diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2012-09-07 12:53:42 +0000 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2012-09-07 12:53:42 +0000 |
| commit | 319354eb6c6cac74213d754dad105f71abc72547 (patch) | |
| tree | 656310e605df82ac0f5cac28d6f8f49fc1b25fbf | |
| parent | e7db9896bb9b94ee5a3255b4311322385b407c2f (diff) | |
store and print out message digest peer signed with in TLS 1.2
| -rw-r--r-- | apps/s_cb.c | 3 | ||||
| -rw-r--r-- | ssl/s3_lib.c | 19 | ||||
| -rw-r--r-- | ssl/ssl.h | 4 | ||||
| -rw-r--r-- | ssl/t1_lib.c | 5 |
4 files changed, 31 insertions, 0 deletions
diff --git a/apps/s_cb.c b/apps/s_cb.c index 550fa6cc33..b592870f96 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -409,10 +409,13 @@ static int do_print_sigalgs(BIO *out, SSL *s, int shared) int ssl_print_sigalgs(BIO *out, SSL *s) { + int mdnid; if (!SSL_is_server(s)) ssl_print_client_cert_types(out, s); do_print_sigalgs(out, s, 0); do_print_sigalgs(out, s, 1); + if (SSL_get_peer_signature_nid(s, &mdnid)) + BIO_printf(out, "Peer signing digest: %s\n", OBJ_nid2sn(mdnid)); return 1; } diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 0147e413ff..9484a7648f 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3458,6 +3458,25 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_SET_CHAIN_CERT_STORE: return ssl_cert_set_cert_store(s->cert, parg, 1, larg); + case SSL_CTRL_GET_PEER_SIGNATURE_NID: + if (TLS1_get_version(s) >= TLS1_2_VERSION) + { + if (s->session && s->session->sess_cert) + { + const EVP_MD *sig; + sig = s->session->sess_cert->peer_key->digest; + if (sig) + { + *(int *)parg = EVP_MD_type(sig); + return 1; + } + } + return 0; + } + /* Might want to do something here for other versions */ + else + return 0; + default: break; } @@ -1707,6 +1707,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) #define SSL_CTRL_BUILD_CERT_CHAIN 105 #define SSL_CTRL_SET_VERIFY_CERT_STORE 106 #define SSL_CTRL_SET_CHAIN_CERT_STORE 107 +#define SSL_CTRL_GET_PEER_SIGNATURE_NID 108 #define DTLSv1_get_timeout(ssl, arg) \ SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) @@ -1831,6 +1832,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) #define SSL_set1_client_certificate_types(s, clist, clistlen) \ SSL_ctrl(s,SSL_CTRL_SET_CLIENT_CERT_TYPES,clistlen,(char *)clist) +#define SSL_get_peer_signature_nid(s, pn) \ + SSL_ctrl(s,SSL_CTRL_GET_PEER_SIGNATURE_NID,0,pn) + #ifndef OPENSSL_NO_BIO BIO_METHOD *BIO_f_ssl(void); BIO *BIO_new_ssl(SSL_CTX *ctx,int client); diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index b3166d6254..8f54311d8a 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -922,6 +922,11 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_UNKNOWN_DIGEST); return 0; } + /* Store the digest used so applications can retrieve it if they + * wish. + */ + if (s->session && s->session->sess_cert) + s->session->sess_cert->peer_key->digest = *pmd; return 1; } /* Get a mask of disabled algorithms: an algorithm is disabled |