ITS#7683 log tls prot/cipher info
Note: I could not test the MozNSS patch due to the absence of NSS PEM support on my machine. Given the review comments in https://bugzilla.mozilla.org/show_bug.cgi?id=402712 I doubt that trustworthy PEM support will be appearing for MozNSS any time soon.
This commit is contained in:
parent
9562ad00bd
commit
7d6d6944c5
@ -431,6 +431,8 @@ LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn,
|
||||
LDAPDN_rewrite_dummy *func, unsigned flags ));
|
||||
LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx ));
|
||||
LDAP_F (int) ldap_pvt_tls_get_unique LDAP_P(( void *ctx, struct berval *buf, int is_server ));
|
||||
LDAP_F (const char *) ldap_pvt_tls_get_version LDAP_P(( void *ctx ));
|
||||
LDAP_F (const char *) ldap_pvt_tls_get_cipher LDAP_P(( void *ctx ));
|
||||
|
||||
LDAP_END_DECL
|
||||
|
||||
|
@ -42,6 +42,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
|
||||
typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
|
||||
typedef int (TI_session_strength)(tls_session *sess);
|
||||
typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
|
||||
typedef const char *(TI_session_name)(tls_session *s);
|
||||
|
||||
typedef void (TI_thr_init)(void);
|
||||
|
||||
@ -66,6 +67,8 @@ typedef struct tls_impl {
|
||||
TI_session_chkhost *ti_session_chkhost;
|
||||
TI_session_strength *ti_session_strength;
|
||||
TI_session_unique *ti_session_unique;
|
||||
TI_session_name *ti_session_version;
|
||||
TI_session_name *ti_session_cipher;
|
||||
|
||||
Sockbuf_IO *ti_sbio;
|
||||
|
||||
|
@ -1005,6 +1005,20 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
|
||||
tls_session *session = s;
|
||||
return tls_imp->ti_session_unique( session, buf, is_server );
|
||||
}
|
||||
|
||||
const char *
|
||||
ldap_pvt_tls_get_version( void *s )
|
||||
{
|
||||
tls_session *session = s;
|
||||
return tls_imp->ti_session_version( session );
|
||||
}
|
||||
|
||||
const char *
|
||||
ldap_pvt_tls_get_cipher( void *s )
|
||||
{
|
||||
tls_session *session = s;
|
||||
return tls_imp->ti_session_cipher( session );
|
||||
}
|
||||
#endif /* HAVE_TLS */
|
||||
|
||||
int
|
||||
|
@ -816,6 +816,20 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
|
||||
return 0;
|
||||
}
|
||||
|
||||
static const char *
|
||||
tlsg_session_version( tls_session *sess )
|
||||
{
|
||||
tlsg_session *s = (tlsg_session *)sess;
|
||||
return gnutls_protocol_get_name(gnutls_protocol_get_version( s->session ));
|
||||
}
|
||||
|
||||
static const char *
|
||||
tlsg_session_cipher( tls_session *sess )
|
||||
{
|
||||
tlsg_session *s = (tlsg_session *)sess;
|
||||
return gnutls_cipher_get_name(gnutls_cipher_get( s->session ));
|
||||
}
|
||||
|
||||
/* suites is a string of colon-separated cipher suite names. */
|
||||
static int
|
||||
tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
|
||||
@ -1150,6 +1164,8 @@ tls_impl ldap_int_tls_impl = {
|
||||
tlsg_session_chkhost,
|
||||
tlsg_session_strength,
|
||||
tlsg_session_unique,
|
||||
tlsg_session_version,
|
||||
tlsg_session_cipher,
|
||||
|
||||
&tlsg_sbio,
|
||||
|
||||
|
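Review bot: tlsg_session_version and tlsg_session_cipher can return NULL, because gnutls_protocol_get_name() and gnutls_cipher_get_name() return NULL for a version or cipher they do not recognize, whereas the MozNSS counterparts added in this commit return "unknown" and connection_read() passes the result straight to a `%s` conversion. A fallback keeps the backends consistent and the log call safe: `const char *name = gnutls_protocol_get_name(gnutls_protocol_get_version( s->session ));` followed by `return name ? name : "unknown";`, with the same pattern in tlsg_session_cipher. The ldap_pvt_tls_get_version/ldap_pvt_tls_get_cipher wrappers inherit whatever the backend returns, so their callers cannot compensate for this difference themselves.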
@ -912,6 +912,7 @@ tlsm_get_pin(PK11SlotInfo *slot, PRBool retry, tlsm_ctx *ctx)
|
||||
int infd = PR_FileDesc2NativeHandle( PR_STDIN );
|
||||
int isTTY = isatty( infd );
|
||||
unsigned char phrase[200];
|
||||
char *dummy;
|
||||
/* Prompt for password */
|
||||
if ( isTTY ) {
|
||||
fprintf( stdout,
|
||||
@ -919,7 +920,8 @@ tlsm_get_pin(PK11SlotInfo *slot, PRBool retry, tlsm_ctx *ctx)
|
||||
token_name ? token_name : DEFAULT_TOKEN_NAME );
|
||||
echoOff( infd );
|
||||
}
|
||||
fgets( (char*)phrase, sizeof(phrase), stdin );
|
||||
dummy = fgets( (char*)phrase, sizeof(phrase), stdin );
|
||||
(void) dummy;
|
||||
if ( isTTY ) {
|
||||
fprintf( stdout, "\n" );
|
||||
echoOn( infd );
|
||||
@ -2841,9 +2843,54 @@ tlsm_session_strength( tls_session *session )
|
||||
static int
|
||||
tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
|
||||
{
|
||||
/* Need upstream support https://bugzilla.mozilla.org/show_bug.cgi?id=563276 */
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Yet again, we're pasting in glue that MozNSS ought to provide itself. */
|
||||
static struct {
|
||||
const char *name;
|
||||
int num;
|
||||
} pvers[] = {
|
||||
{ "SSLv2", SSL_LIBRARY_VERSION_2 },
|
||||
{ "SSLv3", SSL_LIBRARY_VERSION_3_0 },
|
||||
{ "TLSv1", SSL_LIBRARY_VERSION_TLS_1_0 },
|
||||
{ "TLSv1.1", SSL_LIBRARY_VERSION_TLS_1_1 },
|
||||
{ NULL, 0 }
|
||||
};
|
||||
|
||||
static const char *
|
||||
tlsm_session_version( tls_session *sess )
|
||||
{
|
||||
tlsm_session *s = (tlsm_session *)sess;
|
||||
SSLChannelInfo info;
|
||||
int rc;
|
||||
rc = SSL_GetChannelInfo( s, &info, sizeof( info ));
|
||||
if ( rc == 0 ) {
|
||||
int i;
|
||||
for (i=0; pvers[i].name; i++)
|
||||
if (pvers[i].num == info.protocolVersion)
|
||||
return pvers[i].name;
|
||||
}
|
||||
return "unknown";
|
||||
}
|
||||
|
||||
static const char *
|
||||
tlsm_session_cipher( tls_session *sess )
|
||||
{
|
||||
tlsm_session *s = (tlsm_session *)sess;
|
||||
SSLChannelInfo info;
|
||||
int rc;
|
||||
rc = SSL_GetChannelInfo( s, &info, sizeof( info ));
|
||||
if ( rc == 0 ) {
|
||||
SSLCipherSuiteInfo csinfo;
|
||||
rc = SSL_GetCipherSuiteInfo( info.cipherSuite, &csinfo, sizeof( csinfo ));
|
||||
if ( rc == 0 )
|
||||
return csinfo.cipherSuiteName;
|
||||
}
|
||||
return "unknown";
|
||||
}
|
||||
|
||||
/*
|
||||
* TLS support for LBER Sockbufs
|
||||
*/
|
||||
@ -3273,6 +3320,8 @@ tls_impl ldap_int_tls_impl = {
|
||||
tlsm_session_chkhost,
|
||||
tlsm_session_strength,
|
||||
tlsm_session_unique,
|
||||
tlsm_session_version,
|
||||
tlsm_session_cipher,
|
||||
|
||||
&tlsm_sbio,
|
||||
|
||||
|
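Review bot: In the tlsm_get_pin hunk, the fgets() return value is now captured in `dummy` only to be discarded with `(void) dummy;`, so a failed read (EOF or error on stdin) still falls through with `phrase`, which is declared without an initializer and whose contents are indeterminate after a failed fgets(). The failure should be handled rather than silenced, at minimum `if ( dummy == NULL ) phrase[0] = '\0';` so that an empty PIN is seen instead of stale stack bytes. The remainder of tlsm_get_pin, including how phrase is consumed, is outside the hunk, so I cannot see whether a later check already covers this.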
@ -703,6 +703,20 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
|
||||
return buf->bv_len;
|
||||
}
|
||||
|
||||
static const char *
|
||||
tlso_session_version( tls_session *sess )
|
||||
{
|
||||
tlso_session *s = (tlso_session *)sess;
|
||||
return SSL_get_version(s);
|
||||
}
|
||||
|
||||
static const char *
|
||||
tlso_session_cipher( tls_session *sess )
|
||||
{
|
||||
tlso_session *s = (tlso_session *)sess;
|
||||
return SSL_CIPHER_get_name(SSL_get_current_cipher(s));
|
||||
}
|
||||
|
||||
/*
|
||||
* TLS support for LBER Sockbufs
|
||||
*/
|
||||
@ -1209,6 +1223,8 @@ tls_impl ldap_int_tls_impl = {
|
||||
tlso_session_chkhost,
|
||||
tlso_session_strength,
|
||||
tlso_session_unique,
|
||||
tlso_session_version,
|
||||
tlso_session_cipher,
|
||||
|
||||
&tlso_sbio,
|
||||
|
||||
|
@ -1388,6 +1388,7 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
|
||||
} else if ( rc == 0 ) {
|
||||
void *ssl;
|
||||
struct berval authid = BER_BVNULL;
|
||||
char msgbuf[32];
|
||||
|
||||
c->c_needs_tls_accept = 0;
|
||||
|
||||
@ -1405,9 +1406,11 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
|
||||
"unable to get TLS client DN, error=%d id=%lu\n",
|
||||
s, rc, c->c_connid );
|
||||
}
|
||||
sprintf(msgbuf, "tls_ssf=%u ssf=%u", c->c_tls_ssf, c->c_ssf);
|
||||
Statslog( LDAP_DEBUG_STATS,
|
||||
"conn=%lu fd=%d TLS established tls_ssf=%u ssf=%u\n",
|
||||
c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 );
|
||||
"conn=%lu fd=%d TLS established %s tls_proto=%s tls_cipher=%s\n",
|
||||
c->c_connid, (int) s,
|
||||
msgbuf, ldap_pvt_tls_get_version( ssl ), ldap_pvt_tls_get_cipher( ssl ));
|
||||
slap_sasl_external( c, c->c_tls_ssf, &authid );
|
||||
if ( authid.bv_val ) free( authid.bv_val );
|
||||
{
|
||||
|
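Review bot: The new `sprintf(msgbuf, "tls_ssf=%u ssf=%u", c->c_tls_ssf, c->c_ssf);` writes into `char msgbuf[32]` without a bound; each `%u` can expand to ten digits, which together with the fixed text and the terminator needs up to 34 bytes, so the declared size only holds while the ssf values stay small. A bounded write removes that dependency: `snprintf( msgbuf, sizeof(msgbuf), "tls_ssf=%u ssf=%u", c->c_tls_ssf, c->c_ssf );`, or alternatively enlarge the buffer declared in the earlier hunk of this function. connection_read continues outside both hunks.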