Make TLS version number available in STATUS command
authorJouni Malinen <j@w1.fi>
Wed, 8 Jul 2015 16:51:03 +0000 (19:51 +0300)
committerJouni Malinen <j@w1.fi>
Wed, 8 Jul 2015 16:51:03 +0000 (19:51 +0300)
This adds a new STATUS command field "eap_tls_version" that shows the
TLS version number that was used during EAP-TLS/TTLS/PEAP/FAST exchange.
For now, this is only supported with OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/crypto/tls.h
src/crypto/tls_gnutls.c
src/crypto/tls_internal.c
src/crypto/tls_none.c
src/crypto/tls_openssl.c
src/eap_peer/eap_tls_common.c

index 26f0e36768e7cd2d8b556e5214bfe2988f87ce9e..dbe9fd1e8cfaf3479888fa0ace48a83fef1e2455 100644 (file)
@@ -466,6 +466,19 @@ int __must_check tls_connection_set_cipher_list(void *tls_ctx,
                                                struct tls_connection *conn,
                                                u8 *ciphers);
 
+/**
+ * tls_get_version - Get the current TLS version number
+ * @tls_ctx: TLS context data from tls_init()
+ * @conn: Connection context data from tls_connection_init()
+ * @buf: Buffer for returning the TLS version number
+ * @buflen: buf size
+ * Returns: 0 on success, -1 on failure
+ *
+ * Get the currently used TLS version number.
+ */
+int __must_check tls_get_version(void *tls_ctx, struct tls_connection *conn,
+                                char *buf, size_t buflen);
+
 /**
  * tls_get_cipher - Get current cipher name
  * @tls_ctx: TLS context data from tls_init()
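Review bot: The new doc comment for tls_get_version does not say what buf holds when -1 is returned; every backend in this commit leaves buf untouched on failure, and the caller in eap_tls_common.c has to compensate with `version[0] = '\0'`. Stating that explicitly, e.g. `* Returns: 0 on success, -1 on failure (buf is left unmodified on failure)`, pins the contract for future backends. It would also be worth noting that the version string is truncated to fit buflen, since the OpenSSL implementation copies it with os_strlcpy.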
index 6ff7194dfcb29edd1a68ed9c0d7d0349f3d61b53..11be4c194e42f28347ceb3b18d519b0d7c52f9cf 100644 (file)
@@ -1426,6 +1426,14 @@ int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
 }
 
 
+int tls_get_version(void *ssl_ctx, struct tls_connection *conn,
+                   char *buf, size_t buflen)
+{
+       /* TODO */
+       return -1;
+}
+
+
 int tls_get_cipher(void *ssl_ctx, struct tls_connection *conn,
                   char *buf, size_t buflen)
 {
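Review bot: The `/* TODO */` stub in tls_gnutls.c returns -1 unconditionally, so GnuTLS builds will always show an empty eap_tls_version; tls_internal.c carries the same stub. GnuTLS already exposes the negotiated protocol through gnutls_protocol_get_version() and gnutls_protocol_get_name(), so this backend could likely be filled in with a few lines rather than left as TODO, assuming conn carries the session handle (not visible in this hunk). The unused ssl_ctx parameter matches the neighbouring tls_get_cipher signature, so that is consistent.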
index 48f27e61868165b5736c967d5a892bfcb4646a7e..9704a14ed25052da134ad53c34f17c6b7c708f48 100644 (file)
@@ -617,6 +617,14 @@ int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
 }
 
 
+int tls_get_version(void *ssl_ctx, struct tls_connection *conn,
+                   char *buf, size_t buflen)
+{
+       /* TODO */
+       return -1;
+}
+
+
 int tls_get_cipher(void *tls_ctx, struct tls_connection *conn,
                   char *buf, size_t buflen)
 {
index bd3da7ed220af78a79f409d365893454c5108fe6..9ca5f1c62da1b8795e7cbdbc1de90f25c49511ae 100644 (file)
@@ -140,6 +140,13 @@ int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
 }
 
 
+int tls_get_version(void *ssl_ctx, struct tls_connection *conn,
+                   char *buf, size_t buflen)
+{
+       return -1;
+}
+
+
 int tls_get_cipher(void *tls_ctx, struct tls_connection *conn,
                   char *buf, size_t buflen)
 {
index fb5af908a292d1439cc359538f82719790a9da25..eff942cacd2cffb3a673dcbc6c9c14b3e83a7bf8 100644 (file)
@@ -3097,6 +3097,22 @@ int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
 }
 
 
+int tls_get_version(void *ssl_ctx, struct tls_connection *conn,
+                   char *buf, size_t buflen)
+{
+       const char *name;
+       if (conn == NULL || conn->ssl == NULL)
+               return -1;
+
+       name = SSL_get_version(conn->ssl);
+       if (name == NULL)
+               return -1;
+
+       os_strlcpy(buf, name, buflen);
+       return 0;
+}
+
+
 int tls_get_cipher(void *ssl_ctx, struct tls_connection *conn,
                   char *buf, size_t buflen)
 {
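Review bot: `os_strlcpy(buf, name, buflen)` silently truncates when the version string does not fit, so a too-small buffer would report a misleading partial version name instead of failing. Since os_strlcpy returns the full length of the source, the copy can be checked: `if (os_strlcpy(buf, name, buflen) >= buflen) return -1;`. With the 20-byte buffer used by the caller this cannot happen for the strings SSL_get_version() returns today, but the check makes the function safe for any buflen.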
index 2b5a048eb63755e3d43d38c499f1831a7e99772d..2a108da67e6481a78f502edc38440bb3568f9dce 100644 (file)
@@ -753,20 +753,24 @@ int eap_peer_tls_reauth_init(struct eap_sm *sm, struct eap_ssl_data *data)
 int eap_peer_tls_status(struct eap_sm *sm, struct eap_ssl_data *data,
                        char *buf, size_t buflen, int verbose)
 {
-       char name[128];
+       char version[20], name[128];
        int len = 0, ret;
 
-       if (tls_get_cipher(data->ssl_ctx, data->conn, name, sizeof(name)) == 0)
-       {
-               ret = os_snprintf(buf + len, buflen - len,
-                                 "EAP TLS cipher=%s\n"
-                                 "tls_session_reused=%d\n",
-                                 name, tls_connection_resumed(data->ssl_ctx,
-                                                              data->conn));
-               if (os_snprintf_error(buflen - len, ret))
-                       return len;
-               len += ret;
-       }
+       if (tls_get_version(data->ssl_ctx, data->conn, version,
+                           sizeof(version)) < 0)
+               version[0] = '\0';
+       if (tls_get_cipher(data->ssl_ctx, data->conn, name, sizeof(name)) < 0)
+               name[0] = '\0';
+
+       ret = os_snprintf(buf + len, buflen - len,
+                         "eap_tls_version=%s\n"
+                         "EAP TLS cipher=%s\n"
+                         "tls_session_reused=%d\n",
+                         version, name,
+                         tls_connection_resumed(data->ssl_ctx, data->conn));
+       if (os_snprintf_error(buflen - len, ret))
+               return len;
+       len += ret;
 
        return len;
 }
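Review bot: Removing the `if (tls_get_cipher(...) == 0)` guard changes the STATUS output when no TLS session information is available: previously nothing was printed, now the three lines are always emitted with empty `eap_tls_version=` and `EAP TLS cipher=` values, and tls_connection_resumed() is now called regardless of whether the cipher lookup succeeded. That is probably intended, but the commit message does not mention it and consumers parsing these lines may notice; a comment above the os_snprintf such as `/* Always emit the fields; empty values mean the TLS library did not provide them */` would make it explicit. The `20` in `char version[20]` is a magic size; a short comment stating it only needs to hold strings like "TLSv1.2" would help the next reader.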