CVSROOT:        /cvs
Module name:    src
Changes by:     js...@cvs.openbsd.org   2019/03/25 11:21:19

Modified files:
        lib/libssl     : s3_lib.c ssl_clnt.c ssl_lib.c ssl_locl.h 
                         ssl_sigalgs.c ssl_sigalgs.h ssl_srvr.c 
                         ssl_tlsext.c tls13_client.c 

Log message:
Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.
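
An added illustration of the problem described in the log message, not code from libssl or from this commit: a simplified selector that walks the peer's signature algorithm list and, once the certificate key is known, skips schemes the key cannot sign with. The types, function names and sample list are hypothetical, and the only size rule modelled is the RSASSA-PSS minimum modulus length, taken here as one example of a key size constraint.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum key_type { KEY_RSA, KEY_EC };	/* hypothetical, not libssl types */
struct sigalg { uint16_t id; enum key_type kt; size_t hash_len; int pss; };

/* SignatureScheme code points from RFC 8446, section 4.2.3. */
static const struct sigalg known[] = {
	{ 0x0806, KEY_RSA, 64, 1 },	/* rsa_pss_rsae_sha512 */
	{ 0x0805, KEY_RSA, 48, 1 },	/* rsa_pss_rsae_sha384 */
	{ 0x0804, KEY_RSA, 32, 1 },	/* rsa_pss_rsae_sha256 */
	{ 0x0403, KEY_EC, 32, 0 },	/* ecdsa_secp256r1_sha256 */
};
#define N_KNOWN (sizeof(known) / sizeof(known[0]))

/* Constructed peer preference list, strongest hash first. */
const uint16_t sample_peer[] = { 0x0806, 0x0805, 0x0804, 0x0403 };

/* Can this scheme sign with a key of the given type and size in bits (> 0)? */
int usable(const struct sigalg *sa, enum key_type kt, size_t key_bits)
{
	if (sa->kt != kt)
		return 0;
	/* PSS with salt length == hash length needs emLen >= 2*hLen + 2,
	 * where emLen = ceil((modBits - 1) / 8) (RFC 8017, section 9.1.1). */
	if (sa->pss && (key_bits + 6) / 8 < 2 * sa->hash_len + 2)
		return 0;
	return 1;
}

/* Walk the peer's list in order; key_bits == 0 models selecting at
 * extension-parse time, before the certificate key is known. */
uint16_t select_sigalg(const uint16_t *peer, size_t n, enum key_type kt, size_t key_bits)
{
	for (size_t i = 0; i < n; i++)
		for (size_t j = 0; j < N_KNOWN; j++)
			if (peer[i] == known[j].id &&
			    (key_bits == 0 || usable(&known[j], kt, key_bits)))
				return known[j].id;
	return 0;	/* no usable scheme in common */
}

int main(void)
{
	printf("at parse time:    0x%04x\n", (unsigned)select_sigalg(sample_peer, 4, KEY_RSA, 0));
	printf("RSA-1024 in hand: 0x%04x\n", (unsigned)select_sigalg(sample_peer, 4, KEY_RSA, 1024));
	return 0;
}
```

With a 1024-bit RSA key the early choice is rsa_pss_rsae_sha512, which needs a 130-byte encoded message and cannot fit in a 128-byte modulus; the deferred choice falls through to rsa_pss_rsae_sha384.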
