X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=ssl%2Ft1_lib.c;fp=ssl%2Ft1_lib.c;h=156497988a622e3484fbca499fe307dbbcf9f2ec;hb=b8fef8ee929a8775262cb4371f62c35f7058dbed;hp=ca05a3a55a4205970384df34ebd319faaef12fd7;hpb=8614a4eb4ae8e38c3f5064113eb571aa8ca6b272;p=openssl.git
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index ca05a3a55a..156497988a 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2473,7 +2473,10 @@ static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu)
 const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx);
 /* If not recognised or not supported by cipher mask it is not suitable */
- if (clu == NULL || !(clu->amask & s->s3->tmp.new_cipher->algorithm_auth))
+ if (clu == NULL
+ || (clu->amask & s->s3->tmp.new_cipher->algorithm_auth) == 0
+ || (clu->nid == EVP_PKEY_RSA_PSS
+ && (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kRSA) != 0))
 return -1;
 return s->s3->tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1;
@@ -2643,8 +2646,9 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
 if (i == s->cert->shared_sigalgslen) {
 if (!fatalerrs)
 return 1;
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
- ERR_R_INTERNAL_ERROR);
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
+ SSL_F_TLS_CHOOSE_SIGALG,
+ SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
 return 0;
 }
 } else {
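Review bot: The comment above the condition in tls12_get_cert_sigalg_idx still reads only "not recognised or not supported by cipher mask", so the new third clause (`clu->nid == EVP_PKEY_RSA_PSS` combined with `algorithm_mkey & SSL_kRSA`) is left undocumented. The clause presumably exists because an RSA-PSS key is restricted to signing and cannot decrypt the premaster secret in an RSA key-exchange ciphersuite; recording that keeps a later cleanup from removing the check as redundant. I would extend the comment to `/* If not recognised, not supported by cipher mask, or an RSA-PSS cert offered for RSA key exchange, it is not suitable */`. The function's opening lines are outside the hunk.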
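Review bot: The new SSLfatal call in tls_choose_sigalg carries no comment explaining why reaching `i == s->cert->shared_sigalgslen` is a negotiation failure rather than an internal fault, which is the reason for the alert change. A one-line comment above the call, such as `/* No shared sigalg has a usable certificate: negotiation failure */`, would record that. Anyone matching on alerts or error codes in logs will now see handshake_failure with SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM on this path instead of internal_error, so a changelog entry is worth adding if the commit does not already have one elsewhere. tls_choose_sigalg starts and ends outside the hunk.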