Document that unknown groups and sigalgs marked with ? are ignored

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23050)

diff --git a/CHANGES.md b/CHANGES.md
index 962186be752d642f244410e887e10aa332053eaa..c67d0bd6aaba95738b753779966d9f69b4b4034f 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -40,6 +40,19 @@ OpenSSL 3.3
 
    *Job Snijders*
 
+ * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms
+   config options and the respective calls to SSL[_CTX]_set1_sigalgs() and
+   SSL[_CTX]_set1_client_sigalgs() that start with `?` character are
+   ignored and the configuration will still be used.
+
+   Similarly unknown entries that start with `?` character in a TLS
+   Groups config option or set with SSL[_CTX]_set1_groups_list() are ignored
+   and the configuration will still be used.
+
+   In both cases if the resulting list is empty, an error is returned.
+
+   *Tomáš Mráz*
+
  * The EVP_PKEY_fromdata function has been augmented to allow for the derivation
    of CRT (Chinese Remainder Theorem) parameters when requested.  See the
    OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ param in the EVP_PKEY-RSA documentation.

diff --git a/doc/man3/SSL_CTX_set1_curves.pod b/doc/man3/SSL_CTX_set1_curves.pod
index c26ef00306395c5caa26df7e163a2a7d74b8b90e..f0566e148eb089987a3aaa50cfdb1392dcaf948c 100644 (file)
--- a/doc/man3/SSL_CTX_set1_curves.pod
+++ b/doc/man3/SSL_CTX_set1_curves.pod
@@ -58,7 +58,8 @@ string B<list>. The string is a colon separated list of group names, for example
 are B<P-256>, B<P-384>, B<P-521>, B<X25519>, B<X448>, B<brainpoolP256r1tls13>,
 B<brainpoolP384r1tls13>, B<brainpoolP512r1tls13>, B<ffdhe2048>, B<ffdhe3072>,
 B<ffdhe4096>, B<ffdhe6144> and B<ffdhe8192>. Support for other groups may be
-added by external providers.
+added by external providers. If a group name is preceded with the C<?>
+character, it will be ignored if an implementation is missing.
 
 SSL_set1_groups() and SSL_set1_groups_list() are similar except they set
 supported groups for the SSL structure B<ssl>.
@@ -142,6 +143,9 @@ The curve functions were added in OpenSSL 1.0.2. The equivalent group
 functions were added in OpenSSL 1.1.1. The SSL_get_negotiated_group() function
 was added in OpenSSL 3.0.0.
 
+Support for ignoring unknown groups in SSL_CTX_set1_groups_list() and
+SSL_set1_groups_list() was added in OpenSSL 3.3.
+
 =head1 COPYRIGHT
 
 Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved.

diff --git a/doc/man3/SSL_CTX_set1_sigalgs.pod b/doc/man3/SSL_CTX_set1_sigalgs.pod
index eb3100634626fca5368d36ce3188239e984f8ab5..5b7de7d9565219657585196c99c34e4d95deb911 100644 (file)
--- a/doc/man3/SSL_CTX_set1_sigalgs.pod
+++ b/doc/man3/SSL_CTX_set1_sigalgs.pod
@@ -33,7 +33,9 @@ signature algorithms for B<ctx> or B<ssl>. The B<str> parameter
 must be a null terminated string consisting of a colon separated list of
 elements, where each element is either a combination of a public key
 algorithm and a digest separated by B<+>, or a TLS 1.3-style named
-SignatureScheme such as rsa_pss_pss_sha256.
+SignatureScheme such as rsa_pss_pss_sha256. If a list entry is preceded
+with the C<?> character, it will be ignored if an implementation is missing.
+
 
 SSL_CTX_set1_client_sigalgs(), SSL_set1_client_sigalgs(),
 SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list() set
@@ -106,6 +108,13 @@ using a string:
 L<ssl(7)>, L<SSL_get_shared_sigalgs(3)>,
 L<SSL_CONF_CTX_new(3)>
 
+=head1 HISTORY
+
+Support for ignoring unknown signature algorithms in
+SSL_CTX_set1_sigalgs_list(), SSL_set1_sigalgs_list(),
+SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list()
+was added in OpenSSL 3.3.
+
 =head1 COPYRIGHT
 
 Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.