Skip to content

Commit

Permalink
Document that unknown groups and sigalgs marked with ? are ignored
Browse files Browse the repository at this point in the history
Reviewed-by: Nicola Tuveri <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from openssl#23050)
  • Loading branch information
t8m authored and beldmit committed Mar 6, 2024
1 parent 2b4cea1 commit cd2cdb6
Show file tree
Hide file tree
Showing 3 changed files with 28 additions and 2 deletions.
13 changes: 13 additions & 0 deletions CHANGES.md
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,19 @@ OpenSSL 3.3

*Job Snijders*

* Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms
config options and the respective calls to SSL[_CTX]_set1_sigalgs() and
SSL[_CTX]_set1_client_sigalgs() that start with `?` character are
ignored and the configuration will still be used.

Similarly unknown entries that start with `?` character in a TLS
Groups config option or set with SSL[_CTX]_set1_groups_list() are ignored
and the configuration will still be used.

In both cases if the resulting list is empty, an error is returned.

*Tomáš Mráz*

* The EVP_PKEY_fromdata function has been augmented to allow for the derivation
of CRT (Chinese Remainder Theorem) parameters when requested. See the
OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ param in the EVP_PKEY-RSA documentation.
Expand Down
6 changes: 5 additions & 1 deletion doc/man3/SSL_CTX_set1_curves.pod
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,8 @@ string B<list>. The string is a colon separated list of group names, for example
are B<P-256>, B<P-384>, B<P-521>, B<X25519>, B<X448>, B<brainpoolP256r1tls13>,
B<brainpoolP384r1tls13>, B<brainpoolP512r1tls13>, B<ffdhe2048>, B<ffdhe3072>,
B<ffdhe4096>, B<ffdhe6144> and B<ffdhe8192>. Support for other groups may be
added by external providers.
added by external providers. If a group name is preceded with the C<?>
character, it will be ignored if an implementation is missing.

SSL_set1_groups() and SSL_set1_groups_list() are similar except they set
supported groups for the SSL structure B<ssl>.
Expand Down Expand Up @@ -142,6 +143,9 @@ The curve functions were added in OpenSSL 1.0.2. The equivalent group
functions were added in OpenSSL 1.1.1. The SSL_get_negotiated_group() function
was added in OpenSSL 3.0.0.

Support for ignoring unknown groups in SSL_CTX_set1_groups_list() and
SSL_set1_groups_list() was added in OpenSSL 3.3.

=head1 COPYRIGHT

Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved.
Expand Down
11 changes: 10 additions & 1 deletion doc/man3/SSL_CTX_set1_sigalgs.pod
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,9 @@ signature algorithms for B<ctx> or B<ssl>. The B<str> parameter
must be a null terminated string consisting of a colon separated list of
elements, where each element is either a combination of a public key
algorithm and a digest separated by B<+>, or a TLS 1.3-style named
SignatureScheme such as rsa_pss_pss_sha256.
SignatureScheme such as rsa_pss_pss_sha256. If a list entry is preceded
with the C<?> character, it will be ignored if an implementation is missing.


SSL_CTX_set1_client_sigalgs(), SSL_set1_client_sigalgs(),
SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list() set
Expand Down Expand Up @@ -106,6 +108,13 @@ using a string:
L<ssl(7)>, L<SSL_get_shared_sigalgs(3)>,
L<SSL_CONF_CTX_new(3)>

=head1 HISTORY

Support for ignoring unknown signature algorithms in
SSL_CTX_set1_sigalgs_list(), SSL_set1_sigalgs_list(),
SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list()
was added in OpenSSL 3.3.

=head1 COPYRIGHT

Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
Expand Down

0 comments on commit cd2cdb6

Please sign in to comment.