tls13: don't create a new suite in CertificateRequest, fallback to WOLFSSL_SUITES(sa->ssl)

[rizlik]

Description

Currently in CertificateRequest we always create a new SigAlgoHash list with all algorithms enabled.
Avoid creating a new one so we fallback to WOLFSSL_SUITE(ssl) that either use the one in the main context or the one create by wolfSSL_set1_sigalgs_list.

[Copilot]

Pull request overview

Adjusts TLS 1.3 CertificateRequest signature-algorithms handling so wolfSSL_set1_sigalgs_list() is honored (avoiding creation of a new suite buffer), and adds a regression test to validate behavior.

Changes:

• Update TLS 1.3 CertificateRequest extension creation to rely on suite-backed sigalgs rather than generating a fresh list.
• Add a TLS 1.3 test that restricts server sigalgs to RSA-PSS+SHA256 and validates ECC client fails / RSA client succeeds.
• Register the new test in the TLS 1.3 API test declarations.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
tests/api/test_tls13.h	Declares and registers the new TLS 1.3 CertificateRequest sigalgs test.
tests/api/test_tls13.c	Adds a memio-based regression test for TLS 1.3 CertificateRequest honoring wolfSSL_set1_sigalgs_list().
src/tls13.c	Changes CertificateRequest SA extension setup to use suite-backed behavior (size 0 fallback).

Comments suppressed due to low confidence (2)

tests/api/test_tls13.c:3156

• The test zeroes test_ctx and re-calls test_memio_setup() without an explicit teardown of test_ctx. If test_memio_setup() allocates/initializes resources tracked in test_ctx (common for memio helpers), XMEMSET will drop those handles and prevent proper cleanup (leak / fd leak). Call the appropriate memio cleanup/teardown helper for test_ctx before resetting/reusing it (and also at the end of the test).

    wolfSSL_free(ssl_c);    ssl_c = NULL;
    wolfSSL_free(ssl_s);    ssl_s = NULL;
    wolfSSL_CTX_free(ctx_c); ctx_c = NULL;
    wolfSSL_CTX_free(ctx_s); ctx_s = NULL;

    XMEMSET(&test_ctx, 0, sizeof(test_ctx));
    ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
        wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);

src/tls13.c:7806

• The comment says GetSize/Write will fall back to WOLFSSL_SUITES(ssl), but this code path is typically driven off the SignatureAlgorithms object (often WOLFSSL_SUITES(sa->ssl) / suite associated with the extension). Please adjust the comment to match the actual fallback used by the SignatureAlgorithms GetSize/Write implementation to avoid misleading future readers.

    /* Use ssl->suites->hashSigAlgo so wolfSSL_set1_sigalgs_list() is honored.
     * hashSigAlgoSz=0 makes GetSize/Write fall back to WOLFSSL_SUITES(ssl). */
    sa = TLSX_SignatureAlgorithms_New(ssl, 0, ssl->heap);

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[rizlik]

retest this please