authorDavid Benjamin <davidben@google.com>2016-07-09 02:07:01 +0300
committerDavid Benjamin <davidben@google.com>2016-07-12 21:24:02 +0300
commit51dd7d637905c8fd6100ab9e5c1ac65ff5ece670 (patch)
tree62ac2c5496101a1a795185a727327ea31c3e6ac5
parenta2d81f1a27e82fb36899c4644a370759e3759b0c (diff)
Don't fall back to SHA-1 in TLS 1.3, only TLS 1.2.
TLS 1.3 also forbids signing SHA-1 digests, but this will be done as a consequence of forbidding PKCS#1 in 1.3 altogether (rsa_sign_sha1) and requiring a curve match in ECDSA (ecdsa_sha1). Change-Id: I665971139ccef9e270fd5796c5e6a814a8f663b1 Reviewed-on: https://boringssl-review.googlesource.com/8696 Reviewed-by: David Benjamin <davidben@google.com>
-rw-r--r--ssl/t1_lib.c2
-rw-r--r--ssl/test/runner/runner.go42
2 files changed, 40 insertions, 4 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 2b9402d0..2e0c2274 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2608,7 +2608,7 @@ int tls1_choose_signature_algorithm(SSL *ssl, uint16_t *out) {
const uint16_t *peer_sigalgs = cert->peer_sigalgs;
size_t peer_sigalgs_len = cert->peer_sigalgslen;
- if (peer_sigalgs_len == 0) {
+ if (peer_sigalgs_len == 0 && ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
/* If the client didn't specify any signature_algorithms extension then
* we can assume that it supports SHA1. See
* http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
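Review bot: The comment following the changed condition still says the missing extension lets us "assume that it supports SHA1" citing RFC 5246, but the new `< TLS1_3_VERSION` guard makes that assumption TLS 1.2-only, so the comment now under-describes the branch. I would extend it with a line such as `* TLS 1.3 has no SHA-1 fallback: the extension is mandatory there, so an empty list is left to the search below and yields NO_COMMON_SIGNATURE_ALGORITHMS.` The claim about what the empty list produces in TLS 1.3 is inferred from the expected error in the accompanying runner tests, not from lines in this hunk, so it should be checked against the rest of tls1_choose_signature_algorithm, which continues outside the hunk.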
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 5d5facfc..7c0e38bd 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -4794,9 +4794,8 @@ func addSignatureAlgorithmTests() {
expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
})
- // Test that, if the list is missing, the peer falls back to SHA-1.
- //
- // TODO(davidben): Test this does not happen in TLS 1.3.
+ // Test that, if the list is missing, the peer falls back to SHA-1 in
+ // TLS 1.2, but not TLS 1.3.
testCases = append(testCases, testCase{
name: "SigningHash-ClientAuth-Fallback",
config: Config{
@@ -4830,6 +4829,43 @@ func addSignatureAlgorithmTests() {
},
})
+ testCases = append(testCases, testCase{
+ name: "SigningHash-ClientAuth-Fallback-TLS13",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ ClientAuth: RequireAnyClientCert,
+ SignatureAlgorithms: []signatureAlgorithm{
+ signatureRSAPKCS1WithSHA1,
+ },
+ Bugs: ProtocolBugs{
+ NoSignatureAlgorithms: true,
+ },
+ },
+ flags: []string{
+ "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
+ "-key-file", path.Join(*resourceDir, rsaKeyFile),
+ },
+ shouldFail: true,
+ expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
+ })
+
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "SigningHash-ServerKeyExchange-Fallback-TLS13",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+ SignatureAlgorithms: []signatureAlgorithm{
+ signatureRSAPKCS1WithSHA1,
+ },
+ Bugs: ProtocolBugs{
+ NoSignatureAlgorithms: true,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
+ })
+
// Test that hash preferences are enforced. BoringSSL defaults to
// rejecting MD5 signatures.
testCases = append(testCases, testCase{
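Review bot: The two new TLS 1.3 cases carry no comment saying why the handshake is expected to fail, whereas the TLS 1.2 fallback case in the previous hunk is introduced by one; a reader has to infer the intent from `NoSignatureAlgorithms: true` plus `shouldFail`. I would put `// TLS 1.3 has no SHA-1 fallback: omitting signature_algorithms must fail.` above the first of the two appends. The `SignatureAlgorithms` list set in both configs appears to be unused since the extension is suppressed, which is worth a short note so it is not mistaken for part of the negotiation. The name `SigningHash-ServerKeyExchange-Fallback-TLS13` is presumably inherited from the TLS 1.2 sibling; TLS 1.3 has no ServerKeyExchange message, so a name referencing the server's CertificateVerify would describe the case more accurately. addSignatureAlgorithmTests continues outside the hunk.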