diff options
| author | Filippo Valsorda <filippo@golang.org> | 2019-06-13 18:33:33 -0400 |
|---|---|---|
| committer | Filippo Valsorda <filippo@golang.org> | 2019-06-19 19:59:14 +0000 |
| commit | 0b3a57b5374bba3fdf88258e2be4c8be65e6a5de (patch) | |
| tree | 60f2c993a944c3c0f7f82a5c265ac8d5d956b375 /src/crypto/tls/handshake_client.go | |
| parent | 0ab1cc33ef35147b0e1248f2a9d669ae193d6b3e (diff) | |
| download | go-0b3a57b5374bba3fdf88258e2be4c8be65e6a5de.tar.xz | |
crypto/tls: disable RSA-PSS in TLS 1.2 again
Signing with RSA-PSS can uncover faulty crypto.Signer implementations,
and it can fail for (broken) small keys. We'll have to take that
breakage eventually, but it would be nice for it to be opt-out at first.
TLS 1.3 requires RSA-PSS and is opt-out in Go 1.13. Instead of making a
TLS 1.3 opt-out influence a TLS 1.2 behavior, let's wait to add RSA-PSS
to TLS 1.2 until TLS 1.3 is on without opt-out.
Note that since the Client Hello is sent before a protocol version is
selected, we have to advertise RSA-PSS there to support TLS 1.3.
That means that we still support RSA-PSS on the client in TLS 1.2 for
verifying server certificates, which is fine, as all issues arise on the
signing side. We have to be careful not to pick (or consider available)
RSA-PSS on the client for client certificates, though.
We'd expect tests to change only in TLS 1.2:
* the server won't pick PSS to sign the key exchange
(Server-TLSv12-* w/ RSA, TestHandshakeServerRSAPSS);
* the server won't advertise PSS in CertificateRequest
(Server-TLSv12-ClientAuthRequested*, TestClientAuth);
* and the client won't pick PSS for its CertificateVerify
(Client-TLSv12-ClientCert-RSA-*, TestHandshakeClientCertRSAPSS,
Client-TLSv12-Renegotiate* because "R" requests a client cert).
Client-TLSv13-ClientCert-RSA-RSAPSS was updated because of a fix in the test.
This effectively reverts 88343530720a52c96b21f2bd5488c8fb607605d7.
Testing was made more complex by the undocumented semantics of OpenSSL's
-[client_]sigalgs (see openssl/openssl#9172).
Updates #32425
Change-Id: Iaddeb2df1f5c75cd090cc8321df2ac8e8e7db349
Reviewed-on: https://go-review.googlesource.com/c/go/+/182339
Reviewed-by: Adam Langley <agl@golang.org>
Diffstat (limited to 'src/crypto/tls/handshake_client.go')
| -rw-r--r-- | src/crypto/tls/handshake_client.go | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go index 19a7e92d87..ed000eb619 100644 --- a/src/crypto/tls/handshake_client.go +++ b/src/crypto/tls/handshake_client.go @@ -573,7 +573,7 @@ func (hs *clientHandshakeState) doFullHandshake() error { return fmt.Errorf("tls: client certificate private key of type %T does not implement crypto.Signer", chainToSend.PrivateKey) } - signatureAlgorithm, sigType, hashFunc, err := pickSignatureAlgorithm(key.Public(), certReq.supportedSignatureAlgorithms, hs.hello.supportedSignatureAlgorithms, c.vers) + signatureAlgorithm, sigType, hashFunc, err := pickSignatureAlgorithm(key.Public(), certReq.supportedSignatureAlgorithms, supportedSignatureAlgorithmsTLS12, c.vers) if err != nil { c.sendAlert(alertInternalError) return err @@ -899,10 +899,8 @@ func certificateRequestInfoFromMsg(certReq *certificateRequestMsg) *CertificateR return cri } - // In TLS 1.2, the signature schemes apply to both the certificate chain and - // the leaf key, while the certificate types only apply to the leaf key. + // Filter the signature schemes based on the certificate types. // See RFC 5246, Section 7.4.4 (where it calls this "somewhat complicated"). - // Filter the signature schemes based on the certificate type. cri.SignatureSchemes = make([]SignatureScheme, 0, len(certReq.supportedSignatureAlgorithms)) for _, sigScheme := range certReq.supportedSignatureAlgorithms { switch signatureFromSignatureScheme(sigScheme) { |