From 3c2988a5030b1e619c1c04fa6111186dc8223e48 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sat, 2 Nov 2019 13:37:59 +0000
Subject: Provide tls_conn_cipher_strength().
This returns the strength in bits of the symmetric cipher used for the connection.
Diff from gilles@
ok tb@
---
 src/lib/libtls/Symbols.list | 1 +
 src/lib/libtls/tls.h | 3 ++-
 src/lib/libtls/tls_conninfo.c | 11 ++++++++++-
 src/lib/libtls/tls_internal.h | 3 ++-
 4 files changed, 15 insertions(+), 3 deletions(-)
(limited to 'src')
diff --git a/src/lib/libtls/Symbols.list b/src/lib/libtls/Symbols.list
index 4064be1b08..e3fcb67fb3 100644
--- a/src/lib/libtls/Symbols.list
+++ b/src/lib/libtls/Symbols.list
@@ -51,6 +51,7 @@ tls_config_verify_client_optional
 tls_configure
 tls_conn_alpn_selected
 tls_conn_cipher
+tls_conn_cipher_strength
 tls_conn_servername
 tls_conn_session_resumed
 tls_conn_version
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index 560809ee19..fee60c7cc8 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.55 2018/11/29 14:24:23 tedu Exp $ */
+/* $OpenBSD: tls.h,v 1.56 2019/11/02 13:37:59 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -190,6 +190,7 @@ const uint8_t *tls_peer_cert_chain_pem(struct tls *_ctx, size_t *_len);
 const char *tls_conn_alpn_selected(struct tls *_ctx);
 const char *tls_conn_cipher(struct tls *_ctx);
+int tls_conn_cipher_strength(struct tls *_ctx);
 const char *tls_conn_servername(struct tls *_ctx);
 int tls_conn_session_resumed(struct tls *_ctx);
 const char *tls_conn_version(struct tls *_ctx);
diff --git a/src/lib/libtls/tls_conninfo.c b/src/lib/libtls/tls_conninfo.c
index 8e479ed84c..d44dc842b6 100644
--- a/src/lib/libtls/tls_conninfo.c
+++ b/src/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_conninfo.c,v 1.20 2018/02/10 04:48:44 jsing Exp $ */
+/* $OpenBSD: tls_conninfo.c,v 1.21 2019/11/02 13:37:59 jsing Exp $ */
 /*
 * Copyright (c) 2015 Joel Sing
 * Copyright (c) 2015 Bob Beck
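Review bot: The new prototype `int tls_conn_cipher_strength(struct tls *_ctx);` in tls.h is added with no statement of its return contract, and the diffstat lists no manual page change under src. Going by the definition added in tls_conninfo.c, 0 is returned when no connection info exists, which a caller cannot tell apart from a suite that reports 0 bits (presumably what SSL_get_cipher_bits() gives for NULL encryption). The value also covers only the symmetric cipher, not the key exchange or the certificate key, so it should not be read as the strength of the whole connection. I would add `/* Symmetric cipher strength in bits; 0 if unavailable. Compare with >= a minimum so that 0 fails closed. */` above the prototype, and the same wording above the definition.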
@@ -246,6 +246,7 @@ tls_conninfo_populate(struct tls *ctx)
 goto err;
 if ((ctx->conninfo->cipher = strdup(tmp)) == NULL)
 goto err;
+ ctx->conninfo->cipher_strength = SSL_get_cipher_bits(ctx->ssl_conn, NULL);
 if (ctx->servername != NULL) {
 if ((ctx->conninfo->servername =
@@ -312,6 +313,14 @@ tls_conn_cipher(struct tls *ctx)
 return (ctx->conninfo->cipher);
 }
+int
+tls_conn_cipher_strength(struct tls *ctx)
+{
+ if (ctx->conninfo == NULL)
+ return (0);
+ return (ctx->conninfo->cipher_strength);
+}
+
 const char *
 tls_conn_servername(struct tls *ctx)
 {
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 3842439d58..efccc9fdbe 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.74 2019/04/01 15:58:02 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.75 2019/11/02 13:37:59 jsing Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas
 * Copyright (c) 2014 Joel Sing
@@ -112,6 +112,7 @@ struct tls_config {
 struct tls_conninfo {
 char *alpn;
 char *cipher;
+ int cipher_strength;
 char *servername;
 int session_resumed;
 char *version;
--
cgit v1.2.3-55-g6feb
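Review bot: In tls_conninfo_populate() (tls_conninfo.c) the result of `SSL_get_cipher_bits(ctx->ssl_conn, NULL)` is stored unchecked, while the neighbouring assignments in the same hunk take `goto err` on failure. If the call yields 0, the connection is later reported by tls_conn_cipher_strength() with strength 0 instead of population failing. Whether that should be an error is a policy choice, since a configuration that permits NULL-encryption suites could legitimately produce 0. The line should at least carry a comment such as `/* 0 means no cipher or NULL encryption; callers must treat it as unknown. */`. Only part of the function is visible in this hunk.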