From: Matt Caswell <matt@openssl.org>
Date: Tue, 3 Mar 2026 13:59:58 +0000 (+0000)
Subject: Add a test for a large number of sigalgs
X-Git-Tag: openssl-4.0.0-alpha1~22
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=68dd2e0025e5fa52ae65c02e127d6b7e314f3ebb;p=thirdparty%2Fopenssl.git

Add a test for a large number of sigalgs

Test that we correctly ignore large numbers of sigalgs

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Mar  6 10:33:04 2026
(Merged from https://github.com/openssl/openssl/pull/30263)
---

diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t
index 904f7e6e61c..c379b2045c6 100644
--- a/test/recipes/70-test_sslsigalgs.t
+++ b/test/recipes/70-test_sslsigalgs.t
@@ -50,7 +50,8 @@ use constant {
     UNRECOGNIZED_SIGALGS_CERT => 10,
     UNRECOGNIZED_SIGALG => 11,
     RSAPSSPSS_SIG_ALG => 12,
-    MLDSA65_SIG_ALG => 13
+    MLDSA65_SIG_ALG => 13,
+    LARGE_NUM_SIG_ALGS => 14
 };
 
 srand(70);
@@ -72,7 +73,7 @@ sub randcase {
 #Test 1: Default sig algs should succeed
 $proxy->clientflags("-no_tls1_3") if disabled("ec") && disabled("dh");
 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 27;
+plan tests => 28;
 ok(TLSProxy::Message->success, "Default sigalgs");
 my $testtype;
 
@@ -80,7 +81,7 @@ SKIP: {
     skip "TLSv1.3 disabled", 7
         if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
 
-    $proxy->filter(\&sigalgs_filter);
+    $proxy->filter(\&modify_sigalgs_filter);
 
     #Test 2: Sending no sig algs extension in TLSv1.3 should fail
     $proxy->clear();
@@ -174,7 +175,7 @@ SKIP: {
 SKIP: {
     skip "EC or TLSv1.2 disabled", 10 if disabled("tls1_2") || disabled("ec");
 
-    $proxy->filter(\&sigalgs_filter);
+    $proxy->filter(\&modify_sigalgs_filter);
 
     #Test 11: Sending no sig algs extension in TLSv1.2 will make it use
     #         SHA1, which is only supported at security level 0.
@@ -257,7 +258,7 @@ SKIP: {
     $proxy->filter(undef);
     $proxy->start();
     ok(TLSProxy::Message->fail, "No matching TLSv1.2 sigalgs");
-    $proxy->filter(\&sigalgs_filter);
+    $proxy->filter(\&modify_sigalgs_filter);
 
     #Test 20: No sig algs extension, ECDSA cert, will use SHA1,
     #         TLSv1.2 should succeed at security level 0
@@ -284,7 +285,7 @@ SKIP: {
     $dsa_status = $sha1_status = $sha224_status = 0;
     $proxy->clear();
     $proxy->clientflags("-tls1_3");
-    $proxy->filter(\&modify_sigalgs_filter);
+    $proxy->filter(\&examine_sigalgs_filter);
     $proxy->start();
     ok($dsa_status && $sha1_status && $sha224_status,
        "DSA and SHA1 sigalgs not sent for 1.3-only ClientHello");
@@ -296,7 +297,7 @@ SKIP: {
         $dsa_status = $sha1_status = $sha224_status = 0;
         $proxy->clear();
         $proxy->clientflags("-cipher AES128-SHA\@SECLEVEL=0");
-        $proxy->filter(\&modify_sigalgs_filter);
+        $proxy->filter(\&examine_sigalgs_filter);
         $proxy->start();
         ok($dsa_status && $sha1_status && $sha224_status,
            "backwards compatible sigalg sent for compat ClientHello");
@@ -304,7 +305,7 @@ SKIP: {
 }
 
 SKIP: {
-    skip "TLSv1.3 disabled", 5
+    skip "TLSv1.3 disabled", 6
         if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
     #Test 23: Insert signature_algorithms_cert that match normal sigalgs
     $testtype = SIGALGS_CERT_ALL;
@@ -356,9 +357,17 @@ SKIP: {
     $testtype = UNRECOGNIZED_SIGALG;
     $proxy->start();
     ok(TLSProxy::Message->success(), "Unrecognized sigalg in ClientHello");
+
+    #Test 28: Insert large number of sig algs. We should ignore any beyond our
+    #         limit but the handshake should still complete successfully.
+    $testtype = LARGE_NUM_SIG_ALGS;
+    $proxy->clear();
+    $proxy->filter(\&modify_sigalgs_filter);
+    $proxy->start();
+    ok(TLSProxy::Message->success(), "Large number of sigalgs");
 }
 
-sub sigalgs_filter
+sub modify_sigalgs_filter
 {
     my $proxy = shift;
 
@@ -380,6 +389,12 @@ sub sigalgs_filter
                 } elsif ($testtype == NO_PSS_SIG_ALGS) {
                     #No PSS sig algs - just send rsa_pkcs1_sha256
                     $sigalg = pack "C4", 0x00, 0x02, 0x04, 0x01;
+                } elsif ($testtype == LARGE_NUM_SIG_ALGS) {
+                    #Send 129 sig algs to test that we correctly ignore those
+                    #beyond our limit of 128
+                    $sigalg = pack "C260", 0x01, 0x02,
+                        0x08, 0x04, # rsa_pss_rsae_sha256
+                        (0xfe, 0x00) x 128; # invalid/reserved sigalg codepoint
                 } else {
                     #PSS sig algs only - just send rsa_pss_rsae_sha256
                     $sigalg = pack "C4", 0x00, 0x02, 0x08, 0x04;
@@ -392,7 +407,7 @@ sub sigalgs_filter
     }
 }
 
-sub modify_sigalgs_filter
+sub examine_sigalgs_filter
 {
     my $proxy = shift;