From f7f3ba9c768300e871ce6a4ef86e94bfc69c888c Mon Sep 17 00:00:00 2001
From: jordan
Date: Wed, 3 Jul 2024 11:59:18 -0500
Subject: [PATCH] check hashsigalgo matches ssl suites on client side.

---
 src/internal.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/internal.c b/src/internal.c
index 0423e86e8..982502be2 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -31104,6 +31104,15 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
 ERROR_OUT(BUFFER_ERROR, exit_dske);
 }
 
+ /* Check if hashSigAlgo in Server Key Exchange is supported
+ * in our ssl->suites or ssl->ctx->suites. */
+ if (!SupportedHashSigAlgo(ssl, &input[args->idx])) {
+ #ifdef WOLFSSL_EXTRA_ALERTS
+ SendAlert(ssl, alert_fatal, handshake_failure);
+ #endif
+ ERROR_OUT(MATCH_SUITE_ERROR, exit_dske);
+ }
+
 DecodeSigAlg(&input[args->idx], &ssl->options.peerHashAlgo, &sigAlgo);
 
 #ifndef NO_RSA
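Review bot: The new rejection branch fails the handshake with MATCH_SUITE_ERROR but logs nothing, so a client that hits it reports an error code indistinguishable from an ordinary cipher-suite mismatch; add `WOLFSSL_MSG("Server Key Exchange hashSigAlgo not in our suites");` as the first statement inside the `if (!SupportedHashSigAlgo(...))` block so the failure is attributable to the server's signature-algorithm choice. The check itself is the right control: RFC 5246 §7.4.3 requires the server's signature/hash pair to be one the client listed in signature_algorithms, and rejecting an unadvertised pair before DecodeSigAlg stores it in ssl->options.peerHashAlgo stops a server from steering the client onto an algorithm it never offered. The BUFFER_ERROR check just above is presumably what guarantees two bytes are readable at `&input[args->idx]` before SupportedHashSigAlgo reads them, but DoServerKeyExchange and its earlier length checks begin outside this hunk, so that cannot be confirmed here; SupportedHashSigAlgo is also not defined in this patch and is assumed to already exist. Emitting the alert only under WOLFSSL_EXTRA_ALERTS appears consistent with how the surrounding code treats alerts, so no change is suggested there.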