bogo fix: extend -signing-prefs 'hack' for TLS 1.3

reneme · Hannes Rantzsch · commit 348a5bbdd107 · 2022-04-19T11:48:25.000+02:00
diff --git a/src/bogo_shim/bogo_shim.cpp b/src/bogo_shim/bogo_shim.cpp
@@ -897,10 +897,17 @@ class Shim_Policy final : public Botan::TLS::Policy
                schemes.emplace_back(static_cast<uint16_t>(pref));
                }
 
-            // BoGo gets sad if these are not included in our signature_algorithms extension
+            // The relevant tests (*-Sign-Negotiate-*) want to configure a preference
+            // for the scheme of our signing operation (-signing-prefs). However, this
+            // policy method (`allowed_signature_schemes`) also restricts the peer's
+            // signing operation. If we weren't to add a few 'common' algorithms, initial
+            // security parameter negotiation would fail.
+            // By placing the BoGo-configured scheme first we make sure our implementation
+            // meets BoGo's expectation when it is our turn to sign.
             if(!m_args.flag_set("server"))
                {
                schemes.emplace_back(Botan::TLS::Signature_Scheme::RSA_PKCS1_SHA256);
+               schemes.emplace_back(Botan::TLS::Signature_Scheme::RSA_PSS_SHA256);
                schemes.emplace_back(Botan::TLS::Signature_Scheme::ECDSA_SHA256);
                }
 
diff --git a/src/bogo_shim/config.json b/src/bogo_shim/config.json
@@ -114,12 +114,6 @@
         "*EarlyData*": "No TLS 1.3 Early Data, yet",
         "TLS13-1RTT-Client-*": "No TLS 1.3 Early Data, yet",
 
-        "Client-Sign-Negotiate-ECDSA_P256_SHA256-TLS13": "Need investigation before merging GH #2957",
-        "Client-Sign-Negotiate-ECDSA_P384_SHA384-TLS13": "Need investigation before merging GH #2957",
-        "Client-Sign-Negotiate-ECDSA_P521_SHA512-TLS13": "Need investigation before merging GH #2957",
-        "Client-Sign-Negotiate-RSA_PSS_SHA384-TLS13": "Need investigation before merging GH #2957",
-        "Client-Sign-Negotiate-RSA_PSS_SHA512-TLS13": "Need investigation before merging GH #2957",
-
         "SendNoClientCertificateExtensions-TLS13": "-signed-cert-timestamps currently not supported in the shim",
         "KeyUpdate-RequestACK-UnfinishedWrite": "-read-with-unfinished-write currently not supported in the shim",
 

Original file line number	Diff line number	Diff line change
`@@ -897,10 +897,17 @@ class Shim_Policy final : public Botan::TLS::Policy`
`897`	`897`	`schemes.emplace_back(static_cast<uint16_t>(pref));`
`898`	`898`	`}`
`899`	`899`
`900`		`- // BoGo gets sad if these are not included in our signature_algorithms extension`
	`900`	`+ // The relevant tests (-Sign-Negotiate-) want to configure a preference`
	`901`	`+ // for the scheme of our signing operation (-signing-prefs). However, this`
	`902`	+ // policy method (`allowed_signature_schemes`) also restricts the peer's
	`903`	`+ // signing operation. If we weren't to add a few 'common' algorithms, initial`
	`904`	`+ // security parameter negotiation would fail.`
	`905`	`+ // By placing the BoGo-configured scheme first we make sure our implementation`
	`906`	`+ // meets BoGo's expectation when it is our turn to sign.`
`901`	`907`	`if(!m_args.flag_set("server"))`
`902`	`908`	`{`
`903`	`909`	`schemes.emplace_back(Botan::TLS::Signature_Scheme::RSA_PKCS1_SHA256);`
	`910`	`+ schemes.emplace_back(Botan::TLS::Signature_Scheme::RSA_PSS_SHA256);`
`904`	`911`	`schemes.emplace_back(Botan::TLS::Signature_Scheme::ECDSA_SHA256);`
`905`	`912`	`}`
`906`	`913`