From 7d6d6944c574e9030807369213b5aea53662167a Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Sat, 7 Sep 2013 12:22:09 -0700
Subject: [PATCH] ITS#7683 log tls prot/cipher info

Note: I could not test the MozNSS patch due to the absence of NSS PEM support on my machine. Given the review comments in https://bugzilla.mozilla.org/show_bug.cgi?id=402712 I doubt that trustworthy PEM support will be appearing for MozNSS any time soon.
---
 include/ldap_pvt.h | 2 ++
 libraries/libldap/ldap-tls.h | 3 +++
 libraries/libldap/tls2.c | 14 ++++++++++
 libraries/libldap/tls_g.c | 16 +++++++++++
 libraries/libldap/tls_m.c | 51 +++++++++++++++++++++++++++++++++++-
 libraries/libldap/tls_o.c | 16 +++++++++++
 servers/slapd/connection.c | 7 +++-
 7 files changed, 106 insertions(+), 3 deletions(-)
diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
index fdc9d2de36..066fabab46 100644
--- a/include/ldap_pvt.h
+++ b/include/ldap_pvt.h
@@ -431,6 +431,8 @@ LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn,
 LDAPDN_rewrite_dummy *func, unsigned flags ));
 LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx ));
 LDAP_F (int) ldap_pvt_tls_get_unique LDAP_P(( void *ctx, struct berval *buf, int is_server ));
+LDAP_F (const char *) ldap_pvt_tls_get_version LDAP_P(( void *ctx ));
+LDAP_F (const char *) ldap_pvt_tls_get_cipher LDAP_P(( void *ctx ));
 
 LDAP_END_DECL
 
diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
index 1eb5ae47e8..548814d7fe 100644
--- a/libraries/libldap/ldap-tls.h
+++ b/libraries/libldap/ldap-tls.h
@@ -42,6 +42,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
 typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
 typedef int (TI_session_strength)(tls_session *sess);
 typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
+typedef const char *(TI_session_name)(tls_session *s);
 
 typedef void (TI_thr_init)(void);
 
@@ -66,6 +67,8 @@ typedef struct tls_impl {
 TI_session_chkhost *ti_session_chkhost;
 TI_session_strength *ti_session_strength;
 TI_session_unique *ti_session_unique;
+ TI_session_name *ti_session_version;
+ TI_session_name *ti_session_cipher;
 
 Sockbuf_IO *ti_sbio;
 
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index d0193b9ef9..e4f63a60a9 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -1005,6 +1005,20 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
 tls_session *session = s;
 return tls_imp->ti_session_unique( session, buf, is_server );
 }
+
+const char *
+ldap_pvt_tls_get_version( void *s )
+{
+ tls_session *session = s;
+ return tls_imp->ti_session_version( session );
+}
+
+const char *
+ldap_pvt_tls_get_cipher( void *s )
+{
+ tls_session *session = s;
+ return tls_imp->ti_session_cipher( session );
+}
 #endif /* HAVE_TLS */
 
 int
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
index c793828e73..ce422387c9 100644
--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -816,6 +816,20 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
 return 0;
 }
 
+static const char *
+tlsg_session_version( tls_session *sess )
+{
+ tlsg_session *s = (tlsg_session *)sess;
+ return gnutls_protocol_get_name(gnutls_protocol_get_version( s->session ));
+}
+
+static const char *
+tlsg_session_cipher( tls_session *sess )
+{
+ tlsg_session *s = (tlsg_session *)sess;
+ return gnutls_cipher_get_name(gnutls_cipher_get( s->session ));
+}
+
 /* suites is a string of colon-separated cipher suite names. */
 static int
 tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
@@ -1150,6 +1164,8 @@ tls_impl ldap_int_tls_impl = {
 tlsg_session_chkhost,
 tlsg_session_strength,
 tlsg_session_unique,
+ tlsg_session_version,
+ tlsg_session_cipher,
 
 &tlsg_sbio,
 
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 240bd9ff6e..4bd9e63cb5 100644
--- a/libraries/libldap/tls_m.c
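Review bot: ldap_pvt_tls_get_version and ldap_pvt_tls_get_cipher are new public entry points in tls2.c but carry no comment stating what the returned pointer is, and the backends added by this patch do not agree on the failure value: tls_m.c returns the literal "unknown", while per GnuTLS's documentation the name lookups in tls_g.c can yield NULL. I would add above each a comment such as `/* Name of the negotiated protocol (resp. cipher suite) of an established TLS session. The string is owned by the TLS implementation and must not be freed; never NULL. */` and make every backend honour that, since slapd passes the result straight to a %s conversion. Like ldap_pvt_tls_get_unique just above, there is no NULL check on s, which is fine once the precondition (an established session) is written down.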
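Review bot: gnutls_protocol_get_name() and gnutls_cipher_get_name() are documented to return NULL for a value they do not recognise, so on an unexpected protocol version or cipher tlsg_session_version/tlsg_session_cipher hand a NULL pointer up to slapd, where the connection.c hunk of this patch formats it with %s. The sibling tls_m.c implementation in this patch falls back to "unknown"; I would do the same here: `const char *name = gnutls_protocol_get_name(gnutls_protocol_get_version( s->session ));` followed by `return name ? name : "unknown";`, and the equivalent two lines in tlsg_session_cipher.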
+++ b/libraries/libldap/tls_m.c
@@ -912,6 +912,7 @@ tlsm_get_pin(PK11SlotInfo *slot, PRBool retry, tlsm_ctx *ctx)
 int infd = PR_FileDesc2NativeHandle( PR_STDIN );
 int isTTY = isatty( infd );
 unsigned char phrase[200];
+ char *dummy;
 /* Prompt for password */
 if ( isTTY ) {
 fprintf( stdout,
@@ -919,7 +920,8 @@ tlsm_get_pin(PK11SlotInfo *slot, PRBool retry, tlsm_ctx *ctx)
 token_name ? token_name : DEFAULT_TOKEN_NAME );
 echoOff( infd );
 }
- fgets( (char*)phrase, sizeof(phrase), stdin );
+ dummy = fgets( (char*)phrase, sizeof(phrase), stdin );
+ (void) dummy;
 if ( isTTY ) {
 fprintf( stdout, "\n" );
 echoOn( infd );
@@ -2841,9 +2843,54 @@ tlsm_session_strength( tls_session *session )
 static int
 tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
 {
+ /* Need upstream support https://bugzilla.mozilla.org/show_bug.cgi?id=563276 */
 return 0;
 }
 
+/* Yet again, we're pasting in glue that MozNSS ought to provide itself. */
+static struct {
+ const char *name;
+ int num;
+} pvers[] = {
+ { "SSLv2", SSL_LIBRARY_VERSION_2 },
+ { "SSLv3", SSL_LIBRARY_VERSION_3_0 },
+ { "TLSv1", SSL_LIBRARY_VERSION_TLS_1_0 },
+ { "TLSv1.1", SSL_LIBRARY_VERSION_TLS_1_1 },
+ { NULL, 0 }
+};
+
+static const char *
+tlsm_session_version( tls_session *sess )
+{
+ tlsm_session *s = (tlsm_session *)sess;
+ SSLChannelInfo info;
+ int rc;
+ rc = SSL_GetChannelInfo( s, &info, sizeof( info ));
+ if ( rc == 0 ) {
+ int i;
+ for (i=0; pvers[i].name; i++)
+ if (pvers[i].num == info.protocolVersion)
+ return pvers[i].name;
+ }
+ return "unknown";
+}
+
+static const char *
+tlsm_session_cipher( tls_session *sess )
+{
+ tlsm_session *s = (tlsm_session *)sess;
+ SSLChannelInfo info;
+ int rc;
+ rc = SSL_GetChannelInfo( s, &info, sizeof( info ));
+ if ( rc == 0 ) {
+ SSLCipherSuiteInfo csinfo;
+ rc = SSL_GetCipherSuiteInfo( info.cipherSuite, &csinfo, sizeof( csinfo ));
+ if ( rc == 0 )
+ return csinfo.cipherSuiteName;
+ }
+ return "unknown";
+}
+
 /*
 * TLS support for LBER Sockbufs
 */
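Review bot: `dummy = fgets( ... ); (void) dummy;` in the @@ -919 hunk only silences the unused-result warning; when fgets() returns NULL (EOF or a read error on stdin) phrase stays uninitialized and the rest of tlsm_get_pin, which continues past the hunk, presumably goes on to use it as the token PIN. Check the result instead, e.g. `if ( fgets( (char*)phrase, sizeof(phrase), stdin ) == NULL ) phrase[0] = '\0';`, which also removes the need for the `char *dummy` added in the @@ -912 hunk. Whether the code after the hunk treats an empty phrase as a failed prompt cannot be seen from here and should be confirmed.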
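Review bot: pvers stops at TLS 1.1, so a session negotiated by an NSS build that supports TLS 1.2 is logged as tls_proto=unknown, which is precisely the case an operator auditing protocol use wants to see. Add an entry guarded on the constant so older NSS headers still build: `#ifdef SSL_LIBRARY_VERSION_TLS_1_2` / `{ "TLSv1.2", SSL_LIBRARY_VERSION_TLS_1_2 },` / `#endif` before the `{ NULL, 0 }` terminator. Both new functions also repeat the SSL_GetChannelInfo call and compare rc with 0 rather than SECSuccess; a one-line comment that "unknown" covers both a failed query and a version missing from pvers would help the next reader.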
@@ -3273,6 +3320,8 @@ tls_impl ldap_int_tls_impl = {
 tlsm_session_chkhost,
 tlsm_session_strength,
 tlsm_session_unique,
+ tlsm_session_version,
+ tlsm_session_cipher,
 
 &tlsm_sbio,
 
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index ba936fa09c..0bd7e97201 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -703,6 +703,20 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
 return buf->bv_len;
 }
 
+static const char *
+tlso_session_version( tls_session *sess )
+{
+ tlso_session *s = (tlso_session *)sess;
+ return SSL_get_version(s);
+}
+
+static const char *
+tlso_session_cipher( tls_session *sess )
+{
+ tlso_session *s = (tlso_session *)sess;
+ return SSL_CIPHER_get_name(SSL_get_current_cipher(s));
+}
+
 /*
 * TLS support for LBER Sockbufs
 */
@@ -1209,6 +1223,8 @@ tls_impl ldap_int_tls_impl = {
 tlso_session_chkhost,
 tlso_session_strength,
 tlso_session_unique,
+ tlso_session_version,
+ tlso_session_cipher,
 
 &tlso_sbio,
 
diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
index bc2b8a4d09..c47114c7fa 100644
--- a/servers/slapd/connection.c
+++ b/servers/slapd/connection.c
@@ -1388,6 +1388,7 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
 } else if ( rc == 0 ) {
 void *ssl;
 struct berval authid = BER_BVNULL;
+ char msgbuf[32];
 
 c->c_needs_tls_accept = 0;
 
@@ -1405,9 +1406,11 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
 "unable to get TLS client DN, error=%d id=%lu\n",
 s, rc, c->c_connid );
 }
+ sprintf(msgbuf, "tls_ssf=%u ssf=%u", c->c_tls_ssf, c->c_ssf);
 Statslog( LDAP_DEBUG_STATS,
- "conn=%lu fd=%d TLS established tls_ssf=%u ssf=%u\n",
- c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 );
+ "conn=%lu fd=%d TLS established %s tls_proto=%s tls_cipher=%s\n",
+ c->c_connid, (int) s,
+ msgbuf, ldap_pvt_tls_get_version( ssl ), ldap_pvt_tls_get_cipher( ssl ));
 slap_sasl_external( c, c->c_tls_ssf, &authid );
 if ( authid.bv_val ) free( authid.bv_val );
 {
-- 
2.39.5
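Review bot: tlso_session_version and tlso_session_cipher lack a comment stating that the returned strings are static text owned by OpenSSL that must not be freed, which is the property the tls2.c wrappers and the slapd log line rely on. I would add `/* Static strings owned by OpenSSL; SSL_get_version() yields "unknown" and SSL_CIPHER_get_name(NULL) yields "(NONE)" before the handshake completes. */` above the pair — that documented OpenSSL behaviour is why, unlike the GnuTLS backend in this patch, no NULL guard is needed here.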
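Review bot: sprintf() into the 32-byte msgbuf declared in the @@ -1388 hunk has no bound; "tls_ssf=%u ssf=%u" with two full-width unsigned values is 33 characters plus the terminator, more than the buffer holds, so the formatting should be `snprintf(msgbuf, sizeof(msgbuf), "tls_ssf=%u ssf=%u", c->c_tls_ssf, c->c_ssf);`. The values are presumably small SSF numbers in practice, but a bounded call costs nothing and removes the finding. The intermediate buffer itself is presumably there because Statslog takes a fixed number of arguments; a one-line comment saying so would stop the next reader from folding it back into the format string. The version and cipher strings are passed straight to %s, so the two ldap_pvt_tls_get_* functions must never return NULL — worth stating at their ldap_pvt.h declarations.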