diff options
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-06-06 10:34:33 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-06-07 12:51:12 +0200 |
| commit | 32670ccac68e68f801fd1007c3e7987c6eff5299 (patch) | |
| tree | 3b5db57aa93471a3d9466a0379a4f04b287d6b4c /lib/session.c | |
| parent | dfa67683ceb4330f72b0e93476b8539e209425f8 (diff) | |
| download | gnutls-32670ccac68e68f801fd1007c3e7987c6eff5299.tar.gz | |
gnutls_session_get_desc: improved ciphersuite description
That is, separated the key exchange from the signature algorithm
used by the server, and list them in different fields.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/session.c')
| -rw-r--r-- | lib/session.c | 47 |
1 files changed, 34 insertions, 13 deletions
diff --git a/lib/session.c b/lib/session.c index 755864d93b..bb2c8e9e4a 100644 --- a/lib/session.c +++ b/lib/session.c @@ -270,13 +270,14 @@ void gnutls_session_force_valid(gnutls_session_t session) char *gnutls_session_get_desc(gnutls_session_t session) { gnutls_kx_algorithm_t kx; - const char *kx_str; + const char *kx_str, *sign_str; unsigned type; - char kx_name[32]; + char kx_name[64]; char proto_name[32]; const char *curve_name = NULL; unsigned dh_bits = 0; unsigned mac_id; + unsigned sign_algo; char *desc; if (session->internals.initial_negotiation_completed == 0) @@ -296,21 +297,41 @@ char *gnutls_session_get_desc(gnutls_session_t session) #endif } + /* Key exchange - Signature algorithm */ + /* DHE-3072 - RSA-PSS-2048 */ + /* ECDHE-SECP256R1 - ECDSA-SECP256R1 */ + + sign_algo = gnutls_sign_algorithm_get(session); + sign_str = gnutls_sign_get_name(sign_algo); + kx_str = gnutls_kx_get_name(kx); if (kx_str) { - if (curve_name != NULL) - snprintf(kx_name, sizeof(kx_name), "%s-%s", - kx_str, curve_name); - else if (dh_bits != 0) - snprintf(kx_name, sizeof(kx_name), "%s-%u", - kx_str, dh_bits); - else - snprintf(kx_name, sizeof(kx_name), "%s", + if (kx == GNUTLS_KX_ECDHE_ECDSA || kx == GNUTLS_KX_ECDHE_RSA || + kx == GNUTLS_KX_ECDHE_PSK) { + if (sign_str) + snprintf(kx_name, sizeof(kx_name), "(ECDHE-%s)-(%s)", + curve_name, sign_str); + else + snprintf(kx_name, sizeof(kx_name), "(ECDHE-%s)", + curve_name); + } else if (kx == GNUTLS_KX_DHE_DSS || kx == GNUTLS_KX_DHE_RSA || + kx == GNUTLS_KX_DHE_PSK) { + if (sign_str) + snprintf(kx_name, sizeof(kx_name), "(DHE-%u)-(%s)", dh_bits, sign_str); + else + snprintf(kx_name, sizeof(kx_name), "(DHE-%u)", dh_bits); + } else if (kx == GNUTLS_KX_RSA) { + /* Possible enhancement: include the certificate bits */ + snprintf(kx_name, sizeof(kx_name), "(RSA)"); + } else { + snprintf(kx_name, sizeof(kx_name), "(%s)", kx_str); + } } else { - strcpy(kx_name, "NULL"); + strcpy(kx_name, "(NULL)"); } + type = gnutls_certificate_type_get(session); if (type == GNUTLS_CRT_X509) snprintf(proto_name, sizeof(proto_name), "%s", @@ -329,13 +350,13 @@ char *gnutls_session_get_desc(gnutls_session_t session) mac_id = gnutls_mac_get(session); if (mac_id == GNUTLS_MAC_AEAD) { /* no need to print */ snprintf(desc, DESC_SIZE, - "(%s)-(%s)-(%s)", + "(%s)-%s-(%s)", proto_name, kx_name, gnutls_cipher_get_name(gnutls_cipher_get(session))); } else { snprintf(desc, DESC_SIZE, - "(%s)-(%s)-(%s)-(%s)", + "(%s)-%s-(%s)-(%s)", proto_name, kx_name, gnutls_cipher_get_name(gnutls_cipher_get(session)), |