openssl / openssl

TLS/SSL and crypto library
https://www.openssl.org
Apache License 2.0

Libssl should probe the combination of signature and hash alg together #14885

Open mattcaswell opened 3 years ago

mattcaswell commented 3 years ago

As noted in the comment in libssl (ssl/t1_lib.c):

        /*
         * Check hash is available.
         * This test is not perfect. A provider could have support
         * for a signature scheme, but not a particular hash. However the hash
         * could be available from some other loaded provider. In that case it
         * could be that the signature is available, and the hash is available
         * independently - but not as a combination. We ignore this for now.
         */

We should be able to probe up front whether a given signature and hash algorithm will work together. This is not currently easily possible to set up.

mattcaswell commented 3 years ago

I've assigned this to the 3.0 milestone, i.e. IMO we should live with this for 3.0 but fix it in the future.