diff options
| author | Alex Bozarth <ajbozart@us.ibm.com> | 2023-11-20 15:20:31 -0600 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2024-04-03 16:46:33 +0200 |
| commit | 73030db670c80c399346d88d5f0f28d9a38f6613 (patch) | |
| tree | d9ea2e2366af9b27a507bf7e8e8961acff08f673 | |
| parent | 12977315bd904036c3cd4dc0e516e0886eebb934 (diff) | |
Allow provider sigalgs in SignatureAlgorithms conf
Though support for provider-based signature algorithms was added in
ee58915 this functionality did not work with the SignatureAlgorithms
configuration command. If SignatureAlgorithms is set then the provider
sigalgs are not used and instead it used the default value.
This PR adds a check against the provider-base sigalg list when parsing
the SignatureAlgorithms value.
Based-on-patch-by: Martin Schmatz <mrt@zurich.ibm.com>
Fixes #22761
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/22779)
(cherry picked from commit 4169d58c855718d90424fd5da632cf2f2b46e691)
| -rw-r--r-- | ssl/s3_lib.c | 8 | ||||
| -rw-r--r-- | ssl/ssl_lib.c | 2 | ||||
| -rw-r--r-- | ssl/ssl_local.h | 2 | ||||
| -rw-r--r-- | ssl/t1_lib.c | 40 |
4 files changed, 37 insertions, 15 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index e8ec98c221..48a1aa0e61 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3685,13 +3685,13 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return tls1_set_sigalgs(sc->cert, parg, larg, 0); case SSL_CTRL_SET_SIGALGS_LIST: - return tls1_set_sigalgs_list(sc->cert, parg, 0); + return tls1_set_sigalgs_list(s->ctx, sc->cert, parg, 0); case SSL_CTRL_SET_CLIENT_SIGALGS: return tls1_set_sigalgs(sc->cert, parg, larg, 1); case SSL_CTRL_SET_CLIENT_SIGALGS_LIST: - return tls1_set_sigalgs_list(sc->cert, parg, 1); + return tls1_set_sigalgs_list(s->ctx, sc->cert, parg, 1); case SSL_CTRL_GET_CLIENT_CERT_TYPES: { @@ -3968,13 +3968,13 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return tls1_set_sigalgs(ctx->cert, parg, larg, 0); case SSL_CTRL_SET_SIGALGS_LIST: - return tls1_set_sigalgs_list(ctx->cert, parg, 0); + return tls1_set_sigalgs_list(ctx, ctx->cert, parg, 0); case SSL_CTRL_SET_CLIENT_SIGALGS: return tls1_set_sigalgs(ctx->cert, parg, larg, 1); case SSL_CTRL_SET_CLIENT_SIGALGS_LIST: - return tls1_set_sigalgs_list(ctx->cert, parg, 1); + return tls1_set_sigalgs_list(ctx, ctx->cert, parg, 1); case SSL_CTRL_SET_CLIENT_CERT_TYPES: return ssl3_set_req_cert_type(ctx->cert, parg, larg); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 26cae27dae..4afb43bc86 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -3049,7 +3049,7 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return tls1_set_groups_list(ctx, NULL, NULL, parg); case SSL_CTRL_SET_SIGALGS_LIST: case SSL_CTRL_SET_CLIENT_SIGALGS_LIST: - return tls1_set_sigalgs_list(NULL, parg, 0); + return tls1_set_sigalgs_list(ctx, NULL, parg, 0); default: return 0; } diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 0d3acfbe66..a73b2c4770 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -2796,7 +2796,7 @@ __owur int tls_use_ticket(SSL_CONNECTION *s); void ssl_set_sig_mask(uint32_t *pmask_a, SSL_CONNECTION *s, int op); -__owur int tls1_set_sigalgs_list(CERT *c, const char *str, int client); +__owur int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client); __owur int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen, int client); __owur int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen, diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 50ce400e64..b78e0e7823 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -714,6 +714,7 @@ int ssl_load_sigalgs(SSL_CTX *ctx) /* now populate ctx->ssl_cert_info */ if (ctx->sigalg_list_len > 0) { + OPENSSL_free(ctx->ssl_cert_info); ctx->ssl_cert_info = OPENSSL_zalloc(sizeof(lu) * ctx->sigalg_list_len); if (ctx->ssl_cert_info == NULL) return 0; @@ -2851,6 +2852,7 @@ typedef struct { size_t sigalgcnt; /* TLSEXT_SIGALG_XXX values */ uint16_t sigalgs[TLS_MAX_SIGALGCNT]; + SSL_CTX *ctx; } sig_cb_st; static void get_sigorhash(int *psig, int *phash, const char *str) @@ -2875,7 +2877,7 @@ static void get_sigorhash(int *psig, int *phash, const char *str) static int sig_cb(const char *elem, int len, void *arg) { sig_cb_st *sarg = arg; - size_t i; + size_t i = 0; const SIGALG_LOOKUP *s; char etmp[TLS_MAX_SIGSTRING_LEN], *p; int sig_alg = NID_undef, hash_alg = NID_undef; @@ -2898,15 +2900,31 @@ static int sig_cb(const char *elem, int len, void *arg) * in the table. */ if (p == NULL) { - for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); - i++, s++) { - if (s->name != NULL && strcmp(etmp, s->name) == 0) { - sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; - break; + /* Load provider sigalgs */ + if (sarg->ctx != NULL) { + /* Check if a provider supports the sigalg */ + for (i = 0; i < sarg->ctx->sigalg_list_len; i++) { + if (sarg->ctx->sigalg_list[i].sigalg_name != NULL + && strcmp(etmp, + sarg->ctx->sigalg_list[i].sigalg_name) == 0) { + sarg->sigalgs[sarg->sigalgcnt++] = + sarg->ctx->sigalg_list[i].code_point; + break; + } } } - if (i == OSSL_NELEM(sigalg_lookup_tbl)) - return 0; + /* Check the built-in sigalgs */ + if (sarg->ctx == NULL || i == sarg->ctx->sigalg_list_len) { + for (i = 0, s = sigalg_lookup_tbl; + i < OSSL_NELEM(sigalg_lookup_tbl); i++, s++) { + if (s->name != NULL && strcmp(etmp, s->name) == 0) { + sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; + break; + } + } + if (i == OSSL_NELEM(sigalg_lookup_tbl)) + return 0; + } } else { *p = 0; p++; @@ -2941,10 +2959,14 @@ static int sig_cb(const char *elem, int len, void *arg) * Set supported signature algorithms based on a colon separated list of the * form sig+hash e.g. RSA+SHA512:DSA+SHA512 */ -int tls1_set_sigalgs_list(CERT *c, const char *str, int client) +int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client) { sig_cb_st sig; sig.sigalgcnt = 0; + + if (ctx != NULL && ssl_load_sigalgs(ctx)) { + sig.ctx = ctx; + } if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) return 0; if (c == NULL) |