From patchwork Wed Apr 2 15:33:28 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4211
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 2 Apr 2025 17:33:28 +0200
Message-ID: <20250402153337.5262-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.45.2
Subject: [Openvpn-devel] [PATCH v4] Use SSL_get0_peer_signature_name instead of SSL_get_peer_signature_nid

From: Arne Schwabe

SSL_get0_peer_signature_name returns a string instead of hardcoded NIDs. NIDs do not work with provider-provided signatures or the new PQ signatures introduced in OpenSSL 3.5.

Remove also the comment that was added earlier that says that there is no proper API replacement for SSL_get_peer_signature_nid yet, as OpenSSL 3.5.0 has now introduced it.

Change-Id: I2bc782ceebcc91a8dc8ada0bb72ac042be46cad6
Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/927 This mail reflects revision 4 of this Change. Acked-by according to Gerrit (reflected above): Antonio Quartulli diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index 3e3b406..e2bd9bf 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -173,4 +173,30 @@ #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#if OPENSSL_VERSION_NUMBER < 0x30500000 && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL) +static inline int +SSL_get0_peer_signature_name(SSL *ssl, const char **sigalg) +{ + int peer_sig_nid; + if (SSL_get_peer_signature_nid(ssl, &peer_sig_nid) + && peer_sig_nid != NID_undef) + { + *sigalg = OBJ_nid2sn(peer_sig_nid); + return 1; + } + return 0; +} +#elif defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x3050400fL +/* The older LibreSSL version do not implement any variant of getting the peer + * signature */ +static inline int +SSL_get0_peer_signature_name(const SSL *ssl, const char **sigalg) +{ + *sigalg = NULL; + return 0; +} +#endif /* if OPENSSL_VERSION_NUMBER < 0x30500000 && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL) */ + + + #endif /* OPENSSL_COMPAT_H_ */ diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index aad79a4..23b0266 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c 
@@ -2454,20 +2454,17 @@ static void print_peer_signature(SSL *ssl, char *buf, size_t buflen) { - int peer_sig_nid = NID_undef, peer_sig_type_nid = NID_undef; - const char *peer_sig = "unknown"; + int peer_sig_type_nid = NID_undef; + const char *peer_sig_unknown = "unknown"; + const char *peer_sig = peer_sig_unknown; const char *peer_sig_type = "unknown type"; - /* Even though these methods use the deprecated NIDs instead of using - * string as new OpenSSL APIs do, there seem to be no API that replaces - * it yet */ -#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL - if (SSL_get_peer_signature_nid(ssl, &peer_sig_nid) - && peer_sig_nid != NID_undef) + const char *signame = NULL; + SSL_get0_peer_signature_name(ssl, &signame); + if (signame) { - peer_sig = OBJ_nid2sn(peer_sig_nid); + peer_sig = signame; } -#endif #if !defined(LIBRESSL_VERSION_NUMBER) \ || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3090000fL) @@ -2480,7 +2477,7 @@ } #endif - if (peer_sig_nid == NID_undef && peer_sig_type_nid == NID_undef) + if (peer_sig == peer_sig_unknown && peer_sig_type_nid == NID_undef) { return; }
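Review bot: In the openssl_compat.h hunk, the OpenSSL < 3.5 branch of the SSL_get0_peer_signature_name() shim leaves *sigalg untouched when SSL_get_peer_signature_nid() fails or yields NID_undef, while the LibreSSL stub right below it explicitly writes *sigalg = NULL; the caller in ssl_openssl.c only works because it pre-initialises signame to NULL. Add `*sigalg = NULL;` at the top of the first shim so both variants have the same contract (return 0, no usable name) and a caller that only inspects the out-parameter cannot pick up a stale pointer. Two smaller points: the prototypes differ (`SSL *ssl` vs `const SSL *ssl`); the non-const one is forced by SSL_get_peer_signature_nid(), but a one-line comment saying so would spare the next reader a puzzle. And the string returned by this shim is OBJ_nid2sn() of the digest NID that SSL_get_peer_signature_nid() reports (e.g. a hash short name), whereas the native OpenSSL 3.5 call returns the signature algorithm name, so the same log field will read differently between builds; worth a comment in the shim. Minor style: `0x30500000` lacks the L suffix used by the `0x30000000L` comparison just above it.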
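Review bot: In the @@ -2454 hunk of print_peer_signature(), the return value of SSL_get0_peer_signature_name() is thrown away and success is inferred from `signame != NULL`. That only holds because signame starts as NULL and every shim variant leaves it NULL on failure; testing the 1/0 return value, which the compat shims also implement, is more robust and reads as intended: `if (SSL_get0_peer_signature_name(ssl, &signame) && signame)`. The removed comment about there being no replacement API is rightly gone, but nothing in the function now says where the pre-3.5 fallback lives; a short pointer to openssl_compat.h next to the call would help.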
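Review bot: In the @@ -2480 hunk, `peer_sig == peer_sig_unknown` is a pointer comparison against a sentinel introduced solely to make this early-return test possible. signame is still in scope here, so `if (signame == NULL && peer_sig_type_nid == NID_undef)` states the condition directly, lets the new peer_sig_unknown variable go, and allows the original `const char *peer_sig = "unknown";` initialiser to stay as it was.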