diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go index ddd0468d..07cb1753 100644 --- a/ssl/test/runner/common.go +++ b/ssl/test/runner/common.go @@ -400,6 +400,10 @@ type ProtocolBugs struct { // ServerKeyExchange message should be invalid. InvalidSKXSignature bool + // InvalidCertVerifySignature specifies that the signature in a + // CertificateVerify message should be invalid. + InvalidCertVerifySignature bool + // InvalidSKXCurve causes the curve ID in the ServerKeyExchange message // to be wrong. InvalidSKXCurve bool diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go index a96cd9c1..c38334e2 100644 --- a/ssl/test/runner/handshake_client.go +++ b/ssl/test/runner/handshake_client.go @@ -622,6 +622,9 @@ func (hs *clientHandshakeState) doFullHandshake() error { c.sendAlert(alertInternalError) return err } + if c.config.Bugs.InvalidCertVerifySignature { + digest[0] ^= 0x80 + } switch key := c.config.Certificates[0].PrivateKey.(type) { case *ecdsa.PrivateKey: diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go index 1121dacd..9fa394f7 100644 --- a/ssl/test/runner/runner.go +++ b/ssl/test/runner/runner.go @@ -785,6 +785,32 @@ func addBasicTests() { shouldFail: true, expectedError: ":BAD_SIGNATURE:", }, + { + testType: serverTest, + name: "BadRSASignature-ClientAuth", + config: Config{ + Bugs: ProtocolBugs{ + InvalidCertVerifySignature: true, + }, + Certificates: []Certificate{getRSACertificate()}, + }, + shouldFail: true, + expectedError: ":BAD_SIGNATURE:", + flags: []string{"-require-any-client-certificate"}, + }, + { + testType: serverTest, + name: "BadECDSASignature-ClientAuth", + config: Config{ + Bugs: ProtocolBugs{ + InvalidCertVerifySignature: true, + }, + Certificates: []Certificate{getECDSACertificate()}, + }, + shouldFail: true, + expectedError: ":BAD_SIGNATURE:", + flags: []string{"-require-any-client-certificate"}, + }, { name: "BadECDSACurve", config: Config{