From aff697f53de44c995e8905e72be68bfc3e6a9ece Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <filippo@golang.org>
Date: Mon, 4 Nov 2019 02:14:18 -0500
Subject: [PATCH] crypto/tls: take key size into account in signature algorithm
selection
Fixes #29793
Change-Id: I6e389d166c2d9a2ba8664a41f4b9569f2481b27f
Reviewed-on: https://go-review.googlesource.com/c/go/+/205177
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
---
auth.go | 41 ++++----
auth_test.go | 2 +
handshake_server_test.go | 14 ++-
testdata/Server-TLSv12-RSA-RSAPSS | 39 ++------
testdata/Server-TLSv13-RSA-RSAPSS | 105 ++-------------------
testdata/Server-TLSv13-RSA-RSAPSS-TooSmall | 16 ++++
6 files changed, 71 insertions(+), 146 deletions(-)
create mode 100644 testdata/Server-TLSv13-RSA-RSAPSS-TooSmall
diff --git a/auth.go b/auth.go
index 1407249..009f8d3 100644
--- a/auth.go
+++ b/auth.go
@@ -153,6 +153,25 @@ func legacyTypeAndHashFromPublicKey(pub crypto.PublicKey) (sigType uint8, hash c
}
}
+var rsaSignatureSchemes = []struct {
+ scheme SignatureScheme
+ minModulusBytes int
+ maxVersion uint16
+}{
+ // RSA-PSS is used with PSSSaltLengthEqualsHash, and requires
+ // emLen >= hLen + sLen + 2
+ {PSSWithSHA256, crypto.SHA256.Size()*2 + 2, VersionTLS13},
+ {PSSWithSHA384, crypto.SHA384.Size()*2 + 2, VersionTLS13},
+ {PSSWithSHA512, crypto.SHA512.Size()*2 + 2, VersionTLS13},
+ // PKCS#1 v1.5 uses prefixes from hashPrefixes in crypto/rsa, and requires
+ // emLen >= len(prefix) + hLen + 11
+ // TLS 1.3 dropped support for PKCS#1 v1.5 in favor of RSA-PSS.
+ {PKCS1WithSHA256, 19 + crypto.SHA256.Size() + 11, VersionTLS12},
+ {PKCS1WithSHA384, 19 + crypto.SHA384.Size() + 11, VersionTLS12},
+ {PKCS1WithSHA512, 19 + crypto.SHA512.Size() + 11, VersionTLS12},
+ {PKCS1WithSHA1, 15 + crypto.SHA1.Size() + 11, VersionTLS12},
+}
+
// signatureSchemesForCertificate returns the list of supported SignatureSchemes
// for a given certificate, based on the public key and the protocol version,
// and optionally filtered by its explicit SupportedSignatureAlgorithms.
@@ -189,23 +208,12 @@ func signatureSchemesForCertificate(version uint16, cert *Certificate) []Signatu
return nil
}
case *rsa.PublicKey:
- if version != VersionTLS13 {
- sigAlgs = []SignatureScheme{
- PSSWithSHA256,
- PSSWithSHA384,
- PSSWithSHA512,
- PKCS1WithSHA256,
- PKCS1WithSHA384,
- PKCS1WithSHA512,
- PKCS1WithSHA1,
+ size := pub.Size()
+ sigAlgs = make([]SignatureScheme, 0, len(rsaSignatureSchemes))
+ for _, candidate := range rsaSignatureSchemes {
+ if size >= candidate.minModulusBytes && version <= candidate.maxVersion {
+ sigAlgs = append(sigAlgs, candidate.scheme)
}
- break
- }
- // TLS 1.3 dropped support for PKCS#1 v1.5 in favor of RSA-PSS.
- sigAlgs = []SignatureScheme{
- PSSWithSHA256,
- PSSWithSHA384,
- PSSWithSHA512,
}
case ed25519.PublicKey:
sigAlgs = []SignatureScheme{Ed25519}
@@ -275,6 +283,7 @@ func unsupportedCertificateError(cert *Certificate) error {
return fmt.Errorf("tls: unsupported certificate curve (%s)", pub.Curve.Params().Name)
}
case *rsa.PublicKey:
+ return fmt.Errorf("tls: certificate RSA key size too small for supported signature algorithms")
case ed25519.PublicKey:
default:
return fmt.Errorf("tls: unsupported certificate key (%T)", pub)
diff --git a/auth_test.go b/auth_test.go
index 0b39442..c8d8c8f 100644
--- a/auth_test.go
+++ b/auth_test.go
@@ -108,6 +108,8 @@ func TestSignatureSelection(t *testing.T) {
{rsaCert, []SignatureScheme{PKCS1WithSHA256}, VersionTLS13},
{pkcs1Cert, []SignatureScheme{PSSWithSHA256, PKCS1WithSHA256}, VersionTLS13},
{ecdsaCert, []SignatureScheme{ECDSAWithSHA1}, VersionTLS13},
+ // The key can be too small for the hash.
+ {rsaCert, []SignatureScheme{PSSWithSHA512}, VersionTLS12},
}
for testNo, test := range badTests {
diff --git a/handshake_server_test.go b/handshake_server_test.go
index e242181..2a44af0 100644
--- a/handshake_server_test.go
+++ b/handshake_server_test.go
@@ -1180,12 +1180,22 @@ func TestHandshakeServerRSAPKCS1v15(t *testing.T) {
}
func TestHandshakeServerRSAPSS(t *testing.T) {
+ // We send rsa_pss_rsae_sha512 first, as the test key won't fit, and we
+ // verify the server implementation will disregard the client preference in
+ // that case. See Issue 29793.
test := &serverTest{
name: "RSA-RSAPSS",
- command: []string{"openssl", "s_client", "-no_ticket", "-sigalgs", "rsa_pss_rsae_sha256"},
+ command: []string{"openssl", "s_client", "-no_ticket", "-sigalgs", "rsa_pss_rsae_sha512:rsa_pss_rsae_sha256"},
}
runServerTestTLS12(t, test)
runServerTestTLS13(t, test)
+
+ test = &serverTest{
+ name: "RSA-RSAPSS-TooSmall",
+ command: []string{"openssl", "s_client", "-no_ticket", "-sigalgs", "rsa_pss_rsae_sha512"},
+ expectHandshakeErrorIncluding: "peer doesn't support any of the certificate's signature algorithms",
+ }
+ runServerTestTLS13(t, test)
}
func TestHandshakeServerEd25519(t *testing.T) {
@@ -1637,7 +1647,7 @@ T+E0J8wlH24pgwQHzy7Ko2qLwn1b5PW8ecrlvP1g
config.MinVersion = VersionTLS13
server := Server(serverConn, config)
err := server.Handshake()
- expectError(t, err, "key size too small for PSS signature")
+ expectError(t, err, "key size too small")
close(done)
}()
err = client.Handshake()
diff --git a/testdata/Server-TLSv12-RSA-RSAPSS b/testdata/Server-TLSv12-RSA-RSAPSS
index fdc3c1a..465d8db 100644
--- a/testdata/Server-TLSv12-RSA-RSAPSS
+++ b/testdata/Server-TLSv12-RSA-RSAPSS
@@ -1,14 +1,14 @@
>>> Flow 1 (client to server)
-00000000 16 03 01 00 91 01 00 00 8d 03 03 63 d6 91 ee ad |...........c....|
-00000010 71 ef 42 ad de f0 3f 02 a1 93 33 d9 f0 e1 cf 4c |q.B...?...3....L|
-00000020 30 f7 2c 9f a1 0c b8 d5 4e 0a c5 00 00 2a c0 30 |0.,.....N....*.0|
+00000000 16 03 01 00 91 01 00 00 8d 03 03 6d d9 a6 ff 3e |...........m...>|
+00000010 4b 00 33 67 b4 8c c6 e8 07 ee f3 77 83 31 81 e9 |K.3g.......w.1..|
+00000020 8f 3e 9e 77 8b 5c 8b 84 47 b4 33 00 00 2a c0 30 |.>.w.\..G.3..*.0|
00000030 00 9f cc a8 cc aa c0 2f 00 9e c0 28 00 6b c0 27 |......./...(.k.'|
00000040 00 67 c0 14 00 39 c0 13 00 33 00 9d 00 9c 00 3d |.g...9...3.....=|
00000050 00 3c 00 35 00 2f 00 ff 01 00 00 3a 00 00 00 0e |.<.5./.....:....|
00000060 00 0c 00 00 09 31 32 37 2e 30 2e 30 2e 31 00 0b |.....127.0.0.1..|
00000070 00 04 03 00 01 02 00 0a 00 0c 00 0a 00 1d 00 17 |................|
00000080 00 1e 00 19 00 18 00 16 00 00 00 17 00 00 00 0d |................|
-00000090 00 04 00 02 08 04 |......|
+00000090 00 04 00 02 08 06 |......|
>>> Flow 2 (server to client)
00000000 16 03 03 00 37 02 00 00 33 03 03 00 00 00 00 00 |....7...3.......|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
@@ -51,32 +51,5 @@
00000260 0c 5c ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d |.\.....l..s..Cw.|
00000270 0c 1c f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db |......@.a.Lr+...|
00000280 46 06 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d |F..M...>...B...=|
-00000290 13 60 84 5c 21 d3 3b e9 fa e7 16 03 03 00 ac 0c |.`.\!.;.........|
-000002a0 00 00 a8 03 00 1d 20 2f e5 7d a3 47 cd 62 43 15 |...... /.}.G.bC.|
-000002b0 28 da ac 5f bb 29 07 30 ff f6 84 af c4 cf c2 ed |(.._.).0........|
-000002c0 90 99 5f 58 cb 3b 74 08 04 00 80 bf 7b 0d b8 ab |.._X.;t.....{...|
-000002d0 95 96 80 37 60 fb 2f 53 0d 21 aa 6a 0d c9 48 6f |...7`./S.!.j..Ho|
-000002e0 d7 d2 d3 ca 22 58 9e 77 4a aa 32 c6 e7 0a 77 2e |...."X.wJ.2...w.|
-000002f0 59 72 f2 24 5a 2c 9e a3 7e a5 cc a1 b5 68 55 30 |Yr.$Z,..~....hU0|
-00000300 c8 a8 c1 b0 5b 74 49 85 07 bf 7b 36 16 ba 48 54 |....[tI...{6..HT|
-00000310 3f 1d 28 08 d7 c3 26 c3 8e 6f 5c 49 13 e9 49 55 |?.(...&..o\I..IU|
-00000320 b3 3e bb 70 8c df 6f 0b f0 e7 6c ac 7d fe 1e 4c |.>.p..o...l.}..L|
-00000330 6b 8c 22 e7 d0 97 b0 c9 4a b9 11 94 ef 13 c7 d3 |k.".....J.......|
-00000340 3f 07 d8 e6 6f 87 85 de 97 25 b2 16 03 03 00 04 |?...o....%......|
-00000350 0e 00 00 00 |....|
->>> Flow 3 (client to server)
-00000000 16 03 03 00 25 10 00 00 21 20 3f 05 77 b8 ef bf |....%...! ?.w...|
-00000010 2e dd af ba 76 d7 6f 36 35 7e c7 99 23 dc e7 a6 |....v.o65~..#...|
-00000020 52 a3 81 76 71 8a b0 be 85 73 14 03 03 00 01 01 |R..vq....s......|
-00000030 16 03 03 00 28 d1 45 19 f0 ef 75 54 ff 90 a0 36 |....(.E...uT...6|
-00000040 d0 06 c8 9e e5 67 fa 38 eb 13 4c ed 84 ab 8f 37 |.....g.8..L....7|
-00000050 63 23 8a 5d 8c d7 ce 96 2f 4f 91 b7 03 |c#.]..../O...|
->>> Flow 4 (server to client)
-00000000 14 03 03 00 01 01 16 03 03 00 28 00 00 00 00 00 |..........(.....|
-00000010 00 00 00 2d d2 61 48 46 5b 15 3b d8 09 bc be 9a |...-.aHF[.;.....|
-00000020 08 39 e3 b1 9f 2a 33 50 64 8b 11 92 13 dd dd 34 |.9...*3Pd......4|
-00000030 90 43 a2 17 03 03 00 25 00 00 00 00 00 00 00 01 |.C.....%........|
-00000040 81 7f c4 4f 37 a3 d0 b3 e7 b9 b7 c1 90 8e 96 51 |...O7..........Q|
-00000050 4e 77 2c 4c a9 85 d5 61 6c b7 8b 8a 8c 15 03 03 |Nw,L...al.......|
-00000060 00 1a 00 00 00 00 00 00 00 02 1f 57 78 97 2b 6f |...........Wx.+o|
-00000070 11 95 09 77 61 82 6e 7c 6d 48 05 c0 |...wa.n|mH..|
+00000290 13 60 84 5c 21 d3 3b e9 fa e7 15 03 03 00 02 02 |.`.\!.;.........|
+000002a0 28 |(|
diff --git a/testdata/Server-TLSv13-RSA-RSAPSS b/testdata/Server-TLSv13-RSA-RSAPSS
index 21f57b7..8151fd4 100644
--- a/testdata/Server-TLSv13-RSA-RSAPSS
+++ b/testdata/Server-TLSv13-RSA-RSAPSS
@@ -1,101 +1,16 @@
>>> Flow 1 (client to server)
-00000000 16 03 01 00 c6 01 00 00 c2 03 03 39 95 ab cc 1c |...........9....|
-00000010 64 13 9d 19 2e 3e 73 33 48 b1 a9 f7 88 14 5a 83 |d....>s3H.....Z.|
-00000020 19 f7 b5 08 8d e4 80 09 72 21 99 20 23 ad 4c 2c |........r!. #.L,|
-00000030 66 84 1e e8 c3 0c 9f 66 19 76 df a3 e0 62 cd 7d |f......f.v...b.}|
-00000040 95 85 70 4f 37 fb 39 58 50 b1 d5 7b 00 08 13 02 |..pO7.9XP..{....|
+00000000 16 03 01 00 c6 01 00 00 c2 03 03 6b 64 fe be 82 |...........kd...|
+00000010 d3 c7 f8 26 35 c1 7c 50 d0 a9 19 a5 1d 6b d5 1b |...&5.|P.....k..|
+00000020 25 9b 47 fb 49 01 fc df 2e dc 8e 20 92 d0 73 81 |%.G.I...... ..s.|
+00000030 91 5a 8a f9 2a cf 29 c7 9d 43 b2 b0 7d b9 5a a3 |.Z..*.)..C..}.Z.|
+00000040 5f 74 53 a0 8e fe 4e 2e 83 0d 3b 0f 00 08 13 02 |_tS...N...;.....|
00000050 13 03 13 01 00 ff 01 00 00 71 00 00 00 0e 00 0c |.........q......|
00000060 00 00 09 31 32 37 2e 30 2e 30 2e 31 00 0b 00 04 |...127.0.0.1....|
00000070 03 00 01 02 00 0a 00 0c 00 0a 00 1d 00 17 00 1e |................|
00000080 00 19 00 18 00 16 00 00 00 17 00 00 00 0d 00 04 |................|
-00000090 00 02 08 04 00 2b 00 03 02 03 04 00 2d 00 02 01 |.....+......-...|
-000000a0 01 00 33 00 26 00 24 00 1d 00 20 be 29 89 8d 44 |..3.&.$... .)..D|
-000000b0 4d e5 51 88 7a 1a 56 52 a8 86 74 13 0e e9 a5 a7 |M.Q.z.VR..t.....|
-000000c0 b6 7f 38 b3 ef 62 e6 b0 c5 2a 0a |..8..b...*.|
+00000090 00 02 08 06 00 2b 00 03 02 03 04 00 2d 00 02 01 |.....+......-...|
+000000a0 01 00 33 00 26 00 24 00 1d 00 20 76 43 b3 ed 62 |..3.&.$... vC..b|
+000000b0 22 72 15 69 b5 5b fd 9c ac 4a bd 36 4a 8d 3a 08 |"r.i.[...J.6J.:.|
+000000c0 9d a0 5e 10 e6 13 87 2b 41 51 66 |..^....+AQf|
>>> Flow 2 (server to client)
-00000000 16 03 03 00 7a 02 00 00 76 03 03 00 00 00 00 00 |....z...v.......|
-00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
-00000020 00 00 00 00 00 00 00 00 00 00 00 20 23 ad 4c 2c |........... #.L,|
-00000030 66 84 1e e8 c3 0c 9f 66 19 76 df a3 e0 62 cd 7d |f......f.v...b.}|
-00000040 95 85 70 4f 37 fb 39 58 50 b1 d5 7b 13 02 00 00 |..pO7.9XP..{....|
-00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 2f |..+.....3.$... /|
-00000060 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0|
-00000070 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 14 |.........._X.;t.|
-00000080 03 03 00 01 01 17 03 03 00 17 49 c6 88 9c 3b 2f |..........I...;/|
-00000090 3a 0a e6 8e 75 d0 39 11 ad 08 87 17 2c 14 96 28 |:...u.9.....,..(|
-000000a0 85 17 03 03 02 6d 2a d6 89 4d 5d f3 6c 28 97 dd |.....m*..M].l(..|
-000000b0 4e 45 88 e8 90 a4 f3 45 86 cf 59 d6 61 6e 1a a7 |NE.....E..Y.an..|
-000000c0 b7 35 7e 9c 6e 11 19 c4 1b 89 b9 5a 7c aa 1f 96 |.5~.n......Z|...|
-000000d0 e2 36 6d 54 09 12 2f 28 12 20 a3 41 06 bd 44 3c |.6mT../(. .A..D<|
-000000e0 73 be d3 8c 78 18 a1 63 ad f9 9d 41 20 5e 32 55 |s...x..c...A ^2U|
-000000f0 8e 18 c1 d8 b0 93 13 7e 88 a0 af 8a 59 e2 af 43 |.......~....Y..C|
-00000100 d2 82 66 ba c5 a1 97 94 e8 63 40 1b 8f c4 eb 49 |..f......c@....I|
-00000110 19 91 65 e9 54 d3 90 76 d6 f8 ff 15 20 31 3c 86 |..e.T..v.... 1<.|
-00000120 88 8a 43 be 77 a0 28 de fa 9f d5 30 14 a8 35 2f |..C.w.(....0..5/|
-00000130 5e ee 9d cf b5 69 d1 f5 f6 55 d1 1a 61 3f 4c a1 |^....i...U..a?L.|
-00000140 97 38 5b 87 7e ce 88 23 8a d0 bd fc 4b c5 da f7 |.8[.~..#....K...|
-00000150 25 6c 6c 0b ec 61 50 72 97 6b f7 fe 9b 5b 5a f9 |%ll..aPr.k...[Z.|
-00000160 59 19 71 10 74 2d 14 8c 1b 52 8b 39 1c 56 ea 7e |Y.q.t-...R.9.V.~|
-00000170 7a c9 8f 7c bd db 1e c5 02 9f 42 8b 63 ee 13 52 |z..|......B.c..R|
-00000180 fe 46 40 de 7b 97 27 b0 16 87 75 96 c7 1c 88 5d |.F@.{.'...u....]|
-00000190 2e 64 7f a8 df e0 16 b9 ee 27 7e b3 98 99 f7 4a |.d.......'~....J|
-000001a0 83 05 78 bb 59 07 8e 1a 46 1d 0f 45 87 ae d9 ae |..x.Y...F..E....|
-000001b0 6f 42 ed b1 72 14 8c 9d 33 72 95 ac 12 bb a0 20 |oB..r...3r..... |
-000001c0 56 a8 8a 23 e4 51 6a 89 f5 8e bc 55 5a e2 8d 78 |V..#.Qj....UZ..x|
-000001d0 84 24 55 99 cf 37 61 8c 7e 46 17 f3 26 ca 27 ec |.$U..7a.~F..&.'.|
-000001e0 f4 04 f6 76 1d cf 82 0c bd 85 82 81 06 f1 96 ce |...v............|
-000001f0 78 54 6c eb a0 f8 cf 30 6a 10 17 08 e6 94 83 4f |xTl....0j......O|
-00000200 56 34 80 ef ac fa ab e7 59 9e 6b f9 f8 38 76 cc |V4......Y.k..8v.|
-00000210 3b 09 b0 16 3f 3f 5c d3 6a ad d9 2c 65 d8 ce b4 |;...??\.j..,e...|
-00000220 19 53 c4 c9 d1 82 e8 19 72 ec bc 85 ef 3a 6e e5 |.S......r....:n.|
-00000230 ba 3c f8 37 98 98 80 47 5f 47 4f cd ed f5 0e bc |.<.7...G_GO.....|
-00000240 4e 14 a2 7d 8d 43 0b 18 ba 3b 10 50 e4 18 fc ac |N..}.C...;.P....|
-00000250 0e 01 21 73 68 da 50 51 8a 64 b6 18 28 ca e3 a4 |..!sh.PQ.d..(...|
-00000260 aa d2 5c 28 ff 64 fd cb 28 00 db b1 5c bf 75 81 |..\(.d..(...\.u.|
-00000270 bb d2 8c df 5c 26 70 1d d6 fe 7a 94 65 27 93 72 |....\&p...z.e'.r|
-00000280 bc ba 17 92 8f be 61 ec f5 88 04 ed fb cc f3 5c |......a........\|
-00000290 71 d0 a4 5d 13 a6 a3 82 89 e8 9e 1a 8e 31 fd 2f |q..].........1./|
-000002a0 57 53 98 d5 1f c4 3f 8e 92 7f 1b 90 a3 ad 6c 96 |WS....?.......l.|
-000002b0 42 cc f2 f0 1c 8d 3f 31 fd b2 53 29 79 16 9a 96 |B.....?1..S)y...|
-000002c0 fd d6 fe d4 3f 13 aa 39 73 d4 73 6d 9a ff f6 db |....?..9s.sm....|
-000002d0 52 0a 1e 76 71 0f d3 ee de a8 b3 05 3b 24 c4 72 |R..vq.......;$.r|
-000002e0 67 78 f1 be df c5 c0 87 32 60 28 96 8e b2 2e 3f |gx......2`(....?|
-000002f0 7d e9 aa b7 66 57 ee 67 e6 ac 70 da 60 ce c2 00 |}...fW.g..p.`...|
-00000300 55 2f 20 25 39 a5 5e b9 65 c3 00 63 c7 5a a9 31 |U/ %9.^.e..c.Z.1|
-00000310 de fe 65 17 03 03 00 99 95 83 6d be 56 ef 4f a3 |..e.......m.V.O.|
-00000320 96 5f a8 3d d5 a1 f3 8e 9a 8c 40 35 f4 12 2c 0a |._.=......@5..,.|
-00000330 b3 02 3b d2 14 d8 a4 f1 12 01 be e1 8a 6b 5f 01 |..;..........k_.|
-00000340 71 de ac 70 e9 7a 90 78 2e 2a a8 29 64 20 85 dd |q..p.z.x.*.)d ..|
-00000350 57 09 cf 48 29 d0 63 42 bc 9b ec 0c e2 2d 41 d0 |W..H).cB.....-A.|
-00000360 cb d8 68 46 b7 17 fc 1d 95 12 5a 4c c3 10 67 32 |..hF......ZL..g2|
-00000370 f7 7a 14 55 63 fb 57 6e 59 ee b6 66 b8 65 e1 37 |.z.Uc.WnY..f.e.7|
-00000380 e6 7c 6c 07 8b d1 84 80 01 11 ce 7f 20 f0 4d 42 |.|l......... .MB|
-00000390 a7 67 01 12 e6 b5 9b d4 6a fe 38 37 71 ca 60 d6 |.g......j.87q.`.|
-000003a0 12 d7 00 b5 26 c3 97 1d 9f 37 6a 82 31 ef c3 12 |....&....7j.1...|
-000003b0 bc 17 03 03 00 45 65 1e cf 1f 1e 73 93 8d 66 54 |.....Ee....s..fT|
-000003c0 47 b0 73 9f d1 a4 9d 3b b0 72 b4 f2 5f 06 e1 d2 |G.s....;.r.._...|
-000003d0 1f bb 3d 13 48 7c 7a e0 19 15 9f aa a5 ed 09 18 |..=.H|z.........|
-000003e0 2e 4e 8a cd 66 2b 9c b3 fe 99 b0 57 06 2e b3 a0 |.N..f+.....W....|
-000003f0 79 92 c1 bb 0e 29 44 02 f1 b0 43 17 03 03 00 a3 |y....)D...C.....|
-00000400 52 cd d9 d7 60 1c f5 06 83 aa 2f e0 0c 0f 5e 6d |R...`...../...^m|
-00000410 0f 29 93 b9 ae 50 04 c6 f7 d3 ff c7 d1 ac 9d 43 |.)...P.........C|
-00000420 d7 b5 76 7a 16 b7 2c b7 79 48 a4 c3 28 2a 86 10 |..vz..,.yH..(*..|
-00000430 d1 24 7c 04 ed af 1f 8a 0b 18 29 97 7a 7a 47 3f |.$|.......).zzG?|
-00000440 1f fe ba 9c 72 d9 9b ae 9b 83 5f f4 5a 4f 10 b8 |....r....._.ZO..|
-00000450 e5 45 35 76 77 a2 ac 99 1c bc 78 cf 6f 62 ef ef |.E5vw.....x.ob..|
-00000460 9b 1b 90 eb 95 6b a1 25 82 b7 c1 1b 6f da 10 4c |.....k.%....o..L|
-00000470 aa 3e a8 ba dd 77 b1 39 a0 b2 6a 11 18 44 2a 8d |.>...w.9..j..D*.|
-00000480 58 9a 53 31 e1 d1 ec 8b 47 95 63 67 44 67 8d 09 |X.S1....G.cgDg..|
-00000490 2f 16 f5 19 cd 65 1d 52 d7 bd 19 f0 bb ec 7b 55 |/....e.R......{U|
-000004a0 33 4f 84 |3O.|
->>> Flow 3 (client to server)
-00000000 14 03 03 00 01 01 17 03 03 00 45 07 3f db d9 c7 |..........E.?...|
-00000010 05 fd c4 0c 2d ae ee d8 d7 e7 ac 46 19 a2 17 e5 |....-......F....|
-00000020 5e 10 30 65 05 be e0 c7 1e b3 e2 16 a4 d6 69 e1 |^.0e..........i.|
-00000030 2c ff 18 ba e4 8f d0 3d 12 45 df c3 d4 08 0d e6 |,......=.E......|
-00000040 94 6e 83 6d 99 9d f3 f1 02 48 6b 6f d1 2d f0 c6 |.n.m.....Hko.-..|
->>> Flow 4 (server to client)
-00000000 17 03 03 00 1e 2a 3d 96 b4 6a 9e 7f 7f ca e0 8e |.....*=..j......|
-00000010 41 4e bd 82 86 61 b8 59 19 e4 97 02 c2 00 7e 69 |AN...a.Y......~i|
-00000020 81 b0 64 17 03 03 00 13 63 91 94 1a a3 51 bf 95 |..d.....c....Q..|
-00000030 9e 09 a2 a1 f0 01 57 93 00 71 49 |......W..qI|
+00000000 15 03 03 00 02 02 28 |......(|
diff --git a/testdata/Server-TLSv13-RSA-RSAPSS-TooSmall b/testdata/Server-TLSv13-RSA-RSAPSS-TooSmall
new file mode 100644
index 0000000..94f5818
--- /dev/null
+++ b/testdata/Server-TLSv13-RSA-RSAPSS-TooSmall
@@ -0,0 +1,16 @@
+>>> Flow 1 (client to server)
+00000000 16 03 01 00 c6 01 00 00 c2 03 03 7c a4 3e 3b dd |...........|.>;.|
+00000010 d4 90 de 04 87 40 12 a6 f8 63 d9 9d b3 44 7b 52 |.....@...c...D{R|
+00000020 9b b2 2d e2 da 0a 6b 87 30 2e 1f 20 38 be 06 6e |..-...k.0.. 8..n|
+00000030 b8 2d 46 93 8d ed 31 ea 5c 44 5a 3a 6e 3a bd 3c |.-F...1.\DZ:n:.<|
+00000040 0d 69 99 2c 5d 59 30 85 1a bc ce 59 00 08 13 02 |.i.,]Y0....Y....|
+00000050 13 03 13 01 00 ff 01 00 00 71 00 00 00 0e 00 0c |.........q......|
+00000060 00 00 09 31 32 37 2e 30 2e 30 2e 31 00 0b 00 04 |...127.0.0.1....|
+00000070 03 00 01 02 00 0a 00 0c 00 0a 00 1d 00 17 00 1e |................|
+00000080 00 19 00 18 00 16 00 00 00 17 00 00 00 0d 00 04 |................|
+00000090 00 02 08 06 00 2b 00 03 02 03 04 00 2d 00 02 01 |.....+......-...|
+000000a0 01 00 33 00 26 00 24 00 1d 00 20 d9 cb e9 03 27 |..3.&.$... ....'|
+000000b0 59 f0 bd 7a 1f 17 88 c7 35 2b 92 0c d9 0c 0f 9a |Y..z....5+......|
+000000c0 b5 47 c7 e2 97 aa 92 04 c6 63 2d |.G.......c-|
+>>> Flow 2 (server to client)
+00000000 15 03 03 00 02 02 28 |......(|