
Add TLS 1.3 versions of the -Enforced versions.

Change-Id: I0fdd6db9ea229d394b14c76b6ba55f6165a6a806
Reviewed-on: https://boringssl-review.googlesource.com/8826
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
kris/onging/CECPQ3_patch15
David Benjamin 8 years ago
committed by CQ bot account: commit-bot@chromium.org
parent
commit
b62d287128
2 changed files with 41 additions and 7 deletions
  1. +4
    -0
      ssl/test/runner/handshake_client.go
  2. +37
    -7
      ssl/test/runner/runner.go

+ 4
- 0
ssl/test/runner/handshake_client.go View File

@@ -559,6 +559,10 @@ func (hs *clientHandshakeState) doTLS13Handshake() error {
var ok bool
certReq, ok = msg.(*certificateRequestMsg)
if ok {
if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
certReq.signatureAlgorithms = c.config.signSignatureAlgorithms()
}

hs.writeServerHash(certReq.marshal())

chainToSend, err = selectClientCertificate(c, certReq)
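Review bot: The new override of `certReq.signatureAlgorithms` sits before `hs.writeServerHash(certReq.marshal())`, so the transcript hash stays correct only if `marshal()` returns the bytes as received rather than re-encoding the mutated field; that is not visible in this hunk. Moving the `if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences { ... }` block to just after the `writeServerHash` call would make the ordering safe either way, so that a failing handshake comes from the peer's signature check and not from a transcript mismatch. If the current order is kept, a comment such as `// Only the parsed preferences are replaced; the transcript below still hashes the message as received.` would record the assumption. doTLS13Handshake starts and ends outside the hunk.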


+ 37
- 7
ssl/test/runner/runner.go View File

@@ -5475,8 +5475,8 @@ func addSignatureAlgorithmTests() {
expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
})

// Test that hash preferences are enforced. BoringSSL defaults to
// rejecting MD5 signatures.
// Test that hash preferences are enforced. BoringSSL does not implement
// MD5 signatures.
testCases = append(testCases, testCase{
testType: serverTest,
name: "ClientAuth-Enforced",
@@ -5485,11 +5485,6 @@ func addSignatureAlgorithmTests() {
Certificates: []Certificate{rsaCertificate},
SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithMD5,
// Advertise SHA-1 so the handshake will
// proceed, but the shim's preferences will be
// ignored in CertificateVerify generation, so
// MD5 will be chosen.
signatureRSAPKCS1WithSHA1,
},
Bugs: ProtocolBugs{
IgnorePeerSignatureAlgorithmPreferences: true,
@@ -5515,6 +5510,41 @@ func addSignatureAlgorithmTests() {
shouldFail: true,
expectedError: ":WRONG_SIGNATURE_TYPE:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ClientAuth-Enforced-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Certificates: []Certificate{rsaCertificate},
SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithMD5,
},
Bugs: ProtocolBugs{
IgnorePeerSignatureAlgorithmPreferences: true,
IgnoreSignatureVersionChecks: true,
},
},
flags: []string{"-require-any-client-certificate"},
shouldFail: true,
expectedError: ":WRONG_SIGNATURE_TYPE:",
})

testCases = append(testCases, testCase{
name: "ServerAuth-Enforced-TLS13",
config: Config{
MaxVersion: VersionTLS13,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithMD5,
},
Bugs: ProtocolBugs{
IgnorePeerSignatureAlgorithmPreferences: true,
IgnoreSignatureVersionChecks: true,
},
},
shouldFail: true,
expectedError: ":WRONG_SIGNATURE_TYPE:",
})

// Test that the agreed upon digest respects the client preferences and
// the server digests.
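Review bot: `ClientAuth-Enforced-TLS13` and `ServerAuth-Enforced-TLS13` in the last hunk set only `MaxVersion: VersionTLS13`, so if the shim ends up negotiating TLS 1.2 the cases could still fail with `:WRONG_SIGNATURE_TYPE:` and pass without exercising the TLS 1.3 path. Adding `MinVersion: VersionTLS13,` to both configs would turn such a fallback into a visible failure; whether the shim can fall back here depends on defaults outside this hunk. The new cases also carry no comment, unlike the TLS 1.2 ones above them; something like `// IgnoreSignatureVersionChecks lets the runner sign with MD5 even though TLS 1.3 does not allow it.` would explain the extra bug flag, though that purpose is inferred from the flag's name. addSignatureAlgorithmTests continues outside the hunk.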

