diff options
author | Tomas Mraz <tomas@openssl.org> | 2023-12-14 17:08:56 +0100 |
---|---|---|
committer | Dmitry Belyavskiy <beldmit@gmail.com> | 2024-03-06 10:42:05 +0100 |
commit | 10f65f7282d07c308cba5e26488bc504f56abc8a (patch) | |
tree | 32e26a8cb16dbf03e66fd16695e9bb8ad959bb45 /ssl | |
parent | d6d9277b2e61a99aaa01a6c1f89ceb10a1422249 (diff) |
Allow ignoring unknown sigalgs and groups in the configuration
Related to #20789
Signature algorithms and groups in the configuration that are
preceded with ? character and are unknown to libssl are just ignored.
The handling for them is similar to handling of ciphers.
I.e., there should be a failure only in case the configuration produces
no valid sigalgs or groups.
Also ignore duplicate sigalgs and groups as such confiuration errors
should not be fatal.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23050)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/t1_lib.c | 56 |
1 files changed, 43 insertions, 13 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index ed40f1091b..bfe6331aae 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1044,9 +1044,15 @@ static int gid_cb(const char *elem, int len, void *arg) size_t i; uint16_t gid = 0; char etmp[GROUP_NAME_BUFFER_LENGTH]; + int ignore_unknown = 0; if (elem == NULL) return 0; + if (elem[0] == '?') { + ignore_unknown = 1; + ++elem; + --len; + } if (garg->gidcnt == garg->gidmax) { uint16_t *tmp = OPENSSL_realloc(garg->gid_arr, @@ -1063,13 +1069,14 @@ static int gid_cb(const char *elem, int len, void *arg) gid = tls1_group_name2id(garg->ctx, etmp); if (gid == 0) { - ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, - "group '%s' cannot be set", etmp); - return 0; + /* Unknown group - ignore, if ignore_unknown */ + return ignore_unknown; } for (i = 0; i < garg->gidcnt; i++) - if (garg->gid_arr[i] == gid) - return 0; + if (garg->gid_arr[i] == gid) { + /* Duplicate group - ignore */ + return 1; + } garg->gid_arr[garg->gidcnt++] = gid; return 1; } @@ -1090,6 +1097,11 @@ int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen, gcb.ctx = ctx; if (!CONF_parse_list(str, ':', 1, gid_cb, &gcb)) goto end; + if (gcb.gidcnt == 0) { + ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, + "No valid groups in '%s'", str); + goto end; + } if (pext == NULL) { ret = 1; goto end; @@ -2870,8 +2882,15 @@ static int sig_cb(const char *elem, int len, void *arg) const SIGALG_LOOKUP *s; char etmp[TLS_MAX_SIGSTRING_LEN], *p; int sig_alg = NID_undef, hash_alg = NID_undef; + int ignore_unknown = 0; + if (elem == NULL) return 0; + if (elem[0] == '?') { + ignore_unknown = 1; + ++elem; + --len; + } if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT) return 0; if (len > (int)(sizeof(etmp) - 1)) @@ -2896,8 +2915,10 @@ static int sig_cb(const char *elem, int len, void *arg) break; } } - if (i == OSSL_NELEM(sigalg_lookup_tbl)) - return 0; + if (i == OSSL_NELEM(sigalg_lookup_tbl)) { + /* Ignore unknown algorithms if ignore_unknown */ + return ignore_unknown; + } } else { *p = 0; p++; @@ -2905,8 +2926,10 @@ static int sig_cb(const char *elem, int len, void *arg) return 0; get_sigorhash(&sig_alg, &hash_alg, etmp); get_sigorhash(&sig_alg, &hash_alg, p); - if (sig_alg == NID_undef || hash_alg == NID_undef) - return 0; + if (sig_alg == NID_undef || hash_alg == NID_undef) { + /* Ignore unknown algorithms if ignore_unknown */ + return ignore_unknown; + } for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); i++, s++) { if (s->hash == hash_alg && s->sig == sig_alg) { @@ -2914,15 +2937,17 @@ static int sig_cb(const char *elem, int len, void *arg) break; } } - if (i == OSSL_NELEM(sigalg_lookup_tbl)) - return 0; + if (i == OSSL_NELEM(sigalg_lookup_tbl)) { + /* Ignore unknown algorithms if ignore_unknown */ + return ignore_unknown; + } } - /* Reject duplicates */ + /* Ignore duplicates */ for (i = 0; i < sarg->sigalgcnt - 1; i++) { if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) { sarg->sigalgcnt--; - return 0; + return 1; } } return 1; @@ -2938,6 +2963,11 @@ int tls1_set_sigalgs_list(CERT *c, const char *str, int client) sig.sigalgcnt = 0; if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) return 0; + if (sig.sigalgcnt == 0) { + ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, + "No valid signature algorithms in '%s'", str); + return 0; + } if (c == NULL) return 1; return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client); |