authorJouni Malinen <j@w1.fi>2015-07-08 16:51:03 (GMT)
committerJouni Malinen <j@w1.fi>2015-07-08 16:51:03 (GMT)
commitfe1bf32974f5e09a9f07a4d170ac708e2ab0dcfb (patch)
treee0d186dd1b93396c82f0df108fc1aa30c61c46c0
parent5650d379a344482d47cb7b83fc314d5a6adbe5e1 (diff)
Make TLS version number available in STATUS command
This adds a new STATUS command field "eap_tls_version" that shows the TLS version number that was used during EAP-TLS/TTLS/PEAP/FAST exchange. For now, this is only supported with OpenSSL. Signed-off-by: Jouni Malinen <j@w1.fi>
-rw-r--r--src/crypto/tls.h13
-rw-r--r--src/crypto/tls_gnutls.c8
-rw-r--r--src/crypto/tls_internal.c8
-rw-r--r--src/crypto/tls_none.c7
-rw-r--r--src/crypto/tls_openssl.c16
-rw-r--r--src/eap_peer/eap_tls_common.c28
6 files changed, 68 insertions, 12 deletions
diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index 26f0e36..dbe9fd1 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -467,6 +467,19 @@ int __must_check tls_connection_set_cipher_list(void *tls_ctx,
u8 *ciphers);
/**
+ * tls_get_version - Get the current TLS version number
+ * @tls_ctx: TLS context data from tls_init()
+ * @conn: Connection context data from tls_connection_init()
+ * @buf: Buffer for returning the TLS version number
+ * @buflen: buf size
+ * Returns: 0 on success, -1 on failure
+ *
+ * Get the currently used TLS version number.
+ */
+int __must_check tls_get_version(void *tls_ctx, struct tls_connection *conn,
+ char *buf, size_t buflen);
+
+/**
* tls_get_cipher - Get current cipher name
* @tls_ctx: TLS context data from tls_init()
* @conn: Connection context data from tls_connection_init()
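Review bot: The new tls_get_version() comment does not say what state `buf` is in on failure, yet the caller added in eap_tls_common.c has to assume it is untouched and clears `version[0]` itself, and none of the three stub backends write to `buf` before returning -1. Stating the contract in the header keeps future backends honest: `Returns: 0 on success, -1 on failure (buf is not modified on failure)`. It would also help to note that the string is expected to fit in a short buffer (the caller uses 20 bytes) and is truncated to @buflen otherwise.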
diff --git a/src/crypto/tls_gnutls.c b/src/crypto/tls_gnutls.c
index 6ff7194..11be4c1 100644
--- a/src/crypto/tls_gnutls.c
+++ b/src/crypto/tls_gnutls.c
@@ -1426,6 +1426,14 @@ int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
}
+int tls_get_version(void *ssl_ctx, struct tls_connection *conn,
+ char *buf, size_t buflen)
+{
+ /* TODO */
+ return -1;
+}
+
+
int tls_get_cipher(void *ssl_ctx, struct tls_connection *conn,
char *buf, size_t buflen)
{
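Review bot: The GnuTLS stub returns -1 without touching `buf`, which matches the contract the eap_tls_common.c caller relies on, but the TODO could be closed with the existing GnuTLS API rather than left as a gap that makes the new STATUS field silently empty on this backend: `if (conn == NULL || conn->session == NULL) return -1;` followed by `os_strlcpy(buf, gnutls_protocol_get_name(gnutls_protocol_get_version(conn->session)), buflen); return 0;`. The same TODO stub appears in tls_internal.c, where the internal TLS implementation would need to expose its negotiated version first. tls_get_cipher() below starts inside the hunk but its body continues outside it.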
diff --git a/src/crypto/tls_internal.c b/src/crypto/tls_internal.c
index 48f27e6..9704a14 100644
--- a/src/crypto/tls_internal.c
+++ b/src/crypto/tls_internal.c
@@ -617,6 +617,14 @@ int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
}
+int tls_get_version(void *ssl_ctx, struct tls_connection *conn,
+ char *buf, size_t buflen)
+{
+ /* TODO */
+ return -1;
+}
+
+
int tls_get_cipher(void *tls_ctx, struct tls_connection *conn,
char *buf, size_t buflen)
{
diff --git a/src/crypto/tls_none.c b/src/crypto/tls_none.c
index bd3da7e..9ca5f1c 100644
--- a/src/crypto/tls_none.c
+++ b/src/crypto/tls_none.c
@@ -140,6 +140,13 @@ int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
}
+int tls_get_version(void *ssl_ctx, struct tls_connection *conn,
+ char *buf, size_t buflen)
+{
+ return -1;
+}
+
+
int tls_get_cipher(void *tls_ctx, struct tls_connection *conn,
char *buf, size_t buflen)
{
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index fb5af90..eff942c 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -3097,6 +3097,22 @@ int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
}
+int tls_get_version(void *ssl_ctx, struct tls_connection *conn,
+ char *buf, size_t buflen)
+{
+ const char *name;
+ if (conn == NULL || conn->ssl == NULL)
+ return -1;
+
+ name = SSL_get_version(conn->ssl);
+ if (name == NULL)
+ return -1;
+
+ os_strlcpy(buf, name, buflen);
+ return 0;
+}
+
+
int tls_get_cipher(void *ssl_ctx, struct tls_connection *conn,
char *buf, size_t buflen)
{
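Review bot: The `os_strlcpy(buf, name, buflen)` result is discarded, so a version string longer than `buflen` is silently truncated and the function still reports success; the caller passes a 20-byte buffer, which is enough for the strings OpenSSL produces today but the truncation should be detectable rather than assumed away: `if (os_strlcpy(buf, name, buflen) >= buflen) return -1;`. Note also that SSL_get_version() in OpenSSL returns the literal "unknown" rather than NULL for an unrecognised protocol, so the `name == NULL` check is effectively dead and "unknown" can reach STATUS output as a version value; if that is not wanted, compare against "unknown" explicitly. tls_get_cipher() below starts inside the hunk but its body continues outside it.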
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index 2b5a048..2a108da 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -753,20 +753,24 @@ int eap_peer_tls_reauth_init(struct eap_sm *sm, struct eap_ssl_data *data)
int eap_peer_tls_status(struct eap_sm *sm, struct eap_ssl_data *data,
char *buf, size_t buflen, int verbose)
{
- char name[128];
+ char version[20], name[128];
int len = 0, ret;
- if (tls_get_cipher(data->ssl_ctx, data->conn, name, sizeof(name)) == 0)
- {
- ret = os_snprintf(buf + len, buflen - len,
- "EAP TLS cipher=%s\n"
- "tls_session_reused=%d\n",
- name, tls_connection_resumed(data->ssl_ctx,
- data->conn));
- if (os_snprintf_error(buflen - len, ret))
- return len;
- len += ret;
- }
+ if (tls_get_version(data->ssl_ctx, data->conn, version,
+ sizeof(version)) < 0)
+ version[0] = '\0';
+ if (tls_get_cipher(data->ssl_ctx, data->conn, name, sizeof(name)) < 0)
+ name[0] = '\0';
+
+ ret = os_snprintf(buf + len, buflen - len,
+ "eap_tls_version=%s\n"
+ "EAP TLS cipher=%s\n"
+ "tls_session_reused=%d\n",
+ version, name,
+ tls_connection_resumed(data->ssl_ctx, data->conn));
+ if (os_snprintf_error(buflen - len, ret))
+ return len;
+ len += ret;
return len;
}
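Review bot: The rewritten eap_peer_tls_status() changes the existing STATUS output, not only adds to it: before this hunk the "EAP TLS cipher=" and "tls_session_reused=" lines were emitted only when tls_get_cipher() succeeded, whereas now all three lines are printed unconditionally, with empty values when no TLS session is established, and tls_connection_resumed() is called even in that case. Tools that parse STATUS by key presence (or expected these keys to be absent before a handshake) will see a different result, and the commit message does not mention this. If the change is intentional it deserves a sentence in the description; otherwise keep the old guard, e.g. `if (version[0] == '\0' && name[0] == '\0') return len;` before the os_snprintf() call. The `version[20]` size is an implicit assumption about the backend's longest version string and would be clearer as a named constant shared with the tls_get_version() documentation.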