crypto/tls: disable RSA-PSS in TLS 1.2 again

Signing with RSA-PSS can uncover faulty crypto.Signer implementations,
and it can fail for (broken) small keys. We'll have to take that
breakage eventually, but it would be nice for it to be opt-out at first.

TLS 1.3 requires RSA-PSS and is opt-out in Go 1.13. Instead of making a
TLS 1.3 opt-out influence a TLS 1.2 behavior, let's wait to add RSA-PSS
to TLS 1.2 until TLS 1.3 is on without opt-out.

Note that since the Client Hello is sent before a protocol version is
selected, we have to advertise RSA-PSS there to support TLS 1.3.
That means that we still support RSA-PSS on the client in TLS 1.2 for
verifying server certificates, which is fine, as all issues arise on the
signing side. We have to be careful not to pick (or consider available)
RSA-PSS on the client for client certificates, though.

We'd expect tests to change only in TLS 1.2:

    * the server won't pick PSS to sign the key exchange
      (Server-TLSv12-* w/ RSA, TestHandshakeServerRSAPSS);
    * the server won't advertise PSS in CertificateRequest
      (Server-TLSv12-ClientAuthRequested*, TestClientAuth);
    * and the client won't pick PSS for its CertificateVerify
      (Client-TLSv12-ClientCert-RSA-*, TestHandshakeClientCertRSAPSS,
      Client-TLSv12-Renegotiate* because "R" requests a client cert).

Client-TLSv13-ClientCert-RSA-RSAPSS was updated because of a fix in the test.

This effectively reverts 88343530720a52c96b21f2bd5488c8fb607605d7.

Testing was made more complex by the undocumented semantics of OpenSSL's
-[client_]sigalgs (see openssl/openssl#9172).

Updates #32425

Change-Id: Iaddeb2df1f5c75cd090cc8321df2ac8e8e7db349
Reviewed-on: https://go-review.googlesource.com/c/go/+/182339
Reviewed-by: Adam Langley <agl@golang.org>

1 files changed, 22 insertions, 22 deletions

diff --git a/src/crypto/tls/testdata/Server-TLSv12-RSA-RC4 b/src/crypto/tls/testdata/Server-TLSv12-RSA-RC4
index da549aa32e..78ea1ff929 100644
--- a/src/crypto/tls/testdata/Server-TLSv12-RSA-RC4
+++ b/src/crypto/tls/testdata/Server-TLSv12-RSA-RC4
@@ -1,7 +1,7 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 97 01 00 00  93 03 03 c7 7f 29 46 41  |.............)FA|
-00000010  08 97 7c 3f 77 e0 11 8f  14 30 23 3e fa fc ca f3  |..|?w....0#>....|
-00000020  45 10 83 10 1f 8f 25 b6  9d c1 4d 00 00 04 00 05  |E.....%...M.....|
+00000000  16 03 01 00 97 01 00 00  93 03 03 32 12 2b 12 44  |...........2.+.D|
+00000010  4f 0c 98 c0 fc f6 44 06  3a b1 64 89 a5 8b f4 e4  |O.....D.:.d.....|
+00000020  73 e1 60 1e 51 38 92 f3  83 f3 9f 00 00 04 00 05  |s.`.Q8..........|
 00000030  00 ff 01 00 00 66 00 00  00 0e 00 0c 00 00 09 31  |.....f.........1|
 00000040  32 37 2e 30 2e 30 2e 31  00 0b 00 04 03 00 01 02  |27.0.0.1........|
 00000050  00 0a 00 0c 00 0a 00 1d  00 17 00 1e 00 19 00 18  |................|
@@ -53,23 +53,23 @@
 00000280  b3 3e c0 d1 bd 42 d4 db  fe 3d 13 60 84 5c 21 d3  |.>...B...=.`.\!.|
 00000290  3b e9 fa e7 16 03 03 00  04 0e 00 00 00           |;............|
 >>> Flow 3 (client to server)
-00000000  16 03 03 00 86 10 00 00  82 00 80 d1 b0 57 28 da  |.............W(.|
-00000010  7a f8 46 7c c2 24 0d e0  04 48 33 d4 bc d7 f0 d0  |z.F|.$...H3.....|
-00000020  85 fb ff 22 27 20 91 42  19 55 7b ef d8 fd 72 42  |..."' .B.U{...rB|
-00000030  75 e6 71 e4 9f 67 30 72  68 b6 0e 00 34 d3 2f b8  |u.q..g0rh...4./.|
-00000040  23 1b 00 43 17 68 fd 0f  90 ee 97 16 23 36 90 02  |#..C.h......#6..|
-00000050  5c 71 10 03 80 ea 74 ef  a4 5a ac e4 9f 48 f0 76  |\q....t..Z...H.v|
-00000060  62 43 17 05 7c 8f 59 1d  16 b1 97 48 99 8d 66 5e  |bC..|.Y....H..f^|
-00000070  83 20 b3 02 e4 ac 73 52  b2 24 21 06 5a 49 89 df  |. ....sR.$!.ZI..|
-00000080  4b ad 4e f4 a9 7b 0c 3a  b1 39 5d 14 03 03 00 01  |K.N..{.:.9].....|
-00000090  01 16 03 03 00 24 8b de  7e 10 53 71 e0 0b 68 f6  |.....$..~.Sq..h.|
-000000a0  36 67 66 c2 b9 0a c0 3e  39 0d ab 2e eb 5e eb 06  |6gf....>9....^..|
-000000b0  a6 45 2b d7 48 8f c0 5e  f3 a0                    |.E+.H..^..|
+00000000  16 03 03 00 86 10 00 00  82 00 80 85 ad 31 da a9  |.............1..|
+00000010  fd 0f 5c ca aa 28 d1 08  7d 76 b4 5b b2 09 f4 e0  |..\..(..}v.[....|
+00000020  65 3a 82 7e f8 03 5f c9  82 ae fb 04 f8 f1 dc bc  |e:.~.._.........|
+00000030  b9 2f e8 b4 4c b0 5a de  c8 99 88 99 0b 03 ed 7f  |./..L.Z.........|
+00000040  e4 84 a0 6b 6d 55 1e f6  ea 9f 5a 55 1e 5c e5 f1  |...kmU....ZU.\..|
+00000050  f4 8a f3 7b 7c 20 fc 4b  5d 31 98 c3 bb ce ba 6a  |...{| .K]1.....j|
+00000060  e8 e5 58 a1 db 5a 84 7d  ef cd 17 52 2f 66 31 d2  |..X..Z.}...R/f1.|
+00000070  27 e4 29 1c 9e e0 39 a9  e0 7f 5f 25 d7 49 95 28  |'.)...9..._%.I.(|
+00000080  08 67 1e 25 5f 12 39 b0  a5 63 85 14 03 03 00 01  |.g.%_.9..c......|
+00000090  01 16 03 03 00 24 88 e9  9e 1d 16 8f f7 6e b1 c9  |.....$.......n..|
+000000a0  06 dc 50 e7 40 da 21 84  de 97 e6 a2 8d 78 96 9a  |..P.@.!......x..|
+000000b0  39 9d aa 91 43 15 0f cf  f4 e9                    |9...C.....|
 >>> Flow 4 (server to client)
-00000000  14 03 03 00 01 01 16 03  03 00 24 ee dc 70 d2 3a  |..........$..p.:|
-00000010  f1 9c c6 c8 01 01 84 4f  3c 95 a3 ac 7a 78 92 3d  |.......O<...zx.=|
-00000020  8c 05 a1 db 34 fe 92 f2  9e f3 81 a1 33 a5 7f 17  |....4.......3...|
-00000030  03 03 00 21 6e a9 f8 f9  99 0b c1 f5 8a d0 ab 93  |...!n...........|
-00000040  15 4d 2f 24 1c 0b 43 77  cf 14 60 87 b0 8d f7 80  |.M/$..Cw..`.....|
-00000050  c0 69 ea f6 9e 15 03 03  00 16 ef 09 73 d8 06 ec  |.i..........s...|
-00000060  b8 02 14 9c d3 39 32 d4  3d 94 ec 17 79 1d a9 d3  |.....92.=...y...|
+00000000  14 03 03 00 01 01 16 03  03 00 24 c5 34 41 0f 31  |..........$.4A.1|
+00000010  5a 94 d7 4b a9 0a 4e bf  b9 22 ec 76 2c 1f f5 e9  |Z..K..N..".v,...|
+00000020  6b 7b 26 df 41 62 91 b6  dc db 23 2b 8d 3d 49 17  |k{&.Ab....#+.=I.|
+00000030  03 03 00 21 72 31 77 51  94 c5 d4 eb 7c 18 ab 87  |...!r1wQ....|...|
+00000040  29 43 3b c5 78 aa 5c 4a  06 d3 42 5c 61 39 86 12  |)C;.x.\J..B\a9..|
+00000050  b1 ae f6 f7 97 15 03 03  00 16 8a 0e 1d 5c e0 18  |.............\..|
+00000060  12 93 ac 6c 69 32 59 b8  15 88 82 1c 97 f3 5b 9c  |...li2Y.......[.|