From d146da4a073136567fc486289ed63de7523961e7 Mon Sep 17 00:00:00 2001 From: Bram Matthys Date: Thu, 24 Jul 2025 15:27:18 +0200 Subject: [PATCH] Change the cipherinfo, such as in [secure: TLSv1.3...] and in WHOIS. Previously this was like: TLSv1.3-TLS_CHACHA20_POLY1305_SHA256 It is now changed to be like: TLSv1.3/X25519/TLS_CHACHA20_POLY1305_SHA256 So: * Changed from '-' to '/' because sometimes the cipher(suite) contains a hyphen (TLSv1.2 and earlier) * Show the key exchange "group" in the middle, such as X25519 for the usual non-PQC case and X25519MLKEM768 for hybrid group with PQC. * The group is shown in OpenSSL 3.0.0+ (and obviously you need OpenSSL 3.5.0 to ever see X25519MLKEM768 there, but that is something different) --- autoconf/m4/unreal.m4 | 20 ++++++++++++++++++ configure | 48 +++++++++++++++++++++++++++++++++++++++++++ configure.ac | 1 + include/setup.h.in | 3 +++ src/tls.c | 18 ++++++++++++++-- 5 files changed, 88 insertions(+), 2 deletions(-) diff --git a/autoconf/m4/unreal.m4 b/autoconf/m4/unreal.m4 index f77a28853..d1f6bce30 100644 --- a/autoconf/m4/unreal.m4 +++ b/autoconf/m4/unreal.m4 @@ -261,6 +261,26 @@ else fi ]) +AC_DEFUN([CHECK_SSL_GET_NEGOTIATED_GROUP], +[ +AC_MSG_CHECKING([for SSL_get_negotiated_group in SSL library]) +AC_LANG_PUSH(C) +SAVE_LIBS="$LIBS" +LIBS="$LIBS $CRYPTOLIB" +AC_TRY_LINK([#include ], + [SSL *ssl = NULL; SSL_get_negotiated_group(ssl);], + has_function=1, + has_function=0) +LIBS="$SAVE_LIBS" +AC_LANG_POP(C) +if test $has_function = 1; then + AC_MSG_RESULT([yes]) + AC_DEFINE([HAS_SSL_GET_NEGOTIATED_GROUP], [], [Define if ssl library has SSL_get_negotiated_group]) +else + AC_MSG_RESULT([no]) +fi +]) + AC_DEFUN([CHECK_SSL_CTX_SET_MIN_PROTO_VERSION], [ AC_MSG_CHECKING([for SSL_CTX_set_min_proto_version in SSL library]) diff --git a/configure b/configure index f3d4228d4..53fe6c59c 100755 --- a/configure +++ b/configure @@ -7466,6 +7466,54 @@ printf "%s\n" "no" >&6; } fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for SSL_get_negotiated_group in SSL library" >&5 +printf %s "checking for SSL_get_negotiated_group in SSL library... " >&6; } +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + +SAVE_LIBS="$LIBS" +LIBS="$LIBS $CRYPTOLIB" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main (void) +{ +SSL *ssl = NULL; SSL_get_negotiated_group(ssl); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO" +then : + has_function=1 +else $as_nop + has_function=0 +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam \ + conftest$ac_exeext conftest.$ac_ext +LIBS="$SAVE_LIBS" +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + +if test $has_function = 1; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +printf "%s\n" "yes" >&6; } + +printf "%s\n" "#define HAS_SSL_GET_NEGOTIATED_GROUP /**/" >>confdefs.h + +else + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 +printf "%s\n" "no" >&6; } +fi + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_min_proto_version in SSL library" >&5 printf %s "checking for SSL_CTX_set_min_proto_version in SSL library... " >&6; } ac_ext=c diff --git a/configure.ac b/configure.ac index 399e0453d..40c2aac2f 100644 --- a/configure.ac +++ b/configure.ac @@ -575,6 +575,7 @@ AC_ARG_WITH(system-jansson, [AS_HELP_STRING([--without-system-jansson], [Use bun CHECK_SSL CHECK_SSL_CTX_SET1_CURVES_LIST CHECK_SSL_CTX_SET1_GROUPS_LIST +CHECK_SSL_GET_NEGOTIATED_GROUP CHECK_SSL_CTX_SET_MIN_PROTO_VERSION CHECK_SSL_CTX_SET_SECURITY_LEVEL CHECK_ASN1_TIME_diff diff --git a/include/setup.h.in b/include/setup.h.in index 737e63cbc..67f74ddb9 100644 --- a/include/setup.h.in +++ b/include/setup.h.in @@ -46,6 +46,9 @@ /* Define if ssl library has SSL_CTX_set_security_level */ #undef HAS_SSL_CTX_SET_SECURITY_LEVEL +/* Define if ssl library has SSL_get_negotiated_group */ +#undef HAS_SSL_GET_NEGOTIATED_GROUP + /* Define if ssl library has X509_check_host */ #undef HAS_X509_check_host diff --git a/src/tls.c b/src/tls.c index c59232c1f..7f00d4c56 100644 --- a/src/tls.c +++ b/src/tls.c @@ -742,7 +742,8 @@ void SSL_set_nonblocking(SSL *s) const char *tls_get_cipher(Client *client) { static char buf[256]; - const char *cached; + const char *cached, *s; + int group; cached = moddata_client_get(client, "tls_cipher"); if (cached) @@ -753,7 +754,20 @@ const char *tls_get_cipher(Client *client) buf[0] = '\0'; strlcpy(buf, SSL_get_version(client->local->ssl), sizeof(buf)); - strlcat(buf, "-", sizeof(buf)); +#ifdef HAS_SSL_GET_NEGOTIATED_GROUP + group = SSL_get_negotiated_group(client->local->ssl); + s = SSL_group_to_name(client->local->ssl, group); + if (s) + { + /* "x25519" -> "X25519" */ + char gbuf[64]; + strlcat(buf, "/", sizeof(buf)); + *gbuf = '\0'; + strtoupper_safe(gbuf, s, sizeof(gbuf)); + strlcat(buf, gbuf, sizeof(buf)); + } +#endif + strlcat(buf, "/", sizeof(buf)); strlcat(buf, SSL_get_cipher(client->local->ssl), sizeof(buf)); return buf;