Separate client and server permitted signature algorithm support: by default the permitted signature algorithms for server and client authentication are the same but it is now possible to set different algorithms for client authentication only.
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 7d10941..2c6e1ad 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c
@@ -3415,10 +3415,16 @@ break; case SSL_CTRL_SET_SIGALGS: - return tls1_set_sigalgs(s->cert, parg, larg); + return tls1_set_sigalgs(s->cert, parg, larg, 0); case SSL_CTRL_SET_SIGALGS_LIST: - return tls1_set_sigalgs_list(s->cert, parg); + return tls1_set_sigalgs_list(s->cert, parg, 0); + + case SSL_CTRL_SET_CLIENT_SIGALGS: + return tls1_set_sigalgs(s->cert, parg, larg, 1); + + case SSL_CTRL_SET_CLIENT_SIGALGS_LIST: + return tls1_set_sigalgs_list(s->cert, parg, 1); default: break; @@ -3703,10 +3709,16 @@ break; case SSL_CTRL_SET_SIGALGS: - return tls1_set_sigalgs(ctx->cert, parg, larg); + return tls1_set_sigalgs(ctx->cert, parg, larg, 0); case SSL_CTRL_SET_SIGALGS_LIST: - return tls1_set_sigalgs_list(ctx->cert, parg); + return tls1_set_sigalgs_list(ctx->cert, parg, 0); + + case SSL_CTRL_SET_CLIENT_SIGALGS: + return tls1_set_sigalgs(ctx->cert, parg, larg, 1); + + case SSL_CTRL_SET_CLIENT_SIGALGS_LIST: + return tls1_set_sigalgs_list(ctx->cert, parg, 1); case SSL_CTRL_SET_TLSEXT_AUTHZ_SERVER_AUDIT_PROOF_CB_ARG: ctx->tlsext_authz_server_audit_proof_cb_arg = parg;