Configure verify/sign signature algorithms in Go separately.
This way we can test failing client auth without having to worry about
first getting through server auth.
Change-Id: Iaf996d87ac3df702a17e76c26006ca9b2a5bdd1f
Reviewed-on: https://boringssl-review.googlesource.com/8721
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 94476d4..a54c357 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -4714,52 +4714,52 @@
suffix := "-" + alg.name + "-" + ver.name
- // TODO(davidben): Separate signing and verifying sigalg
- // configuration in Go, so we can run both sides.
- if !shouldFail {
- testCases = append(testCases, testCase{
- name: "SigningHash-ClientAuth-Sign" + suffix,
- config: Config{
- MaxVersion: ver.version,
- // SignatureAlgorithms is shared, so we must
- // configure a matching server certificate too.
- Certificates: []Certificate{getRunnerCertificate(alg.cert)},
- ClientAuth: RequireAnyClientCert,
- SignatureAlgorithms: []signatureAlgorithm{
- fakeSigAlg1,
- alg.id,
- fakeSigAlg2,
- },
+ testCases = append(testCases, testCase{
+ name: "SigningHash-ClientAuth-Sign" + suffix,
+ config: Config{
+ MaxVersion: ver.version,
+ ClientAuth: RequireAnyClientCert,
+ VerifySignatureAlgorithms: []signatureAlgorithm{
+ fakeSigAlg1,
+ alg.id,
+ fakeSigAlg2,
},
- flags: []string{
- "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
- "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
- "-enable-all-curves",
- },
- expectedPeerSignatureAlgorithm: alg.id,
- })
+ },
+ flags: []string{
+ "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
+ "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
+ "-enable-all-curves",
+ },
+ shouldFail: shouldFail,
+ expectedError: signError,
+ expectedPeerSignatureAlgorithm: alg.id,
+ })
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "SigningHash-ClientAuth-Verify" + suffix,
- config: Config{
- MaxVersion: ver.version,
- Certificates: []Certificate{getRunnerCertificate(alg.cert)},
- SignatureAlgorithms: []signatureAlgorithm{
- alg.id,
- },
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "SigningHash-ClientAuth-Verify" + suffix,
+ config: Config{
+ MaxVersion: ver.version,
+ Certificates: []Certificate{getRunnerCertificate(alg.cert)},
+ SignSignatureAlgorithms: []signatureAlgorithm{
+ alg.id,
},
- flags: []string{
- "-require-any-client-certificate",
- "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
- // SignatureAlgorithms is shared, so we must
- // configure a matching server certificate too.
- "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
- "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
- "-enable-all-curves",
+ Bugs: ProtocolBugs{
+ SkipECDSACurveCheck: shouldFail,
+ IgnoreSignatureVersionChecks: shouldFail,
+ // The client won't advertise 1.3-only algorithms after
+ // version negotiation.
+ IgnorePeerSignatureAlgorithmPreferences: shouldFail,
},
- })
- }
+ },
+ flags: []string{
+ "-require-any-client-certificate",
+ "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
+ "-enable-all-curves",
+ },
+ shouldFail: shouldFail,
+ expectedError: verifyError,
+ })
testCases = append(testCases, testCase{
testType: serverTest,
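Review bot: The `Bugs` block in the new `SigningHash-ClientAuth-Verify` case keys three flags on `shouldFail`, but only `IgnorePeerSignatureAlgorithmPreferences` has a comment explaining why it is needed. Judging by their names, all three switch off the runner's own checks so that it still signs with `alg.id` when the shim is expected to refuse it. A comment above the block would make that intent explicit, e.g. `// When the shim must reject alg.id, disable the runner's own checks so the failure comes from the shim's verify path.` Separately, `expectedPeerSignatureAlgorithm: alg.id` in the Sign case is now also set on failing runs; this is harmless if the runner only checks it after a completed handshake, which is not visible here. The enclosing loop and function start and end outside this hunk.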
@@ -4770,15 +4770,11 @@
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
},
- SignatureAlgorithms: []signatureAlgorithm{
+ VerifySignatureAlgorithms: []signatureAlgorithm{
fakeSigAlg1,
alg.id,
fakeSigAlg2,
},
- Bugs: ProtocolBugs{
- SkipECDSACurveCheck: shouldFail,
- IgnoreSignatureVersionChecks: shouldFail,
- },
},
flags: []string{
"-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
@@ -4799,7 +4795,7 @@
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
},
- SignatureAlgorithms: []signatureAlgorithm{
+ SignSignatureAlgorithms: []signatureAlgorithm{
alg.id,
},
Bugs: ProtocolBugs{
@@ -4825,7 +4821,7 @@
config: Config{
ClientAuth: RequireAnyClientCert,
MaxVersion: VersionTLS12,
- SignatureAlgorithms: []signatureAlgorithm{
+ VerifySignatureAlgorithms: []signatureAlgorithm{
signatureECDSAWithP521AndSHA512,
signatureRSAPKCS1WithSHA384,
signatureECDSAWithSHA1,
@@ -4844,7 +4840,7 @@
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
- SignatureAlgorithms: []signatureAlgorithm{
+ VerifySignatureAlgorithms: []signatureAlgorithm{
signatureECDSAWithP521AndSHA512,
signatureRSAPKCS1WithSHA384,
signatureECDSAWithSHA1,
@@ -4862,7 +4858,7 @@
config: Config{
MaxVersion: VersionTLS12,
Certificates: []Certificate{rsaCertificate},
- SignatureAlgorithms: []signatureAlgorithm{
+ SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA256,
},
Bugs: ProtocolBugs{
@@ -4881,7 +4877,7 @@
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
- SignatureAlgorithms: []signatureAlgorithm{
+ SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA256,
},
Bugs: ProtocolBugs{
@@ -4899,7 +4895,7 @@
config: Config{
MaxVersion: VersionTLS12,
ClientAuth: RequireAnyClientCert,
- SignatureAlgorithms: []signatureAlgorithm{
+ VerifySignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA1,
},
Bugs: ProtocolBugs{
@@ -4918,7 +4914,7 @@
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
- SignatureAlgorithms: []signatureAlgorithm{
+ VerifySignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA1,
},
Bugs: ProtocolBugs{
@@ -4932,7 +4928,7 @@
config: Config{
MaxVersion: VersionTLS13,
ClientAuth: RequireAnyClientCert,
- SignatureAlgorithms: []signatureAlgorithm{
+ VerifySignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA1,
},
Bugs: ProtocolBugs{
@@ -4953,7 +4949,7 @@
config: Config{
MaxVersion: VersionTLS13,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
- SignatureAlgorithms: []signatureAlgorithm{
+ VerifySignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA1,
},
Bugs: ProtocolBugs{
@@ -4972,7 +4968,7 @@
config: Config{
MaxVersion: VersionTLS12,
Certificates: []Certificate{rsaCertificate},
- SignatureAlgorithms: []signatureAlgorithm{
+ SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithMD5,
// Advertise SHA-1 so the handshake will
// proceed, but the shim's preferences will be
@@ -4994,7 +4990,7 @@
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
- SignatureAlgorithms: []signatureAlgorithm{
+ SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithMD5,
},
Bugs: ProtocolBugs{
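Review bot: The context comment in the hunk just above this one (the `@@ -4972` hunk) still begins "Advertise SHA-1 so the handshake will proceed", although the list it sits in is now `SignSignatureAlgorithms`. By its name, that field controls what the runner signs with rather than what it advertises. If advertising moved to `VerifySignatureAlgorithms` in this split, the wording is stale and the SHA-1 entry may no longer affect whether the handshake proceeds; the comment and list continue past the hunk, so this is inferred from the visible lines only. Consider changing the opening to `// Also list SHA-1 so the handshake will` if the entry is still needed, or dropping the entry if it is not.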
@@ -5014,7 +5010,7 @@
config: Config{
MaxVersion: VersionTLS12,
ClientAuth: RequireAnyClientCert,
- SignatureAlgorithms: []signatureAlgorithm{
+ VerifySignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA512,
signatureRSAPKCS1WithSHA1,
},
@@ -5032,7 +5028,7 @@
config: Config{
MaxVersion: VersionTLS12,
ClientAuth: RequireAnyClientCert,
- SignatureAlgorithms: []signatureAlgorithm{
+ VerifySignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA1,
signatureRSAPKCS1WithSHA256,
},
@@ -5049,7 +5045,7 @@
config: Config{
MaxVersion: VersionTLS12,
ClientAuth: RequireAnyClientCert,
- SignatureAlgorithms: []signatureAlgorithm{
+ VerifySignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA1,
},
},
@@ -5065,7 +5061,7 @@
config: Config{
MaxVersion: VersionTLS12,
ClientAuth: RequireAnyClientCert,
- SignatureAlgorithms: []signatureAlgorithm{
+ VerifySignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA256,
signatureECDSAWithP256AndSHA256,
signatureRSAPKCS1WithSHA1,
@@ -5111,7 +5107,7 @@
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
Certificates: []Certificate{ecdsaP256Certificate},
- SignatureAlgorithms: []signatureAlgorithm{
+ SignSignatureAlgorithms: []signatureAlgorithm{
signatureECDSAWithP384AndSHA384,
},
},
@@ -5124,7 +5120,7 @@
MaxVersion: VersionTLS13,
CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
Certificates: []Certificate{ecdsaP256Certificate},
- SignatureAlgorithms: []signatureAlgorithm{
+ SignSignatureAlgorithms: []signatureAlgorithm{
signatureECDSAWithP384AndSHA384,
},
Bugs: ProtocolBugs{
@@ -5143,7 +5139,7 @@
config: Config{
MaxVersion: VersionTLS13,
CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
- SignatureAlgorithms: []signatureAlgorithm{
+ VerifySignatureAlgorithms: []signatureAlgorithm{
signatureECDSAWithP384AndSHA384,
signatureECDSAWithP256AndSHA256,
},