RSA-PSS should work in TLS 1.2.

However, for now, we will only enable it if TLS 1.3 is offered.

BUG=85

Change-Id: I958ae0adeafee553dbffb966a6fa41f8a81cef96
Reviewed-on: https://boringssl-review.googlesource.com/10342
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

ssl/ssl_rsa.c

@@ -667,8 +667,7 @@ enum ssl_private_key_result_t ssl_private_key_sign(
                : ssl_private_key_failure;
   }
 
-  if (is_rsa_pss(&md, signature_algorithm) &&
-      ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
+  if (is_rsa_pss(&md, signature_algorithm)) {
     return ssl_sign_rsa_pss(ssl, out, out_len, max_out, md, in, in_len)
                ? ssl_private_key_success
                : ssl_private_key_failure;
@@ -694,8 +693,7 @@ int ssl_public_key_verify(SSL *ssl, const uint8_t *signature,
                             in_len);
   }
 
-  if (is_rsa_pss(&md, signature_algorithm) &&
-      ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
+  if (is_rsa_pss(&md, signature_algorithm)) {
     return ssl_verify_rsa_pss(ssl, signature, signature_len, md, pkey, in,
                               in_len);
   }
@@ -759,8 +757,7 @@ int ssl_private_key_supports_signature_algorithm(SSL *ssl,
   }
 
   if (is_rsa_pss(&md, signature_algorithm)) {
-    if (ssl3_protocol_version(ssl) < TLS1_3_VERSION ||
-        ssl_private_key_type(ssl) != NID_rsaEncryption) {
+    if (ssl_private_key_type(ssl) != NID_rsaEncryption) {
       return 0;
     }
 

ssl/t1_lib.c

@@ -543,14 +543,21 @@ static const uint16_t kDefaultTLS13SignatureAlgorithms[] = {
 };
 
 size_t tls12_get_psigalgs(SSL *ssl, const uint16_t **psigs) {
-  uint16_t version;
-  if (ssl->s3->have_version) {
-    version = ssl3_protocol_version(ssl);
-  } else {
-    version = ssl->method->version_from_wire(ssl->client_version);
+  uint16_t min_version, max_version;
+  if (!ssl_get_version_range(ssl, &min_version, &max_version)) {
+    assert(0);  /* This should never happen. */
+
+    /* Return an empty list. */
+    ERR_clear_error();
+    *psigs = NULL;
+    return 0;
   }
 
-  if (version >= TLS1_3_VERSION) {
+  /* TODO(davidben): Once TLS 1.3 has finalized, probably just advertise the
+   * same algorithm list regardless, as long as no fallback is needed. Note this
+   * may require care due to lingering NSS servers affected by
+   * https://bugzilla.mozilla.org/show_bug.cgi?id=1119983 */
+  if (max_version >= TLS1_3_VERSION) {
     *psigs = kDefaultTLS13SignatureAlgorithms;
     return sizeof(kDefaultTLS13SignatureAlgorithms) /
            sizeof(kDefaultTLS13SignatureAlgorithms[0]);

ssl/test/runner/runner.go

@@ -5512,10 +5512,6 @@ func addSignatureAlgorithmTests() {
 			if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
 				shouldFail = true
 			}
-			// RSA-PSS does not exist in TLS 1.2.
-			if ver.version == VersionTLS12 && hasComponent(alg.name, "PSS") {
-				shouldFail = true
-			}
 			// RSA-PKCS1 does not exist in TLS 1.3.
 			if ver.version == VersionTLS13 && hasComponent(alg.name, "PKCS1") {
 				shouldFail = true

ssl/test/runner/sign.go

@@ -286,17 +286,11 @@ func getSigner(version uint16, key interface{}, config *Config, sigAlg signature
 	case signatureECDSAWithP521AndSHA512:
 		return &ecdsaSigner{version, config, elliptic.P521(), crypto.SHA512}, nil
 	case signatureRSAPSSWithSHA256:
-		if version >= VersionTLS13 || config.Bugs.IgnoreSignatureVersionChecks {
-			return &rsaPSSSigner{crypto.SHA256}, nil
-		}
+		return &rsaPSSSigner{crypto.SHA256}, nil
 	case signatureRSAPSSWithSHA384:
-		if version >= VersionTLS13 || config.Bugs.IgnoreSignatureVersionChecks {
-			return &rsaPSSSigner{crypto.SHA384}, nil
-		}
+		return &rsaPSSSigner{crypto.SHA384}, nil
 	case signatureRSAPSSWithSHA512:
-		if version >= VersionTLS13 || config.Bugs.IgnoreSignatureVersionChecks {
-			return &rsaPSSSigner{crypto.SHA512}, nil
-		}
+		return &rsaPSSSigner{crypto.SHA512}, nil
 	}
 
 	return nil, fmt.Errorf("unsupported signature algorithm %04x", sigAlg)