From f0d9f479cf05d5da8447d4b12da004d34d2ee9ce Mon Sep 17 00:00:00 2001
From: tb <>
Date: Wed, 29 Jun 2022 07:54:54 +0000
Subject: Check the security bits of the sigalgs' pkey

ok beck jsing
---
 src/lib/libssl/ssl_sigalgs.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 8a1b5f5198..f969e4f551 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.43 2022/06/29 07:53:58 tb Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.44 2022/06/29 07:54:54 tb Exp $ */
 /*
  * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
@@ -304,6 +304,12 @@ ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
 			return 0;
 	}
 
+#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
+	if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
+	    EVP_PKEY_security_bits(pkey), 0, NULL))
+		return 0;
+#endif
+
 	if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
 		return 1;
 
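Review bot: The added `ssl_security()` call passes only `EVP_PKEY_security_bits(pkey)`, with `0` and `NULL` for the remaining arguments, so the check covers the strength of the key but not the digest or the identity of the signature algorithm. A security-level callback cannot tell which sigalg it is being asked about, and a weak hash paired with a strong key would pass here unless it is rejected elsewhere, which the hunk does not show. A short comment above the `#if` would make that scope explicit, for example `/* Key strength only; the sigalg's digest is not considered here. */`. It is also worth confirming that a non-positive return from `EVP_PKEY_security_bits()` (a key type without a security-bits method) is rejected by the level check rather than accepted; that depends on the callback and is not visible here. `ssl_sigalg_pkey_ok()` starts before this hunk and continues after it.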
-- 
cgit v1.2.3-55-g6feb