From b60d2bb98c77d5836b7e3e2d21eeeb17aa55d3f2 Mon Sep 17 00:00:00 2001
From: Arne Schwabe
Date: Wed, 2 Apr 2025 17:33:28 +0200
Subject: [PATCH] Use SSL_get0_peer_signature_name instead of SSL_get_peer_signature_nid

SSL_get0_peer_signature_name returns a string instead of hardcoded NIDs. NIDS do not work with provider provided signatures or the new PQ signatures introduced in OpenSSL 3.5.

Remove also the comment that was added earlier that says that there is no proper API replacement for SSL_get_peer_signature_nid yet as OpenSSL 3.5.0 has now introduced it.

Change-Id: I2bc782ceebcc91a8dc8ada0bb72ac042be46cad6
Signed-off-by: Arne Schwabe
Acked-by: Antonio Quartulli
Message-Id: <20250402153337.5262-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31336.html
Signed-off-by: Gert Doering
---
 src/openvpn/openssl_compat.h | 26 ++++++++++++++++++++++++++
 src/openvpn/ssl_openssl.c | 19 ++++++++-----------
 2 files changed, 34 insertions(+), 11 deletions(-)

diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index 3e3b406a..e2bd9bf2 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -173,4 +173,30 @@ ERR_get_error_all(const char **file, int *line,
 #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#if OPENSSL_VERSION_NUMBER < 0x30500000 && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL)
+static inline int
+SSL_get0_peer_signature_name(SSL *ssl, const char **sigalg)
+{
+    int peer_sig_nid;
+    if (SSL_get_peer_signature_nid(ssl, &peer_sig_nid)
+        && peer_sig_nid != NID_undef)
+    {
+        *sigalg = OBJ_nid2sn(peer_sig_nid);
+        return 1;
+    }
+    return 0;
+}
+#elif defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x3050400fL
+/* The older LibreSSL version do not implement any variant of getting the peer
+ * signature */
+static inline int
+SSL_get0_peer_signature_name(const SSL *ssl, const char **sigalg)
+{
+    *sigalg = NULL;
+    return 0;
+}
+#endif /* if OPENSSL_VERSION_NUMBER < 0x30500000 && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL) */
+
+
+
 #endif /* OPENSSL_COMPAT_H_ */
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index aad79a4b..23b0266e 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
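Review bot: The two fallback definitions of SSL_get0_peer_signature_name do not share one contract: the OpenSSL branch leaves `*sigalg` untouched when no signature is available and takes a non-const `SSL *`, while the LibreSSL stub writes `*sigalg = NULL` and takes `const SSL *`, so a caller that does not pre-initialise the out-pointer reads an indeterminate value under the first branch. Setting `*sigalg = NULL;` at the top of the first shim and ending the success path with `return *sigalg != NULL;` instead of `return 1;` (OBJ_nid2sn returns NULL for a NID it cannot name) gives both variants the same observable behaviour. The `const` difference is presumably forced by SSL_get_peer_signature_nid taking a non-const SSL; a one-line comment saying so, `/* non-const: SSL_get_peer_signature_nid() takes SSL * */`, would stop the next reader from "fixing" it. The closing `#endif` comment repeats only the first `#if` condition although it also closes the `#elif` branch; a short `/* SSL_get0_peer_signature_name compat */` is accurate for both.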
@@ -2454,20 +2454,17 @@ get_sigtype(int nid)
 static void
 print_peer_signature(SSL *ssl, char *buf, size_t buflen)
 {
-    int peer_sig_nid = NID_undef, peer_sig_type_nid = NID_undef;
-    const char *peer_sig = "unknown";
+    int peer_sig_type_nid = NID_undef;
+    const char *peer_sig_unknown = "unknown";
+    const char *peer_sig = peer_sig_unknown;
     const char *peer_sig_type = "unknown type";
-    /* Even though these methods use the deprecated NIDs instead of using
-     * string as new OpenSSL APIs do, there seem to be no API that replaces
-     * it yet */
-#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL
-    if (SSL_get_peer_signature_nid(ssl, &peer_sig_nid)
-        && peer_sig_nid != NID_undef)
+    const char *signame = NULL;
+    SSL_get0_peer_signature_name(ssl, &signame);
+    if (signame)
     {
-        peer_sig = OBJ_nid2sn(peer_sig_nid);
+        peer_sig = signame;
     }
-#endif
 #if !defined(LIBRESSL_VERSION_NUMBER) \
     || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3090000fL)
@@ -2480,7 +2477,7 @@ print_peer_signature(SSL *ssl, char *buf, size_t buflen)
     }
 #endif
-    if (peer_sig_nid == NID_undef && peer_sig_type_nid == NID_undef)
+    if (peer_sig == peer_sig_unknown && peer_sig_type_nid == NID_undef)
     {
         return;
     }
-- 
2.39.5
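Review bot: The return value of `SSL_get0_peer_signature_name(ssl, &signame);` is discarded and success is inferred from `signame` alone, which only works because `signame` is initialised to NULL on the line before and the compat shim never writes on failure; folding the two together, `if (SSL_get0_peer_signature_name(ssl, &signame) && signame)`, states that contract in one place. `peer_sig_unknown` is introduced only so the early return in the second hunk can test `peer_sig == peer_sig_unknown`; a `bool have_peer_sig` set inside the `if (signame)` branch reads more directly than a sentinel-pointer comparison and does not silently break if the "unknown" default is ever assigned from a different literal. print_peer_signature continues past the end of both hunks, so the eventual formatting of peer_sig into buf is not visible here.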