diff options
author | Matt Caswell <matt@openssl.org> | 2024-04-30 14:31:26 +0100 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2024-05-06 10:45:30 +0200 |
commit | 8cdda690348d281abb75b787a436cd1c9462a9fd (patch) | |
tree | 459bf0686ea2e295dc2e9ee87dadc9f23a05bbdb | |
parent | 6f8ebfb9f73adbb9a2ad74c5d2cf5d4d056dfa71 (diff) |
Set the server sig algs before calling the session_secret_cb
Setting the server sig algs sets up the certificate "s3->tmp.valid_flags".
These are needed when calling ssl3_choose_cipher() which can happen
immediately after calling the session_secret_cb
Fixes #24213
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24309)
(cherry picked from commit 91c7ab27cebe4e6f6a6376e0a691736a2534fdd0)
-rw-r--r-- | ssl/statem/statem_srvr.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index d5f0ab091d..fb38c3e22f 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -1979,6 +1979,11 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) } } + if (!s->hit && !tls1_set_server_sigalgs(s)) { + /* SSLfatal() already called */ + goto err; + } + if (!s->hit && s->version >= TLS1_VERSION && !SSL_CONNECTION_IS_TLS13(s) @@ -2130,10 +2135,6 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) #else s->session->compress_meth = (comp == NULL) ? 0 : comp->id; #endif - if (!tls1_set_server_sigalgs(s)) { - /* SSLfatal() already called */ - goto err; - } } sk_SSL_CIPHER_free(ciphers); |