MINOR: Add "sigalg" to "sigalg name" helper function

This function can be used to convert a TLSv1.3 sigAlg entry (2bytes) from the signature_agorithms client hello extension into a string. In order to ease debugging, some TLSv1.2 combinations can also be dumped. In TLSv1.2 those signature algorithms pairs were built out of a one byte signature identifier combined to a one byte hash identifier. In TLSv1.3 those identifiers are two bytes blocs that must be treated as such.
2025-04-18 17:26:49 +02:00 · 2025-04-18 17:26:49 +02:00 · 08e40f4589
commit 08e40f4589
parent 566b384e4e
2 changed files with 100 additions and 0 deletions
--- a/include/haproxy/ssl_utils.h
+++ b/include/haproxy/ssl_utils.h
@ -53,6 +53,7 @@ time_t x509_get_notafter_time_t(X509 *cert);
 #endif
 int curves2nid(const char *curve);
 const char *nid2nist(int nid);
+const char *sigalg2str(int sigalg);

 #endif /* _HAPROXY_SSL_UTILS_H */
 #endif /* USE_OPENSSL */
--- a/src/ssl_utils.c
+++ b/src/ssl_utils.c
@ -824,3 +824,102 @@ const char *nid2nist(int nid)
 	}
 }

+
+/* https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3
+ * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme
+ * Sigalg identifier to sigalg name table.
+ * Some TLSv1.2 combinations are included as well to ease debugging. */
+static struct sigalgs { const char *name; int sigalg; } sigalgs_list [] =
+{
+	/* RSASSA-PKCS1-v1_5 algorithms */
+	{ "rsa_pkcs1_sha256", 0x0401 },
+	{ "rsa_pkcs1_sha384", 0x0501 },
+	{ "rsa_pkcs1_sha512", 0x0601 },
+
+	/* ECDSA algorithms */
+	{ "ecdsa_secp256r1_sha256", 0x0403 },
+	{ "ecdsa_secp384r1_sha384", 0x0503 },
+	{ "ecdsa_secp521r1_sha512", 0x0603 },
+
+	/* RSASSA-PSS algorithms with public key OID rsaEncryption */
+	{ "rsa_pss_rsae_sha256", 0x0804 },
+	{ "rsa_pss_rsae_sha384", 0x0805 },
+	{ "rsa_pss_rsae_sha512", 0x0806 },
+
+	/* EdDSA algorithms */
+	{ "ed25519", 0x0807 },
+	{ "ed448", 0x0808 },
+
+	/* RSASSA-PSS algorithms with public key OID RSASSA-PSS */
+	{ "rsa_pss_pss_sha256", 0x0809 },
+	{ "rsa_pss_pss_sha384", 0x080a },
+	{ "rsa_pss_pss_sha512", 0x080b },
+
+	/* Legacy algorithms */
+	{ "rsa_pkcs1_sha1", 0x0201 },
+	{ "ecdsa_sha1", 0x0203 },
+
+
+	/* Other IANA codes */
+	/* https://datatracker.ietf.org/doc/draft-davidben-tls13-pkcs1/00/ */
+	{ "rsa_pkcs1_sha256_legacy", 0x0420 },
+	{ "rsa_pkcs1_sha384_legacy", 0x0520 },
+	{ "rsa_pkcs1_sha512_legacy", 0x0620 },
+
+	/* https://datatracker.ietf.org/doc/draft-wang-tls-raw-public-key-with-ibc/02/ */
+	{ "eccsi_sha256", 0x0704 },
+	{ "iso_ibs1", 0x0705 },
+	{ "iso_ibs2", 0x0706 },
+	{ "iso_chinese_ibs", 0x0707 },
+
+	/* RFC 8998 */
+	{ "sm2sig_sm3", 0x0708 },
+
+	/* RFC 9367 */
+	{ "gostr34102012_256a", 0x0709 },
+	{ "gostr34102012_256b", 0x070A },
+	{ "gostr34102012_256c", 0x070B },
+	{ "gostr34102012_256d", 0x070C },
+	{ "gostr34102012_512a", 0x070D },
+	{ "gostr34102012_512b", 0x070E },
+	{ "gostr34102012_512c", 0x070F },
+
+	/* RFC 8734 */
+	{ "ecdsa_brainpoolP256r1tls13_sha256", 0x081A },
+	{ "ecdsa_brainpoolP384r1tls13_sha384", 0x081B },
+	{ "ecdsa_brainpoolP512r1tls13_sha512", 0x081C },
+
+
+	/* TLSv1.2 backward compatibility */
+	{ "dsa_sha256", 0x0402 },
+	{ "dsa_sha384", 0x0502 },
+	{ "dsa_sha512", 0x0602 },
+	{ "dsa_sha224", 0x0302 },
+	{ "dsa_sha1", 0x0202 },
+
+	{ "ecdsa_sha224", 0x0303 },
+	{ "ecdsa_sha1", 0x0203 },
+
+
+	/* RFC 9189 */
+	{ "gostr34102012_256_intrinsic", 0x0840 },
+	{ "gostr34102012_512_intrinsic", 0x0841 },
+
+	{ NULL, 0 }
+};
+
+/* Convert a signature algorithm identifier (2 bytes) to name */
+const char *sigalg2str(int sigalg)
+{
+	struct sigalgs *item = sigalgs_list;
+
+	while (item->name) {
+		if (item->sigalg == sigalg)
+			return item->name;
+
+		++item;
+	}
+
+	return NULL;
+}
+