aws / s2n-tls

An implementation of the TLS/SSL protocols
https://aws.github.io/s2n-tls/usage-guide/
Apache License 2.0

Avoid storing signature schemes in a separate buffer #4543

Open goatgoose opened 4 months ago

goatgoose commented 4 months ago

Problem:

Currently the peer's signature schemes are read into the iana_list buffer. This limits the number of possible signature schemes the peer is allowed to send, since the buffer has a fixed size. If too many signature schemes are received, the connection fails.

Solution:

Rather than copy the signature schemes into a separate buffer, the signature schemes should instead be read straight from the client hello/certificate request.

lrstewart commented 4 months ago

In case it helps: I started on this last year but I guess never finished it: https://github.com/aws/s2n-tls/commit/e088cb7079a39825f3aeddfab90cd014a0a44340 I'm not sure why I thought skipping extensions was necessary there, though; we should just be able to have a separate "process" method we call after receiving the extension, like we do to calculate the PSK binders.
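The trade-off discussed in this issue, as an added example (not s2n-tls code and not taken from the linked commit): copying the peer's list into a fixed-size array rejects a long offer, while keeping a view into the received message and selecting from it afterwards does not. `FIXED_LIST_MAX`, `scheme_view` and the function names are hypothetical, and the sample extension bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define FIXED_LIST_MAX 4 /* hypothetical cap, kept small for the demo */

/* View into the received message; valid only while that message buffer lives. */
struct scheme_view { const uint8_t *data; size_t len; };
/* Local preferences, most preferred first: rsa_pss_rsae_sha256, ecdsa_secp256r1_sha256. */
static const uint16_t local_prefs[] = { 0x0804, 0x0403 };

/* Constructed extension body: 2-byte list length, then six 2-byte schemes. */
static const uint8_t sample_ext[] = { 0x00, 0x0c, 0x02, 0x01, 0x02, 0x03, 0x04, 0x01,
                                      0x05, 0x01, 0x06, 0x01, 0x08, 0x04 };

/* Validate the length prefix and record where the list sits on the wire. */
static int parse_view(const uint8_t *ext, size_t ext_len, struct scheme_view *v) {
    if (ext_len < 4) return -1; /* prefix plus at least one scheme */
    size_t list_len = ((size_t) ext[0] << 8) | ext[1];
    if (list_len != ext_len - 2 || list_len % 2 != 0) return -1;
    v->data = ext + 2;
    v->len = list_len;
    return 0;
}

/* Copying approach: a peer offering more than the cap is rejected outright. */
int copy_schemes(const uint8_t *ext, size_t ext_len, uint16_t *out, size_t *count) {
    struct scheme_view v;
    if (parse_view(ext, ext_len, &v) != 0 || v.len / 2 > FIXED_LIST_MAX) return -1;
    for (size_t i = 0; i < v.len; i += 2) out[i / 2] = (uint16_t) ((v.data[i] << 8) | v.data[i + 1]);
    *count = v.len / 2;
    return 0;
}

/* In-place approach: walk the wire bytes directly; returns 0 if nothing matches. */
uint16_t select_in_place(const uint8_t *ext, size_t ext_len) {
    struct scheme_view v;
    if (parse_view(ext, ext_len, &v) != 0) return 0;
    for (size_t p = 0; p < sizeof(local_prefs) / sizeof(local_prefs[0]); p++)
        for (size_t i = 0; i < v.len; i += 2)
            if (local_prefs[p] == (uint16_t) ((v.data[i] << 8) | v.data[i + 1])) return local_prefs[p];
    return 0;
}

int main(void) {
    uint16_t out[FIXED_LIST_MAX];
    size_t n = 0;
    int rc = copy_schemes(sample_ext, sizeof(sample_ext), out, &n);
    printf("copy rc=%d, in-place choice=0x%04x\n", rc, (unsigned) select_in_place(sample_ext, sizeof(sample_ext)));
}
```

The view only stays usable if the message it points into is kept until selection runs, which is the ordering question raised in the comment above.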