diff --git a/common/ssl_calls.c b/common/ssl_calls.c
index 102c6e39..16fc55ed 100644
--- a/common/ssl_calls.c
+++ b/common/ssl_calls.c
@@ -891,3 +891,17 @@ ssl_tls_can_recv(struct ssl_tls *tls, int sck, int millis)
     return g_sck_can_recv(sck, millis);
 }
+
+/*****************************************************************************/
+const char *
+ssl_get_version(const struct ssl_st *ssl)
+{
+    return SSL_get_version(ssl);
+}
+
+/*****************************************************************************/
+const char *
+ssl_get_cipher_name(const struct ssl_st *ssl)
+{
+    return SSL_get_cipher_name(ssl);
+}
diff --git a/common/ssl_calls.h b/common/ssl_calls.h
index 1277505c..38eaeec2 100644
--- a/common/ssl_calls.h
+++ b/common/ssl_calls.h
@@ -109,4 +109,7 @@ ssl_tls_write(struct ssl_tls *tls, const char *data, int length);
 int APP_CC
 ssl_tls_can_recv(struct ssl_tls *tls, int sck, int millis);
+const char *ssl_get_version(const struct ssl_st *ssl);
+const char *ssl_get_cipher_name(const struct ssl_st *ssl);
+
 #endif
diff --git a/common/trans.c b/common/trans.c
index 432b6334..4beaa56e 100644
--- a/common/trans.c
+++ b/common/trans.c
@@ -902,6 +902,9 @@ trans_set_tls_mode(struct trans *self, const char *key, const char *cert,
     self->trans_send = trans_tls_send;
     self->trans_can_recv = trans_tls_can_recv;
+    self->ssl_protocol = ssl_get_version(self->tls->ssl);
+    self->cipher_name = ssl_get_cipher_name(self->tls->ssl);
+
     return 0;
 }
diff --git a/common/trans.h b/common/trans.h
index 53f3203a..26d93dc2 100644
--- a/common/trans.h
+++ b/common/trans.h
@@ -79,6 +79,8 @@ struct trans
     int no_stream_init_on_data_in;
     int extra_flags; /* user defined */
     struct ssl_tls *tls;
+    const char *ssl_protocol; /* e.g. TLSv1, TLSv1.1, TLSv1.2, unknown */
+    const char *cipher_name; /* e.g. AES256-GCM-SHA384 */
     trans_recv_proc trans_recv;
     trans_send_proc trans_send;
     trans_can_recv_proc trans_can_recv;
diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c
index 914b6277..ca82df70 100644
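Review bot: The two new wrappers ssl_get_version and ssl_get_cipher_name omit the APP_CC calling-convention macro that the surrounding functions carry (the same hunk's context shows `int APP_CC ssl_tls_can_recv(...)`, and the ssl_calls.h hunk repeats the omission in the prototypes), so their declaration style diverges from the rest of the module; write the definitions as `const char *APP_CC` on the return-type line and the prototypes as `const char *APP_CC ssl_get_version(const struct ssl_st *ssl);` and `const char *APP_CC ssl_get_cipher_name(const struct ssl_st *ssl);`. Both wrappers also lack a header comment; suggest above ssl_get_version `/* Protocol name OpenSSL reports for this session; static string, not owned by the caller */` and above ssl_get_cipher_name a matching comment that additionally notes the name is only meaningful once the handshake has completed (OpenSSL returns a placeholder such as "(NONE)" before that). Neither wrapper checks for a NULL ssl, so the comment should state that callers pass an accepted session only.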
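Review bot: The two assignments at the end of trans_set_tls_mode capture the protocol and cipher exactly once, and the part of trans_set_tls_mode that performs the TLS accept is outside this hunk, so it cannot be confirmed here that the handshake has completed by the time `return 0` is reached; if it has not, ssl_protocol and cipher_name will hold pre-handshake placeholders rather than the negotiated values, and they are never refreshed afterwards (for example on renegotiation). A one-line comment would make the contract explicit: `/* snapshot of the negotiated session; valid only after the handshake above succeeded */`. Nothing in the diff resets these two fields when the TLS state is torn down, so code that inspects them after that point should rely on tls being non-NULL rather than on these strings.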
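Review bot: The comments on the new `ssl_protocol` and `cipher_name` members give example values but say nothing about ownership or lifetime, which is what a reader of struct trans needs: both pointers alias strings returned by OpenSSL (via ssl_get_version/ssl_get_cipher_name in the trans.c hunk) and must never be freed by trans code, and they are only assigned inside trans_set_tls_mode, so for a non-TLS transport they stay at whatever trans_create initialised them to — presumably NULL if the struct is zero-filled there, which this diff does not show. Suggest `const char *ssl_protocol; /* e.g. TLSv1, TLSv1.1, TLSv1.2, unknown; borrowed from OpenSSL, never freed; NULL until TLS mode is set */` and the same ownership note on `cipher_name`.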
--- a/libxrdp/xrdp_rdp.c
+++ b/libxrdp/xrdp_rdp.c
@@ -816,6 +816,9 @@ xrdp_rdp_send_data_update_sync(struct xrdp_rdp *self)
 int APP_CC
 xrdp_rdp_incoming(struct xrdp_rdp *self)
 {
+    struct xrdp_iso *iso;
+    iso = self->sec_layer->mcs_layer->iso_layer;
+
     DEBUG(("in xrdp_rdp_incoming"));
     if (xrdp_sec_incoming(self->sec_layer) != 0)
@@ -825,12 +828,32 @@ xrdp_rdp_incoming(struct xrdp_rdp *self)
     self->mcs_channel = self->sec_layer->mcs_layer->userid + MCS_USERCHANNEL_BASE;
     DEBUG(("out xrdp_rdp_incoming mcs channel %d", self->mcs_channel));
-    g_strncpy(self->client_info.client_addr,
-              self->sec_layer->mcs_layer->iso_layer->trans->addr,
+    g_strncpy(self->client_info.client_addr, iso->trans->addr,
               sizeof(self->client_info.client_addr) - 1);
-    g_strncpy(self->client_info.client_port,
-              self->sec_layer->mcs_layer->iso_layer->trans->port,
+    g_strncpy(self->client_info.client_port, iso->trans->port,
               sizeof(self->client_info.client_port) - 1);
+
+    /* log TLS version and cipher when TLS is used */
+    /* TODO: client_addr, client_port is empty when IPv6 enabled */
+
+    if (iso->selectedProtocol > PROTOCOL_RDP)
+    {
+        log_message(LOG_LEVEL_INFO,
+                    "TLS connection established from %s port %s: %s with cipher %s",
+                    self->client_info.client_addr,
+                    self->client_info.client_port,
+                    iso->trans->ssl_protocol,
+                    iso->trans->cipher_name);
+    }
+    else
+    {
+        log_message(LOG_LEVEL_INFO,
+                    "Non-TLS connection established from %s port %s: "
+                    "encrypted with standard RDP security",
+                    self->client_info.client_addr,
+                    self->client_info.client_port);
+    }
+
     return 0;
 }
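Review bot: In the TLS branch of the new log_message call, `iso->trans->ssl_protocol` and `iso->trans->cipher_name` are handed to `%s` unconditionally, yet they are only assigned in trans_set_tls_mode; if `iso->selectedProtocol > PROTOCOL_RDP` can ever be true for a transport that was not switched to TLS mode (not decidable from this hunk), a NULL reaches the formatter, which is undefined behaviour for the printf family — assuming log_message formats that way — even though glibc happens to print "(null)". Guarding the two arguments keeps the line safe and still informative: `iso->trans->ssl_protocol != NULL ? iso->trans->ssl_protocol : "unknown",` and `iso->trans->cipher_name != NULL ? iso->trans->cipher_name : "unknown");`. The comment above the block could also state why the line is worth having, since this is the one place an operator can see what was actually negotiated: `/* log the negotiated TLS version and cipher so old protocol versions or unexpected suites show up in the logs */`. The middle of xrdp_rdp_incoming, between the two hunks, is outside view.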