Set the server sig algs before calling the session_secret_cb

Setting the server sig algs sets up the certificate "s3->tmp.valid_flags". These are needed when calling ssl3_choose_cipher() which can happen immediately after calling the session_secret_cb Fixes #24213 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24309)
author: Matt Caswell <matt@openssl.org> 2024-04-30 14:31:26 +0100
committer: Tomas Mraz <tomas@openssl.org> 2024-05-06 10:44:14 +0200
commit: 91c7ab27cebe4e6f6a6376e0a691736a2534fdd0 (patch)
tree: 5154718f324d38be13645dd23766a892513997d7 /ssl
parent: c8dddc61d49f84d1667de97e9548f07ccc92dddf (diff)
1 files changed, 5 insertions, 4 deletions
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 47855da5bd..1c38548fe0 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1959,6 +1959,11 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s)
         }
     }
 
+    if (!s->hit && !tls1_set_server_sigalgs(s)) {
+        /* SSLfatal() already called */
+        goto err;
+    }
+
     if (!s->hit
             && s->version >= TLS1_VERSION
             && !SSL_CONNECTION_IS_TLS13(s)
@@ -2110,10 +2115,6 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s)
 #else
         s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
 #endif
-        if (!tls1_set_server_sigalgs(s)) {
-            /* SSLfatal() already called */
-            goto err;
-        }
     }
 
     sk_SSL_CIPHER_free(ciphers);
author	Matt Caswell <matt@openssl.org>	2024-04-30 14:31:26 +0100
committer	Tomas Mraz <tomas@openssl.org>	2024-05-06 10:44:14 +0200
commit	91c7ab27cebe4e6f6a6376e0a691736a2534fdd0 (patch)
tree	5154718f324d38be13645dd23766a892513997d7 /ssl
parent	c8dddc61d49f84d1667de97e9548f07ccc92dddf (diff)