From patchwork Mon Oct 9 10:55:18 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Frank Lichtenheld X-Patchwork-Id: 3388 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7300:b412:b0:f2:62eb:61c1 with SMTP id dj18csp1947381dyb; Mon, 9 Oct 2023 03:55:50 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFLFijEde86q5Wh893rkRqkNFed/FCLiJdkv7uNoefhoxh53Cx7lzJqtusI0H/wc6kg2P9U X-Received: by 2002:a05:6a20:3d04:b0:13d:d5bd:758f with SMTP id y4-20020a056a203d0400b0013dd5bd758fmr19123340pzi.6.1696848950773; Mon, 09 Oct 2023 03:55:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696848950; cv=none; d=google.com; s=arc-20160816; b=d4HaFM+hEeHYng7UXbzyDVE5mnA9xvhlrkhZCxl7GnEo8UPkPE0nA04qhzU/1gByb3 r025UlqNCqUOiZ8JLlnJZS1Ewg+SQmjmq7f3LcleEUpQ4YRRsPFrxRdNcIoM+HMZYbb/ 3p0m6a9ZEJ5tKd0eTKhc8hRgOc3fckb2vebqWCqhnaMMuO8qgPOcfz16AqTUO1ZErPyR IzQXsll2SEBNtusvQGSJC00mnFkgKuWH0YsrpPfW6JPJcwo4REHBcDFhmQt9MkoSt++l R3CCDiZo/ULOKnaH95LCKjy7mQ7Dm9AY0K1JFE0VsQEoMS6dgP6SZhMtQpOqz41op8wr T8FQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature; bh=LqlobyUG7xYGz32xdjKQ893cwXuIZVCaIhVfAVgGHk0=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=Pk9s4jgsGNKFyc3F86CYfZAWIvRCkIv0Dgl3TOF9/QVi3TLFHR6SAykEWT2hwLEqg4 +duScWdBlVOaa0ZhLZnNmfndI8QBmj8+/+QeNWtImcr4PShB+T/OxZkL/8QG3ldn08+A ilvcW0Q53LBh7s52NI9khgh8+ne3LPtDzN8hfeF52qw1Fj3ldWEUfHHTuteEbJNZc3+E HOjkcVEIxxVGWxIwI9+WTlbEtLHsUWJL2nKaWlAZ3Th1zED8PKR2hQHts8E+dxtbVtoa EpfrX6kzZvoB2FnwBD3OBlhoQqrtLgrxyocRSbMRGwZi96xodzGpRVGgkwzB1RHRLgEa neEQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=EZx+n84A; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=MfeKa3Ka; dkim=neutral (body hash did not verify) header.i=@lichtenheld.com header.s=MBO0001 header.b=tv5hKo3e; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id d2-20020a170902cec200b001c61226fe40si10058145plg.392.2023.10.09.03.55.50 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 09 Oct 2023 03:55:50 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=EZx+n84A; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=MfeKa3Ka; dkim=neutral (body hash did not verify) header.i=@lichtenheld.com header.s=MBO0001 header.b=tv5hKo3e; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1qpnvB-00052z-Lj; Mon, 09 Oct 2023 10:55:33 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1qpnv9-00052m-Sv for openvpn-devel@lists.sourceforge.net; Mon, 09 Oct 2023 10:55:31 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=ExbDu+giR4cRt1bimvgk3fe4SBrK99IwI7tfkA8y2EE=; b=EZx+n84ACpAq5Up2JmmdfqOYb+ ASoCa2QWugkQ3Fqy4nEnCOxNWKx2Z7XDYLkszt1cTbQfY796QutzzA3tUgC0o0Zp21PGFCfM4+eTw 6cmfE8eLte0EMzRNMm3F3+inmL5s8Jb5iVzeO+KzopvCGfr8jQBFPI1sssYBjFVcypx4=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=ExbDu+giR4cRt1bimvgk3fe4SBrK99IwI7tfkA8y2EE=; b=MfeKa3KaMEbQHcN0tSLA7saPAf dW29MvGJzHEg4A4tkz7HIhI90uNS1eU52ryUQV8d9vzEQ+QP2mwibqezqBlhYZeBLGzy87/2R6xX8 ZVzqKTgqM5A22oju3TFiNGBQreUI5dIR3zQYfyHDkL1VFqc2gMzSvgt/vxIswMlQH5gg=; Received: from mout-p-202.mailbox.org ([80.241.56.172]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1qpnv7-0004mJ-ID for openvpn-devel@lists.sourceforge.net; Mon, 09 Oct 2023 10:55:31 +0000 Received: from smtp102.mailbox.org (smtp102.mailbox.org [IPv6:2001:67c:2050:b231:465::102]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-202.mailbox.org (Postfix) with ESMTPS id 4S3wsz4ZPCz9sp8; Mon, 9 Oct 2023 12:55:19 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lichtenheld.com; s=MBO0001; t=1696848919; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ExbDu+giR4cRt1bimvgk3fe4SBrK99IwI7tfkA8y2EE=; b=tv5hKo3ez6mX04qQlcH8Qw60OCVA09V72io5wEUAlOTZzNJGbzjFWfAVfD4Bk+ddpOMeal EV8LGhss4ZkjSuwqbHqxiFJX1ETYQPYYoXBuCiydYYuVsC73kIVEVWSd92zGwlaLrGohxP hh0KAJ0sfzidC7KriQtcFvf9yzeFxssOfmTiL05u5bRHc8Ea+U4wA3kMVlkaHnFs0R9C0h /Z4BatUPj/PRLyFDUBr2Fis6vZ88cUKWsHiiZ1wCwxxKHT5GyIBDrEEt2dUb3nzmnAGIkl XfbeJa90V0LKn7rcE7jEQhkhHD4NzuLqxOIWMo4ssH61IOTuUTH8KdC0KB6CeA== From: Frank Lichtenheld To: openvpn-devel@lists.sourceforge.net Date: Mon, 9 Oct 2023 12:55:18 +0200 Message-Id: <20231009105518.34432-1-frank@lichtenheld.com> In-Reply-To: References: MIME-Version: 1.0 X-Rspamd-Queue-Id: 4S3wsz4ZPCz9sp8 X-Spam-Score: -0.9 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Arne Schwabe The peer temporary key in TLS session is related to the PFS exchange/generation. From the SSL_get_peer_tmp_key manual page: For example, if ECDHE is in use, then this represents the peer's public ECDHE key. Content analysis details: (-0.9 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [80.241.56.172 listed in list.dnswl.org] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid X-Headers-End: 1qpnv7-0004mJ-ID Subject: [Openvpn-devel] [PATCH] Print peer temporary key details X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1779275084984349628?= X-GMAIL-MSGID: =?utf-8?q?1779275084984349628?= From: Arne Schwabe The peer temporary key in TLS session is related to the PFS exchange/generation. From the SSL_get_peer_tmp_key manual page: For example, if ECDHE is in use, then this represents the peer's public ECDHE key. Change-Id: Iaf12bb51a2aac7bcf19070f0b56fa3b1a5863bc3 Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/364 This mail reflects revision 6 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index efc85d4..f487b1b 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -75,6 +75,10 @@ #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT #endif +#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(ENABLE_CRYPTO_WOLFSSL)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL) +#define SSL_get_peer_tmp_key SSL_get_server_tmp_key +#endif + /* Functionality missing in 1.0.2 */ #if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(ENABLE_CRYPTO_WOLFSSL) /** diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index b5cc9a7..6ff2c1c 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -2052,18 +2052,11 @@ return ret; } -/** - * Print human readable information about the certifcate into buf - * @param cert the certificate being used - * @param buf output buffer - * @param buflen output buffer length - */ static void -print_cert_details(X509 *cert, char *buf, size_t buflen) +print_pkey_details(EVP_PKEY *pkey, char *buf, size_t buflen) { const char *curve = ""; const char *type = "(error getting type)"; - EVP_PKEY *pkey = X509_get_pubkey(cert); if (pkey == NULL) { @@ -2126,6 +2119,23 @@ #endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L */ } + openvpn_snprintf(buf, buflen, "%d bits %s%s", + EVP_PKEY_bits(pkey), type, curve); +} + +/** + * Print human readable information about the certificate into buf + * @param cert the certificate being used + * @param buf output buffer + * @param buflen output buffer length + */ +static void +print_cert_details(X509 *cert, char *buf, size_t buflen) +{ + EVP_PKEY *pkey = X509_get_pubkey(cert); + char pkeybuf[128] = { 0 }; + print_pkey_details(pkey, pkeybuf, sizeof(pkeybuf)); + char sig[128] = { 0 }; int signature_nid = X509_get_signature_nid(cert); if (signature_nid != 0) @@ -2134,8 +2144,27 @@ OBJ_nid2sn(signature_nid)); } - openvpn_snprintf(buf, buflen, ", peer certificate: %d bit %s%s%s", - EVP_PKEY_bits(pkey), type, curve, sig); + openvpn_snprintf(buf, buflen, ", peer certificate: %s%s", + pkeybuf, sig); + + EVP_PKEY_free(pkey); +} + +static void +print_server_tempkey(SSL *ssl, char *buf, size_t buflen) +{ + EVP_PKEY *pkey = NULL; + SSL_get_peer_tmp_key(ssl, &pkey); + if (!pkey) + { + return; + } + + char pkeybuf[128] = { 0 }; + print_pkey_details(pkey, pkeybuf, sizeof(pkeybuf)); + + openvpn_snprintf(buf, buflen, ", peer temporary key: %s", + pkeybuf); EVP_PKEY_free(pkey); } @@ -2153,8 +2182,9 @@ const SSL_CIPHER *ciph; char s1[256]; char s2[256]; + char s3[256]; - s1[0] = s2[0] = 0; + s1[0] = s2[0] = s3[0] = 0; ciph = SSL_get_current_cipher(ks_ssl->ssl); openvpn_snprintf(s1, sizeof(s1), "%s %s, cipher %s %s", prefix, @@ -2168,7 +2198,9 @@ print_cert_details(cert, s2, sizeof(s2)); X509_free(cert); } - msg(D_HANDSHAKE, "%s%s", s1, s2); + print_server_tempkey(ks_ssl->ssl, s3, sizeof(s3)); + + msg(D_HANDSHAKE, "%s%s%s", s1, s2, s3); } void