From patchwork Sat Jul 1 20:08:38 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 3267 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7301:3c07:b0:d9:b492:11d6 with SMTP id ki7csp3401931dyb; Sat, 1 Jul 2023 13:09:49 -0700 (PDT) X-Google-Smtp-Source: APBJJlGM20sXlfhAfakh0jt9XgrxJI27Jc2ivlYVy+Q7cpo/DbPz1k0cgytaofga+0teYQXt9eDb X-Received: by 2002:a17:902:d501:b0:1b8:8670:541 with SMTP id b1-20020a170902d50100b001b886700541mr1066218plg.25.1688242189463; Sat, 01 Jul 2023 13:09:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1688242189; cv=none; d=google.com; s=arc-20160816; b=Gqhv1i93XVvNNH5Ay97hTZAmQ/bo3Xs0zjIzn59BK2eWo9utDbLse4wBZZkJ+3NV4g lvQZuFap1euhiHoHK5st0yixoT92BPHD8bnxC4vMdEXfJCjNbVLCIBF2fh+BmsFwsAz+ l4hR2wEhR64fpcJKXXaMAUXsZUAxaJ/GUXU/vgszrcj0WYesRQ+GbShifyeSa4f6GsIU qieM4FjFThZ0lk8xnWgbRNODJzRhkuX0QtBir2aMsC8buFGk62q0+fq+jZctCdhD05xy /xCM482rfik04IHWGOEDQHpZEl08GDPNvwU657rtODE/yOnVVaFWHxxpypliSoLU99EH WYZg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:message-id:date:to:from:dkim-signature:dkim-signature; bh=O56e7DWxMIdxqZWn8MGDDdx2er4JmaMNABA68qejO5o=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=jxshFRwBmGOO6UMVSzGOHah+kxBFF+oIibSCIuFumSqfqxVtD9OpkAc/KeH2C1/ooB KshFlm/spya7JQh92P/kZSkHDU2sWP+dQDR23tvKKF7rHjgosJb/SinoLloqDqbuvHHS D1xtyfW0kdHGeFQHqqsU4dY9OPQ2zqQfn6MyTtdXL/JJ6+TwcrpF6ZhR3yLUj72jr+0w mSDKDcZME/OWv8TXWByv9CZAsPFhKnu/ymKR+7LgCguPNwX7UP2CBmMQWPn3spb6K91n 6TtxgyfuST8A/zljJW+BHVoi3rdAkgg0cRDG0FCw+LEMZMvwYcK0KEGhqeH5K7w0cBTp yrQg== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=DviAbhqx; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b="P52/G92n"; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 22-20020a17090a019600b0026101590c32si15052927pjc.2.2023.07.01.13.09.49 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 01 Jul 2023 13:09:49 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=DviAbhqx; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b="P52/G92n"; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1qFgtw-0001Mw-Jv; Sat, 01 Jul 2023 20:09:01 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1qFgto-0001Mk-Pz for openvpn-devel@lists.sourceforge.net; Sat, 01 Jul 2023 20:08:53 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=QqjnjJSkw4KkZrxFwpDf/q7jzRwW0+5dOXdZWL/GpzM=; b=DviAbhqxwei8pNB4iT2pcijYcQ fy1fdwhQfmCdwEZ+gwZFNDOqchxeCJkSE00t5b6aLRARnVbLMV6hWljC/b1cZe4D8qhP+3IAF//RV Hk6df8mYZXZ09NXTj4N/gk1f1PGWcaHRTYchyUrEpvz8OMDrK2whwXSGL3MOkUC7vdkc=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:To:From: Sender:Reply-To:Cc:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=QqjnjJSkw4KkZrxFwpDf/q7jzRwW0+5dOXdZWL/GpzM=; b=P 52/G92n5P0ctWdGFUpV7dHhlazaj90hrFzrO8T6tA7vC9bl6YOu4OeuTyE5M8VVJ3T6a0kC4oCKtM SSxrvcdkHn1hPLj4XvCZLPc18O2YHIEVIcOROaCWF2Y8FzcdN/dwq8k9pX0t7WcobxMkzieQu4ouX ZoaCM2FK8VdfCKfo=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1qFgto-003TtQ-KT for openvpn-devel@lists.sourceforge.net; Sat, 01 Jul 2023 20:08:53 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD)) (envelope-from ) id 1qFgtc-000PlR-OT for openvpn-devel@lists.sourceforge.net; Sat, 01 Jul 2023 22:08:40 +0200 Received: (nullmailer pid 3516362 invoked by uid 10006); Sat, 01 Jul 2023 20:08:40 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Sat, 1 Jul 2023 22:08:38 +0200 Message-Id: <20230701200840.3516314-1-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Spam-Score: 0.2 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Change-Id: Iaf12bb51a2aac7bcf19070f0b56fa3b1a5863bc3 Signed-off-by: Arne Schwabe --- src/openvpn/ssl_openssl.c | 56 ++++++++++++++++++++++++++++++--------- 1 file changed, 44 insert [...] Content analysis details: (0.2 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 SPF_NONE SPF: sender does not publish an SPF Record -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Headers-End: 1qFgto-003TtQ-KT Subject: [Openvpn-devel] [PATCH 1/3] Print server temp key details X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1770250242145644932?= X-GMAIL-MSGID: =?utf-8?q?1770250242145644932?= Change-Id: Iaf12bb51a2aac7bcf19070f0b56fa3b1a5863bc3 Signed-off-by: Arne Schwabe --- src/openvpn/ssl_openssl.c | 56 ++++++++++++++++++++++++++++++--------- 1 file changed, 44 insertions(+), 12 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 0b310de31..da1417b82 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -2050,18 +2050,11 @@ key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf) return ret; } -/** - * Print human readable information about the certifcate into buf - * @param cert the certificate being used - * @param buf output buffer - * @param buflen output buffer length - */ static void -print_cert_details(X509 *cert, char *buf, size_t buflen) +print_pkey_details(EVP_PKEY *pkey, char *buf, size_t buflen) { const char *curve = ""; const char *type = "(error getting type)"; - EVP_PKEY *pkey = X509_get_pubkey(cert); if (pkey == NULL) { @@ -2124,6 +2117,23 @@ print_cert_details(X509 *cert, char *buf, size_t buflen) #endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L */ } + openvpn_snprintf(buf, buflen, "%d bits %s%s", + EVP_PKEY_bits(pkey), type, curve); +} + +/** + * Print human readable information about the certifcate into buf + * @param cert the certificate being used + * @param buf output buffer + * @param buflen output buffer length + */ +static void +print_cert_details(X509 *cert, char *buf, size_t buflen) +{ + EVP_PKEY *pkey = X509_get_pubkey(cert); + char pkeybuf[128] = { 0 }; + print_pkey_details(pkey, pkeybuf, sizeof(pkeybuf)); + char sig[128] = { 0 }; int signature_nid = X509_get_signature_nid(cert); if (signature_nid != 0) @@ -2132,8 +2142,27 @@ print_cert_details(X509 *cert, char *buf, size_t buflen) OBJ_nid2sn(signature_nid)); } - openvpn_snprintf(buf, buflen, ", peer certificate: %d bit %s%s%s", - EVP_PKEY_bits(pkey), type, curve, sig); + openvpn_snprintf(buf, buflen, ", peer certificate: %s%s", + pkeybuf, sig); + + EVP_PKEY_free(pkey); +} + +static void +print_server_tempkey(SSL *ssl, char *buf, size_t buflen) +{ + EVP_PKEY *pkey = NULL; + SSL_get_peer_tmp_key(ssl, &pkey); + if (!pkey) + { + return; + } + + char pkeybuf[128] = { 0 }; + print_pkey_details(pkey, pkeybuf, sizeof(pkeybuf)); + + openvpn_snprintf(buf, buflen, ", server temp key: %s", + pkeybuf); EVP_PKEY_free(pkey); } @@ -2151,8 +2180,9 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix) const SSL_CIPHER *ciph; char s1[256]; char s2[256]; + char s3[256]; - s1[0] = s2[0] = 0; + s1[0] = s2[0] = s3[0] = 0; ciph = SSL_get_current_cipher(ks_ssl->ssl); openvpn_snprintf(s1, sizeof(s1), "%s %s, cipher %s %s", prefix, @@ -2166,7 +2196,9 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix) print_cert_details(cert, s2, sizeof(s2)); X509_free(cert); } - msg(D_HANDSHAKE, "%s%s", s1, s2); + print_server_tempkey(ks_ssl->ssl, s3, sizeof(s3)); + + msg(D_HANDSHAKE, "%s%s%s", s1, s2, s3); } void From patchwork Sat Jul 1 20:08:39 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 3265 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7301:3c07:b0:d9:b492:11d6 with SMTP id ki7csp3401737dyb; Sat, 1 Jul 2023 13:09:21 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5h3IXQMPWtRNxXyus7N1iaQTYk+U+iMDySsW4GVz9NzjX+F2C1yqxhNcaxaXQa2A6+2NYJ X-Received: by 2002:a05:6a20:9695:b0:127:4fb0:d448 with SMTP id hp21-20020a056a20969500b001274fb0d448mr4446526pzc.9.1688242161332; Sat, 01 Jul 2023 13:09:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1688242161; cv=none; d=google.com; s=arc-20160816; b=hOH0GBjTFqzOUDNm8u3VInjz32nZUJEUG66fjn4mw+2gF18U9JAN4sng0N5PbswIqX AgwbKq3DrrNSJkHUYOzwCKq2ZDLB/lWHmGzlU9Yq6P2mJvkXjcAiVFVTFzGcHDjHni8V uuFgKBlWsxDaLXB5fMHt4JHvm8MqNzbByCFR0gcUaYLCHSh3k6s4Q+OxNrTyWYcEpQ+4 4m8JHf0gqlChXiiDGjnYRBKwlFsrQrObvcH5ROD4qwG8JvAPtQU3VcJSLDXyG0+3l2PH WFGXrdVY7IWey6P9Jxh9PsBQcXRF4h6SqfwLE56XTJRMueHI/ebJafSddBlj+uloBXva PD4A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature; bh=M89BsMcQN4m0lJlzvwJBLW0Ef5XqOlG7rmUKvzzyNxI=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=BYzZq1L0jmgXRpH2ydN3TwBP/X9XRRZdXqiq48guzS8Y/3dUPNkO2veIdD2eNOYXDe vJ9bvjWT82awON8c4WOmsWUdKBuMQhWkH7BmTVk1WSUBsM6c4UbPPH3oYeIV1rN6ubUs LWzlq1UMv1LK+j0C80aYxTyXLuHxJ1OGoUcNUQV17XiZIML0En3f6Et9PXJ2kcZUVM3l PRWBvxosRij1zPupcdFfFe8m5cjM//CGKkBgX7n7dUwjEi+oUNQnmz1/O6tshIDUGM+s i1BvDk+xi5VZYzEp81z/h4Pta4+M2bDe2ZHAZl25JuNIhlKV34BiTe+8gdAUSy4MtzHA zL0w== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=dlng5ggA; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=YZu4DF99; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id c1-20020a631c01000000b0053eefa04dc0si14929368pgc.276.2023.07.01.13.09.20 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 01 Jul 2023 13:09:21 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=dlng5ggA; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=YZu4DF99; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1qFgto-0005E0-Jd; Sat, 01 Jul 2023 20:08:52 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1qFgtl-0005Dq-Cr for openvpn-devel@lists.sourceforge.net; Sat, 01 Jul 2023 20:08:49 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=SZYzP+rnmQckFN/3AmIkOzzzlwpSeLB5+8ngQzwI2bc=; b=dlng5ggAFSoBKIR8IkEOs5dusV tvJCZWhK9rzsUoy13X9Oxb9srmeyZ/iCD/PVmRYIoMwc76SosuNpu7WhPvcPkBymuLPXbQgK6PnVk I/qbvxTnykR4PGwC2TvZ/pOocAKZHAduluaDMYvET/NxKlYFZE0borH4z02142vop0MQ=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=SZYzP+rnmQckFN/3AmIkOzzzlwpSeLB5+8ngQzwI2bc=; b=YZu4DF99xAXMQXvw+4NLtkb5ff qq1UPvN6ymTYcH/ZQwm+IqwTBrPTl2aiJs83N0MMghzOPMWBSM3/nkuMzXDQzh5/sKSSvBRn+a0bR RHyvniNwDrH7pLNlZD+7W6H0Wm6v9qlVWMEH73LgRtiRfjww8IuMhIMB2pRcdeKLlPhs=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1qFgtk-00004z-4d for openvpn-devel@lists.sourceforge.net; Sat, 01 Jul 2023 20:08:49 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD)) (envelope-from ) id 1qFgtc-000PlT-PD for openvpn-devel@lists.sourceforge.net; Sat, 01 Jul 2023 22:08:40 +0200 Received: (nullmailer pid 3516365 invoked by uid 10006); Sat, 01 Jul 2023 20:08:40 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Sat, 1 Jul 2023 22:08:39 +0200 Message-Id: <20230701200840.3516314-2-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230701200840.3516314-1-arne@rfc2549.org> References: <20230701200840.3516314-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Score: 0.3 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: This is more SSL debug information that most people do not really need or care about. OpenSSL's own s_client also logs them: Peer signing digest: SHA256 Peer signature type: ECDSA The complete message looks like this: Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1qFgtk-00004z-4d Subject: [Openvpn-devel] [PATCH 2/3] Print SSL peer signature information in handshake debug details X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1770250212707529170?= X-GMAIL-MSGID: =?utf-8?q?1770250212707529170?= This is more SSL debug information that most people do not really need or care about. OpenSSL's own s_client also logs them: Peer signing digest: SHA256 Peer signature type: ECDSA The complete message looks like this: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, server temp key: 253 bits X25519, peer signing digest/type: SHA256 RSASSA-PSS or when forcing a specific group via tls-groups X448 with a ECDSA server: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 384 bits ECsecp384r1, signature: ecdsa-with-SHA256, server temp key: 448 bits X448, peer signing digest/type: SHA384 ECDSA Change-Id: Ib5fc0c4b8f164596681ac5ad73002068ec6de1e5 Signed-off-by: Arne Schwabe --- src/openvpn/ssl_openssl.c | 80 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 78 insertions(+), 2 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index da1417b82..59bbdfc0a 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -2167,6 +2167,80 @@ print_server_tempkey(SSL *ssl, char *buf, size_t buflen) EVP_PKEY_free(pkey); } +#ifndef LIBRESSL_VERSION_NUMBER +/** + * Translate an OpenVPN NID into a more human readable name + * @param nid + * @return + */ +static const char * +get_sigtype(int nid) +{ + /* Fix a few OpenSSL names to be better understandable */ + switch (nid) + { + case EVP_PKEY_RSA: + /* will otherwise say rsaEncryption */ + return "RSA"; + + case EVP_PKEY_DSA: + /* dsaEncryption otherwise */ + return "DSA"; + + case EVP_PKEY_EC: + /* will say id-ecPublicKey */ + return "ECDSA"; + + case -1: + return "(error getting name)"; + + default: + return OBJ_nid2sn(nid); + } +} +#endif /* ifndef LIBRESSL_VERSION_NUMBER */ + +/** + * Get the type of the signature that is used by the peer during the + * TLS handshake + */ +static void +print_peer_signature(SSL *ssl, char *buf, size_t buflen) +{ + int peer_sig_nid = NID_undef, peer_sig_type_nid = NID_undef; + const char *peer_sig = ""; + const char *peer_sig_type = ""; + + /* Even though these methods use the deprecated NIDs instead of using + * string as new OpenSSL APIs do, there seem to be no API that replaces + * it yet */ + if (SSL_get_peer_signature_nid(ssl, &peer_sig_nid) + && peer_sig_nid != NID_undef) + { + peer_sig = OBJ_nid2sn(peer_sig_nid); + } + +#ifndef LIBRESSL_VERSION_NUMBER + /* LibreSSL 3.7.x and 3.8.0 weirdly implment this function but fail on + * linking with an unresolved symbol */ + if (SSL_get_peer_signature_type_nid(ssl, &peer_sig_type_nid) + && peer_sig_type_nid != NID_undef) + { + peer_sig_type = get_sigtype(peer_sig_type_nid); + } +#endif + + if (peer_sig_nid == NID_undef && peer_sig_type_nid == NID_undef) + { + return; + } + + openvpn_snprintf(buf, buflen, ", peer signing digest/type: %s %s", + peer_sig, peer_sig_type); +} + + + /* ************************************** * * Information functions @@ -2181,8 +2255,9 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix) char s1[256]; char s2[256]; char s3[256]; + char s4[256]; - s1[0] = s2[0] = s3[0] = 0; + s1[0] = s2[0] = s3[0] = s4[0] = 0; ciph = SSL_get_current_cipher(ks_ssl->ssl); openvpn_snprintf(s1, sizeof(s1), "%s %s, cipher %s %s", prefix, @@ -2197,8 +2272,9 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix) X509_free(cert); } print_server_tempkey(ks_ssl->ssl, s3, sizeof(s3)); + print_peer_signature(ks_ssl->ssl, s4, sizeof(s4)); - msg(D_HANDSHAKE, "%s%s%s", s1, s2, s3); + msg(D_HANDSHAKE, "%s%s%s%s", s1, s2, s3, s4); } void From patchwork Sat Jul 1 20:08:40 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 3266 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7301:3c07:b0:d9:b492:11d6 with SMTP id ki7csp3401922dyb; Sat, 1 Jul 2023 13:09:48 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ4V1mBJaLD7pk0uMCC0iP7TYboqsbNAqQRJBoeTmk073tfHvWRbvet6PUnETrwpAX6QqMvK X-Received: by 2002:a05:6a20:1612:b0:124:eea9:668d with SMTP id l18-20020a056a20161200b00124eea9668dmr5572694pzj.40.1688242188645; Sat, 01 Jul 2023 13:09:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1688242188; cv=none; d=google.com; s=arc-20160816; b=W/vHSY0yh8qoxvO+tHeQRHcf0hf3u/8+TNjL4zMOjnewArTUCLl3CKys7/y9Y80FQf yfkCbWyDAGXxvGhGqMbzgtaVbVK7qKXvtX5pbK+3l6XWu7q2Vjs+zfoLLpAXwPraO4v5 bn7ceRz4+zXkGIjGy4iGdwX53DJOfqVrHgQvVF2bEw063jqoSAb5Z+RIp8l12apWUbD8 Nye/m3lVOQq5g2uLR54qhREh50W4nhdEBdDgUUZnEXuWtNga3ZjO9coQOe2nXdH8SibY 2XB5z3w6+MFQrDQ6IC27DVOx5hzIuDiasJJxhpkPXAG1Mgj3DewWlcKGaAuS58ytEN1U 7gzg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature; bh=liIjri1zO/kUxmlpx6tEhLEWth9KofbmmExPqBxH1Qo=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=G+IRnz0bUJXa8EEU5oqEjDidpA3FQQUHUqozdRmxJqMQnicnhDl1YKsRqQLVPmy7gQ JcF9R/tFnkovMpV/NPAMVhD4LiE8V3rG0f9k9/7H35Q+0Ov5VDtHrm5WRG0bX1DpNavP q1ZshvOKH574Y+bIh+9EvGsLTLwWrsAdwZlIWrAvU4/7PMeCjDo9CeB9AVJEaTakDbQf vBED2fDKapseUID835+d1lJ5ov9XRG0gBxzq22Zm5nCaT0JEk685HkfdhdSF0axd842Y cR2fZZZ14YIqi2iVoxOFvdUosgkg/qaOkHQzKLGi1fo7aoKchYn//NKHS+jkvorPn+mH 0svw== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=SB+dUVuu; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=IV5MqWzP; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id c23-20020a63da17000000b005340840c0c8si15171838pgh.327.2023.07.01.13.09.48 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 01 Jul 2023 13:09:48 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=SB+dUVuu; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=IV5MqWzP; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from [127.0.0.1] (helo=sfs-ml-3.v29.lw.sourceforge.com) by sfs-ml-3.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1qFgtm-0003fm-Ny; Sat, 01 Jul 2023 20:08:51 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-3.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1qFgtk-0003fg-Ul for openvpn-devel@lists.sourceforge.net; Sat, 01 Jul 2023 20:08:49 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=wj2TNNi2HHknCg0In6x/ManrHEGxl6UZjC8cdShzjsw=; b=SB+dUVuurODgTNUNNAH8dKt+gf 7gWaH4AFpa3SPM922nNRjw1N0g96BkO4HPWhH4JOF4uvGV4V+hvNY8rJPpITFa+Eje37Yh+aftN+i TicyB+TOgC4glcd+wdrg4UDh56og17dMnKA1aRIoie/0NnHsb7h2AnrpgYOq23cXmDDE=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=wj2TNNi2HHknCg0In6x/ManrHEGxl6UZjC8cdShzjsw=; b=IV5MqWzPteZRGTAPn0oLo6HM3t DOaZQoWpA/djfrKTrpf/fTkBNhyZBIXwAbM7KlX6qHTwHoSMuxRBHMHMc7sijhNO65Cb1fXSp0gep fjvCPAcszR77ls53crMu27HAVzrnVPjYyE454N3tRFpxdSx5AUxPvhirsJoArajqPnBw=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1qFgtk-00004y-4e for openvpn-devel@lists.sourceforge.net; Sat, 01 Jul 2023 20:08:49 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD)) (envelope-from ) id 1qFgtc-000PlV-Pr for openvpn-devel@lists.sourceforge.net; Sat, 01 Jul 2023 22:08:40 +0200 Received: (nullmailer pid 3516367 invoked by uid 10006); Sat, 01 Jul 2023 20:08:40 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Sat, 1 Jul 2023 22:08:40 +0200 Message-Id: <20230701200840.3516314-3-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230701200840.3516314-1-arne@rfc2549.org> References: <20230701200840.3516314-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Score: 0.3 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: OpenSSL has a weird way of only reporting EC curves that are implemented in a certain way in the list of all EC cruves. Note this fact and point out that also the very important curves X448 and X25519 [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1qFgtk-00004y-4e Subject: [Openvpn-devel] [PATCH 3/3] Add warning for the --show-groups command that some groups are missing X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1770250241048735121?= X-GMAIL-MSGID: =?utf-8?q?1770250241048735121?= OpenSSL has a weird way of only reporting EC curves that are implemented in a certain way in the list of all EC cruves. Note this fact and point out that also the very important curves X448 and X25519 are affected. Change-Id: I86641bf60d62a50e9b2719e809d2429d65c00097 Signed-off-by: Arne Schwabe --- src/openvpn/ssl_openssl.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 59bbdfc0a..442ae1871 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -2355,8 +2355,10 @@ show_available_tls_ciphers_list(const char *cipher_list, void show_available_curves(void) { - printf("Consider using openssl 'ecparam -list_curves' as\n" - "alternative to running this command.\n"); + printf("Consider using 'openssl ecparam -list_curves' as alternative to running\n" + "this command.\n" + "Note this output does only list curves/group that OpenSSL considers as\n" + "builtin EC curves. It does not list additional curves nor X448 or X25519\n"); #ifndef OPENSSL_NO_EC EC_builtin_curve *curves = NULL; size_t crv_len = 0;