Add TLS 1.3 versions of the -Enforced tests.

Change-Id: I0fdd6db9ea229d394b14c76b6ba55f6165a6a806
Reviewed-on: https://boringssl-review.googlesource.com/8826
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
David Benjamin 2016-07-18 14:55:02 +02:00 committed by CQ bot account: commit-bot@chromium.org
parent 8d315d7056
commit b62d287128
2 changed files with 41 additions and 7 deletions


@ -559,6 +559,10 @@ func (hs *clientHandshakeState) doTLS13Handshake() error {
var ok bool var ok bool
certReq, ok = msg.(*certificateRequestMsg) certReq, ok = msg.(*certificateRequestMsg)
if ok { if ok {
if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
certReq.signatureAlgorithms = c.config.signSignatureAlgorithms()
}
hs.writeServerHash(certReq.marshal()) hs.writeServerHash(certReq.marshal())
chainToSend, err = selectClientCertificate(c, certReq) chainToSend, err = selectClientCertificate(c, certReq)
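Review bot: The added override of `certReq.signatureAlgorithms` runs before `hs.writeServerHash(certReq.marshal())`, so the transcript hash only covers the bytes the server actually sent if `marshal()` returns the cached wire encoding rather than re-serialising the mutated fields; that is not visible in this hunk. Moving the three added lines below the `writeServerHash` call would make the ordering safe either way. The override also deserves a comment, for example `// Pretend the peer accepts everything we can sign with, so the client may pick an algorithm the peer never offered.` The body of doTLS13Handshake starts and ends outside the hunk.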


@ -5475,8 +5475,8 @@ func addSignatureAlgorithmTests() {
expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:", expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
}) })
// Test that hash preferences are enforced. BoringSSL defaults to // Test that hash preferences are enforced. BoringSSL does not implement
// rejecting MD5 signatures. // MD5 signatures.
testCases = append(testCases, testCase{ testCases = append(testCases, testCase{
testType: serverTest, testType: serverTest,
name: "ClientAuth-Enforced", name: "ClientAuth-Enforced",
@ -5485,11 +5485,6 @@ func addSignatureAlgorithmTests() {
Certificates: []Certificate{rsaCertificate}, Certificates: []Certificate{rsaCertificate},
SignSignatureAlgorithms: []signatureAlgorithm{ SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithMD5, signatureRSAPKCS1WithMD5,
// Advertise SHA-1 so the handshake will
// proceed, but the shim's preferences will be
// ignored in CertificateVerify generation, so
// MD5 will be chosen.
signatureRSAPKCS1WithSHA1,
}, },
Bugs: ProtocolBugs{ Bugs: ProtocolBugs{
IgnorePeerSignatureAlgorithmPreferences: true, IgnorePeerSignatureAlgorithmPreferences: true,
@ -5515,6 +5510,41 @@ func addSignatureAlgorithmTests() {
shouldFail: true, shouldFail: true,
expectedError: ":WRONG_SIGNATURE_TYPE:", expectedError: ":WRONG_SIGNATURE_TYPE:",
}) })
testCases = append(testCases, testCase{
testType: serverTest,
name: "ClientAuth-Enforced-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Certificates: []Certificate{rsaCertificate},
SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithMD5,
},
Bugs: ProtocolBugs{
IgnorePeerSignatureAlgorithmPreferences: true,
IgnoreSignatureVersionChecks: true,
},
},
flags: []string{"-require-any-client-certificate"},
shouldFail: true,
expectedError: ":WRONG_SIGNATURE_TYPE:",
})
testCases = append(testCases, testCase{
name: "ServerAuth-Enforced-TLS13",
config: Config{
MaxVersion: VersionTLS13,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithMD5,
},
Bugs: ProtocolBugs{
IgnorePeerSignatureAlgorithmPreferences: true,
IgnoreSignatureVersionChecks: true,
},
},
shouldFail: true,
expectedError: ":WRONG_SIGNATURE_TYPE:",
})
// Test that the agreed upon digest respects the client preferences and // Test that the agreed upon digest respects the client preferences and
// the server digests. // the server digests.
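Review bot: The two new cases, `ClientAuth-Enforced-TLS13` and `ServerAuth-Enforced-TLS13`, sign with `signatureRSAPKCS1WithMD5` and expect `:WRONG_SIGNATURE_TYPE:`, but that algorithm is presumably also invalid for TLS 1.3 in its own right. A shim that checked only version validity and never compared against its advertised preferences could therefore still pass both tests. If the shim returns the same error for both conditions, an extra case would isolate preference enforcement: one using an algorithm that is legal in TLS 1.3 but that the shim is configured not to advertise. The new cases also have no comment, and `IgnoreSignatureVersionChecks: true` is not self-explanatory; something like `// TLS 1.3 variants. IgnoreSignatureVersionChecks lets the runner sign with MD5, which it would otherwise refuse in TLS 1.3.` above the first one would help, with the wording confirmed against the runner's behaviour. addSignatureAlgorithmTests continues outside the hunk.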