From 319354eb6c6cac74213d754dad105f71abc72547 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Fri, 7 Sep 2012 12:53:42 +0000
Subject: [PATCH] store and print out message digest peer signed with in TLS
 1.2

---
 apps/s_cb.c  |  3 +++
 ssl/s3_lib.c | 19 +++++++++++++++++++
 ssl/ssl.h    |  4 ++++
 ssl/t1_lib.c |  5 +++++
 4 files changed, 31 insertions(+)

diff --git a/apps/s_cb.c b/apps/s_cb.c
index 550fa6cc33..b592870f96 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -409,10 +409,13 @@ static int do_print_sigalgs(BIO *out, SSL *s, int shared)
 
 int ssl_print_sigalgs(BIO *out, SSL *s)
 	{
+	int mdnid;
 	if (!SSL_is_server(s))
 		ssl_print_client_cert_types(out, s);
 	do_print_sigalgs(out, s, 0);
 	do_print_sigalgs(out, s, 1);
+	if (SSL_get_peer_signature_nid(s, &mdnid))
+		BIO_printf(out, "Peer signing digest: %s\n", OBJ_nid2sn(mdnid));
 	return 1;
 	}
 
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 0147e413ff..9484a7648f 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3458,6 +3458,25 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 	case SSL_CTRL_SET_CHAIN_CERT_STORE:
 		return ssl_cert_set_cert_store(s->cert, parg, 1, larg);
 
+	case SSL_CTRL_GET_PEER_SIGNATURE_NID:
+		if (TLS1_get_version(s) >= TLS1_2_VERSION)
+			{
+			if (s->session && s->session->sess_cert)
+				{
+				const EVP_MD *sig;
+				sig = s->session->sess_cert->peer_key->digest;
+				if (sig)
+					{
+					*(int *)parg = EVP_MD_type(sig);
+					return 1;
+					}
+				}
+			return 0;
+			}
+		/* Might want to do something here for other versions */
+		else
+			return 0;
+
 	default:
 		break;
 		}
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 857cbf04b3..72504dbe92 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1707,6 +1707,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_CTRL_BUILD_CERT_CHAIN		105
 #define SSL_CTRL_SET_VERIFY_CERT_STORE		106
 #define SSL_CTRL_SET_CHAIN_CERT_STORE		107
+#define SSL_CTRL_GET_PEER_SIGNATURE_NID		108
 
 #define DTLSv1_get_timeout(ssl, arg) \
 	SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
@@ -1831,6 +1832,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_set1_client_certificate_types(s, clist, clistlen) \
 	SSL_ctrl(s,SSL_CTRL_SET_CLIENT_CERT_TYPES,clistlen,(char *)clist)
 
+#define SSL_get_peer_signature_nid(s, pn) \
+	SSL_ctrl(s,SSL_CTRL_GET_PEER_SIGNATURE_NID,0,pn)
+
 #ifndef OPENSSL_NO_BIO
 BIO_METHOD *BIO_f_ssl(void);
 BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index b3166d6254..8f54311d8a 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -922,6 +922,11 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
 		SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_UNKNOWN_DIGEST);
 		return 0;
 		}
+	/* Store the digest used so applications can retrieve it if they
+	 * wish.
+	 */
+	if (s->session && s->session->sess_cert)
+		s->session->sess_cert->peer_key->digest = *pmd;
 	return 1;
 	}
 /* Get a mask of disabled algorithms: an algorithm is disabled
-- 
2.34.1