Add compatibility functions for sigalgs
Node.js recently added an option to override signature algorithms in https://github.com/nodejs/node/pull/29598
which makes use of several NIDs and SSL_get_shared_sigalgs. This CL adds
NIDs for Ed448 (but does not implement it) and a shim function for
SSL_get_shared_sigalgs that simply returns 0. This enables Electron to
reduce its patch surface.
Change-Id: I833d30b0248ca68ebce4767dd58d5f087fd1e18e
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/38404
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/crypto/obj/obj_dat.h b/crypto/obj/obj_dat.h
index 0313a08..53198f9 100644
--- a/crypto/obj/obj_dat.h
+++ b/crypto/obj/obj_dat.h
@@ -57,7 +57,7 @@
/* This file is generated by crypto/obj/objects.go. */
-#define NUM_NID 960
+#define NUM_NID 961
static const uint8_t kObjectData[] = {
/* NID_rsadsi */
@@ -7115,6 +7115,10 @@
0x2b,
0x65,
0x70,
+ /* NID_ED448 */
+ 0x2b,
+ 0x65,
+ 0x71,
};
static const ASN1_OBJECT kObjects[NUM_NID] = {
@@ -8756,6 +8760,7 @@
{"KxANY", "kx-any", NID_kx_any, 0, NULL, 0},
{"AuthANY", "auth-any", NID_auth_any, 0, NULL, 0},
{"CECPQ2", "CECPQ2", NID_CECPQ2, 0, NULL, 0},
+ {"ED448", "ED448", NID_ED448, 3, &kObjectData[6178], 0},
};
static const unsigned kNIDsInShortNameOrder[] = {
@@ -8851,6 +8856,7 @@
67 /* DSA-old */,
297 /* DVCS */,
949 /* ED25519 */,
+ 960 /* ED448 */,
99 /* GN */,
855 /* HMAC */,
780 /* HMAC-MD5 */,
@@ -9729,6 +9735,7 @@
392 /* Domain */,
132 /* E-mail Protection */,
949 /* ED25519 */,
+ 960 /* ED448 */,
389 /* Enterprises */,
384 /* Experimental */,
372 /* Extended OCSP Status */,
@@ -10667,8 +10674,8 @@
static const unsigned kNIDsInOIDOrder[] = {
434 /* 0.9 (OBJ_data) */,
182 /* 1.2 (OBJ_member_body) */,
- 379 /* 1.3 (OBJ_org) */,
676 /* 1.3 (OBJ_identified_organization) */,
+ 379 /* 1.3 (OBJ_org) */,
11 /* 2.5 (OBJ_X500) */,
647 /* 2.23 (OBJ_international_organizations) */,
380 /* 1.3.6 (OBJ_dod) */,
@@ -10681,6 +10688,7 @@
183 /* 1.2.840 (OBJ_ISO_US) */,
381 /* 1.3.6.1 (OBJ_iana) */,
949 /* 1.3.101.112 (OBJ_ED25519) */,
+ 960 /* 1.3.101.113 (OBJ_ED448) */,
677 /* 1.3.132 (OBJ_certicom_arc) */,
394 /* 2.5.1.5 (OBJ_selected_attribute_types) */,
13 /* 2.5.4.3 (OBJ_commonName) */,
diff --git a/crypto/obj/obj_mac.num b/crypto/obj/obj_mac.num
index 5fa839d..5310ceb 100644
--- a/crypto/obj/obj_mac.num
+++ b/crypto/obj/obj_mac.num
@@ -948,3 +948,4 @@
kx_any 957
auth_any 958
CECPQ2 959
+ED448 960
diff --git a/crypto/obj/objects.txt b/crypto/obj/objects.txt
index 6dbb7ad..3d7c7a0 100644
--- a/crypto/obj/objects.txt
+++ b/crypto/obj/objects.txt
@@ -1355,3 +1355,6 @@
# TLS 1.3 cipher suites do not specify key exchange or authentication.
: KxANY : kx-any
: AuthANY : auth-any
+
+# From RFC8410
+1 3 101 113 : ED448
\ No newline at end of file
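Review bot: The new `1 3 101 113 : ED448` entry registers an OID and NID for an algorithm that, per the commit description, the library does not implement, and nothing beside the entry says so. Because include/openssl/nid.h now defines `NID_ED448`, code that feature-detects Ed448 with `#ifdef NID_ED448` may wrongly conclude the algorithm is usable. I would extend the comment to `# From RFC 8410. Registered for API compatibility only; Ed448 is not implemented.` so that the caveat sits in the source table, since obj_dat.h is marked as generated from it. The hunk also leaves the file without a trailing newline, so the last line should end with one.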
diff --git a/include/openssl/nid.h b/include/openssl/nid.h
index 270d443..b7fb207 100644
--- a/include/openssl/nid.h
+++ b/include/openssl/nid.h
@@ -4237,6 +4237,10 @@
#define SN_CECPQ2 "CECPQ2"
#define NID_CECPQ2 959
+#define SN_ED448 "ED448"
+#define NID_ED448 960
+#define OBJ_ED448 1L, 3L, 101L, 113L
+
#if defined(__cplusplus)
} /* extern C */
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 48a381b..be83edf 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -4120,6 +4120,11 @@
// pointer to |buf|, or NULL if |len| is less than or equal to zero.
OPENSSL_EXPORT char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int len);
+// SSL_get_shared_sigalgs returns zero.
+OPENSSL_EXPORT int SSL_get_shared_sigalgs(SSL *ssl, int idx, int *psign,
+ int *phash, int *psignandhash,
+ uint8_t *rsig, uint8_t *rhash);
+
// SSL_MODE_HANDSHAKE_CUTTHROUGH is the same as SSL_MODE_ENABLE_FALSE_START.
#define SSL_MODE_HANDSHAKE_CUTTHROUGH SSL_MODE_ENABLE_FALSE_START
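Review bot: The comment `// SSL_get_shared_sigalgs returns zero.` does not say what zero means or what happens to the five output pointers. In the OpenSSL API this mirrors, the return value is the number of shared signature algorithms, so zero reads as "none shared" rather than as an error. The definition added in ssl/ssl_lib.cc returns 0 without writing through `psign`, `phash`, `psignandhash`, `rsig` or `rhash`, so a caller that ignores the return value and reads them would be using uninitialized data. I would document it as `// SSL_get_shared_sigalgs is an OpenSSL compatibility shim. It always returns zero (no shared signature algorithms)` followed by `// and never writes to any of its output parameters.`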
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index a53a5e3..1af8506 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -2496,6 +2496,11 @@
return buf;
}
+int SSL_get_shared_sigalgs(SSL *ssl, int idx, int *psign, int *phash,
+ int *psignandhash, uint8_t *rsig, uint8_t *rhash) {
+ return 0;
+}
+
int SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method) {
if (ctx->method->is_dtls) {
return 0;