[dev.boringcrypto] all: merge master into dev.boringcrypto

[gostls13.git] / src / crypto / tls / handshake_server.go

diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go
index f8dd630a04b796feb74e07a6e1b3748101126d66..5b1aa64166b30b783b084050e2ff3bb8709612e9 100644 (file)
--- a/src/crypto/tls/handshake_server.go
+++ b/src/crypto/tls/handshake_server.go
@@ -419,7 +419,7 @@ func (hs *serverHandshakeState) doFullHandshake() error {
                }
                if c.vers >= VersionTLS12 {
                        certReq.hasSignatureAndHash = true
-                       certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms
+                       certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
                }
 
                // An empty list of certificateAuthorities signals to
@@ -524,7 +524,7 @@ func (hs *serverHandshakeState) doFullHandshake() error {
                var sigType uint8
                if certVerify.hasSignatureAndHash {
                        signatureAlgorithm = certVerify.signatureAlgorithm
-                       if !isSupportedSignatureAlgorithm(signatureAlgorithm, supportedSignatureAlgorithms) {
+                       if !isSupportedSignatureAlgorithm(signatureAlgorithm, supportedSignatureAlgorithms()) {
                                return errors.New("tls: unsupported hash function for client certificate")
                        }
                        sigType = signatureFromSignatureScheme(signatureAlgorithm)
@@ -722,6 +722,8 @@ func (hs *serverHandshakeState) processCertsFromClient(certificates [][]byte) (c
 
        if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
                opts := x509.VerifyOptions{
+                       IsBoring: isBoringCertificate,
+
                        Roots:         c.config.ClientCAs,
                        CurrentTime:   c.config.time(),
                        Intermediates: x509.NewCertPool(),