Diffstat (limited to 'src/lib/libssl/tls13_server.c')
-rw-r--r--src/lib/libssl/tls13_server.c8
1 files changed, 2 insertions, 6 deletions
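diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 733a71f7d1..253c1fc208 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.87 2021/10/25 10:01:46 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.88 2021/10/31 16:37:25 tb Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -557,15 +557,11 @@ tls13_server_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk,
  if (cpk->x509 == NULL || cpk->privatekey == NULL)
  goto done;
 
- if (!X509_check_purpose(cpk->x509, -1, 0))
- return 0;
-
  /*
  * The digitalSignature bit MUST be set if the Key Usage extension is
  * present as per RFC 8446 section 4.4.2.2.
  */
- if ((cpk->x509->ex_flags & EXFLAG_KUSAGE) &&
- !(cpk->x509->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE))
+ if (!(X509_get_key_usage(cpk->x509) & X509v3_KU_DIGITAL_SIGNATURE))
  goto done;
 
  if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL)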
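Review bot: The rewritten check at new-side line 564 no longer shows the "if the Key Usage extension is present" condition that the comment above it still states. It now depends on `X509_get_key_usage()` returning all bits set (`UINT32_MAX`) when the extension is absent, so the comment should say so, for example by adding `* X509_get_key_usage() returns UINT32_MAX when the extension is absent.` The error path also appears to change: the removed `X509_check_purpose()` call failed with `return 0`, whereas a failure while caching extensions inside `X509_get_key_usage()` (if it is reported as 0) now takes `goto done` like an ordinary missing-bit case. The `done:` label and the function's return convention are outside this hunk, so please confirm that treating an unparsable server certificate as merely unsuitable, rather than as an error, is intended.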