Modify sigalgs extension processing for TLS 1.3.

- Make a separate sigalgs list for TLS 1.3 including only modern algorithm choices which we use when the handshake will not negotiate TLS 1.2 - Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2 ok jsing@ tb@
author: beck <beck@openbsd.org> 2019-01-23 16:46:04 +0000
committer: beck <beck@openbsd.org> 2019-01-23 16:46:04 +0000
commit: fbffb3299c3edc0e008406dc9acac58f5594204c (patch)
tree: e88678280031c95538552db5cee544d347c93e36 /lib/libssl/ssl_clnt.c
parent: Remove uneeded header. (diff)
download: wireguard-openbsd-fbffb3299c3edc0e008406dc9acac58f5594204c.tar.xz
wireguard-openbsd-fbffb3299c3edc0e008406dc9acac58f5594204c.zip
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index acc48389c07..ee26a200b14 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.52 2019/01/18 00:54:42 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.53 2019/01/23 16:46:04 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1680,7 +1680,8 @@ ssl3_get_certificate_request(SSL *s)
 			SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
 			goto err;
 		}
-		if (!tls1_process_sigalgs(s, &sigalgs)) {
+		if (!tls1_process_sigalgs(s, &sigalgs, tls12_sigalgs,
+		    tls12_sigalgs_len)) {
 			ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
 			SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
 			goto err;
author	beck <beck@openbsd.org>	2019-01-23 16:46:04 +0000
committer	beck <beck@openbsd.org>	2019-01-23 16:46:04 +0000
commit	fbffb3299c3edc0e008406dc9acac58f5594204c (patch)
tree	e88678280031c95538552db5cee544d347c93e36 /lib/libssl/ssl_clnt.c
parent	Remove uneeded header. (diff)
download	wireguard-openbsd-fbffb3299c3edc0e008406dc9acac58f5594204c.tar.xz wireguard-openbsd-fbffb3299c3edc0e008406dc9acac58f5594204c.zip