I don't think we had coverage for this check. Change-Id: I5e454e69c1ee9f1b9760d2ef1431170d76f78d63 Reviewed-on: https://boringssl-review.googlesource.com/5544 Reviewed-by: Adam Langley <agl@google.com>kris/onging/CECPQ3_patch15
@@ -400,6 +400,10 @@ type ProtocolBugs struct { | |||||
// ServerKeyExchange message should be invalid. | // ServerKeyExchange message should be invalid. | ||||
InvalidSKXSignature bool | InvalidSKXSignature bool | ||||
// InvalidCertVerifySignature specifies that the signature in a | |||||
// CertificateVerify message should be invalid. | |||||
InvalidCertVerifySignature bool | |||||
// InvalidSKXCurve causes the curve ID in the ServerKeyExchange message | // InvalidSKXCurve causes the curve ID in the ServerKeyExchange message | ||||
// to be wrong. | // to be wrong. | ||||
InvalidSKXCurve bool | InvalidSKXCurve bool | ||||
@@ -622,6 +622,9 @@ func (hs *clientHandshakeState) doFullHandshake() error { | |||||
c.sendAlert(alertInternalError) | c.sendAlert(alertInternalError) | ||||
return err | return err | ||||
} | } | ||||
if c.config.Bugs.InvalidCertVerifySignature { | |||||
digest[0] ^= 0x80 | |||||
} | |||||
switch key := c.config.Certificates[0].PrivateKey.(type) { | switch key := c.config.Certificates[0].PrivateKey.(type) { | ||||
case *ecdsa.PrivateKey: | case *ecdsa.PrivateKey: | ||||
@@ -785,6 +785,32 @@ func addBasicTests() { | |||||
shouldFail: true, | shouldFail: true, | ||||
expectedError: ":BAD_SIGNATURE:", | expectedError: ":BAD_SIGNATURE:", | ||||
}, | }, | ||||
{ | |||||
testType: serverTest, | |||||
name: "BadRSASignature-ClientAuth", | |||||
config: Config{ | |||||
Bugs: ProtocolBugs{ | |||||
InvalidCertVerifySignature: true, | |||||
}, | |||||
Certificates: []Certificate{getRSACertificate()}, | |||||
}, | |||||
shouldFail: true, | |||||
expectedError: ":BAD_SIGNATURE:", | |||||
flags: []string{"-require-any-client-certificate"}, | |||||
}, | |||||
{ | |||||
testType: serverTest, | |||||
name: "BadECDSASignature-ClientAuth", | |||||
config: Config{ | |||||
Bugs: ProtocolBugs{ | |||||
InvalidCertVerifySignature: true, | |||||
}, | |||||
Certificates: []Certificate{getECDSACertificate()}, | |||||
}, | |||||
shouldFail: true, | |||||
expectedError: ":BAD_SIGNATURE:", | |||||
flags: []string{"-require-any-client-certificate"}, | |||||
}, | |||||
{ | { | ||||
name: "BadECDSACurve", | name: "BadECDSACurve", | ||||
config: Config{ | config: Config{ | ||||