Merge pull request #8356 from kareem-wolfssl/gh8355

Properly check for signature_algorithms from the client in a TLS 1.3 server.
wolfSSL · Jan 14, 2025 · e76186f · e76186f
2 parents e037e08 + 9f5c89a
commit e76186f
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/src/tls13.c b/src/tls13.c
@@ -7053,7 +7053,9 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
             WOLFSSL_MSG("Client did not send a KeyShare extension");
             ERROR_OUT(INCOMPLETE_DATA, exit_dch);
         }
-        if (TLSX_Find(ssl->extensions, TLSX_SIGNATURE_ALGORITHMS) == NULL) {
+        /* Can't check ssl->extensions here as SigAlgs are unconditionally
+           set by TLSX_PopulateExtensions */
+        if (args->clSuites->hashSigAlgoSz == 0) {
             WOLFSSL_MSG("Client did not send a SignatureAlgorithms extension");
             ERROR_OUT(INCOMPLETE_DATA, exit_dch);
         }