Check the security bits of the sigalgs' pkey

author tb <tb@openbsd.org>

Wed, 29 Jun 2022 07:54:54 +0000 (07:54 +0000)

committer tb <tb@openbsd.org>

Wed, 29 Jun 2022 07:54:54 +0000 (07:54 +0000)
author tb <tb@openbsd.org>
Wed, 29 Jun 2022 07:54:54 +0000 (07:54 +0000)
committer tb <tb@openbsd.org>
Wed, 29 Jun 2022 07:54:54 +0000 (07:54 +0000)
diff --git a/lib/libssl/ssl_sigalgs.c b/lib/libssl/ssl_sigalgs.c

index 8a1b5f5..f969e4f 100644 (file)
--- a/lib/libssl/ssl_sigalgs.c
+++ b/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.43 2022/06/29 07:53:58 tb Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.44 2022/06/29 07:54:54 tb Exp $ */
  /*
   * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
   * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
@@ -304,6 +304,12 @@ ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
                         return 0;
         }
  
+#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
+       if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
+           EVP_PKEY_security_bits(pkey), 0, NULL))
+               return 0;
+#endif
+
         if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
                 return 1;
author	tb <tb@openbsd.org>
	Wed, 29 Jun 2022 07:54:54 +0000 (07:54 +0000)
committer	tb <tb@openbsd.org>
	Wed, 29 Jun 2022 07:54:54 +0000 (07:54 +0000)