Commit 3dbc46df authored by Dr. Stephen Henson

Separate client and server permitted signature algorithm support: by default

the permitted signature algorithms for server and client authentication
are the same but it is now possible to set different algorithms for client
authentication only.
parent 32e03a30
+3 −0
@@ -4,6 +4,9 @@

 Changes between 1.0.1 and 1.1.0  [xx XXX xxxx]

  *) Support for distinct client and server supported signature algorithms.
     [Steve Henson]

  *) Add certificate callback. If set this is called whenever a certificate
     is required by client or server. An application can decide which
     certificate chain to present based on arbitrary criteria: for example
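--- a/FILE_PATH_NOT_SHOWN
+++ b/FILE_PATH_NOT_SHOWN
@@ -607,6 +607,7 @@ int MAIN(int argc, char **argv)
 	char *servername = NULL; 
 	char *curves=NULL;
 	char *sigalgs=NULL;
+	char *client_sigalgs=NULL;
         tlsextctx tlsextcbp = 
         {NULL,0};
 # ifndef OPENSSL_NO_NEXTPROTONEG
@@ -964,6 +965,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			sigalgs= *(++argv);
 			}
+		else if	(strcmp(*argv,"-client_sigalgs") == 0)
+			{
+			if (--argc < 1) goto bad;
+			client_sigalgs= *(++argv);
+			}
 #endif
 #ifndef OPENSSL_NO_JPAKE
 		else if (strcmp(*argv,"-jpake") == 0)
@@ -1215,6 +1221,12 @@ bad:
 		ERR_print_errors(bio_err);
 		goto end;
 	}
+	if (client_sigalgs != NULL)
+		if(!SSL_CTX_set1_client_sigalgs_list(ctx,client_sigalgs)) {
+		BIO_printf(bio_err,"error setting client signature algorithms list\n");
+		ERR_print_errors(bio_err);
+		goto end;
+	}
 	if (servername != NULL)
 		{
 		tlsextcbp.biodebug = bio_err;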
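Review bot: The new `if (client_sigalgs != NULL)` in the third hunk has no braces of its own, so the brace block that follows belongs to the inner `if(!SSL_CTX_set1_client_sigalgs_list(...))` and the outer statement is a bare nested `if` — exactly the shape that hides a mis-attached `goto end` and that the project's own brace-everything habit is meant to prevent. Brace the outer statement: `if (client_sigalgs != NULL) {` and a matching `}` after the inner block's closing brace. The error text here says "client signature algorithms list" while the equivalent message in the server tool omits "list"; aligning the two makes log grepping easier. The enclosing MAIN() starts and ends outside these hunks, and I cannot see whether the usage text gained a `-client_sigalgs` line — worth checking.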
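--- a/FILE_PATH_NOT_SHOWN
+++ b/FILE_PATH_NOT_SHOWN
@@ -275,6 +275,7 @@ static const char *s_cert_file=TEST_CERT,*s_key_file=NULL, *s_chain_file=NULL;
 static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL;
 static char *curves=NULL;
 static char *sigalgs=NULL;
+static char *client_sigalgs=NULL;
 #endif
 static char *s_dcert_file=NULL,*s_dkey_file=NULL, *s_dchain_file=NULL;
 #ifdef FIONBIO
@@ -1219,6 +1220,11 @@ int MAIN(int argc, char *argv[])
 			if (--argc < 1) goto bad;
 			sigalgs= *(++argv);
 			}
+		else if	(strcmp(*argv,"-client_sigalgs") == 0)
+			{
+			if (--argc < 1) goto bad;
+			client_sigalgs= *(++argv);
+			}
 #endif
 		else if	(strcmp(*argv,"-msg") == 0)
 			{ s_msg=1; }
@@ -1963,6 +1969,21 @@ bad:
 			goto end;
 			}
 		}
+	if (client_sigalgs)
+		{
+		if(!SSL_CTX_set1_client_sigalgs_list(ctx,client_sigalgs))
+			{
+			BIO_printf(bio_err,"error setting client signature algorithms\n");
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		if(ctx2 && !SSL_CTX_set1_client_sigalgs_list(ctx2,client_sigalgs))
+			{
+			BIO_printf(bio_err,"error setting client signature algorithms\n");
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		}
 #endif
 	SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
 	SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,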
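Review bot: The two failure branches in the third hunk print the identical string "error setting client signature algorithms", so when the `ctx2` call is the one that fails the operator cannot tell which context rejected the list. Change the second message to `BIO_printf(bio_err,"error setting client signature algorithms (second context)\n");` or fold both calls into one loop over the two contexts with the context named in the message. The `#endif` that closes this block belongs to an `#ifndef` guard that begins outside the hunk, so I could not confirm the new code sits under the same feature guard as the `sigalgs` handling above it; that is worth a glance since the two blocks mirror each other.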
+16 −4
@@ -3415,10 +3415,16 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
		break;

	case SSL_CTRL_SET_SIGALGS:
		return tls1_set_sigalgs(s->cert, parg, larg);
		return tls1_set_sigalgs(s->cert, parg, larg, 0);

	case SSL_CTRL_SET_SIGALGS_LIST:
		return tls1_set_sigalgs_list(s->cert, parg);
		return tls1_set_sigalgs_list(s->cert, parg, 0);

	case SSL_CTRL_SET_CLIENT_SIGALGS:
		return tls1_set_sigalgs(s->cert, parg, larg, 1);

	case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
		return tls1_set_sigalgs_list(s->cert, parg, 1);

	default:
		break;
@@ -3703,10 +3709,16 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
		break;

	case SSL_CTRL_SET_SIGALGS:
		return tls1_set_sigalgs(ctx->cert, parg, larg);
		return tls1_set_sigalgs(ctx->cert, parg, larg, 0);

	case SSL_CTRL_SET_SIGALGS_LIST:
		return tls1_set_sigalgs_list(ctx->cert, parg);
		return tls1_set_sigalgs_list(ctx->cert, parg, 0);

	case SSL_CTRL_SET_CLIENT_SIGALGS:
		return tls1_set_sigalgs(ctx->cert, parg, larg, 1);

	case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
		return tls1_set_sigalgs_list(ctx->cert, parg, 1);

	case SSL_CTRL_SET_TLSEXT_AUTHZ_SERVER_AUDIT_PROOF_CB_ARG:
		ctx->tlsext_authz_server_audit_proof_cb_arg = parg;
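Review bot: The new trailing argument passed to `tls1_set_sigalgs` and `tls1_set_sigalgs_list` is a bare `0` or `1` at every call site in both `ssl3_ctrl` and `ssl3_ctx_ctrl`, and nothing at the call site says which value selects the client-authentication list — the reader has to go to the callee to find out. A one-line comment on the first of the four new cases in each function, such as `/* last arg: 1 selects the client-auth sigalgs, 0 the default (server) list */`, or a named constant for the flag in place of the literals, would make the intent visible where the ctrl is dispatched. This applies to the same four lines in both hunks; the enclosing switch statements start and end outside the hunks shown.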
+11 −0
@@ -1662,6 +1662,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
#define SSL_CTRL_SET_SIGALGS_LIST		98
#define SSL_CTRL_CERT_FLAGS			99
#define SSL_CTRL_CLEAR_CERT_FLAGS		100
#define SSL_CTRL_SET_CLIENT_SIGALGS		101
#define SSL_CTRL_SET_CLIENT_SIGALGS_LIST	102

#define DTLSv1_get_timeout(ssl, arg) \
	SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
@@ -1747,6 +1749,15 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
#define SSL_set1_sigalgs_list(ctx, s) \
	SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)s)

#define SSL_CTX_set1_client_sigalgs(ctx, slist, slistlen) \
	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS,slistlen,(int *)slist)
#define SSL_CTX_set1_client_sigalgs_list(ctx, s) \
	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)s)
#define SSL_set1_client_sigalgs(ctx, slist, slistlen) \
	SSL_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS,clistlen,(int *)slist)
#define SSL_set1_client_sigalgs_list(ctx, s) \
	SSL_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)s)

#ifndef OPENSSL_NO_BIO
BIO_METHOD *BIO_f_ssl(void);
BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
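Review bot: `SSL_set1_client_sigalgs` in the second hunk declares its length parameter as `slistlen` but expands to `clistlen`, so the macro never forwards the caller's length: any use either fails to compile on an undeclared `clistlen` or, if the caller happens to have a variable of that name in scope, silently passes that value as the length of `slist` to the ctrl. The fix is the single expansion line `SSL_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS,slistlen,(int *)slist)`, matching the `SSL_CTX_set1_client_sigalgs` macro directly above it. None of the callers in this commit use the array form, which is presumably why the build did not catch it; a compile-only use of each new public macro would close that gap.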