From 9ba7321c0c472f6b49281bc424025c98e6bd21c1 Mon Sep 17 00:00:00 2001
From: tb
Date: Wed, 29 Jun 2022 07:54:54 +0000
Subject: [PATCH] Check the security bits of the sigalgs' pkey

ok beck jsing
---
 lib/libssl/ssl_sigalgs.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/libssl/ssl_sigalgs.c b/lib/libssl/ssl_sigalgs.c
index 8a1b5f51983..f969e4f5515 100644
--- a/lib/libssl/ssl_sigalgs.c
+++ b/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.43 2022/06/29 07:53:58 tb Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.44 2022/06/29 07:54:54 tb Exp $ */
 /*
 * Copyright (c) 2018-2020 Bob Beck
 * Copyright (c) 2021 Joel Sing
@@ -304,6 +304,12 @@ ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
 return 0;
 }
 
+#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
+ if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
+ EVP_PKEY_security_bits(pkey), 0, NULL))
+ return 0;
+#endif
+
 if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
 return 1;
 
-- 
2.20.1
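Review bot: The result of `EVP_PKEY_security_bits(pkey)` in the second hunk is handed to `ssl_security()` unchecked, so a non-positive return (the key type has no security-bits method, or the lookup failed) is forwarded as if it were a strength value. Whether that is rejected then depends entirely on the configured level and callback, which are not visible here. If the intent is to fail closed, an explicit guard such as `if ((bits = EVP_PKEY_security_bits(pkey)) <= 0) return 0;` before the `ssl_security()` call would make that independent of the callback; if it is deliberately left to the callback, a short comment saying so would help. I would also add a comment on the `#if defined(LIBRESSL_HAS_SECURITY_LEVEL)` guard noting that builds without it apply no key-strength check at this point, and that the call passes `0` and `NULL` for the nid and other arguments, so a callback cannot tell which sigalg is being checked. The body of ssl_sigalg_pkey_ok starts and ends outside the hunk, so a `bits` local would have to be declared at the top of the function.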