summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/lib/libssl/ssl_sigalgs.c11
1 files changed, 6 insertions, 5 deletions
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 619ba57f0d..765f39d4a9 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_sigalgs.c,v 1.36 2021/06/29 19:33:46 jsing Exp $ */ 1/* $OpenBSD: ssl_sigalgs.c,v 1.37 2021/06/29 19:36:14 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
4 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
@@ -277,15 +277,16 @@ ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
277 return 0; 277 return 0;
278 } 278 }
279 279
280 if (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION)
281 return 1;
282
280 /* RSA cannot be used without PSS in TLSv1.3. */ 283 /* RSA cannot be used without PSS in TLSv1.3. */
281 if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION && 284 if (sigalg->key_type == EVP_PKEY_RSA &&
282 sigalg->key_type == EVP_PKEY_RSA &&
283 (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0) 285 (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
284 return 0; 286 return 0;
285 287
286 /* Ensure that curve matches for EC keys. */ 288 /* Ensure that curve matches for EC keys. */
287 if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION && 289 if (pkey->type == EVP_PKEY_EC) {
288 pkey->type == EVP_PKEY_EC) {
289 if (sigalg->curve_nid == 0) 290 if (sigalg->curve_nid == 0)
290 return 0; 291 return 0;
291 if (EC_GROUP_get_curve_name(EC_KEY_get0_group( 292 if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-26 00:23:21 +0000