authorAlex Bozarth <ajbozart@us.ibm.com>2023-11-20 15:20:31 -0600
committerTomas Mraz <tomas@openssl.org>2024-04-03 16:46:33 +0200
commit73030db670c80c399346d88d5f0f28d9a38f6613 (patch)
treed9ea2e2366af9b27a507bf7e8e8961acff08f673 /ssl/t1_lib.c
parent12977315bd904036c3cd4dc0e516e0886eebb934 (diff)
Allow provider sigalgs in SignatureAlgorithms conf
Though support for provider-based signature algorithms was added in ee58915, this functionality did not work with the SignatureAlgorithms configuration command. If SignatureAlgorithms is set then the provider sigalgs are not used and instead the default value is used. This PR adds a check against the provider-based sigalg list when parsing the SignatureAlgorithms value. Based-on-patch-by: Martin Schmatz <mrt@zurich.ibm.com> Fixes #22761 Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/22779) (cherry picked from commit 4169d58c855718d90424fd5da632cf2f2b46e691)
Diffstat (limited to 'ssl/t1_lib.c')
-rw-r--r--ssl/t1_lib.c40
1 files changed, 31 insertions, 9 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 50ce400e64..b78e0e7823 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -714,6 +714,7 @@ int ssl_load_sigalgs(SSL_CTX *ctx)
/* now populate ctx->ssl_cert_info */
if (ctx->sigalg_list_len > 0) {
+ OPENSSL_free(ctx->ssl_cert_info);
ctx->ssl_cert_info = OPENSSL_zalloc(sizeof(lu) * ctx->sigalg_list_len);
if (ctx->ssl_cert_info == NULL)
return 0;
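Review bot: The new OPENSSL_free() of ctx->ssl_cert_info has no comment saying why a load function now frees; since ssl_load_sigalgs is called from tls1_set_sigalgs_list in this same commit, i.e. on every SignatureAlgorithms configuration, a line such as `/* Callable repeatedly (see tls1_set_sigalgs_list); drop any table built by an earlier call */` above it would make the re-entry contract explicit. Whether the earlier part of ssl_load_sigalgs, which lies outside this hunk, equally avoids re-appending to ctx->sigalg_list on a second call cannot be seen here and should be confirmed, otherwise sigalg_list_len grows on each call while the table is rebuilt. Note also that when the zalloc fails the ctx is left with sigalg_list_len > 0 but ssl_cert_info == NULL (pre-existing behaviour), so any code indexing ssl_cert_info up to sigalg_list_len must tolerate that. The body of ssl_load_sigalgs continues beyond the hunk.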
@@ -2851,6 +2852,7 @@ typedef struct {
size_t sigalgcnt;
/* TLSEXT_SIGALG_XXX values */
uint16_t sigalgs[TLS_MAX_SIGALGCNT];
+ SSL_CTX *ctx;
} sig_cb_st;
static void get_sigorhash(int *psig, int *phash, const char *str)
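Review bot: The new `ctx` member is the only field of sig_cb_st without a comment, while the neighbouring `sigalgs` field carries one, and sig_cb later relies on a NULL-means-built-ins-only convention for it that is stated nowhere. Add `/* Context whose provider-loaded sigalgs are also accepted; NULL: built-in table only */` above the member so the convention lives at the definition. The struct's opening line is outside the hunk.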
@@ -2875,7 +2877,7 @@ static void get_sigorhash(int *psig, int *phash, const char *str)
static int sig_cb(const char *elem, int len, void *arg)
{
sig_cb_st *sarg = arg;
- size_t i;
+ size_t i = 0;
const SIGALG_LOOKUP *s;
char etmp[TLS_MAX_SIGSTRING_LEN], *p;
int sig_alg = NID_undef, hash_alg = NID_undef;
@@ -2898,15 +2900,31 @@ static int sig_cb(const char *elem, int len, void *arg)
* in the table.
*/
if (p == NULL) {
- for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
- i++, s++) {
- if (s->name != NULL && strcmp(etmp, s->name) == 0) {
- sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
- break;
+ /* Load provider sigalgs */
+ if (sarg->ctx != NULL) {
+ /* Check if a provider supports the sigalg */
+ for (i = 0; i < sarg->ctx->sigalg_list_len; i++) {
+ if (sarg->ctx->sigalg_list[i].sigalg_name != NULL
+ && strcmp(etmp,
+ sarg->ctx->sigalg_list[i].sigalg_name) == 0) {
+ sarg->sigalgs[sarg->sigalgcnt++] =
+ sarg->ctx->sigalg_list[i].code_point;
+ break;
+ }
}
}
- if (i == OSSL_NELEM(sigalg_lookup_tbl))
- return 0;
+ /* Check the built-in sigalgs */
+ if (sarg->ctx == NULL || i == sarg->ctx->sigalg_list_len) {
+ for (i = 0, s = sigalg_lookup_tbl;
+ i < OSSL_NELEM(sigalg_lookup_tbl); i++, s++) {
+ if (s->name != NULL && strcmp(etmp, s->name) == 0) {
+ sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
+ break;
+ }
+ }
+ if (i == OSSL_NELEM(sigalg_lookup_tbl))
+ return 0;
+ }
} else {
*p = 0;
p++;
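Review bot: The "not found in provider list" condition `i == sarg->ctx->sigalg_list_len` depends on `i` keeping its loop-exit value and on the `size_t i = 0` initialisation in the earlier hunk, which makes the control flow fragile; an explicit `int found = 0;` set inside the provider loop and a test of `if (!found)` before the built-in loop would state the intent directly and would also let the final `return 0` become `if (!found) return 0;` instead of a second sentinel comparison. Because the provider list is consulted first, a provider entry whose sigalg_name equals a built-in name now takes precedence and its code_point is used instead of the table's; if that shadowing is intended, it deserves a comment at `/* Load provider sigalgs */`. Both loops append to sarg->sigalgs without a bound check against TLS_MAX_SIGALGCNT; I believe sig_cb rejects a full array earlier in the function, outside this hunk, and that should be confirmed since the provider loop is a new writer.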
@@ -2941,10 +2959,14 @@ static int sig_cb(const char *elem, int len, void *arg)
* Set supported signature algorithms based on a colon separated list of the
* form sig+hash e.g. RSA+SHA512:DSA+SHA512
*/
-int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
+int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client)
{
sig_cb_st sig;
sig.sigalgcnt = 0;
+
+ if (ctx != NULL && ssl_load_sigalgs(ctx)) {
+ sig.ctx = ctx;
+ }
if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
return 0;
if (c == NULL)
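Review bot: `sig.ctx` is only assigned when `ctx != NULL && ssl_load_sigalgs(ctx)` holds, yet `sig` is a plain stack struct with only `sigalgcnt` set, so in every other case sig_cb reads an uninitialised pointer in its `sarg->ctx != NULL` test; that is undefined behaviour and can make the provider branch dereference garbage. Initialise the whole struct, `sig_cb_st sig = { 0 };` (or add `sig.ctx = NULL;` before the condition), which also removes the need for the separate `sig.sigalgcnt = 0;`. The header comment above the function should be extended for the new first parameter, e.g. `ctx may be NULL; when given, sigalgs loaded from providers via ssl_load_sigalgs() are accepted in addition to the built-in table`, and it is worth stating there that a failing ssl_load_sigalgs() is silently downgraded to built-ins only rather than reported.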