From: Dr. Stephen Henson Date: Wed, 26 Dec 2012 16:23:13 +0000 (+0000) Subject: store and print out message digest peer signed with in TLS 1.2 X-Git-Tag: OpenSSL_1_0_2-beta1~497 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=a50ecaee56e8e2ebf14ed122d15578acd2a2aa06;p=oweals%2Fopenssl.git store and print out message digest peer signed with in TLS 1.2 (backport from HEAD) --- diff --git a/apps/s_cb.c b/apps/s_cb.c index 550fa6cc33..b592870f96 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -409,10 +409,13 @@ static int do_print_sigalgs(BIO *out, SSL *s, int shared) int ssl_print_sigalgs(BIO *out, SSL *s) { + int mdnid; if (!SSL_is_server(s)) ssl_print_client_cert_types(out, s); do_print_sigalgs(out, s, 0); do_print_sigalgs(out, s, 1); + if (SSL_get_peer_signature_nid(s, &mdnid)) + BIO_printf(out, "Peer signing digest: %s\n", OBJ_nid2sn(mdnid)); return 1; } diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 964e094da1..177511da68 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3458,6 +3458,25 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_SET_CHAIN_CERT_STORE: return ssl_cert_set_cert_store(s->cert, parg, 1, larg); + case SSL_CTRL_GET_PEER_SIGNATURE_NID: + if (TLS1_get_version(s) >= TLS1_2_VERSION) + { + if (s->session && s->session->sess_cert) + { + const EVP_MD *sig; + sig = s->session->sess_cert->peer_key->digest; + if (sig) + { + *(int *)parg = EVP_MD_type(sig); + return 1; + } + } + return 0; + } + /* Might want to do something here for other versions */ + else + return 0; + default: break; } diff --git a/ssl/ssl.h b/ssl/ssl.h index 9d9dafeff9..4979a94ae3 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -1697,6 +1697,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) #define SSL_CTRL_BUILD_CERT_CHAIN 105 #define SSL_CTRL_SET_VERIFY_CERT_STORE 106 #define SSL_CTRL_SET_CHAIN_CERT_STORE 107 +#define SSL_CTRL_GET_PEER_SIGNATURE_NID 108 #define DTLSv1_get_timeout(ssl, arg) \ SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) @@ -1821,6 +1822,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) #define SSL_set1_client_certificate_types(s, clist, clistlen) \ SSL_ctrl(s,SSL_CTRL_SET_CLIENT_CERT_TYPES,clistlen,(char *)clist) +#define SSL_get_peer_signature_nid(s, pn) \ + SSL_ctrl(s,SSL_CTRL_GET_PEER_SIGNATURE_NID,0,pn) + #ifndef OPENSSL_NO_BIO BIO_METHOD *BIO_f_ssl(void); BIO *BIO_new_ssl(SSL_CTX *ctx,int client); diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 2326cb9a40..8f6ced2618 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -914,6 +914,11 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_UNKNOWN_DIGEST); return 0; } + /* Store the digest used so applications can retrieve it if they + * wish. + */ + if (s->session && s->session->sess_cert) + s->session->sess_cert->peer_key->digest = *pmd; return 1; } /* Get a mask of disabled algorithms: an algorithm is disabled