From 40e8194122ea914be0679b8c21f2d4aa30b47b96 Mon Sep 17 00:00:00 2001
From: Koichiro IWAO
Date: Fri, 9 Sep 2016 15:42:04 +0900
Subject: [PATCH] TLS: log TLS version and cipher

---
 common/ssl_calls.c | 14 ++++++++++++++
 common/ssl_calls.h | 3 +++
 common/trans.c | 3 +++
 common/trans.h | 2 ++
 libxrdp/xrdp_rdp.c | 21 +++++++++++++++++----
 5 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/common/ssl_calls.c b/common/ssl_calls.c
index 72ab5eb7..f20ea76c 100644
--- a/common/ssl_calls.c
+++ b/common/ssl_calls.c
@@ -891,3 +891,17 @@ ssl_tls_can_recv(struct ssl_tls *tls, int sck, int millis)
 
     return g_sck_can_recv(sck, millis);
 }
+
+/*****************************************************************************/
+const char*
+ssl_get_version(const struct ssl_st *ssl)
+{
+    return SSL_get_version(ssl);
+}
+
+/*****************************************************************************/
+const char*
+ssl_get_cipher_name(const struct ssl_st *ssl)
+{
+    return SSL_get_cipher_name(ssl);
+}
diff --git a/common/ssl_calls.h b/common/ssl_calls.h
index 1277505c..38eaeec2 100644
--- a/common/ssl_calls.h
+++ b/common/ssl_calls.h
@@ -109,4 +109,7 @@ ssl_tls_write(struct ssl_tls *tls, const char *data, int length);
 int APP_CC
 ssl_tls_can_recv(struct ssl_tls *tls, int sck, int millis);
 
+const char *ssl_get_version(const struct ssl_st *ssl);
+const char *ssl_get_cipher_name(const struct ssl_st *ssl);
+
 #endif
diff --git a/common/trans.c b/common/trans.c
index 432b6334..4beaa56e 100644
--- a/common/trans.c
+++ b/common/trans.c
@@ -902,6 +902,9 @@ trans_set_tls_mode(struct trans *self, const char *key, const char *cert,
     self->trans_send = trans_tls_send;
     self->trans_can_recv = trans_tls_can_recv;
 
+    self->ssl_protocol = ssl_get_version(self->tls->ssl);
+    self->cipher_name = ssl_get_cipher_name(self->tls->ssl);
+
     return 0;
 }
 
diff --git a/common/trans.h b/common/trans.h
index 39fba5c0..73c6d591 100644
--- a/common/trans.h
+++ b/common/trans.h
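Review bot: The two new definitions in ssl_calls.c drop the `APP_CC` calling-convention macro that the neighbouring exported function in this hunk (`int APP_CC ssl_tls_can_recv`) and the header carry, and they bind the star to the type (`const char*`) where the rest of the file writes `const char *`; the prototypes added in the ssl_calls.h hunk have the same inconsistency. Suggested form for both: `const char *APP_CC` / `ssl_get_version(const struct ssl_st *ssl)`. Since these are thin wrappers whose contract is inherited from OpenSSL, a header comment would help callers: the returned strings are owned by OpenSSL and must not be freed, `SSL_get_version()` returns a literal such as `"unknown"` for an unrecognised version, and `SSL_get_cipher_name()` reports `"(NONE)"` when no cipher has been negotiated yet.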
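Review bot: The prototypes name `struct ssl_st` in their parameter lists; if that tag is not already declared at file scope in ssl_calls.h (for instance as the type of a `struct ssl_tls` member), each prototype declares a fresh prototype-scope struct and GCC warns that it "will not be visible outside of this definition or declaration", so a translation unit that includes only this header gets an incompatible type. Adding `struct ssl_st;` above the two declarations makes the header self-contained either way. Whether the tag is already visible cannot be determined from this hunk.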
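Review bot: `self->ssl_protocol` and `self->cipher_name` only describe the negotiated session if the TLS handshake (`ssl_tls_accept` or equivalent) has already completed at this point in `trans_set_tls_mode`; the start of the function is outside the hunk, so this cannot be confirmed here. If they are captured earlier, `SSL_get_version()` reports the method's version rather than the negotiated one and the cipher name is `"(NONE)"`, which would make the later audit log line misleading. A comment pinning the precondition is worth adding: `/* negotiated values; valid only once the handshake has completed */`. Note also that these pointers are left unset on the non-TLS code path, so readers elsewhere must check for NULL or gate on TLS having been enabled.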
@@ -79,6 +79,8 @@ struct trans
     int no_stream_init_on_data_in;
     int extra_flags; /* user defined */
     struct ssl_tls *tls;
+    const char *ssl_protocol; /* e.g. TLSv1, TLSv1.1, TLSv1.2, unknown */
+    const char *cipher_name; /* e.g. AES256-GCM-SHA384 */
     trans_recv_proc trans_recv;
     trans_send_proc trans_send;
     trans_can_recv_proc trans_can_recv;
diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c
index 6aff5830..a66b6d0d 100644
--- a/libxrdp/xrdp_rdp.c
+++ b/libxrdp/xrdp_rdp.c
@@ -811,6 +811,9 @@ xrdp_rdp_send_data_update_sync(struct xrdp_rdp *self)
 int APP_CC
 xrdp_rdp_incoming(struct xrdp_rdp *self)
 {
+    struct xrdp_iso *iso;
+    iso = self->sec_layer->mcs_layer->iso_layer;
+
     DEBUG(("in xrdp_rdp_incoming"));
 
     if (xrdp_sec_incoming(self->sec_layer) != 0)
@@ -820,12 +823,22 @@ xrdp_rdp_incoming(struct xrdp_rdp *self)
     self->mcs_channel = self->sec_layer->mcs_layer->userid +
                         MCS_USERCHANNEL_BASE;
     DEBUG(("out xrdp_rdp_incoming mcs channel %d", self->mcs_channel));
-    g_strncpy(self->client_info.client_addr,
-              self->sec_layer->mcs_layer->iso_layer->trans->addr,
+    g_strncpy(self->client_info.client_addr, iso->trans->addr,
               sizeof(self->client_info.client_addr) - 1);
-    g_strncpy(self->client_info.client_port,
-              self->sec_layer->mcs_layer->iso_layer->trans->port,
+    g_strncpy(self->client_info.client_port, iso->trans->port,
               sizeof(self->client_info.client_port) - 1);
+
+    /* log TLS version and cipher when TLS is used */
+    /* TODO: client_addr, client_port is empty when IPv6 enabled */
+    if (iso->selectedProtocol > PROTOCOL_RDP)
+    {
+        log_message(LOG_LEVEL_INFO,
+                    "TLS connection established from %s: %s with cipher %s",
+                    self->client_info.client_addr,
+                    iso->trans->ssl_protocol,
+                    iso->trans->cipher_name);
+    }
+
     return 0;
 }
 
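Review bot: The comments on the two new `struct trans` members give example values but not their lifecycle, which is the part a reader of this header needs: they are assigned only by `trans_set_tls_mode()` and are never populated for a plain-RDP transport, so whether they read as NULL or as garbage there depends on the allocator zero-initialising the struct (not visible here). Suggested wording: `const char *ssl_protocol; /* set by trans_set_tls_mode(); NULL/unset on non-TLS transports. e.g. TLSv1.2, unknown */` and the matching sentence on `cipher_name`. Stating that the strings are OpenSSL-owned and must not be freed would also prevent a future cleanup from `g_free()`-ing them.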
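Review bot: The new local is declared and then assigned on a separate line; if this file already mixes declarations with initialisers, `struct xrdp_iso *iso = self->sec_layer->mcs_layer->iso_layer;` reads more directly and cannot be used uninitialised. The pointer chain is now dereferenced on function entry, before `xrdp_sec_incoming()` runs; the removed lines in the second xrdp_rdp.c hunk dereferenced the same chain after it, so this is only safe if the ISO layer is created at construction time rather than during `xrdp_sec_incoming()`, which cannot be confirmed from the hunk. The body of `xrdp_rdp_incoming` continues outside this hunk.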
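Review bot: The `log_message` call hands `iso->trans->ssl_protocol` and `iso->trans->cipher_name` to `%s` with no NULL check, yet both pointers are assigned only in `trans_set_tls_mode()` (trans.c hunk); if `selectedProtocol > PROTOCOL_RDP` can be reached when TLS mode was not set, or the `struct trans` was not zero-initialised, this is a NULL or wild-pointer dereference inside the logger. Defensive substitution keeps the audit line useful in that case: `iso->trans->ssl_protocol ? iso->trans->ssl_protocol : "unknown",` and `iso->trans->cipher_name ? iso->trans->cipher_name : "unknown");`. The condition also admits the hybrid (CredSSP) protocol values, which presumably run over TLS as well, so the message text is still accurate for them, but a short comment saying so would save the next reader from checking. The TODO already records that `client_addr` is empty under IPv6, which weakens this line as a correlation record until that is fixed.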