

Added API to read the ciphersuites used for CSTP and DTLS
[dwmw2: Various fixes, export new library functions properly]

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Nikos Mavrogiannopoulos authored and David Woodhouse committed Oct 27, 2014
1 parent f98cb7f commit 9f6f0df
Showing 7 changed files with 47 additions and 2 deletions.
3 changes: 2 additions & 1 deletion cstp.c
Expand Up @@ -489,7 +489,8 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
}
vpn_progress(vpninfo, PRG_INFO, _("CSTP connected. DPD %d, Keepalive %d\n"),
vpninfo->ssl_times.dpd, vpninfo->ssl_times.keepalive);

vpn_progress(vpninfo, PRG_DEBUG, _("CSTP Ciphersuite: %s\n"),
openconnect_get_cstp_cipher(vpninfo));

monitor_fd_new(vpninfo, ssl);

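Review bot: The `%s` on the new PRG_DEBUG line can be handed a NULL pointer, because the GnuTLS implementation of openconnect_get_cstp_cipher() returns whatever gnutls_session_get_desc() or gnutls_strdup() produced, and both yield NULL on allocation failure; passing NULL for `%s` is undefined behaviour even if glibc happens to print "(null)". Hold the result in a local and substitute a placeholder: `const char *cipher = openconnect_get_cstp_cipher(vpninfo);` followed by `vpn_progress(vpninfo, PRG_DEBUG, _("CSTP Ciphersuite: %s\n"), cipher ? cipher : "(unknown)");`. Logging the negotiated suite here is otherwise a good addition for diagnosing downgrade or policy issues. start_cstp_connection() begins and ends outside this hunk.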
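--- a/gnutls.c
+++ b/gnutls.c
@@ -2167,6 +2167,20 @@ void openconnect_init_ssl(void)
 gnutls_global_init();
 }
 
+const char *openconnect_get_cstp_cipher(struct openconnect_info *vpninfo)
+{
+if (vpninfo->cstp_cipher == NULL) {
+#if GNUTLS_VERSION_NUMBER > 0x03010a
+vpninfo->cstp_cipher = gnutls_session_get_desc(vpninfo->https_sess);
+#else
+vpninfo->cstp_cipher = gnutls_strdup(gnutls_cipher_suite_get_name(
+gnutls_kx_get(vpninfo->https_sess), gnutls_cipher_get(vpninfo->https_sess),
+gnutls_mac_get(vpninfo->https_sess)));
+#endif
+}
+return vpninfo->cstp_cipher;
+}
+
 int openconnect_sha1(unsigned char *result, void *data, int datalen)
 {
 gnutls_datum_t d;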
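Review bot: openconnect_get_cstp_cipher() passes vpninfo->https_sess to gnutls without checking it, so a library user who asks for the cipher before the HTTPS session exists (or after it has been torn down, if that clears https_sess) gets a crash inside GnuTLS instead of a NULL return; add `if (!vpninfo->https_sess) return vpninfo->cstp_cipher;` ahead of the cache fill. The value is also cached for the lifetime of vpninfo, whereas the OpenSSL counterpart in this commit reads the live session on every call, so after a reconnect that negotiates a different suite the GnuTLS build keeps reporting the old one — presumably the string should be gnutls_free()d and reset wherever https_sess is torn down, which is outside this hunk. gnutls_session_get_desc() and gnutls_strdup() both return NULL on allocation failure, so NULL is a legitimate result here and the header should say so. If gnutls_session_get_desc() is indeed available from 3.1.10, `>= 0x03010a` would be the precise version test; the current `>` merely falls back to the manual description on that one release.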
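--- a/libopenconnect.map.in
+++ b/libopenconnect.map.in
@@ -1,5 +1,7 @@
 OPENCONNECT_4.0 {
 global:
+openconnect_get_dtls_cipher;
+openconnect_get_cstp_cipher;
 openconnect_free_cert_info;
 openconnect_set_option_value;
 openconnect_clear_cookie;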
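Review bot: The two new exports are added to the existing OPENCONNECT_4.0 version node even though openconnect.h in this same commit bumps the API to 4.1 for them, so a client built against this library that calls openconnect_get_cstp_cipher() will still be allowed to load against an older library that only has the 4.0 node, and then fail with an unresolved symbol at call time (or at startup with non-lazy binding) rather than being refused at load time with a clear version mismatch. If OPENCONNECT_4.0 has already shipped in a release, give the additions their own node that inherits from 4.0, as below; if 4.0 is still unreleased this is harmless and can be ignored.
```text
OPENCONNECT_4.0 {
 global:
/* … unchanged: existing 4.0 symbols, without the two new ones … */
};

OPENCONNECT_4.1 {
 global:
	openconnect_get_cstp_cipher;
	openconnect_get_dtls_cipher;
} OPENCONNECT_4.0;
```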
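--- a/library.c
+++ b/library.c
@@ -191,6 +191,11 @@ void openconnect_vpninfo_free(struct openconnect_info *vpninfo)
 free(vpninfo->servercert);
 free(vpninfo->ifname);
 free(vpninfo->dtls_cipher);
+#if defined(OPENCONNECT_GNUTLS)
+gnutls_free(vpninfo->cstp_cipher);
+#else
+free(vpninfo->cstp_cipher);
+#endif
 free(vpninfo->dtls_addr);
 
 if (vpninfo->csd_scriptname) {
@@ -659,3 +664,8 @@ int openconnect_setup_tun_device(struct openconnect_info *vpninfo,
 
 return openconnect_setup_tun_fd(vpninfo, tun_fd);
 }
+
+const char *openconnect_get_dtls_cipher(struct openconnect_info *vpninfo)
+{
+return vpninfo->dtls_cipher;
+}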
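Review bot: The `#if defined(OPENCONNECT_GNUTLS)` split around the cstp_cipher release in openconnect_vpninfo_free() is correct but unexplained, and it is exactly the kind of thing a later cleanup "simplifies" into a plain free(): only the GnuTLS backend ever stores into cstp_cipher (from gnutls_session_get_desc() or gnutls_strdup(), both of which must be released with gnutls_free()), while the OpenSSL backend returns OpenSSL's own string and leaves the field untouched. A one-line comment above the `#if` would pin that down: `/* cstp_cipher is only populated by the GnuTLS backend, via gnutls_session_get_desc()/gnutls_strdup(), so it must be released with gnutls_free() */`. openconnect_vpninfo_free() starts and ends outside the first hunk.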
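--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -349,6 +349,7 @@ struct openconnect_info {
 unsigned char dtls_secret[48];
 
 char *dtls_cipher;
+char *cstp_cipher;
 char *vpnc_script;
 int script_tun;
 char *ifname;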
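--- a/openconnect.h
+++ b/openconnect.h
@@ -29,9 +29,12 @@
 #endif
 
 #define OPENCONNECT_API_VERSION_MAJOR 4
-#define OPENCONNECT_API_VERSION_MINOR 0
+#define OPENCONNECT_API_VERSION_MINOR 1
 
 /*
+* API version 4.1:
+* - Add openconnect_get_cstp_cipher(), openconnect_get_dtls_cipher().
+*
 * API version 4.0:
 * - Change string handling to never transfer ownership of allocations.
 * - Add openconnect_set_option_value(), openconnect_free_cert_info().
@@ -303,6 +306,15 @@ int openconnect_passphrase_from_fsid(struct openconnect_info *vpninfo);
 int openconnect_obtain_cookie(struct openconnect_info *vpninfo);
 void openconnect_init_ssl(void);
 
+/* These are strictly cosmetic. The strings differ for the same cipher
+* suite between DTLS and CSTP, and for CSTP they change depending on
+* whether OpenSSL or GnuTLS is being used. And even depending on the
+* version of GnuTLS. Do *not* attempt to do anything meaningful based
+* on matching these strings; if you want to do something like that then
+* ask for an API that *does* offer you what you need. */
+const char *openconnect_get_cstp_cipher(struct openconnect_info *);
+const char *openconnect_get_dtls_cipher(struct openconnect_info *);
+
 const char *openconnect_get_hostname(struct openconnect_info *);
 int openconnect_set_hostname(struct openconnect_info *, const char *);
 char *openconnect_get_urlpath(struct openconnect_info *);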
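Review bot: The comment above the two new prototypes says what the strings must not be used for, but not who owns them or when they are NULL, which is what a caller of a `const char *` accessor actually needs — particularly since the 4.0 changelog line in the first hunk makes "never transfer ownership" the rule for this API. The GnuTLS implementation hands back a string it allocated and keeps in vpninfo, and either accessor can return NULL when the corresponding transport is not up (or, for CSTP under GnuTLS, when allocating the description failed), so suggest appending: `* The returned pointers are owned by the library and must not be freed; treat them as valid only until the session changes or openconnect_vpninfo_free() is called. Either may be NULL if the corresponding transport has not been established.`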
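--- a/openssl.c
+++ b/openssl.c
@@ -1593,3 +1593,8 @@ int openconnect_local_cert_md5(struct openconnect_info *vpninfo,
 
 return 0;
 }
+
+const char *openconnect_get_cstp_cipher(struct openconnect_info *vpninfo)
+{
+return SSL_get_cipher_name(vpninfo->https_ssl);
+}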
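Review bot: openconnect_get_cstp_cipher() passes vpninfo->https_ssl straight to SSL_get_cipher_name(), which dereferences its argument via SSL_get_current_cipher(), so a library user calling this before the HTTPS connection is up, or after it has been closed and https_ssl cleared, gets a NULL dereference rather than a NULL return; guard it with `if (!vpninfo->https_ssl) return NULL;`. Unlike the GnuTLS version in this commit, this one caches nothing and reflects the live session on every call, which is the better behaviour across reconnects but means the two backends disagree about staleness; the header comment should at least say that NULL is a possible result so callers handle both. Note also that OpenSSL reports a placeholder name rather than NULL when no cipher has been negotiated, so a NULL check on the return alone is not a "connected" test.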
