authorTheo Buehler <tb@cvs.openbsd.org>2022-06-29 07:56:00 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2022-06-29 07:56:00 +0000
commit2dbbb5f9459d0eec9342efa16d940731a1d5d22d (patch)
tree82bca88f2517030a88e9ae9a878f6617cfbfe7b1 /lib
parente2f9e4316365bf163d7d36f496c13192eb8928e8 (diff)
Check sigalg security level when selecting them.
ok beck jsing
Diffstat (limited to 'lib')
-rw-r--r--lib/libssl/ssl_sigalgs.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/libssl/ssl_sigalgs.c b/lib/libssl/ssl_sigalgs.c
index f969e4f5515..9c38a076ac8 100644
--- a/lib/libssl/ssl_sigalgs.c
+++ b/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.44 2022/06/29 07:54:54 tb Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.45 2022/06/29 07:55:59 tb Exp $ */
/*
* Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
* Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
@@ -272,6 +272,9 @@ ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level)
static const struct ssl_sigalg *
ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey)
{
+ if (SSL_get_security_level(s) > 1)
+ return NULL;
+
/* Default signature algorithms used for TLSv1.2 and earlier. */
switch (EVP_PKEY_id(pkey)) {
case EVP_PKEY_RSA:
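Review bot: The threshold in `if (SSL_get_security_level(s) > 1)` is a bare literal with no comment explaining why the legacy defaults stop at level 1; the existing comment below it only says they are the defaults for TLSv1.2 and earlier. A why-comment above the check would help, for example `/* Legacy defaults are SHA-1 based (MD5+SHA-1 for RSA before TLSv1.2); refuse them above security level 1. */`, though that algorithm claim comes from the TLS specifications and not from these lines, so confirm it against the entries the switch returns. If those entries carry their own security level (the hunk header shows `ssl_sigalgs_build()` taking one), comparing against that field after the switch would keep the threshold in one place. The early `return NULL` is a new failure path, so the callers, which are outside this hunk, should treat NULL as a handshake failure; the function body also continues past the last line shown.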