Configure verify/sign signature algorithms in Go separately.
This way we can test failing client auth without having to worry about
first getting through server auth.
Change-Id: Iaf996d87ac3df702a17e76c26006ca9b2a5bdd1f
Reviewed-on: https://boringssl-review.googlesource.com/8721
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index d04486f..86b103c 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -233,7 +233,7 @@
}
if config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
- hs.clientHello.signatureAlgorithms = config.signatureAlgorithmsForServer()
+ hs.clientHello.signatureAlgorithms = config.signSignatureAlgorithms()
}
if config.Bugs.IgnorePeerCurvePreferences {
hs.clientHello.supportedCurves = config.curvePreferences()
@@ -626,7 +626,7 @@
if c.vers >= VersionTLS12 {
certReq.hasSignatureAlgorithm = true
if !config.Bugs.NoSignatureAlgorithms {
- certReq.signatureAlgorithms = config.signatureAlgorithmsForServer()
+ certReq.signatureAlgorithms = config.verifySignatureAlgorithms()
}
}
@@ -742,7 +742,7 @@
var sigAlg signatureAlgorithm
if certVerify.hasSignatureAlgorithm {
sigAlg = certVerify.signatureAlgorithm
- if !isSupportedSignatureAlgorithm(sigAlg, config.signatureAlgorithmsForServer()) {
+ if !isSupportedSignatureAlgorithm(sigAlg, config.verifySignatureAlgorithms()) {
return errors.New("tls: unsupported signature algorithm for client certificate")
}
c.peerSignatureAlgorithm = sigAlg