From b48f3ac82d52f2adc1786e0c4984a181414a14e4 Mon Sep 17 00:00:00 2001
From: Emmanuel Hocdet <manu@gandi.net>
Date: Thu, 2 Nov 2017 14:05:23 +0100
Subject: [PATCH 3/4] MINOR: ssl: add ssl_sock_get_cert_sign function

ssl_sock_get_cert_sign can be used to report the certificate's signature
digest algorithm (SHA1, SHA256, ...) to the log and to ppv2. It can only
work with openssl >= 1.0.1.
---
 include/proto/ssl_sock.h |  1 +
 src/ssl_sock.c           | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
index 6a268e969..dbb961aa6 100644
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
@@ -50,6 +50,7 @@ void ssl_sock_free_srv_ctx(struct server *srv);
 void ssl_sock_free_all_ctx(struct bind_conf *bind_conf);
 int ssl_sock_load_ca(struct bind_conf *bind_conf);
 void ssl_sock_free_ca(struct bind_conf *bind_conf);
+const char *ssl_sock_get_cert_sign(struct connection *conn);
 const char *ssl_sock_get_cipher_name(struct connection *conn);
 const char *ssl_sock_get_proto_version(struct connection *conn);
 void ssl_sock_set_servername(struct connection *conn, const char *hostname);
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f7b4e928f..cc26d6715 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5676,6 +5676,25 @@ int ssl_sock_get_pkey_algo(struct connection *conn, struct chunk *out)
 	return 1;
 }
 
+const char *ssl_sock_get_cert_sign(struct connection *conn)
+{
+#if (OPENSSL_VERSION_NUMBER >= 0x1000100fL)
+	__OPENSSL_110_CONST__ ASN1_OBJECT *algorithm;
+	int digest_nid;
+	X509 *crt;
+
+	if (!ssl_sock_is_ssl(conn))
+		return NULL;
+	crt = SSL_get_certificate(conn->xprt_ctx);
+	if (!crt)
+		return NULL;
+	X509_ALGOR_get0(&algorithm, NULL, NULL, X509_get0_tbs_sigalg(crt));
+	if (OBJ_find_sigid_algs(OBJ_obj2nid(algorithm), &digest_nid, NULL) && digest_nid != NID_undef)
+		return OBJ_nid2sn(digest_nid);
+#endif
+	return NULL;
+}
+
 /* used for logging/ppv2, may be changed for a sample fetch later */
 const char *ssl_sock_get_cipher_name(struct connection *conn)
 {
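Review bot: ssl_sock_get_cert_sign has no header comment, while its neighbour ssl_sock_get_cipher_name documents its intended use; a comment stating what the returned string is and who owns it would help the logging/ppv2 callers, e.g. `/* used for logging/ppv2: short name of the digest (e.g. "SHA256") of the signature on the certificate selected for this connection (SSL_get_certificate), or NULL. The string is an OpenSSL static (OBJ_nid2sn) and must not be freed. */`. Note that SSL_get_certificate returns the certificate this side loaded into the SSL object, not the peer's, which is worth spelling out in the comment so nobody mistakes it for a peer-cert fetch. Separately, the guard admits OpenSSL 1.0.1 but X509_get0_tbs_sigalg is a 1.1.0 accessor; this compiles on 1.0.x only if the project's compat layer (outside this hunk) provides it, which is worth confirming, and a LibreSSL/BoringSSL build that reports a large OPENSSL_VERSION_NUMBER would take this branch too. The `digest_nid != NID_undef` check correctly keeps signatures without a fixed digest (OBJ_find_sigid_algs returning NID_undef) on the NULL path.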
-- 
2.11.0

