Reorganise supported signature algorithm extension processing.

snhenson · snhenson · commit c70a1fee7111 · 2012-12-26T14:26:16.000Z
Only store encoded versions of peer and configured signature algorithms.
Determine shared signature algorithms and cache the result along with NID
equivalents of each algorithm.
(backport from HEAD)
diff --git a/CHANGES b/CHANGES
@@ -4,6 +4,12 @@
 
  Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]
 
+  *) Update and tidy signature algorithm extension processing. Work out
+     shared signature algorithms based on preferences and peer algorithms
+     and print them out in s_client and s_server. Abort handshake if no
+     shared signature algorithms.
+     [Steve Henson]
+
   *) Add new functions to allow customised supported signature algorithms
      for SSL and SSL_CTX structures. Add options to s_client and s_server
      to support them.
diff --git a/apps/s_apps.h b/apps/s_apps.h
@@ -160,7 +160,7 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
 int set_cert_key_and_authz(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
                            unsigned char *authz, size_t authz_length);
 # endif
-int ssl_print_sigalgs(BIO *out, SSL *s);
+int ssl_print_sigalgs(BIO *out, SSL *s, int client);
 int ssl_print_curves(BIO *out, SSL *s);
 #endif
 int init_client(int *sock, char *server, int port, int type);
diff --git a/apps/s_cb.c b/apps/s_cb.c
@@ -285,20 +285,33 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
 	return 1;
 	}
 
-int ssl_print_sigalgs(BIO *out, SSL *s)
+static int do_print_sigalgs(BIO *out, SSL *s, int client, int shared)
 	{
 	int i, nsig;
-	nsig = SSL_get_sigalgs(s, -1, NULL, NULL, NULL, NULL, NULL);
+	if (shared)
+		nsig = SSL_get_shared_sigalgs(s, -1, NULL, NULL, NULL,
+							NULL, NULL);
+	else
+		nsig = SSL_get_sigalgs(s, -1, NULL, NULL, NULL, NULL, NULL);
 	if (nsig == 0)
 		return 1;
 
+	if (shared)
+		BIO_puts(out, "Shared ");
+
+	if (client)
+		BIO_puts(out, "Requested ");
 	BIO_puts(out, "Signature Algorithms: ");
 	for (i = 0; i < nsig; i++)
 		{
 		int hash_nid, sign_nid;
 		unsigned char rhash, rsign;
 		const char *sstr = NULL;
-		SSL_get_sigalgs(s, i, &sign_nid, &hash_nid, NULL,
+		if (shared)
+			SSL_get_shared_sigalgs(s, i, &sign_nid, &hash_nid, NULL,
+							&rsign, &rhash);
+		else
+			SSL_get_sigalgs(s, i, &sign_nid, &hash_nid, NULL,
 							&rsign, &rhash);
 		if (i)
 			BIO_puts(out, ":");
@@ -321,6 +334,13 @@ int ssl_print_sigalgs(BIO *out, SSL *s)
 	return 1;
 	}
 
+int ssl_print_sigalgs(BIO *out, SSL *s, int client)
+	{
+	do_print_sigalgs(out, s, client, 0);
+	do_print_sigalgs(out, s, client, 1);
+	return 1;
+	}
+
 int ssl_print_curves(BIO *out, SSL *s)
 	{
 	int i, ncurves, *curves, nid;
diff --git a/apps/s_client.c b/apps/s_client.c
@@ -2049,7 +2049,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 			BIO_write(bio,"\n",1);
 			}
 
-		ssl_print_sigalgs(bio, s);
+		ssl_print_sigalgs(bio, s, 1);
 
 		BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
 			BIO_number_read(SSL_get_rbio(s)),
diff --git a/apps/s_server.c b/apps/s_server.c
@@ -2536,7 +2536,7 @@ static int init_ssl_connection(SSL *con)
 	if (SSL_get_shared_ciphers(con,buf,sizeof buf) != NULL)
 		BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
 	str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
-	ssl_print_sigalgs(bio_s_out, con);
+	ssl_print_sigalgs(bio_s_out, con, 0);
 	ssl_print_curves(bio_s_out, con);
 	BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
 
@@ -2851,7 +2851,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
 					}
 				BIO_puts(io,"\n");
 				}
-			ssl_print_sigalgs(io, con);
+			ssl_print_sigalgs(io, con, 0);
 			ssl_print_curves(io, con);
 			BIO_printf(io,(SSL_cache_hit(con)
 				?"---\nReused, "
diff --git a/ssl/ssl.h b/ssl/ssl.h
@@ -2532,6 +2532,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_NO_RENEGOTIATION				 339
 #define SSL_R_NO_REQUIRED_DIGEST			 324
 #define SSL_R_NO_SHARED_CIPHER				 193
+#define SSL_R_NO_SHARED_SIGATURE_ALGORITHMS		 376
 #define SSL_R_NO_SRTP_PROFILES				 359
 #define SSL_R_NO_VERIFY_CALLBACK			 194
 #define SSL_R_NULL_SSL_CTX				 195
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
@@ -160,7 +160,7 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void)
 	return ssl_x509_store_ctx_idx;
 	}
 
-static void ssl_cert_set_default_md(CERT *cert)
+void ssl_cert_set_default_md(CERT *cert)
 	{
 	/* Set digest values to defaults */
 #ifndef OPENSSL_NO_DSA
@@ -373,6 +373,8 @@ CERT *ssl_cert_dup(CERT *cert)
 		}
 	else
 		ret->conf_sigalgs = NULL;
+	/* Shared sigalgs also NULL */
+	ret->shared_sigalgs = NULL;
 
 	return(ret);
 	
@@ -464,6 +466,8 @@ void ssl_cert_free(CERT *c)
 		OPENSSL_free(c->peer_sigalgs);
 	if (c->conf_sigalgs)
 		OPENSSL_free(c->conf_sigalgs);
+	if (c->shared_sigalgs)
+		OPENSSL_free(c->shared_sigalgs);
 	OPENSSL_free(c);
 	}
 
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
@@ -463,6 +463,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_NO_RENEGOTIATION)      ,"no renegotiation"},
 {ERR_REASON(SSL_R_NO_REQUIRED_DIGEST)    ,"digest requred for handshake isn't computed"},
 {ERR_REASON(SSL_R_NO_SHARED_CIPHER)      ,"no shared cipher"},
+{ERR_REASON(SSL_R_NO_SHARED_SIGATURE_ALGORITHMS),"no shared sigature algorithms"},
 {ERR_REASON(SSL_R_NO_SRTP_PROFILES)      ,"no srtp profiles"},
 {ERR_REASON(SSL_R_NO_VERIFY_CALLBACK)    ,"no verify callback"},
 {ERR_REASON(SSL_R_NULL_SSL_CTX)          ,"null ssl ctx"},
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
@@ -523,15 +523,20 @@ typedef struct cert_st
 	 * algorithms extension for server or as part of a certificate
 	 * request for client.
 	 */
-	TLS_SIGALGS *peer_sigalgs;
+	unsigned char *peer_sigalgs;
 	/* Size of above array */
 	size_t peer_sigalgslen;
 	/* configured signature algorithms (can be NULL for default).
 	 * sent in signature algorithms extension or certificate request.
 	 */
-	TLS_SIGALGS *conf_sigalgs;
+	unsigned char *conf_sigalgs;
 	/* Size of above array */
 	size_t conf_sigalgslen;
+	/* Signature algorithms shared by client and server: cached
+	 * because these are used most often
+	 */
+	TLS_SIGALGS *shared_sigalgs;
+	size_t shared_sigalgslen;
 
 	int references; /* >1 only if SSL_copy_session_id is used */
 	} CERT;
@@ -841,6 +846,7 @@ void ssl_clear_cipher_ctx(SSL *s);
 int ssl_clear_bad_session(SSL *s);
 CERT *ssl_cert_new(void);
 CERT *ssl_cert_dup(CERT *cert);
+void ssl_cert_set_default_md(CERT *cert);
 int ssl_cert_inst(CERT **o);
 void ssl_cert_clear_certs(CERT *c);
 void ssl_cert_free(CERT *c);
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
diff --git a/ssl/tls1.h b/ssl/tls1.h

Original file line number	Diff line number	Diff line change
`@@ -2049,7 +2049,7 @@ static void print_stuff(BIO bio, SSL s, int full)`
`2049`	`2049`	`BIO_write(bio,"\n",1);`
`2050`	`2050`	`}`
`2051`	`2051`
`2052`		`- ssl_print_sigalgs(bio, s);`
	`2052`	`+ ssl_print_sigalgs(bio, s, 1);`
`2053`	`2053`
`2054`	`2054`	`BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",`
`2055`	`2055`	`BIO_number_read(SSL_get_rbio(s)),`
Original file line number	Diff line number	Diff line change
`@@ -160,7 +160,7 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void)`
`160`	`160`	`return ssl_x509_store_ctx_idx;`
`161`	`161`	`}`
`162`	`162`
`163`		`-static void ssl_cert_set_default_md(CERT *cert)`
	`163`	`+void ssl_cert_set_default_md(CERT *cert)`
`164`	`164`	`{`
`165`	`165`	`/* Set digest values to defaults */`
`166`	`166`	`#ifndef OPENSSL_NO_DSA`
`@@ -373,6 +373,8 @@ CERT ssl_cert_dup(CERT cert)`
`373`	`373`	`}`
`374`	`374`	`else`
`375`	`375`	`ret->conf_sigalgs = NULL;`
	`376`	`+ /* Shared sigalgs also NULL */`
	`377`	`+ ret->shared_sigalgs = NULL;`
`376`	`378`
`377`	`379`	`return(ret);`
`378`	`380`
`@@ -464,6 +466,8 @@ void ssl_cert_free(CERT *c)`
`464`	`466`	`OPENSSL_free(c->peer_sigalgs);`
`465`	`467`	`if (c->conf_sigalgs)`
`466`	`468`	`OPENSSL_free(c->conf_sigalgs);`
	`469`	`+ if (c->shared_sigalgs)`
	`470`	`+ OPENSSL_free(c->shared_sigalgs);`
`467`	`471`	`OPENSSL_free(c);`
`468`	`472`	`}`
`469`	`473`