Restricting signature algorithms for a TLS1.3 session

[Crawl12321]

Hi,

I'm currently configuring an application for TLS1.3 using oqsprovider, everything is working quite well with hybrid certificates and KEM algorithms.

While I'm able to restrict supported groups through SSL_set1_groups_list(), I can't seem to use SSL_set1_sigalgs_list() to restrict supported signature to oqs signature algorithms (using a string list such as "dilithium3+SHA384" or "p384_dilithium3+SHA384:dilithium3+SHA384").

Am I missing something or is it currently not available ?

Best regards !

[baentsch]

Am I missing something or is it currently not available ?

At first glance over the required code, it seems you are not missing anything, but the key openssl function making this possible tls1_set_sigalgs seems to require an update. This appears to pertain to/confirm openssl/openssl#22779 (review) (@mattcaswell may be able to confirm my quick "code-reading-hunch").

As a workaround my suggestion would be to build oqsprovider with only those PQ algorithms you want supported (see here how to do this). However, if you want to disable classic signature algorithms, I'm afraid you're out of luck: You may consider disabling the default provider to make those algorithms unavailable -- but unfortunately, oqsprovider depends on the default provider for classic hybrids and randomness :-( So my best proposal at this time would be to wait for openssl/openssl#22779 to be enhanced/completed and land.

[mattcaswell]

Yeah - this is a bug in OpenSSL (openssl/openssl#22761) - although that bug talks about the config file, it basically applies to anyway of trying to configure the sigalgs to something other than the default.

[Crawl12321]

Thank you for the answer @baentsch, @mattcaswell :-) I guess i can expect this to be corrected in a future version of openssl (which is quite enough !).

Currently for a workaround, if I can enforce using hybrid certificates on client and server side can I be confident that both algorithms will be used ? I'm unsure whether current hybrid certificates signature is made of concatenated signatures from both algorithms (that are verified separately) or contains a single signature using both algorithms...

[baentsch]

Currently for a workaround, if I can enforce using hybrid certificates on client and server side can I be confident that both algorithms will be used ?

Well, yes, if you set up the server, you decide which signature algorithms are used, right? So if you use (only) a classic/PQ hybrid certificate, it must be used and both components' signatures must be OK: See this code verifying the classic part of the signature and this code verifying the PQ algorithm: Both are executed in succession on a hybrid sig and both must be OK.