Check the security bits of the sigalgs' pkey

ok beck jsing
author: tb <> 2022-06-29 07:54:54 +0000
committer: tb <> 2022-06-29 07:54:54 +0000
commit: 472f5e84ac7bece4d9d62275c2ed47a9084848b8 (patch)
tree: 451633de94a7ad3d79f72e7da6fb1d5ef3225e4e /src/lib/libssl/ssl_sigalgs.c
parent: a1086276b4c8f8d8939172bf6629c0b903a7ceae (diff)
download: openbsd-472f5e84ac7bece4d9d62275c2ed47a9084848b8.tar.gz
openbsd-472f5e84ac7bece4d9d62275c2ed47a9084848b8.tar.bz2
openbsd-472f5e84ac7bece4d9d62275c2ed47a9084848b8.zip
1 files changed, 7 insertions, 1 deletions
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 8a1b5f5198..f969e4f551 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.43 2022/06/29 07:53:58 tb Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.44 2022/06/29 07:54:54 tb Exp $ */
 /*
 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
@@ -304,6 +304,12 @@ ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
                        return 0;
        }
+#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
+        if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
+            EVP_PKEY_security_bits(pkey), 0, NULL))
+                return 0;
+#endif
        if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
                return 1;
author	tb <>	2022-06-29 07:54:54 +0000
committer	tb <>	2022-06-29 07:54:54 +0000
commit	472f5e84ac7bece4d9d62275c2ed47a9084848b8 (patch)
tree	451633de94a7ad3d79f72e7da6fb1d5ef3225e4e /src/lib/libssl/ssl_sigalgs.c
parent	a1086276b4c8f8d8939172bf6629c0b903a7ceae (diff)
download	openbsd-472f5e84ac7bece4d9d62275c2ed47a9084848b8.tar.gz openbsd-472f5e84ac7bece4d9d62275c2ed47a9084848b8.tar.bz2 openbsd-472f5e84ac7bece4d9d62275c2ed47a9084848b8.zip