Bug 1427921 - RSA-PSS codepoints for TLS 1.3 draft-23, r=ekr
authorMartin Thomson <martin.thomson@gmail.com>
Fri, 05 Jan 2018 10:08:01 +1100
changeset 14207 1dd546143b8f28c1090bf78c1d7ba941d2c81e60
parent 14205 db89b28b84e3e6f05a38a31075f341f016a494a7
child 14208 54954c2668f52cbcd3134458e59c94892c20a1b5
push id2952
push usermartin.thomson@gmail.com
push dateTue, 09 Jan 2018 00:04:59 +0000
reviewersekr
bugs1427921
Bug 1427921 - RSA-PSS codepoints for TLS 1.3 draft-23, r=ekr
gtests/ssl_gtest/ssl_auth_unittest.cc
gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
gtests/ssl_gtest/ssl_dhe_unittest.cc
gtests/ssl_gtest/ssl_ecdh_unittest.cc
gtests/ssl_gtest/ssl_extension_unittest.cc
gtests/ssl_gtest/ssl_resumption_unittest.cc
gtests/ssl_gtest/tls_connect.cc
lib/ssl/ssl3con.c
lib/ssl/sslt.h
lib/ssl/tls13con.c
--- a/gtests/ssl_gtest/ssl_auth_unittest.cc
+++ b/gtests/ssl_gtest/ssl_auth_unittest.cc
@@ -122,17 +122,18 @@ TEST_P(TlsConnectTls12, ServerAuthCheckS
 
   const DataBuffer& buffer = capture_ske->buffer();
   EXPECT_LT(3U, buffer.len());
   EXPECT_EQ(3U, buffer.data()[0]) << "curve_type == named_curve";
   uint32_t tmp;
   EXPECT_TRUE(buffer.Read(1, 2, &tmp)) << "read NamedCurve";
   EXPECT_EQ(ssl_grp_ec_curve25519, tmp);
   EXPECT_TRUE(buffer.Read(3, 1, &tmp)) << " read ECPoint";
-  CheckSigScheme(capture_ske, 4 + tmp, client_, ssl_sig_rsa_pss_sha256, 1024);
+  CheckSigScheme(capture_ske, 4 + tmp, client_, ssl_sig_rsa_pss_rsae_sha256,
+                 1024);
 }
 
 TEST_P(TlsConnectTls12, ClientAuthCheckSigAlg) {
   EnsureTlsSetup();
   auto capture_cert_verify =
       std::make_shared<TlsInspectorRecordHandshakeMessage>(
           kTlsHandshakeCertificateVerify);
   client_->SetPacketFilter(capture_cert_verify);
@@ -149,17 +150,18 @@ TEST_P(TlsConnectTls12, ClientAuthBigRsa
   auto capture_cert_verify =
       std::make_shared<TlsInspectorRecordHandshakeMessage>(
           kTlsHandshakeCertificateVerify);
   client_->SetPacketFilter(capture_cert_verify);
   client_->SetupClientAuth();
   server_->RequestClientAuth(true);
   Connect();
   CheckKeys();
-  CheckSigScheme(capture_cert_verify, 0, server_, ssl_sig_rsa_pss_sha256, 2048);
+  CheckSigScheme(capture_cert_verify, 0, server_, ssl_sig_rsa_pss_rsae_sha256,
+                 2048);
 }
 
 class TlsZeroCertificateRequestSigAlgsFilter : public TlsHandshakeFilter {
  public:
   TlsZeroCertificateRequestSigAlgsFilter()
       : TlsHandshakeFilter({kTlsHandshakeCertificateRequest}) {}
   virtual PacketFilter::Action FilterHandshake(
       const TlsHandshakeFilter::HandshakeHeader& header,
@@ -791,26 +793,26 @@ TEST_P(TlsSignatureSchemeConfiguration, 
 
 INSTANTIATE_TEST_CASE_P(
     SignatureSchemeRsa, TlsSignatureSchemeConfiguration,
     ::testing::Combine(
         TlsConnectTestBase::kTlsVariantsAll, TlsConnectTestBase::kTlsV12Plus,
         ::testing::Values(TlsAgent::kServerRsaSign),
         ::testing::Values(ssl_auth_rsa_sign),
         ::testing::Values(ssl_sig_rsa_pkcs1_sha256, ssl_sig_rsa_pkcs1_sha384,
-                          ssl_sig_rsa_pkcs1_sha512, ssl_sig_rsa_pss_sha256,
-                          ssl_sig_rsa_pss_sha384)));
+                          ssl_sig_rsa_pkcs1_sha512, ssl_sig_rsa_pss_rsae_sha256,
+                          ssl_sig_rsa_pss_rsae_sha384)));
 // PSS with SHA-512 needs a bigger key to work.
 INSTANTIATE_TEST_CASE_P(
     SignatureSchemeBigRsa, TlsSignatureSchemeConfiguration,
     ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                        TlsConnectTestBase::kTlsV12Plus,
                        ::testing::Values(TlsAgent::kRsa2048),
                        ::testing::Values(ssl_auth_rsa_sign),
-                       ::testing::Values(ssl_sig_rsa_pss_sha512)));
+                       ::testing::Values(ssl_sig_rsa_pss_rsae_sha512)));
 INSTANTIATE_TEST_CASE_P(
     SignatureSchemeRsaSha1, TlsSignatureSchemeConfiguration,
     ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                        TlsConnectTestBase::kTlsV12,
                        ::testing::Values(TlsAgent::kServerRsa),
                        ::testing::Values(ssl_auth_rsa_sign),
                        ::testing::Values(ssl_sig_rsa_pkcs1_sha1)));
 INSTANTIATE_TEST_CASE_P(
--- a/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
+++ b/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
@@ -69,22 +69,22 @@ class TlsCipherSuiteTestBase : public Tl
     if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
       switch (sig_scheme_) {
         case ssl_sig_rsa_pkcs1_sha256:
         case ssl_sig_rsa_pkcs1_sha384:
         case ssl_sig_rsa_pkcs1_sha512:
           Reset(TlsAgent::kServerRsaSign);
           auth_type_ = ssl_auth_rsa_sign;
           break;
-        case ssl_sig_rsa_pss_sha256:
-        case ssl_sig_rsa_pss_sha384:
+        case ssl_sig_rsa_pss_rsae_sha256:
+        case ssl_sig_rsa_pss_rsae_sha384:
           Reset(TlsAgent::kServerRsaSign);
           auth_type_ = ssl_auth_rsa_sign;
           break;
-        case ssl_sig_rsa_pss_sha512:
+        case ssl_sig_rsa_pss_rsae_sha512:
           // You can't fit SHA-512 PSS in a 1024-bit key.
           Reset(TlsAgent::kRsa2048);
           auth_type_ = ssl_auth_rsa_sign;
           break;
         case ssl_sig_ecdsa_secp256r1_sha256:
           Reset(TlsAgent::kServerEcdsa256);
           auth_type_ = ssl_auth_ecdsa;
           break;
@@ -308,18 +308,18 @@ TEST_P(TlsCipherSuiteTest, WriteLimit) {
 static const auto kDummyNamedGroupParams = ::testing::Values(ssl_grp_none);
 static const auto kDummySignatureSchemesParams =
     ::testing::Values(ssl_sig_none);
 
 #ifndef NSS_DISABLE_TLS_1_3
 static SSLSignatureScheme kSignatureSchemesParamsArr[] = {
     ssl_sig_rsa_pkcs1_sha256,       ssl_sig_rsa_pkcs1_sha384,
     ssl_sig_rsa_pkcs1_sha512,       ssl_sig_ecdsa_secp256r1_sha256,
-    ssl_sig_ecdsa_secp384r1_sha384, ssl_sig_rsa_pss_sha256,
-    ssl_sig_rsa_pss_sha384,         ssl_sig_rsa_pss_sha512,
+    ssl_sig_ecdsa_secp384r1_sha384, ssl_sig_rsa_pss_rsae_sha256,
+    ssl_sig_rsa_pss_rsae_sha384,    ssl_sig_rsa_pss_rsae_sha512,
 };
 #endif
 
 INSTANTIATE_CIPHER_TEST_P(RC4, Stream, V10ToV12, kDummyNamedGroupParams,
                           kDummySignatureSchemesParams,
                           TLS_RSA_WITH_RC4_128_SHA,
                           TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
                           TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
--- a/gtests/ssl_gtest/ssl_dhe_unittest.cc
+++ b/gtests/ssl_gtest/ssl_dhe_unittest.cc
@@ -19,17 +19,17 @@
 #include "tls_parser.h"
 
 namespace nss_test {
 
 TEST_P(TlsConnectGeneric, ConnectDhe) {
   EnableOnlyDheCiphers();
   Connect();
   CheckKeys(ssl_kea_dh, ssl_grp_ffdhe_2048, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
 }
 
 TEST_P(TlsConnectTls13, SharesForBothEcdheAndDhe) {
   EnsureTlsSetup();
   client_->ConfigNamedGroups(kAllDHEGroups);
 
   auto groups_capture =
       std::make_shared<TlsExtensionCapture>(ssl_supported_groups_xtn);
@@ -450,17 +450,17 @@ TEST_P(TlsConnectGenericPre13, NamedGrou
   static const std::vector<SSLNamedGroup> server_groups = {ssl_grp_ffdhe_3072};
   static const std::vector<SSLNamedGroup> client_groups = {
       ssl_grp_ec_secp256r1};
   server_->ConfigNamedGroups(server_groups);
   client_->ConfigNamedGroups(client_groups);
 
   Connect();
   CheckKeys(ssl_kea_dh, ssl_grp_ffdhe_custom, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
 }
 
 // Same test but for TLS 1.3. This has to fail.
 TEST_P(TlsConnectTls13, NamedGroupMismatch13) {
   EnableOnlyDheCiphers();
   static const std::vector<SSLNamedGroup> server_groups = {ssl_grp_ffdhe_3072};
   static const std::vector<SSLNamedGroup> client_groups = {
       ssl_grp_ec_secp256r1};
@@ -494,18 +494,18 @@ TEST_P(TlsConnectGenericPre13, Preferred
   static const SSLDHEGroupType groups[] = {ssl_ff_dhe_3072_group,
                                            ssl_ff_dhe_2048_group};
   EXPECT_EQ(SECSuccess, SSL_DHEGroupPrefSet(server_->ssl_fd(), groups,
                                             PR_ARRAY_SIZE(groups)));
 
   Connect();
   client_->CheckKEA(ssl_kea_dh, ssl_grp_ffdhe_3072, 3072);
   server_->CheckKEA(ssl_kea_dh, ssl_grp_ffdhe_3072, 3072);
-  client_->CheckAuthType(ssl_auth_rsa_sign, ssl_sig_rsa_pss_sha256);
-  server_->CheckAuthType(ssl_auth_rsa_sign, ssl_sig_rsa_pss_sha256);
+  client_->CheckAuthType(ssl_auth_rsa_sign, ssl_sig_rsa_pss_rsae_sha256);
+  server_->CheckAuthType(ssl_auth_rsa_sign, ssl_sig_rsa_pss_rsae_sha256);
 }
 
 TEST_P(TlsConnectGenericPre13, MismatchDHE) {
   EnableOnlyDheCiphers();
   client_->SetOption(SSL_REQUIRE_DH_NAMED_GROUPS, PR_TRUE);
   static const SSLDHEGroupType serverGroups[] = {ssl_ff_dhe_3072_group};
   EXPECT_EQ(SECSuccess, SSL_DHEGroupPrefSet(server_->ssl_fd(), serverGroups,
                                             PR_ARRAY_SIZE(serverGroups)));
@@ -519,31 +519,31 @@ TEST_P(TlsConnectGenericPre13, MismatchD
 }
 
 TEST_P(TlsConnectTls13, ResumeFfdhe) {
   EnableOnlyDheCiphers();
   ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
   Connect();
   SendReceive();  // Need to read so that we absorb the session ticket.
   CheckKeys(ssl_kea_dh, ssl_grp_ffdhe_2048, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
 
   Reset();
   ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
   EnableOnlyDheCiphers();
   auto clientCapture =
       std::make_shared<TlsExtensionCapture>(ssl_tls13_pre_shared_key_xtn);
   client_->SetPacketFilter(clientCapture);
   auto serverCapture =
       std::make_shared<TlsExtensionCapture>(ssl_tls13_pre_shared_key_xtn);
   server_->SetPacketFilter(serverCapture);
   ExpectResumption(RESUME_TICKET);
   Connect();
   CheckKeys(ssl_kea_dh, ssl_grp_ffdhe_2048, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
   ASSERT_LT(0UL, clientCapture->extension().len());
   ASSERT_LT(0UL, serverCapture->extension().len());
 }
 
 class TlsDheSkeChangeSignature : public TlsHandshakeFilter {
  public:
   TlsDheSkeChangeSignature(uint16_t version, const uint8_t* data, size_t len)
       : TlsHandshakeFilter({kTlsHandshakeServerKeyExchange}),
--- a/gtests/ssl_gtest/ssl_ecdh_unittest.cc
+++ b/gtests/ssl_gtest/ssl_ecdh_unittest.cc
@@ -64,30 +64,30 @@ TEST_P(TlsConnectTls12, ConnectEcdheP384
 TEST_P(TlsConnectGeneric, ConnectEcdheP384Client) {
   EnsureTlsSetup();
   const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1,
                                              ssl_grp_ffdhe_2048};
   client_->ConfigNamedGroups(groups);
   server_->ConfigNamedGroups(groups);
   Connect();
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
 }
 
 // This causes a HelloRetryRequest in TLS 1.3.  Earlier versions don't care.
 TEST_P(TlsConnectGeneric, ConnectEcdheP384Server) {
   EnsureTlsSetup();
   auto hrr_capture = std::make_shared<TlsInspectorRecordHandshakeMessage>(
       kTlsHandshakeHelloRetryRequest);
   server_->SetPacketFilter(hrr_capture);
   const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1};
   server_->ConfigNamedGroups(groups);
   Connect();
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
   EXPECT_EQ(version_ == SSL_LIBRARY_VERSION_TLS_1_3,
             hrr_capture->buffer().len() != 0);
 }
 
 // This enables only P-256 on the client and disables it on the server.
 // This test will fail when we add other groups that identify as ECDHE.
 TEST_P(TlsConnectGeneric, ConnectEcdheGroupMismatch) {
   EnsureTlsSetup();
@@ -107,34 +107,34 @@ TEST_P(TlsKeyExchangeTest, P384Priority)
       ssl_grp_ec_secp384r1, ssl_grp_ec_secp256r1, ssl_grp_ec_secp521r1};
   EnsureKeyShareSetup();
   ConfigNamedGroups(groups);
   client_->DisableAllCiphers();
   client_->EnableCiphersByKeyExchange(ssl_kea_ecdh);
   Connect();
 
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
 
   std::vector<SSLNamedGroup> shares = {ssl_grp_ec_secp384r1};
   CheckKEXDetails(groups, shares);
 }
 
 TEST_P(TlsKeyExchangeTest, DuplicateGroupConfig) {
   const std::vector<SSLNamedGroup> groups = {
       ssl_grp_ec_secp384r1, ssl_grp_ec_secp384r1, ssl_grp_ec_secp384r1,
       ssl_grp_ec_secp256r1, ssl_grp_ec_secp256r1};
   EnsureKeyShareSetup();
   ConfigNamedGroups(groups);
   client_->DisableAllCiphers();
   client_->EnableCiphersByKeyExchange(ssl_kea_ecdh);
   Connect();
 
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
 
   std::vector<SSLNamedGroup> shares = {ssl_grp_ec_secp384r1};
   std::vector<SSLNamedGroup> expectedGroups = {ssl_grp_ec_secp384r1,
                                                ssl_grp_ec_secp256r1};
   CheckKEXDetails(expectedGroups, shares);
 }
 
 TEST_P(TlsKeyExchangeTest, P384PriorityDHEnabled) {
@@ -142,17 +142,17 @@ TEST_P(TlsKeyExchangeTest, P384PriorityD
   const std::vector<SSLNamedGroup> groups = {
       ssl_grp_ec_secp384r1, ssl_grp_ffdhe_2048, ssl_grp_ec_secp256r1,
       ssl_grp_ec_secp521r1};
   EnsureKeyShareSetup();
   ConfigNamedGroups(groups);
   Connect();
 
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
 
   if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
     std::vector<SSLNamedGroup> shares = {ssl_grp_ec_secp384r1};
     CheckKEXDetails(groups, shares);
   } else {
     std::vector<SSLNamedGroup> oldtlsgroups = {
         ssl_grp_ec_secp384r1, ssl_grp_ec_secp256r1, ssl_grp_ec_secp521r1};
     CheckKEXDetails(oldtlsgroups, std::vector<SSLNamedGroup>());
@@ -167,33 +167,33 @@ TEST_P(TlsConnectGenericPre13, P384Prior
   // The server prefers P384. It has to win.
   const std::vector<SSLNamedGroup> server_groups = {
       ssl_grp_ec_secp384r1, ssl_grp_ec_secp256r1, ssl_grp_ec_secp521r1};
   server_->ConfigNamedGroups(server_groups);
 
   Connect();
 
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
 }
 
 TEST_P(TlsConnectGenericPre13, P384PriorityFromModelSocket) {
   EnsureModelSockets();
 
   /* Both prefer P384, set on the model socket. */
   const std::vector<SSLNamedGroup> groups = {
       ssl_grp_ec_secp384r1, ssl_grp_ec_secp256r1, ssl_grp_ec_secp521r1,
       ssl_grp_ffdhe_2048};
   client_model_->ConfigNamedGroups(groups);
   server_model_->ConfigNamedGroups(groups);
 
   Connect();
 
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
 }
 
 class TlsKeyExchangeGroupCapture : public TlsHandshakeFilter {
  public:
   TlsKeyExchangeGroupCapture()
       : TlsHandshakeFilter({kTlsHandshakeServerKeyExchange}),
         group_(ssl_grp_none) {}
 
@@ -271,25 +271,25 @@ TEST_P(TlsConnectStreamPre13, Configured
   const std::vector<SSLNamedGroup> server_groups = {ssl_grp_ec_secp256r1,
                                                     ssl_grp_ec_secp256r1};
   client_->ConfigNamedGroups(client_groups);
   server_->ConfigNamedGroups(server_groups);
 
   Connect();
 
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
   CheckConnected();
 
   // The renegotiation has to use the same preferences as the original session.
   server_->PrepareForRenegotiate();
   client_->StartRenegotiate();
   Handshake();
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
 }
 
 TEST_P(TlsKeyExchangeTest, Curve25519) {
   Reset(TlsAgent::kServerEcdsa256);
   const std::vector<SSLNamedGroup> groups = {
       ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, ssl_grp_ec_secp521r1};
   EnsureKeyShareSetup();
   ConfigNamedGroups(groups);
@@ -313,17 +313,17 @@ TEST_P(TlsConnectGenericPre13, GroupPref
   const std::vector<SSLNamedGroup> server_groups = {ssl_grp_ec_curve25519,
                                                     ssl_grp_ec_secp256r1};
   client_->ConfigNamedGroups(client_groups);
   server_->ConfigNamedGroups(server_groups);
 
   Connect();
 
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
 }
 
 #ifndef NSS_DISABLE_TLS_1_3
 TEST_P(TlsKeyExchangeTest13, Curve25519P256EqualPriorityClient13) {
   EnsureKeyShareSetup();
 
   // The client sends a P256 key share while the server prefers 25519.
   // We have to accept P256 without retry.
@@ -332,17 +332,17 @@ TEST_P(TlsKeyExchangeTest13, Curve25519P
   const std::vector<SSLNamedGroup> server_groups = {ssl_grp_ec_curve25519,
                                                     ssl_grp_ec_secp256r1};
   client_->ConfigNamedGroups(client_groups);
   server_->ConfigNamedGroups(server_groups);
 
   Connect();
 
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
   const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_secp256r1};
   CheckKEXDetails(client_groups, shares);
 }
 
 TEST_P(TlsKeyExchangeTest13, Curve25519P256EqualPriorityServer13) {
   EnsureKeyShareSetup();
 
   // The client sends a 25519 key share while the server prefers P256.
@@ -352,17 +352,17 @@ TEST_P(TlsKeyExchangeTest13, Curve25519P
   const std::vector<SSLNamedGroup> server_groups = {ssl_grp_ec_secp256r1,
                                                     ssl_grp_ec_curve25519};
   client_->ConfigNamedGroups(client_groups);
   server_->ConfigNamedGroups(server_groups);
 
   Connect();
 
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
   const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
   CheckKEXDetails(client_groups, shares);
 }
 
 TEST_P(TlsKeyExchangeTest13, EqualPriorityTestRetryECServer13) {
   EnsureKeyShareSetup();
 
   // The client sends a 25519 key share while the server prefers P256.
@@ -374,17 +374,17 @@ TEST_P(TlsKeyExchangeTest13, EqualPriori
   const std::vector<SSLNamedGroup> server_groups = {
       ssl_grp_ec_secp256r1, ssl_grp_ec_secp384r1, ssl_grp_ec_curve25519};
   client_->ConfigNamedGroups(client_groups);
   server_->ConfigNamedGroups(server_groups);
 
   Connect();
 
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
   const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
   CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1);
 }
 
 TEST_P(TlsKeyExchangeTest13, NotEqualPriorityWithIntermediateGroup13) {
   EnsureKeyShareSetup();
 
   // The client sends a 25519 key share while the server prefers P256.
@@ -396,17 +396,17 @@ TEST_P(TlsKeyExchangeTest13, NotEqualPri
   const std::vector<SSLNamedGroup> server_groups = {
       ssl_grp_ec_secp256r1, ssl_grp_ffdhe_2048, ssl_grp_ec_curve25519};
   client_->ConfigNamedGroups(client_groups);
   server_->ConfigNamedGroups(server_groups);
 
   Connect();
 
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
   const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
   CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1);
 }
 
 TEST_P(TlsKeyExchangeTest13,
        NotEqualPriorityWithUnsupportedFFIntermediateGroup13) {
   EnsureKeyShareSetup();
 
@@ -418,17 +418,17 @@ TEST_P(TlsKeyExchangeTest13,
   const std::vector<SSLNamedGroup> server_groups = {
       ssl_grp_ec_secp256r1, ssl_grp_ffdhe_2048, ssl_grp_ec_curve25519};
   client_->ConfigNamedGroups(client_groups);
   server_->ConfigNamedGroups(server_groups);
 
   Connect();
 
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
   const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
   CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1);
 }
 
 TEST_P(TlsKeyExchangeTest13,
        NotEqualPriorityWithUnsupportedECIntermediateGroup13) {
   EnsureKeyShareSetup();
 
@@ -440,17 +440,17 @@ TEST_P(TlsKeyExchangeTest13,
   const std::vector<SSLNamedGroup> server_groups = {
       ssl_grp_ec_secp256r1, ssl_grp_ec_secp384r1, ssl_grp_ec_curve25519};
   client_->ConfigNamedGroups(client_groups);
   server_->ConfigNamedGroups(server_groups);
 
   Connect();
 
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
   const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
   CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1);
 }
 
 TEST_P(TlsKeyExchangeTest13, EqualPriority13) {
   EnsureKeyShareSetup();
 
   // The client sends a 25519 key share while the server prefers P256.
@@ -502,17 +502,17 @@ TEST_P(TlsKeyExchangeTest13, MultipleCli
 
   // Generate a key share on the client for both curves.
   EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(), 1));
 
   Connect();
 
   // The server would accept 25519 but its preferred group (P256) has to win.
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
   const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519,
                                              ssl_grp_ec_secp256r1};
   CheckKEXDetails(client_groups, shares);
 }
 
 // Replace the point in the client key exchange message with an empty one
 class ECCClientKEXFilter : public TlsHandshakeFilter {
  public:
--- a/gtests/ssl_gtest/ssl_extension_unittest.cc
+++ b/gtests/ssl_gtest/ssl_extension_unittest.cc
@@ -502,18 +502,18 @@ TEST_P(TlsExtensionTestPre13, Renegotiat
   DataBuffer extension;
   ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
       ssl_renegotiation_info_xtn, extension));
 }
 
 // This only works on TLS 1.2, since it relies on static RSA; otherwise libssl
 // picks the wrong cipher suite.
 TEST_P(TlsExtensionTest12, SignatureAlgorithmConfiguration) {
-  const SSLSignatureScheme schemes[] = {ssl_sig_rsa_pss_sha512,
-                                        ssl_sig_rsa_pss_sha384};
+  const SSLSignatureScheme schemes[] = {ssl_sig_rsa_pss_rsae_sha512,
+                                        ssl_sig_rsa_pss_rsae_sha384};
 
   auto capture =
       std::make_shared<TlsExtensionCapture>(ssl_signature_algorithms_xtn);
   client_->SetSignatureSchemes(schemes, PR_ARRAY_SIZE(schemes));
   client_->SetPacketFilter(capture);
   EnableOnlyStaticRsaCiphers();
   Connect();
 
--- a/gtests/ssl_gtest/ssl_resumption_unittest.cc
+++ b/gtests/ssl_gtest/ssl_resumption_unittest.cc
@@ -392,17 +392,17 @@ TEST_P(TlsConnectTls13, TestTls13ResumeD
 
   Reset();
   ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
   ExpectResumption(RESUME_TICKET);
   client_->ConfigNamedGroups(kFFDHEGroups);
   server_->ConfigNamedGroups(kFFDHEGroups);
   Connect();
   CheckKeys(ssl_kea_dh, ssl_grp_ffdhe_2048, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
 }
 
 // We need to enable different cipher suites at different times in the following
 // tests.  Those cipher suites need to be suited to the version.
 static uint16_t ChooseOneCipher(uint16_t version) {
   if (version >= SSL_LIBRARY_VERSION_TLS_1_3) {
     return TLS_AES_128_GCM_SHA256;
   }
@@ -567,17 +567,17 @@ TEST_F(TlsConnectTest, TestTls13Resumpti
   ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
   ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
   ExpectResumption(RESUME_TICKET);
   auto c1 = std::make_shared<TlsExtensionCapture>(ssl_tls13_pre_shared_key_xtn);
   client_->SetPacketFilter(c1);
   Connect();
   SendReceive();
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
   // The filter will go away when we reset, so save the captured extension.
   DataBuffer initialTicket(c1->extension());
   ASSERT_LT(0U, initialTicket.len());
 
   ScopedCERTCertificate cert1(SSL_PeerCertificate(client_->ssl_fd()));
   ASSERT_TRUE(!!cert1.get());
 
   Reset();
@@ -585,17 +585,17 @@ TEST_F(TlsConnectTest, TestTls13Resumpti
   ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
   ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
   auto c2 = std::make_shared<TlsExtensionCapture>(ssl_tls13_pre_shared_key_xtn);
   client_->SetPacketFilter(c2);
   ExpectResumption(RESUME_TICKET);
   Connect();
   SendReceive();
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
   ASSERT_LT(0U, c2->extension().len());
 
   ScopedCERTCertificate cert2(SSL_PeerCertificate(client_->ssl_fd()));
   ASSERT_TRUE(!!cert2.get());
 
   // Check that the cipher suite is reported the same on both sides, though in
   // TLS 1.3 resumption actually negotiates a different cipher suite.
   uint16_t resumed_suite;
@@ -846,60 +846,60 @@ TEST_F(TlsConnectTest, TestTls13Resumpti
 }
 
 TEST_P(TlsConnectGeneric, ReConnectTicket) {
   ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
   server_->EnableSingleCipher(ChooseOneCipher(version_));
   Connect();
   SendReceive();
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
   // Resume
   Reset();
   ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
   ExpectResumption(RESUME_TICKET);
   Connect();
   // Only the client knows this.
   CheckKeysResumption(ssl_kea_ecdh, ssl_grp_none, ssl_grp_ec_curve25519,
-                      ssl_auth_rsa_sign, ssl_sig_rsa_pss_sha256);
+                      ssl_auth_rsa_sign, ssl_sig_rsa_pss_rsae_sha256);
 }
 
 TEST_P(TlsConnectGenericPre13, ReConnectCache) {
   ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID);
   server_->EnableSingleCipher(ChooseOneCipher(version_));
   Connect();
   SendReceive();
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
   // Resume
   Reset();
   ExpectResumption(RESUME_SESSIONID);
   Connect();
   CheckKeysResumption(ssl_kea_ecdh, ssl_grp_none, ssl_grp_ec_curve25519,
-                      ssl_auth_rsa_sign, ssl_sig_rsa_pss_sha256);
+                      ssl_auth_rsa_sign, ssl_sig_rsa_pss_rsae_sha256);
 }
 
 TEST_P(TlsConnectGeneric, ReConnectAgainTicket) {
   ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
   server_->EnableSingleCipher(ChooseOneCipher(version_));
   Connect();
   SendReceive();
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign,
-            ssl_sig_rsa_pss_sha256);
+            ssl_sig_rsa_pss_rsae_sha256);
   // Resume
   Reset();
   ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
   ExpectResumption(RESUME_TICKET);
   Connect();
   // Only the client knows this.
   CheckKeysResumption(ssl_kea_ecdh, ssl_grp_none, ssl_grp_ec_curve25519,
-                      ssl_auth_rsa_sign, ssl_sig_rsa_pss_sha256);
+                      ssl_auth_rsa_sign, ssl_sig_rsa_pss_rsae_sha256);
   // Resume connection again
   Reset();
   ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
   ExpectResumption(RESUME_TICKET, 2);
   Connect();
   // Only the client knows this.
   CheckKeysResumption(ssl_kea_ecdh, ssl_grp_none, ssl_grp_ec_curve25519,
-                      ssl_auth_rsa_sign, ssl_sig_rsa_pss_sha256);
+                      ssl_auth_rsa_sign, ssl_sig_rsa_pss_rsae_sha256);
 }
 
 }  // namespace nss_test
--- a/gtests/ssl_gtest/tls_connect.cc
+++ b/gtests/ssl_gtest/tls_connect.cc
@@ -397,23 +397,23 @@ void TlsConnectTestBase::CheckKeys(SSLKE
 
   SSLSignatureScheme scheme;
   switch (auth_type) {
     case ssl_auth_rsa_decrypt:
       scheme = ssl_sig_none;
       break;
     case ssl_auth_rsa_sign:
       if (version_ >= SSL_LIBRARY_VERSION_TLS_1_2) {
-        scheme = ssl_sig_rsa_pss_sha256;
+        scheme = ssl_sig_rsa_pss_rsae_sha256;
       } else {
         scheme = ssl_sig_rsa_pkcs1_sha256;
       }
       break;
     case ssl_auth_rsa_pss:
-      scheme = ssl_sig_rsa_pss_sha256;
+      scheme = ssl_sig_rsa_pss_rsae_sha256;
       break;
     case ssl_auth_ecdsa:
       scheme = ssl_sig_ecdsa_secp256r1_sha256;
       break;
     case ssl_auth_dsa:
       scheme = ssl_sig_dsa_sha1;
       break;
     default:
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -178,19 +178,19 @@ static ssl3CipherSuiteCfg cipherSuites[s
  * order of signature types is based on the same rules for ordering we use for
  * cipher suites just for consistency.
  */
 static const SSLSignatureScheme defaultSignatureSchemes[] = {
     ssl_sig_ecdsa_secp256r1_sha256,
     ssl_sig_ecdsa_secp384r1_sha384,
     ssl_sig_ecdsa_secp521r1_sha512,
     ssl_sig_ecdsa_sha1,
-    ssl_sig_rsa_pss_sha256,
-    ssl_sig_rsa_pss_sha384,
-    ssl_sig_rsa_pss_sha512,
+    ssl_sig_rsa_pss_rsae_sha256,
+    ssl_sig_rsa_pss_rsae_sha384,
+    ssl_sig_rsa_pss_rsae_sha512,
     ssl_sig_rsa_pkcs1_sha256,
     ssl_sig_rsa_pkcs1_sha384,
     ssl_sig_rsa_pkcs1_sha512,
     ssl_sig_rsa_pkcs1_sha1,
     ssl_sig_dsa_sha256,
     ssl_sig_dsa_sha384,
     ssl_sig_dsa_sha512,
     ssl_sig_dsa_sha1
@@ -3957,27 +3957,30 @@ ssl_SignatureSchemeToHashType(SSLSignatu
 {
     switch (scheme) {
         case ssl_sig_rsa_pkcs1_sha1:
         case ssl_sig_dsa_sha1:
         case ssl_sig_ecdsa_sha1:
             return ssl_hash_sha1;
         case ssl_sig_rsa_pkcs1_sha256:
         case ssl_sig_ecdsa_secp256r1_sha256:
-        case ssl_sig_rsa_pss_sha256:
+        case ssl_sig_rsa_pss_rsae_sha256:
+        case ssl_sig_rsa_pss_pss_sha256:
         case ssl_sig_dsa_sha256:
             return ssl_hash_sha256;
         case ssl_sig_rsa_pkcs1_sha384:
         case ssl_sig_ecdsa_secp384r1_sha384:
-        case ssl_sig_rsa_pss_sha384:
+        case ssl_sig_rsa_pss_rsae_sha384:
+        case ssl_sig_rsa_pss_pss_sha384:
         case ssl_sig_dsa_sha384:
             return ssl_hash_sha384;
         case ssl_sig_rsa_pkcs1_sha512:
         case ssl_sig_ecdsa_secp521r1_sha512:
-        case ssl_sig_rsa_pss_sha512:
+        case ssl_sig_rsa_pss_rsae_sha512:
+        case ssl_sig_rsa_pss_pss_sha512:
         case ssl_sig_dsa_sha512:
             return ssl_hash_sha512;
         case ssl_sig_rsa_pkcs1_sha1md5:
             return ssl_hash_none; /* Special for TLS 1.0/1.1. */
         case ssl_sig_none:
         case ssl_sig_ed25519:
         case ssl_sig_ed448:
             break;
@@ -3989,19 +3992,22 @@ ssl_SignatureSchemeToHashType(SSLSignatu
 KeyType
 ssl_SignatureSchemeToKeyType(SSLSignatureScheme scheme)
 {
     switch (scheme) {
         case ssl_sig_rsa_pkcs1_sha256:
         case ssl_sig_rsa_pkcs1_sha384:
         case ssl_sig_rsa_pkcs1_sha512:
         case ssl_sig_rsa_pkcs1_sha1:
-        case ssl_sig_rsa_pss_sha256:
-        case ssl_sig_rsa_pss_sha384:
-        case ssl_sig_rsa_pss_sha512:
+        case ssl_sig_rsa_pss_rsae_sha256:
+        case ssl_sig_rsa_pss_rsae_sha384:
+        case ssl_sig_rsa_pss_rsae_sha512:
+        case ssl_sig_rsa_pss_pss_sha256:
+        case ssl_sig_rsa_pss_pss_sha384:
+        case ssl_sig_rsa_pss_pss_sha512:
         case ssl_sig_rsa_pkcs1_sha1md5:
             return rsaKey;
         case ssl_sig_ecdsa_secp256r1_sha256:
         case ssl_sig_ecdsa_secp384r1_sha384:
         case ssl_sig_ecdsa_secp521r1_sha512:
         case ssl_sig_ecdsa_sha1:
             return ecKey;
         case ssl_sig_dsa_sha256:
@@ -4126,45 +4132,48 @@ ssl_CheckSignatureSchemeConsistency(
 PRBool
 ssl_IsSupportedSignatureScheme(SSLSignatureScheme scheme)
 {
     switch (scheme) {
         case ssl_sig_rsa_pkcs1_sha1:
         case ssl_sig_rsa_pkcs1_sha256:
         case ssl_sig_rsa_pkcs1_sha384:
         case ssl_sig_rsa_pkcs1_sha512:
-        case ssl_sig_rsa_pss_sha256:
-        case ssl_sig_rsa_pss_sha384:
-        case ssl_sig_rsa_pss_sha512:
+        case ssl_sig_rsa_pss_rsae_sha256:
+        case ssl_sig_rsa_pss_rsae_sha384:
+        case ssl_sig_rsa_pss_rsae_sha512:
         case ssl_sig_ecdsa_secp256r1_sha256:
         case ssl_sig_ecdsa_secp384r1_sha384:
         case ssl_sig_ecdsa_secp521r1_sha512:
         case ssl_sig_dsa_sha1:
         case ssl_sig_dsa_sha256:
         case ssl_sig_dsa_sha384:
         case ssl_sig_dsa_sha512:
         case ssl_sig_ecdsa_sha1:
             return PR_TRUE;
 
         case ssl_sig_rsa_pkcs1_sha1md5:
+        case ssl_sig_rsa_pss_pss_sha256:
+        case ssl_sig_rsa_pss_pss_sha384:
+        case ssl_sig_rsa_pss_pss_sha512:
         case ssl_sig_none:
         case ssl_sig_ed25519:
         case ssl_sig_ed448:
             return PR_FALSE;
     }
     return PR_FALSE;
 }
 
 PRBool
 ssl_IsRsaPssSignatureScheme(SSLSignatureScheme scheme)
 {
     switch (scheme) {
-        case ssl_sig_rsa_pss_sha256:
-        case ssl_sig_rsa_pss_sha384:
-        case ssl_sig_rsa_pss_sha512:
+        case ssl_sig_rsa_pss_rsae_sha256:
+        case ssl_sig_rsa_pss_rsae_sha384:
+        case ssl_sig_rsa_pss_rsae_sha512:
             return PR_TRUE;
 
         default:
             return PR_FALSE;
     }
     return PR_FALSE;
 }
 
--- a/lib/ssl/sslt.h
+++ b/lib/ssl/sslt.h
@@ -118,50 +118,58 @@ typedef enum {
     ssl_sig_rsa_pkcs1_sha256 = 0x0401,
     ssl_sig_rsa_pkcs1_sha384 = 0x0501,
     ssl_sig_rsa_pkcs1_sha512 = 0x0601,
     /* For ECDSA, the pairing of the hash with a specific curve is only enforced
      * in TLS 1.3; in TLS 1.2 any curve can be used with each of these. */
     ssl_sig_ecdsa_secp256r1_sha256 = 0x0403,
     ssl_sig_ecdsa_secp384r1_sha384 = 0x0503,
     ssl_sig_ecdsa_secp521r1_sha512 = 0x0603,
-    ssl_sig_rsa_pss_sha256 = 0x0804,
-    ssl_sig_rsa_pss_sha384 = 0x0805,
-    ssl_sig_rsa_pss_sha512 = 0x0806,
+    ssl_sig_rsa_pss_rsae_sha256 = 0x0804,
+    ssl_sig_rsa_pss_rsae_sha384 = 0x0805,
+    ssl_sig_rsa_pss_rsae_sha512 = 0x0806,
     ssl_sig_ed25519 = 0x0807,
     ssl_sig_ed448 = 0x0808,
+    ssl_sig_rsa_pss_pss_sha256 = 0x0809,
+    ssl_sig_rsa_pss_pss_sha384 = 0x080a,
+    ssl_sig_rsa_pss_pss_sha512 = 0x080b,
 
     ssl_sig_dsa_sha1 = 0x0202,
     ssl_sig_dsa_sha256 = 0x0402,
     ssl_sig_dsa_sha384 = 0x0502,
     ssl_sig_dsa_sha512 = 0x0602,
     ssl_sig_ecdsa_sha1 = 0x0203,
 
     /* The following value (which can't be used in the protocol), represents
      * the RSA signature using SHA-1 and MD5 that is used in TLS 1.0 and 1.1.
      * This is reported as a signature scheme when TLS 1.0 or 1.1 is used.
      * This should not be passed to SSL_SignatureSchemePrefSet(); this
      * signature scheme is always used and cannot be disabled. */
     ssl_sig_rsa_pkcs1_sha1md5 = 0x10101,
 } SSLSignatureScheme;
 
+/* Deprecated names maintained only for source compatibility. */
+#define ssl_sig_rsa_pss_sha256 ssl_sig_rsa_pss_rsae_sha256
+#define ssl_sig_rsa_pss_sha384 ssl_sig_rsa_pss_rsae_sha384
+#define ssl_sig_rsa_pss_sha512 ssl_sig_rsa_pss_rsae_sha512
+
 /*
 ** SSLAuthType describes the type of key that is used to authenticate a
 ** connection.  That is, the type of key in the end-entity certificate.
 */
 typedef enum {
     ssl_auth_null = 0,
-    ssl_auth_rsa_decrypt = 1, /* static RSA */
+    ssl_auth_rsa_decrypt = 1, /* RSA key exchange. */
     ssl_auth_dsa = 2,
     ssl_auth_kea = 3, /* unused */
     ssl_auth_ecdsa = 4,
-    ssl_auth_ecdh_rsa = 5,   /* ECDH cert with an RSA signature */
-    ssl_auth_ecdh_ecdsa = 6, /* ECDH cert with an ECDSA signature */
-    ssl_auth_rsa_sign = 7,   /* RSA PKCS#1.5 signing */
-    ssl_auth_rsa_pss = 8,
+    ssl_auth_ecdh_rsa = 5,   /* ECDH cert with an RSA signature. */
+    ssl_auth_ecdh_ecdsa = 6, /* ECDH cert with an ECDSA signature. */
+    ssl_auth_rsa_sign = 7,   /* RSA signing with an rsaEncryption key. */
+    ssl_auth_rsa_pss = 8,    /* RSA signing with a PSS key. */
     ssl_auth_psk = 9,
     ssl_auth_tls13_any = 10,
     ssl_auth_size /* number of authentication types */
 } SSLAuthType;
 
 /* This is defined for backward compatibility reasons */
 #define ssl_auth_rsa ssl_auth_rsa_decrypt
 
--- a/lib/ssl/tls13con.c
+++ b/lib/ssl/tls13con.c
@@ -1421,19 +1421,19 @@ SSLAuthType
 ssl_SignatureSchemeToAuthType(SSLSignatureScheme scheme)
 {
     switch (scheme) {
         case ssl_sig_rsa_pkcs1_sha1:
         case ssl_sig_rsa_pkcs1_sha256:
         case ssl_sig_rsa_pkcs1_sha384:
         case ssl_sig_rsa_pkcs1_sha512:
         /* We report PSS signatures as being just RSA signatures. */
-        case ssl_sig_rsa_pss_sha256:
-        case ssl_sig_rsa_pss_sha384:
-        case ssl_sig_rsa_pss_sha512:
+        case ssl_sig_rsa_pss_rsae_sha256:
+        case ssl_sig_rsa_pss_rsae_sha384:
+        case ssl_sig_rsa_pss_rsae_sha512:
             return ssl_auth_rsa_sign;
         case ssl_sig_ecdsa_secp256r1_sha256:
         case ssl_sig_ecdsa_secp384r1_sha384:
         case ssl_sig_ecdsa_secp521r1_sha512:
         case ssl_sig_ecdsa_sha1:
             return ssl_auth_ecdsa;
         default:
             PORT_Assert(0);