From cd2cdb6158086c4904d186c718c887cc693b906d Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 14 Dec 2023 18:04:58 +0100 Subject: [PATCH] Document that unknown groups and sigalgs marked with ? are ignored Reviewed-by: Nicola Tuveri Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/23050) --- CHANGES.md | 13 +++++++++++++ doc/man3/SSL_CTX_set1_curves.pod | 6 +++++- doc/man3/SSL_CTX_set1_sigalgs.pod | 11 ++++++++++- 3 files changed, 28 insertions(+), 2 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 962186be752d6..c67d0bd6aaba9 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -40,6 +40,19 @@ OpenSSL 3.3 *Job Snijders* + * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms + config options and the respective calls to SSL[_CTX]_set1_sigalgs() and + SSL[_CTX]_set1_client_sigalgs() that start with `?` character are + ignored and the configuration will still be used. + + Similarly unknown entries that start with `?` character in a TLS + Groups config option or set with SSL[_CTX]_set1_groups_list() are ignored + and the configuration will still be used. + + In both cases if the resulting list is empty, an error is returned. + + *Tomáš Mráz* + * The EVP_PKEY_fromdata function has been augmented to allow for the derivation of CRT (Chinese Remainder Theorem) parameters when requested. See the OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ param in the EVP_PKEY-RSA documentation. diff --git a/doc/man3/SSL_CTX_set1_curves.pod b/doc/man3/SSL_CTX_set1_curves.pod index c26ef00306395..f0566e148eb08 100644 --- a/doc/man3/SSL_CTX_set1_curves.pod +++ b/doc/man3/SSL_CTX_set1_curves.pod 
@@ -58,7 +58,8 @@ string B. The string is a colon separated list of group names, for example are B, B, B, B, B, B, B, B, B, B, B, B and B. Support for other groups may be -added by external providers. +added by external providers. If a group name is preceded with the C +character, it will be ignored if an implementation is missing. SSL_set1_groups() and SSL_set1_groups_list() are similar except they set supported groups for the SSL structure B. @@ -142,6 +143,9 @@ The curve functions were added in OpenSSL 1.0.2. The equivalent group functions were added in OpenSSL 1.1.1. The SSL_get_negotiated_group() function was added in OpenSSL 3.0.0. +Support for ignoring unknown groups in SSL_CTX_set1_groups_list() and +SSL_set1_groups_list() was added in OpenSSL 3.3. + =head1 COPYRIGHT Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man3/SSL_CTX_set1_sigalgs.pod b/doc/man3/SSL_CTX_set1_sigalgs.pod index eb3100634626f..5b7de7d956521 100644 --- a/doc/man3/SSL_CTX_set1_sigalgs.pod +++ b/doc/man3/SSL_CTX_set1_sigalgs.pod @@ -33,7 +33,9 @@ signature algorithms for B or B. The B parameter must be a null terminated string consisting of a colon separated list of elements, where each element is either a combination of a public key algorithm and a digest separated by B<+>, or a TLS 1.3-style named -SignatureScheme such as rsa_pss_pss_sha256. +SignatureScheme such as rsa_pss_pss_sha256. If a list entry is preceded +with the C character, it will be ignored if an implementation is missing. + SSL_CTX_set1_client_sigalgs(), SSL_set1_client_sigalgs(), SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list() set 
@@ -106,6 +108,13 @@ using a string: L, L, L +=head1 HISTORY + +Support for ignoring unknown signature algorithms in +SSL_CTX_set1_sigalgs_list(), SSL_set1_sigalgs_list(), +SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list() +was added in OpenSSL 3.3. + =head1 COPYRIGHT Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
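Review bot: In the CHANGES.md entry, the sigalgs sentence names SSL[_CTX]_set1_sigalgs() and SSL[_CTX]_set1_client_sigalgs(), while the HISTORY text this same patch adds to SSL_CTX_set1_sigalgs.pod attributes the behaviour to SSL_CTX_set1_sigalgs_list(), SSL_set1_sigalgs_list(), SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list(). A `?` prefix can only appear in a string list, so the entry should name the _list() variants, as the groups paragraph already does with SSL[_CTX]_set1_groups_list().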
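Review bot: In doc/man3/SSL_CTX_set1_curves.pod (hunk at -58,7), the added sentence says a `?`-prefixed group "will be ignored if an implementation is missing" but omits the failure case that CHANGES.md states: "if the resulting list is empty, an error is returned". The man page is where callers look for return behaviour, so add a sentence saying that a list whose entries were all ignored makes the call fail, so that a caller knows the return value still has to be checked.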
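Review bot: In doc/man3/SSL_CTX_set1_sigalgs.pod (hunk at -33,7), "it will be ignored if an implementation is missing" is narrower than the CHANGES.md wording, which says that unknown entries are ignored. If every unrecognised name is dropped, a misspelt `?`-prefixed entry also disappears without an error and the effective list is shorter than the one written, so the man page should say "unknown" rather than imply that only provider-dependent algorithms are affected. The lone `+` line after this sentence also appears to add a second blank line before the next paragraph.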
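Review bot: The new HISTORY section in doc/man3/SSL_CTX_set1_sigalgs.pod (hunk at -106,6) covers the four _list() functions, but CHANGES.md also names the SignatureAlgorithms, ClientSignatureAlgorithms and Groups config options, and the diffstat lists only CHANGES.md and these two man3 pages. The documentation for those config options should get the same `?` description and a matching history line, otherwise users who set the lists through configuration have no reference for the new syntax.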