1SSL_GET_SHARED_SIGALGS(3) OpenSSL SSL_GET_SHARED_SIGALGS(3)
2
3
4
6 SSL_get_shared_sigalgs, SSL_get_sigalgs - get supported signature
7 algorithms
8
10 #include <openssl/ssl.h>
11
12 int SSL_get_shared_sigalgs(SSL *s, int idx,
13 int *psign, int *phash, int *psignhash,
14 unsigned char *rsig, unsigned char *rhash);
15
16 int SSL_get_sigalgs(SSL *s, int idx,
17 int *psign, int *phash, int *psignhash,
18 unsigned char *rsig, unsigned char *rhash);
19
21 SSL_get_shared_sigalgs() returns information about the shared signature
22 algorithms supported by peer s. The parameter idx indicates the index
23 of the shared signature algorithm to return starting from zero. The
24 signature algorithm NID is written to *psign, the hash NID to *phash
25 and the sign and hash NID to *psignhash. The raw signature and hash
26 values are written to *rsig and *rhash.
27
28 SSL_get_sigalgs() is similar to SSL_get_shared_sigalgs() except it
29 returns information about all signature algorithms supported by s in
30 the order they were sent by the peer.
31
33 SSL_get_shared_sigalgs() and SSL_get_sigalgs() return the number of
34 signature algorithms or 0 if the idx parameter is out of range.
35
37 These functions are typically called for debugging purposes (to report
38 the peer's preferences) or where an application wants finer control
39 over certificate selection. Most applications will rely on internal
40 handling and will not need to call them.
41
42 If an application is only interested in the highest preference shared
43 signature algorithm it can just set idx to zero.
44
45 Any or all of the parameters psign, phash, psignhash, rsig or rhash can
46 be set to NULL if the value is not required. By setting them all to
47 NULL and setting idx to zero the total number of signature algorithms
48 can be determined: which can be zero.
49
50 These functions must be called after the peer has sent a list of
51 supported signature algorithms: after a client hello (for servers) or a
52 certificate request (for clients). They can (for example) be called in
53 the certificate callback.
54
55 Only TLS 1.2, TLS 1.3 and DTLS 1.2 currently support signature
56 algorithms. If these functions are called on an earlier version of TLS
57 or DTLS zero is returned.
58
59 The shared signature algorithms returned by SSL_get_shared_sigalgs()
60 are ordered according to configuration and peer preferences.
61
62 The raw values correspond to the on the wire form as defined by RFC5246
63 et al. The NIDs are OpenSSL equivalents. For example if the peer sent
64 sha256(4) and rsa(1) then *rhash would be 4, *rsign 1, *phash
65 NID_sha256, *psig NID_rsaEncryption and *psighash
66 NID_sha256WithRSAEncryption.
67
68 If a signature algorithm is not recognised the corresponding NIDs will
69 be set to NID_undef. This may be because the value is not supported, is
70 not an appropriate combination (for example MD5 and DSA) or the
71 signature algorithm does not use a hash (for example Ed25519).
72
74 SSL_CTX_set_cert_cb(3), ssl(7)
75
77 Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
78
79 Licensed under the OpenSSL license (the "License"). You may not use
80 this file except in compliance with the License. You can obtain a copy
81 in the file LICENSE in the source distribution or at
82 <https://www.openssl.org/source/license.html>.
83
84
85
861.1.1q 2023-02-06 SSL_GET_SHARED_SIGALGS(3)