Require custom private keys to specify curve in 1.3.

If someone is still using EVP_PKEY_EC (I really should get on converting Chromium...), don't silently skip the curve match check in TLS 1.3, otherwise it may work on accident. Refuse to sign anything so this gets caught. Change-Id: I4ea46efb0b8f31a656771b9d2e5f882bba64eb99 Reviewed-on: https://boringssl-review.googlesource.com/11244 CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
author: David Benjamin <davidben@google.com> 2016-09-23 21:49:42 +0300
committer: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> 2016-09-26 20:22:48 +0300
commit: 04fe9013c43832b7d5fb89e93094f6e086d5dbc2 (patch)
tree: 659f011efaecac9d13f8e005a44504ce04b56ca5
parent: 65ac997f20cb83eb6c7edd6712be63fe1d0f466f (diff)
1 files changed, 1 insertions, 2 deletions
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index a5f15f45..6f8ceae3 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -763,8 +763,7 @@ int ssl_private_key_supports_signature_algorithm(SSL *ssl,
       return 1;
     }
 
-    /* TODO(davidben): Remove support for EVP_PKEY_EC keys. */
-    return curve != NID_undef && (type == EVP_PKEY_EC || type == curve);
+    return curve != NID_undef && type == curve;
   }
 
   if (is_rsa_pss(&md, signature_algorithm)) {
author	David Benjamin <davidben@google.com>	2016-09-23 21:49:42 +0300
committer	CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>	2016-09-26 20:22:48 +0300
commit	04fe9013c43832b7d5fb89e93094f6e086d5dbc2 (patch)
tree	659f011efaecac9d13f8e005a44504ce04b56ca5
parent	65ac997f20cb83eb6c7edd6712be63fe1d0f466f (diff)