Use tls_choose_sigalg for client auth. For client auth call tls_choose_sigalg to select the certificate and signature algorithm. Use the selected algorithm in tls_construct_cert_verify. Remove obsolete tls12_get_sigandhash. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2643)

commit: ad4dd362e036b8481d51e1bfc6e9322b6cf074dc [log] [tgz]
author: Dr. Stephen Henson <steve@openssl.org> Wed Feb 15 16:23:49 2017 +0000
committer: Dr. Stephen Henson <steve@openssl.org> Thu Feb 16 16:43:44 2017 +0000
tree: 2481f0f1db2e133c493306b2155c9cdf55b34b83
parent: 717a265aa5f618fb30f857f240f6b2b0ab7ad4c7 [diff] [blame]
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 8ca3c4c..4923e24 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c

@@ -3090,10 +3090,8 @@
  */
 static int ssl3_check_client_certificate(SSL *s)
 {
-    if (!s->cert || !s->cert->key->x509 || !s->cert->key->privatekey)
-        return 0;
     /* If no suitable signature algorithm can't use certificate */
-    if (SSL_USE_SIGALGS(s) && !s->s3->tmp.md[s->cert->key - s->cert->pkeys])
+    if (!tls_choose_sigalg(s, NULL) || s->s3->tmp.sigalg == NULL)
         return 0;
     /*
      * If strict mode check suitability of chain before using it. This also
commit	ad4dd362e036b8481d51e1bfc6e9322b6cf074dc	[log] [tgz]
author	Dr. Stephen Henson <steve@openssl.org>	Wed Feb 15 16:23:49 2017 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	Thu Feb 16 16:43:44 2017 +0000
tree	2481f0f1db2e133c493306b2155c9cdf55b34b83
parent	717a265aa5f618fb30f857f240f6b2b0ab7ad4c7 [diff] [blame]