From 0e95015aa593ebb84b2a11c2794a3995f89db830 Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Sat, 13 Aug 2016 21:08:56 -0400
Subject: [PATCH] RSA-PSS should work in TLS 1.2.
However, for now, we will only enable it if TLS 1.3 is offered.
BUG=85
Change-Id: I958ae0adeafee553dbffb966a6fa41f8a81cef96
Reviewed-on: https://boringssl-review.googlesource.com/10342
Reviewed-by: David Benjamin
Commit-Queue: David Benjamin
---
 ssl/ssl_rsa.c | 9 +++------
 ssl/t1_lib.c | 19 +++++++++++++------
 ssl/test/runner/runner.go | 4 ----
 ssl/test/runner/sign.go | 12 +++---------
 4 files changed, 19 insertions(+), 25 deletions(-)
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index a34d1e2c..f74d83c5 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -667,8 +667,7 @@ enum ssl_private_key_result_t ssl_private_key_sign(
 : ssl_private_key_failure;
 }
- if (is_rsa_pss(&md, signature_algorithm) &&
- ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
+ if (is_rsa_pss(&md, signature_algorithm)) {
 return ssl_sign_rsa_pss(ssl, out, out_len, max_out, md, in, in_len)
 ? ssl_private_key_success
 : ssl_private_key_failure;
@@ -694,8 +694,7 @@ int ssl_public_key_verify(SSL *ssl, const uint8_t *signature,
 in_len);
 }
- if (is_rsa_pss(&md, signature_algorithm) &&
- ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
+ if (is_rsa_pss(&md, signature_algorithm)) {
 return ssl_verify_rsa_pss(ssl, signature, signature_len, md, pkey, in,
 in_len);
 }
@@ -759,8 +757,7 @@ int ssl_private_key_supports_signature_algorithm(SSL *ssl,
 }
 if (is_rsa_pss(&md, signature_algorithm)) {
- if (ssl3_protocol_version(ssl) < TLS1_3_VERSION ||
- ssl_private_key_type(ssl) != NID_rsaEncryption) {
+ if (ssl_private_key_type(ssl) != NID_rsaEncryption) {
 return 0;
 }
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 54d5bdf5..a9a8fa33 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
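Review bot: With the `>= TLS1_3_VERSION` gate gone from `ssl_public_key_verify` (second hunk), a peer's RSA-PSS signature is now accepted at any protocol version, so the "only if TLS 1.3 is offered" policy from the commit message rests entirely on the code that matches the peer's chosen algorithm against the list this side advertised, and that dependency is not stated in any of these hunks. I would put a comment above the PSS branch, `/* RSA-PSS is accepted in TLS 1.2 as well; whether the peer may use it is governed by the advertised signature algorithm list, not by the version. */`, and the same one-liner above the branches in `ssl_private_key_sign` (first hunk) and `ssl_private_key_supports_signature_algorithm` (third hunk), where the same gate was removed. Presumably that list check lives where the peer's signature_algorithms / CertificateRequest value is parsed; worth confirming, since a server advertising PSS in a TLS 1.2 CertificateRequest and a client accepting it in ServerKeyExchange both now depend on it rather than on a version test. All three enclosing functions start and end outside their hunks.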
@@ -543,14 +543,21 @@ static const uint16_t kDefaultTLS13SignatureAlgorithms[] = {
 };
 size_t tls12_get_psigalgs(SSL *ssl, const uint16_t **psigs) {
- uint16_t version;
- if (ssl->s3->have_version) {
- version = ssl3_protocol_version(ssl);
- } else {
- version = ssl->method->version_from_wire(ssl->client_version);
+ uint16_t min_version, max_version;
+ if (!ssl_get_version_range(ssl, &min_version, &max_version)) {
+ assert(0); /* This should never happen. */
+
+ /* Return an empty list. */
+ ERR_clear_error();
+ *psigs = NULL;
+ return 0;
 }
- if (version >= TLS1_3_VERSION) {
+ /* TODO(davidben): Once TLS 1.3 has finalized, probably just advertise the
+ * same algorithm list regardless, as long as no fallback is needed. Note this
+ * may require care due to lingering NSS servers affected by
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1119983 */
+ if (max_version >= TLS1_3_VERSION) {
 *psigs = kDefaultTLS13SignatureAlgorithms;
 return sizeof(kDefaultTLS13SignatureAlgorithms)
 / sizeof(kDefaultTLS13SignatureAlgorithms[0]);
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 78e41913..ad3a5920 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -5512,10 +5512,6 @@ func addSignatureAlgorithmTests() {
 if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
 shouldFail = true
 }
- // RSA-PSS does not exist in TLS 1.2.
- if ver.version == VersionTLS12 && hasComponent(alg.name, "PSS") {
- shouldFail = true
- }
 // RSA-PKCS1 does not exist in TLS 1.3.
 if ver.version == VersionTLS13 && hasComponent(alg.name, "PKCS1") {
 shouldFail = true
diff --git a/ssl/test/runner/sign.go b/ssl/test/runner/sign.go
index 77ceb798..5f56ff96 100644
--- a/ssl/test/runner/sign.go
+++ b/ssl/test/runner/sign.go
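Review bot: `tls12_get_psigalgs` now picks the list from the configured `max_version`, whereas the removed `have_version` branch consulted the negotiated version, so once a TLS 1.2 handshake has been negotiated on an endpoint whose maximum is TLS 1.3 the TLS 1.3 list (and with it RSA-PSS) is still returned. That matches the commit message's intent but changes what the function's result means, and the TODO above the `if` only discusses the future; I would record it on the function itself, e.g. `/* Returns the signature algorithm list to advertise and accept. The choice follows the configured maximum version, not the negotiated one, so a TLS 1.2 connection on a TLS 1.3-capable endpoint uses the TLS 1.3 list. */`. Separately, the failure branch's `ERR_clear_error()` empties the whole thread error queue, not just whatever `ssl_get_version_range` may have queued; if the intent is only to drop that call's error, a narrower cleanup or a comment saying the queue is deliberately emptied would make that clear. The function's tail is outside the hunk.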
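Review bot: Dropping the `shouldFail` case for PSS under `VersionTLS12` leaves no negative expectation for RSA-PSS anywhere in this loop, so the "only enabled when TLS 1.3 is offered" behaviour described in the commit message is untested here; a later change that advertised PSS on a handshake whose ClientHello never offered TLS 1.3 would pass unnoticed. If the runner can pin the maximum offered version to TLS 1.2 (the loop's version set is not visible from this hunk), a companion case that expects PSS not to be advertised there would cover it; a short comment such as `// RSA-PSS is valid in TLS 1.2; it is only advertised when TLS 1.3 is offered.` in place of the removed one would at least document the expectation. The enclosing `addSignatureAlgorithmTests` loop body continues outside the hunk.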
@@ -286,17 +286,11 @@ func getSigner(version uint16, key interface{}, config *Config, sigAlg signature
 case signatureECDSAWithP521AndSHA512:
 return &ecdsaSigner{version, config, elliptic.P521(), crypto.SHA512}, nil
 case signatureRSAPSSWithSHA256:
- if version >= VersionTLS13 || config.Bugs.IgnoreSignatureVersionChecks {
- return &rsaPSSSigner{crypto.SHA256}, nil
- }
+ return &rsaPSSSigner{crypto.SHA256}, nil
 case signatureRSAPSSWithSHA384:
- if version >= VersionTLS13 || config.Bugs.IgnoreSignatureVersionChecks {
- return &rsaPSSSigner{crypto.SHA384}, nil
- }
+ return &rsaPSSSigner{crypto.SHA384}, nil
 case signatureRSAPSSWithSHA512:
- if version >= VersionTLS13 || config.Bugs.IgnoreSignatureVersionChecks {
- return &rsaPSSSigner{crypto.SHA512}, nil
- }
+ return &rsaPSSSigner{crypto.SHA512}, nil
 }
 return nil, fmt.Errorf("unsupported signature algorithm %04x", sigAlg)