From: Viktor Dukhovni Date: Sat, 8 Feb 2025 06:05:20 +0000 (+1100) Subject: Avoid calling ssl_load_sigalgs in tls1_set_sigalgs_list X-Git-Tag: openssl-3.4.2~194 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d25c7e3977a9f146ae8a353a64a0907734d75e64;p=thirdparty%2Fopenssl.git Avoid calling ssl_load_sigalgs in tls1_set_sigalgs_list - The signature algorithms are already loaded in SSL_CTX_new() - Calling ssl_load_sigalgs() again is non-productive, and does not look thread safe. - And of course avoiding the call is cheaper. - Also fix broken loop test in ssl_cert_lookup_by_pkey() Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/26671) (cherry picked from commit 3252fe646b17c1a3cebed4ff8fe35c19c523e222) --- diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 24ff2f18103..53257f697e0 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -1312,7 +1312,7 @@ const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, size_t *pidx, } } /* check provider-loaded pk types */ - for (i = 0; ctx->sigalg_list_len; i++) { + for (i = 0; i < ctx->sigalg_list_len; i++) { SSL_CERT_LOOKUP *tmp_lu = &(ctx->ssl_cert_info[i]); if (EVP_PKEY_is_a(pk, OBJ_nid2sn(tmp_lu->nid)) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 0919c85d075..bd85167a289 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -3060,9 +3060,8 @@ int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client) sig_cb_st sig; sig.sigalgcnt = 0; - if (ctx != NULL && ssl_load_sigalgs(ctx)) { + if (ctx != NULL) sig.ctx = ctx; - } if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) return 0; if (sig.sigalgcnt == 0) {
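Review bot: In ssl_cert_lookup_by_pkey() (ssl/ssl_cert.c), the corrected condition `i < ctx->sigalg_list_len` bounds an index into `ctx->ssl_cert_info[i]`, a different array from the one the length is named after, and nothing in the hunk states that the two hold the same number of entries. A short comment above the loop saying that ssl_cert_info has sigalg_list_len entries would let a reader check the bound. Separately, the old condition `ctx->sigalg_list_len` did not depend on i, so with a non-zero length and no matching key type the loop would carry i beyond that length until a match happened to be found. That is a memory-safety fix and deserves more than the "Also fix broken loop test" line in the message: ideally its own commit, plus a regression test using a key whose type matches no entry.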
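Review bot: In tls1_set_sigalgs_list() (ssl/t1_lib.c), `sig.ctx` is still assigned only under `if (ctx != NULL)`, and the only other initialisation of `sig` visible in this hunk is `sig.sigalgcnt = 0`, so for a NULL ctx the field is left unset when `&sig` is handed to CONF_parse_list() with sig_cb. Assigning unconditionally (`sig.ctx = ctx;`) gives the callback a definite NULL and removes the branch. Since the function now depends on the signature algorithms having been loaded in SSL_CTX_new(), as the commit message states, a one-line comment at this point recording that precondition would help the next reader.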