Use the actual NID for provided signature algorithms
authorMatt Caswell <matt@openssl.org>
Tue, 28 Oct 2025 14:53:11 +0000 (14:53 +0000)
committerTomas Mraz <tomas@openssl.org>
Tue, 4 Nov 2025 17:28:27 +0000 (18:28 +0100)
Prior to this change we could confuse the nid used in the pkey with the
nid in the sigalg and mistakenly accept signatures by the wrong algorithm.

Fixes #28762

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29019)

ssl/t1_lib.c

index d965d46498987ad9ba7fe2dd2a0edf3eb840365f..9c63569e74e0615e3a5fccb3cec4d49bdb0118cd 100644 (file)
@@ -2733,9 +2733,17 @@ int tls12_check_peer_sigalg(SSL_CONNECTION *s, uint16_t sig, EVP_PKEY *pkey)
         return 0;
     }
 
-    /* if this sigalg is loaded, set so far unknown pkeyid to its sig NID */
-    if (pkeyid == EVP_PKEY_KEYMGMT)
-        pkeyid = lu->sig;
+    /* If we don't know the pkey nid yet go and find it */
+    if (pkeyid == EVP_PKEY_KEYMGMT) {
+        const SSL_CERT_LOOKUP *scl =
+            ssl_cert_lookup_by_pkey(pkey, NULL, SSL_CONNECTION_GET_CTX(s));
+
+        if (scl == NULL) {
+            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE);
+            return 0;
+        }
+        pkeyid = scl->pkey_nid;
+    }
 
     /* Should never happen */
     if (pkeyid == -1) {
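Review bot: The new comment on the `EVP_PKEY_KEYMGMT` branch says what the code does but not why the NID must come from the key, which is the security-relevant part of this fix. Per the commit message, taking it from `lu->sig` let the pkey NID and the sigalg NID be confused, so a later refactor that restores that shortcut would silently bring back acceptance of signatures made with the wrong algorithm. I would word it as `/* Resolve the NID from the peer key itself, never from lu->sig: copying the sigalg NID makes any later key/sigalg comparison pass trivially. */`. The comparison is presumably further down in tls12_check_peer_sigalg, whose body starts and ends outside this hunk, so the wording should be confirmed against it.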