Commit 04c32cdd authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Separate client and server permitted signature algorithm support: by default 

the permitted signature algorithms for server and client authentication
are the same but it is now possible to set different algorithms for client
authentication only.
(backport from HEAD)
parent 623a5e24

CHANGES

+3 −0
Original line number Diff line number Diff line
@@ -8,6 +8,9 @@ 
     OID NID.

     [Steve Henson]



  *) Support for distinct client and server supported signature algorithms.

     [Steve Henson]



  *) Add certificate callback. If set this is called whenever a certificate

     is required by client or server. An application can decide which

     certificate chain to present based on arbitrary criteria: for example

apps/s_client.c

+12 −0
Original line number Diff line number Diff line
@@ -606,6 +606,7 @@ int MAIN(int argc, char **argv) 
	char *servername = NULL; 

	char *curves=NULL;

	char *sigalgs=NULL;

	char *client_sigalgs=NULL;

        tlsextctx tlsextcbp = 

        {NULL,0};

# ifndef OPENSSL_NO_NEXTPROTONEG
@@ -954,6 +955,11 @@ int MAIN(int argc, char **argv) 
			if (--argc < 1) goto bad;

			sigalgs= *(++argv);

			}

		else if	(strcmp(*argv,"-client_sigalgs") == 0)

			{

			if (--argc < 1) goto bad;

			client_sigalgs= *(++argv);

			}

#endif

#ifndef OPENSSL_NO_JPAKE

		else if (strcmp(*argv,"-jpake") == 0)
@@ -1204,6 +1210,12 @@ bad: 
		ERR_print_errors(bio_err);

		goto end;

	}

	if (client_sigalgs != NULL)

		if(!SSL_CTX_set1_client_sigalgs_list(ctx,client_sigalgs)) {

		BIO_printf(bio_err,"error setting client signature algorithms list\n");

		ERR_print_errors(bio_err);

		goto end;

	}

	if (servername != NULL)

		{

		tlsextcbp.biodebug = bio_err;

apps/s_server.c

+21 −0
Original line number Diff line number Diff line
@@ -272,6 +272,7 @@ static const char *s_cert_file=TEST_CERT,*s_key_file=NULL, *s_chain_file=NULL; 
static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL;

static char *curves=NULL;

static char *sigalgs=NULL;

static char *client_sigalgs=NULL;

#endif

static char *s_dcert_file=NULL,*s_dkey_file=NULL, *s_dchain_file=NULL;

#ifdef FIONBIO
@@ -1207,6 +1208,11 @@ int MAIN(int argc, char *argv[]) 
			if (--argc < 1) goto bad;

			sigalgs= *(++argv);

			}

		else if	(strcmp(*argv,"-client_sigalgs") == 0)

			{

			if (--argc < 1) goto bad;

			client_sigalgs= *(++argv);

			}

#endif

		else if	(strcmp(*argv,"-msg") == 0)

			{ s_msg=1; }
@@ -1926,6 +1932,21 @@ bad: 
			goto end;

			}

		}

	if (client_sigalgs)

		{

		if(!SSL_CTX_set1_client_sigalgs_list(ctx,client_sigalgs))

			{

			BIO_printf(bio_err,"error setting client signature algorithms\n");

			ERR_print_errors(bio_err);

			goto end;

			}

		if(ctx2 && !SSL_CTX_set1_client_sigalgs_list(ctx2,client_sigalgs))

			{

			BIO_printf(bio_err,"error setting client signature algorithms\n");

			ERR_print_errors(bio_err);

			goto end;

			}

		}

#endif

	SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);

	SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,

ssl/s3_lib.c

+16 −4
Original line number Diff line number Diff line
@@ -3415,10 +3415,16 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) 
		break;



	case SSL_CTRL_SET_SIGALGS:

		return tls1_set_sigalgs(s->cert, parg, larg);

		return tls1_set_sigalgs(s->cert, parg, larg, 0);



	case SSL_CTRL_SET_SIGALGS_LIST:

		return tls1_set_sigalgs_list(s->cert, parg);

		return tls1_set_sigalgs_list(s->cert, parg, 0);



	case SSL_CTRL_SET_CLIENT_SIGALGS:

		return tls1_set_sigalgs(s->cert, parg, larg, 1);



	case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:

		return tls1_set_sigalgs_list(s->cert, parg, 1);



	default:

		break;
@@ -3698,10 +3704,16 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) 
		break;



	case SSL_CTRL_SET_SIGALGS:

		return tls1_set_sigalgs(ctx->cert, parg, larg);

		return tls1_set_sigalgs(ctx->cert, parg, larg, 0);



	case SSL_CTRL_SET_SIGALGS_LIST:

		return tls1_set_sigalgs_list(ctx->cert, parg);

		return tls1_set_sigalgs_list(ctx->cert, parg, 0);



	case SSL_CTRL_SET_CLIENT_SIGALGS:

		return tls1_set_sigalgs(ctx->cert, parg, larg, 1);



	case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:

		return tls1_set_sigalgs_list(ctx->cert, parg, 1);



	case SSL_CTRL_SET_TLSEXT_AUTHZ_SERVER_AUDIT_PROOF_CB_ARG:

		ctx->tlsext_authz_server_audit_proof_cb_arg = parg;

ssl/ssl.h

+11 −0
Original line number Diff line number Diff line
@@ -1653,6 +1653,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) 
#define SSL_CTRL_SET_SIGALGS_LIST		98

#define SSL_CTRL_CERT_FLAGS			99

#define SSL_CTRL_CLEAR_CERT_FLAGS		100

#define SSL_CTRL_SET_CLIENT_SIGALGS		101

#define SSL_CTRL_SET_CLIENT_SIGALGS_LIST	102



#define DTLSv1_get_timeout(ssl, arg) \

	SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
@@ -1738,6 +1740,15 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) 
#define SSL_set1_sigalgs_list(ctx, s) \

	SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)s)



#define SSL_CTX_set1_client_sigalgs(ctx, slist, slistlen) \

	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS,slistlen,(int *)slist)

#define SSL_CTX_set1_client_sigalgs_list(ctx, s) \

	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)s)

#define SSL_set1_client_sigalgs(ctx, slist, slistlen) \

	SSL_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS,clistlen,(int *)slist)

#define SSL_set1_client_sigalgs_list(ctx, s) \

	SSL_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)s)



#ifndef OPENSSL_NO_BIO

BIO_METHOD *BIO_f_ssl(void);

BIO *BIO_new_ssl(SSL_CTX *ctx,int client);