Avoid calling ssl_load_sigalgs in tls1_set_sigalgs_list

- The signature algorithms are already loaded in SSL_CTX_new()

- Calling ssl_load_sigalgs() again is non-productive, and does
  not look thread safe.

- And of course avoiding the call is cheaper.

- Also fix broken loop test in ssl_cert_lookup_by_pkey()

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26671)

(cherry picked from commit 3252fe646b17c1a3cebed4ff8fe35c19c523e222)

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 24ff2f18103683fb0b19c62c4e0683df11d50ad6..53257f697e0a4877bd76ecb93536f9b0db0d3f11 100644 (file)
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1312,7 +1312,7 @@ const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, size_t *pidx,
         }
     }
     /* check provider-loaded pk types */
-    for (i = 0; ctx->sigalg_list_len; i++) {
+    for (i = 0; i < ctx->sigalg_list_len; i++) {
         SSL_CERT_LOOKUP *tmp_lu = &(ctx->ssl_cert_info[i]);
 
         if (EVP_PKEY_is_a(pk, OBJ_nid2sn(tmp_lu->nid))

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 0919c85d075561e5e5a54dc5c3fc3ecc43d1ef7e..bd85167a289ee7657d89150c99cde025d73f796d 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -3060,9 +3060,8 @@ int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client)
     sig_cb_st sig;
     sig.sigalgcnt = 0;
 
-    if (ctx != NULL && ssl_load_sigalgs(ctx)) {
+    if (ctx != NULL)
         sig.ctx = ctx;
-    }
     if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
         return 0;
     if (sig.sigalgcnt == 0) {