Empty signature algorithms in TLS 1.3 CertificateRequest is illegal.

In TLS 1.2, this was allowed to be empty for the weird SHA-1 fallback
logic. In TLS 1.3, not only is the fallback logic gone, but omitting
them is a syntactic error.

   struct {
       opaque certificate_request_context<0..2^8-1>;
       SignatureScheme
         supported_signature_algorithms<2..2^16-2>;
       DistinguishedName certificate_authorities<0..2^16-1>;
       CertificateExtension certificate_extensions<0..2^16-1>;
   } CertificateRequest;

Thanks to Eric Rescorla for pointing this out.

Change-Id: I4991e59bc4647bb665aaf920ed4836191cea3a5a
Reviewed-on: https://boringssl-review.googlesource.com/9062
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

ssl/test/runner/runner.go

@@ -5662,8 +5662,11 @@ func addSignatureAlgorithmTests() {
 			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
 			"-key-file", path.Join(*resourceDir, rsaKeyFile),
 		},
-		shouldFail:    true,
-		expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
+		shouldFail: true,
+		// An empty CertificateRequest signature algorithm list is a
+		// syntax error in TLS 1.3.
+		expectedError:      ":DECODE_ERROR:",
+		expectedLocalError: "remote error: error decoding message",
 	})
 
 	testCases = append(testCases, testCase{

ssl/tls13_client.c

@@ -323,6 +323,7 @@ static enum ssl_hs_wait_t do_process_certificate_request(SSL *ssl,
       !CBS_stow(&context, &ssl->s3->hs->cert_context,
                 &ssl->s3->hs->cert_context_len) ||
       !CBS_get_u16_length_prefixed(&cbs, &supported_signature_algorithms) ||
+      CBS_len(&supported_signature_algorithms) == 0 ||
       !tls1_parse_peer_sigalgs(ssl, &supported_signature_algorithms)) {
     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);