if (SSL_IS_TLS13(s)) {
/* For TLS 1.3 check curve matches signature algorithm */
- if (curve != lu->curve) {
+ if (lu->curve != NID_undef && curve != lu->curve) {
SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
return 0;
}
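Review bot: In the TLS 1.3 branch, the added `lu->curve != NID_undef &&` guard skips the curve binding for every signature-algorithm entry that carries no curve, not only the one this change is presumably aimed at. If the lookup table contains ECDSA entries with `curve == NID_undef` (the table is not visible here), such an entry paired with an EC key on any curve would now pass this check, so those entries need to be rejected for TLS 1.3 before this point. I would add a comment above the condition, for example `/* NID_undef: sigalg is not bound to a curve; legacy ECDSA entries must already be rejected for TLS 1.3 */`. The same guard is added before the `continue` in the later sigalg-selection hunk. The enclosing function starts and ends outside this hunk.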
else
dh_secbits = 80;
} else {
- CERT_PKEY *cpk;
- if (s->s3->tmp.cert_idx == -1)
+ if (s->s3->tmp.cert == NULL)
return NULL;
- cpk = &s->cert->pkeys[s->s3->tmp.cert_idx];
- dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
+ dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
}
if (dh_secbits >= 128) {
curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
}
- if (curve != lu->curve)
+ if (lu->curve != NID_undef && curve != lu->curve)
continue;
#else
continue;
idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
/* If no certificate for ciphersuite return */
if (idx == -1) {
- s->s3->tmp.cert_idx = -1;
+ s->s3->tmp.cert = NULL;
s->s3->tmp.sigalg = NULL;
return 1;
}
}
}
}
- s->s3->tmp.cert_idx = idx;
+ s->s3->tmp.cert = &s->cert->pkeys[idx];
s->s3->tmp.sigalg = lu;
return 1;
}
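Review bot: `s->s3->tmp.cert` now stores a pointer into `s->cert->pkeys` instead of an index, so its validity depends on `s->cert` not being replaced or freed while the handshake state still refers to it. Nothing in the visible hunks clears `tmp.cert` when the certificate structure changes. If some path swaps `s->cert` after the sigalg is chosen (not visible here), the later read `s->s3->tmp.cert->privatekey` would touch freed memory, whereas the old index would only have selected a slot in the new array. I would document the lifetime at the assignment, e.g. `/* points into s->cert->pkeys; must be reset if s->cert is replaced */`, and confirm that `idx` cannot be negative here, since the visible `idx == -1` test appears to cover only one branch. The function body begins outside this hunk.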