Change ssl_sigalgs_build() to perform sigalg list selection.

Rather that doing sigalg list selection at every call site, pass in the
appropriate TLS version and have ssl_sigalgs_build() perform the sigalg
list selection itself. This reduces code duplication, simplifies the
calling code and is the first step towards internalising the sigalg lists.

ok tb@

1 files changed, 5 insertions, 3 deletions

diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index c4bcd228ef..93fd8cfb85 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.111 2021/05/16 14:10:43 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.112 2021/06/27 17:59:17 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1671,9 +1671,11 @@ ssl3_send_certificate_request(SSL *s)
                         goto err;
 
                 if (SSL_USE_SIGALGS(s)) {
-                        if (!CBB_add_u16_length_prefixed(&cert_request, &sigalgs))
+                        if (!CBB_add_u16_length_prefixed(&cert_request,
+                            &sigalgs))
                                 goto err;
-                        if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))
+                        if (!ssl_sigalgs_build(
+                            S3I(s)->hs.negotiated_tls_version, &sigalgs))
                                 goto err;
                 }