Improve server certificate selection for TLSv1.3.

This allows an EC certificate to be selected and used, if the client
sigalgs would allow it.

With feedback from tb@

ok inoguchi@ tb@

1 files changed, 11 insertions, 7 deletions

diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 046c4bba52..e7e3e56154 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.276 2020/05/29 17:39:42 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.277 2020/05/29 18:00:10 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -435,6 +435,12 @@ typedef struct ssl_handshake_st {
         uint8_t *sigalgs;
 } SSL_HANDSHAKE;
 
+typedef struct cert_pkey_st {
+        X509 *x509;
+        EVP_PKEY *privatekey;
+        STACK_OF(X509) *chain;
+} CERT_PKEY;
+
 typedef struct ssl_handshake_tls13_st {
         uint16_t min_version;
         uint16_t max_version;
@@ -443,6 +449,10 @@ typedef struct ssl_handshake_tls13_st {
         int use_legacy;
         int hrr;
 
+        /* Certificate and sigalg selected for use (static pointers). */
+        const CERT_PKEY *cpk;
+        const struct ssl_sigalg *sigalg;
+
         /* Version proposed by peer server. */
         uint16_t server_version;
 
@@ -985,12 +995,6 @@ typedef struct dtls1_state_internal_st {
 } DTLS1_STATE_INTERNAL;
 #define D1I(s) (s->d1->internal)
 
-typedef struct cert_pkey_st {
-        X509 *x509;
-        EVP_PKEY *privatekey;
-        STACK_OF(X509) *chain;
-} CERT_PKEY;
-
 typedef struct cert_st {
         /* Current active set */
         CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array