Need to move sigalg check down because it does not consider hybrids.

This commit is contained in:
Anthony Hu
2025-11-21 21:28:03 -05:00
parent 59f4fa5686
commit a765bbdb79
+12 -12
View File
@@ -10215,18 +10215,6 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
ERROR_OUT(BUFFER_ERROR, exit_dcv);
}
validSigAlgo = 0;
for (i = 0; i < suites->hashSigAlgoSz; i += 2) {
if ((suites->hashSigAlgo[i + 0] == input[args->idx + 0]) &&
(suites->hashSigAlgo[i + 1] == input[args->idx + 1])) {
validSigAlgo = 1;
break;
}
}
if (!validSigAlgo) {
ERROR_OUT(INVALID_PARAMETER, exit_dcv);
}
#ifdef WOLFSSL_DUAL_ALG_CERTS
if (ssl->peerSigSpec == NULL) {
/* The peer did not respond. We didn't send CKS or they don't
@@ -10243,6 +10231,18 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_NATIVE ||
*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_ALTERNATIVE) {
#endif /* WOLFSSL_DUAL_ALG_CERTS */
validSigAlgo = 0;
for (i = 0; i < suites->hashSigAlgoSz; i += 2) {
if ((suites->hashSigAlgo[i + 0] == input[args->idx + 0]) &&
(suites->hashSigAlgo[i + 1] == input[args->idx + 1])) {
validSigAlgo = 1;
break;
}
}
if (!validSigAlgo) {
ERROR_OUT(INVALID_PARAMETER, exit_dcv);
}
ret = DecodeTls13SigAlg(input + args->idx,
&ssl->options.peerHashAlgo, &ssl->options.peerSigAlgo);
#ifdef WOLFSSL_DUAL_ALG_CERTS