Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 51dd7d637905c8fd6100ab9e5c1ac65ff5ece670^! / . / ssl / test / runner / runner.go
commit51dd7d637905c8fd6100ab9e5c1ac65ff5ece670[log] [tgz]
authorDavid Benjamin <davidben@google.com>Fri Jul 08 16:07:01 2016 -0700
committerDavid Benjamin <davidben@google.com>Tue Jul 12 18:24:02 2016 +0000
tree62ac2c5496101a1a795185a727327ea31c3e6ac5
parenta2d81f1a27e82fb36899c4644a370759e3759b0c [diff] [blame]
Don't fall back to SHA-1 in TLS 1.3, only TLS 1.2.

TLS 1.3 also forbids signing SHA-1 digests, but this will be done as a
consequence of forbidding PKCS#1 in 1.3 altogether (rsa_sign_sha1) and
requiring a curve match in ECDSA (ecdsa_sha1).

Change-Id: I665971139ccef9e270fd5796c5e6a814a8f663b1
Reviewed-on: https://boringssl-review.googlesource.com/8696
Reviewed-by: David Benjamin <davidben@google.com>

diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 5d5facf..7c0e38b 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go

@@ -4794,9 +4794,8 @@
 		expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
 	})
 
-	// Test that, if the list is missing, the peer falls back to SHA-1.
-	//
-	// TODO(davidben): Test this does not happen in TLS 1.3.
+	// Test that, if the list is missing, the peer falls back to SHA-1 in
+	// TLS 1.2, but not TLS 1.3.
 	testCases = append(testCases, testCase{
 		name: "SigningHash-ClientAuth-Fallback",
 		config: Config{
@@ -4830,6 +4829,43 @@
 		},
 	})
 
+	testCases = append(testCases, testCase{
+		name: "SigningHash-ClientAuth-Fallback-TLS13",
+		config: Config{
+			MaxVersion: VersionTLS13,
+			ClientAuth: RequireAnyClientCert,
+			SignatureAlgorithms: []signatureAlgorithm{
+				signatureRSAPKCS1WithSHA1,
+			},
+			Bugs: ProtocolBugs{
+				NoSignatureAlgorithms: true,
+			},
+		},
+		flags: []string{
+			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
+			"-key-file", path.Join(*resourceDir, rsaKeyFile),
+		},
+		shouldFail:    true,
+		expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
+	})
+
+	testCases = append(testCases, testCase{
+		testType: serverTest,
+		name:     "SigningHash-ServerKeyExchange-Fallback-TLS13",
+		config: Config{
+			MaxVersion:   VersionTLS13,
+			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+			SignatureAlgorithms: []signatureAlgorithm{
+				signatureRSAPKCS1WithSHA1,
+			},
+			Bugs: ProtocolBugs{
+				NoSignatureAlgorithms: true,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
+	})
+
 	// Test that hash preferences are enforced. BoringSSL defaults to
 	// rejecting MD5 signatures.
 	testCases = append(testCases, testCase{