store and print out message digest peer signed with in TLS 1.2
authorDr. Stephen Henson <steve@openssl.org>
Wed, 26 Dec 2012 16:23:13 +0000 (16:23 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 26 Dec 2012 16:23:13 +0000 (16:23 +0000)
(backport from HEAD)

apps/s_cb.c
ssl/s3_lib.c
ssl/ssl.h
ssl/t1_lib.c

index 550fa6cc33b5df0014cc196e6e332884f211d843..b592870f96eb606c714f8c00168174fb0c32d6b1 100644 (file)
@@ -409,10 +409,13 @@ static int do_print_sigalgs(BIO *out, SSL *s, int shared)
 
 int ssl_print_sigalgs(BIO *out, SSL *s)
        {
+       int mdnid;
        if (!SSL_is_server(s))
                ssl_print_client_cert_types(out, s);
        do_print_sigalgs(out, s, 0);
        do_print_sigalgs(out, s, 1);
+       if (SSL_get_peer_signature_nid(s, &mdnid))
+               BIO_printf(out, "Peer signing digest: %s\n", OBJ_nid2sn(mdnid));
        return 1;
        }
 
index 964e094da12b1fae10eb5800ae8c75b886a4cc38..177511da6898330fb2c3ff6e2e26e4879bf73bed 100644 (file)
@@ -3458,6 +3458,25 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
        case SSL_CTRL_SET_CHAIN_CERT_STORE:
                return ssl_cert_set_cert_store(s->cert, parg, 1, larg);
 
+       case SSL_CTRL_GET_PEER_SIGNATURE_NID:
+               if (TLS1_get_version(s) >= TLS1_2_VERSION)
+                       {
+                       if (s->session && s->session->sess_cert)
+                               {
+                               const EVP_MD *sig;
+                               sig = s->session->sess_cert->peer_key->digest;
+                               if (sig)
+                                       {
+                                       *(int *)parg = EVP_MD_type(sig);
+                                       return 1;
+                                       }
+                               }
+                       return 0;
+                       }
+               /* Might want to do something here for other versions */
+               else
+                       return 0;
+
        default:
                break;
                }
index 9d9dafeff92259bfb2c8eb39eacdc8bafa3f460a..4979a94ae3c62465672f1e8cec1e49a478ec639b 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1697,6 +1697,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_CTRL_BUILD_CERT_CHAIN              105
 #define SSL_CTRL_SET_VERIFY_CERT_STORE         106
 #define SSL_CTRL_SET_CHAIN_CERT_STORE          107
+#define SSL_CTRL_GET_PEER_SIGNATURE_NID                108
 
 #define DTLSv1_get_timeout(ssl, arg) \
        SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
@@ -1821,6 +1822,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_set1_client_certificate_types(s, clist, clistlen) \
        SSL_ctrl(s,SSL_CTRL_SET_CLIENT_CERT_TYPES,clistlen,(char *)clist)
 
+#define SSL_get_peer_signature_nid(s, pn) \
+       SSL_ctrl(s,SSL_CTRL_GET_PEER_SIGNATURE_NID,0,pn)
+
 #ifndef OPENSSL_NO_BIO
 BIO_METHOD *BIO_f_ssl(void);
 BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
index 2326cb9a4092c3e7cc7bd36bdb6ff64794afbcbb..8f6ced26184bde4f12a18a3c92cbefdc170421e3 100644 (file)
@@ -914,6 +914,11 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
                SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_UNKNOWN_DIGEST);
                return 0;
                }
+       /* Store the digest used so applications can retrieve it if they
+        * wish.
+        */
+       if (s->session && s->session->sess_cert)
+               s->session->sess_cert->peer_key->digest = *pmd;
        return 1;
        }
 /* Get a mask of disabled algorithms: an algorithm is disabled