From 4971137ca5f4d3de0801bec3fdc944bc625b0211 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Wed, 29 Jun 2022 07:53:58 +0000
Subject: Check the security level when building sigalgs

ok beck jsing
---
 src/lib/libssl/ssl_sigalgs.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

(limited to 'src/lib/libssl/ssl_sigalgs.c')

diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 79239ef597..8a1b5f5198 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.42 2022/06/29 07:53:00 tb Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.43 2022/06/29 07:53:58 tb Exp $ */
 /*
  * Copyright (c) 2018-2020 Bob Beck
  * Copyright (c) 2021 Joel Sing
@@ -241,11 +241,13 @@ ssl_sigalg_from_value(SSL *s, uint16_t value)
 }
 
 int
-ssl_sigalgs_build(uint16_t tls_version, CBB *cbb)
+ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level)
 {
+	const struct ssl_sigalg *sigalg;
 	const uint16_t *values;
 	size_t len;
 	size_t i;
+	int ret = 0;
 
 	ssl_sigalgs_for_version(tls_version, &values, &len);
 
@@ -254,12 +256,17 @@ ssl_sigalgs_build(uint16_t tls_version, CBB *cbb)
 		/* Do not allow the legacy value for < 1.2 to be used. */
 		if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1)
 			return 0;
-		if (ssl_sigalg_lookup(values[i]) == NULL)
+		if ((sigalg = ssl_sigalg_lookup(values[i])) == NULL)
 			return 0;
+		if (sigalg->security_level < security_level)
+			continue;
+
 		if (!CBB_add_u16(cbb, values[i]))
 			return 0;
+
+		ret = 1;
 	}
 
-	return 1;
+	return ret;
 }
 
 static const struct ssl_sigalg *
-- 
cgit v1.2.3-55-g6feb
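Review bot: The new `return ret;` in the third hunk makes the case where every algorithm was dropped by the `sigalg->security_level < security_level` check indistinguishable from an unknown sigalg or a failed `CBB_add_u16`, since all three paths now yield 0, and nothing in the hunk records that this is deliberate. That is probably the intended outcome, because an empty signature_algorithms list must not be emitted, but a reader of the `continue` cannot tell a policy result from an encoding error; suggest `/* Skip sigalgs below the security level; if none remain, fail so the caller does not emit an empty list. */` above the `if (sigalg->security_level < security_level)` line. The function's new `security_level` parameter in the second hunk also deserves a one-line comment stating that it is compared against each entry's `security_level` field. The enclosing `for` loop begins outside the third hunk, and since the diffstat lists only this file, the callers that must now pass the third argument are presumably updated in a separate commit — worth confirming.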