diff options
| author |   jsing <jsing@openbsd.org> | 2019-03-25 17:21:18 +0000 |
|---|---|---|
| committer | jsing <jsing@openbsd.org> | 2019-03-25 17:21:18 +0000 |
| commit | 96b13b45524b5752bdf903f51661790288f40746 (patch) | |
| tree | d2d95e01a29dad12804e56b06ea8005958cd61ee /lib/libssl/t1_lib.c | |
| parent | Rework ssl_ctx_use_certificate_chain_bio() to use the CERT_PKEY chain. (diff) | |
| download | wireguard-openbsd-96b13b45524b5752bdf903f51661790288f40746.tar.xz wireguard-openbsd-96b13b45524b5752bdf903f51661790288f40746.zip | |
Defer sigalgs selection until the certificate is known.
Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).
Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.
Joint work with beck@.
Diffstat (limited to 'lib/libssl/t1_lib.c')
0 files changed, 0 insertions, 0 deletions