From patchwork Sun Sep 19 06:29:56 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1957
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 19 Sep 2021 18:29:56 +0200
Message-Id: <20210919162956.695496-8-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20210919162956.695496-1-arne@rfc2549.org>
References: <20210919162956.695496-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 8/8] [OSSL 3.0] Use EVP_PKEY_get_group_name to query group name

EC_Key methods are deprecated in OpenSSL 3.0. Use EVP_PKEY_get_group_name
instead to query the EC group name from an EVP_PKEY and add a compatibility
function for older OpenSSL versions.
---
 src/openvpn/openssl_compat.h | 32 ++++++++++++++++++++++++++++++++
 src/openvpn/ssl_openssl.c    | 14 ++++++++------
 2 files changed, 40 insertions(+), 6 deletions(-)
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index ce8e2b360..933a71848 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -46,6 +46,38 @@ #include #include +/* Functionality missing in 1.1.1 */ +#if OPENSSL_VERSION_NUMBER < 0x30000000L + +/* Note that this is not a perfect emulation of the new function but + * is good enough for our case of printing certificate details during + * handshake */ +static inline +int EVP_PKEY_get_group_name(EVP_PKEY *pkey, char *gname, size_t gname_sz, + size_t *gname_len) + { + if ((EVP_PKEY_get0_EC_KEY(pkey) == NULL || + EVP_PKEY_get0_EC_KEY(pkey) != NULL)) + { + return 0; + } + const EC_KEY* ec = EVP_PKEY_get0_EC_KEY(pkey); + const EC_GROUP* group = EC_KEY_get0_group(ec); + + int nid = EC_GROUP_get_curve_name(group); + + if (nid != 0) + { + return 0; + } + const char *curve = OBJ_nid2sn(nid); + + strncpy(gname, curve, gname_sz); + *gname_len = min_int(strlen(curve), gname_sz); + return 1; +} +#endif + /* Functionality missing in 1.1.0 */ #if OPENSSL_VERSION_NUMBER < 0x10101000L && !defined(ENABLE_CRYPTO_WOLFSSL) #define SSL_CTX_set1_groups SSL_CTX_set1_curves diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 68cdb880c..dc0ae20a7 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -2049,13 +2049,15 @@ print_cert_details(X509 *cert, char *buf, size_t buflen) int typeid = EVP_PKEY_id(pkey); #ifndef OPENSSL_NO_EC - if (typeid == EVP_PKEY_EC && EVP_PKEY_get0_EC_KEY(pkey) != NULL) + char groupname[256]; + if (typeid == EVP_PKEY_EC) { - const EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); - const EC_GROUP *group = EC_KEY_get0_group(ec); - - int nid = EC_GROUP_get_curve_name(group); - if (nid == 0 || (curve = OBJ_nid2sn(nid)) == NULL) + size_t len; + if(EVP_PKEY_get_group_name(pkey, groupname, sizeof(groupname), &len)) + { + curve = groupname; + } + else { curve = "(error getting curve name)"; }
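Review bot: the guard at the top of the new EVP_PKEY_get_group_name() shim in openssl_compat.h, "if ((EVP_PKEY_get0_EC_KEY(pkey) == NULL || EVP_PKEY_get0_EC_KEY(pkey) != NULL))", is a tautology, so on OpenSSL < 3.0 the function returns 0 for every key and print_cert_details() will always fall back to "(error getting curve name)". The intended check is presumably a single "if (EVP_PKEY_get0_EC_KEY(pkey) == NULL)"; better still, fetch the EC_KEY once into the "ec" variable and test that for NULL instead of calling EVP_PKEY_get0_EC_KEY() three times. The nid test a few lines further down is inverted the same way: "if (nid != 0) { return 0; }" bails on exactly the named curves the function is meant to handle and lets NID_undef through to OBJ_nid2sn(); it should read "if (nid == 0)". Two more points inherited from the code this series removes in ssl_openssl.c: OBJ_nid2sn() can return NULL, which the old code checked and the shim does not before handing the pointer to strncpy(), and strncpy() does not NUL-terminate when the name does not fit in gname_sz, so either check strlen(curve) against gname_sz first or force gname[gname_sz - 1] = '\0' after the copy. Minor: min_int() takes ints while strlen() and gname_sz are size_t, so a plain size_t comparison avoids the narrowing conversion.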
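Review bot: in the ssl_openssl.c hunk, "size_t len;" is written by EVP_PKEY_get_group_name() but never read; either use it or drop the variable, bearing in mind that the compat shim added in openssl_compat.h writes through gname_len unconditionally, so passing NULL would first need a NULL check in the shim. Style: "if(EVP_PKEY_get_group_name(" is missing the space after "if" that the surrounding code uses (compare "if (typeid == EVP_PKEY_EC)" two lines above). One thing that is right and worth protecting with a comment: "char groupname[256];" is deliberately declared at function scope rather than inside the if block, because "curve = groupname;" is used after the block closes; a one-line comment saying so would stop a later cleanup from moving the buffer into the block and leaving curve dangling. Since the else branch is currently the only output a 1.1.1 build will ever produce until the shim's inverted checks are fixed, please test this patch against both 1.1.1 and 3.0 with an EC server certificate before merging.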