store and print out message digest peer signed with in TLS 1.2
(backport from HEAD)
This commit is contained in:
Dr. Stephen Henson
parent
67d9dcf003
commit
a50ecaee56
4 changed files with 31 additions and 0 deletions
|
|
@ -409,10 +409,13 @@ static int do_print_sigalgs(BIO *out, SSL *s, int shared)
|
|||
|
||||
int ssl_print_sigalgs(BIO *out, SSL *s)
|
||||
{
|
||||
int mdnid;
|
||||
if (!SSL_is_server(s))
|
||||
ssl_print_client_cert_types(out, s);
|
||||
do_print_sigalgs(out, s, 0);
|
||||
do_print_sigalgs(out, s, 1);
|
||||
if (SSL_get_peer_signature_nid(s, &mdnid))
|
||||
BIO_printf(out, "Peer signing digest: %s\n", OBJ_nid2sn(mdnid));
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
|
|
|||
19
ssl/s3_lib.c
19
ssl/s3_lib.c
|
|
@ -3458,6 +3458,25 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
|
|||
case SSL_CTRL_SET_CHAIN_CERT_STORE:
|
||||
return ssl_cert_set_cert_store(s->cert, parg, 1, larg);
|
||||
|
||||
case SSL_CTRL_GET_PEER_SIGNATURE_NID:
|
||||
if (TLS1_get_version(s) >= TLS1_2_VERSION)
|
||||
{
|
||||
if (s->session && s->session->sess_cert)
|
||||
{
|
||||
const EVP_MD *sig;
|
||||
sig = s->session->sess_cert->peer_key->digest;
|
||||
if (sig)
|
||||
{
|
||||
*(int *)parg = EVP_MD_type(sig);
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
/* Might want to do something here for other versions */
|
||||
else
|
||||
return 0;
|
||||
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1697,6 +1697,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
|
|||
#define SSL_CTRL_BUILD_CERT_CHAIN 105
|
||||
#define SSL_CTRL_SET_VERIFY_CERT_STORE 106
|
||||
#define SSL_CTRL_SET_CHAIN_CERT_STORE 107
|
||||
#define SSL_CTRL_GET_PEER_SIGNATURE_NID 108
|
||||
|
||||
#define DTLSv1_get_timeout(ssl, arg) \
|
||||
SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
|
||||
|
|
@ -1821,6 +1822,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
|
|||
#define SSL_set1_client_certificate_types(s, clist, clistlen) \
|
||||
SSL_ctrl(s,SSL_CTRL_SET_CLIENT_CERT_TYPES,clistlen,(char *)clist)
|
||||
|
||||
#define SSL_get_peer_signature_nid(s, pn) \
|
||||
SSL_ctrl(s,SSL_CTRL_GET_PEER_SIGNATURE_NID,0,pn)
|
||||
|
||||
#ifndef OPENSSL_NO_BIO
|
||||
BIO_METHOD *BIO_f_ssl(void);
|
||||
BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
|
||||
|
|
|
|||
|
|
@ -914,6 +914,11 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
|
|||
SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_UNKNOWN_DIGEST);
|
||||
return 0;
|
||||
}
|
||||
/* Store the digest used so applications can retrieve it if they
|
||||
* wish.
|
||||
*/
|
||||
if (s->session && s->session->sess_cert)
|
||||
s->session->sess_cert->peer_key->digest = *pmd;
|
||||
return 1;
|
||||
}
|
||||
/* Get a mask of disabled algorithms: an algorithm is disabled
|
||||
|
|
|
|||
Loading…
Reference in a new issue