Enable RSA-PSS in TLS 1.2 by default.

Add a test that RSA-PSS is available in TLS 1.2 by default, both for
signing and verifying. Note that if a custom SSL_PRIVATE_KEY_METHOD is
used and it sets signing preferences, it won't use RSA-PSS if it doesn't
know about it. (See *-Sign-Negotiate-* tests.)

Change-Id: I3776a0c95480188a135795f7ebf31f2b0e0626cc
Reviewed-on: https://boringssl-review.googlesource.com/10723
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index f1643c3..742fb9e 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -6305,6 +6305,31 @@
shouldFail: true,
expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
})
+
+ // Test that RSA-PSS is enabled by default for TLS 1.2.
+ testCases = append(testCases, testCase{
+ testType: clientTest,
+ name: "RSA-PSS-Default-Verify",
+ config: Config{
+ MaxVersion: VersionTLS12,
+ SignSignatureAlgorithms: []signatureAlgorithm{
+ signatureRSAPSSWithSHA256,
+ },
+ },
+ flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
+ })
+
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "RSA-PSS-Default-Sign",
+ config: Config{
+ MaxVersion: VersionTLS12,
+ VerifySignatureAlgorithms: []signatureAlgorithm{
+ signatureRSAPSSWithSHA256,
+ },
+ },
+ flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
+ })
}
// timeouts is the retransmit schedule for BoringSSL. It doubles and
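Review bot: The second case, RSA-PSS-Default-Sign, has no comment of its own, and the single comment above RSA-PSS-Default-Verify does not say that "default" here means the shim is given no signing-preference flags (only -max-version is passed). A one-line comment on each case stating which side is restricted to signatureRSAPSSWithSHA256 would make the intent clear: the runner's SignSignatureAlgorithms in the Verify case, its VerifySignatureAlgorithms in the Sign case. Both cases also exercise only the SHA-256 variant; if the other RSA-PSS hashes are meant to be enabled by default as well, consider looping over them so a regression in any one is caught. The custom SSL_PRIVATE_KEY_METHOD caveat from the commit message is worth repeating in a comment here with a pointer to the *-Sign-Negotiate-* tests, since nothing in this hunk covers that path.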