CVSROOT:        /cvs
Module name:    src
Changes by:     js...@cvs.openbsd.org  2019/03/25 11:21:19

Modified files:
        lib/libssl     : s3_lib.c ssl_clnt.c ssl_lib.c ssl_locl.h
                         ssl_sigalgs.c ssl_sigalgs.h ssl_srvr.c
                         ssl_tlsext.c tls13_client.c

Log message:
Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.
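
The difference between selecting at parse time and selecting once the key is known, as an added example that is not code from this commit or from libssl. All names (`select_sigalg`, `sigalg_key_ok`, `sample_peer`) are hypothetical, and the RSA size bounds used as the key-size check are the RFC 8017 encoding limits, assumed here as one instance of the problem the log message describes.

```c
#include <stdint.h>
#include <stdio.h>

enum key_type { KEY_RSA, KEY_ECDSA };
/* id: TLS SignatureScheme code point (RFC 8446); hash_len in bytes */
struct sigalg { uint16_t id; enum key_type kt; int pss; size_t hash_len; };

static const struct sigalg known[] = {
	{ 0x0806, KEY_RSA,   1, 64 },	/* rsa_pss_rsae_sha512 */
	{ 0x0805, KEY_RSA,   1, 48 },	/* rsa_pss_rsae_sha384 */
	{ 0x0804, KEY_RSA,   1, 32 },	/* rsa_pss_rsae_sha256 */
	{ 0x0401, KEY_RSA,   0, 32 },	/* rsa_pkcs1_sha256 */
	{ 0x0403, KEY_ECDSA, 0, 32 },	/* ecdsa_secp256r1_sha256 */
};

/* Constructed sample: a peer's signature_algorithms list, preference order. */
const uint16_t sample_peer[] = { 0x0806, 0x0805, 0x0804, 0x0401 };
const size_t sample_peer_len = sizeof(sample_peer) / sizeof(sample_peer[0]);

/* Hypothetical helper: can a key of this type and size (bytes) sign with sa? */
int sigalg_key_ok(const struct sigalg *sa, enum key_type kt, size_t key_bytes)
{
	if (sa->kt != kt)
		return 0;
	if (kt != KEY_RSA)
		return 1;	/* curve matching omitted in this sketch */
	if (sa->pss)		/* salt length = hash length: emLen >= 2*hLen + 2 */
		return key_bytes >= 2 * sa->hash_len + 2;
	return key_bytes >= 19 + sa->hash_len + 11; /* SHA-2 DigestInfo + padding */
}

/* Walk the stored list; have_key == 0 models "certificate not yet known". */
uint16_t select_sigalg(const uint16_t *peer, size_t n, int have_key,
    enum key_type kt, size_t key_bytes)
{
	for (size_t i = 0; i < n; i++)
		for (size_t j = 0; j < sizeof(known) / sizeof(known[0]); j++)
			if (known[j].id == peer[i] && (!have_key ||
			    sigalg_key_ok(&known[j], kt, key_bytes)))
				return known[j].id;
	return 0;	/* no usable scheme in the peer's list */
}

int main(void)
{
	printf("early:    0x%04x\n", (unsigned)select_sigalg(sample_peer, sample_peer_len, 0, KEY_RSA, 0));
	printf("deferred: 0x%04x\n", (unsigned)select_sigalg(sample_peer, sample_peer_len, 1, KEY_RSA, 128));
	return 0;
}
```

With a 1024-bit RSA key (128 bytes), the early choice is a scheme the key cannot produce a signature for, while the deferred walk over the same stored list skips it and returns the next usable one.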