From: Matt Caswell Date: Tue, 28 Oct 2025 14:53:11 +0000 (+0000) Subject: Use the actual NID for provided signature algorithms X-Git-Tag: 3.6-PRE-CLANG-FORMAT-WEBKIT~84 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d5b888aae91f5951ce69829675efb80ba2ac08a0;p=thirdparty%2Fopenssl.git Use the actual NID for provided signature algorithms Prior to this change we could confuse the nid used in the pkey with the nid in the sigalg and mistakenly accept signatures by the wrong algorithm. Fixes #28762 Reviewed-by: Tim Hudson Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/29019) (cherry picked from commit cbfc8cc3dc4f2b437f4dd65a266c9f8ff4cd5781) --- diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index e7c9f546a80..ee9eb656787 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2733,9 +2733,17 @@ int tls12_check_peer_sigalg(SSL_CONNECTION *s, uint16_t sig, EVP_PKEY *pkey) return 0; } - /* if this sigalg is loaded, set so far unknown pkeyid to its sig NID */ - if (pkeyid == EVP_PKEY_KEYMGMT) - pkeyid = lu->sig; + /* If we don't know the pkey nid yet go and find it */ + if (pkeyid == EVP_PKEY_KEYMGMT) { + const SSL_CERT_LOOKUP *scl = + ssl_cert_lookup_by_pkey(pkey, NULL, SSL_CONNECTION_GET_CTX(s)); + + if (scl == NULL) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); + return 0; + } + pkeyid = scl->pkey_nid; + } /* Should never happen */ if (pkeyid == -1) {
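Review bot: In the new `if (pkeyid == EVP_PKEY_KEYMGMT)` block, the `scl == NULL` branch raises SSL_R_WRONG_SIGNATURE_TYPE, but what failed at that point is the ssl_cert_lookup_by_pkey() lookup for the peer key, not a comparison between the key and the sigalg. A one-line comment there saying that an unrecognised provided key is deliberately rejected as a wrong signature type would make the alert easier to trace. The replaced comment also no longer says that `pkeyid` was previously taken from `lu->sig`, which is the confusion the commit message describes; worth keeping that reasoning in the comment so the assignment `pkeyid = scl->pkey_nid;` is not "simplified" back later. The diff shown touches only ssl/t1_lib.c, so nothing here exercises the fixed path. Suggest a regression test that presents a provided key together with a sigalg whose `lu->sig` does not match the key's `pkey_nid` and asserts that tls12_check_peer_sigalg() rejects it.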