From patchwork Sat Oct 7 10:25:30 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "ordex (Code Review)" X-Patchwork-Id: 3374 Return-Path: Delivered-To: Received: by 2002:a05:7300:b412:b0:f2:62eb:61c1 with SMTP id dj18csp937619dyb; Sat, 7 Oct 2023 03:26:10 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHqoUTyunduli+EVIuLRT/1DI86zz0b+WzOTDLoPdMiGGi9bJbtFjiO1I03cD08oeOCQFul X-Received: by 2002:a17:902:e885:b0:1c0:bf60:ba82 with SMTP id w5-20020a170902e88500b001c0bf60ba82mr11596456plg.5.1696674370384; Sat, 07 Oct 2023 03:26:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696674370; cv=none;; s=arc-20160816; b=Q59Z60K7z7l9WxP+XIuTqz80KF/6MXCyuZGR6pVLA1Jhr+SJmFNbal0pthxdAO2WGJ zDhHM1NI+7AfR4+zUDNalxJFbDiRXNHw62ebzPjX96dCUtkfTB8/YBtYravxvN1vkbqQ /r961mVxOV/kZEWL0pxEVG0lvpHn1eAYoFDgtFdILHgJebMugjKPoO3OXKNYMhaqnOwZ WL7/ConDxM8fTmBsS/AKzu66Mcbt5OHdIZ2bJSNOpj0KH66cuBjV90UHmk5QOJUE0y9f zey8wd2vN5tJxXnWhasrVUBqyj0GqnZxaI8GAeeNl8Wpjt9u8nPY3UZd+oScxldn1/eX 5A9A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arc-20160816; h=errors-to:cc:reply-to:list-subscribe:list-help:list-post :list-archive:list-unsubscribe:list-id:precedence:subject:user-agent :mime-version:message-id:references:auto-submitted:to:date:from :dkim-signature:dkim-signature:dkim-signature; bh=kEN/D7q0COKQyJSM4L3nHcMc63UZhXqfgMdw2urY+Kg=; fh=lm0MLPW7DntlrDqRECIiC9JlE1uPxhepE0URYHIf+eE=; b=d8ghbmLRxBsV/R+IjmgKHZOirMllGQ6vk7AtMqv0Kanv5O9xt7raxb0JFxLJUhrlfG 8B2GTLxcuwmSwiojCt0ctGoX6CBuBjN4N22+bouFU4wMQLxAANSOmpgLxKOay5Vx8BFR SjYpaH2KX64xUvbSyROWhJHRrM4YYWXt80fmeJivGjJOVm8thx5QL0bmFGfkykSitCz1 463E8KJ4HvBlLilURuj6IXD4uJjqsua+pXcVTypg0AMkXCpD93R5WLhK/UPkK5A9DZsm d8Fat8ZFz0evkUhzIxbQZTGehCknpzYE2G9I9zOWMYlMNL4qQFfyooqgsiNCx3mF2S/t C+6A== ARC-Authentication-Results: i=1;; dkim=neutral (body hash did not verify) header.s=x header.b=XwDSHKSY; dkim=neutral (body hash did not verify) header.s=x header.b="Fo/tAph3"; dkim=neutral (body hash did not verify) header.s=google header.b=ZT+lj9hq; spf=pass ( domain of designates as permitted sender); dmarc=fail (p=NONE sp=NONE dis=NONE) Received: from ( []) by with ESMTPS id rj4-20020a17090b3e8400b002774e4d6e7dsi6162172pjb.147.2023. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 07 Oct 2023 03:26:10 -0700 (PDT) Received-SPF: pass ( domain of designates as permitted sender) client-ip=; Authentication-Results:; dkim=neutral (body hash did not verify) header.s=x header.b=XwDSHKSY; dkim=neutral (body hash did not verify) header.s=x header.b="Fo/tAph3"; dkim=neutral (body hash did not verify) header.s=google header.b=ZT+lj9hq; spf=pass ( domain of designates as permitted sender); dmarc=fail (p=NONE sp=NONE dis=NONE) Received: from [] ( by with esmtp (Exim 4.95) (envelope-from ) id 1qp4VN-0007rE-HL; Sat, 07 Oct 2023 10:25:52 +0000 Received: from [] ( by with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1qp4VF-0007r7-Hh for; Sat, 07 Oct 2023 10:25:44 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=x; h=Content-Type:Content-Transfer-Encoding:MIME-Version :Message-ID:Reply-To:References:Subject:List-Unsubscribe:List-Id:Cc:To:Date: From:Sender:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help: List-Subscribe:List-Post:List-Owner:List-Archive; bh=YSpO+10E6uOXVLf4nX4sZw4PN1lfqkMfzT429udkBDI=; b=XwDSHKSYw01AYHmiivb6/YL/tK eQvSXxv/l8jp+LOAV5yMkRduWsEWwfq7Pv9aTgK3rNoTmt0GjKg5BjzXgx+n/NzrDnSIQ3IeAZrFp JJ8ZsOnQowZYH8GHjf6gXqZc+FstPygohAiaS5laRkAfWR7vDdZrnFt7xZ32Wfl15Go8=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=x ; h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:Reply-To: References:Subject:List-Unsubscribe:List-Id:Cc:To:Date:From:Sender:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help:List-Subscribe:List-Post: List-Owner:List-Archive; bh=YSpO+10E6uOXVLf4nX4sZw4PN1lfqkMfzT429udkBDI=; b=F o/tAph3MRzPTvmWeNfN6DnDukiDBy9SbMKrZFcWktQZRJbDTCGpUf5ZtFiYynvrpc0LBHAyStIXef iorEg7bMpTwzJWKdTq34T/Sqib0RDqmiJLFWv490mv2QGisNPzpq+ZkSpT+/Rx32LguGIJOyjX9Wc 5Dn4OV80WaH0NPv0=; Received: from ([]) by with esmtps (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.95) id 1qp4V7-0000yX-QF for; Sat, 07 Oct 2023 10:25:43 +0000 Received: by with SMTP id ffacd0b85a97d-32329d935d4so2603325f8f.2 for ; Sat, 07 Oct 2023 03:25:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; t=1696674331; x=1697279131;; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from:from:to:cc :subject:date:message-id:reply-to; bh=YSpO+10E6uOXVLf4nX4sZw4PN1lfqkMfzT429udkBDI=; b=ZT+lj9hqMFxXgNveaMAEhwHkspA2BFt3gfDZ1+W85FPXlEjz5tcgPl2BzRtzdOY1LO L8AUMT6EM7FCoDpXVDSWiWirvLGrUTUv4X9tklx6dFC79m/umXqN2FYY1Du23e/35lYs QVMP25saInmiH5Qx2GjhyWTpiolwOgLnqmNdvzZheih5HR3UTEUCx4CKdvFFyiOCo0oN thVjKp/zEukdGpAcL7TMqSPo4z/ptqbiGrcGR4NS7SJRx4fo9YCx9CuJMEEZ2Zj27eE7 /gvnxpFADKqB3o7NvlhatxsjXnp/AvRa0FTOBH2uXTvm22Zao2M9CSS5tCaRi2PPrKAf FZOQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20230601; t=1696674331; x=1697279131; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=YSpO+10E6uOXVLf4nX4sZw4PN1lfqkMfzT429udkBDI=; b=PB4eORsgfgzwYq+LXq21TZ/06rkC5WDxm4ZcsAxC1guwyS3nC/uavTlX7l4TrKWUmb InIAYD3iCTWTRlzXCC3Ug6cK97fcswXP7VzxtoIfwOi4mPBUw2eJxgbjUEnduzgHYSlf Hb2cD+cMFfP/aH8Mcg6IGeyJPrv71PFazvhNnLQogXQ/BcuJCp0f/7Wx8iVE3igp8hoP /oubmgZFsEqJs2icxi+AlZci6eL+9W6rL5BFlX9g4nPfn24dfMvMG2lomduRUWnK+trP pmdmYZoKimlWQLefOeZFaWBSPXG4tj+RkobYdv+oqgkFv2GiaJ4jgVvKw8ZsmESZp06X wGpQ== X-Gm-Message-State: AOJu0YyPOubO1fkUrGHJvARgyVHkiWOhMo+Er69DDR99iiTTefdZI04K PWGDG9Sqpfs9uNEnujt3tkIWTWyOZMMqtxvw2RU= X-Received: by 2002:adf:fdc7:0:b0:31f:f982:5395 with SMTP id i7-20020adffdc7000000b0031ff9825395mr9729662wrs.35.1696674331198; Sat, 07 Oct 2023 03:25:31 -0700 (PDT) Received: from ( []) by with ESMTPSA id t6-20020adff046000000b003231a0ca5ebsm3902430wro.49.2023. (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 07 Oct 2023 03:25:30 -0700 (PDT) From: "plaisthos (Code Review)" X-Google-Original-From: "plaisthos (Code Review)" X-Gerrit-PatchSet: 1 Date: Sat, 7 Oct 2023 10:25:30 +0000 To: flichtenheld Auto-Submitted: auto-generated X-Gerrit-MessageType: newchange X-Gerrit-Change-Id: Ib5fc0c4b8f164596681ac5ad73002068ec6de1e5 X-Gerrit-Change-Number: 365 X-Gerrit-Project: openvpn X-Gerrit-ChangeURL: X-Gerrit-Commit: 11d314d91f2b44cf85637a3e421231a1bcf47da9 References: Message-ID: <> MIME-Version: 1.0 User-Agent: Gerrit/3.8.2 X-Spam-Score: -0.6 (/) X-Spam-Report: Spam detection software, running on the system "", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit Content analysis details: (-0.6 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record -0.4 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [ listed in] -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at, no trust [ listed in] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 WEIRD_PORT URI: Uses non-standard port number for HTTP 0.0 HTML_MESSAGE BODY: HTML included in message 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML X-Headers-End: 1qp4V7-0000yX-QF Subject: [Openvpn-devel] [M] Change in openvpn[master]: Print SSL peer signature information in handshake debug details X-BeenThere: X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To:,, Cc: openvpn-devel Errors-To: X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1779092024492280147?= X-GMAIL-MSGID: =?utf-8?q?1779092024492280147?= X-getmail-filter-classifier: gerrit message type newchange Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit to review the following change. Change subject: Print SSL peer signature information in handshake debug details ...................................................................... Print SSL peer signature information in handshake debug details This is more SSL debug information that most people do not really need or care about. OpenSSL's own s_client also logs them: Peer signing digest: SHA256 Peer signature type: ECDSA The complete message looks like this: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, server temp key: 253 bits X25519, peer signing digest/type: SHA256 RSASSA-PSS or when forcing a specific group via tls-groups X448 with a ECDSA server: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 384 bits ECsecp384r1, signature: ecdsa-with-SHA256, server temp key: 448 bits X448, peer signing digest/type: SHA384 ECDSA Change-Id: Ib5fc0c4b8f164596681ac5ad73002068ec6de1e5 --- M src/openvpn/ssl_openssl.c 1 file changed, 78 insertions(+), 2 deletions(-) git pull ssh:// refs/changes/65/365/1 diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index b91ea07..683d76a 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -2169,6 +2169,80 @@ EVP_PKEY_free(pkey); } +#ifndef LIBRESSL_VERSION_NUMBER +/** + * Translate an OpenVPN NID into a more human readable name + * @param nid + * @return + */ +static const char * +get_sigtype(int nid) +{ + /* Fix a few OpenSSL names to be better understandable */ + switch (nid) + { + case EVP_PKEY_RSA: + /* will otherwise say rsaEncryption */ + return "RSA"; + + case EVP_PKEY_DSA: + /* dsaEncryption otherwise */ + return "DSA"; + + case EVP_PKEY_EC: + /* will say id-ecPublicKey */ + return "ECDSA"; + + case -1: + return "(error getting name)"; + + default: + return OBJ_nid2sn(nid); + } +} +#endif /* ifndef LIBRESSL_VERSION_NUMBER */ + +/** + * Get the type of the signature that is used by the peer during the + * TLS handshake + */ +static void +print_peer_signature(SSL *ssl, char *buf, size_t buflen) +{ + int peer_sig_nid = NID_undef, peer_sig_type_nid = NID_undef; + const char *peer_sig = ""; + const char *peer_sig_type = ""; + + /* Even though these methods use the deprecated NIDs instead of using + * string as new OpenSSL APIs do, there seem to be no API that replaces + * it yet */ + if (SSL_get_peer_signature_nid(ssl, &peer_sig_nid) + && peer_sig_nid != NID_undef) + { + peer_sig = OBJ_nid2sn(peer_sig_nid); + } + +#ifndef LIBRESSL_VERSION_NUMBER + /* LibreSSL 3.7.x and 3.8.0 weirdly implment this function but fail on + * linking with an unresolved symbol */ + if (SSL_get_peer_signature_type_nid(ssl, &peer_sig_type_nid) + && peer_sig_type_nid != NID_undef) + { + peer_sig_type = get_sigtype(peer_sig_type_nid); + } +#endif + + if (peer_sig_nid == NID_undef && peer_sig_type_nid == NID_undef) + { + return; + } + + openvpn_snprintf(buf, buflen, ", peer signing digest/type: %s %s", + peer_sig, peer_sig_type); +} + + + /* ************************************** * * Information functions @@ -2183,8 +2257,9 @@ char s1[256]; char s2[256]; char s3[256]; + char s4[256]; - s1[0] = s2[0] = s3[0] = 0; + s1[0] = s2[0] = s3[0] = s4[0] = 0; ciph = SSL_get_current_cipher(ks_ssl->ssl); openvpn_snprintf(s1, sizeof(s1), "%s %s, cipher %s %s", prefix, @@ -2199,8 +2274,9 @@ X509_free(cert); } print_server_tempkey(ks_ssl->ssl, s3, sizeof(s3)); + print_peer_signature(ks_ssl->ssl, s4, sizeof(s4)); - msg(D_HANDSHAKE, "%s%s%s", s1, s2, s3); + msg(D_HANDSHAKE, "%s%s%s%s", s1, s2, s3, s4); } void