Don't check certificates against the curve list in TLS 1.3.

That instead happens via signature algorithms, which will be done in a
follow-up commit.

Change-Id: I97bc4646319dddbff62552244b0dd7e9bb2650ef
Reviewed-on: https://boringssl-review.googlesource.com/8700
Reviewed-by: David Benjamin <davidben@google.com>
David Benjamin 2016-07-08 17:43:29 -07:00
parent 3386326d2b
commit 75ea5bb187
2 changed files with 21 additions and 8 deletions


@ -472,14 +472,19 @@ int tls1_check_group_id(SSL *ssl, uint16_t group_id) {
}
int tls1_check_ec_cert(SSL *ssl, X509 *x) {
int ret = 0;
if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
/* In TLS 1.3, the ECDSA curve is negotiated via signature algorithms. */
return 1;
}
EVP_PKEY *pkey = X509_get_pubkey(x);
if (pkey == NULL) {
return 0;
}
int ret = 0;
uint16_t group_id;
uint8_t comp_id;
if (!pkey) {
goto done;
}
EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey);
if (ec_key == NULL ||
!tls1_curve_params_from_ec_key(&group_id, &comp_id, ec_key) ||
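Review bot: The early `return 1;` for `TLS1_3_VERSION` and above in tls1_check_ec_cert accepts every certificate without looking at its key, and the replacement check is only promised by the commit message, not by anything in the code. Until that follow-up lands, a TLS 1.3 handshake appears to place no constraint on the leaf's curve from this function, so the gap should be visible at the call site. I would extend the comment to something like `/* In TLS 1.3, the ECDSA curve is negotiated via signature algorithms. TODO: enforce that there; until then the leaf curve is unchecked in TLS 1.3. */`. The rest of the function body, including the `done` label that `ret` is presumably kept for, lies outside this hunk, so I cannot confirm the remaining paths still release `pkey`.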


@ -5041,9 +5041,6 @@ func addSignatureAlgorithmTests() {
// In TLS 1.2 and below, ECDSA uses the curve list rather than the
// signature algorithms.
//
// TODO(davidben): Add a TLS 1.3 version of this test where the mismatch
// is allowed.
testCases = append(testCases, testCase{
name: "CheckLeafCurve",
config: Config{
@ -5055,6 +5052,17 @@ func addSignatureAlgorithmTests() {
shouldFail: true,
expectedError: ":BAD_ECC_CERT:",
})
// In TLS 1.3, ECDSA does not use the ECDHE curve list.
testCases = append(testCases, testCase{
name: "CheckLeafCurve-TLS13",
config: Config{
MaxVersion: VersionTLS13,
CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
Certificates: []Certificate{ecdsaP256Certificate},
},
flags: []string{"-p384-only"},
})
}
// timeouts is the retransmit schedule for BoringSSL. It doubles and
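Review bot: The new `CheckLeafCurve-TLS13` case only sets `MaxVersion: VersionTLS13`, so it shows that TLS 1.3 was negotiated only indirectly, through the handshake not failing with `:BAD_ECC_CERT:`. Adding `expectedVersion: VersionTLS13,` would state the intent and make a downgrade show up as a version mismatch instead of a curve error. The case is also purely positive: it pins that a P-256 leaf is accepted with `-p384-only`, and nothing in this section tests a TLS 1.3 rejection. A short comment such as `// TODO: add a failing case once the curve is enforced via signature algorithms.` would keep that counterpart from being forgotten.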