From patchwork Sat Jul  1 20:08:38 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Arne Schwabe <arne@rfc2549.org>
X-Patchwork-Id: 3267
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Received: by 2002:a05:7301:3c07:b0:d9:b492:11d6 with SMTP id ki7csp3401931dyb;
        Sat, 1 Jul 2023 13:09:49 -0700 (PDT)
X-Google-Smtp-Source: 
 APBJJlGM20sXlfhAfakh0jt9XgrxJI27Jc2ivlYVy+Q7cpo/DbPz1k0cgytaofga+0teYQXt9eDb
X-Received: by 2002:a17:902:d501:b0:1b8:8670:541 with SMTP id
 b1-20020a170902d50100b001b886700541mr1066218plg.25.1688242189463;
        Sat, 01 Jul 2023 13:09:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1688242189; cv=none;
        d=google.com; s=arc-20160816;
        b=Gqhv1i93XVvNNH5Ay97hTZAmQ/bo3Xs0zjIzn59BK2eWo9utDbLse4wBZZkJ+3NV4g
         lvQZuFap1euhiHoHK5st0yixoT92BPHD8bnxC4vMdEXfJCjNbVLCIBF2fh+BmsFwsAz+
         l4hR2wEhR64fpcJKXXaMAUXsZUAxaJ/GUXU/vgszrcj0WYesRQ+GbShifyeSa4f6GsIU
         qieM4FjFThZ0lk8xnWgbRNODJzRhkuX0QtBir2aMsC8buFGk62q0+fq+jZctCdhD05xy
         /xCM482rfik04IHWGOEDQHpZEl08GDPNvwU657rtODE/yOnVVaFWHxxpypliSoLU99EH
         WYZg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=errors-to:content-transfer-encoding:list-subscribe:list-help
         :list-post:list-archive:list-unsubscribe:list-id:precedence:subject
         :mime-version:message-id:date:to:from:dkim-signature:dkim-signature;
        bh=O56e7DWxMIdxqZWn8MGDDdx2er4JmaMNABA68qejO5o=;
        fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=;
        b=jxshFRwBmGOO6UMVSzGOHah+kxBFF+oIibSCIuFumSqfqxVtD9OpkAc/KeH2C1/ooB
         KshFlm/spya7JQh92P/kZSkHDU2sWP+dQDR23tvKKF7rHjgosJb/SinoLloqDqbuvHHS
         D1xtyfW0kdHGeFQHqqsU4dY9OPQ2zqQfn6MyTtdXL/JJ6+TwcrpF6ZhR3yLUj72jr+0w
         mSDKDcZME/OWv8TXWByv9CZAsPFhKnu/ymKR+7LgCguPNwX7UP2CBmMQWPn3spb6K91n
         6TtxgyfuST8A/zljJW+BHVoi3rdAkgg0cRDG0FCw+LEMZMvwYcK0KEGhqeH5K7w0cBTp
         yrQg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=DviAbhqx;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b="P52/G92n";
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net
Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7])
        by mx.google.com with ESMTPS id
 22-20020a17090a019600b0026101590c32si15052927pjc.2.2023.07.01.13.09.49
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 01 Jul 2023 13:09:49 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) client-ip=216.105.38.7;
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=DviAbhqx;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b="P52/G92n";
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net
Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com)
	by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.95)
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	id 1qFgtw-0001Mw-Jv;
	Sat, 01 Jul 2023 20:09:01 +0000
Received: from [172.30.20.202] (helo=mx.sourceforge.net)
 by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95)
 (envelope-from <arne@kamera.blinkt.de>) id 1qFgto-0001Mk-Pz
 for openvpn-devel@lists.sourceforge.net;
 Sat, 01 Jul 2023 20:08:53 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id:
 Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=QqjnjJSkw4KkZrxFwpDf/q7jzRwW0+5dOXdZWL/GpzM=; b=DviAbhqxwei8pNB4iT2pcijYcQ
 fy1fdwhQfmCdwEZ+gwZFNDOqchxeCJkSE00t5b6aLRARnVbLMV6hWljC/b1cZe4D8qhP+3IAF//RV
 Hk6df8mYZXZ09NXTj4N/gk1f1PGWcaHRTYchyUrEpvz8OMDrK2whwXSGL3MOkUC7vdkc=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
 ;
 h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:To:From:
 Sender:Reply-To:Cc:Content-Type:Content-ID:Content-Description:Resent-Date:
 Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
 References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:
 List-Owner:List-Archive; bh=QqjnjJSkw4KkZrxFwpDf/q7jzRwW0+5dOXdZWL/GpzM=; b=P
 52/G92n5P0ctWdGFUpV7dHhlazaj90hrFzrO8T6tA7vC9bl6YOu4OeuTyE5M8VVJ3T6a0kC4oCKtM
 SSxrvcdkHn1hPLj4XvCZLPc18O2YHIEVIcOROaCWF2Y8FzcdN/dwq8k9pX0t7WcobxMkzieQu4ouX
 ZoaCM2FK8VdfCKfo=;
Received: from mail.blinkt.de ([192.26.174.232])
 by sfi-mx-1.v28.lw.sourceforge.com with esmtps
 (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95)
 id 1qFgto-003TtQ-KT for openvpn-devel@lists.sourceforge.net;
 Sat, 01 Jul 2023 20:08:53 +0000
Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c])
 by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD))
 (envelope-from <arne@kamera.blinkt.de>) id 1qFgtc-000PlR-OT
 for openvpn-devel@lists.sourceforge.net;
 Sat, 01 Jul 2023 22:08:40 +0200
Received: (nullmailer pid 3516362 invoked by uid 10006);
 Sat, 01 Jul 2023 20:08:40 -0000
From: Arne Schwabe <arne@rfc2549.org>
To: openvpn-devel@lists.sourceforge.net
Date: Sat,  1 Jul 2023 22:08:38 +0200
Message-Id: <20230701200840.3516314-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
X-Spam-Score: 0.2 (/)
X-Spam-Report: Spam detection software,
 running on the system "util-spamd-2.v13.lw.sourceforge.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: Change-Id: Iaf12bb51a2aac7bcf19070f0b56fa3b1a5863bc3
 Signed-off-by:
 Arne Schwabe <arne@rfc2549.org> --- src/openvpn/ssl_openssl.c | 56
 ++++++++++++++++++++++++++++++---------
 1 file changed, 44 insert [...]
 Content analysis details:   (0.2 points, 6.0 required)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
 mail domains are different
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 SPF_NONE               SPF: sender does not publish an SPF Record
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
X-Headers-End: 1qFgto-003TtQ-KT
Subject: [Openvpn-devel] [PATCH 1/3] Print server temp key details
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox
X-GMAIL-THRID: =?utf-8?q?1770250242145644932?=
X-GMAIL-MSGID: =?utf-8?q?1770250242145644932?=

Change-Id: Iaf12bb51a2aac7bcf19070f0b56fa3b1a5863bc3
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/ssl_openssl.c | 56 ++++++++++++++++++++++++++++++---------
 1 file changed, 44 insertions(+), 12 deletions(-)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 0b310de31..da1417b82 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -2050,18 +2050,11 @@ key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
     return ret;
 }
 
-/**
- * Print human readable information about the certifcate into buf
- * @param cert      the certificate being used
- * @param buf       output buffer
- * @param buflen    output buffer length
- */
 static void
-print_cert_details(X509 *cert, char *buf, size_t buflen)
+print_pkey_details(EVP_PKEY *pkey, char *buf, size_t buflen)
 {
     const char *curve = "";
     const char *type = "(error getting type)";
-    EVP_PKEY *pkey = X509_get_pubkey(cert);
 
     if (pkey == NULL)
     {
@@ -2124,6 +2117,23 @@ print_cert_details(X509 *cert, char *buf, size_t buflen)
 #endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L */
     }
 
+    openvpn_snprintf(buf, buflen, "%d bits %s%s",
+                     EVP_PKEY_bits(pkey), type, curve);
+}
+
+/**
+ * Print human readable information about the certifcate into buf
+ * @param cert      the certificate being used
+ * @param buf       output buffer
+ * @param buflen    output buffer length
+ */
+static void
+print_cert_details(X509 *cert, char *buf, size_t buflen)
+{
+    EVP_PKEY *pkey = X509_get_pubkey(cert);
+    char pkeybuf[128] = { 0 };
+    print_pkey_details(pkey, pkeybuf, sizeof(pkeybuf));
+
     char sig[128] = { 0 };
     int signature_nid = X509_get_signature_nid(cert);
     if (signature_nid != 0)
@@ -2132,8 +2142,27 @@ print_cert_details(X509 *cert, char *buf, size_t buflen)
                          OBJ_nid2sn(signature_nid));
     }
 
-    openvpn_snprintf(buf, buflen, ", peer certificate: %d bit %s%s%s",
-                     EVP_PKEY_bits(pkey), type, curve, sig);
+    openvpn_snprintf(buf, buflen, ", peer certificate: %s%s",
+                     pkeybuf, sig);
+
+    EVP_PKEY_free(pkey);
+}
+
+static void
+print_server_tempkey(SSL *ssl, char *buf, size_t buflen)
+{
+    EVP_PKEY *pkey = NULL;
+    SSL_get_peer_tmp_key(ssl, &pkey);
+    if (!pkey)
+    {
+        return;
+    }
+
+    char pkeybuf[128] = { 0 };
+    print_pkey_details(pkey, pkeybuf, sizeof(pkeybuf));
+
+    openvpn_snprintf(buf, buflen, ", server temp key: %s",
+                     pkeybuf);
 
     EVP_PKEY_free(pkey);
 }
@@ -2151,8 +2180,9 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix)
     const SSL_CIPHER *ciph;
     char s1[256];
     char s2[256];
+    char s3[256];
 
-    s1[0] = s2[0] = 0;
+    s1[0] = s2[0] = s3[0] = 0;
     ciph = SSL_get_current_cipher(ks_ssl->ssl);
     openvpn_snprintf(s1, sizeof(s1), "%s %s, cipher %s %s",
                      prefix,
@@ -2166,7 +2196,9 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix)
         print_cert_details(cert, s2, sizeof(s2));
         X509_free(cert);
     }
-    msg(D_HANDSHAKE, "%s%s", s1, s2);
+    print_server_tempkey(ks_ssl->ssl, s3, sizeof(s3));
+
+    msg(D_HANDSHAKE, "%s%s%s", s1, s2, s3);
 }
 
 void

From patchwork Sat Jul  1 20:08:39 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Arne Schwabe <arne@rfc2549.org>
X-Patchwork-Id: 3265
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Received: by 2002:a05:7301:3c07:b0:d9:b492:11d6 with SMTP id ki7csp3401737dyb;
        Sat, 1 Jul 2023 13:09:21 -0700 (PDT)
X-Google-Smtp-Source: 
 ACHHUZ5h3IXQMPWtRNxXyus7N1iaQTYk+U+iMDySsW4GVz9NzjX+F2C1yqxhNcaxaXQa2A6+2NYJ
X-Received: by 2002:a05:6a20:9695:b0:127:4fb0:d448 with SMTP id
 hp21-20020a056a20969500b001274fb0d448mr4446526pzc.9.1688242161332;
        Sat, 01 Jul 2023 13:09:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1688242161; cv=none;
        d=google.com; s=arc-20160816;
        b=hOH0GBjTFqzOUDNm8u3VInjz32nZUJEUG66fjn4mw+2gF18U9JAN4sng0N5PbswIqX
         AgwbKq3DrrNSJkHUYOzwCKq2ZDLB/lWHmGzlU9Yq6P2mJvkXjcAiVFVTFzGcHDjHni8V
         uuFgKBlWsxDaLXB5fMHt4JHvm8MqNzbByCFR0gcUaYLCHSh3k6s4Q+OxNrTyWYcEpQ+4
         4m8JHf0gqlChXiiDGjnYRBKwlFsrQrObvcH5ROD4qwG8JvAPtQU3VcJSLDXyG0+3l2PH
         WFGXrdVY7IWey6P9Jxh9PsBQcXRF4h6SqfwLE56XTJRMueHI/ebJafSddBlj+uloBXva
         PD4A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=errors-to:content-transfer-encoding:list-subscribe:list-help
         :list-post:list-archive:list-unsubscribe:list-id:precedence:subject
         :mime-version:references:in-reply-to:message-id:date:to:from
         :dkim-signature:dkim-signature;
        bh=M89BsMcQN4m0lJlzvwJBLW0Ef5XqOlG7rmUKvzzyNxI=;
        fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=;
        b=BYzZq1L0jmgXRpH2ydN3TwBP/X9XRRZdXqiq48guzS8Y/3dUPNkO2veIdD2eNOYXDe
         vJ9bvjWT82awON8c4WOmsWUdKBuMQhWkH7BmTVk1WSUBsM6c4UbPPH3oYeIV1rN6ubUs
         LWzlq1UMv1LK+j0C80aYxTyXLuHxJ1OGoUcNUQV17XiZIML0En3f6Et9PXJ2kcZUVM3l
         PRWBvxosRij1zPupcdFfFe8m5cjM//CGKkBgX7n7dUwjEi+oUNQnmz1/O6tshIDUGM+s
         i1BvDk+xi5VZYzEp81z/h4Pta4+M2bDe2ZHAZl25JuNIhlKV34BiTe+8gdAUSy4MtzHA
         zL0w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=dlng5ggA;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=YZu4DF99;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net
Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7])
        by mx.google.com with ESMTPS id
 c1-20020a631c01000000b0053eefa04dc0si14929368pgc.276.2023.07.01.13.09.20
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 01 Jul 2023 13:09:21 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) client-ip=216.105.38.7;
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=dlng5ggA;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=YZu4DF99;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net
Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com)
	by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95)
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	id 1qFgto-0005E0-Jd;
	Sat, 01 Jul 2023 20:08:52 +0000
Received: from [172.30.20.202] (helo=mx.sourceforge.net)
 by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95)
 (envelope-from <arne@kamera.blinkt.de>) id 1qFgtl-0005Dq-Cr
 for openvpn-devel@lists.sourceforge.net;
 Sat, 01 Jul 2023 20:08:49 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References:
 In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:
 Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
 Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=SZYzP+rnmQckFN/3AmIkOzzzlwpSeLB5+8ngQzwI2bc=; b=dlng5ggAFSoBKIR8IkEOs5dusV
 tvJCZWhK9rzsUoy13X9Oxb9srmeyZ/iCD/PVmRYIoMwc76SosuNpu7WhPvcPkBymuLPXbQgK6PnVk
 I/qbvxTnykR4PGwC2TvZ/pOocAKZHAduluaDMYvET/NxKlYFZE0borH4z02142vop0MQ=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
 ;
 h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id:
 Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=SZYzP+rnmQckFN/3AmIkOzzzlwpSeLB5+8ngQzwI2bc=; b=YZu4DF99xAXMQXvw+4NLtkb5ff
 qq1UPvN6ymTYcH/ZQwm+IqwTBrPTl2aiJs83N0MMghzOPMWBSM3/nkuMzXDQzh5/sKSSvBRn+a0bR
 RHyvniNwDrH7pLNlZD+7W6H0Wm6v9qlVWMEH73LgRtiRfjww8IuMhIMB2pRcdeKLlPhs=;
Received: from mail.blinkt.de ([192.26.174.232])
 by sfi-mx-2.v28.lw.sourceforge.com with esmtps
 (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95)
 id 1qFgtk-00004z-4d for openvpn-devel@lists.sourceforge.net;
 Sat, 01 Jul 2023 20:08:49 +0000
Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c])
 by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD))
 (envelope-from <arne@kamera.blinkt.de>) id 1qFgtc-000PlT-PD
 for openvpn-devel@lists.sourceforge.net;
 Sat, 01 Jul 2023 22:08:40 +0200
Received: (nullmailer pid 3516365 invoked by uid 10006);
 Sat, 01 Jul 2023 20:08:40 -0000
From: Arne Schwabe <arne@rfc2549.org>
To: openvpn-devel@lists.sourceforge.net
Date: Sat,  1 Jul 2023 22:08:39 +0200
Message-Id: <20230701200840.3516314-2-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20230701200840.3516314-1-arne@rfc2549.org>
References: <20230701200840.3516314-1-arne@rfc2549.org>
MIME-Version: 1.0
X-Spam-Score: 0.3 (/)
X-Spam-Report: Spam detection software,
 running on the system "util-spamd-1.v13.lw.sourceforge.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview:  This is more SSL debug information that most people do not
 really need or care about. OpenSSL's own s_client also logs them: Peer
 signing
 digest: SHA256 Peer signature type: ECDSA The complete message looks like
 this: Content analysis details:   (0.3 points, 6.0 required)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
 mail domains are different
 0.0 SPF_NONE               SPF: sender does not publish an SPF Record
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
X-Headers-End: 1qFgtk-00004z-4d
Subject: [Openvpn-devel] [PATCH 2/3] Print SSL peer signature information in
 handshake debug details
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox
X-GMAIL-THRID: =?utf-8?q?1770250212707529170?=
X-GMAIL-MSGID: =?utf-8?q?1770250212707529170?=

This is more SSL debug information that most people do not really need
or care about. OpenSSL's own s_client also logs them:

Peer signing digest: SHA256
Peer signature type: ECDSA

The complete message looks like this:

   Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, server temp key: 253 bits X25519, peer signing digest/type: SHA256 RSASSA-PSS

or when forcing a specific group via tls-groups X448 with a ECDSA server:

   Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 384 bits ECsecp384r1, signature: ecdsa-with-SHA256, server temp key: 448 bits X448, peer signing digest/type: SHA384 ECDSA

Change-Id: Ib5fc0c4b8f164596681ac5ad73002068ec6de1e5
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/ssl_openssl.c | 80 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 78 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index da1417b82..59bbdfc0a 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -2167,6 +2167,80 @@ print_server_tempkey(SSL *ssl, char *buf, size_t buflen)
     EVP_PKEY_free(pkey);
 }
 
+#ifndef LIBRESSL_VERSION_NUMBER
+/**
+ * Translate an OpenVPN NID into a more human readable name
+ * @param nid
+ * @return
+ */
+static const char *
+get_sigtype(int nid)
+{
+    /* Fix a few OpenSSL names to be better understandable */
+    switch (nid)
+    {
+        case EVP_PKEY_RSA:
+            /* will otherwise say rsaEncryption */
+            return "RSA";
+
+        case EVP_PKEY_DSA:
+            /* dsaEncryption otherwise */
+            return "DSA";
+
+        case EVP_PKEY_EC:
+            /* will say id-ecPublicKey */
+            return "ECDSA";
+
+        case -1:
+            return "(error getting name)";
+
+        default:
+            return OBJ_nid2sn(nid);
+    }
+}
+#endif /* ifndef LIBRESSL_VERSION_NUMBER */
+
+/**
+ * Get the type of the signature that is used by the peer during the
+ * TLS handshake
+ */
+static void
+print_peer_signature(SSL *ssl, char *buf, size_t buflen)
+{
+    int peer_sig_nid = NID_undef, peer_sig_type_nid = NID_undef;
+    const char *peer_sig = "";
+    const char *peer_sig_type = "";
+
+    /* Even though these methods use the deprecated NIDs instead of using
+     * string as new OpenSSL APIs do, there seem to be no API that replaces
+     * it yet */
+    if (SSL_get_peer_signature_nid(ssl, &peer_sig_nid)
+        && peer_sig_nid != NID_undef)
+    {
+        peer_sig = OBJ_nid2sn(peer_sig_nid);
+    }
+
+#ifndef LIBRESSL_VERSION_NUMBER
+    /* LibreSSL 3.7.x and 3.8.0 weirdly implment this function but fail on
+     * linking with an unresolved symbol */
+    if (SSL_get_peer_signature_type_nid(ssl, &peer_sig_type_nid)
+        && peer_sig_type_nid != NID_undef)
+    {
+        peer_sig_type = get_sigtype(peer_sig_type_nid);
+    }
+#endif
+
+    if (peer_sig_nid == NID_undef && peer_sig_type_nid == NID_undef)
+    {
+        return;
+    }
+
+    openvpn_snprintf(buf, buflen, ", peer signing digest/type: %s %s",
+                     peer_sig, peer_sig_type);
+}
+
+
+
 /* **************************************
  *
  * Information functions
@@ -2181,8 +2255,9 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix)
     char s1[256];
     char s2[256];
     char s3[256];
+    char s4[256];
 
-    s1[0] = s2[0] = s3[0] = 0;
+    s1[0] = s2[0] = s3[0] = s4[0] = 0;
     ciph = SSL_get_current_cipher(ks_ssl->ssl);
     openvpn_snprintf(s1, sizeof(s1), "%s %s, cipher %s %s",
                      prefix,
@@ -2197,8 +2272,9 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix)
         X509_free(cert);
     }
     print_server_tempkey(ks_ssl->ssl, s3, sizeof(s3));
+    print_peer_signature(ks_ssl->ssl, s4, sizeof(s4));
 
-    msg(D_HANDSHAKE, "%s%s%s", s1, s2, s3);
+    msg(D_HANDSHAKE, "%s%s%s%s", s1, s2, s3, s4);
 }
 
 void

From patchwork Sat Jul  1 20:08:40 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Arne Schwabe <arne@rfc2549.org>
X-Patchwork-Id: 3266
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Received: by 2002:a05:7301:3c07:b0:d9:b492:11d6 with SMTP id ki7csp3401922dyb;
        Sat, 1 Jul 2023 13:09:48 -0700 (PDT)
X-Google-Smtp-Source: 
 ACHHUZ4V1mBJaLD7pk0uMCC0iP7TYboqsbNAqQRJBoeTmk073tfHvWRbvet6PUnETrwpAX6QqMvK
X-Received: by 2002:a05:6a20:1612:b0:124:eea9:668d with SMTP id
 l18-20020a056a20161200b00124eea9668dmr5572694pzj.40.1688242188645;
        Sat, 01 Jul 2023 13:09:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1688242188; cv=none;
        d=google.com; s=arc-20160816;
        b=W/vHSY0yh8qoxvO+tHeQRHcf0hf3u/8+TNjL4zMOjnewArTUCLl3CKys7/y9Y80FQf
         yfkCbWyDAGXxvGhGqMbzgtaVbVK7qKXvtX5pbK+3l6XWu7q2Vjs+zfoLLpAXwPraO4v5
         bn7ceRz4+zXkGIjGy4iGdwX53DJOfqVrHgQvVF2bEw063jqoSAb5Z+RIp8l12apWUbD8
         Nye/m3lVOQq5g2uLR54qhREh50W4nhdEBdDgUUZnEXuWtNga3ZjO9coQOe2nXdH8SibY
         2XB5z3w6+MFQrDQ6IC27DVOx5hzIuDiasJJxhpkPXAG1Mgj3DewWlcKGaAuS58ytEN1U
         7gzg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=errors-to:content-transfer-encoding:list-subscribe:list-help
         :list-post:list-archive:list-unsubscribe:list-id:precedence:subject
         :mime-version:references:in-reply-to:message-id:date:to:from
         :dkim-signature:dkim-signature;
        bh=liIjri1zO/kUxmlpx6tEhLEWth9KofbmmExPqBxH1Qo=;
        fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=;
        b=G+IRnz0bUJXa8EEU5oqEjDidpA3FQQUHUqozdRmxJqMQnicnhDl1YKsRqQLVPmy7gQ
         JcF9R/tFnkovMpV/NPAMVhD4LiE8V3rG0f9k9/7H35Q+0Ov5VDtHrm5WRG0bX1DpNavP
         q1ZshvOKH574Y+bIh+9EvGsLTLwWrsAdwZlIWrAvU4/7PMeCjDo9CeB9AVJEaTakDbQf
         vBED2fDKapseUID835+d1lJ5ov9XRG0gBxzq22Zm5nCaT0JEk685HkfdhdSF0axd842Y
         cR2fZZZ14YIqi2iVoxOFvdUosgkg/qaOkHQzKLGi1fo7aoKchYn//NKHS+jkvorPn+mH
         0svw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=SB+dUVuu;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=IV5MqWzP;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net
Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7])
        by mx.google.com with ESMTPS id
 c23-20020a63da17000000b005340840c0c8si15171838pgh.327.2023.07.01.13.09.48
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 01 Jul 2023 13:09:48 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) client-ip=216.105.38.7;
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=SB+dUVuu;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=IV5MqWzP;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net
Received: from [127.0.0.1] (helo=sfs-ml-3.v29.lw.sourceforge.com)
	by sfs-ml-3.v29.lw.sourceforge.com with esmtp (Exim 4.95)
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	id 1qFgtm-0003fm-Ny;
	Sat, 01 Jul 2023 20:08:51 +0000
Received: from [172.30.20.202] (helo=mx.sourceforge.net)
 by sfs-ml-3.v29.lw.sourceforge.com with esmtps (TLS1.2) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95)
 (envelope-from <arne@kamera.blinkt.de>) id 1qFgtk-0003fg-Ul
 for openvpn-devel@lists.sourceforge.net;
 Sat, 01 Jul 2023 20:08:49 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References:
 In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:
 Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
 Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=wj2TNNi2HHknCg0In6x/ManrHEGxl6UZjC8cdShzjsw=; b=SB+dUVuurODgTNUNNAH8dKt+gf
 7gWaH4AFpa3SPM922nNRjw1N0g96BkO4HPWhH4JOF4uvGV4V+hvNY8rJPpITFa+Eje37Yh+aftN+i
 TicyB+TOgC4glcd+wdrg4UDh56og17dMnKA1aRIoie/0NnHsb7h2AnrpgYOq23cXmDDE=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
 ;
 h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id:
 Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=wj2TNNi2HHknCg0In6x/ManrHEGxl6UZjC8cdShzjsw=; b=IV5MqWzPteZRGTAPn0oLo6HM3t
 DOaZQoWpA/djfrKTrpf/fTkBNhyZBIXwAbM7KlX6qHTwHoSMuxRBHMHMc7sijhNO65Cb1fXSp0gep
 fjvCPAcszR77ls53crMu27HAVzrnVPjYyE454N3tRFpxdSx5AUxPvhirsJoArajqPnBw=;
Received: from mail.blinkt.de ([192.26.174.232])
 by sfi-mx-2.v28.lw.sourceforge.com with esmtps
 (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95)
 id 1qFgtk-00004y-4e for openvpn-devel@lists.sourceforge.net;
 Sat, 01 Jul 2023 20:08:49 +0000
Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c])
 by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD))
 (envelope-from <arne@kamera.blinkt.de>) id 1qFgtc-000PlV-Pr
 for openvpn-devel@lists.sourceforge.net;
 Sat, 01 Jul 2023 22:08:40 +0200
Received: (nullmailer pid 3516367 invoked by uid 10006);
 Sat, 01 Jul 2023 20:08:40 -0000
From: Arne Schwabe <arne@rfc2549.org>
To: openvpn-devel@lists.sourceforge.net
Date: Sat,  1 Jul 2023 22:08:40 +0200
Message-Id: <20230701200840.3516314-3-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20230701200840.3516314-1-arne@rfc2549.org>
References: <20230701200840.3516314-1-arne@rfc2549.org>
MIME-Version: 1.0
X-Spam-Score: 0.3 (/)
X-Spam-Report: Spam detection software,
 running on the system "util-spamd-1.v13.lw.sourceforge.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: OpenSSL has a weird way of only reporting EC curves that are
 implemented in a certain way in the list of all EC cruves. Note this fact
 and point out that also the very important curves X448 and X25519 [...]
 Content analysis details:   (0.3 points, 6.0 required)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
 mail domains are different
 0.0 SPF_NONE               SPF: sender does not publish an SPF Record
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
X-Headers-End: 1qFgtk-00004y-4e
Subject: [Openvpn-devel] [PATCH 3/3] Add warning for the --show-groups
 command that some groups are missing
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox
X-GMAIL-THRID: =?utf-8?q?1770250241048735121?=
X-GMAIL-MSGID: =?utf-8?q?1770250241048735121?=

OpenSSL has a weird way of only reporting EC curves that are implemented
in a certain way in the list of all EC cruves. Note this fact and point
out that also the very important curves X448 and X25519 are affected.

Change-Id: I86641bf60d62a50e9b2719e809d2429d65c00097
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/ssl_openssl.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 59bbdfc0a..442ae1871 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -2355,8 +2355,10 @@ show_available_tls_ciphers_list(const char *cipher_list,
 void
 show_available_curves(void)
 {
-    printf("Consider using openssl 'ecparam -list_curves' as\n"
-           "alternative to running this command.\n");
+    printf("Consider using 'openssl ecparam -list_curves' as alternative to running\n"
+           "this command.\n"
+           "Note this output does only list curves/group that OpenSSL considers as\n"
+           "builtin EC curves. It does not list additional curves nor X448 or X25519\n");
 #ifndef OPENSSL_NO_EC
     EC_builtin_curve *curves = NULL;
     size_t crv_len = 0;