From patchwork Wed Apr 2 13:54:10 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4207
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 2 Apr 2025 15:54:10 +0200
Message-ID: <20250402135416.8862-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.45.2
Subject: [Openvpn-devel] [PATCH v4] Use SSL_get0_peer_signature_name instead of SSL_get_peer_signature_nid

From: Arne Schwabe

SSL_get0_peer_signature_name returns a string instead of hardcoded NIDs. NIDs do not work with provider provided signatures or the new PQ signatures introduced in OpenSSL 3.5.

Also remove the comment that was added earlier that says that there is no proper API replacement for SSL_get_peer_signature_nid yet, as OpenSSL 3.5.0 has now introduced it.

Change-Id: I2bc782ceebcc91a8dc8ada0bb72ac042be46cad6
Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/927 This mail reflects revision 4 of this Change. Acked-by according to Gerrit (reflected above): Antonio Quartulli diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index 3e3b406..e2bd9bf 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -173,4 +173,30 @@ #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#if OPENSSL_VERSION_NUMBER < 0x30500000 && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL) +static inline int +SSL_get0_peer_signature_name(SSL *ssl, const char **sigalg) +{ + int peer_sig_nid; + if (SSL_get_peer_signature_nid(ssl, &peer_sig_nid) + && peer_sig_nid != NID_undef) + { + *sigalg = OBJ_nid2sn(peer_sig_nid); + return 1; + } + return 0; +} +#elif defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x3050400fL +/* The older LibreSSL version do not implement any variant of getting the peer + * signature */ +static inline int +SSL_get0_peer_signature_name(const SSL *ssl, const char **sigalg) +{ + *sigalg = NULL; + return 0; +} +#endif /* if OPENSSL_VERSION_NUMBER < 0x30500000 && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL) */ + + + #endif /* OPENSSL_COMPAT_H_ */ diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index aad79a4..23b0266 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c 
@@ -2454,20 +2454,17 @@ static void print_peer_signature(SSL *ssl, char *buf, size_t buflen) { - int peer_sig_nid = NID_undef, peer_sig_type_nid = NID_undef; - const char *peer_sig = "unknown"; + int peer_sig_type_nid = NID_undef; + const char *peer_sig_unknown = "unknown"; + const char *peer_sig = peer_sig_unknown; const char *peer_sig_type = "unknown type"; - /* Even though these methods use the deprecated NIDs instead of using - * string as new OpenSSL APIs do, there seem to be no API that replaces - * it yet */ -#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL - if (SSL_get_peer_signature_nid(ssl, &peer_sig_nid) - && peer_sig_nid != NID_undef) + const char *signame = NULL; + SSL_get0_peer_signature_name(ssl, &signame); + if (signame) { - peer_sig = OBJ_nid2sn(peer_sig_nid); + peer_sig = signame; } -#endif #if !defined(LIBRESSL_VERSION_NUMBER) \ || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3090000fL) @@ -2480,7 +2477,7 @@ } #endif - if (peer_sig_nid == NID_undef && peer_sig_type_nid == NID_undef) + if (peer_sig == peer_sig_unknown && peer_sig_type_nid == NID_undef) { return; }
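Review bot: In the openssl_compat.h hunk the two compat definitions of SSL_get0_peer_signature_name disagree on both signature and failure behaviour: the pre-3.5 OpenSSL shim takes `SSL *ssl` and leaves `*sigalg` untouched when SSL_get_peer_signature_nid() fails or yields NID_undef, while the old-LibreSSL stub takes `const SSL *ssl` and writes `*sigalg = NULL`. Pick one contract (writing NULL on failure in the first shim is the safer choice, because the caller in ssl_openssl.c tests the pointer rather than the return value) and use the same parameter constness in both so the shims match each other and the prototype the real OpenSSL 3.5 header exposes. Smaller points: the guard `OPENSSL_VERSION_NUMBER < 0x30500000` lacks the `L` suffix used by the neighbouring `0x30000000L` check; the closing `#endif` comment repeats the entire condition and could be shortened to `/* OPENSSL_VERSION_NUMBER < 0x30500000L */`; the stub's comment should read "Older LibreSSL versions do not implement any variant of getting the peer signature"; and the three blank lines before the final `#endif` can be reduced to one.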
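Review bot: In the print_peer_signature() hunk the return value of SSL_get0_peer_signature_name() is discarded and success is judged solely by `signame != NULL`; that only holds if every implementation either sets `*sigalg` on success or leaves the caller's NULL initialisation intact on failure, which is precisely the detail on which the two compat shims in this patch differ. Test the return value instead, e.g. `if (SSL_get0_peer_signature_name(ssl, &signame) && signame)`, so this function does not depend on that contract. The new early-return condition `peer_sig == peer_sig_unknown` compares pointers to decide whether a signature name was obtained; it is correct as written since `peer_sig` is only ever assigned `peer_sig_unknown` or `signame`, but a `bool have_peer_sig` set inside the `if (signame)` branch would state the intent more plainly than an identity check against a string literal.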