Add SSL_CTX_set_verify_algorithm_prefs.

When writing tests and BoGo isn't available, it is useful to be able to
configure the set of signature algorithms accepted on the verify side.
Add an API for this.

Change-Id: Ic873189da7f8853e412acd68614df9d9a872a0c8
Reviewed-on: https://boringssl-review.googlesource.com/15125
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index c4b7387..b52d80c 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2366,9 +2366,17 @@
 OPENSSL_EXPORT int SSL_set1_verify_cert_store(SSL *ssl, X509_STORE *store);
 
 /* SSL_CTX_set_ed25519_enabled configures whether |ctx| advertises support for
- * the Ed25519 signature algorithm. */
+ * the Ed25519 signature algorithm when using the default preference list. */
 OPENSSL_EXPORT void SSL_CTX_set_ed25519_enabled(SSL_CTX *ctx, int enabled);
 
+/* SSL_CTX_set_verify_algorithm_prefs confingures |ctx| to use |prefs| as the
+ * preference list when verifying signature's from the peer's long-term key. It
+ * returns one on zero on error. |prefs| should not include the internal-only
+ * value |SSL_SIGN_RSA_PKCS1_MD5_SHA1|. */
+OPENSSL_EXPORT int SSL_CTX_set_verify_algorithm_prefs(SSL_CTX *ctx,
+                                                      const uint16_t *prefs,
+                                                      size_t num_prefs);
+
 
 /* Client certificate CA list.
  *
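Review bot: The doc comment added for SSL_CTX_set_verify_algorithm_prefs misstates the return contract: "It returns one on zero on error" drops the success case and should read `It returns one on success and zero on error.` The same comment has two typos, "confingures" and "signature's" (`configures`, `signatures`). Because this list decides which peer signature algorithms the verifier accepts, the comment should also say whether passing |SSL_SIGN_RSA_PKCS1_MD5_SHA1| is rejected or only discouraged, and whether |prefs| is copied so the caller can free it after the call; neither is visible from the declaration. An empty list (|num_prefs| of zero) presumably restores the default preferences, which is worth stating as well.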
@@ -4245,6 +4253,11 @@
    * session tickets. */
   const SSL_TICKET_AEAD_METHOD *ticket_aead_method;
 
+  /* verify_sigalgs, if not empty, is the set of signature algorithms
+   * accepted from the peer in decreasing order of preference. */
+  uint16_t *verify_sigalgs;
+  size_t num_verify_sigalgs;
+
   /* quiet_shutdown is true if the connection should not send a close_notify on
    * shutdown. */
   unsigned quiet_shutdown:1;
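Review bot: The comment on verify_sigalgs does not say who owns the array or what an empty list means for verification. I would append a sentence such as `It is owned by the SSL_CTX; when empty, the default preference list is used.`, provided the setter copies |prefs| and the context's free path releases it, which is not visible in this hunk. It is also worth noting here that a non-empty list takes precedence over the Ed25519 toggle, as the updated SSL_CTX_set_ed25519_enabled comment implies. The enclosing struct starts and ends outside the hunk.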