Change tls_choose_sigalg so it can set errors and alerts.

Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2623)

Change tls_choose_sigalg so it can set errors and alerts.
Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2623)
4a419f60 · Dr. Stephen Henson · 4020c0b3 · 4a419f60 · 4a419f60 · 4a419f60
Showing with 7 addition and 7 deletion

include/openssl/ssl.h include/openssl/ssl.h +1 -0

ssl/ssl_err.c ssl/ssl_err.c +1 -0

ssl/ssl_locl.h ssl/ssl_locl.h +1 -1

ssl/statem/statem_srvr.c ssl/statem/statem_srvr.c +1 -5

ssl/t1_lib.c ssl/t1_lib.c +3 -1

未找到文件。
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2259,6 +2259,7 @@ int ERR_load_SSL_strings(void);
 # define SSL_F_TLS1_PRF                                   284
 # define SSL_F_TLS1_SETUP_KEY_BLOCK                       211
 # define SSL_F_TLS1_SET_SERVER_SIGALGS                    335
+# define SSL_F_TLS_CHOOSE_SIGALG                          510
 # define SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK          354
 # define SSL_F_TLS_COLLECT_EXTENSIONS                     435
 # define SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST          372

--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -261,6 +261,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
    {ERR_FUNC(SSL_F_TLS1_PRF), "tls1_PRF"},
    {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "tls1_setup_key_block"},
    {ERR_FUNC(SSL_F_TLS1_SET_SERVER_SIGALGS), "tls1_set_server_sigalgs"},
+    {ERR_FUNC(SSL_F_TLS_CHOOSE_SIGALG), "tls_choose_sigalg"},
    {ERR_FUNC(SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK),
     "tls_client_key_exchange_post_work"},
    {ERR_FUNC(SSL_F_TLS_COLLECT_EXTENSIONS), "tls_collect_extensions"},

--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2280,7 +2280,7 @@ __owur int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee);
 __owur int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *ex,
                                   int vfy);

-int tls_choose_sigalg(SSL *s);
+int tls_choose_sigalg(SSL *s, int *al);

 __owur EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md);
 void ssl_clear_hash_ctx(EVP_MD_CTX **hash);

--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1822,12 +1822,8 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
                goto f_err;
            }
            s->s3->tmp.new_cipher = cipher;
-            if (!tls_choose_sigalg(s)) {
-                al = SSL_AD_HANDSHAKE_FAILURE;
-                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
-                       SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
+            if (!tls_choose_sigalg(s, &al))
                goto f_err;
-            }
            /* check whether we should disable session resumption */
            if (s->not_resumable_session_cb != NULL)
                s->session->not_resumable =

--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2268,7 +2268,7 @@ int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
 * Choose an appropriate signature algorithm based on available certificates
 * Set current certificate and digest to match chosen algorithm.
 */
-int tls_choose_sigalg(SSL *s)
+int tls_choose_sigalg(SSL *s, int *al)
 {
    if (SSL_IS_TLS13(s)) {
        size_t i;
@@ -2312,6 +2312,8 @@ int tls_choose_sigalg(SSL *s)
            s->cert->key = s->cert->pkeys + idx;
            return 1;
        }
+        *al = SSL_AD_HANDSHAKE_FAILURE;
+        SSLerr(SSL_F_TLS_CHOOSE_SIGALG, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
        return 0;
    }
    /*