Avoid calling ssl_load_sigalgs in tls1_set_sigalgs_list
authorViktor Dukhovni <openssl-users@dukhovni.org>
Sat, 8 Feb 2025 06:05:20 +0000 (17:05 +1100)
committerViktor Dukhovni <openssl-users@dukhovni.org>
Tue, 11 Feb 2025 16:38:32 +0000 (03:38 +1100)
- The signature algorithms are already loaded in SSL_CTX_new()

- Calling ssl_load_sigalgs() again is non-productive, and does
  not look thread safe.

- And of course avoiding the call is cheaper.

- Also fix broken loop test in ssl_cert_lookup_by_pkey()

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26671)

(cherry picked from commit 3252fe646b17c1a3cebed4ff8fe35c19c523e222)

ssl/ssl_cert.c
ssl/t1_lib.c

index b242bd7478e7eb07971dd8cd2d3e55dd324549ef..4b63500a93eecdfbbf26bc7f65a8a3165ed12025 100644 (file)
@@ -1256,7 +1256,7 @@ SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, size_t *pidx, SSL_C
         }
     }
     /* check provider-loaded pk types */
-    for (i = 0; ctx->sigalg_list_len; i++) {
+    for (i = 0; i < ctx->sigalg_list_len; i++) {
         SSL_CERT_LOOKUP *tmp_lu = &(ctx->ssl_cert_info[i]);
 
         if (EVP_PKEY_is_a(pk, OBJ_nid2sn(tmp_lu->nid))
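Review bot: The corrected bound `i < ctx->sigalg_list_len` is then used to index `ctx->ssl_cert_info[i]`, and nothing visible here states that the two always have the same number of entries. The old condition never depended on `i`, so with a non-empty list and no matching key type the loop would have kept reading past the end of the array. The sizing relationship is therefore what keeps this loop memory-safe. If `ssl_cert_info` is indeed allocated with `sigalg_list_len` elements, I would record that above the loop, e.g. `/* ssl_cert_info[] has exactly sigalg_list_len entries; keep the two in sync */`. The loop body and the rest of ssl_cert_lookup_by_pkey() continue outside the hunk, so the match and return path was not reviewed.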
index 67fa15250f7f7c9df9c336af62aec13db4f01dec..4b0ced210948f46a50f163a8b54901a8457c2a41 100644 (file)
@@ -2965,9 +2965,8 @@ int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client)
     sig_cb_st sig;
     sig.sigalgcnt = 0;
 
-    if (ctx != NULL && ssl_load_sigalgs(ctx)) {
+    if (ctx != NULL)
         sig.ctx = ctx;
-    }
     if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
         return 0;
     if (c == NULL)
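Review bot: With the call removed, `sig.ctx` is still assigned only when `ctx != NULL`, and `sig` is declared without an initializer, so on the `ctx == NULL` path `&sig` reaches `CONF_parse_list()` with an indeterminate `ctx` member. If `sig_cb` tests or dereferences that field (its body is not in this hunk), that is a read of an uninitialized pointer. Assigning unconditionally removes the branch and the hazard: `sig.ctx = ctx;`. The function continues past the last line shown.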