From 9e9565ea4c2788455b5fa597b0cbe8a6c5974c41 Mon Sep 17 00:00:00 2001
From: "Jean-Marc Pigeon (Delson)"
Date: Sun, 4 May 2025 10:29:40 -0400
Subject: [PATCH] Display cipher in incoming logs

---
 lib/devsoc.c | 25 +++++++++++++++++++++++++
 lib/devsoc.h | 5 ++++-
 lib/lvleml.c | 3 ++-
 lib/unitls.c | 18 ++++++++++++------
 lib/unitls.h | 1 +
 5 files changed, 44 insertions(+), 8 deletions(-)

diff --git a/lib/devsoc.c b/lib/devsoc.c
index 2db032c..17dc3fb 100644
--- a/lib/devsoc.c
+++ b/lib/devsoc.c
@@ -1448,6 +1448,31 @@ return iscrypted;
 */
 /********************************************************/
 /* */
+/* Procedure to get the cipher name used in cypted */
+/* mode. */
+/* */
+/********************************************************/
+PUBLIC const char *soc_get_cipher_name(SOCPTR *socptr)
+
+{
+const char *cipher;
+SOCTYP *soc;
+
+cipher="Unknown";
+soc=(SOCTYP *)socptr;
+if (soc!=(SOCTYP *)0) {
+ const char *ptr;
+
+ if ((ptr=SSL_get_cipher_name(soc->tls->ssl))!=(const char *)0)
+ cipher=ptr;
+ }
+return cipher;
+}
+/*
+^L
+*/
+/********************************************************/
+/* */
 /* Procedure to return the socket mode as a string */
 /* */
 /********************************************************/
diff --git a/lib/devsoc.h b/lib/devsoc.h
index 5090b30..14b202e 100644
--- a/lib/devsoc.h
+++ b/lib/devsoc.h
@@ -81,9 +81,12 @@ extern SOCPTR *soc_release(SOCPTR *socptr);
 //procedure to initiate crypted mode on plain channel
 extern _Bool soc_starttls(SOCPTR *socptr,_Bool server,const char *certs[3]);
 
-//return flag true if socet is in crypted mode
+//return flag true if socket is in crypted mode
 extern _Bool soc_iscrypted(SOCPTR *socptr);
 
+//return the cipher mame used on the crypted link
+extern const char *soc_get_cipher_name(SOCPTR *socptr);
+
 //return line socket mode (cleartext, crypted)
 extern const char *soc_getstrmode(SOCPTR *socptr);
 
diff --git a/lib/lvleml.c b/lib/lvleml.c
index 7837edd..d7a2e07 100644
--- a/lib/lvleml.c
+++ b/lib/lvleml.c
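Review bot: `soc_get_cipher_name` dereferences `soc->tls->ssl` after checking only that `soc` is non-null, so a caller that reaches it on a socket that never completed `soc_starttls` reads through whatever `soc->tls` and `ssl` hold in cleartext mode; if either is a null pointer there (not visible in this hunk) that is a crash, and OpenSSL's `SSL_get_current_cipher` does not itself tolerate a null `SSL`. Gating on the predicate the module already exports keeps the fallback string meaningful: `if (soc!=(SOCTYP *)0 && soc_iscrypted(socptr)) {`. Note also that in current OpenSSL releases `SSL_CIPHER_get_name` returns the literal `"(NONE)"` rather than a null pointer when no cipher has been negotiated, so the `ptr!=(const char *)0` test never selects `"Unknown"` on a live link; the `soc_iscrypted` guard is what actually produces the intended fallback. The box comment reads `cypted` where the rest of the file says `crypted`.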
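Review bot: The comment on the new `soc_get_cipher_name` declaration has a typo (`mame`) and says nothing about ownership or the non-TLS case, which is what a caller of a `const char *` accessor needs from the header; suggest `//return the cipher name negotiated on the crypted link ("Unknown" if none); library-owned string, do not free`. The pointer returned from devsoc.c presumably points into OpenSSL's static cipher table, so it stays valid but must not be freed or written through; confirm that and whether the value is only meaningful after a successful `soc_starttls`.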
@@ -418,7 +418,8 @@ while (proceed==true) {
 case c_starttls : //EHLO start encrypted link in server mode
 switch (soc_starttls(contact->socptr,true,srvr_certs)) {
 case true : //link now in TLS crypted mode
- (void) transmit(contact,"%d Link now encrypted",CMDOK);
+ (void) transmit(contact,"%d Link now encrypted (cipher=<%s>)",
+ CMDOK,soc_get_cipher_name(contact->socptr));
 break;
 case false : //unable to establish link
 (void) transmit(contact,"%d 5.3.3 command starttls not successful",
diff --git a/lib/unitls.c b/lib/unitls.c
index 901b47d..ffe6bfa 100644
--- a/lib/unitls.c
+++ b/lib/unitls.c
@@ -327,7 +327,11 @@ phase=0;
 proceed=true;
 while (proceed==true) {
 switch (phase) {
- case 0 : //get remote certificate
+ case 0 : //do we need to check peer
+ if (tls->checkpeer==false)
+ phase=999; //No need to check certificate
+ break;
+ case 1 : //get remote certificate
 if ((peer=SSL_get_peer_certificate(tls->ssl))==(X509 *)0) {
 char msg[200];
 
@@ -338,7 +342,7 @@ while (proceed==true) {
 phase=999; //no need to go furter
 }
 break;
- case 1 : //displaying certificate
+ case 2 : //displaying certificate
 if (peer!=(X509 *)0) { //always
 char *line;
 
@@ -350,7 +354,11 @@ while (proceed==true) {
 (void) free(line);
 }
 break;
- case 3 : { //verifying certificate
+ case 3 : //everything is fine
+ (void) X509_free(peer);
+ ok=true;
+ break;
+ case 4 : { //verifying certificate
 int verif;
 
 verif=SSL_get_verify_result(tls->ssl);
@@ -364,9 +372,7 @@ while (proceed==true) {
 }
 }
 break;
- case 2 : //everything is fine
- (void) X509_free(peer);
- ok=true;
+ case 5 : //display cipher used
 break;
 default : //SAFE Guard
 proceed=false;
diff --git a/lib/unitls.h b/lib/unitls.h
index 681d107..726626d 100644
--- a/lib/unitls.h
+++ b/lib/unitls.h
@@ -13,6 +13,7 @@ typedef struct {
 _Bool server; //SSL server/client mode
+ _Bool checkpeer;//Check peer certificate
 _Bool goteof; //SSL End Of File
 _Bool tls; //link in TLS (crypted) mode
 BIO *bio; //SSL Basic IO
-- 
2.47.3
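Review bot: The new `case 0` makes certificate retrieval and verification conditional on `tls->checkpeer`, but nothing in this patch ever sets that field to true (the unitls.h hunk only declares it), so if the structure is zero-initialised where it is allocated — outside this diff — peer checking is now silently skipped on every link; the unitls.h hunk shares this defect. Either assign `tls->checkpeer=true;` wherever the structure is created, or invert the flag (e.g. `nocheckpeer`) so that a zeroed structure keeps verification on by default. On that early exit `ok` is never assigned, so the function's result depends on its initial value above the hunk; if a deliberately skipped check is meant to count as success, make it explicit with `ok=true;` beside `phase=999;` rather than relying on the initialiser. The empty `case 5 : //display cipher used` in the last unitls.c hunk adds a silent no-op state; a `//TODO` marker, or leaving the case out until it is implemented, would make the intent clear. The enclosing function starts and ends outside the hunk.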