From 86d9cd293828904660c1d37b91c643053e33f02f Mon Sep 17 00:00:00 2001
From: Bob Beck
Date: Sun, 13 Sep 2015 10:32:47 +0000
Subject: add visibility of ciper and connection version strings

ok jsing@
---
 lib/libtls/tls.h | 4 +++-
 lib/libtls/tls_conninfo.c | 28 +++++++++++++++++++++++++++-
 lib/libtls/tls_init.3 | 26 +++++++++++++++++++++++---
 lib/libtls/tls_internal.h | 4 +++-
 4 files changed, 56 insertions(+), 6 deletions(-)

diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h
index 2f91ea68bab..442fe350649 100644
--- a/lib/libtls/tls.h
+++ b/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.22 2015/09/12 21:00:38 beck Exp $ */
+/* $OpenBSD: tls.h,v 1.23 2015/09/13 10:32:46 beck Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -105,6 +105,8 @@ int tls_peer_cert_contains_name(struct tls *ctx, const char *name);
 const char * tls_peer_cert_hash(struct tls *_ctx);
 const char * tls_peer_cert_issuer(struct tls *ctx);
 const char * tls_peer_cert_subject(struct tls *ctx);
+const char * tls_conn_version(struct tls *ctx);
+const char * tls_conn_cipher(struct tls *ctx);
 
 uint8_t *tls_load_file(const char *_file, size_t *_len, char *_password);
 
diff --git a/lib/libtls/tls_conninfo.c b/lib/libtls/tls_conninfo.c
index 267a8747c91..0c99741b635 100644
--- a/lib/libtls/tls_conninfo.c
+++ b/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_conninfo.c,v 1.1 2015/09/12 21:00:38 beck Exp $ */
+/* $OpenBSD: tls_conninfo.c,v 1.2 2015/09/13 10:32:46 beck Exp $ */
 /*
  * Copyright (c) 2015 Joel Sing
  * Copyright (c) 2015 Bob Beck
@@ -130,6 +130,12 @@ tls_get_conninfo(struct tls *ctx) {
 			goto err;
 		if (tls_get_peer_cert_issuer(ctx, &ctx->conninfo->issuer) == -1)
 			goto err;
+		ctx->conninfo->version = strdup(SSL_get_version(ctx->ssl_conn));
+		if (ctx->conninfo->version == NULL)
+			goto err;
+		ctx->conninfo->cipher = strdup(SSL_get_cipher(ctx->ssl_conn));
+		if (ctx->conninfo->cipher == NULL)
+			goto err;
 	}
 	rv = 0;
 err:
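Review bot: The six added lines in the tls_conninfo.c hunk at -130 sit inside the block that the ` }` context line right after them closes, and that block's condition lies outside the hunk; because the three lookups preceding them are all peer-certificate accessors, the block appears to be guarded by the presence of a peer certificate, in which case `conninfo->version` and `conninfo->cipher` stay NULL on every completed handshake where the peer presented no certificate (typically a server whose client was not asked for one) and the new accessors report nothing. If that is the guard, the two assignments belong after the closing brace and before `rv = 0;`, so they are recorded for every handshake. SSL_get_version() and SSL_get_cipher() return placeholder strings rather than NULL in LibreSSL/OpenSSL, so the two NULL checks only catch strdup() failure; a comment such as `/* neither SSL accessor returns NULL; only strdup() can fail here */` would spare the next reader a redundant guard. tls_get_conninfo() begins before the hunk and its `err:` cleanup continues past it.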
@@ -145,5 +151,25 @@ tls_free_conninfo(struct tls_conninfo *conninfo) {
 		conninfo->subject = NULL;
 		free(conninfo->issuer);
 		conninfo->issuer = NULL;
+		free(conninfo->version);
+		conninfo->version = NULL;
+		free(conninfo->cipher);
+		conninfo->cipher = NULL;
 	}
 }
+
+const char *
+tls_conn_cipher(struct tls *ctx)
+{
+	if (ctx->conninfo)
+		return (ctx->conninfo->cipher);
+	return NULL;
+}
+
+const char *
+tls_conn_version(struct tls *ctx)
+{
+	if (ctx->conninfo)
+		return (ctx->conninfo->version);
+	return NULL;
+}
diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3
index 90cbdb3f3bd..ead2a8095db 100644
--- a/lib/libtls/tls_init.3
+++ b/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.43 2015/09/12 21:00:38 beck Exp $
+.\" $OpenBSD: tls_init.3,v 1.44 2015/09/13 10:32:46 beck Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 12 2015 $
+.Dd $Mdocdate: September 13 2015 $
 .Dt TLS_INIT 3
 .Os
 .Sh NAME
@@ -127,6 +127,10 @@
 .Fn tls_peer_cert_subject "struct tls *ctx"
 .Ft "const char *"
 .Fn tls_peer_cert_hash "struct tls *ctx"
+.Ft "const char *"
+.Fn tls_conn_version "struct tls *ctx"
+.Ft "const char *"
+.Fn tls_conn_cipher "struct tls *ctx"
 .Ft "uint8_t *"
 .Fn tls_load_file "const char *file" "size_t *len" "char *password"
 .Ft "struct tls *"
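Review bot: `tls_conn_cipher()` and `tls_conn_version()` each mix a parenthesised `return (ctx->conninfo->cipher);` with a bare `return NULL;` two lines apart in the same four-line body; the parenthesised form already used in both functions suggests `return (NULL);` for the fallback as well. Neither accessor documents the ownership or lifetime of the pointer it hands out, which is the detail a caller most needs: the string belongs to `ctx->conninfo`, is released by `tls_free_conninfo()` (the lines added at the top of this hunk), and is NULL until a handshake has populated conninfo. A header comment on each, e.g. `/* Negotiated cipher suite name; owned by ctx, valid until its conninfo is freed, NULL before the handshake completes. */`, would state that contract. Both accessors dereference `ctx` without a check, which is consistent with the conninfo code visible in this hunk as far as it shows.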
@@ -416,7 +420,23 @@ h=$(openssl x509 -outform der -in mycert.crt | sha256)
 printf "SHA256:${h}\\n"
 .Ed
 .Pp
-.Fn tls_peer_cert_subject
+.It
+.Fn tls_conn_version
+returns a string
+corresponding to a TLS version negotiated with the peer
+connected to
+.Ar ctx
+.It
+.Fn tls_conn_version
+will only succeed after the handshake is complete.
+.It
+.Fn tls_conn_cipher
+returns a string
+corresponding to a the cipher suite negotated with the peer
+connected to
+.Ar ctx
+.It
+.Fn tls_conn_cipher
 will only succeed after the handshake is complete.
 .Em (Server and client)
 .It
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index e31c39a135b..d7878a75e32 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.21 2015/09/12 21:00:38 beck Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.22 2015/09/13 10:32:46 beck Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas
  * Copyright (c) 2014 Joel Sing
@@ -54,6 +54,8 @@ struct tls_conninfo {
 	char *hash;
 	char *serial;
 	char *fingerprint;
+	char *version;
+	char *cipher;
 };
 
 #define TLS_CLIENT (1 << 0)
-- 
cgit v1.2.3