store and print out message digest peer signed with in TLS 1.2
authorDr. Stephen Henson <steve@openssl.org>
Fri, 7 Sep 2012 12:53:42 +0000 (12:53 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 7 Sep 2012 12:53:42 +0000 (12:53 +0000)
apps/s_cb.c
ssl/s3_lib.c
ssl/ssl.h
ssl/t1_lib.c

index 550fa6c..b592870 100644 (file)
@@ -409,10 +409,13 @@ static int do_print_sigalgs(BIO *out, SSL *s, int shared)
 
 int ssl_print_sigalgs(BIO *out, SSL *s)
        {
+       int mdnid;
        if (!SSL_is_server(s))
                ssl_print_client_cert_types(out, s);
        do_print_sigalgs(out, s, 0);
        do_print_sigalgs(out, s, 1);
+       if (SSL_get_peer_signature_nid(s, &mdnid))
+               BIO_printf(out, "Peer signing digest: %s\n", OBJ_nid2sn(mdnid));
        return 1;
        }
 
index 0147e41..9484a76 100644 (file)
@@ -3458,6 +3458,25 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
        case SSL_CTRL_SET_CHAIN_CERT_STORE:
                return ssl_cert_set_cert_store(s->cert, parg, 1, larg);
 
+       case SSL_CTRL_GET_PEER_SIGNATURE_NID:
+               if (TLS1_get_version(s) >= TLS1_2_VERSION)
+                       {
+                       if (s->session && s->session->sess_cert)
+                               {
+                               const EVP_MD *sig;
+                               sig = s->session->sess_cert->peer_key->digest;
+                               if (sig)
+                                       {
+                                       *(int *)parg = EVP_MD_type(sig);
+                                       return 1;
+                                       }
+                               }
+                       return 0;
+                       }
+               /* Might want to do something here for other versions */
+               else
+                       return 0;
+
        default:
                break;
                }
index 857cbf0..72504db 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1707,6 +1707,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_CTRL_BUILD_CERT_CHAIN              105
 #define SSL_CTRL_SET_VERIFY_CERT_STORE         106
 #define SSL_CTRL_SET_CHAIN_CERT_STORE          107
+#define SSL_CTRL_GET_PEER_SIGNATURE_NID                108
 
 #define DTLSv1_get_timeout(ssl, arg) \
        SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
@@ -1831,6 +1832,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_set1_client_certificate_types(s, clist, clistlen) \
        SSL_ctrl(s,SSL_CTRL_SET_CLIENT_CERT_TYPES,clistlen,(char *)clist)
 
+#define SSL_get_peer_signature_nid(s, pn) \
+       SSL_ctrl(s,SSL_CTRL_GET_PEER_SIGNATURE_NID,0,pn)
+
 #ifndef OPENSSL_NO_BIO
 BIO_METHOD *BIO_f_ssl(void);
 BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
index b3166d6..8f54311 100644 (file)
@@ -922,6 +922,11 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
                SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_UNKNOWN_DIGEST);
                return 0;
                }
+       /* Store the digest used so applications can retrieve it if they
+        * wish.
+        */
+       if (s->session && s->session->sess_cert)
+               s->session->sess_cert->peer_key->digest = *pmd;
        return 1;
        }
 /* Get a mask of disabled algorithms: an algorithm is disabled