On Mon, 2014-10-27 at 10:49 +0100, Nikos Mavrogiannopoulos wrote:
> Hello,
> As it is now, a program using libopenconnect cannot get the
> ciphersuite in use in a session. This patch adds that API.

You have a habit of sending me patches which give me more work to do :)

Admittedly, I know I do the same to you, but you definitely won that game by sending me a patch to make it *build* on Win32 without actually doing anything useful, then letting my OCD kick in and figure out the TAP-Windows driver and other issues :)

Here's an incremental patch which makes your patch look how I'd *like* to have received it. It:

- Fixes the function exports in the shared library.
- Adds a warning comment about the strings being *purely* cosmetic, explaining the reason why.
- Fixes it for OpenSSL too (which wasn't hard; we really do need to either drop support for OpenSSL entirely or try to make it keep up).
- Fixes the whitespace warning that 'git am' gave me, and another slight inconsistency in coding style.
- Frees vpninfo->cstp_cipher in openconnect_vpninfo_free() instead of freeing vpninfo->dtls_cipher twice.
- Prints the CSTP cipher when connected.

One remaining issue: can the cipher change on a rehandshake? If so, your cached vpninfo->cstp_cipher string might get out of date, and it needs to be freed and set to NULL on a renegotiate too.

Oh, and we need to export the new functions to Java too. Kevin helpfully added a 'NEW LIBRARY FUNCTION CHECKLIST' to openconnect.h to help remind us to do that...

diff --git a/cstp.c b/cstp.c index 881b2a3..2adef39 100644 --- a/cstp.c +++ b/cstp.c @@ -489,7 +489,8 @@ static int start_cstp_connection(struct openconnect_info *vpninfo) } vpn_progress(vpninfo, PRG_INFO, _("CSTP connected. DPD %d, Keepalive %d\n"), vpninfo->ssl_times.dpd, vpninfo->ssl_times.keepalive); - + vpn_progress(vpninfo, PRG_DEBUG, _("CSTP Ciphersuite: %s\n"), + openconnect_get_cstp_cipher(vpninfo)); monitor_fd_new(vpninfo, ssl);
diff --git a/gnutls.c b/gnutls.c index cce2853..5f1c9e5 100644 --- a/gnutls.c +++ b/gnutls.c @@ -2167,7 +2167,7 @@ void openconnect_init_ssl(void) gnutls_global_init(); } -const char *openconnect_get_cstp_cipher(struct openconnect_info * vpninfo) +const char *openconnect_get_cstp_cipher(struct openconnect_info *vpninfo) { if (vpninfo->cstp_cipher == NULL) { #if GNUTLS_VERSION_NUMBER > 0x03010a diff --git a/libopenconnect.map.in b/libopenconnect.map.in index 97f3de6..96c55ad 100644 --- a/libopenconnect.map.in +++ b/libopenconnect.map.in @@ -1,5 +1,7 @@ OPENCONNECT_4.0 { global: + openconnect_get_dtls_cipher; + openconnect_get_cstp_cipher; openconnect_free_cert_info; openconnect_set_option_value; openconnect_clear_cookie; diff --git a/library.c b/library.c index c146f57..1de96c4 100644 --- a/library.c +++ b/library.c @@ -192,9 +192,9 @@ void openconnect_vpninfo_free(struct openconnect_info *vpninfo) free(vpninfo->ifname); free(vpninfo->dtls_cipher); #if defined(OPENCONNECT_GNUTLS) - gnutls_free(vpninfo->dtls_cipher); + gnutls_free(vpninfo->cstp_cipher); #else - free(vpninfo->dtls_cipher); + free(vpninfo->cstp_cipher); #endif free(vpninfo->dtls_addr); @@ -669,4 +669,3 @@ const char *openconnect_get_dtls_cipher(struct openconnect_info *vpninfo) { return vpninfo->dtls_cipher; } - diff --git a/openconnect.h b/openconnect.h index 930a722..7d660df 100644 --- a/openconnect.h +++ b/openconnect.h @@ -29,9 +29,12 @@ #endif #define OPENCONNECT_API_VERSION_MAJOR 4 -#define OPENCONNECT_API_VERSION_MINOR 0 +#define OPENCONNECT_API_VERSION_MINOR 1 /* + * API version 4.1: + * - Add openconnect_get_cstp_cipher(), openconnect_get_dtls_cipher(). + * * API version 4.0: * - Change string handling to never transfer ownership of allocations. * - Add openconnect_set_option_value(), openconnect_free_cert_info(). 
@@ -303,6 +306,12 @@ int openconnect_passphrase_from_fsid(struct openconnect_info *vpninfo); int openconnect_obtain_cookie(struct openconnect_info *vpninfo); void openconnect_init_ssl(void); +/* These are strictly cosmetic. The strings differ for the same cipher + * suite between DTLS and CSTP, and for CSTP they change depending on + * whether OpenSSL or GnuTLS is being used. And even depending on the + * version of GnuTLS. Do *not* attempt to do anything meaningful based + * on matching these strings; if you want to do something like that then + * ask for an API that *does* offer you what you need. */ const char *openconnect_get_cstp_cipher(struct openconnect_info *); const char *openconnect_get_dtls_cipher(struct openconnect_info *); diff --git a/openssl.c b/openssl.c index 58620bf..aecd4b0 100644 --- a/openssl.c +++ b/openssl.c @@ -1594,8 +1594,7 @@ int openconnect_local_cert_md5(struct openconnect_info *vpninfo, return 0; } -const char *openconnect_get_cstp_cipher(struct openconnect_info * vpninfo) +const char *openconnect_get_cstp_cipher(struct openconnect_info *vpninfo) { - /* no idea */ - return NULL; + return SSL_get_cipher_name(vpninfo->https_ssl); }

-- 
dwmw2
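Review bot: in the cstp.c hunk, the new vpn_progress() call hands the result of openconnect_get_cstp_cipher() straight to a %s conversion, but that accessor can return NULL (the openssl.c stub it replaces returned NULL, and the GnuTLS implementation is gated on GNUTLS_VERSION_NUMBER inside its NULL check), and a NULL argument for %s is undefined behaviour in printf-style formatting. Fetch it into a local first and guard it, e.g. `const char *cipher = openconnect_get_cstp_cipher(vpninfo);` then print `cipher ? cipher : "(unknown)"`, or skip the debug message entirely when it is NULL.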
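Review bot: the gnutls.c hunk is only the `*vpninfo` whitespace fix, but the `if (vpninfo->cstp_cipher == NULL)` lazy cache visible there is exactly what makes the rehandshake question in the cover text matter: once populated the string is never recomputed, whereas the OpenSSL version in this series queries the live session on every call. Either invalidate the cache (gnutls_free() it and set it to NULL) wherever the CSTP TLS session is re-established, or drop the cache and query the session each time as the OpenSSL side does, so both backends report the current cipher rather than only the GnuTLS one going stale.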
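Review bot: the libopenconnect.map.in hunk adds the two new symbols to the existing OPENCONNECT_4.0 version node, while the openconnect.h hunk bumps OPENCONNECT_API_VERSION_MINOR to 1. Symbols new in 4.1 belong in their own node that depends on the previous one, e.g. `OPENCONNECT_4.1 { global: openconnect_get_cstp_cipher; openconnect_get_dtls_cipher; } OPENCONNECT_4.0;`, so that a program built against 4.1 records a versioned dependency the dynamic linker rejects up front against a 4.0 library, instead of failing later with an unresolved symbol at first call.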
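Review bot: the first library.c hunk does fix the double free of vpninfo->dtls_cipher, but the allocator split deserves a comment: under OPENCONNECT_GNUTLS cstp_cipher is released with gnutls_free(), so it is expected to be allocated by GnuTLS, whereas the OpenSSL openconnect_get_cstp_cipher() in this series never stores anything in cstp_cipher, so the `free(vpninfo->cstp_cipher)` branch is only ever free(NULL). A one-line comment saying which backend owns that field would stop a future OpenSSL-side cache from being paired with the wrong allocator. The second hunk only removes a trailing blank line at end of file.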
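Review bot: the comment added to openconnect.h says what the strings must not be used for, but callers also need the ownership and lifetime rules. Since API 4.0 is documented in the same header as "never transfer ownership of allocations", state explicitly that the returned pointer is owned by the vpninfo, must not be freed by the caller, is valid only while the session it describes exists, and may be NULL when no cipher is known. The NEW LIBRARY FUNCTION CHECKLIST mentioned in the cover text also calls for the Java binding, which this series does not add yet.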
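Review bot: in the openssl.c hunk, `SSL_get_cipher_name(vpninfo->https_ssl)` dereferences the SSL object unconditionally (it goes through SSL_get_current_cipher(), which reads s->session without a NULL check), so calling the new accessor before the CSTP connection is up, or after the HTTPS session has been torn down, crashes on a NULL https_ssl. Guard it and return NULL in that case, e.g. `return vpninfo->https_ssl ? SSL_get_cipher_name(vpninfo->https_ssl) : NULL;`, which also keeps the "no cipher known" result consistent with what the GnuTLS side can return.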