adds TLS signature algorithms list feature
authorMichael Baentsch <57787676+baentsch@users.noreply.github.com>
Tue, 9 Jul 2024 09:07:01 +0000 (11:07 +0200)
committerPauli <ppzgs1@gmail.com>
Tue, 13 Aug 2024 01:48:54 +0000 (11:48 +1000)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24821)

CHANGES.md
apps/list.c
doc/build.info
doc/man1/openssl-list.pod.in
doc/man3/SSL_get1_builtin_sigalgs.pod [new file with mode: 0644]
include/openssl/tls1.h
ssl/ssl_local.h
ssl/t1_lib.c
ssl/t1_trce.c
test/recipes/20-test_cli_fips.t
util/libssl.num

index 13c28816ace0592b61e56ed5fb3181f3a2ef035c..5f077ecf9575d8d0a79662b3514c5567694c315a 100644 (file)
@@ -29,6 +29,11 @@ OpenSSL 3.4
 
 ### Changes between 3.3 and 3.4 [xx XXX xxxx]
 
+ * Add feature to retrieve configured TLS signature algorithms,
+   e.g., via the openssl list command.
+
+   *Michael Baentsch*
+
  * Add FIPS provider configuration option to enforce the a minimal
    MAC length check.  The option '-no_short_mac' can optionally be
    supplied to 'openssl fipsinstall'.
index 393fa1d7b9ef95b568fa1049546905bd7600c2e5..679a27c88b6dc100acdbf4a98d90046430883d9d 100644 (file)
@@ -21,6 +21,7 @@
 #include <openssl/store.h>
 #include <openssl/core_names.h>
 #include <openssl/rand.h>
+#include <openssl/tls1.h>
 #include "apps.h"
 #include "app_params.h"
 #include "progs.h"
@@ -71,7 +72,7 @@ static void legacy_cipher_fn(const EVP_CIPHER *c,
 {
     if (select_name != NULL
         && (c == NULL
-            || OPENSSL_strcasecmp(select_name,  EVP_CIPHER_get0_name(c)) != 0))
+            || OPENSSL_strcasecmp(select_name, EVP_CIPHER_get0_name(c)) != 0))
         return;
     if (c != NULL) {
         BIO_printf(arg, "  %s\n", EVP_CIPHER_get0_name(c));
@@ -747,6 +748,51 @@ static void list_signatures(void)
         BIO_printf(bio_out, " -\n");
 }
 
+static int list_provider_tls_sigalgs(const OSSL_PARAM params[], void *data)
+{
+    const OSSL_PARAM *p;
+
+    /* Get registered IANA name */
+    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_IANA_NAME);
+    if (p != NULL && p->data_type == OSSL_PARAM_UTF8_STRING) {
+        if (*((int *)data) > 0)
+            BIO_printf(bio_out, ":");
+        BIO_printf(bio_out, "%s", (char *)(p->data));
+        /* mark presence of a provider-based sigalg */
+        *((int *)data) = 2;
+    }
+    /* As built-in providers don't have this capability, never error */
+    return 1;
+}
+
+static int list_tls_sigalg_caps(OSSL_PROVIDER *provider, void *cbdata)
+{
+    OSSL_PROVIDER_get_capabilities(provider, "TLS-SIGALG",
+                                   list_provider_tls_sigalgs,
+                                   cbdata);
+    /* As built-in providers don't have this capability, never error */
+    return 1;
+}
+
+static void list_tls_signatures(void)
+{
+    int tls_sigalg_listed = 0;
+    char *builtin_sigalgs = SSL_get1_builtin_sigalgs(app_get0_libctx());
+
+    if (builtin_sigalgs != NULL && builtin_sigalgs[0] != 0) {
+        BIO_printf(bio_out, "%s", builtin_sigalgs);
+        OPENSSL_free(builtin_sigalgs);
+        tls_sigalg_listed = 1;
+    }
+
+    /* As built-in providers don't have this capability, never error */
+    OSSL_PROVIDER_do_all(NULL, list_tls_sigalg_caps, &tls_sigalg_listed);
+    if (tls_sigalg_listed < 2)
+        BIO_printf(bio_out,
+                   "\nNo TLS sig algs registered by currently active providers");
+    BIO_printf(bio_out, "\n");
+}
+
 DEFINE_STACK_OF(EVP_KEM)
 static int kem_cmp(const EVP_KEM * const *a,
                    const EVP_KEM * const *b)
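Review bot: In `list_tls_signatures`, `builtin_sigalgs` is freed only inside the `if`, so the allocated-but-empty string is leaked; the man page added in this commit documents that `SSL_get1_builtin_sigalgs` returns exactly that when no built-in algorithm can be activated. Move the call out of the branch, i.e. put `OPENSSL_free(builtin_sigalgs);` after the closing brace (it is NULL-safe). Separately, `list_provider_tls_sigalgs` prints `p->data` with `%s` straight from a provider-supplied parameter after checking only `data_type`. Reading it through `OSSL_PARAM_get_utf8_string_ptr()` would keep the type handling in one place, though NUL termination of a third-party provider's string is still assumed either way.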
@@ -1209,6 +1255,7 @@ static int provider_cmp(const OSSL_PROVIDER * const *a,
 static int collect_providers(OSSL_PROVIDER *provider, void *stack)
 {
     STACK_OF(OSSL_PROVIDER) *provider_stack = stack;
+
     /*
      * If OK - result is the index of inserted data
      * Error - result is -1 or 0
@@ -1459,9 +1506,10 @@ typedef enum HELPLIST_CHOICE {
     OPT_PK_ALGORITHMS, OPT_PK_METHOD, OPT_DISABLED,
     OPT_KDF_ALGORITHMS, OPT_RANDOM_INSTANCES, OPT_RANDOM_GENERATORS,
     OPT_ENCODERS, OPT_DECODERS, OPT_KEYMANAGERS, OPT_KEYEXCHANGE_ALGORITHMS,
-    OPT_KEM_ALGORITHMS, OPT_SIGNATURE_ALGORITHMS, OPT_ASYM_CIPHER_ALGORITHMS,
-    OPT_STORE_LOADERS, OPT_PROVIDER_INFO,
-    OPT_OBJECTS, OPT_SELECT_NAME,
+    OPT_KEM_ALGORITHMS, OPT_SIGNATURE_ALGORITHMS,
+    OPT_TLS_SIGNATURE_ALGORITHMS, OPT_ASYM_CIPHER_ALGORITHMS,
+    OPT_STORE_LOADERS, OPT_PROVIDER_INFO, OPT_OBJECTS,
+    OPT_SELECT_NAME,
 #ifndef OPENSSL_NO_DEPRECATED_3_0
     OPT_ENGINES,
 #endif
@@ -1496,7 +1544,7 @@ const OPTIONS list_options[] = {
      "List of message authentication code algorithms"},
 #ifndef OPENSSL_NO_DEPRECATED_3_0
     {"cipher-commands", OPT_CIPHER_COMMANDS, '-',
-    "List of cipher commands (deprecated)"},
+     "List of cipher commands (deprecated)"},
 #endif
     {"cipher-algorithms", OPT_CIPHER_ALGORITHMS, '-',
      "List of symmetric cipher algorithms"},
@@ -1509,6 +1557,8 @@ const OPTIONS list_options[] = {
      "List of key encapsulation mechanism algorithms" },
     {"signature-algorithms", OPT_SIGNATURE_ALGORITHMS, '-',
      "List of signature algorithms" },
+    {"tls-signature-algorithms", OPT_TLS_SIGNATURE_ALGORITHMS, '-',
+     "List of TLS signature algorithms" },
     {"asymcipher-algorithms", OPT_ASYM_CIPHER_ALGORITHMS, '-',
       "List of asymmetric cipher algorithms" },
     {"public-key-algorithms", OPT_PK_ALGORITHMS, '-',
@@ -1554,6 +1604,7 @@ int list_main(int argc, char **argv)
         unsigned int decoder_algorithms:1;
         unsigned int keymanager_algorithms:1;
         unsigned int signature_algorithms:1;
+        unsigned int tls_signature_algorithms:1;
         unsigned int keyexchange_algorithms:1;
         unsigned int kem_algorithms:1;
         unsigned int asym_cipher_algorithms:1;
@@ -1627,6 +1678,9 @@ opthelp:
         case OPT_SIGNATURE_ALGORITHMS:
             todo.signature_algorithms = 1;
             break;
+        case OPT_TLS_SIGNATURE_ALGORITHMS:
+            todo.tls_signature_algorithms = 1;
+            break;
         case OPT_KEYEXCHANGE_ALGORITHMS:
             todo.keyexchange_algorithms = 1;
             break;
@@ -1686,7 +1740,7 @@ opthelp:
             BIO_printf(bio_out, "\n"); \
         } \
         cmd; \
-    } while(0)
+    } while (0)
 
     if (todo.commands)
         MAYBE_ADD_NL(list_type(FT_general, one));
@@ -1744,6 +1798,8 @@ opthelp:
         MAYBE_ADD_NL(list_keymanagers());
     if (todo.signature_algorithms)
         MAYBE_ADD_NL(list_signatures());
+    if (todo.tls_signature_algorithms)
+        MAYBE_ADD_NL(list_tls_signatures());
     if (todo.asym_cipher_algorithms)
         MAYBE_ADD_NL(list_asymciphers());
     if (todo.keyexchange_algorithms)
index 60a5d9b86bd5cf417072893fa8176c48132997ec..1363ab54fffe00a89501528ea63c174715bce7ae 100644 (file)
@@ -2559,6 +2559,10 @@ DEPEND[html/man3/SSL_get0_peer_scts.html]=man3/SSL_get0_peer_scts.pod
 GENERATE[html/man3/SSL_get0_peer_scts.html]=man3/SSL_get0_peer_scts.pod
 DEPEND[man/man3/SSL_get0_peer_scts.3]=man3/SSL_get0_peer_scts.pod
 GENERATE[man/man3/SSL_get0_peer_scts.3]=man3/SSL_get0_peer_scts.pod
+DEPEND[html/man3/SSL_get1_builtin_sigalgs.html]=man3/SSL_get1_builtin_sigalgs.pod
+GENERATE[html/man3/SSL_get1_builtin_sigalgs.html]=man3/SSL_get1_builtin_sigalgs.pod
+DEPEND[man/man3/SSL_get1_builtin_sigalgs.3]=man3/SSL_get1_builtin_sigalgs.pod
+GENERATE[man/man3/SSL_get1_builtin_sigalgs.3]=man3/SSL_get1_builtin_sigalgs.pod
 DEPEND[html/man3/SSL_get_SSL_CTX.html]=man3/SSL_get_SSL_CTX.pod
 GENERATE[html/man3/SSL_get_SSL_CTX.html]=man3/SSL_get_SSL_CTX.pod
 DEPEND[man/man3/SSL_get_SSL_CTX.3]=man3/SSL_get_SSL_CTX.pod
@@ -3635,6 +3639,7 @@ html/man3/SSL_get0_connection.html \
 html/man3/SSL_get0_group_name.html \
 html/man3/SSL_get0_peer_rpk.html \
 html/man3/SSL_get0_peer_scts.html \
+html/man3/SSL_get1_builtin_sigalgs.html \
 html/man3/SSL_get_SSL_CTX.html \
 html/man3/SSL_get_all_async_fds.html \
 html/man3/SSL_get_certificate.html \
@@ -4296,6 +4301,7 @@ man/man3/SSL_get0_connection.3 \
 man/man3/SSL_get0_group_name.3 \
 man/man3/SSL_get0_peer_rpk.3 \
 man/man3/SSL_get0_peer_scts.3 \
+man/man3/SSL_get1_builtin_sigalgs.3 \
 man/man3/SSL_get_SSL_CTX.3 \
 man/man3/SSL_get_all_async_fds.3 \
 man/man3/SSL_get_certificate.3 \
index 72acb6ae38639f041c1c4c1d426c2637176d0f23..11133214ab35c7e56cd83929078c9327544876a7 100644 (file)
@@ -33,6 +33,7 @@ B<openssl list>
 [B<-key-exchange-algorithms>]
 [B<-kem-algorithms>]
 [B<-signature-algorithms>]
+[B<-tls-signature-algorithms>]
 [B<-asymcipher-algorithms>]
 [B<-public-key-algorithms>]
 [B<-public-key-methods>]
@@ -194,6 +195,13 @@ Display a list of key encapsulation algorithms.
 
 Display a list of signature algorithms.
 
+=item B<-tls-signature-algorithms>
+
+Display the list of signature algorithms available for TLS handshakes
+made available by all currently active providers.
+The output format is colon delimited in a form directly usable in
+L<SSL_CONF_cmd(3)> specifying SignatureAlgorithms.
+
 =item B<-asymcipher-algorithms>
 
 Display a list of asymmetric cipher algorithms.
diff --git a/doc/man3/SSL_get1_builtin_sigalgs.pod b/doc/man3/SSL_get1_builtin_sigalgs.pod
new file mode 100644 (file)
index 0000000..dcd4cd2
--- /dev/null
@@ -0,0 +1,38 @@
+=pod
+
+=head1 NAME
+
+SSL_get1_builtin_sigalgs - get list of built-in signature algorithms
+
+=head1 SYNOPSIS
+
+ #include <openssl/tls1.h>
+
+ char *SSL_get1_builtin_sigalgs(OSSL_LIB_CTX *libctx);
+
+=head1 DESCRIPTION
+
+Return the colon-separated list of built-in and available TLS signature
+algorithms.
+The string returned must be freed by the user using L<OPENSSL_free(3)>.
+
+=head1 NOTES
+
+The string may be empty (strlen==0) if none of the built-in TLS signature
+algorithms can be activated, e.g., if suitable providers are missing.
+
+=head1 RETURN VALUES
+
+NULL may be returned if no memory could be allocated. Otherwise, a
+newly allocated string is always returned but it may have strlen == 0.
+
+=head1 COPYRIGHT
+
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
index 8a963f62f6d5cfd30b283aa1ae16dc3a60060b27..182cf2a125c0d6ee98326f8fded08a65701be920 100644 (file)
@@ -282,6 +282,8 @@ int SSL_get_sigalgs(SSL *s, int idx,
                     int *psign, int *phash, int *psignandhash,
                     unsigned char *rsig, unsigned char *rhash);
 
+char *SSL_get1_builtin_sigalgs(OSSL_LIB_CTX *libctx);
+
 int SSL_get_shared_sigalgs(SSL *s, int idx,
                            int *psign, int *phash, int *psignandhash,
                            unsigned char *rsig, unsigned char *rhash);
index d76a014cabf26dbed9f9a3f85461bf481b4db239..d1c1afe94e898898f68db6d62c5ec8bde27bc850 100644 (file)
@@ -2209,6 +2209,40 @@ typedef enum downgrade_en {
 #define TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384              0x081b
 #define TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512              0x081c
 
+/* Sigalgs names */
+#define TLSEXT_SIGALG_ecdsa_secp256r1_sha256_name                    "ecdsa_secp256r1_sha256"
+#define TLSEXT_SIGALG_ecdsa_secp384r1_sha384_name                    "ecdsa_secp384r1_sha384"
+#define TLSEXT_SIGALG_ecdsa_secp521r1_sha512_name                    "ecdsa_secp521r1_sha512"
+#define TLSEXT_SIGALG_ecdsa_sha224_name                              "ecdsa_sha224"
+#define TLSEXT_SIGALG_ecdsa_sha1_name                                "ecdsa_sha1"
+#define TLSEXT_SIGALG_rsa_pss_rsae_sha256_name                       "rsa_pss_rsae_sha256"
+#define TLSEXT_SIGALG_rsa_pss_rsae_sha384_name                       "rsa_pss_rsae_sha384"
+#define TLSEXT_SIGALG_rsa_pss_rsae_sha512_name                       "rsa_pss_rsae_sha512"
+#define TLSEXT_SIGALG_rsa_pss_pss_sha256_name                        "rsa_pss_pss_sha256"
+#define TLSEXT_SIGALG_rsa_pss_pss_sha384_name                        "rsa_pss_pss_sha384"
+#define TLSEXT_SIGALG_rsa_pss_pss_sha512_name                        "rsa_pss_pss_sha512"
+#define TLSEXT_SIGALG_rsa_pkcs1_sha256_name                          "rsa_pkcs1_sha256"
+#define TLSEXT_SIGALG_rsa_pkcs1_sha384_name                          "rsa_pkcs1_sha384"
+#define TLSEXT_SIGALG_rsa_pkcs1_sha512_name                          "rsa_pkcs1_sha512"
+#define TLSEXT_SIGALG_rsa_pkcs1_sha224_name                          "rsa_pkcs1_sha224"
+#define TLSEXT_SIGALG_rsa_pkcs1_sha1_name                            "rsa_pkcs1_sha1"
+#define TLSEXT_SIGALG_dsa_sha256_name                                "dsa_sha256"
+#define TLSEXT_SIGALG_dsa_sha384_name                                "dsa_sha384"
+#define TLSEXT_SIGALG_dsa_sha512_name                                "dsa_sha512"
+#define TLSEXT_SIGALG_dsa_sha224_name                                "dsa_sha224"
+#define TLSEXT_SIGALG_dsa_sha1_name                                  "dsa_sha1"
+#define TLSEXT_SIGALG_gostr34102012_256_intrinsic_name               "gost2012_256"
+#define TLSEXT_SIGALG_gostr34102012_512_intrinsic_name               "gost2012_512"
+#define TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_name       "gost2012_256"
+#define TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_name       "gost2012_512"
+#define TLSEXT_SIGALG_gostr34102001_gostr3411_name                   "gost2001_gost94"
+
+#define TLSEXT_SIGALG_ed25519_name                                   "ed25519"
+#define TLSEXT_SIGALG_ed448_name                                     "ed448"
+#define TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256_name              "ecdsa_brainpoolP256r1_sha256"
+#define TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384_name              "ecdsa_brainpoolP384r1_sha384"
+#define TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512_name              "ecdsa_brainpoolP512r1_sha512"
+
 /* Known PSK key exchange modes */
 #define TLSEXT_KEX_MODE_KE                                      0x00
 #define TLSEXT_KEX_MODE_KE_DHE                                  0x01
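Review bot: Two pairs of the new `_name` macros expand to the same string: `TLSEXT_SIGALG_gostr34102012_256_intrinsic_name` and `TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_name` are both `"gost2012_256"`, and likewise the two `_512` variants are both `"gost2012_512"`. These names now feed `sigalg_lookup_tbl` and the list built by `SSL_get1_builtin_sigalgs`, so a name-to-entry lookup can only ever reach the first of each pair. If GOST support is active, the list can also contain the same token twice, which may not round-trip through a SignatureAlgorithms string. If the sharing is intentional for trace output, say so here, e.g. `/* the _intrinsic and _gostr3411_2012 variants share a display name; not unique per code point */`, and have the listing skip duplicates.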
index ef865463e313c9f73972c4844dc92fa0bf2167a8..4e4671d01302a0667fb716a4db2d761b1c0f0768 100644 (file)
@@ -1381,102 +1381,102 @@ static const uint16_t suiteb_sigalgs[] = {
 };
 
 static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
-    {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
+    {TLSEXT_SIGALG_ecdsa_secp256r1_sha256_name, TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
      NID_ecdsa_with_SHA256, NID_X9_62_prime256v1, 1},
-    {"ecdsa_secp384r1_sha384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
+    {TLSEXT_SIGALG_ecdsa_secp384r1_sha384_name, TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
      NID_ecdsa_with_SHA384, NID_secp384r1, 1},
-    {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
+    {TLSEXT_SIGALG_ecdsa_secp521r1_sha512_name, TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
      NID_ecdsa_with_SHA512, NID_secp521r1, 1},
-    {"ed25519", TLSEXT_SIGALG_ed25519,
+    {TLSEXT_SIGALG_ed25519_name, TLSEXT_SIGALG_ed25519,
      NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519,
      NID_undef, NID_undef, 1},
-    {"ed448", TLSEXT_SIGALG_ed448,
+    {TLSEXT_SIGALG_ed448_name, TLSEXT_SIGALG_ed448,
      NID_undef, -1, EVP_PKEY_ED448, SSL_PKEY_ED448,
      NID_undef, NID_undef, 1},
-    {NULL, TLSEXT_SIGALG_ecdsa_sha224,
+    {TLSEXT_SIGALG_ecdsa_sha224_name, TLSEXT_SIGALG_ecdsa_sha224,
      NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
      NID_ecdsa_with_SHA224, NID_undef, 1},
-    {NULL, TLSEXT_SIGALG_ecdsa_sha1,
+    {TLSEXT_SIGALG_ecdsa_sha1_name, TLSEXT_SIGALG_ecdsa_sha1,
      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
      NID_ecdsa_with_SHA1, NID_undef, 1},
-    {"ecdsa_brainpoolP256r1_sha256", TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256,
+    {TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256_name, TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256,
      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
      NID_ecdsa_with_SHA256, NID_brainpoolP256r1, 1},
-    {"ecdsa_brainpoolP384r1_sha384", TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384,
+    {TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384_name, TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384,
      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
      NID_ecdsa_with_SHA384, NID_brainpoolP384r1, 1},
-    {"ecdsa_brainpoolP512r1_sha512", TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512,
+    {TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512_name, TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512,
      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
      NID_ecdsa_with_SHA512, NID_brainpoolP512r1, 1},
-    {"rsa_pss_rsae_sha256", TLSEXT_SIGALG_rsa_pss_rsae_sha256,
+    {TLSEXT_SIGALG_rsa_pss_rsae_sha256_name, TLSEXT_SIGALG_rsa_pss_rsae_sha256,
      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
      NID_undef, NID_undef, 1},
-    {"rsa_pss_rsae_sha384", TLSEXT_SIGALG_rsa_pss_rsae_sha384,
+    {TLSEXT_SIGALG_rsa_pss_rsae_sha384_name, TLSEXT_SIGALG_rsa_pss_rsae_sha384,
      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
      NID_undef, NID_undef, 1},
-    {"rsa_pss_rsae_sha512", TLSEXT_SIGALG_rsa_pss_rsae_sha512,
+    {TLSEXT_SIGALG_rsa_pss_rsae_sha512_name, TLSEXT_SIGALG_rsa_pss_rsae_sha512,
      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
      NID_undef, NID_undef, 1},
-    {"rsa_pss_pss_sha256", TLSEXT_SIGALG_rsa_pss_pss_sha256,
+    {TLSEXT_SIGALG_rsa_pss_pss_sha256_name, TLSEXT_SIGALG_rsa_pss_pss_sha256,
      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
      NID_undef, NID_undef, 1},
-    {"rsa_pss_pss_sha384", TLSEXT_SIGALG_rsa_pss_pss_sha384,
+    {TLSEXT_SIGALG_rsa_pss_pss_sha384_name, TLSEXT_SIGALG_rsa_pss_pss_sha384,
      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
      NID_undef, NID_undef, 1},
-    {"rsa_pss_pss_sha512", TLSEXT_SIGALG_rsa_pss_pss_sha512,
+    {TLSEXT_SIGALG_rsa_pss_pss_sha512_name, TLSEXT_SIGALG_rsa_pss_pss_sha512,
      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN,
      NID_undef, NID_undef, 1},
-    {"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256,
+    {TLSEXT_SIGALG_rsa_pkcs1_sha256_name, TLSEXT_SIGALG_rsa_pkcs1_sha256,
      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
      NID_sha256WithRSAEncryption, NID_undef, 1},
-    {"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384,
+    {TLSEXT_SIGALG_rsa_pkcs1_sha384_name, TLSEXT_SIGALG_rsa_pkcs1_sha384,
      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
      NID_sha384WithRSAEncryption, NID_undef, 1},
-    {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512,
+    {TLSEXT_SIGALG_rsa_pkcs1_sha512_name, TLSEXT_SIGALG_rsa_pkcs1_sha512,
      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
      NID_sha512WithRSAEncryption, NID_undef, 1},
-    {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224,
+    {TLSEXT_SIGALG_rsa_pkcs1_sha224_name, TLSEXT_SIGALG_rsa_pkcs1_sha224,
      NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
      NID_sha224WithRSAEncryption, NID_undef, 1},
-    {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1,
+    {TLSEXT_SIGALG_rsa_pkcs1_sha1_name, TLSEXT_SIGALG_rsa_pkcs1_sha1,
      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA,
      NID_sha1WithRSAEncryption, NID_undef, 1},
-    {NULL, TLSEXT_SIGALG_dsa_sha256,
+    {TLSEXT_SIGALG_dsa_sha256_name, TLSEXT_SIGALG_dsa_sha256,
      NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
      NID_dsa_with_SHA256, NID_undef, 1},
-    {NULL, TLSEXT_SIGALG_dsa_sha384,
+    {TLSEXT_SIGALG_dsa_sha384_name, TLSEXT_SIGALG_dsa_sha384,
      NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
      NID_undef, NID_undef, 1},
-    {NULL, TLSEXT_SIGALG_dsa_sha512,
+    {TLSEXT_SIGALG_dsa_sha512_name, TLSEXT_SIGALG_dsa_sha512,
      NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
      NID_undef, NID_undef, 1},
-    {NULL, TLSEXT_SIGALG_dsa_sha224,
+    {TLSEXT_SIGALG_dsa_sha224_name, TLSEXT_SIGALG_dsa_sha224,
      NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
      NID_undef, NID_undef, 1},
-    {NULL, TLSEXT_SIGALG_dsa_sha1,
+    {TLSEXT_SIGALG_dsa_sha1_name, TLSEXT_SIGALG_dsa_sha1,
      NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN,
      NID_dsaWithSHA1, NID_undef, 1},
 #ifndef OPENSSL_NO_GOST
-    {NULL, TLSEXT_SIGALG_gostr34102012_256_intrinsic,
+    {TLSEXT_SIGALG_gostr34102012_256_intrinsic_name, TLSEXT_SIGALG_gostr34102012_256_intrinsic,
      NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
      NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
      NID_undef, NID_undef, 1},
-    {NULL, TLSEXT_SIGALG_gostr34102012_512_intrinsic,
+    {TLSEXT_SIGALG_gostr34102012_512_intrinsic_name, TLSEXT_SIGALG_gostr34102012_512_intrinsic,
      NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
      NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
      NID_undef, NID_undef, 1},
-    {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
+    {TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_name, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
      NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
      NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
      NID_undef, NID_undef, 1},
-    {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
+    {TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_name, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
      NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
      NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
      NID_undef, NID_undef, 1},
-    {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411,
+    {TLSEXT_SIGALG_gostr34102001_gostr3411_name, TLSEXT_SIGALG_gostr34102001_gostr3411,
      NID_id_GostR3411_94, SSL_MD_GOST94_IDX,
      NID_id_GostR3410_2001, SSL_PKEY_GOST01,
      NID_undef, NID_undef, 1}
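Review bot: Replacing the `NULL` names in `sigalg_lookup_tbl` is more than a listing change if any code outside this hunk treats `lu->name == NULL` as "not selectable by name". `ecdsa_sha224`, `ecdsa_sha1`, every `dsa_*` entry and the GOST entries all gain names in this commit. That could allow SHA-1 and DSA schemes to be requested by name in a SignatureAlgorithms string where they previously could not be. This should be confirmed against the name-parsing path and pinned with a test that such names are still rejected or accepted as intended. The table's closing lines are outside the hunk.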
@@ -1594,6 +1594,81 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
     return ret;
 }
 
+#define SIGLEN_BUF_INCREMENT 100
+
+char *SSL_get1_builtin_sigalgs(OSSL_LIB_CTX *libctx)
+{
+    size_t i, maxretlen = SIGLEN_BUF_INCREMENT;
+    const SIGALG_LOOKUP *lu;
+    EVP_PKEY *tmpkey = EVP_PKEY_new();
+    char *retval = OPENSSL_malloc(maxretlen);
+
+    if (retval == NULL)
+        return NULL;
+
+    /* ensure retval string is NUL terminated */
+    retval[0] = (char)0;
+
+    for (i = 0, lu = sigalg_lookup_tbl;
+         i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
+        EVP_PKEY_CTX *pctx;
+        int enabled = 1;
+
+        ERR_set_mark();
+        /* Check hash is available in some provider. */
+        if (lu->hash != NID_undef) {
+            EVP_MD *hash = EVP_MD_fetch(libctx, OBJ_nid2ln(lu->hash), NULL);
+
+            /* If unable to create we assume the hash algorithm is unavailable */
+            if (hash == NULL) {
+                enabled = 0;
+                ERR_pop_to_mark();
+                continue;
+            }
+            EVP_MD_free(hash);
+        }
+
+        if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
+            enabled = 0;
+            ERR_pop_to_mark();
+            continue;
+        }
+        pctx = EVP_PKEY_CTX_new_from_pkey(libctx, tmpkey, NULL);
+        /* If unable to create pctx we assume the sig algorithm is unavailable */
+        if (pctx == NULL)
+            enabled = 0;
+        ERR_pop_to_mark();
+        EVP_PKEY_CTX_free(pctx);
+
+        if (enabled) {
+            const char *sa = lu->name;
+
+            if (sa != NULL) {
+                if (strlen(sa) + strlen(retval) + 1 >= maxretlen) {
+                    char *tmp;
+
+                    maxretlen += SIGLEN_BUF_INCREMENT;
+                    tmp = OPENSSL_realloc(retval, maxretlen);
+                    if (tmp == NULL) {
+                        OPENSSL_free(retval);
+                        return NULL;
+                    }
+                    retval = tmp;
+                }
+                if (strlen(retval) > 0)
+                    OPENSSL_strlcat(retval, ":", maxretlen);
+                OPENSSL_strlcat(retval, sa, maxretlen);
+            } else {
+                /* lu->name must not be NULL */
+                ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
+            }
+        }
+    }
+
+    EVP_PKEY_free(tmpkey);
+    return retval;
+}
+
 /* Lookup TLS signature algorithm */
 static const SIGALG_LOOKUP *tls1_lookup_sigalg(const SSL_CONNECTION *s,
                                                uint16_t sigalg)
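Review bot: `tmpkey` from `EVP_PKEY_new()` is never checked in `SSL_get1_builtin_sigalgs`, and it is leaked on both early returns: the `retval == NULL` return and the `OPENSSL_realloc` failure return. If `EVP_PKEY_new()` itself fails, every entry is presumably skipped and the caller gets an empty string, which the new man page describes as "no algorithm can be activated" rather than as an allocation failure. Check both allocations together and free `tmpkey` on the realloc failure path as well. The `enabled = 0;` assignments directly before each `continue` are dead stores and can be dropped.

```c
    char *retval = OPENSSL_malloc(maxretlen);

    if (tmpkey == NULL || retval == NULL) {
        /* both free functions accept NULL */
        EVP_PKEY_free(tmpkey);
        OPENSSL_free(retval);
        return NULL;
    }
    /* … unchanged: NUL-terminate retval, per-entry hash and key-type probing … */
                    tmp = OPENSSL_realloc(retval, maxretlen);
                    if (tmp == NULL) {
                        EVP_PKEY_free(tmpkey);
                        OPENSSL_free(retval);
                        return NULL;
                    }
    /* … unchanged: append name, free tmpkey, return retval … */
```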
index 510190df9b37207ea0117e29c80a3a6f20ff90f9..5aa55d4188686646ad60cd9082d63dd8d48288c2 100644 (file)
@@ -568,37 +568,37 @@ static const ssl_trace_tbl ssl_mfl_tbl[] = {
 };
 
 static const ssl_trace_tbl ssl_sigalg_tbl[] = {
-    {TLSEXT_SIGALG_ecdsa_secp256r1_sha256, "ecdsa_secp256r1_sha256"},
-    {TLSEXT_SIGALG_ecdsa_secp384r1_sha384, "ecdsa_secp384r1_sha384"},
-    {TLSEXT_SIGALG_ecdsa_secp521r1_sha512, "ecdsa_secp521r1_sha512"},
-    {TLSEXT_SIGALG_ecdsa_sha224, "ecdsa_sha224"},
-    {TLSEXT_SIGALG_ed25519, "ed25519"},
-    {TLSEXT_SIGALG_ed448, "ed448"},
-    {TLSEXT_SIGALG_ecdsa_sha1, "ecdsa_sha1"},
-    {TLSEXT_SIGALG_rsa_pss_rsae_sha256, "rsa_pss_rsae_sha256"},
-    {TLSEXT_SIGALG_rsa_pss_rsae_sha384, "rsa_pss_rsae_sha384"},
-    {TLSEXT_SIGALG_rsa_pss_rsae_sha512, "rsa_pss_rsae_sha512"},
-    {TLSEXT_SIGALG_rsa_pss_pss_sha256, "rsa_pss_pss_sha256"},
-    {TLSEXT_SIGALG_rsa_pss_pss_sha384, "rsa_pss_pss_sha384"},
-    {TLSEXT_SIGALG_rsa_pss_pss_sha512, "rsa_pss_pss_sha512"},
-    {TLSEXT_SIGALG_rsa_pkcs1_sha256, "rsa_pkcs1_sha256"},
-    {TLSEXT_SIGALG_rsa_pkcs1_sha384, "rsa_pkcs1_sha384"},
-    {TLSEXT_SIGALG_rsa_pkcs1_sha512, "rsa_pkcs1_sha512"},
-    {TLSEXT_SIGALG_rsa_pkcs1_sha224, "rsa_pkcs1_sha224"},
-    {TLSEXT_SIGALG_rsa_pkcs1_sha1, "rsa_pkcs1_sha1"},
-    {TLSEXT_SIGALG_dsa_sha256, "dsa_sha256"},
-    {TLSEXT_SIGALG_dsa_sha384, "dsa_sha384"},
-    {TLSEXT_SIGALG_dsa_sha512, "dsa_sha512"},
-    {TLSEXT_SIGALG_dsa_sha224, "dsa_sha224"},
-    {TLSEXT_SIGALG_dsa_sha1, "dsa_sha1"},
-    {TLSEXT_SIGALG_gostr34102012_256_intrinsic, "gost2012_256"},
-    {TLSEXT_SIGALG_gostr34102012_512_intrinsic, "gost2012_512"},
-    {TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, "gost2012_256"},
-    {TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, "gost2012_512"},
-    {TLSEXT_SIGALG_gostr34102001_gostr3411, "gost2001_gost94"},
-    {TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256, "ecdsa_brainpoolP256r1_sha256"},
-    {TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384, "ecdsa_brainpoolP384r1_sha384"},
-    {TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512, "ecdsa_brainpoolP512r1_sha512"},
+    {TLSEXT_SIGALG_ecdsa_secp256r1_sha256, TLSEXT_SIGALG_ecdsa_secp256r1_sha256_name},
+    {TLSEXT_SIGALG_ecdsa_secp384r1_sha384, TLSEXT_SIGALG_ecdsa_secp384r1_sha384_name},
+    {TLSEXT_SIGALG_ecdsa_secp521r1_sha512,TLSEXT_SIGALG_ecdsa_secp521r1_sha512_name},
+    {TLSEXT_SIGALG_ecdsa_sha224, TLSEXT_SIGALG_ecdsa_sha224_name},
+    {TLSEXT_SIGALG_ed25519, TLSEXT_SIGALG_ed25519_name},
+    {TLSEXT_SIGALG_ed448, TLSEXT_SIGALG_ed448_name},
+    {TLSEXT_SIGALG_ecdsa_sha1, TLSEXT_SIGALG_ecdsa_sha1_name},
+    {TLSEXT_SIGALG_rsa_pss_rsae_sha256, TLSEXT_SIGALG_rsa_pss_rsae_sha256_name},
+    {TLSEXT_SIGALG_rsa_pss_rsae_sha384, TLSEXT_SIGALG_rsa_pss_rsae_sha384_name},
+    {TLSEXT_SIGALG_rsa_pss_rsae_sha512, TLSEXT_SIGALG_rsa_pss_rsae_sha512_name},
+    {TLSEXT_SIGALG_rsa_pss_pss_sha256, TLSEXT_SIGALG_rsa_pss_pss_sha256_name},
+    {TLSEXT_SIGALG_rsa_pss_pss_sha384, TLSEXT_SIGALG_rsa_pss_pss_sha384_name},
+    {TLSEXT_SIGALG_rsa_pss_pss_sha512, TLSEXT_SIGALG_rsa_pss_pss_sha512_name},
+    {TLSEXT_SIGALG_rsa_pkcs1_sha256, TLSEXT_SIGALG_rsa_pkcs1_sha256_name},
+    {TLSEXT_SIGALG_rsa_pkcs1_sha384, TLSEXT_SIGALG_rsa_pkcs1_sha384_name},
+    {TLSEXT_SIGALG_rsa_pkcs1_sha512, TLSEXT_SIGALG_rsa_pkcs1_sha512_name},
+    {TLSEXT_SIGALG_rsa_pkcs1_sha224, TLSEXT_SIGALG_rsa_pkcs1_sha224_name},
+    {TLSEXT_SIGALG_rsa_pkcs1_sha1, TLSEXT_SIGALG_rsa_pkcs1_sha1_name},
+    {TLSEXT_SIGALG_dsa_sha256, TLSEXT_SIGALG_dsa_sha256_name},
+    {TLSEXT_SIGALG_dsa_sha384, TLSEXT_SIGALG_dsa_sha384_name},
+    {TLSEXT_SIGALG_dsa_sha512, TLSEXT_SIGALG_dsa_sha512_name},
+    {TLSEXT_SIGALG_dsa_sha224, TLSEXT_SIGALG_dsa_sha224_name},
+    {TLSEXT_SIGALG_dsa_sha1, TLSEXT_SIGALG_dsa_sha1_name},
+    {TLSEXT_SIGALG_gostr34102012_256_intrinsic, TLSEXT_SIGALG_gostr34102012_256_intrinsic_name},
+    {TLSEXT_SIGALG_gostr34102012_512_intrinsic, TLSEXT_SIGALG_gostr34102012_512_intrinsic_name},
+    {TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_name},
+    {TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_name},
+    {TLSEXT_SIGALG_gostr34102001_gostr3411, TLSEXT_SIGALG_gostr34102001_gostr3411_name},
+    {TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256, TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256_name},
+    {TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384, TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384_name},
+    {TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512, TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512_name}
 };
 
 static const ssl_trace_tbl ssl_ctype_tbl[] = {
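Review bot: The third row of `ssl_sigalg_tbl` lost the space after the comma that every other row has; it should read `{TLSEXT_SIGALG_ecdsa_secp521r1_sha512, TLSEXT_SIGALG_ecdsa_secp521r1_sha512_name},`. Several of the rewritten rows also run well past 80 columns, for example the `gostr34102012_*` and `brainpool` rows. Breaking those after the first comma would keep the table consistent with the surrounding file.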
index 8f9c6c3941da7b7cfe3276e99b10636ca4999e55..e797382e922f065968916535e8d3035ec2668d78 100644 (file)
@@ -26,7 +26,7 @@ use platform;
 my $no_check = disabled("fips") || disabled('fips-securitychecks');
 plan skip_all => "Test only supported in a fips build with security checks"
     if $no_check;
-plan tests => 11;
+plan tests => 12;
 
 my $fipsmodule = bldtop_file('providers', platform->dso('fips'));
 my $fipsconf = srctop_file("test", "fips-and-base.cnf");
@@ -51,6 +51,8 @@ ok(run(app(['openssl', 'list', '-kem-algorithms', '-verbose'])),
    "provider listing of key encapsulation algorithms");
 ok(run(app(['openssl', 'list', '-signature-algorithms', '-verbose'])),
    "provider listing of signature algorithms");
+ok(run(app(['openssl', 'list', '-tls-signature-algorithms', '-verbose'])),
+   "provider listing of TLS signature algorithms");
 ok(run(app(['openssl', 'list', '-asymcipher-algorithms', '-verbose'])),
    "provider listing of encryption algorithms");
 ok(run(app(['openssl', 'list', '-key-managers', '-verbose', '-select', 'DSA' ])),
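Review bot: The added check only asserts that `openssl list -tls-signature-algorithms` exits successfully, so it would still pass if the command printed nothing or a malformed list. The option is documented as producing output directly usable for SignatureAlgorithms, so the test should capture it, e.g. `my @out = run(app(['openssl', 'list', '-tls-signature-algorithms']), capture => 1);`. It can then assert that the first line is a non-empty colon-separated list with no empty or repeated tokens. Adding that assertion also means bumping `plan tests` again.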
index cd2c7f06a16d7c720a5afaaf3eafec0d9bc70c40..e2ac894c8c6eb43b524760c238cfc55ddf90fba4 100644 (file)
@@ -586,3 +586,4 @@ SSL_SESSION_set_time_ex                 586 3_3_0   EXIST::FUNCTION:
 SSL_CTX_flush_sessions_ex               587    3_4_0   EXIST::FUNCTION:
 SSL_CTX_set_block_padding_ex            ?      3_4_0   EXIST::FUNCTION:
 SSL_set_block_padding_ex                ?      3_4_0   EXIST::FUNCTION:
+SSL_get1_builtin_sigalgs                ?      3_4_0   EXIST::FUNCTION: