Don't check certificates against the curve list in TLS 1.3.

That instead happens via signature algorithms, which will be done in a
follow-up commit.

Change-Id: I97bc4646319dddbff62552244b0dd7e9bb2650ef
Reviewed-on: https://boringssl-review.googlesource.com/8700
Reviewed-by: David Benjamin <davidben@google.com>

ssl/t1_lib.c

@@ -472,14 +472,19 @@ int tls1_check_group_id(SSL *ssl, uint16_t group_id) {
 }
 
 int tls1_check_ec_cert(SSL *ssl, X509 *x) {
-  int ret = 0;
+  if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
+    /* In TLS 1.3, the ECDSA curve is negotiated via signature algorithms. */
+    return 1;
+  }
+
   EVP_PKEY *pkey = X509_get_pubkey(x);
+  if (pkey == NULL) {
+    return 0;
+  }
+
+  int ret = 0;
   uint16_t group_id;
   uint8_t comp_id;
-
-  if (!pkey) {
-    goto done;
-  }
   EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey);
   if (ec_key == NULL ||
       !tls1_curve_params_from_ec_key(&group_id, &comp_id, ec_key) ||

ssl/test/runner/runner.go

@@ -5041,9 +5041,6 @@ func addSignatureAlgorithmTests() {
 
 	// In TLS 1.2 and below, ECDSA uses the curve list rather than the
 	// signature algorithms.
-	//
-	// TODO(davidben): Add a TLS 1.3 version of this test where the mismatch
-	// is allowed.
 	testCases = append(testCases, testCase{
 		name: "CheckLeafCurve",
 		config: Config{
@@ -5055,6 +5052,17 @@ func addSignatureAlgorithmTests() {
 		shouldFail:    true,
 		expectedError: ":BAD_ECC_CERT:",
 	})
+
+	// In TLS 1.3, ECDSA does not use the ECDHE curve list.
+	testCases = append(testCases, testCase{
+		name: "CheckLeafCurve-TLS13",
+		config: Config{
+			MaxVersion:   VersionTLS13,
+			CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
+			Certificates: []Certificate{ecdsaP256Certificate},
+		},
+		flags: []string{"-p384-only"},
+	})
 }
 
 // timeouts is the retransmit schedule for BoringSSL. It doubles and