Merge pull request #8356 from kareem-wolfssl/gh8355

Properly check for signature_algorithms from the client in a TLS 1.3 server.
2025-01-15 05:54:01 +10:00
parent e037e0875d 9f5c89ab4b
commit e76186f060
1 changed files with 3 additions and 1 deletions
--- a/src/tls13.c
+++ b/src/tls13.c
@ -7053,7 +7053,9 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
            WOLFSSL_MSG("Client did not send a KeyShare extension");
            ERROR_OUT(INCOMPLETE_DATA, exit_dch);
        }
-        if (TLSX_Find(ssl->extensions, TLSX_SIGNATURE_ALGORITHMS) == NULL) {
+        /* Can't check ssl->extensions here as SigAlgs are unconditionally
+           set by TLSX_PopulateExtensions */
+        if (args->clSuites->hashSigAlgoSz == 0) {
            WOLFSSL_MSG("Client did not send a SignatureAlgorithms extension");
            ERROR_OUT(INCOMPLETE_DATA, exit_dch);
        }