Merge pull request #426 from metalefty/log-tls-version-and-cipher

TLS: log TLS version and cipher
This commit is contained in:
Idan Freiberg 2017-01-16 07:26:51 +02:00 committed by GitHub
commit 19375dda7a
5 changed files with 49 additions and 4 deletions


@ -891,3 +891,17 @@ ssl_tls_can_recv(struct ssl_tls *tls, int sck, int millis)
return g_sck_can_recv(sck, millis); return g_sck_can_recv(sck, millis);
} }
/*****************************************************************************/
const char *
ssl_get_version(const struct ssl_st *ssl)
{
return SSL_get_version(ssl);
}
/*****************************************************************************/
const char *
ssl_get_cipher_name(const struct ssl_st *ssl)
{
return SSL_get_cipher_name(ssl);
}
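Review bot: Neither wrapper documents that the returned string is not owned by the caller: `SSL_get_version` and `SSL_get_cipher_name` return pointers to OpenSSL's static strings (or the literals "unknown" / "(NONE)" when nothing has been negotiated yet), so callers must neither free them nor expect them to change after the handshake. A comment such as `/* Returns a static string owned by OpenSSL; never free it. "unknown" or "(NONE)" until a handshake has completed. */` above both definitions, and on the matching prototypes in the header hunk that follows, would make storing these pointers in struct trans safe by contract rather than by accident. Neither wrapper checks `ssl` for NULL and both OpenSSL calls dereference it; whether a NULL can reach them from trans_set_tls_mode is not visible in this commit, so either state the non-NULL precondition in the comment or return "unknown" on NULL.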


@ -109,4 +109,7 @@ ssl_tls_write(struct ssl_tls *tls, const char *data, int length);
int APP_CC int APP_CC
ssl_tls_can_recv(struct ssl_tls *tls, int sck, int millis); ssl_tls_can_recv(struct ssl_tls *tls, int sck, int millis);
const char *ssl_get_version(const struct ssl_st *ssl);
const char *ssl_get_cipher_name(const struct ssl_st *ssl);
#endif #endif


@ -902,6 +902,9 @@ trans_set_tls_mode(struct trans *self, const char *key, const char *cert,
self->trans_send = trans_tls_send; self->trans_send = trans_tls_send;
self->trans_can_recv = trans_tls_can_recv; self->trans_can_recv = trans_tls_can_recv;
self->ssl_protocol = ssl_get_version(self->tls->ssl);
self->cipher_name = ssl_get_cipher_name(self->tls->ssl);
return 0; return 0;
} }
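Review bot: trans_set_tls_mode now keeps two raw `const char *` in struct trans that point into OpenSSL-owned memory; today both calls return static strings, so the pointers remain valid after `self->tls` is torn down, but nothing here or in the struct trans hunk records that, and a reader replacing or freeing `self->tls` has no way to know whether `ssl_protocol` and `cipher_name` may still be used. Add a comment next to the two assignments, e.g. `/* static strings owned by OpenSSL: still valid after self->tls is freed, never freed here */`, and the same note on the two fields in the trans.h section. The start of trans_set_tls_mode, including the handshake these values depend on, is outside the hunk, so that negotiation has completed at this point is inferred rather than visible.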


@ -79,6 +79,8 @@ struct trans
int no_stream_init_on_data_in; int no_stream_init_on_data_in;
int extra_flags; /* user defined */ int extra_flags; /* user defined */
struct ssl_tls *tls; struct ssl_tls *tls;
const char *ssl_protocol; /* e.g. TLSv1, TLSv1.1, TLSv1.2, unknown */
const char *cipher_name; /* e.g. AES256-GCM-SHA384 */
trans_recv_proc trans_recv; trans_recv_proc trans_recv;
trans_send_proc trans_send; trans_send_proc trans_send;
trans_can_recv_proc trans_can_recv; trans_can_recv_proc trans_can_recv;


@ -816,6 +816,9 @@ xrdp_rdp_send_data_update_sync(struct xrdp_rdp *self)
int APP_CC int APP_CC
xrdp_rdp_incoming(struct xrdp_rdp *self) xrdp_rdp_incoming(struct xrdp_rdp *self)
{ {
struct xrdp_iso *iso;
iso = self->sec_layer->mcs_layer->iso_layer;
DEBUG(("in xrdp_rdp_incoming")); DEBUG(("in xrdp_rdp_incoming"));
if (xrdp_sec_incoming(self->sec_layer) != 0) if (xrdp_sec_incoming(self->sec_layer) != 0)
@ -825,12 +828,32 @@ xrdp_rdp_incoming(struct xrdp_rdp *self)
self->mcs_channel = self->sec_layer->mcs_layer->userid + self->mcs_channel = self->sec_layer->mcs_layer->userid +
MCS_USERCHANNEL_BASE; MCS_USERCHANNEL_BASE;
DEBUG(("out xrdp_rdp_incoming mcs channel %d", self->mcs_channel)); DEBUG(("out xrdp_rdp_incoming mcs channel %d", self->mcs_channel));
g_strncpy(self->client_info.client_addr, g_strncpy(self->client_info.client_addr, iso->trans->addr,
self->sec_layer->mcs_layer->iso_layer->trans->addr,
sizeof(self->client_info.client_addr) - 1); sizeof(self->client_info.client_addr) - 1);
g_strncpy(self->client_info.client_port, g_strncpy(self->client_info.client_port, iso->trans->port,
self->sec_layer->mcs_layer->iso_layer->trans->port,
sizeof(self->client_info.client_port) - 1); sizeof(self->client_info.client_port) - 1);
/* log TLS version and cipher when TLS is used */
/* TODO: client_addr, client_port is empty when IPv6 enabled */
if (iso->selectedProtocol > PROTOCOL_RDP)
{
log_message(LOG_LEVEL_INFO,
"TLS connection established from %s port %s: %s with cipher %s",
self->client_info.client_addr,
self->client_info.client_port,
iso->trans->ssl_protocol,
iso->trans->cipher_name);
}
else
{
log_message(LOG_LEVEL_INFO,
"Non-TLS connection established from %s port %s: "
"encrypted with standard RDP security",
self->client_info.client_addr,
self->client_info.client_port);
}
return 0; return 0;
} }
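Review bot: The TLS branch passes `iso->trans->ssl_protocol` and `iso->trans->cipher_name` straight to `%s`; they are only assigned in trans_set_tls_mode, and whatever value they hold on a transport where that call did not run (trans_create's initialisation is not part of this commit) is formatted unchecked, which for NULL is undefined behaviour in the formatter. If trans_set_tls_mode always precedes this point whenever `selectedProtocol > PROTOCOL_RDP` this is only defensive, but a cheap guard keeps the log line intact either way: `iso->trans->ssl_protocol ? iso->trans->ssl_protocol : "unknown",` and `iso->trans->cipher_name ? iso->trans->cipher_name : "(NONE)",`. The else-branch text "encrypted with standard RDP security" is also only accurate when the configured crypt_level is not none; "using standard RDP security", or logging the negotiated crypt level alongside, avoids a misleading line. xrdp_rdp_incoming's body continues between the section's two hunks, so the code between them is not visible here.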