authorDr. Stephen Henson <steve@openssl.org>2012-12-26 14:51:37 +0000
committerDr. Stephen Henson <steve@openssl.org>2012-12-26 14:51:37 +0000
commita897502cd9e4bf3d1fe7ccd0838643b3ca44031c (patch)
tree612a5020f946a2a019eec7a3df0d31d13cfe646c /apps
parent8546add6923d783b586ee94e1760f81ffae4e380 (diff)
Add new ctrl to retrieve client certificate types, print out
details in s_client. Also add ctrl to set client certificate types. If not used, sensible values will be included based on supported signature algorithms: for example, if we don't include any DSA signing algorithms, the DSA certificate type is omitted. Fix restriction in old code where certificate types would be truncated if it exceeded TLS_CT_NUMBER. (backport from HEAD)
Diffstat (limited to 'apps')
-rw-r--r--apps/s_apps.h2
-rw-r--r--apps/s_cb.c78
-rw-r--r--apps/s_client.c2
-rw-r--r--apps/s_server.c4
4 files changed, 77 insertions, 9 deletions
diff --git a/apps/s_apps.h b/apps/s_apps.h
index 3491b1ab69..c04e2d3611 100644
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -160,7 +160,7 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
int set_cert_key_and_authz(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
unsigned char *authz, size_t authz_length);
# endif
-int ssl_print_sigalgs(BIO *out, SSL *s, int client);
+int ssl_print_sigalgs(BIO *out, SSL *s);
int ssl_print_curves(BIO *out, SSL *s);
#endif
int init_client(int *sock, char *server, int port, int type);
diff --git a/apps/s_cb.c b/apps/s_cb.c
index bd487d35db..6e26d43de4 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -285,9 +285,75 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
return 1;
}
-static int do_print_sigalgs(BIO *out, SSL *s, int client, int shared)
+static void ssl_print_client_cert_types(BIO *bio, SSL *s)
{
- int i, nsig;
+ const unsigned char *p;
+ int i;
+ int cert_type_num = SSL_get0_certificate_types(s, &p);
+ if (!cert_type_num)
+ return;
+ BIO_puts(bio, "Client Certificate Types: ");
+ for (i = 0; i < cert_type_num; i++)
+ {
+ unsigned char cert_type = p[i];
+ char *cname;
+ switch(cert_type)
+ {
+ case TLS_CT_RSA_SIGN:
+ cname = "RSA sign";
+ break;
+
+ case TLS_CT_DSS_SIGN:
+ cname = "DSA sign";
+ break;
+
+ case TLS_CT_RSA_FIXED_DH:
+ cname = "RSA fixed DH";
+ break;
+
+ case TLS_CT_DSS_FIXED_DH:
+ cname = "DSS fixed DH";
+ break;
+
+ case TLS_CT_ECDSA_SIGN:
+ cname = "ECDSA sign";
+ break;
+
+ case TLS_CT_RSA_FIXED_ECDH:
+ cname = "RSA fixed ECDH";
+ break;
+
+ case TLS_CT_ECDSA_FIXED_ECDH:
+ cname = "ECDSA fixed ECDH";
+ break;
+
+ case TLS_CT_GOST94_SIGN:
+ cname = "GOST94 Sign";
+ break;
+
+ case TLS_CT_GOST01_SIGN:
+ cname = "GOST01 Sign";
+ break;
+
+ default:
+ cname = NULL;
+ }
+
+ if (i)
+ BIO_puts(bio, ", ");
+
+ if (cname)
+ BIO_puts(bio, cname);
+ else
+ BIO_printf(bio, "UNKNOWN (%d),", cert_type);
+ }
+ BIO_puts(bio, "\n");
+ }
+
+static int do_print_sigalgs(BIO *out, SSL *s, int shared)
+ {
+ int i, nsig, client;
+ client = SSL_is_server(s) ? 0 : 1;
if (shared)
nsig = SSL_get_shared_sigalgs(s, -1, NULL, NULL, NULL,
NULL, NULL);
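Review bot: The `default` branch of ssl_print_client_cert_types prints its own trailing comma, `"UNKNOWN (%d),"`, while the separator between entries is already emitted by the `if (i) BIO_puts(bio, ", ");` above it, so an unrecognised certificate type from the peer's CertificateRequest yields a doubled or dangling comma in the output; the format should be `BIO_printf(bio, "UNKNOWN (%d)", cert_type);`. Handling unknown values through the `default` case rather than a table lookup is the right shape here, since these bytes come off the wire and must not be used as an index. `cname` only ever holds string literals, so it should be declared `const char *cname;`. The early return tests `!cert_type_num` only; if SSL_get0_certificate_types can report an error with a negative count (not visible here), `if (cert_type_num <= 0) return;` would be the safer guard — worth confirming against the ctrl's definition. The body of do_print_sigalgs continues past the end of this hunk.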
@@ -334,10 +400,12 @@ static int do_print_sigalgs(BIO *out, SSL *s, int client, int shared)
return 1;
}
-int ssl_print_sigalgs(BIO *out, SSL *s, int client)
+int ssl_print_sigalgs(BIO *out, SSL *s)
{
- do_print_sigalgs(out, s, client, 0);
- do_print_sigalgs(out, s, client, 1);
+ if (!SSL_is_server(s))
+ ssl_print_client_cert_types(out, s);
+ do_print_sigalgs(out, s, 0);
+ do_print_sigalgs(out, s, 1);
return 1;
}
diff --git a/apps/s_client.c b/apps/s_client.c
index f8469f87c7..999bd2043c 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -2077,7 +2077,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
BIO_write(bio,"\n",1);
}
- ssl_print_sigalgs(bio, s, 1);
+ ssl_print_sigalgs(bio, s);
BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
BIO_number_read(SSL_get_rbio(s)),
diff --git a/apps/s_server.c b/apps/s_server.c
index 4b07cb0f07..92ca0a7f85 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -2575,7 +2575,7 @@ static int init_ssl_connection(SSL *con)
if (SSL_get_shared_ciphers(con,buf,sizeof buf) != NULL)
BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
- ssl_print_sigalgs(bio_s_out, con, 0);
+ ssl_print_sigalgs(bio_s_out, con);
ssl_print_curves(bio_s_out, con);
BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
@@ -2890,7 +2890,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
}
BIO_puts(io,"\n");
}
- ssl_print_sigalgs(io, con, 0);
+ ssl_print_sigalgs(io, con);
ssl_print_curves(io, con);
BIO_printf(io,(SSL_cache_hit(con)
?"---\nReused, "