From 0b362de5f57547b31eddef5f8a0d298c4b7e0fd3 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Wed, 26 Dec 2012 14:25:29 +0000
Subject: Add support for application defined signature algorithms for use with TLS v1.2. These are sent as an extension for clients and during a certificate request for servers.
TODO: add support for shared signature algorithms, respect shared algorithms when deciding which ciphersuites and certificates to permit.
(backport from HEAD)
---
 apps/s_client.c | 12 ++++++++++++
 apps/s_server.c | 21 +++++++++++++++++++++
 2 files changed, 33 insertions(+)
(limited to 'apps')
diff --git a/apps/s_client.c b/apps/s_client.c
index 7a75888daf..42e0e24127 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -605,6 +605,7 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_TLSEXT
 char *servername = NULL;
 char *curves=NULL;
+ char *sigalgs=NULL;
 tlsextctx tlsextcbp = {NULL,0};
 # ifndef OPENSSL_NO_NEXTPROTONEG
@@ -948,6 +949,11 @@ int MAIN(int argc, char **argv)
 if (--argc < 1) goto bad;
 curves= *(++argv);
 }
+ else if (strcmp(*argv,"-sigalgs") == 0)
+ {
+ if (--argc < 1) goto bad;
+ sigalgs= *(++argv);
+ }
 #endif
 #ifndef OPENSSL_NO_JPAKE
 else if (strcmp(*argv,"-jpake") == 0)
@@ -1192,6 +1198,12 @@ bad:
 ERR_print_errors(bio_err);
 goto end;
 }
+ if (sigalgs != NULL)
+ if(!SSL_CTX_set1_sigalgs_list(ctx,sigalgs)) {
+ BIO_printf(bio_err,"error setting signature algorithms list\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
 if (servername != NULL)
 {
 tlsextcbp.biodebug = bio_err;
diff --git a/apps/s_server.c b/apps/s_server.c
index 20f0c221a0..ac88f7c188 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -271,6 +271,7 @@ static const char *s_cert_file=TEST_CERT,*s_key_file=NULL, *s_chain_file=NULL;
 #ifndef OPENSSL_NO_TLSEXT
 static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL;
 static char *curves=NULL;
+static char *sigalgs=NULL;
 #endif
 static char *s_dcert_file=NULL,*s_dkey_file=NULL, *s_dchain_file=NULL;
 #ifdef FIONBIO 
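Review bot: The new `-sigalgs` option in the `@@ -948` parsing hunk is not described in the program's usage output; the diffstat (12 insertions in s_client.c, 21 in s_server.c) is fully accounted for by the declaration, parsing and setup hunks, so no help line was added, and the same applies to the `@@ -1193` parsing hunk in s_server.c. The usage function (sc_usage in this file, sv_usage in s_server.c) lies outside these hunks, so it would need a separate line in the style of the existing `-curves arg` entry, e.g. `BIO_printf(bio_err," -sigalgs arg      - signature algorithms to support (colon-separated list)\n");` (constructed wording). Since an unparsable list is only reported at SSL_CTX_set1_sigalgs_list time, the help text is the user's only hint that the argument is a colon-separated list in the form the library expects. The enclosing option loop in MAIN starts and ends outside the hunk.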
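Review bot: In the `@@ -1192` hunk of s_client.c the outer `if (sigalgs != NULL)` is left unbraced while its only statement is a braced inner `if`, with the inner brace placed on the same line; this departs from the brace-on-its-own-line style of the adjacent `if (servername != NULL)` block and from the s_server.c counterpart, which wraps the equivalent check in `if (sigalgs) { ... }`. Folding the two conditions into one also removes the nesting: `if (sigalgs != NULL && !SSL_CTX_set1_sigalgs_list(ctx,sigalgs))` followed by the existing braced error block. The client's message says "error setting signature algorithms list" while the server's says "error setting signature algorithms"; using one wording in both files would make log output easier to correlate. The enclosing setup code in MAIN continues outside the hunk.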
@@ -1193,6 +1194,11 @@ int MAIN(int argc, char *argv[])
 if (--argc < 1) goto bad;
 curves= *(++argv);
 }
+ else if (strcmp(*argv,"-sigalgs") == 0)
+ {
+ if (--argc < 1) goto bad;
+ sigalgs= *(++argv);
+ }
 #endif
 else if (strcmp(*argv,"-msg") == 0)
 { s_msg=1; }
@@ -1888,6 +1894,21 @@ bad:
 goto end;
 }
 }
+ if (sigalgs)
+ {
+ if(!SSL_CTX_set1_sigalgs_list(ctx,sigalgs))
+ {
+ BIO_printf(bio_err,"error setting signature algorithms\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ if(ctx2 && !SSL_CTX_set1_sigalgs_list(ctx2,sigalgs))
+ {
+ BIO_printf(bio_err,"error setting signature algorithms\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
 #endif
 SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
 SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
-- 
cgit v1.2.3
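Review bot: In the `@@ -1888` hunk of s_server.c the ctx and ctx2 failure paths print the identical message "error setting signature algorithms", so an operator cannot tell from the output which context rejected the list, even though only one of them may be in use. The second block could say `BIO_printf(bio_err,"error setting signature algorithms for second certificate context\n");` (constructed wording), or the two blocks could be collapsed into a single check of `!SSL_CTX_set1_sigalgs_list(ctx,sigalgs) || (ctx2 && !SSL_CTX_set1_sigalgs_list(ctx2,sigalgs))` with one error block. Both calls are correctly checked and routed through the existing `goto end` cleanup, so this is a diagnostics and duplication point rather than a correctness one. The enclosing setup code after `bad:` starts and ends outside the hunk.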