API to get ciphersuite

David Woodhouse dwmw2 at infradead.org
Mon Oct 27 05:51:39 PDT 2014


On Mon, 2014-10-27 at 10:49 +0100, Nikos Mavrogiannopoulos wrote:
> Hello,
>  As it is now, a program using libopenconnect cannot get the
> ciphersuite in use in a session. This patch adds that API.

You have a habit of sending me patches which give me more work to do :)

Admittedly, I know I do the same to you, but you definitely won that
game by sending me a patch to make it *build* on Win32 without actually
doing anything useful, then letting my OCD kick in and figure out the
TAP-Windows driver and other issues :)

Here's an incremental patch which makes your patch look how I'd *like*
to have received it. It:
 - Fixes the function exports in the shared library.
 - Adds a warning comment about the strings being *purely* cosmetic,
   explaining the reason why.
 - Fixes it for OpenSSL too (which wasn't hard; we really do need to
   either drop support for OpenSSL entirely or try to make it keep up).
 - Fixes the whitespace warning that 'git am' gave me, and another
   slight inconsistency in coding style.
 - Frees vpninfo->cstp_cipher in openconnect_vpninfo_free() instead of
   freeing vpninfo->dtls_cipher twice.
 - Prints the CSTP cipher when connected.

One remaining issue: can the cipher change on a rehandshake? If so, your
cached vpninfo->cstp_cipher string might get out of date, and it needs
to be freed and set to NULL on a renegotiate too.

Oh, and we need to export the new functions to Java too. Kevin helpfully
added a 'NEW LIBRARY FUNCTION CHECKLIST' to openconnect.h to help remind
us to do that...


diff --git a/cstp.c b/cstp.c
index 881b2a3..2adef39 100644
--- a/cstp.c
+++ b/cstp.c
@@ -489,7 +489,8 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
 	}
 	vpn_progress(vpninfo, PRG_INFO, _("CSTP connected. DPD %d, Keepalive %d\n"),
 		     vpninfo->ssl_times.dpd, vpninfo->ssl_times.keepalive);
-
+	vpn_progress(vpninfo, PRG_DEBUG, _("CSTP Ciphersuite: %s\n"),
+		     openconnect_get_cstp_cipher(vpninfo));
 
 	monitor_fd_new(vpninfo, ssl);
 
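Review bot: the new vpn_progress() call passes openconnect_get_cstp_cipher(vpninfo) straight to a %s conversion, and the gnutls.c hunk shows that value is filled in lazily under a version guard, so it can still be NULL on the path where that guard fails; printing NULL through %s is undefined behaviour in the printf family. Suggest a fallback such as `openconnect_get_cstp_cipher(vpninfo) ?: _("(unknown)")` or an explicit NULL check before the log line. Also note this line is at PRG_DEBUG while the "CSTP connected" line just above it is PRG_INFO; if the intent in the cover mail ("Prints the CSTP cipher when connected") is for users to see it by default, the level should match.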
diff --git a/gnutls.c b/gnutls.c
index cce2853..5f1c9e5 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -2167,7 +2167,7 @@ void openconnect_init_ssl(void)
 	gnutls_global_init();
 }
 
-const char *openconnect_get_cstp_cipher(struct openconnect_info * vpninfo)
+const char *openconnect_get_cstp_cipher(struct openconnect_info *vpninfo)
 {
 	if (vpninfo->cstp_cipher == NULL) {
 #if GNUTLS_VERSION_NUMBER > 0x03010a
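Review bot: the `if (vpninfo->cstp_cipher == NULL)` guard means the string is computed once and cached for the life of the session, but nothing in this patch clears it, which is exactly the staleness the cover mail raises for rehandshakes. Either free() the cached string and reset vpninfo->cstp_cipher to NULL wherever the TLS renegotiation is handled, or drop the cache and query GnuTLS on every call so the returned value always reflects the current session; the whitespace fix on the parameter declaration itself is fine.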
diff --git a/libopenconnect.map.in b/libopenconnect.map.in
index 97f3de6..96c55ad 100644
--- a/libopenconnect.map.in
+++ b/libopenconnect.map.in
@@ -1,5 +1,7 @@
 OPENCONNECT_4.0 {
  global:
+	openconnect_get_dtls_cipher;
+	openconnect_get_cstp_cipher;
 	openconnect_free_cert_info;
 	openconnect_set_option_value;
 	openconnect_clear_cookie;
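Review bot: the two new symbols are added to the existing OPENCONNECT_4.0 version node, while the header hunk bumps OPENCONNECT_API_VERSION_MINOR to 1. With symbol versioning, a client built against this library will only record a dependency on OPENCONNECT_4.0, so loading it against an older 4.0 library will not fail at link time and the missing symbol surfaces only when it is called. Suggest a new node, e.g. `OPENCONNECT_4.1 { global: openconnect_get_cstp_cipher; openconnect_get_dtls_cipher; } OPENCONNECT_4.0;`, so the dynamic linker can enforce the 4.1 requirement.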
diff --git a/library.c b/library.c
index c146f57..1de96c4 100644
--- a/library.c
+++ b/library.c
@@ -192,9 +192,9 @@ void openconnect_vpninfo_free(struct openconnect_info *vpninfo)
 	free(vpninfo->ifname);
 	free(vpninfo->dtls_cipher);
 #if defined(OPENCONNECT_GNUTLS)
-	gnutls_free(vpninfo->dtls_cipher);
+	gnutls_free(vpninfo->cstp_cipher);
 #else
-	free(vpninfo->dtls_cipher);
+	free(vpninfo->cstp_cipher);
 #endif
 	free(vpninfo->dtls_addr);
 
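Review bot: the double free of vpninfo->dtls_cipher is correctly replaced by freeing vpninfo->cstp_cipher, but the hunk now frees the two strings with different allocators: dtls_cipher unconditionally via free() on the line above, cstp_cipher via gnutls_free() under OPENCONNECT_GNUTLS. That is only safe if the GnuTLS build allocates cstp_cipher with gnutls_malloc() (or a gnutls_* call that returns gnutls-owned memory) and the OpenSSL build never assigns a non-malloc'd pointer to it; since the openssl.c hunk returns SSL_get_cipher_name() directly without touching vpninfo->cstp_cipher, a short comment stating which allocator owns each field would prevent a future mismatch.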
@@ -669,4 +669,3 @@ const char *openconnect_get_dtls_cipher(struct openconnect_info *vpninfo)
 {
 	return vpninfo->dtls_cipher;
 }
-
diff --git a/openconnect.h b/openconnect.h
index 930a722..7d660df 100644
--- a/openconnect.h
+++ b/openconnect.h
@@ -29,9 +29,12 @@
 #endif
 
 #define OPENCONNECT_API_VERSION_MAJOR 4
-#define OPENCONNECT_API_VERSION_MINOR 0
+#define OPENCONNECT_API_VERSION_MINOR 1
 
 /*
+ * API version 4.1:
+ *  - Add openconnect_get_cstp_cipher(), openconnect_get_dtls_cipher().
+ *
  * API version 4.0:
  *  - Change string handling to never transfer ownership of allocations.
  *  - Add openconnect_set_option_value(), openconnect_free_cert_info().
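Review bot: the API minor bump to 4.1 and the changelog entry are correct, but the cover mail notes the Java bindings are still missing for the new functions, and the NEW LIBRARY FUNCTION CHECKLIST in this header is the place that lists the remaining steps (the JNI wrapper, and the version-script node that should match the 4.1 bump). Those should land in the same series as the version bump so that 4.1 does not advertise functions the Java side cannot reach.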
@@ -303,6 +306,12 @@ int openconnect_passphrase_from_fsid(struct openconnect_info *vpninfo);
 int openconnect_obtain_cookie(struct openconnect_info *vpninfo);
 void openconnect_init_ssl(void);
 
+/* These are strictly cosmetic. The strings differ for the same cipher
+ * suite between DTLS and CSTP, and for CSTP they change depending on
+ * whether OpenSSL or GnuTLS is being used. And even depending on the
+ * version of GnuTLS. Do *not* attempt to do anything meaningful based
+ * on matching these strings; if you want to do something like that then
+ * ask for an API that *does* offer you what you need. */
 const char *openconnect_get_cstp_cipher(struct openconnect_info *);
 const char *openconnect_get_dtls_cipher(struct openconnect_info *);
 
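Review bot: the comment documents that the strings are cosmetic but not who owns the returned pointer or how long it stays valid. Given the 4.0 rule in the changelog above ("never transfer ownership of allocations") and the rehandshake concern in the cover mail, suggest adding one line stating that the pointer is owned by the vpninfo, must not be freed by the caller, and is valid only until the next renegotiation or openconnect_vpninfo_free().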
diff --git a/openssl.c b/openssl.c
index 58620bf..aecd4b0 100644
--- a/openssl.c
+++ b/openssl.c
@@ -1594,8 +1594,7 @@ int openconnect_local_cert_md5(struct openconnect_info *vpninfo,
 	return 0;
 }
 
-const char *openconnect_get_cstp_cipher(struct openconnect_info * vpninfo)
+const char *openconnect_get_cstp_cipher(struct openconnect_info *vpninfo)
 {
-	/* no idea */
-	return NULL;
+	return SSL_get_cipher_name(vpninfo->https_ssl);
 }
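Review bot: SSL_get_cipher_name(vpninfo->https_ssl) is evaluated with no check on https_ssl, so if the function can be called before the HTTPS session is established or after it has been torn down, this dereferences a NULL SSL pointer inside OpenSSL. Suggest guarding with `if (!vpninfo->https_ssl) return NULL;` so the OpenSSL build has the same "not available" behaviour the GnuTLS build gets from its NULL-initialised cached string. Unlike the GnuTLS path this version is not cached, so it stays correct across a rehandshake for free, which is worth mentioning in the cover mail's open question.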


-- 
dwmw2