Set useRsaPss flag in both SSL and CTX structures

2026-01-26 18:52:25 +01:00 · 2025-11-26 10:30:38 -05:00
parent d766b82bac
commit 36418aca76
4 changed files with 13 additions and 5 deletions
--- a/src/internal.c
+++ b/src/internal.c
@@ -6983,6 +6983,9 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
 #endif
 #ifndef NO_RSA
    ssl->options.minRsaKeySz = ctx->minRsaKeySz;
+  #ifdef WC_RSA_PSS
+    ssl->useRsaPss = ctx->useRsaPss;
+  #endif
 #endif
 #ifdef HAVE_ECC
    ssl->options.minEccKeySz = ctx->minEccKeySz;
--- a/src/ssl_load.c
+++ b/src/ssl_load.c
@@ -1625,10 +1625,12 @@ static int ProcessBufferCertPublicKey(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
                    ctx->minRsaKeySz, RSA_MAX_SIZE / 8, keySz, RSA_KEY_SIZE_E);
            }
    #ifdef WC_RSA_PSS
-            if (ssl)
-                ssl->ctx->useRsaPss = cert->keyOID == RSAPSSk;
-            else
+            if (ssl) {
+                ssl->useRsaPss = cert->keyOID == RSAPSSk;
+            }
+            if (ctx) {
                ctx->useRsaPss = cert->keyOID == RSAPSSk;
+            }
    #endif
            break;
 #endif /* !NO_RSA */
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -7907,7 +7907,7 @@ static WC_INLINE void EncodeSigAlg(const WOLFSSL * ssl, byte hashAlgo, byte hsTy
            /* If the private key uses the RSA-PSS OID, and the peer supports
             * the rsa_pss_pss_* signature algorithm in use, then report
             * rsa_pss_pss_* rather than rsa_pss_rsae_*. */
-            if (ssl->ctx->useRsaPss &&
+            if (ssl->useRsaPss &&
                ((ssl->pssAlgo & (1U << hashAlgo)) != 0U) &&
                (sha256_mac <= hashAlgo) && (hashAlgo <= sha512_mac))
            {
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -3908,7 +3908,7 @@ struct WOLFSSL_CTX {
 #ifndef NO_RSA
    short       minRsaKeySz;      /* minimum RSA key size */
 #ifdef WC_RSA_PSS
-    word8       useRsaPss;
+    word8       useRsaPss;        /* cert supports RSA-PSS */
 #endif
 #endif
 #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
@@ -5941,6 +5941,9 @@ struct WOLFSSL {
    byte*           peerSceTsipEncRsaKeyIndex;
 #endif
    byte            peerRsaKeyPresent;
+#ifdef WC_RSA_PSS
+    word8           useRsaPss;           /* cert supports RSA-PSS */
+#endif
 #endif
 #if defined(WOLFSSL_TLS13) || defined(HAVE_FFDHE)
    word16          namedGroup;