From e54e43a6f31368338de68eeea77a87ad2be5b85f Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Mon, 25 Mar 2019 17:21:18 +0000
Subject: Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was parsed (or the client received a certificate request), however the actual certificate to be used is not known at this stage. This leads to various problems, including the selection of a signature algorithm that cannot be used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature algorithm when we're ready to do signature generation.

Joint work with beck@.
---
 src/lib/libssl/tls13_client.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/lib/libssl/tls13_client.c')

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 56faf3f5d4..5b4ecdb47d 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.13 2019/02/28 17:51:19 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.14 2019/03/25 17:21:18 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing
  *
@@ -527,7 +527,7 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx)
 		goto err;
 	if ((pkey = X509_get0_pubkey(cert)) == NULL)
 		goto err;
-	if (!ssl_sigalg_pkey_ok(sigalg, pkey))
+	if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1))
 		goto err;
 
 	if (CBS_len(&signature) > EVP_PKEY_size(pkey))
-- 
cgit v1.2.3-55-g6feb
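Review bot: The new third argument to `ssl_sigalg_pkey_ok()` is passed as a bare `1`, so a reader of the call site in tls13_server_certificate_verify_recv() cannot tell what the flag enables without opening the callee. Given the commit's stated motivation (a selected sigalg that cannot be used with the certificate key size), this presumably switches on a key-constraint check against the server's certificate key, but the hunk itself does not show the callee's semantics. A short comment at the call would document the intent, e.g. `/* check sigalg is usable with the server cert key (TODO: confirm flag meaning in ssl_sigalg_pkey_ok()) */`, or a named constant declared alongside `ssl_sigalg_pkey_ok()` would make the literal self-describing at every call site. The enclosing function starts and ends outside the hunk.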