From 2084659c33f3dd4553097139197351f79d9931da Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Tue, 29 Jun 2021 19:10:08 +0000
Subject: Move the RSA-PSS check for TLSv1.3 to ssl_sigalg_pkey_ok(). Also, rather than passing in a check_curve flag, pass in the SSL * and handle version checks internally to ssl_sigalg_pkey_ok(), simplifying the callers. ok inoguchi@ tb@
---
 src/lib/libssl/tls13_server.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'src/lib/libssl/tls13_server.c')
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 18cb056755..c3d4ca9bd8 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.81 2021/06/27 19:23:51 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.82 2021/06/29 19:10:08 jsing Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing
 * Copyright (c) 2020 Bob Beck
@@ -994,7 +994,7 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
 goto err;
 if ((pkey = X509_get0_pubkey(cert)) == NULL)
 goto err;
- if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1))
+ if (!ssl_sigalg_pkey_ok(ctx->ssl, sigalg, pkey))
 goto err;
 ctx->hs->peer_sigalg = sigalg;
-- 
cgit v1.2.3-55-g6feb
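Review bot: The new call `ssl_sigalg_pkey_ok(ctx->ssl, sigalg, pkey)` in tls13_client_certificate_verify_recv() no longer shows at the call site that the stricter TLSv1.3 rules are being enforced, because the explicit `1` (check_curve) argument is gone and the version decision is made inside the callee. A short comment above the call would keep that visible, for example `/* TLSv1.3 sigalg rules (RSA-PSS for RSA keys, curve match) are enforced by ssl_sigalg_pkey_ok() via ctx->ssl. */`. The definition of ssl_sigalg_pkey_ok() is not part of this file-limited view, so it is worth confirming there that the check keys off the negotiated version rather than a configured maximum; otherwise a client CertificateVerify on this path could be accepted under pre-1.3 rules. A regression test that presents an RSA PKCS#1 v1.5 or mismatched-curve signature algorithm on this path and expects the handshake to fail would pin the behaviour. The function body starts and continues outside the hunk.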