xref: /freebsd/crypto/openssl/doc/man3/SSL_get_shared_sigalgs.pod (revision b077aed33b7b6aefca7b17ddb250cf521f938613) 
1e71b7053SJung-uk Kim=pod
2e71b7053SJung-uk Kim
3e71b7053SJung-uk Kim=head1 NAME
4e71b7053SJung-uk Kim
5e71b7053SJung-uk KimSSL_get_shared_sigalgs, SSL_get_sigalgs - get supported signature algorithms
6e71b7053SJung-uk Kim
7e71b7053SJung-uk Kim=head1 SYNOPSIS
8e71b7053SJung-uk Kim
9e71b7053SJung-uk Kim #include <openssl/ssl.h>
10e71b7053SJung-uk Kim
11e71b7053SJung-uk Kim int SSL_get_shared_sigalgs(SSL *s, int idx,
12e71b7053SJung-uk Kim                            int *psign, int *phash, int *psignhash,
13e71b7053SJung-uk Kim                            unsigned char *rsig, unsigned char *rhash);
14e71b7053SJung-uk Kim
15e71b7053SJung-uk Kim int SSL_get_sigalgs(SSL *s, int idx,
16e71b7053SJung-uk Kim                     int *psign, int *phash, int *psignhash,
17e71b7053SJung-uk Kim                     unsigned char *rsig, unsigned char *rhash);
18e71b7053SJung-uk Kim
19e71b7053SJung-uk Kim=head1 DESCRIPTION
20e71b7053SJung-uk Kim
21e71b7053SJung-uk KimSSL_get_shared_sigalgs() returns information about the shared signature
22e71b7053SJung-uk Kimalgorithms supported by peer B<s>. The parameter B<idx> indicates the index
23e71b7053SJung-uk Kimof the shared signature algorithm to return starting from zero. The signature
24e71b7053SJung-uk Kimalgorithm NID is written to B<*psign>, the hash NID to B<*phash> and the
25e71b7053SJung-uk Kimsign and hash NID to B<*psignhash>. The raw signature and hash values
26e71b7053SJung-uk Kimare written to B<*rsig> and B<*rhash>.
27e71b7053SJung-uk Kim
28e71b7053SJung-uk KimSSL_get_sigalgs() is similar to SSL_get_shared_sigalgs() except it returns
29e71b7053SJung-uk Kiminformation about all signature algorithms supported by B<s> in the order
30e71b7053SJung-uk Kimthey were sent by the peer.
31e71b7053SJung-uk Kim
32e71b7053SJung-uk Kim=head1 RETURN VALUES
33e71b7053SJung-uk Kim
34e71b7053SJung-uk KimSSL_get_shared_sigalgs() and SSL_get_sigalgs() return the number of
35e71b7053SJung-uk Kimsignature algorithms or B<0> if the B<idx> parameter is out of range.
36e71b7053SJung-uk Kim
37e71b7053SJung-uk Kim=head1 NOTES
38e71b7053SJung-uk Kim
39e71b7053SJung-uk KimThese functions are typically called for debugging purposes (to report
40e71b7053SJung-uk Kimthe peer's preferences) or where an application wants finer control over
41e71b7053SJung-uk Kimcertificate selection. Most applications will rely on internal handling
42e71b7053SJung-uk Kimand will not need to call them.
43e71b7053SJung-uk Kim
44e71b7053SJung-uk KimIf an application is only interested in the highest preference shared
45e71b7053SJung-uk Kimsignature algorithm it can just set B<idx> to zero.
46e71b7053SJung-uk Kim
47e71b7053SJung-uk KimAny or all of the parameters B<psign>, B<phash>, B<psignhash>, B<rsig> or
48e71b7053SJung-uk KimB<rhash> can be set to B<NULL> if the value is not required. By setting
49e71b7053SJung-uk Kimthem all to B<NULL> and setting B<idx> to zero the total number of
50e71b7053SJung-uk Kimsignature algorithms can be determined: which can be zero.
51e71b7053SJung-uk Kim
52e71b7053SJung-uk KimThese functions must be called after the peer has sent a list of supported
53e71b7053SJung-uk Kimsignature algorithms: after a client hello (for servers) or a certificate
54e71b7053SJung-uk Kimrequest (for clients). They can (for example) be called in the certificate
55e71b7053SJung-uk Kimcallback.
56e71b7053SJung-uk Kim
57e71b7053SJung-uk KimOnly TLS 1.2, TLS 1.3 and DTLS 1.2 currently support signature algorithms.
58e71b7053SJung-uk KimIf these
59e71b7053SJung-uk Kimfunctions are called on an earlier version of TLS or DTLS zero is returned.
60e71b7053SJung-uk Kim
61e71b7053SJung-uk KimThe shared signature algorithms returned by SSL_get_shared_sigalgs() are
62e71b7053SJung-uk Kimordered according to configuration and peer preferences.
63e71b7053SJung-uk Kim
64e71b7053SJung-uk KimThe raw values correspond to the on the wire form as defined by RFC5246 et al.
65e71b7053SJung-uk KimThe NIDs are OpenSSL equivalents. For example if the peer sent sha256(4) and
66e71b7053SJung-uk Kimrsa(1) then B<*rhash> would be 4, B<*rsign> 1, B<*phash> NID_sha256, B<*psig>
67e71b7053SJung-uk KimNID_rsaEncryption and B<*psighash> NID_sha256WithRSAEncryption.
68e71b7053SJung-uk Kim
69e71b7053SJung-uk KimIf a signature algorithm is not recognised the corresponding NIDs
70e71b7053SJung-uk Kimwill be set to B<NID_undef>. This may be because the value is not supported,
71e71b7053SJung-uk Kimis not an appropriate combination (for example MD5 and DSA) or the
72e71b7053SJung-uk Kimsignature algorithm does not use a hash (for example Ed25519).
73e71b7053SJung-uk Kim
74e71b7053SJung-uk Kim=head1 SEE ALSO
75e71b7053SJung-uk Kim
76e71b7053SJung-uk KimL<SSL_CTX_set_cert_cb(3)>,
77e71b7053SJung-uk KimL<ssl(7)>
78e71b7053SJung-uk Kim
79e71b7053SJung-uk Kim=head1 COPYRIGHT
80e71b7053SJung-uk Kim
81e71b7053SJung-uk KimCopyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
82e71b7053SJung-uk Kim
83*b077aed3SPierre ProncheryLicensed under the Apache License 2.0 (the "License").  You may not use
84e71b7053SJung-uk Kimthis file except in compliance with the License.  You can obtain a copy
85e71b7053SJung-uk Kimin the file LICENSE in the source distribution or at
86e71b7053SJung-uk KimL<https://www.openssl.org/source/license.html>.
87e71b7053SJung-uk Kim
88e71b7053SJung-uk Kim=cut
89