Add SSL_get0_peer_verify_algorithms.
Callers who use SSL_get0_certificate_types today will find an empty list
in TLS 1.3, which removed it. To provide feature parity, add an accessor
for the signature algorithms list. SSL_get_signature_algorithm_key_type
can be used to map it to a key type.
"Peer signature algorithms" was already taken in the public API by
SSL_get_peer_signature_algorithm, which refers to the algorithm the peer selected, so
I named this to match SSL_CTX_set_verify_algorithm_prefs.
Change-Id: I12d411d7350e744ed9f88c610df48e0d9fc13256
Reviewed-on: https://boringssl-review.googlesource.com/29684
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Vartanian <flooey@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index 572e79d..c96307d 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -2156,13 +2156,23 @@
return ssl->s3->negotiated_token_binding_param;
}
-size_t SSL_get0_certificate_types(SSL *ssl, const uint8_t **out_types) {
- if (ssl->server || ssl->s3->hs == NULL) {
- *out_types = NULL;
- return 0;
+size_t SSL_get0_certificate_types(const SSL *ssl, const uint8_t **out_types) {
+ Span<const uint8_t> types;
+ if (!ssl->server && ssl->s3->hs != nullptr) {
+ types = ssl->s3->hs->certificate_types;
}
- *out_types = ssl->s3->hs->certificate_types.data();
- return ssl->s3->hs->certificate_types.size();
+ *out_types = types.data();
+ return types.size();
+}
+
+size_t SSL_get0_peer_verify_algorithms(const SSL *ssl,
+ const uint16_t **out_sigalgs) {
+ Span<const uint16_t> sigalgs;
+ if (ssl->s3->hs != nullptr) {
+ sigalgs = ssl->s3->hs->peer_sigalgs;
+ }
+ *out_sigalgs = sigalgs.data();
+ return sigalgs.size();
}
EVP_PKEY *SSL_get_privatekey(const SSL *ssl) {
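Review bot: The pointer SSL_get0_peer_verify_algorithms writes into *out_sigalgs aliases ssl->s3->hs->peer_sigalgs, and the guard on `ssl->s3->hs != nullptr` shows the same call returns NULL and 0 once the handshake object is gone, so a caller that keeps the earlier pointer past that point is holding dangling memory without any signal. The header declaration is outside this hunk, so I cannot tell whether that lifetime is documented there; a comment on the definition along the lines of `// Aliases handshake-owned storage: valid only while ssl->s3->hs exists, after which *out_sigalgs is NULL and the result is 0.` would make the contract explicit and matches what SSL_get0_certificate_types above now does. Unlike SSL_get0_certificate_types, the new accessor does not check ssl->server; this is presumably intentional because either side may receive a signature_algorithms list, but that asymmetry is worth a sentence in the same comment so it is not later "fixed" to match.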