Fix Go TLS 1.3 sigalg handling.
The TLS 1.3 CertificateRequest code advertised the signing set, not the
verify set. It also wasn't saving the peer's signature algorithm.
Change-Id: I62247d5703e30d8463c92f3d597dbeb403b355ae
Reviewed-on: https://boringssl-review.googlesource.com/8774
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index 4660726..c9081ac 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -411,7 +411,7 @@
hasRequestContext: true,
}
if !config.Bugs.NoSignatureAlgorithms {
- certReq.signatureAlgorithms = config.signSignatureAlgorithms()
+ certReq.signatureAlgorithms = config.verifySignatureAlgorithms()
}
// An empty list of certificateAuthorities signals to
@@ -519,6 +519,7 @@
return unexpectedMessageError(certVerify, msg)
}
+ c.peerSignatureAlgorithm = certVerify.signatureAlgorithm
input := hs.finishedHash.certificateVerifyInput(clientCertificateVerifyContextTLS13)
if err := verifyMessage(c.vers, pub, config, certVerify.signatureAlgorithm, input, certVerify.signature); err != nil {
c.sendAlert(alertBadCertificate)
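Review bot: `c.peerSignatureAlgorithm` is assigned before `verifyMessage` has accepted the signature, so on the failure path the connection holds an algorithm value the peer only claimed. The handshake presumably returns an error right after the alert (that return is outside the hunk), so this is likely harmless in the test runner. Still, any test expectation or log that reads the field after a failed handshake would see unverified data. Consider moving `c.peerSignatureAlgorithm = certVerify.signatureAlgorithm` to just after the `verifyMessage` error check, or keep the order and add a comment such as `// Recorded before verification; only meaningful if the handshake completes.` The enclosing function starts and ends outside the hunk.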