From 8112c1236d7030ed37e5b97c3ee8c8301cb64d06 Mon Sep 17 00:00:00 2001
From: Sean Parkinson <sean@wolfssl.com>
Date: Tue, 16 Jul 2019 14:59:01 +1000
Subject: [PATCH] Don't pick RSA PSS if not compiled in

---
 src/internal.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index 05d5f1382..d3433b4e1 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -2014,21 +2014,24 @@ static WC_INLINE void AddSuiteHashSigAlgo(Suites* suites, byte macAlgo, byte sig
 #endif /* USE_ECDSA_KEYSZ_HASH_ALGO */
 
     if (addSigAlgo) {
+#ifdef WC_RSA_PSS
         if (sigAlgo == rsa_pss_sa_algo) {
             /* RSA PSS is sig then mac */
             suites->hashSigAlgo[*inOutIdx] = sigAlgo;
             *inOutIdx += 1;
             suites->hashSigAlgo[*inOutIdx] = macAlgo;
             *inOutIdx += 1;
-#ifdef WOLFSSL_TLS13
+    #ifdef WOLFSSL_TLS13
             /* Add the certificate algorithm as well */
             suites->hashSigAlgo[*inOutIdx] = sigAlgo;
             *inOutIdx += 1;
             suites->hashSigAlgo[*inOutIdx] = PSS_RSAE_TO_PSS_PSS(macAlgo);
             *inOutIdx += 1;
-#endif
+    #endif
         }
-        else {
+        else
+#endif
+        {
             suites->hashSigAlgo[*inOutIdx] = macAlgo;
             *inOutIdx += 1;
             suites->hashSigAlgo[*inOutIdx] = sigAlgo;
@@ -17119,8 +17122,13 @@ int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz)
         }
         else
     #endif
+    #ifdef WC_RSA_PSS
         if (sigAlgo == ssl->suites->sigAlgo || (sigAlgo == rsa_pss_sa_algo &&
-                                         ssl->suites->sigAlgo == rsa_sa_algo)) {
+                                           ssl->suites->sigAlgo == rsa_sa_algo))
+    #else
+        if (sigAlgo == ssl->suites->sigAlgo)
+    #endif
+        {
             /* pick highest available between both server and client */
             switch (hashAlgo) {
                 case sha_mac:
@@ -21258,6 +21266,7 @@ int SendCertificateVerify(WOLFSSL* ssl)
                 /* prepend hdr */
                 c16toa(args->length, args->verify + args->extraSz);
             }
+            #ifdef WC_RSA_PSS
             else if (args->sigAlgo == rsa_pss_sa_algo) {
                 XMEMCPY(ssl->buffers.sig.buffer, ssl->buffers.digest.buffer,
                         ssl->buffers.digest.length);
@@ -21267,6 +21276,7 @@ int SendCertificateVerify(WOLFSSL* ssl)
                 /* prepend hdr */
                 c16toa(args->length, args->verify + args->extraSz);
             }
+            #endif
         #endif /* !NO_RSA */
         #if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)
             if (args->sigAlgo == ed25519_sa_algo) {