Use X509_get_signature_info to get signature strength.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3585)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 3c5e155..9112a0c 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2203,20 +2203,19 @@
static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
{
/* Lookup signature algorithm digest */
- int secbits = -1, md_nid = NID_undef, sig_nid;
+ int secbits, nid, pknid;
/* Don't check signature if self signed */
if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
return 1;
- sig_nid = X509_get_signature_nid(x);
- if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
- const EVP_MD *md;
- if (md_nid && (md = EVP_get_digestbynid(md_nid)))
- secbits = EVP_MD_size(md) * 4;
- }
+ if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL))
+ secbits = -1;
+ /* If digest NID not defined use signature NID */
+ if (nid == NID_undef)
+ nid = pknid;
if (s)
- return ssl_security(s, op, secbits, md_nid, x);
+ return ssl_security(s, op, secbits, nid, x);
else
- return ssl_ctx_security(ctx, op, secbits, md_nid, x);
+ return ssl_ctx_security(ctx, op, secbits, nid, x);
}
int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
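Review bot: When `X509_get_signature_info` returns 0, only `secbits` is reset, but `nid` and `pknid` are declared without initialisers and are still read by `if (nid == NID_undef)` and passed to `ssl_security` / `ssl_ctx_security`. Unless the callee is guaranteed to write every output even on failure (not visible in this hunk), the security-level callback could receive an indeterminate NID, whereas the removed code kept `md_nid = NID_undef` as a defined fallback. Declaring `int secbits = -1, nid = NID_undef, pknid = NID_undef;` would keep the failure path deterministic without relying on the callee's behaviour. The comment `/* If digest NID not defined use signature NID */` would also be clearer if it named the value actually substituted (`pknid`, presumably the signing public-key algorithm), and the leading `/* Lookup signature algorithm digest */` no longer describes what the function does.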