Check that the public key OID matches the sig alg

Using the rsa_pss_rsae_sha256 sig alg should imply that the key OID is rsaEncryption. Similarly rsa_pss_pss_sha256 implies the key OID is rsassaPss. However we did not check this and incorrectly tolerated a key OID that did not match the sig alg sent by the peer. Fixes #6611 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6732)
author: Matt Caswell <matt@openssl.org> 2018-07-17 16:31:07 +0100
committer: Matt Caswell <matt@openssl.org> 2018-07-18 09:58:56 +0100
commit: 11d2641f96ead76deb5b8fac638a3ad36a971a66 (patch)
tree: 7268fce6dcd0dd6f6993d746cc46045323a301e3 /ssl/ssl_locl.h
parent: 1a50eedf2a1fbb1e0e009ad616d8be678e4c6340 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index b38052f614..e7258d439a 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2288,6 +2288,7 @@ __owur int ssl_security(const SSL *s, int op, int bits, int nid, void *other);
 __owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid,
                             void *other);
 
+__owur int ssl_cert_lookup_by_nid(int nid, size_t *pidx);
 __owur const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk,
                                                       size_t *pidx);
 __owur const SSL_CERT_LOOKUP *ssl_cert_lookup_by_idx(size_t idx);
author	Matt Caswell <matt@openssl.org>	2018-07-17 16:31:07 +0100
committer	Matt Caswell <matt@openssl.org>	2018-07-18 09:58:56 +0100
commit	11d2641f96ead76deb5b8fac638a3ad36a971a66 (patch)
tree	7268fce6dcd0dd6f6993d746cc46045323a301e3 /ssl/ssl_locl.h
parent	1a50eedf2a1fbb1e0e009ad616d8be678e4c6340 (diff)