author | Joel Sing <jsing@cvs.openbsd.org> | 2021-06-29 19:36:15 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2021-06-29 19:36:15 +0000 |
commit | 55e366974cf1a0a46546203dcb75d6ce25cba2a6 (patch) | |
tree | c493628930b2a3061e442c271a96b3254d7ce6bb | |
parent | 63b4625f811adb32a70a487b6480b5bf819d0b1e (diff) |
Pull up and dedup the TLS version check in ssl_sigalg_pkey_ok().
Suggested by tb@
-rw-r--r-- | lib/libssl/ssl_sigalgs.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/lib/libssl/ssl_sigalgs.c b/lib/libssl/ssl_sigalgs.c
index 619ba57f0de..765f39d4a94 100644
--- a/lib/libssl/ssl_sigalgs.c
+++ b/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.36 2021/06/29 19:33:46 jsing Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.37 2021/06/29 19:36:14 jsing Exp $ */
 /*
  * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
@@ -277,15 +277,16 @@ ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
 return 0;
 }
+ if (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION)
+ return 1;
+
 /* RSA cannot be used without PSS in TLSv1.3. */
- if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION &&
- sigalg->key_type == EVP_PKEY_RSA &&
+ if (sigalg->key_type == EVP_PKEY_RSA &&
 (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
 return 0;
 /* Ensure that curve matches for EC keys. */
- if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION &&
- pkey->type == EVP_PKEY_EC) {
+ if (pkey->type == EVP_PKEY_EC) {
 if (sigalg->curve_nid == 0)
 return 0;
 if (EC_GROUP_get_curve_name(EC_KEY_get0_group( |
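Review bot: The new early `return 1` for versions below TLSv1.3 makes every check after it TLSv1.3-only, but nothing at the guard says so. A version-independent check added below it later would be silently skipped for TLSv1.2 and earlier, and the sigalg/key pair would be accepted. I would state the contract on the guard, e.g. `/* All checks below apply to TLSv1.3 only; version-independent checks belong above this return. */`. The two visible checks keep their behaviour, since both were already conditioned on `>= TLS1_3_VERSION`. The body of ssl_sigalg_pkey_ok() starts before and continues past this hunk, so whether anything further down was meant to run for older versions cannot be confirmed from here.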