Separate client and server permitted signature algorithm support: by default

the permitted signature algorithms for server and client authentication are the same but it is now possible to set different algorithms for client authentication only. (backport from HEAD)
2012-12-26 14:44:56 +00:00
parent 623a5e24cb
commit 04c32cddaa
8 changed files with 135 additions and 26 deletions
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1653,6 +1653,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_CTRL_SET_SIGALGS_LIST		98
 #define SSL_CTRL_CERT_FLAGS			99
 #define SSL_CTRL_CLEAR_CERT_FLAGS		100
+#define SSL_CTRL_SET_CLIENT_SIGALGS		101
+#define SSL_CTRL_SET_CLIENT_SIGALGS_LIST	102

 #define DTLSv1_get_timeout(ssl, arg) \
 	SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
@@ -1738,6 +1740,15 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_set1_sigalgs_list(ctx, s) \
 	SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)s)

+#define SSL_CTX_set1_client_sigalgs(ctx, slist, slistlen) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS,slistlen,(int *)slist)
+#define SSL_CTX_set1_client_sigalgs_list(ctx, s) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)s)
+#define SSL_set1_client_sigalgs(ctx, slist, slistlen) \
+	SSL_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS,clistlen,(int *)slist)
+#define SSL_set1_client_sigalgs_list(ctx, s) \
+	SSL_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)s)
+
 #ifndef OPENSSL_NO_BIO
 BIO_METHOD *BIO_f_ssl(void);
 BIO *BIO_new_ssl(SSL_CTX *ctx,int client);