Move the key type check from tls12_check_peer_sigalg to ssl_verify_*.

ssl_verify_* already ought to be checking this, so there's only a need
to check against the configured preferences.

Change-Id: I79bc771969c57f953278e622084641e6e20108e3
Reviewed-on: https://boringssl-review.googlesource.com/8698
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 2e0c227..0d35750 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -518,20 +518,10 @@
          sizeof(kDefaultSignatureAlgorithms[0]);
 }
 
-static int tls12_get_pkey_type(uint16_t sigalg);
-
-int tls12_check_peer_sigalg(SSL *ssl, int *out_alert,
-                            uint16_t sigalg, EVP_PKEY *pkey) {
+int tls12_check_peer_sigalg(SSL *ssl, int *out_alert, uint16_t sigalg) {
   const uint16_t *sent_sigs;
   size_t sent_sigslen, i;
 
-  /* Check key type is consistent with signature */
-  if (pkey->type != tls12_get_pkey_type(sigalg)) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
-    *out_alert = SSL_AD_ILLEGAL_PARAMETER;
-    return 0;
-  }
-
   /* Check signature matches a type we sent */
   sent_sigslen = tls12_get_psigalgs(ssl, &sent_sigs);
   for (i = 0; i < sent_sigslen; i++) {
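Review bot: With the `pkey->type` comparison removed, tls12_check_peer_sigalg no longer ties `sigalg` to the peer's key, and the new three-argument signature gives a reader no hint that this is now someone else's job. I would document the narrower contract above the function, e.g. `/* Checks only that |sigalg| is one of the signature algorithms we advertised; the caller must verify the signature with the same |sigalg| so that a key type mismatch is rejected. */`. The ssl_verify_* side is not part of this hunk, so it cannot be confirmed from here that every caller rejects an RSA/ECDSA mismatch; a regression test that offers a signature algorithm inconsistent with the certificate key would pin that down. The alert sent for such a mismatch may also differ from the `SSL_AD_ILLEGAL_PARAMETER` this function used to set, which is worth checking if peers or tests depend on it. The function body continues past the end of the hunk.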