Move isSupportedSignatureAlgorithm calls to verifyMessage in Go. Saves worrying about forgetting it. (And indeed I forgot it in the TLS 1.3 code.) Change-Id: Ibb55a83eddba675da64b7cf2c45eac6348c97784 Reviewed-on: https://boringssl-review.googlesource.com/8722 Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go index 86b103c..eecb4fc 100644 --- a/ssl/test/runner/handshake_server.go +++ b/ssl/test/runner/handshake_server.go
@@ -742,9 +742,6 @@ var sigAlg signatureAlgorithm if certVerify.hasSignatureAlgorithm { sigAlg = certVerify.signatureAlgorithm - if !isSupportedSignatureAlgorithm(sigAlg, config.verifySignatureAlgorithms()) { - return errors.New("tls: unsupported signature algorithm for client certificate") - } c.peerSignatureAlgorithm = sigAlg }
diff --git a/ssl/test/runner/key_agreement.go b/ssl/test/runner/key_agreement.go index 722fc97..9b65fcb 100644 --- a/ssl/test/runner/key_agreement.go +++ b/ssl/test/runner/key_agreement.go
@@ -472,9 +472,6 @@ } sigAlg = signatureAlgorithm(sig[0])<<8 | signatureAlgorithm(sig[1]) sig = sig[2:] - if !isSupportedSignatureAlgorithm(sigAlg, config.verifySignatureAlgorithms()) { - return errors.New("tls: unsupported signature algorithm for ServerKeyExchange") - } // Stash the signature algorithm to be extracted by the handshake. ka.peerSignatureAlgorithm = sigAlg }
diff --git a/ssl/test/runner/sign.go b/ssl/test/runner/sign.go index 6a53958..265f8d0 100644 --- a/ssl/test/runner/sign.go +++ b/ssl/test/runner/sign.go
@@ -60,6 +60,10 @@ } func verifyMessage(version uint16, key crypto.PublicKey, config *Config, sigAlg signatureAlgorithm, msg, sig []byte) error { + if version >= VersionTLS12 && !isSupportedSignatureAlgorithm(sigAlg, config.verifySignatureAlgorithms()) { + return errors.New("tls: unsupported signature algorithm for ServerKeyExchange") + } + signer, err := getSigner(version, key, config, sigAlg) if err != nil { return err