Check sigalg security level when selecting them.

ok beck jsing
author: tb <> 2022-06-29 07:55:59 +0000
committer: tb <> 2022-06-29 07:55:59 +0000
commit: e67811d4f85d2856d76caac7ad01420a49024d6d (patch)
tree: dd322685004ac37bb43c4752269306dce91da691
parent: f0d9f479cf05d5da8447d4b12da004d34d2ee9ce (diff)
download: openbsd-e67811d4f85d2856d76caac7ad01420a49024d6d.tar.gz
openbsd-e67811d4f85d2856d76caac7ad01420a49024d6d.tar.bz2
openbsd-e67811d4f85d2856d76caac7ad01420a49024d6d.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index f969e4f551..9c38a076ac 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.44 2022/06/29 07:54:54 tb Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.45 2022/06/29 07:55:59 tb Exp $ */
 /*
 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
@@ -272,6 +272,9 @@ ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level)
 static const struct ssl_sigalg *
 ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey)
 {
+        if (SSL_get_security_level(s) > 1)
+                return NULL;
        /* Default signature algorithms used for TLSv1.2 and earlier. */
        switch (EVP_PKEY_id(pkey)) {
        case EVP_PKEY_RSA:
author	tb <>	2022-06-29 07:55:59 +0000
committer	tb <>	2022-06-29 07:55:59 +0000
commit	e67811d4f85d2856d76caac7ad01420a49024d6d (patch)
tree	dd322685004ac37bb43c4752269306dce91da691
parent	f0d9f479cf05d5da8447d4b12da004d34d2ee9ce (diff)
download	openbsd-e67811d4f85d2856d76caac7ad01420a49024d6d.tar.gz openbsd-e67811d4f85d2856d76caac7ad01420a49024d6d.tar.bz2 openbsd-e67811d4f85d2856d76caac7ad01420a49024d6d.zip