author | David Benjamin <davidben@google.com> | 2016-09-23 21:49:42 +0300 |
---|---|---|
committer | CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> | 2016-09-26 20:22:48 +0300 |
commit | 04fe9013c43832b7d5fb89e93094f6e086d5dbc2 (patch) | |
tree | 659f011efaecac9d13f8e005a44504ce04b56ca5 | |
parent | 65ac997f20cb83eb6c7edd6712be63fe1d0f466f (diff) |
Require custom private keys to specify curve in 1.3.
If someone is still using EVP_PKEY_EC (I really should get on converting
Chromium...), don't silently skip the curve match check in TLS 1.3,
otherwise it may work on accident. Refuse to sign anything so this gets
caught.
Change-Id: I4ea46efb0b8f31a656771b9d2e5f882bba64eb99
Reviewed-on: https://boringssl-review.googlesource.com/11244
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
-rw-r--r-- | ssl/ssl_rsa.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index a5f15f45..6f8ceae3 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -763,8 +763,7 @@ int ssl_private_key_supports_signature_algorithm(SSL *ssl, return 1; } - /* TODO(davidben): Remove support for EVP_PKEY_EC keys. */ - return curve != NID_undef && (type == EVP_PKEY_EC || type == curve); + return curve != NID_undef && type == curve; } if (is_rsa_pss(&md, signature_algorithm)) { |
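Review bot: in `ssl_private_key_supports_signature_algorithm`, the new `return curve != NID_undef && type == curve;` refuses a key whose type is `EVP_PKEY_EC` with the same plain 0 as a genuine curve mismatch, and the removed TODO was the only line here that mentioned the `EVP_PKEY_EC` case at all. Please add a short comment above the return saying that the key's type must equal the curve NID and that `EVP_PKEY_EC` is deliberately no longer accepted, so someone debugging a refused signature can see the cause from the code. The diffstat shows only ssl/ssl_rsa.c changing; a test in which a key reporting `EVP_PKEY_EC` is rejected on this path would keep the stricter check from regressing.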