commit 489016550997ba53185658d501d972517a1b79b5
author David Benjamin <davidben@google.com> Mon Aug 01 12:12:47 2016 -0400
committer CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Mon Aug 01 19:47:26 2016 +0000
tree 696a9665c2a996128a59a32d2f6434fdd9120ee6
parent 0c40a96455b0f720267b9eeb47704c85ee883121

Empty signature algorithms in TLS 1.3 CertificateRequest is illegal.

In TLS 1.2, this was allowed to be empty for the weird SHA-1 fallback
logic. In TLS 1.3, not only is the fallback logic gone, but omitting
them is a syntactic error.

   struct {
       opaque certificate_request_context<0..2^8-1>;
       SignatureScheme
         supported_signature_algorithms<2..2^16-2>;
       DistinguishedName certificate_authorities<0..2^16-1>;
       CertificateExtension certificate_extensions<0..2^16-1>;
   } CertificateRequest;

Thanks to Eric Rescorla for pointing this out.

Change-Id: I4991e59bc4647bb665aaf920ed4836191cea3a5a
Reviewed-on: https://boringssl-review.googlesource.com/9062
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

ssl/test/runner/runner.go

diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 5e049b1..3a367c5 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -5662,8 +5662,11 @@
 			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
 			"-key-file", path.Join(*resourceDir, rsaKeyFile),
 		},
-		shouldFail:    true,
-		expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
+		shouldFail: true,
+		// An empty CertificateRequest signature algorithm list is a
+		// syntax error in TLS 1.3.
+		expectedError:      ":DECODE_ERROR:",
+		expectedLocalError: "remote error: error decoding message",
 	})
 
 	testCases = append(testCases, testCase{