From patchwork Sat Jul 1 20:08:38 2023
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 3267
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 1 Jul 2023 22:08:38 +0200
Message-Id: <20230701200840.3516314-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 1/3] Print server temp key details

Change-Id: Iaf12bb51a2aac7bcf19070f0b56fa3b1a5863bc3 Signed-off-by: Arne Schwabe --- src/openvpn/ssl_openssl.c | 56 ++++++++++++++++++++++++++++++--------- 1 file changed, 44 insertions(+), 12 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 0b310de31..da1417b82 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -2050,18 +2050,11 @@ key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf) return ret; } -/** - * Print human readable information about the certifcate into buf - * @param cert the certificate being used - * @param buf output buffer - * @param buflen output buffer length - */ static void -print_cert_details(X509 *cert, char *buf, size_t buflen) +print_pkey_details(EVP_PKEY *pkey, char *buf, size_t buflen) { const char *curve = ""; const char *type = "(error getting type)"; - EVP_PKEY *pkey = X509_get_pubkey(cert); if (pkey == NULL) {
@@ -2124,6 +2117,23 @@ print_cert_details(X509 *cert, char *buf, size_t buflen) #endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L */ } + openvpn_snprintf(buf, buflen, "%d bits %s%s", + EVP_PKEY_bits(pkey), type, curve); +} + +/** + * Print human readable information about the certifcate into buf + * @param cert the certificate being used + * @param buf output buffer + * @param buflen output buffer length + */ +static void +print_cert_details(X509 *cert, char *buf, size_t buflen) +{ + EVP_PKEY *pkey = X509_get_pubkey(cert); + char pkeybuf[128] = { 0 }; + print_pkey_details(pkey, pkeybuf, sizeof(pkeybuf)); + char sig[128] = { 0 }; int signature_nid = X509_get_signature_nid(cert); if (signature_nid != 0) @@ -2132,8 +2142,27 @@ print_cert_details(X509 *cert, char *buf, size_t buflen) OBJ_nid2sn(signature_nid)); } - openvpn_snprintf(buf, buflen, ", peer certificate: %d bit %s%s%s", - EVP_PKEY_bits(pkey), type, curve, sig); + openvpn_snprintf(buf, buflen, ", peer certificate: %s%s", + pkeybuf, sig); + + EVP_PKEY_free(pkey); +} + +static void +print_server_tempkey(SSL *ssl, char *buf, size_t buflen) +{ + EVP_PKEY *pkey = NULL; + SSL_get_peer_tmp_key(ssl, &pkey); + if (!pkey) + { + return; + } + + char pkeybuf[128] = { 0 }; + print_pkey_details(pkey, pkeybuf, sizeof(pkeybuf)); + + openvpn_snprintf(buf, buflen, ", server temp key: %s", + pkeybuf); EVP_PKEY_free(pkey); } @@ -2151,8 +2180,9 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix) const SSL_CIPHER *ciph; char s1[256]; char s2[256]; + char s3[256]; - s1[0] = s2[0] = 0; + s1[0] = s2[0] = s3[0] = 0; ciph = SSL_get_current_cipher(ks_ssl->ssl); openvpn_snprintf(s1, sizeof(s1), "%s %s, cipher %s %s", prefix, @@ -2166,7 +2196,9 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix) print_cert_details(cert, s2, sizeof(s2)); X509_free(cert); } - msg(D_HANDSHAKE, "%s%s", s1, s2); + print_server_tempkey(ks_ssl->ssl, s3, sizeof(s3)); + + msg(D_HANDSHAKE, "%s%s%s", s1, s2, s3); } void
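Review bot: print_pkey_details, introduced in the first hunk (@@ -2050,18 +2050,11), is left without a doc comment: the block removed there is re-added only above print_cert_details in the next hunk. The helper now has two callers, so give it a short comment stating what it writes into buf (the "%d bits %s%s" string) and that a NULL pkey is accepted, which the retained "if (pkey == NULL)" check implies.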
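Review bot: the format string added in the second hunk (@@ -2124,6 +2117,23) changes the logged wording from "%d bit" to "%d bits", so the existing ", peer certificate:" part of the D_HANDSHAKE line changes for anything that matches on it. Either keep "bit" or mention the change in the commit message, which currently has no body. The doc comment re-added above print_cert_details also carries the "certifcate" typo over; this is a good moment to fix it.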
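Review bot: print_server_tempkey in the third hunk (@@ -2132,8 +2142,27) calls SSL_get_peer_tmp_key() with no version guard or compat fallback visible in the hunk; that call was introduced in OpenSSL 1.1.1, so builds against older OpenSSL need an #if or a compat shim around it. The call returns the peer's temporary key, so the ", server temp key:" label and the function name are only accurate on the client side; "peer temp key" would be correct on both ends. The function also has no doc comment, and writing buf[0] = 0 before the early return on a NULL pkey would stop it depending on the caller's s3[0] = 0 initialisation in print_details.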