Separate client and server permitted signature algorithm support: by default

the permitted signature algorithms for server and client authentication are the same but it is now possible to set different algorithms for client authentication only.

Separate client and server permitted signature algorithm support: by default
the permitted signature algorithms for server and client authentication are the same but it is now possible to set different algorithms for client authentication only.
3dbc46df · Dr. Stephen Henson · 32e03a30 · 3dbc46df · 3dbc46df · 3dbc46df
8 changed file
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,9 @@

 Changes between 1.0.1 and 1.1.0  [xx XXX xxxx]

+  *) Support for distinct client and server supported signature algorithms.
+     [Steve Henson]
+
  *) Add certificate callback. If set this is called whenever a certificate
     is required by client or server. An application can decide which
     certificate chain to present based on arbitrary criteria: for example

--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -607,6 +607,7 @@ int MAIN(int argc, char **argv)
 	char *servername = NULL; 
 	char *curves=NULL;
 	char *sigalgs=NULL;
+	char *client_sigalgs=NULL;
        tlsextctx tlsextcbp = 
        {NULL,0};
 # ifndef OPENSSL_NO_NEXTPROTONEG
@@ -964,6 +965,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			sigalgs= *(++argv);
 			}
+		else if	(strcmp(*argv,"-client_sigalgs") == 0)
+			{
+			if (--argc < 1) goto bad;
+			client_sigalgs= *(++argv);
+			}
 #endif
 #ifndef OPENSSL_NO_JPAKE
 		else if (strcmp(*argv,"-jpake") == 0)
@@ -1215,6 +1221,12 @@ bad:
 		ERR_print_errors(bio_err);
 		goto end;
 	}
+	if (client_sigalgs != NULL)
+		if(!SSL_CTX_set1_client_sigalgs_list(ctx,client_sigalgs)) {
+		BIO_printf(bio_err,"error setting client signature algorithms list\n");
+		ERR_print_errors(bio_err);
+		goto end;
+	}
 	if (servername != NULL)
 		{
 		tlsextcbp.biodebug = bio_err;

--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -275,6 +275,7 @@ static const char *s_cert_file=TEST_CERT,*s_key_file=NULL, *s_chain_file=NULL;
 static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL;
 static char *curves=NULL;
 static char *sigalgs=NULL;
+static char *client_sigalgs=NULL;
 #endif
 static char *s_dcert_file=NULL,*s_dkey_file=NULL, *s_dchain_file=NULL;
 #ifdef FIONBIO
@@ -1219,6 +1220,11 @@ int MAIN(int argc, char *argv[])
 			if (--argc < 1) goto bad;
 			sigalgs= *(++argv);
 			}
+		else if	(strcmp(*argv,"-client_sigalgs") == 0)
+			{
+			if (--argc < 1) goto bad;
+			client_sigalgs= *(++argv);
+			}
 #endif
 		else if	(strcmp(*argv,"-msg") == 0)
 			{ s_msg=1; }
@@ -1963,6 +1969,21 @@ bad:
 			goto end;
 			}
 		}
+	if (client_sigalgs)
+		{
+		if(!SSL_CTX_set1_client_sigalgs_list(ctx,client_sigalgs))
+			{
+			BIO_printf(bio_err,"error setting client signature algorithms\n");
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		if(ctx2 && !SSL_CTX_set1_client_sigalgs_list(ctx2,client_sigalgs))
+			{
+			BIO_printf(bio_err,"error setting client signature algorithms\n");
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		}
 #endif
 	SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
 	SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,

--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3415,10 +3415,16 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 		break;

 	case SSL_CTRL_SET_SIGALGS:
-		return tls1_set_sigalgs(s->cert, parg, larg);
+		return tls1_set_sigalgs(s->cert, parg, larg, 0);

 	case SSL_CTRL_SET_SIGALGS_LIST:
-		return tls1_set_sigalgs_list(s->cert, parg);
+		return tls1_set_sigalgs_list(s->cert, parg, 0);
+
+	case SSL_CTRL_SET_CLIENT_SIGALGS:
+		return tls1_set_sigalgs(s->cert, parg, larg, 1);
+
+	case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
+		return tls1_set_sigalgs_list(s->cert, parg, 1);

 	default:
 		break;
@@ -3703,10 +3709,16 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 		break;

 	case SSL_CTRL_SET_SIGALGS:
-		return tls1_set_sigalgs(ctx->cert, parg, larg);
+		return tls1_set_sigalgs(ctx->cert, parg, larg, 0);

 	case SSL_CTRL_SET_SIGALGS_LIST:
-		return tls1_set_sigalgs_list(ctx->cert, parg);
+		return tls1_set_sigalgs_list(ctx->cert, parg, 0);
+
+	case SSL_CTRL_SET_CLIENT_SIGALGS:
+		return tls1_set_sigalgs(ctx->cert, parg, larg, 1);
+
+	case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
+		return tls1_set_sigalgs_list(ctx->cert, parg, 1);

 	case SSL_CTRL_SET_TLSEXT_AUTHZ_SERVER_AUDIT_PROOF_CB_ARG:
 		ctx->tlsext_authz_server_audit_proof_cb_arg = parg;

--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1662,6 +1662,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_CTRL_SET_SIGALGS_LIST		98
 #define SSL_CTRL_CERT_FLAGS			99
 #define SSL_CTRL_CLEAR_CERT_FLAGS		100
+#define SSL_CTRL_SET_CLIENT_SIGALGS		101
+#define SSL_CTRL_SET_CLIENT_SIGALGS_LIST	102

 #define DTLSv1_get_timeout(ssl, arg) \
 	SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
@@ -1747,6 +1749,15 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_set1_sigalgs_list(ctx, s) \
 	SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)s)

+#define SSL_CTX_set1_client_sigalgs(ctx, slist, slistlen) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS,slistlen,(int *)slist)
+#define SSL_CTX_set1_client_sigalgs_list(ctx, s) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)s)
+#define SSL_set1_client_sigalgs(ctx, slist, slistlen) \
+	SSL_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS,clistlen,(int *)slist)
+#define SSL_set1_client_sigalgs_list(ctx, s) \
+	SSL_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)s)
+
 #ifndef OPENSSL_NO_BIO
 BIO_METHOD *BIO_f_ssl(void);
 BIO *BIO_new_ssl(SSL_CTX *ctx,int client);

--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -361,19 +361,31 @@ CERT *ssl_cert_dup(CERT *cert)
 	/* Peer sigalgs set to NULL as we get these from handshake too */
 	ret->peer_sigalgs = NULL;
 	ret->peer_sigalgslen = 0;
-	/* Configure sigalgs however we copy across */
+	/* Configured sigalgs however we copy across */
+
 	if (cert->conf_sigalgs)
 		{
-		ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen
-							* sizeof(TLS_SIGALGS));
+		ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen);
 		if (!ret->conf_sigalgs)
 			goto err;
 		memcpy(ret->conf_sigalgs, cert->conf_sigalgs,
-				cert->conf_sigalgslen * sizeof(TLS_SIGALGS));
+						cert->conf_sigalgslen);
 		ret->conf_sigalgslen = cert->conf_sigalgslen;
 		}
 	else
 		ret->conf_sigalgs = NULL;
+
+	if (cert->client_sigalgs)
+		{
+		ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen);
+		if (!ret->client_sigalgs)
+			goto err;
+		memcpy(ret->client_sigalgs, cert->client_sigalgs,
+						cert->client_sigalgslen);
+		ret->client_sigalgslen = cert->client_sigalgslen;
+		}
+	else
+		ret->client_sigalgs = NULL;
 	/* Shared sigalgs also NULL */
 	ret->shared_sigalgs = NULL;

@@ -473,6 +485,8 @@ void ssl_cert_free(CERT *c)
 		OPENSSL_free(c->peer_sigalgs);
 	if (c->conf_sigalgs)
 		OPENSSL_free(c->conf_sigalgs);
+	if (c->client_sigalgs)
+		OPENSSL_free(c->client_sigalgs);
 	if (c->shared_sigalgs)
 		OPENSSL_free(c->shared_sigalgs);
 	OPENSSL_free(c);

--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -538,14 +538,25 @@ typedef struct cert_st
 	unsigned char *peer_sigalgs;
 	/* Size of above array */
 	size_t peer_sigalgslen;
-	/* configured signature algorithms (can be NULL for default).
-	 * sent in signature algorithms extension or certificate request.
+	/* suppported signature algorithms.
+	 * When set on a client this is sent in the client hello as the 
+	 * supported signature algorithms extension. For servers
+	 * it represents the signature algorithms we are willing to use.
 	 */
 	unsigned char *conf_sigalgs;
 	/* Size of above array */
 	size_t conf_sigalgslen;
+	/* Client authentication signature algorithms, if not set then
+	 * uses conf_sigalgs. On servers these will be the signature
+	 * algorithms sent to the client in a cerificate request for TLS 1.2.
+	 * On a client this represents the signature algortithms we are
+	 * willing to use for client authentication.
+	 */
+	unsigned char *client_sigalgs;
+	/* Size of above array */
+	size_t client_sigalgslen;
 	/* Signature algorithms shared by client and server: cached
-	 * because these are used most often
+	 * because these are used most often.
 	 */
 	TLS_SIGALGS *shared_sigalgs;
 	size_t shared_sigalgslen;
@@ -1200,8 +1211,8 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
 int tls12_get_sigid(const EVP_PKEY *pk);
 const EVP_MD *tls12_get_hash(unsigned char hash_alg);

-int tls1_set_sigalgs_list(CERT *c, const char *str);
-int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen);
+int tls1_set_sigalgs_list(CERT *c, const char *str, int client);
+int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen, int client);
 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
 								int idx);
 void tls1_set_cert_validity(SSL *s);

--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -639,10 +639,17 @@ size_t tls12_get_sig_algs(SSL *s, unsigned char *p)
 	{
 	const unsigned char *sigs;
 	size_t sigslen;
+	/* If server use client authentication sigalgs if not NULL */
+	if (s->server && s->cert->client_sigalgs)
+		{
+		sigs = s->cert->client_sigalgs;
+		sigslen = s->cert->client_sigalgslen;
+		}
+	else if (s->cert->conf_sigalgs)
+		{
 		sigs = s->cert->conf_sigalgs;
-
-	if (sigs)
 		sigslen = s->cert->conf_sigalgslen;
+		}
 	else
 		{
 		sigs = tls12_sigalgs;
@@ -2975,9 +2982,17 @@ static int tls1_set_shared_sigalgs(SSL *s)
 	size_t nmatch;
 	TLS_SIGALGS *salgs = NULL;
 	CERT *c = s->cert;
+	/* If client use client signature algorithms if not NULL */
+	if (!s->server && c->client_sigalgs)
+		{
+		conf = c->client_sigalgs;
+		conflen = c->client_sigalgslen;
+		}
+	else if (c->conf_sigalgs)
+		{
 		conf = c->conf_sigalgs;
-	if (conf)
 		conflen = c->conf_sigalgslen;
+		}
 	else
 		{
 		conf = tls12_sigalgs;
@@ -3328,16 +3343,16 @@ static int sig_cb(const char *elem, int len, void *arg)

 /* Set suppored signature algorithms based on a colon separated list
 * of the form sig+hash e.g. RSA+SHA512:DSA+SHA512 */
-int tls1_set_sigalgs_list(CERT *c, const char *str)
+int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
 	{
 	sig_cb_st sig;
 	sig.sigalgcnt = 0;
 	if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
 		return 0;
-	return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt);
+	return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
 	}

-int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen)
+int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
 	{
 	unsigned char *sigalgs, *sptr;
 	int rhash, rsign;
@@ -3360,11 +3375,21 @@ int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen)
 		*sptr++ = rsign;
 		}

+	if (client)
+		{
+		if (c->client_sigalgs)
+			OPENSSL_free(c->client_sigalgs);
+		c->client_sigalgs = sigalgs;
+		c->client_sigalgslen = salglen;
+		}
+	else
+		{
 		if (c->conf_sigalgs)
 			OPENSSL_free(c->conf_sigalgs);
-
 		c->conf_sigalgs = sigalgs;
 		c->conf_sigalgslen = salglen;
+		}
+
 	return 1;

 	err:
@@ -3457,7 +3482,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
 		 * have set preferred signature algorithms check we support
 		 * sha1.
 		 */
-		if (default_nid > 0 && c->conf_sigalgs)
+		if (s->server && default_nid > 0 && c->conf_sigalgs)
 			{
 			size_t j;
 			const unsigned char *p = c->conf_sigalgs;