Use X509_get_signature_info to get signature strength.

author Dr. Stephen Henson <steve@openssl.org>

Wed, 24 May 2017 21:01:00 +0000 (22:01 +0100)

committer Dr. Stephen Henson <steve@openssl.org>

Wed, 21 Jun 2017 13:11:01 +0000 (14:11 +0100)
author Dr. Stephen Henson <steve@openssl.org>
Wed, 24 May 2017 21:01:00 +0000 (22:01 +0100)
committer Dr. Stephen Henson <steve@openssl.org>
Wed, 21 Jun 2017 13:11:01 +0000 (14:11 +0100)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c

index 3c5e155066490f42cd4ef76c6b664da123ea005f..9112a0c4921c6638186c21dee7d4f16a11cad285 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2203,20 +2203,19 @@ static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
  static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
  {
      /* Lookup signature algorithm digest */
-    int secbits = -1, md_nid = NID_undef, sig_nid;
+    int secbits, nid, pknid;
      /* Don't check signature if self signed */
      if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
          return 1;
-    sig_nid = X509_get_signature_nid(x);
-    if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
-        const EVP_MD *md;
-        if (md_nid && (md = EVP_get_digestbynid(md_nid)))
-            secbits = EVP_MD_size(md) * 4;
-    }
+    if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL))
+        secbits = -1;
+    /* If digest NID not defined use signature NID */
+    if (nid == NID_undef)
+        nid = pknid;
      if (s)
-        return ssl_security(s, op, secbits, md_nid, x);
+        return ssl_security(s, op, secbits, nid, x);
      else
-        return ssl_ctx_security(ctx, op, secbits, md_nid, x);
+        return ssl_ctx_security(ctx, op, secbits, nid, x);
  }
  
  int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
author	Dr. Stephen Henson <steve@openssl.org>
	Wed, 24 May 2017 21:01:00 +0000 (22:01 +0100)
committer	Dr. Stephen Henson <steve@openssl.org>
	Wed, 21 Jun 2017 13:11:01 +0000 (14:11 +0100)