From 771c17ec09c98d22b3c97074a8db8b50cc7bef32 Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni
Date: Sat, 8 Feb 2025 17:05:20 +1100
Subject: [PATCH] Avoid calling ssl_load_sigalgs in tls1_set_sigalgs_list

- The signature algorithms are already loaded in SSL_CTX_new()
- Calling ssl_load_sigalgs() again is non-productive, and does not look thread safe.
- And of course avoiding the call is cheaper.
- Also fix broken loop test in ssl_cert_lookup_by_pkey()

Reviewed-by: Tim Hudson
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/26671)
(cherry picked from commit 3252fe646b17c1a3cebed4ff8fe35c19c523e222)
---
 ssl/ssl_cert.c | 2 +-
 ssl/t1_lib.c | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index b242bd7478e..4b63500a93e 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1256,7 +1256,7 @@ SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, size_t *pidx, SSL_C
 }
 }
 /* check provider-loaded pk types */
- for (i = 0; ctx->sigalg_list_len; i++) {
+ for (i = 0; i < ctx->sigalg_list_len; i++) {
 SSL_CERT_LOOKUP *tmp_lu = &(ctx->ssl_cert_info[i]);
 
 if (EVP_PKEY_is_a(pk, OBJ_nid2sn(tmp_lu->nid))
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 67fa15250f7..4b0ced21094 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2965,9 +2965,8 @@ int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client)
 sig_cb_st sig;
 
 sig.sigalgcnt = 0;
- if (ctx != NULL && ssl_load_sigalgs(ctx)) {
+ if (ctx != NULL)
 sig.ctx = ctx;
- }
 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
 return 0;
 if (c == NULL)
-- 
2.47.2
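Review bot: The corrected loop still indexes `ctx->ssl_cert_info[i]` with a bound taken from `ctx->sigalg_list_len`, a different field, so the read stays in bounds only while those two are allocated and sized together; that invariant is not visible in the hunk and deserves a comment at the loop, e.g. `/* ssl_cert_info has exactly sigalg_list_len entries (see where it is allocated) */`, or a dedicated length field if one exists. The old condition was a bare `ctx->sigalg_list_len`, so any provider-loaded key that matched no entry would have walked past the end of the array until an out-of-bounds `tmp_lu->nid` happened to satisfy `EVP_PKEY_is_a`; a regression test that looks up a key type absent from the list would pin the fix. The types of `i` and `sigalg_list_len` are not shown here, so a signed/unsigned comparison warning under `-Wsign-compare` cannot be ruled out. ssl_cert_lookup_by_pkey begins and ends outside the hunk.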
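Review bot: With the `ssl_load_sigalgs` condition gone, `sig.ctx` is still never assigned when `ctx == NULL`, and since `sig_cb_st sig;` has no initializer and only `sig.sigalgcnt` is set, `sig` is handed to `CONF_parse_list` (and thus `sig_cb`) with an indeterminate `ctx` member in that path; whether `sig_cb` dereferences it is outside the hunk, but reading it at all is undefined behaviour. The guard now buys nothing, so replacing the two lines with an unconditional `sig.ctx = ctx;` closes the gap, or alternatively declare `sig_cb_st sig = { 0 };` so every member starts out defined. The new `if` also drops the braces around its single statement, which the rest of this function keeps elsewhere; either keep them for consistency or remove the `if` entirely as suggested. tls1_set_sigalgs_list continues past the end of the hunk.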