From 42ef7aead2b310a183e53a4d336a6706395b5c17 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 25 Jan 2017 23:28:57 +0000 Subject: [PATCH] Add SSL_get_peer_signature_type_nid() function. Add function to retrieve signature type: in the case of RSA keys the signature type can be EVP_PKEY_RSA or EVP_PKEY_RSA_PSS. Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/2301) --- apps/s_cb.c | 39 ++++++++++++++++++++++++++++----------- include/openssl/tls1.h | 2 ++ ssl/t1_lib.c | 8 ++++++++ 3 files changed, 38 insertions(+), 11 deletions(-) diff --git a/apps/s_cb.c b/apps/s_cb.c index 5026d904c7..2c7fce5272 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -213,6 +213,26 @@ static void ssl_print_client_cert_types(BIO *bio, SSL *s) BIO_puts(bio, "\n"); } +static const char *get_sigtype(int nid) +{ + switch (nid) { + case EVP_PKEY_RSA: + return "RSA"; + + case EVP_PKEY_RSA_PSS: + return "RSA-PSS"; + + case EVP_PKEY_DSA: + return "DSA"; + + case EVP_PKEY_EC: + return "ECDSA"; + + default: + return NULL; + } +} + static int do_print_sigalgs(BIO *out, SSL *s, int shared) { int i, nsig, client; @@ -241,14 +261,7 @@ static int do_print_sigalgs(BIO *out, SSL *s, int shared) SSL_get_sigalgs(s, i, &sign_nid, &hash_nid, NULL, &rsign, &rhash); if (i) BIO_puts(out, ":"); - if (sign_nid == EVP_PKEY_RSA) - sstr = "RSA"; - else if (sign_nid == EVP_PKEY_RSA_PSS) - sstr = "RSA-PSS"; - else if (sign_nid == EVP_PKEY_DSA) - sstr = "DSA"; - else if (sign_nid == EVP_PKEY_EC) - sstr = "ECDSA"; + sstr= get_sigtype(sign_nid); if (sstr) BIO_printf(out, "%s+", sstr); else @@ -264,13 +277,15 @@ static int do_print_sigalgs(BIO *out, SSL *s, int shared) int ssl_print_sigalgs(BIO *out, SSL *s) { - int mdnid; + int nid; if (!SSL_is_server(s)) ssl_print_client_cert_types(out, s); do_print_sigalgs(out, s, 0); do_print_sigalgs(out, s, 1); - if (SSL_get_peer_signature_nid(s, &mdnid)) - BIO_printf(out, "Peer signing digest: %s\n", OBJ_nid2sn(mdnid)); + if (SSL_get_peer_signature_nid(s, &nid)) + BIO_printf(out, "Peer signing digest: %s\n", OBJ_nid2sn(nid)); + if (SSL_get_peer_signature_type_nid(s, &nid)) + BIO_printf(bio_err, "Peer signature type: %s\n", get_sigtype(nid)); return 1; } @@ -1090,6 +1105,8 @@ void print_ssl_summary(SSL *s) BIO_puts(bio_err, "\n"); if (SSL_get_peer_signature_nid(s, &nid)) BIO_printf(bio_err, "Hash used: %s\n", OBJ_nid2sn(nid)); + if (SSL_get_peer_signature_type_nid(s, &nid)) + BIO_printf(bio_err, "Signature type: %s\n", get_sigtype(nid)); print_verify_detail(s, bio_err); } else BIO_puts(bio_err, "No peer certificate\n"); diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h index 328b266116..a4258ac886 100644 --- a/include/openssl/tls1.h +++ b/include/openssl/tls1.h @@ -252,6 +252,8 @@ __owur int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, const unsigned char *p, size_t plen, int use_context); +int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid); + int SSL_get_sigalgs(SSL *s, int idx, int *psign, int *phash, int *psignandhash, unsigned char *rsig, unsigned char *rhash); diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 668de7ba93..36f2827064 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -899,6 +899,14 @@ int tls12_check_peer_sigalg(SSL *s, unsigned int sig, EVP_PKEY *pkey) return 1; } +int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid) +{ + if (s->s3->tmp.peer_sigtype == NID_undef) + return 0; + *pnid = s->s3->tmp.peer_sigtype; + return 1; +} + /* * Set a mask of disabled algorithms: an algorithm is disabled if it isn't * supported, doesn't appear in supported signature algorithms, isn't supported -- 2.25.1