Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]
+ *) Support for distinct client and server supported signature algorithms.
+ [Steve Henson]
+
*) Add certificate callback. If set this is called whenever a certificate
is required by client or server. An application can decide which
certificate chain to present based on arbitrary criteria: for example
char *servername = NULL;
char *curves=NULL;
char *sigalgs=NULL;
+ char *client_sigalgs=NULL;
tlsextctx tlsextcbp =
{NULL,0};
# ifndef OPENSSL_NO_NEXTPROTONEG
if (--argc < 1) goto bad;
sigalgs= *(++argv);
}
+ else if (strcmp(*argv,"-client_sigalgs") == 0)
+ {
+ if (--argc < 1) goto bad;
+ client_sigalgs= *(++argv);
+ }
#endif
#ifndef OPENSSL_NO_JPAKE
else if (strcmp(*argv,"-jpake") == 0)
ERR_print_errors(bio_err);
goto end;
}
+ if (client_sigalgs != NULL)
+ if(!SSL_CTX_set1_client_sigalgs_list(ctx,client_sigalgs)) {
+ BIO_printf(bio_err,"error setting client signature algorithms list\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
if (servername != NULL)
{
tlsextcbp.biodebug = bio_err;
static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL;
static char *curves=NULL;
static char *sigalgs=NULL;
+static char *client_sigalgs=NULL;
#endif
static char *s_dcert_file=NULL,*s_dkey_file=NULL, *s_dchain_file=NULL;
#ifdef FIONBIO
if (--argc < 1) goto bad;
sigalgs= *(++argv);
}
+ else if (strcmp(*argv,"-client_sigalgs") == 0)
+ {
+ if (--argc < 1) goto bad;
+ client_sigalgs= *(++argv);
+ }
#endif
else if (strcmp(*argv,"-msg") == 0)
{ s_msg=1; }
goto end;
}
}
+ if (client_sigalgs)
+ {
+ if(!SSL_CTX_set1_client_sigalgs_list(ctx,client_sigalgs))
+ {
+ BIO_printf(bio_err,"error setting client signature algorithms\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ if(ctx2 && !SSL_CTX_set1_client_sigalgs_list(ctx2,client_sigalgs))
+ {
+ BIO_printf(bio_err,"error setting client signature algorithms\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
#endif
SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
break;
case SSL_CTRL_SET_SIGALGS:
- return tls1_set_sigalgs(s->cert, parg, larg);
+ return tls1_set_sigalgs(s->cert, parg, larg, 0);
case SSL_CTRL_SET_SIGALGS_LIST:
- return tls1_set_sigalgs_list(s->cert, parg);
+ return tls1_set_sigalgs_list(s->cert, parg, 0);
+
+ case SSL_CTRL_SET_CLIENT_SIGALGS:
+ return tls1_set_sigalgs(s->cert, parg, larg, 1);
+
+ case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
+ return tls1_set_sigalgs_list(s->cert, parg, 1);
default:
break;
break;
case SSL_CTRL_SET_SIGALGS:
- return tls1_set_sigalgs(ctx->cert, parg, larg);
+ return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
case SSL_CTRL_SET_SIGALGS_LIST:
- return tls1_set_sigalgs_list(ctx->cert, parg);
+ return tls1_set_sigalgs_list(ctx->cert, parg, 0);
+
+ case SSL_CTRL_SET_CLIENT_SIGALGS:
+ return tls1_set_sigalgs(ctx->cert, parg, larg, 1);
+
+ case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
+ return tls1_set_sigalgs_list(ctx->cert, parg, 1);
case SSL_CTRL_SET_TLSEXT_AUTHZ_SERVER_AUDIT_PROOF_CB_ARG:
ctx->tlsext_authz_server_audit_proof_cb_arg = parg;
#define SSL_CTRL_SET_SIGALGS_LIST 98
#define SSL_CTRL_CERT_FLAGS 99
#define SSL_CTRL_CLEAR_CERT_FLAGS 100
+#define SSL_CTRL_SET_CLIENT_SIGALGS 101
+#define SSL_CTRL_SET_CLIENT_SIGALGS_LIST 102
#define DTLSv1_get_timeout(ssl, arg) \
SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
#define SSL_set1_sigalgs_list(ctx, s) \
SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)s)
+#define SSL_CTX_set1_client_sigalgs(ctx, slist, slistlen) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS,slistlen,(int *)slist)
+#define SSL_CTX_set1_client_sigalgs_list(ctx, s) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)s)
+#define SSL_set1_client_sigalgs(ctx, slist, slistlen) \
+ SSL_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS,clistlen,(int *)slist)
+#define SSL_set1_client_sigalgs_list(ctx, s) \
+ SSL_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)s)
+
#ifndef OPENSSL_NO_BIO
BIO_METHOD *BIO_f_ssl(void);
BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
/* Peer sigalgs set to NULL as we get these from handshake too */
ret->peer_sigalgs = NULL;
ret->peer_sigalgslen = 0;
- /* Configure sigalgs however we copy across */
+ /* Configured sigalgs however we copy across */
+
if (cert->conf_sigalgs)
{
- ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen
- * sizeof(TLS_SIGALGS));
+ ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen);
if (!ret->conf_sigalgs)
goto err;
memcpy(ret->conf_sigalgs, cert->conf_sigalgs,
- cert->conf_sigalgslen * sizeof(TLS_SIGALGS));
+ cert->conf_sigalgslen);
ret->conf_sigalgslen = cert->conf_sigalgslen;
}
else
ret->conf_sigalgs = NULL;
+
+ if (cert->client_sigalgs)
+ {
+ ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen);
+ if (!ret->client_sigalgs)
+ goto err;
+ memcpy(ret->client_sigalgs, cert->client_sigalgs,
+ cert->client_sigalgslen);
+ ret->client_sigalgslen = cert->client_sigalgslen;
+ }
+ else
+ ret->client_sigalgs = NULL;
/* Shared sigalgs also NULL */
ret->shared_sigalgs = NULL;
OPENSSL_free(c->peer_sigalgs);
if (c->conf_sigalgs)
OPENSSL_free(c->conf_sigalgs);
+ if (c->client_sigalgs)
+ OPENSSL_free(c->client_sigalgs);
if (c->shared_sigalgs)
OPENSSL_free(c->shared_sigalgs);
OPENSSL_free(c);
unsigned char *peer_sigalgs;
/* Size of above array */
size_t peer_sigalgslen;
- /* configured signature algorithms (can be NULL for default).
- * sent in signature algorithms extension or certificate request.
+ /* suppported signature algorithms.
+ * When set on a client this is sent in the client hello as the
+ * supported signature algorithms extension. For servers
+ * it represents the signature algorithms we are willing to use.
*/
unsigned char *conf_sigalgs;
/* Size of above array */
size_t conf_sigalgslen;
+ /* Client authentication signature algorithms, if not set then
+ * uses conf_sigalgs. On servers these will be the signature
+ * algorithms sent to the client in a cerificate request for TLS 1.2.
+ * On a client this represents the signature algortithms we are
+ * willing to use for client authentication.
+ */
+ unsigned char *client_sigalgs;
+ /* Size of above array */
+ size_t client_sigalgslen;
/* Signature algorithms shared by client and server: cached
- * because these are used most often
+ * because these are used most often.
*/
TLS_SIGALGS *shared_sigalgs;
size_t shared_sigalgslen;
int tls12_get_sigid(const EVP_PKEY *pk);
const EVP_MD *tls12_get_hash(unsigned char hash_alg);
-int tls1_set_sigalgs_list(CERT *c, const char *str);
-int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen);
+int tls1_set_sigalgs_list(CERT *c, const char *str, int client);
+int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen, int client);
int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
int idx);
void tls1_set_cert_validity(SSL *s);
{
const unsigned char *sigs;
size_t sigslen;
- sigs = s->cert->conf_sigalgs;
-
- if (sigs)
+ /* If server use client authentication sigalgs if not NULL */
+ if (s->server && s->cert->client_sigalgs)
+ {
+ sigs = s->cert->client_sigalgs;
+ sigslen = s->cert->client_sigalgslen;
+ }
+ else if (s->cert->conf_sigalgs)
+ {
+ sigs = s->cert->conf_sigalgs;
sigslen = s->cert->conf_sigalgslen;
+ }
else
{
sigs = tls12_sigalgs;
size_t nmatch;
TLS_SIGALGS *salgs = NULL;
CERT *c = s->cert;
- conf = c->conf_sigalgs;
- if (conf)
+ /* If client use client signature algorithms if not NULL */
+ if (!s->server && c->client_sigalgs)
+ {
+ conf = c->client_sigalgs;
+ conflen = c->client_sigalgslen;
+ }
+ else if (c->conf_sigalgs)
+ {
+ conf = c->conf_sigalgs;
conflen = c->conf_sigalgslen;
+ }
else
{
conf = tls12_sigalgs;
/* Set suppored signature algorithms based on a colon separated list
* of the form sig+hash e.g. RSA+SHA512:DSA+SHA512 */
-int tls1_set_sigalgs_list(CERT *c, const char *str)
+int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
{
sig_cb_st sig;
sig.sigalgcnt = 0;
if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
return 0;
- return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt);
+ return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
}
-int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen)
+int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
{
unsigned char *sigalgs, *sptr;
int rhash, rsign;
*sptr++ = rsign;
}
- if (c->conf_sigalgs)
- OPENSSL_free(c->conf_sigalgs);
+ if (client)
+ {
+ if (c->client_sigalgs)
+ OPENSSL_free(c->client_sigalgs);
+ c->client_sigalgs = sigalgs;
+ c->client_sigalgslen = salglen;
+ }
+ else
+ {
+ if (c->conf_sigalgs)
+ OPENSSL_free(c->conf_sigalgs);
+ c->conf_sigalgs = sigalgs;
+ c->conf_sigalgslen = salglen;
+ }
- c->conf_sigalgs = sigalgs;
- c->conf_sigalgslen = salglen;
return 1;
err:
* have set preferred signature algorithms check we support
* sha1.
*/
- if (default_nid > 0 && c->conf_sigalgs)
+ if (s->server && default_nid > 0 && c->conf_sigalgs)
{
size_t j;
const unsigned char *p = c->conf_sigalgs;
projects / oweals / openssl.git / commitdiff