From patchwork Fri Feb 9 11:10:00 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Frank Lichtenheld X-Patchwork-Id: 3610 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:e8a8:b0:554:adf7:68e6 with SMTP id oz40csp786249mab; Fri, 9 Feb 2024 03:10:31 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCUpz/nAmlN0ChssBFaCcDTR01xwwOp19qCp8vhJtFbGaPYDUfG0YfEfjXfITVBho+BAryT49QCwhwJSwflHMDqxzE/y/Dc= X-Google-Smtp-Source: AGHT+IEDiFVKvVBCWj9BdwM10b0U4kY8PMvVyF/42vjYkv1leyYwqKeEi0g4N7s/WoYsEv0zMq25 X-Received: by 2002:a05:6358:890:b0:178:9f1d:65e9 with SMTP id m16-20020a056358089000b001789f1d65e9mr1101277rwj.2.1707477030944; Fri, 09 Feb 2024 03:10:30 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1707477030; cv=none; d=google.com; s=arc-20160816; b=V+dl4gcGbHGsfFRpMN38eBAqE8ccZq6oE/Z0lK2Cgb9DO4s6s30ephnocrLTmEHm/h MXePlPi1qV9epckS5Fu2NtjgwG4RifZm1HcVXfJKTd3mzx6CwHipo/fih/z32XssJvHC 17yal+dkxtR1VUHdQu5+oxP5/OCdQgpiJ/T/V8CPxtwRg1tua0TLxKkIb1uEUr0VNHxn OiB5TpjU+PliD5jrTZ0D8NfpvfYRCBde1DkC8JMlCJzKypGZm7O8PCD+M74wS7kXAoUY /n+HrP991dFWHmX+SxnGXUBrEsy71qssL6fuuzw/MoxwSPjNb4GUzQM3ANp1T3uSluZg 2jpQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature; bh=EXajUHLfwx8JnGBKPbjLkPbNRsD3AyUSyA4uCVphwt4=; fh=WGBHuPt6VVPX1Al5T6v50AkKWAbdlSI9XLR3ov1xGnQ=; b=Cdfvz4n7bEdyOgiMKgPS+c1YSAci5FTmCGukEiVk6YsLulL+iIqUAYvgMEvUkSGKr+ QlHNrc0hBuydB32BuKB4YS4zf9TD1GMqyTh2Aeajhdjzr6W0VaqbIe7+jcMO9QAKAq0Q LI8Wdq4iCDbWuJtXTa92TNmT3C9/AODTlKWDepndL6ykVljozSKM+AvytocUf2LakG3m 2V7VD67ZvGwhzZlrbD3nJZ9yEtGo/yGoRpBGBpUV7lEzBTEQSlsYhBmw2eQ0tFCbgFWc j7CJMbQpZzTgmQxa2HjIEdU1vcP6bl3bgp0TspXmkH3JF5cbEEpSAY//iAL/hZ4vIDFD vOLQ==; darn=openvpn.net ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=AQRKXHZC; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=bm0ulU5Z; dkim=neutral (body hash did not verify) header.i=@lichtenheld.com header.s=MBO0001 header.b=Cg24xHN1; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net X-Forwarded-Encrypted: i=1; AJvYcCX6R6tlUhGPKMDoqiPEO27LTO7dSW1NrFw21S5vhpO0mo5t+R1dwWY5sOM+TC90e1eaP/D9dAXAmZebcpznGCy3dIQ/tlRs8Dsxl0cRATKV+ke2R/XDEtJOd9BolQS0Iu5ZXwGCb54RAdh8oUPv4To2lJcDZHI= Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id d6-20020aa78e46000000b006e045c176fcsi127467pfr.324.2024.02.09.03.10.30 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 09 Feb 2024 03:10:30 -0800 (PST) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=AQRKXHZC; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=bm0ulU5Z; dkim=neutral (body hash did not verify) header.i=@lichtenheld.com header.s=MBO0001 header.b=Cg24xHN1; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1rYOlo-0000D1-3s; Fri, 09 Feb 2024 11:10:12 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1rYOlm-0000Co-M4 for openvpn-devel@lists.sourceforge.net; Fri, 09 Feb 2024 11:10:11 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=BlRdYUfo33tKfzuw+IyBZRl7isd/PCeBXnDq0UFy504=; b=AQRKXHZCYjRJs8UYx0/5OlEatd vSuMG1dEp6ji5Iz4k7jcI6HA6o9X9XjmTu6eTuOTVd+UJvoq9W05kP6CIbxg5z72NmIDl7Zg1h5K0 oOMpr4RukexZwRO+lPNA1UqcFT4gAn4WPzSKS7OMpV0Vsuq9ZMhT+aIQ1NQs51SdgGk4=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=BlRdYUfo33tKfzuw+IyBZRl7isd/PCeBXnDq0UFy504=; b=bm0ulU5ZUs+8gwK7ORwxVdJ66t mkx4MrQb1fxQOXcivf+g1w6yVbd7TLIT2IGszN26WP1kOkWa5iWmCqU5U/esLsy9PdlZoDUTnJpi+ 1BxMLTlgyOBHZLBWeO8lj9snYGR7g+MrgtGLIfZb8ZEHoiHZCunqiRKJe9MmA1O5tlEM=; Received: from mout-p-201.mailbox.org ([80.241.56.171]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1rYOll-0008Gn-Gh for openvpn-devel@lists.sourceforge.net; Fri, 09 Feb 2024 11:10:11 +0000 Received: from smtp102.mailbox.org (smtp102.mailbox.org [IPv6:2001:67c:2050:b231:465::102]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-201.mailbox.org (Postfix) with ESMTPS id 4TWWN93yhzz9tLk; Fri, 9 Feb 2024 12:10:01 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lichtenheld.com; s=MBO0001; t=1707477001; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=BlRdYUfo33tKfzuw+IyBZRl7isd/PCeBXnDq0UFy504=; b=Cg24xHN1caKlWKPH+O7taxWKMFWgqAWExzJm023r+iiW/1ID5i+qi5opHMrLkjCXAqlrvV I4Gw0UEg0/CtCqfi5H1YFx2zcBYgr7FDoJ6WJgpyaiCb0GPcfsu5xa8ZbuY21iYW90AOGM Iyznlq1AOikSkf7juJ2/z12URVyM3ybm/EfOsiMOiKVifiHdIr3ta+Hr4M5v+xEHdNopsG md2b1gL29z4rAcp+cxyLggH4UpdQoqqbKvGiiklZPxfbUk+hZOHAocf9uMbSWn2iJVP6aB L1RH8/hYEfw3INIkBN5P36TCLF65w76Sg8834o26yBqtWqQ0/HHQpJq301lzEQ== From: Frank Lichtenheld To: openvpn-devel@lists.sourceforge.net Date: Fri, 9 Feb 2024 12:10:00 +0100 Message-Id: <20240209111000.16258-1-frank@lichtenheld.com> In-Reply-To: References: MIME-Version: 1.0 X-Rspamd-Queue-Id: 4TWWN93yhzz9tLk X-Spam-Score: -0.9 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Arne Schwabe This is more SSL debug information that most people do not really need or care about. OpenSSL's own s_client also logs them: Peer signing digest: SHA256 Peer signature type: ECDSA Content analysis details: (-0.9 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [80.241.56.171 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Headers-End: 1rYOll-0008Gn-Gh Subject: [Openvpn-devel] [PATCH v9] Print SSL peer signature information in handshake debug details X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1790419434992635388?= X-GMAIL-MSGID: =?utf-8?q?1790419434992635388?= From: Arne Schwabe This is more SSL debug information that most people do not really need or care about. OpenSSL's own s_client also logs them: Peer signing digest: SHA256 Peer signature type: ECDSA The complete message looks like this: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, server temp key: 253 bits X25519, peer signing digest/type: SHA256 RSASSA-PSS or when forcing a specific group via tls-groups X448 with a ECDSA server: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 384 bits ECsecp384r1, signature: ecdsa-with-SHA256, server temp key: 448 bits X448, peer signing digest/type: SHA384 ECDSA Change-Id: Ib5fc0c4b8f164596681ac5ad73002068ec6de1e5 Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/365 This mail reflects revision 9 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index c30e6a9..9b6027c 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -2166,6 +2166,83 @@ EVP_PKEY_free(pkey); } +#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x1010000fL +/** + * Translate an OpenSSL NID into a more human readable name + * @param nid + * @return + */ +static const char * +get_sigtype(int nid) +{ + /* Fix a few OpenSSL names to be better understandable */ + switch (nid) + { + case EVP_PKEY_RSA: + /* will otherwise say rsaEncryption */ + return "RSA"; + + case EVP_PKEY_DSA: + /* dsaEncryption otherwise */ + return "DSA"; + + case EVP_PKEY_EC: + /* will say id-ecPublicKey */ + return "ECDSA"; + + case -1: + return "(error getting name)"; + + default: + return OBJ_nid2sn(nid); + } +} +#endif /* ifndef LIBRESSL_VERSION_NUMBER */ + +/** + * Get the type of the signature that is used by the peer during the + * TLS handshake + */ +static void +print_peer_signature(SSL *ssl, char *buf, size_t buflen) +{ + int peer_sig_nid = NID_undef, peer_sig_type_nid = NID_undef; + const char *peer_sig = "unknown"; + const char *peer_sig_type = "unknown type"; + + /* Even though these methods use the deprecated NIDs instead of using + * string as new OpenSSL APIs do, there seem to be no API that replaces + * it yet */ +#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL + if (SSL_get_peer_signature_nid(ssl, &peer_sig_nid) + && peer_sig_nid != NID_undef) + { + peer_sig = OBJ_nid2sn(peer_sig_nid); + } +#endif + +#if (!defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x1010000fL) \ + || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3090000fL) + /* LibreSSL 3.7.x and 3.8.x implement this function but do not export it + * and fail linking with an unresolved symbol */ + if (SSL_get_peer_signature_type_nid(ssl, &peer_sig_type_nid) + && peer_sig_type_nid != NID_undef) + { + peer_sig_type = get_sigtype(peer_sig_type_nid); + } +#endif + + if (peer_sig_nid == NID_undef && peer_sig_type_nid == NID_undef) + { + return; + } + + openvpn_snprintf(buf, buflen, ", peer signing digest/type: %s %s", + peer_sig, peer_sig_type); +} + + + /* ************************************** * * Information functions @@ -2180,8 +2257,9 @@ char s1[256]; char s2[256]; char s3[256]; + char s4[256]; - s1[0] = s2[0] = s3[0] = 0; + s1[0] = s2[0] = s3[0] = s4[0] = 0; ciph = SSL_get_current_cipher(ks_ssl->ssl); openvpn_snprintf(s1, sizeof(s1), "%s %s, cipher %s %s", prefix, @@ -2196,8 +2274,9 @@ X509_free(cert); } print_server_tempkey(ks_ssl->ssl, s3, sizeof(s3)); + print_peer_signature(ks_ssl->ssl, s4, sizeof(s4)); - msg(D_HANDSHAKE, "%s%s%s", s1, s2, s3); + msg(D_HANDSHAKE, "%s%s%s%s", s1, s2, s3, s4); } void