crypto/tls: re-enable RSA-PSS in TLS 1.2 again

TLS 1.3, which requires RSA-PSS, is now enabled without a GODEBUG
opt-out, and with the introduction of
Certificate.SupportedSignatureAlgorithms (#28660) there is a
programmatic way to avoid RSA-PSS (disable TLS 1.3 with MaxVersion and
use that field to specify only PKCS#1 v1.5 SignatureSchemes).

This effectively reverts 0b3a57b,
although following CL 205061 all of the signing-side logic is
conveniently centralized in signatureSchemesForCertificate.

Fixes #32425

Change-Id: I7c9a8893bb5d518d86eae7db82612b9b2cd257d7
Reviewed-on: https://go-review.googlesource.com/c/go/+/205063
Run-TryBot: Filippo Valsorda <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>
Reviewed-by: Katie Hockman <[email protected]>
Reviewed-by: Adam Langley <[email protected]>

Author: FiloSottile

src/crypto/tls/auth.go

@@ -191,10 +191,9 @@ func signatureSchemesForCertificate(version uint16, cert *Certificate) []Signatu
 	case *rsa.PublicKey:
 		if version != VersionTLS13 {
 			sigAlgs = []SignatureScheme{
-				// Temporarily disable RSA-PSS in TLS 1.2, see Issue 32425.
-				// PSSWithSHA256,
-				// PSSWithSHA384,
-				// PSSWithSHA512,
+				PSSWithSHA256,
+				PSSWithSHA384,
+				PSSWithSHA512,
 				PKCS1WithSHA256,
 				PKCS1WithSHA384,
 				PKCS1WithSHA512,

src/crypto/tls/auth_test.go

@@ -39,7 +39,7 @@ func TestSignatureSelection(t *testing.T) {
 	}{
 		{rsaCert, []SignatureScheme{PKCS1WithSHA1, PKCS1WithSHA256}, VersionTLS12, PKCS1WithSHA1, signaturePKCS1v15, crypto.SHA1},
 		{rsaCert, []SignatureScheme{PKCS1WithSHA512, PKCS1WithSHA1}, VersionTLS12, PKCS1WithSHA512, signaturePKCS1v15, crypto.SHA512},
-		{rsaCert, []SignatureScheme{PSSWithSHA256, PKCS1WithSHA256}, VersionTLS12, PKCS1WithSHA256, signaturePKCS1v15, crypto.SHA256},
+		{rsaCert, []SignatureScheme{PSSWithSHA256, PKCS1WithSHA256}, VersionTLS12, PSSWithSHA256, signatureRSAPSS, crypto.SHA256},
 		{pkcs1Cert, []SignatureScheme{PSSWithSHA256, PKCS1WithSHA256}, VersionTLS12, PKCS1WithSHA256, signaturePKCS1v15, crypto.SHA256},
 		{rsaCert, []SignatureScheme{PSSWithSHA384, PKCS1WithSHA1}, VersionTLS13, PSSWithSHA384, signatureRSAPSS, crypto.SHA384},
 		{ecdsaCert, []SignatureScheme{ECDSAWithSHA1}, VersionTLS12, ECDSAWithSHA1, signatureECDSA, crypto.SHA1},

src/crypto/tls/common.go

@@ -192,21 +192,6 @@ var supportedSignatureAlgorithms = []SignatureScheme{
 	ECDSAWithSHA1,
 }
 
-// supportedSignatureAlgorithmsTLS12 contains the signature and hash algorithms
-// that are supported in TLS 1.2, where it is possible to distinguish the
-// protocol version. This is temporary, see Issue 32425.
-var supportedSignatureAlgorithmsTLS12 = []SignatureScheme{
-	PKCS1WithSHA256,
-	ECDSAWithP256AndSHA256,
-	Ed25519,
-	PKCS1WithSHA384,
-	PKCS1WithSHA512,
-	ECDSAWithP384AndSHA384,
-	ECDSAWithP521AndSHA512,
-	PKCS1WithSHA1,
-	ECDSAWithSHA1,
-}
-
 // helloRetryRequestRandom is set as the Random value of a ServerHello
 // to signal that the message is actually a HelloRetryRequest.
 var helloRetryRequestRandom = []byte{ // See RFC 8446, Section 4.1.3.

src/crypto/tls/handshake_client_test.go

@@ -837,19 +837,8 @@ func TestHandshakeClientCertRSAPSS(t *testing.T) {
 		cert:   testRSAPSSCertificate,
 		key:    testRSAPrivateKey,
 	}
-	runClientTestTLS13(t, test)
-
-	// In our TLS 1.2 client, RSA-PSS is only supported for server certificates.
-	// See Issue 32425.
-	test = &clientTest{
-		name: "ClientCert-RSA-RSAPSS",
-		args: []string{"-cipher", "AES128", "-Verify", "1", "-client_sigalgs",
-			"rsa_pkcs1_sha256", "-sigalgs", "rsa_pss_rsae_sha256"},
-		config: config,
-		cert:   testRSAPSSCertificate,
-		key:    testRSAPrivateKey,
-	}
 	runClientTestTLS12(t, test)
+	runClientTestTLS13(t, test)
 }
 
 func TestHandshakeClientCertRSAPKCS1v15(t *testing.T) {

src/crypto/tls/handshake_server.go

@@ -492,7 +492,7 @@ func (hs *serverHandshakeState) doFullHandshake() error {
 		}
 		if c.vers >= VersionTLS12 {
 			certReq.hasSignatureAlgorithm = true
-			certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithmsTLS12
+			certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms
 		}
 
 		// An empty list of certificateAuthorities signals to

src/crypto/tls/handshake_server_test.go

@@ -1181,16 +1181,10 @@ func TestHandshakeServerRSAPKCS1v15(t *testing.T) {
 
 func TestHandshakeServerRSAPSS(t *testing.T) {
 	test := &serverTest{
-		name:                          "RSA-RSAPSS",
-		command:                       []string{"openssl", "s_client", "-no_ticket", "-sigalgs", "rsa_pss_rsae_sha256"},
-		expectHandshakeErrorIncluding: "peer doesn't support any of the certificate's signature algorithms", // See Issue 32425.
-	}
-	runServerTestTLS12(t, test)
-
-	test = &serverTest{
 		name:    "RSA-RSAPSS",
 		command: []string{"openssl", "s_client", "-no_ticket", "-sigalgs", "rsa_pss_rsae_sha256"},
 	}
+	runServerTestTLS12(t, test)
 	runServerTestTLS13(t, test)
 }
 
@@ -1349,21 +1343,14 @@ func TestClientAuth(t *testing.T) {
 	runServerTestTLS12(t, test)
 	runServerTestTLS13(t, test)
 
-	test = &serverTest{
-		name: "ClientAuthRequestedAndGiven",
-		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA",
-			"-cert", certPath, "-key", keyPath, "-client_sigalgs", "rsa_pss_rsae_sha256"},
-		config:            config,
-		expectedPeerCerts: []string{}, // See Issue 32425.
-	}
-	runServerTestTLS12(t, test)
 	test = &serverTest{
 		name: "ClientAuthRequestedAndGiven",
 		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA",
 			"-cert", certPath, "-key", keyPath, "-client_sigalgs", "rsa_pss_rsae_sha256"},
 		config:            config,
 		expectedPeerCerts: []string{clientCertificatePEM},
 	}
+	runServerTestTLS12(t, test)
 	runServerTestTLS13(t, test)
 
 	test = &serverTest{
@@ -1656,12 +1643,6 @@ T+E0J8wlH24pgwQHzy7Ko2qLwn1b5PW8ecrlvP1g
 	err = client.Handshake()
 	expectError(t, err, "handshake failure")
 	<-done
-
-	// In TLS 1.2 RSA-PSS is not used, so this should succeed. See Issue 32425.
-	serverConfig := testConfig.Clone()
-	serverConfig.Certificates = []Certificate{cert}
-	serverConfig.MaxVersion = VersionTLS12
-	testHandshake(t, testConfig, serverConfig)
 }
 
 func TestMultipleCertificates(t *testing.T) {

src/crypto/tls/testdata/Client-TLSv12-ClientCert-RSA-AES256-GCM-SHA384

@@ -16,11 +16,11 @@
 000000e0  e5 7d a3 47 cd 62 43 15  28 da ac 5f bb 29 07 30  |.}.G.bC.(.._.).0|
 000000f0  ff f6 84 af c4 cf c2 ed  90 99 5f 58 cb 3b 74     |.........._X.;t|
 >>> Flow 2 (server to client)
-00000000  16 03 03 00 59 02 00 00  55 03 03 41 6b 69 65 47  |....Y...U..AkieG|
-00000010  8c 15 2f d5 6d 1a 3d 0c  ff 56 ad 42 31 6c 1f 86  |../.m.=..V.B1l..|
-00000020  06 62 e3 e4 18 9c 5c 47  9e 8c 66 20 af ba 7c 62  |.b....\G..f ..|b|
-00000030  c2 32 f4 49 f1 8d f4 ba  7a 51 23 32 46 96 7e b8  |.2.I....zQ#2F.~.|
-00000040  f0 2c ae 0a d4 04 49 16  4a 64 79 c8 c0 30 00 00  |.,....I.Jdy..0..|
+00000000  16 03 03 00 59 02 00 00  55 03 03 d4 20 b3 4c 6a  |....Y...U... .Lj|
+00000010  69 44 3f f7 ab 15 35 85  ca 71 02 b0 70 18 8e d6  |iD?...5..q..p...|
+00000020  61 d5 34 08 42 de cf a1  57 32 96 20 8c b4 72 dd  |a.4.B...W2. ..r.|
+00000030  63 93 e6 13 9d 4a ec 75  d9 a1 a6 9e 5e 02 f5 63  |c....J.u....^..c|
+00000040  29 1a 78 9f 94 9f 6c 58  b5 91 ae 63 c0 30 00 00  |).x...lX...c.0..|
 00000050  0d ff 01 00 01 00 00 0b  00 04 03 00 01 02 16 03  |................|
 00000060  03 02 59 0b 00 02 55 00  02 52 00 02 4f 30 82 02  |..Y...U..R..O0..|
 00000070  4b 30 82 01 b4 a0 03 02  01 02 02 09 00 e8 f0 9d  |K0..............|
@@ -60,17 +60,17 @@
 00000290  77 8d 0c 1c f1 0f a1 d8  40 83 61 c9 4c 72 2b 9d  |[email protected]+.|
 000002a0  ae db 46 06 06 4d f4 c1  b3 3e c0 d1 bd 42 d4 db  |..F..M...>...B..|
 000002b0  fe 3d 13 60 84 5c 21 d3  3b e9 fa e7 16 03 03 00  |.=.`.\!.;.......|
-000002c0  ac 0c 00 00 a8 03 00 1d  20 9e 80 b0 95 af 3b 4c  |........ .....;L|
-000002d0  e7 fb 97 65 d0 36 8f 97  88 0d 3b 5d a0 21 a8 78  |...e.6....;].!.x|
-000002e0  81 39 4c 80 5c 58 52 6e  68 08 04 00 80 41 c6 e7  |.9L.\XRnh....A..|
-000002f0  c9 48 c1 be 17 a6 a3 3c  3a de c8 c8 86 6e 70 37  |.H.....<:....np7|
-00000300  2f d3 ed 8a dd 3a 73 5c  b5 23 49 a8 4a fe e9 2b  |/....:s\.#I.J..+|
-00000310  4e 99 43 b8 e8 05 f9 fe  90 bf 74 be 92 3d d8 a3  |N.C.......t..=..|
-00000320  c2 b2 38 80 1c 82 1f 35  e1 2e 04 bf a6 0a ec 3f  |..8....5.......?|
-00000330  81 4c a2 2b 19 8f 91 4c  51 b5 0d 52 1e 69 84 0a  |.L.+...LQ..R.i..|
-00000340  b0 cb de 41 1a bd a6 3d  50 9a ca d2 c0 26 11 3f  |...A...=P....&.?|
-00000350  cd 80 b4 2d 6e 03 f2 c5  2b cd 9c b6 a4 d8 e6 cf  |...-n...+.......|
-00000360  ec 1d 7a a9 17 59 6c 89  17 2f 64 0a 7c 16 03 03  |..z..Yl../d.|...|
+000002c0  ac 0c 00 00 a8 03 00 1d  20 a2 bd 95 3e 0c 9f ad  |........ ...>...|
+000002d0  11 59 e0 6a c1 21 0c 6c  86 cc f1 ce bd a0 30 5d  |.Y.j.!.l......0]|
+000002e0  53 1e 75 f9 55 af 49 7b  31 08 04 00 80 d4 8b 11  |S.u.U.I{1.......|
+000002f0  ca 22 14 79 a3 e8 b6 c7  d0 d6 1b 17 42 93 47 30  |.".y........B.G0|
+00000300  ab 50 0e c9 0c 92 88 96  b4 63 4e 4e ac 7f dd c8  |.P.......cNN....|
+00000310  8f 85 07 5b 95 c5 0a c0  4e 6d 4f 51 ba d8 d7 db  |...[....NmOQ....|
+00000320  14 70 80 4f 68 d9 b4 39  e7 48 27 21 76 4c 79 a4  |.p.Oh..9.H'!vLy.|
+00000330  60 91 d7 2f 75 69 04 1a  da 71 ff b8 4d 78 d8 e7  |`../ui...q..Mx..|
+00000340  ca f2 f2 1e 71 21 b3 a0  44 a7 6c 99 16 a1 c9 f8  |....q!..D.l.....|
+00000350  f0 de e8 99 12 7b 3d a2  e3 15 fa 63 62 e9 1b 72  |.....{=....cb..r|
+00000360  c8 bb 27 38 4a 48 66 1d  dd fb ef 6f d1 16 03 03  |..'8JHf....o....|
 00000370  00 3a 0d 00 00 36 03 01  02 40 00 2e 04 03 05 03  |.:...6...@......|
 00000380  06 03 08 07 08 08 08 09  08 0a 08 0b 08 04 08 05  |................|
 00000390  08 06 04 01 05 01 06 01  03 03 02 03 03 01 02 01  |................|
@@ -112,26 +112,26 @@
 00000200  e5 35 16 03 03 00 25 10  00 00 21 20 2f e5 7d a3  |.5....%...! /.}.|
 00000210  47 cd 62 43 15 28 da ac  5f bb 29 07 30 ff f6 84  |G.bC.(.._.).0...|
 00000220  af c4 cf c2 ed 90 99 5f  58 cb 3b 74 16 03 03 00  |......._X.;t....|
-00000230  88 0f 00 00 84 04 01 00  80 29 22 23 51 c5 71 4a  |.........)"#Q.qJ|
-00000240  32 eb 72 6b f2 c8 46 99  df fe d5 a7 0c 55 3c 40  |2.rk..F......U<@|
-00000250  e1 1e 09 4c 40 83 8a 0d  67 27 63 21 d2 36 66 8f  |...L@...g'c!.6f.|
-00000260  cb 97 4b 87 8a ed 9a 44  81 97 34 4b 9b 12 27 f5  |..K....D..4K..'.|
-00000270  d8 63 9b 1f cf d7 b4 2b  54 99 86 2d cd 36 9f 3e  |.c.....+T..-.6.>|
-00000280  92 af 5a a6 0c 8a e0 e3  d3 b9 9b 47 ea 67 61 69  |..Z........G.gai|
-00000290  d8 c1 86 1d fd 43 d4 1f  5c f5 48 d8 4a 97 a7 0f  |.....C..\.H.J...|
-000002a0  57 59 b0 5f e8 24 3f 9e  1d 96 3d 4b be 9c fa e3  |WY._.$?...=K....|
-000002b0  3b 34 7e aa 67 d7 cc ea  78 14 03 03 00 01 01 16  |;4~.g...x.......|
-000002c0  03 03 00 28 00 00 00 00  00 00 00 00 33 b3 7b c9  |...(........3.{.|
-000002d0  3f e8 7d 08 3d 65 a3 22  fa e3 04 79 d9 9f 54 a3  |?.}.=e."...y..T.|
-000002e0  45 e7 64 b2 5d 95 cf dd  88 cc ba 0b              |E.d.].......|
+00000230  88 0f 00 00 84 08 04 00  80 2e bf 05 22 82 a7 d6  |............"...|
+00000240  e9 08 ff 9b 10 d3 4a 6c  c4 73 5c 78 88 05 0c 15  |......Jl.s\x....|
+00000250  b7 8c 78 49 64 2d 58 67  ef 8f db c0 67 fa 32 6e  |..xId-Xg....g.2n|
+00000260  65 45 90 a0 69 5c fb ba  e0 16 1c d4 81 1d 24 89  |eE..i\........$.|
+00000270  35 27 14 15 19 0b 86 ee  6a f2 b4 a5 27 61 5f 1f  |5'......j...'a_.|
+00000280  cc 47 7c 01 ed a9 ff ed  61 45 3f 53 1c 82 c8 cd  |.G|.....aE?S....|
+00000290  48 e4 89 82 12 d7 d2 ff  fa 32 b3 e6 9d ce 75 75  |H........2....uu|
+000002a0  d1 cd b2 a8 56 a6 a6 63  da 8d ed 27 13 01 9a 56  |....V..c...'...V|
+000002b0  a2 26 b4 6c af 27 f6 4f  1b 14 03 03 00 01 01 16  |.&.l.'.O........|
+000002c0  03 03 00 28 00 00 00 00  00 00 00 00 f0 e8 32 33  |...(..........23|
+000002d0  50 df 73 17 3c 58 f2 c9  30 2e 5d e9 00 4f 4b 33  |P.s.<X..0.]..OK3|
+000002e0  22 12 f7 f0 62 d0 62 3e  ed 36 b8 58              |"...b.b>.6.X|
 >>> Flow 4 (server to client)
-00000000  14 03 03 00 01 01 16 03  03 00 28 7e 38 ab 82 0c  |..........(~8...|
-00000010  fd fa b9 83 3e 77 ed 22  b5 9d d3 c1 ca cd 18 c5  |....>w."........|
-00000020  1c 01 a0 b8 8b 96 20 92  7b bd 0a 33 ee fe be 75  |...... .{..3...u|
-00000030  95 6e 0c                                          |.n.|
+00000000  14 03 03 00 01 01 16 03  03 00 28 14 ce b1 86 0e  |..........(.....|
+00000010  9f ce 73 25 44 b7 3e a9  25 db a8 93 d9 39 33 75  |..s%D.>.%....93u|
+00000020  2f a9 7f 97 6a 76 28 fe  e2 84 5f 1e 84 66 b4 c8  |/...jv(..._..f..|
+00000030  45 e7 64                                          |E.d|
 >>> Flow 5 (client to server)
-00000000  17 03 03 00 1e 00 00 00  00 00 00 00 01 9d f0 cd  |................|
-00000010  53 8d 1a 45 ae 4a e4 01  97 dd ac f1 00 d3 aa b6  |S..E.J..........|
-00000020  bf c9 bc 15 03 03 00 1a  00 00 00 00 00 00 00 02  |................|
-00000030  aa 1b 41 d5 f5 68 41 b8  32 94 9b 23 f8 60 7b 60  |..A..hA.2..#.`{`|
-00000040  2c 8a                                             |,.|
+00000000  17 03 03 00 1e 00 00 00  00 00 00 00 01 3b 17 73  |.............;.s|
+00000010  78 d6 3a b4 6d 3a 61 52  f6 a5 8c dd 18 3e ff 04  |x.:.m:aR.....>..|
+00000020  d9 3f 22 15 03 03 00 1a  00 00 00 00 00 00 00 02  |.?".............|
+00000030  32 8d 5d 07 14 a9 d2 1c  dd 1e 2f 3d 89 a9 8f 1d  |2.]......./=....|
+00000040  08 0f                                             |..|