From 893fd8b877c9005a0b581d00a90b2f6c72a40bc5 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Mon, 1 Apr 2019 02:09:21 +0000
Subject: Correct subtle bug in sigalgs, only care about curve_nid if we are checking the curve. ok jsing@ tb@
---
 src/lib/libssl/ssl_sigalgs.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'src')
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 129ccccfbc..37fdcfa73f 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.19 2019/03/25 17:33:26 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.20 2019/04/01 02:09:21 beck Exp $ */
 /*
 * Copyright (c) 2018-2019 Bob Beck
 *
@@ -244,11 +244,11 @@ ssl_sigalg_pkey_ok(const struct ssl_sigalg *sigalg, EVP_PKEY *pkey,
 return 0;
 }
- if (pkey->type == EVP_PKEY_EC) {
+ if (pkey->type == EVP_PKEY_EC && check_curve) {
+ /* Curve must match for EC keys. */
 if (sigalg->curve_nid == 0)
 return 0;
- /* Curve must match for EC keys. */
- if (check_curve && EC_GROUP_get_curve_name(EC_KEY_get0_group
+ if (EC_GROUP_get_curve_name(EC_KEY_get0_group
 (EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->curve_nid) {
 return 0;
 }
-- 
cgit v1.2.3-55-g6feb
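Review bot: The comment `/* Curve must match for EC keys. */` now sits inside `if (pkey->type == EVP_PKEY_EC && check_curve)`, so it overstates the rule: with check_curve unset, an EC key passes this block with no curve comparison at all, including for a sigalg whose curve_nid is 0. I would word it as `/* When the caller sets check_curve, the key's curve must match the sigalg's curve_nid. */` and note at the function header which callers are expected to set the flag, since in this block it is the only thing tying a key's curve to the signature algorithm. Separately, the chained `EC_GROUP_get_curve_name(EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey)))` call uses each intermediate result without a NULL check; whether a key without a group can reach this point depends on code outside the hunk, so it is worth confirming. ssl_sigalg_pkey_ok begins and ends outside this hunk.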