MINOR: Add "sigalg" to "sigalg name" helper function

This function can be used to convert a TLSv1.3 sigAlg entry (2bytes)
from the signature_agorithms client hello extension into a string.

In order to ease debugging, some TLSv1.2 combinations can also be
dumped. In TLSv1.2 those signature algorithms pairs were built out of a
one byte signature identifier combined to a one byte hash identifier.
In TLSv1.3 those identifiers are two bytes blocs that must be treated as
such.

diff --git a/include/haproxy/ssl_utils.h b/include/haproxy/ssl_utils.h
index 5493ba7aec3a680fe7292c8f01e0bb0d09abbb22..a0181215978556d636608b10ff1e050d15143599 100644 (file)
--- a/include/haproxy/ssl_utils.h
+++ b/include/haproxy/ssl_utils.h
@@ -53,6 +53,7 @@ time_t x509_get_notafter_time_t(X509 *cert);
 #endif
 int curves2nid(const char *curve);
 const char *nid2nist(int nid);
+const char *sigalg2str(int sigalg);
 
 #endif /* _HAPROXY_SSL_UTILS_H */
 #endif /* USE_OPENSSL */

diff --git a/src/ssl_utils.c b/src/ssl_utils.c
index 7219c2a6612a8b4b8d0302e3e69fcbb92a2d1914..916e230f0df8e72debb1e05e5ee47be9c2b92c56 100644 (file)
--- a/src/ssl_utils.c
+++ b/src/ssl_utils.c
@@ -824,3 +824,102 @@ const char *nid2nist(int nid)
        }
 }
 
+
+/* https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3
+ * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme
+ * Sigalg identifier to sigalg name table.
+ * Some TLSv1.2 combinations are included as well to ease debugging. */
+static struct sigalgs { const char *name; int sigalg; } sigalgs_list [] =
+{
+       /* RSASSA-PKCS1-v1_5 algorithms */
+       { "rsa_pkcs1_sha256", 0x0401 },
+       { "rsa_pkcs1_sha384", 0x0501 },
+       { "rsa_pkcs1_sha512", 0x0601 },
+
+       /* ECDSA algorithms */
+       { "ecdsa_secp256r1_sha256", 0x0403 },
+       { "ecdsa_secp384r1_sha384", 0x0503 },
+       { "ecdsa_secp521r1_sha512", 0x0603 },
+
+       /* RSASSA-PSS algorithms with public key OID rsaEncryption */
+       { "rsa_pss_rsae_sha256", 0x0804 },
+       { "rsa_pss_rsae_sha384", 0x0805 },
+       { "rsa_pss_rsae_sha512", 0x0806 },
+
+       /* EdDSA algorithms */
+       { "ed25519", 0x0807 },
+       { "ed448", 0x0808 },
+
+       /* RSASSA-PSS algorithms with public key OID RSASSA-PSS */
+       { "rsa_pss_pss_sha256", 0x0809 },
+       { "rsa_pss_pss_sha384", 0x080a },
+       { "rsa_pss_pss_sha512", 0x080b },
+
+       /* Legacy algorithms */
+       { "rsa_pkcs1_sha1", 0x0201 },
+       { "ecdsa_sha1", 0x0203 },
+
+
+       /* Other IANA codes */
+       /* https://datatracker.ietf.org/doc/draft-davidben-tls13-pkcs1/00/ */
+       { "rsa_pkcs1_sha256_legacy", 0x0420 },
+       { "rsa_pkcs1_sha384_legacy", 0x0520 },
+       { "rsa_pkcs1_sha512_legacy", 0x0620 },
+
+       /* https://datatracker.ietf.org/doc/draft-wang-tls-raw-public-key-with-ibc/02/ */
+       { "eccsi_sha256", 0x0704 },
+       { "iso_ibs1", 0x0705 },
+       { "iso_ibs2", 0x0706 },
+       { "iso_chinese_ibs", 0x0707 },
+
+       /* RFC 8998 */
+       { "sm2sig_sm3", 0x0708 },
+
+       /* RFC 9367 */
+       { "gostr34102012_256a", 0x0709 },
+       { "gostr34102012_256b", 0x070A },
+       { "gostr34102012_256c", 0x070B },
+       { "gostr34102012_256d", 0x070C },
+       { "gostr34102012_512a", 0x070D },
+       { "gostr34102012_512b", 0x070E },
+       { "gostr34102012_512c", 0x070F },
+
+       /* RFC 8734 */
+       { "ecdsa_brainpoolP256r1tls13_sha256", 0x081A },
+       { "ecdsa_brainpoolP384r1tls13_sha384", 0x081B },
+       { "ecdsa_brainpoolP512r1tls13_sha512", 0x081C },
+
+
+       /* TLSv1.2 backward compatibility */
+       { "dsa_sha256", 0x0402 },
+       { "dsa_sha384", 0x0502 },
+       { "dsa_sha512", 0x0602 },
+       { "dsa_sha224", 0x0302 },
+       { "dsa_sha1", 0x0202 },
+
+       { "ecdsa_sha224", 0x0303 },
+       { "ecdsa_sha1", 0x0203 },
+
+
+       /* RFC 9189 */
+       { "gostr34102012_256_intrinsic", 0x0840 },
+       { "gostr34102012_512_intrinsic", 0x0841 },
+
+       { NULL, 0 }
+};
+
+/* Convert a signature algorithm identifier (2 bytes) to name */
+const char *sigalg2str(int sigalg)
+{
+       struct sigalgs *item = sigalgs_list;
+
+       while (item->name) {
+               if (item->sigalg == sigalg)
+                       return item->name;
+
+               ++item;
+       }
+
+       return NULL;
+}
+