Add compatibility functions for sigalgs Node.js recently added an option to override signature algorithms in https://github.com/nodejs/node/pull/29598 which make use of several NIDs and SSL_get_shared_sigalgs. This CL adds NIDs for Ed448 (but does not implement it) and a shim function for SSL_get_shared_sigalgs that simply returns 0. This enables Electron to reduce its patch surface. Change-Id: I833d30b0248ca68ebce4767dd58d5f087fd1e18e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/38404 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/crypto/obj/obj_dat.h b/crypto/obj/obj_dat.h index 0313a08..53198f9 100644 --- a/crypto/obj/obj_dat.h +++ b/crypto/obj/obj_dat.h
@@ -57,7 +57,7 @@ /* This file is generated by crypto/obj/objects.go. */ -#define NUM_NID 960 +#define NUM_NID 961 static const uint8_t kObjectData[] = { /* NID_rsadsi */ @@ -7115,6 +7115,10 @@ 0x2b, 0x65, 0x70, + /* NID_ED448 */ + 0x2b, + 0x65, + 0x71, }; static const ASN1_OBJECT kObjects[NUM_NID] = { @@ -8756,6 +8760,7 @@ {"KxANY", "kx-any", NID_kx_any, 0, NULL, 0}, {"AuthANY", "auth-any", NID_auth_any, 0, NULL, 0}, {"CECPQ2", "CECPQ2", NID_CECPQ2, 0, NULL, 0}, + {"ED448", "ED448", NID_ED448, 3, &kObjectData[6178], 0}, }; static const unsigned kNIDsInShortNameOrder[] = { @@ -8851,6 +8856,7 @@ 67 /* DSA-old */, 297 /* DVCS */, 949 /* ED25519 */, + 960 /* ED448 */, 99 /* GN */, 855 /* HMAC */, 780 /* HMAC-MD5 */, @@ -9729,6 +9735,7 @@ 392 /* Domain */, 132 /* E-mail Protection */, 949 /* ED25519 */, + 960 /* ED448 */, 389 /* Enterprises */, 384 /* Experimental */, 372 /* Extended OCSP Status */, @@ -10667,8 +10674,8 @@ static const unsigned kNIDsInOIDOrder[] = { 434 /* 0.9 (OBJ_data) */, 182 /* 1.2 (OBJ_member_body) */, - 379 /* 1.3 (OBJ_org) */, 676 /* 1.3 (OBJ_identified_organization) */, + 379 /* 1.3 (OBJ_org) */, 11 /* 2.5 (OBJ_X500) */, 647 /* 2.23 (OBJ_international_organizations) */, 380 /* 1.3.6 (OBJ_dod) */, @@ -10681,6 +10688,7 @@ 183 /* 1.2.840 (OBJ_ISO_US) */, 381 /* 1.3.6.1 (OBJ_iana) */, 949 /* 1.3.101.112 (OBJ_ED25519) */, + 960 /* 1.3.101.113 (OBJ_ED448) */, 677 /* 1.3.132 (OBJ_certicom_arc) */, 394 /* 2.5.1.5 (OBJ_selected_attribute_types) */, 13 /* 2.5.4.3 (OBJ_commonName) */,
diff --git a/crypto/obj/obj_mac.num b/crypto/obj/obj_mac.num index 5fa839d..5310ceb 100644 --- a/crypto/obj/obj_mac.num +++ b/crypto/obj/obj_mac.num
@@ -948,3 +948,4 @@ kx_any 957 auth_any 958 CECPQ2 959 +ED448 960
diff --git a/crypto/obj/objects.txt b/crypto/obj/objects.txt index 6dbb7ad..3d7c7a0 100644 --- a/crypto/obj/objects.txt +++ b/crypto/obj/objects.txt
@@ -1355,3 +1355,6 @@ # TLS 1.3 cipher suites do not specify key exchange or authentication. : KxANY : kx-any : AuthANY : auth-any + +# From RFC8410 +1 3 101 113 : ED448 \ No newline at end of file
diff --git a/include/openssl/nid.h b/include/openssl/nid.h index 270d443..b7fb207 100644 --- a/include/openssl/nid.h +++ b/include/openssl/nid.h
@@ -4237,6 +4237,10 @@ #define SN_CECPQ2 "CECPQ2" #define NID_CECPQ2 959 +#define SN_ED448 "ED448" +#define NID_ED448 960 +#define OBJ_ED448 1L, 3L, 101L, 113L + #if defined(__cplusplus) } /* extern C */
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 48a381b..be83edf 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h
@@ -4120,6 +4120,11 @@ // pointer to |buf|, or NULL if |len| is less than or equal to zero. OPENSSL_EXPORT char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int len); +// SSL_get_shared_sigalgs returns zero. +OPENSSL_EXPORT int SSL_get_shared_sigalgs(SSL *ssl, int idx, int *psign, + int *phash, int *psignandhash, + uint8_t *rsig, uint8_t *rhash); + // SSL_MODE_HANDSHAKE_CUTTHROUGH is the same as SSL_MODE_ENABLE_FALSE_START. #define SSL_MODE_HANDSHAKE_CUTTHROUGH SSL_MODE_ENABLE_FALSE_START
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc index a53a5e3..1af8506 100644 --- a/ssl/ssl_lib.cc +++ b/ssl/ssl_lib.cc
@@ -2496,6 +2496,11 @@ return buf; } +int SSL_get_shared_sigalgs(SSL *ssl, int idx, int *psign, int *phash, + int *psignandhash, uint8_t *rsig, uint8_t *rhash) { + return 0; +} + int SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method) { if (ctx->method->is_dtls) { return 0;