Fix Go TLS 1.3 sigalg handling.

The TLS 1.3 CertificateRequest code advertised the signing set, not the
verify set. It also wasn't saving the peer's signature algorithm.

Change-Id: I62247d5703e30d8463c92f3d597dbeb403b355ae
Reviewed-on: https://boringssl-review.googlesource.com/8774
Reviewed-by: David Benjamin <davidben@google.com>
David Benjamin 2016-07-13 21:18:49 -04:00
parent bbfff7cb75
commit f74ec79f96
2 changed files with 3 additions and 1 deletions


@ -567,6 +567,7 @@ func (hs *clientHandshakeState) doTLS13Handshake() error {
return unexpectedMessageError(certVerifyMsg, msg)
}
c.peerSignatureAlgorithm = certVerifyMsg.signatureAlgorithm
input := hs.finishedHash.certificateVerifyInput(serverCertificateVerifyContextTLS13)
err = verifyMessage(c.vers, leaf.PublicKey, c.config, certVerifyMsg.signatureAlgorithm, input, certVerifyMsg.signature)
if err != nil {
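Review bot: `c.peerSignatureAlgorithm` is set before `verifyMessage` has accepted the CertificateVerify, so the connection state records an algorithm the peer only claimed to use. The `+` markers are lost on this page, so this assumes the assignment is the added line. The same ordering appears in the server-side hunk at `-519,6 +519,7`. This is harmless if every error path aborts the handshake, but both functions continue outside their hunks, so that cannot be confirmed here. Consider moving the assignment below the successful verify, or documenting the intent with a comment such as `// Recorded before verification; only meaningful if the handshake completes.`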


@ -411,7 +411,7 @@ Curves:
hasRequestContext: true,
}
if !config.Bugs.NoSignatureAlgorithms {
certReq.signatureAlgorithms = config.signSignatureAlgorithms()
certReq.signatureAlgorithms = config.verifySignatureAlgorithms()
}
// An empty list of certificateAuthorities signals to
@ -519,6 +519,7 @@ Curves:
return unexpectedMessageError(certVerify, msg)
}
c.peerSignatureAlgorithm = certVerify.signatureAlgorithm
input := hs.finishedHash.certificateVerifyInput(clientCertificateVerifyContextTLS13)
if err := verifyMessage(c.vers, pub, config, certVerify.signatureAlgorithm, input, certVerify.signature); err != nil {
c.sendAlert(alertBadCertificate)