVerifyFail {
testCases = append(testCases, testCase{
testType: serverTest,
name: "ClientAuth-InvalidSignature" + suffix,
@@ -6034,7 +6044,7 @@
})
}
- if ver.version >= VersionTLS12 && !shouldFail {
+ if ver.version >= VersionTLS12 && !shouldSignFail {
testCases = append(testCases, testCase{
name: "ClientAuth-Sign-Negotiate" + suffix,
config: Config{