4 files changed, 15 insertions, 3 deletions

diff --git a/src/lib/libtls/Symbols.list b/src/lib/libtls/Symbols.list
index 4064be1b08..e3fcb67fb3 100644
--- a/src/lib/libtls/Symbols.list
+++ b/src/lib/libtls/Symbols.list
@@ -51,6 +51,7 @@ tls_config_verify_client_optional
 tls_configure
 tls_conn_alpn_selected
 tls_conn_cipher
+tls_conn_cipher_strength
 tls_conn_servername
 tls_conn_session_resumed
 tls_conn_version
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index 560809ee19..fee60c7cc8 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.55 2018/11/29 14:24:23 tedu Exp $ */
+/* $OpenBSD: tls.h,v 1.56 2019/11/02 13:37:59 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -190,6 +190,7 @@ const uint8_t *tls_peer_cert_chain_pem(struct tls *_ctx, size_t *_len);
 
 const char *tls_conn_alpn_selected(struct tls *_ctx);
 const char *tls_conn_cipher(struct tls *_ctx);
+int tls_conn_cipher_strength(struct tls *_ctx);
 const char *tls_conn_servername(struct tls *_ctx);
 int tls_conn_session_resumed(struct tls *_ctx);
 const char *tls_conn_version(struct tls *_ctx);
diff --git a/src/lib/libtls/tls_conninfo.c b/src/lib/libtls/tls_conninfo.c
index 8e479ed84c..d44dc842b6 100644
--- a/src/lib/libtls/tls_conninfo.c
+++ b/src/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_conninfo.c,v 1.20 2018/02/10 04:48:44 jsing Exp $ */
+/* $OpenBSD: tls_conninfo.c,v 1.21 2019/11/02 13:37:59 jsing Exp $ */
 /*
  * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -246,6 +246,7 @@ tls_conninfo_populate(struct tls *ctx)
                 goto err;
         if ((ctx->conninfo->cipher = strdup(tmp)) == NULL)
                 goto err;
+        ctx->conninfo->cipher_strength = SSL_get_cipher_bits(ctx->ssl_conn, NULL);
 
         if (ctx->servername != NULL) {
                 if ((ctx->conninfo->servername =
@@ -312,6 +313,14 @@ tls_conn_cipher(struct tls *ctx)
         return (ctx->conninfo->cipher);
 }
 
+int
+tls_conn_cipher_strength(struct tls *ctx)
+{
+        if (ctx->conninfo == NULL)
+                return (0);
+        return (ctx->conninfo->cipher_strength);
+}
+
 const char *
 tls_conn_servername(struct tls *ctx)
 {
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 3842439d58..efccc9fdbe 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.74 2019/04/01 15:58:02 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.75 2019/11/02 13:37:59 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -112,6 +112,7 @@ struct tls_config {
 struct tls_conninfo {
         char *alpn;
         char *cipher;
+        int cipher_strength;
         char *servername;
         int session_resumed;
         char *version;