Commit 65e89736 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Use X509_get_signature_info to get signature strength. 



Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3585)
parent d3c094ca

ssl/t1_lib.c

+8 −9
Original line number Diff line number Diff line
@@ -2203,20 +2203,19 @@ static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op) 
static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)

{

    /* Lookup signature algorithm digest */

    int secbits = -1, md_nid = NID_undef, sig_nid;

    int secbits, nid, pknid;

    /* Don't check signature if self signed */

    if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)

        return 1;

    sig_nid = X509_get_signature_nid(x);

    if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {

        const EVP_MD *md;

        if (md_nid && (md = EVP_get_digestbynid(md_nid)))

            secbits = EVP_MD_size(md) * 4;

    }

    if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL))

        secbits = -1;

    /* If digest NID not defined use signature NID */

    if (nid == NID_undef)

        nid = pknid;

    if (s)

        return ssl_security(s, op, secbits, md_nid, x);

        return ssl_security(s, op, secbits, nid, x);

    else

        return ssl_ctx_security(ctx, op, secbits, md_nid, x);

        return ssl_ctx_security(ctx, op, secbits, nid, x);

}



int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)