From: Matt Caswell Date: Tue, 28 Oct 2025 14:53:11 +0000 (+0000) Subject: Use the actual NID for provided signature algorithms X-Git-Tag: 4.0-PRE-CLANG-FORMAT-WEBKIT~251 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cbfc8cc3dc4f2b437f4dd65a266c9f8ff4cd5781;p=thirdparty%2Fopenssl.git Use the actual NID for provided signature algorithms Prior to this change we could confuse the nid used in the pkey with the nid in the sigalg and mistakenly accept signatures by the wrong algorithm. Fixes #28762 Reviewed-by: Tim Hudson Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/29019) --- diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index d965d464989..9c63569e74e 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2733,9 +2733,17 @@ int tls12_check_peer_sigalg(SSL_CONNECTION *s, uint16_t sig, EVP_PKEY *pkey) return 0; } - /* if this sigalg is loaded, set so far unknown pkeyid to its sig NID */ - if (pkeyid == EVP_PKEY_KEYMGMT) - pkeyid = lu->sig; + /* If we don't know the pkey nid yet go and find it */ + if (pkeyid == EVP_PKEY_KEYMGMT) { + const SSL_CERT_LOOKUP *scl = + ssl_cert_lookup_by_pkey(pkey, NULL, SSL_CONNECTION_GET_CTX(s)); + + if (scl == NULL) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); + return 0; + } + pkeyid = scl->pkey_nid; + } /* Should never happen */ if (pkeyid == -1) {
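Review bot: the new comment in the `pkeyid == EVP_PKEY_KEYMGMT` branch of `tls12_check_peer_sigalg()` ("If we don't know the pkey nid yet go and find it") says what the code does but not why the removed shortcut `pkeyid = lu->sig;` was unsafe. The commit message has the reason: taking the nid from the sigalg rather than from the key lets the nid in the pkey be confused with the nid in the sigalg, so a signature by the wrong algorithm can be accepted. I would put one sentence to that effect in the comment, so the assignment from `lu->sig` is not reintroduced later as a simplification. Two smaller points. The `scl == NULL` path reports `SSL_R_WRONG_SIGNATURE_TYPE`, although what failed at that point is `ssl_cert_lookup_by_pkey()` finding no entry for the peer's key; a short comment saying that an unrecognised key type is deliberately treated as a signature type mismatch would make the choice of reason code clear to someone debugging a handshake failure. And the diff as shown touches only `ssl/t1_lib.c`: a regression test for #28762, in which a peer key handled through the `EVP_PKEY_KEYMGMT` path is paired with a sigalg whose `lu->sig` differs from the key's `pkey_nid` and the handshake is expected to fail, would keep this check from regressing.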