]> Cypherpunks.ru repositories - gostls13.git/blobdiff - src/crypto/tls/auth.go
projects / gostls13.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
[dev.boringcrypto] all: merge commit 9d0819b27c (CL 314609) into dev.boringcrypto
[gostls13.git] / src / crypto / tls / auth.go
diff --git a/src/crypto/tls/auth.go b/src/crypto/tls/auth.go
index a9df0da6d624b1b39b3b0813a93573e0319e1ac1..7c5675c6d933bb88dc53153f2b94bdf2920b824d 100644 (file)
--- a/src/crypto/tls/auth.go
+++ b/src/crypto/tls/auth.go
@@ -169,6 +169,7 @@ var rsaSignatureSchemes = []struct {
 // and optionally filtered by its explicit SupportedSignatureAlgorithms.
 //
 // This function must be kept in sync with supportedSignatureAlgorithms.
+// FIPS filtering is applied in the caller, selectSignatureScheme.
 func signatureSchemesForCertificate(version uint16, cert *Certificate) []SignatureScheme {
        priv, ok := cert.PrivateKey.(crypto.Signer)
        if !ok {
@@ -241,6 +242,9 @@ func selectSignatureScheme(vers uint16, c *Certificate, peerAlgs []SignatureSche
        // Pick signature scheme in the peer's preference order, as our
        // preference order is not configurable.
        for _, preferredAlg := range peerAlgs {
+               if needFIPS() && !isSupportedSignatureAlgorithm(preferredAlg, fipsSupportedSignatureAlgorithms) {
+                       continue
+               }
                if isSupportedSignatureAlgorithm(preferredAlg, supportedAlgs) {
                        return preferredAlg, nil
                }
Go GOST TLS 1.3