Commit 7d6d6944 authored by Howard Chu's avatar Howard Chu

ITS#7683 log tls prot/cipher info

Note: I could not test the MozNSS patch due to the absence of
NSS PEM support on my machine. Given the review comments in
https://bugzilla.mozilla.org/show_bug.cgi?id=402712 I doubt that
trustworthy PEM support will be appearing for MozNSS any time soon.
parent 9562ad00
......@@ -431,6 +431,8 @@ LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn,
LDAPDN_rewrite_dummy *func, unsigned flags ));
LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx ));
LDAP_F (int) ldap_pvt_tls_get_unique LDAP_P(( void *ctx, struct berval *buf, int is_server ));
LDAP_F (const char *) ldap_pvt_tls_get_version LDAP_P(( void *ctx ));
LDAP_F (const char *) ldap_pvt_tls_get_cipher LDAP_P(( void *ctx ));
LDAP_END_DECL
......
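Review bot: The two new prototypes say nothing about the ownership or lifetime of the returned string, and the three backends in this commit differ slightly: the OpenSSL and GnuTLS ones return library-owned names, while the MozNSS one may also return the string literal "unknown". A caller therefore must not free the result and should not treat it as stable beyond the session. I would add a comment above the pair, e.g. `/* Name of the session's protocol / cipher; library-owned, caller must not free. */`. Whether every backend guarantees a non-NULL result is a question for the backend files rather than this header.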
......@@ -42,6 +42,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
typedef int (TI_session_strength)(tls_session *sess);
typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
typedef const char *(TI_session_name)(tls_session *s);
typedef void (TI_thr_init)(void);
......@@ -66,6 +67,8 @@ typedef struct tls_impl {
TI_session_chkhost *ti_session_chkhost;
TI_session_strength *ti_session_strength;
TI_session_unique *ti_session_unique;
TI_session_name *ti_session_version;
TI_session_name *ti_session_cipher;
Sockbuf_IO *ti_sbio;
......
......@@ -1005,6 +1005,20 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
tls_session *session = s;
return tls_imp->ti_session_unique( session, buf, is_server );
}
const char *
ldap_pvt_tls_get_version( void *s )
{
tls_session *session = s;
return tls_imp->ti_session_version( session );
}
const char *
ldap_pvt_tls_get_cipher( void *s )
{
tls_session *session = s;
return tls_imp->ti_session_cipher( session );
}
#endif /* HAVE_TLS */
int
......
......@@ -816,6 +816,20 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
return 0;
}
static const char *
tlsg_session_version( tls_session *sess )
{
tlsg_session *s = (tlsg_session *)sess;
return gnutls_protocol_get_name(gnutls_protocol_get_version( s->session ));
}
static const char *
tlsg_session_cipher( tls_session *sess )
{
tlsg_session *s = (tlsg_session *)sess;
return gnutls_cipher_get_name(gnutls_cipher_get( s->session ));
}
/* suites is a string of colon-separated cipher suite names. */
static int
tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
......@@ -1150,6 +1164,8 @@ tls_impl ldap_int_tls_impl = {
tlsg_session_chkhost,
tlsg_session_strength,
tlsg_session_unique,
tlsg_session_version,
tlsg_session_cipher,
&tlsg_sbio,
......
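Review bot: tlsg_session_version and tlsg_session_cipher can return NULL, because gnutls_protocol_get_name() and gnutls_cipher_get_name() return NULL for a value they do not recognise, and the new Statslog call in connection_read hands the result straight to a %s conversion. The MozNSS backend in the same commit falls back to "unknown", but this backend does not, so the three implementations are not consistent. I would keep the same fallback here, e.g. `const char *name = gnutls_protocol_get_name( gnutls_protocol_get_version( s->session )); return name ? name : "unknown";`, and the equivalent two lines for the cipher.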
......@@ -912,6 +912,7 @@ tlsm_get_pin(PK11SlotInfo *slot, PRBool retry, tlsm_ctx *ctx)
int infd = PR_FileDesc2NativeHandle( PR_STDIN );
int isTTY = isatty( infd );
unsigned char phrase[200];
char *dummy;
/* Prompt for password */
if ( isTTY ) {
fprintf( stdout,
......@@ -919,7 +920,8 @@ tlsm_get_pin(PK11SlotInfo *slot, PRBool retry, tlsm_ctx *ctx)
token_name ? token_name : DEFAULT_TOKEN_NAME );
echoOff( infd );
}
fgets( (char*)phrase, sizeof(phrase), stdin );
dummy = fgets( (char*)phrase, sizeof(phrase), stdin );
(void) dummy;
if ( isTTY ) {
fprintf( stdout, "\n" );
echoOn( infd );
......@@ -2841,9 +2843,54 @@ tlsm_session_strength( tls_session *session )
static int
tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
{
/* Need upstream support https://bugzilla.mozilla.org/show_bug.cgi?id=563276 */
return 0;
}
/* Yet again, we're pasting in glue that MozNSS ought to provide itself. */
static struct {
const char *name;
int num;
} pvers[] = {
{ "SSLv2", SSL_LIBRARY_VERSION_2 },
{ "SSLv3", SSL_LIBRARY_VERSION_3_0 },
{ "TLSv1", SSL_LIBRARY_VERSION_TLS_1_0 },
{ "TLSv1.1", SSL_LIBRARY_VERSION_TLS_1_1 },
{ NULL, 0 }
};
static const char *
tlsm_session_version( tls_session *sess )
{
tlsm_session *s = (tlsm_session *)sess;
SSLChannelInfo info;
int rc;
rc = SSL_GetChannelInfo( s, &info, sizeof( info ));
if ( rc == 0 ) {
int i;
for (i=0; pvers[i].name; i++)
if (pvers[i].num == info.protocolVersion)
return pvers[i].name;
}
return "unknown";
}
static const char *
tlsm_session_cipher( tls_session *sess )
{
tlsm_session *s = (tlsm_session *)sess;
SSLChannelInfo info;
int rc;
rc = SSL_GetChannelInfo( s, &info, sizeof( info ));
if ( rc == 0 ) {
SSLCipherSuiteInfo csinfo;
rc = SSL_GetCipherSuiteInfo( info.cipherSuite, &csinfo, sizeof( csinfo ));
if ( rc == 0 )
return csinfo.cipherSuiteName;
}
return "unknown";
}
/*
* TLS support for LBER Sockbufs
*/
......@@ -3273,6 +3320,8 @@ tls_impl ldap_int_tls_impl = {
tlsm_session_chkhost,
tlsm_session_strength,
tlsm_session_unique,
tlsm_session_version,
tlsm_session_cipher,
&tlsm_sbio,
......
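Review bot: Assigning the fgets() result to `dummy` and casting it away only silences the unused-result warning; when fgets() returns NULL (EOF or error on stdin), `phrase`, declared uninitialised a few lines earlier, keeps indeterminate contents and the rest of tlsm_get_pin, which lies outside the hunk, presumably goes on to use it as the PIN. Checking the result is no more code than the cast: `if ( fgets( (char*)phrase, sizeof(phrase), stdin ) == NULL ) phrase[0] = '\0';`, after which `dummy` can be dropped. Separately, the pvers table in tlsm_session_version stops at TLSv1.1, so a TLS 1.2 session negotiated by a newer NSS is logged as "unknown"; an entry guarded by `#ifdef SSL_LIBRARY_VERSION_TLS_1_2` would cover it without breaking builds against older NSS.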
......@@ -703,6 +703,20 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
return buf->bv_len;
}
static const char *
tlso_session_version( tls_session *sess )
{
tlso_session *s = (tlso_session *)sess;
return SSL_get_version(s);
}
static const char *
tlso_session_cipher( tls_session *sess )
{
tlso_session *s = (tlso_session *)sess;
return SSL_CIPHER_get_name(SSL_get_current_cipher(s));
}
/*
* TLS support for LBER Sockbufs
*/
......@@ -1209,6 +1223,8 @@ tls_impl ldap_int_tls_impl = {
tlso_session_chkhost,
tlso_session_strength,
tlso_session_unique,
tlso_session_version,
tlso_session_cipher,
&tlso_sbio,
......
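Review bot: tlso_session_cipher relies on two documented OpenSSL behaviours that are not obvious from the line itself: SSL_get_current_cipher() returns NULL before a cipher has been negotiated, and SSL_CIPHER_get_name(NULL) returns the string "(NONE)", so the chained call is safe for the %s conversion in connection_read. A one-line comment would spare the next reader the lookup, e.g. `/* SSL_CIPHER_get_name(NULL) yields "(NONE)", so no handshake check is needed here. */`. If the project ever wants the same "unknown" wording as the MozNSS backend, this is the place to map it.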
......@@ -1388,6 +1388,7 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
} else if ( rc == 0 ) {
void *ssl;
struct berval authid = BER_BVNULL;
char msgbuf[32];
c->c_needs_tls_accept = 0;
......@@ -1405,9 +1406,11 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
"unable to get TLS client DN, error=%d id=%lu\n",
s, rc, c->c_connid );
}
sprintf(msgbuf, "tls_ssf=%u ssf=%u", c->c_tls_ssf, c->c_ssf);
Statslog( LDAP_DEBUG_STATS,
"conn=%lu fd=%d TLS established tls_ssf=%u ssf=%u\n",
c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 );
"conn=%lu fd=%d TLS established %s tls_proto=%s tls_cipher=%s\n",
c->c_connid, (int) s,
msgbuf, ldap_pvt_tls_get_version( ssl ), ldap_pvt_tls_get_cipher( ssl ));
slap_sasl_external( c, c->c_tls_ssf, &authid );
if ( authid.bv_val ) free( authid.bv_val );
{
......
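Review bot: The sprintf into msgbuf is unbounded: the literal text is 13 characters, and if c_tls_ssf and c_ssf are unsigned int (the %u conversions suggest so) two full-width values need 20 more plus the terminator, 34 bytes for a 32-byte buffer. The values are small in practice, but an unchecked sprintf into a fixed buffer on a network-facing path is exactly what a reviewer stops on, and `snprintf( msgbuf, sizeof(msgbuf), "tls_ssf=%u ssf=%u", c->c_tls_ssf, c->c_ssf );` costs nothing. The temporary buffer itself looks like a workaround for Statslog's fixed argument count; a one-line comment above it saying so would make the indirection clear. connection_read continues outside the hunk.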