Use SSL_get0_peer_signature_name instead of SSL_get_peer_signature_nid

SSL_get0_peer_signature_name returns a string instead of hardcoded NIDs. NIDS do not work with provider provided signatures or the new PQ signatures introduced in OpenSSL 3.5. Remove also the comment that was added earlier that says that there is no proper API replacement for SSL_get_peer_signature_nid yet as OpenSSL 3.5.0 has now introduced it. Change-Id: I2bc782ceebcc91a8dc8ada0bb72ac042be46cad6 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@mandelbit.com> Message-Id: <20250402153337.5262-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31336.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
2025-06-23 20:40:48 +08:00 · 2025-04-02 17:33:28 +02:00 · 2025-04-02 17:33:28 +02:00 · b60d2bb98c
commit b60d2bb98c
parent a51fb119d7
2 changed files with 34 additions and 11 deletions
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@ -173,4 +173,30 @@ ERR_get_error_all(const char **file, int *line,

 #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */

+#if OPENSSL_VERSION_NUMBER < 0x30500000 && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL)
+static inline int
+SSL_get0_peer_signature_name(SSL *ssl, const char **sigalg)
+{
+    int peer_sig_nid;
+    if (SSL_get_peer_signature_nid(ssl, &peer_sig_nid)
+        && peer_sig_nid != NID_undef)
+    {
+        *sigalg = OBJ_nid2sn(peer_sig_nid);
+        return 1;
+    }
+    return 0;
+}
+#elif defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x3050400fL
+/* The older LibreSSL version do not implement any variant of getting the peer
+ * signature */
+static inline int
+SSL_get0_peer_signature_name(const SSL *ssl, const char **sigalg)
+{
+    *sigalg = NULL;
+    return 0;
+}
+#endif /* if OPENSSL_VERSION_NUMBER < 0x30500000 && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL) */
+
+
+
 #endif /* OPENSSL_COMPAT_H_ */
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@ -2454,20 +2454,17 @@ get_sigtype(int nid)
 static void
 print_peer_signature(SSL *ssl, char *buf, size_t buflen)
 {
-    int peer_sig_nid = NID_undef, peer_sig_type_nid = NID_undef;
-    const char *peer_sig = "unknown";
+    int peer_sig_type_nid = NID_undef;
+    const char *peer_sig_unknown = "unknown";
+    const char *peer_sig = peer_sig_unknown;
    const char *peer_sig_type = "unknown type";

-    /* Even though these methods use the deprecated NIDs instead of using
-     * string as new OpenSSL APIs do, there seem to be no API that replaces
-     * it yet */
-#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL
-    if (SSL_get_peer_signature_nid(ssl, &peer_sig_nid)
-        && peer_sig_nid != NID_undef)
+    const char *signame = NULL;
+    SSL_get0_peer_signature_name(ssl, &signame);
+    if (signame)
    {
-        peer_sig = OBJ_nid2sn(peer_sig_nid);
+        peer_sig = signame;
    }
-#endif

 #if !defined(LIBRESSL_VERSION_NUMBER) \
    || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3090000fL)
@ -2480,7 +2477,7 @@ print_peer_signature(SSL *ssl, char *buf, size_t buflen)
    }
 #endif

-    if (peer_sig_nid == NID_undef && peer_sig_type_nid == NID_undef)
+    if (peer_sig == peer_sig_unknown && peer_sig_type_nid == NID_undef)
    {
        return;
    }