1=pod 2 3=head1 NAME 4 5SSL_get_shared_sigalgs, SSL_get_sigalgs - get supported signature algorithms 6 7=head1 SYNOPSIS 8 9 #include <openssl/ssl.h> 10 11 int SSL_get_shared_sigalgs(SSL *s, int idx, 12 int *psign, int *phash, int *psignhash, 13 unsigned char *rsig, unsigned char *rhash); 14 15 int SSL_get_sigalgs(SSL *s, int idx, 16 int *psign, int *phash, int *psignhash, 17 unsigned char *rsig, unsigned char *rhash); 18 19=head1 DESCRIPTION 20 21SSL_get_shared_sigalgs() returns information about the shared signature 22algorithms supported by peer B<s>. The parameter B<idx> indicates the index 23of the shared signature algorithm to return starting from zero. The signature 24algorithm NID is written to B<*psign>, the hash NID to B<*phash> and the 25sign and hash NID to B<*psignhash>. The raw signature and hash values 26are written to B<*rsig> and B<*rhash>. 27 28SSL_get_sigalgs() is similar to SSL_get_shared_sigalgs() except it returns 29information about all signature algorithms supported by B<s> in the order 30they were sent by the peer. 31 32=head1 RETURN VALUES 33 34SSL_get_shared_sigalgs() and SSL_get_sigalgs() return the number of 35signature algorithms or B<0> if the B<idx> parameter is out of range. 36 37=head1 NOTES 38 39These functions are typically called for debugging purposes (to report 40the peer's preferences) or where an application wants finer control over 41certificate selection. Most applications will rely on internal handling 42and will not need to call them. 43 44If an application is only interested in the highest preference shared 45signature algorithm it can just set B<idx> to zero. 46 47Any or all of the parameters B<psign>, B<phash>, B<psignhash>, B<rsig> or 48B<rhash> can be set to B<NULL> if the value is not required. By setting 49them all to B<NULL> and setting B<idx> to zero the total number of 50signature algorithms can be determined: which can be zero. 51 52These functions must be called after the peer has sent a list of supported 53signature algorithms: after a client hello (for servers) or a certificate 54request (for clients). They can (for example) be called in the certificate 55callback. 56 57Only TLS 1.2, TLS 1.3 and DTLS 1.2 currently support signature algorithms. 58If these 59functions are called on an earlier version of TLS or DTLS zero is returned. 60 61The shared signature algorithms returned by SSL_get_shared_sigalgs() are 62ordered according to configuration and peer preferences. 63 64The raw values correspond to the on the wire form as defined by RFC5246 et al. 65The NIDs are OpenSSL equivalents. For example if the peer sent sha256(4) and 66rsa(1) then B<*rhash> would be 4, B<*rsign> 1, B<*phash> NID_sha256, B<*psig> 67NID_rsaEncryption and B<*psignhash> NID_sha256WithRSAEncryption. 68 69If a signature algorithm is not recognised the corresponding NIDs 70will be set to B<NID_undef>. This may be because the value is not supported, 71is not an appropriate combination (for example MD5 and DSA) or the 72signature algorithm does not use a hash (for example Ed25519). 73 74=head1 SEE ALSO 75 76L<SSL_CTX_set_cert_cb(3)>, 77L<ssl(7)> 78 79=head1 COPYRIGHT 80 81Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. 82 83Licensed under the Apache License 2.0 (the "License"). You may not use 84this file except in compliance with the License. You can obtain a copy 85in the file LICENSE in the source distribution or at 86L<https://www.openssl.org/source/license.html>. 87 88=cut 89