From afe368b81ca436675b4a89596ab2ac73c838bd30 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Wed, 7 Jan 2015 11:35:32 -0800
Subject: [PATCH 294/305] Ticket #47945 - Add SSL/TLS version info to the
access log
Description: Added the currently used SSL library version info per
connection to the access log.
Sample output:
SSL
[..] conn=3 fd=64 slot=64 SSL connection from ::1 to ::1
[..] conn=3 TLS1.2 128-bit AES-GCM
startTLS
[..] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[..] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[..] conn=4 TLS1.2 128-bit AES-GCM
To convert the SSL version number to a string (e.g., SSL_LIBRARY_VERSION_TLS_1_2 --> "TLS1.2"), this patch computes the version string from the number itself instead of maintaining a mapping table.
Back-ported commit a2e0de3aa90f04593427628afeb7fe090dac93fb
https://fedorahosted.org/389/ticket/47945
(cherry picked from commit d62b281480c4c17438a6541c150bdb1e80abf14f)
---
ldap/servers/slapd/auth.c | 115 ++++++++++++++++++++-----------------
ldap/servers/slapd/slapi-private.h | 19 ++++++
2 files changed, 80 insertions(+), 54 deletions(-)
diff --git a/ldap/servers/slapd/auth.c b/ldap/servers/slapd/auth.c
index 4976406..73f6c0e 100644
--- a/ldap/servers/slapd/auth.c
+++ b/ldap/servers/slapd/auth.c
@@ -433,6 +433,7 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData)
SSLChannelInfo channelInfo;
SSLCipherSuiteInfo cipherInfo;
char* subject = NULL;
+ char sslversion[64];
if ( (slapd_ssl_getChannelInfo (prfd, &channelInfo, sizeof(channelInfo))) != SECSuccess ) {
PRErrorCode errorCode = PR_GetError();
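Review bot: `char sslversion[64];` is declared without an initializer, and the only write to it is the `(void) slapi_getSSLVersion_str(...)` call in the next hunk, whose return value is discarded. If that helper leaves `buf` untouched for a `protocolVersion` it does not recognise, or when `bufsize` is too small (ssl.c is not in this patch, so this is not verifiable here), every `%s` that prints `sslversion` in the second and third hunks reads an indeterminate array into the access log. Initialising at the declaration closes that path regardless of the helper's contract: `char sslversion[64] = {0};`. handle_handshake_done starts before this hunk and its error branch for a failed slapd_ssl_getChannelInfo continues past it, so whether that branch reaches the logging lines cannot be confirmed from the hunk.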
@@ -465,59 +466,63 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData)
}
}
+ (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, sslversion, sizeof(sslversion));
if (config_get_SSLclientAuth() == SLAPD_SSLCLIENTAUTH_OFF ) {
- slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " SSL %i-bit %s\n",
- conn->c_connid, keySize, cipher ? cipher : "NULL" );
+ slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " %s %i-bit %s\n",
+ (long long unsigned int)conn->c_connid,
+ sslversion, keySize, cipher ? cipher : "NULL" );
goto done;
- }
+ }
if (clientCert == NULL) {
- slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " SSL %i-bit %s\n",
- conn->c_connid, keySize, cipher ? cipher : "NULL" );
+ slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " %s %i-bit %s\n",
+ (long long unsigned int)conn->c_connid,
+ sslversion, keySize, cipher ? cipher : "NULL" );
} else {
- subject = subject_of (clientCert);
- if (!subject) {
- slapi_log_access( LDAP_DEBUG_STATS,
- "conn=%" NSPRIu64 " SSL %i-bit %s; missing subject\n",
- conn->c_connid, keySize, cipher ? cipher : "NULL");
- goto done;
- }
- {
- char* issuer = issuer_of (clientCert);
- char sbuf[ BUFSIZ ], ibuf[ BUFSIZ ];
- slapi_log_access( LDAP_DEBUG_STATS,
- "conn=%" NSPRIu64 " SSL %i-bit %s; client %s; issuer %s\n",
- conn->c_connid, keySize, cipher ? cipher : "NULL",
- subject ? escape_string( subject, sbuf ) : "NULL",
- issuer ? escape_string( issuer, ibuf ) : "NULL");
- if (issuer) free (issuer);
- }
- slapi_dn_normalize (subject);
- {
- LDAPMessage* chain = NULL;
- char *basedn = config_get_basedn();
- int err;
-
- err = ldapu_cert_to_ldap_entry
- (clientCert, internal_ld, basedn?basedn:""/*baseDN*/, &chain);
- if (err == LDAPU_SUCCESS && chain) {
- LDAPMessage* entry = slapu_first_entry (internal_ld, chain);
- if (entry) {
- /* clientDN is duplicated in slapu_get_dn */
- clientDN = slapu_get_dn (internal_ld, entry);
- } else {
-
- extraErrorMsg = "no entry";
- LDAPDebug (LDAP_DEBUG_TRACE, "<= ldapu_cert_to_ldap_entry() %s\n",
- extraErrorMsg, 0, 0);
- }
- } else {
- extraErrorMsg = ldapu_err2string(err);
- LDAPDebug (LDAP_DEBUG_TRACE, "<= ldapu_cert_to_ldap_entry() %i (%s)%s\n",
- err, extraErrorMsg, chain ? "" : " NULL");
- }
- slapi_ch_free_string(&basedn);
- slapu_msgfree (internal_ld, chain);
- }
+ subject = subject_of (clientCert);
+ if (!subject) {
+ slapi_log_access( LDAP_DEBUG_STATS,
+ "conn=%" NSPRIu64 " %s %i-bit %s; missing subject\n",
+ (long long unsigned int)conn->c_connid,
+ sslversion, keySize, cipher ? cipher : "NULL");
+ goto done;
+ }
+ {
+ char* issuer = issuer_of (clientCert);
+ char sbuf[ BUFSIZ ], ibuf[ BUFSIZ ];
+ slapi_log_access( LDAP_DEBUG_STATS,
+ "conn=%" NSPRIu64 " %s %i-bit %s; client %s; issuer %s\n",
+ (long long unsigned int)conn->c_connid,
+ sslversion, keySize, cipher ? cipher : "NULL",
+ subject ? escape_string( subject, sbuf ) : "NULL",
+ issuer ? escape_string( issuer, ibuf ) : "NULL");
+ if (issuer) free (issuer);
+ }
+ slapi_dn_normalize (subject);
+ {
+ LDAPMessage* chain = NULL;
+ char *basedn = config_get_basedn();
+ int err;
+
+ err = ldapu_cert_to_ldap_entry
+ (clientCert, internal_ld, basedn?basedn:""/*baseDN*/, &chain);
+ if (err == LDAPU_SUCCESS && chain) {
+ LDAPMessage* entry = slapu_first_entry (internal_ld, chain);
+ if (entry) {
+ /* clientDN is duplicated in slapu_get_dn */
+ clientDN = slapu_get_dn (internal_ld, entry);
+ } else {
+ extraErrorMsg = "no entry";
+ LDAPDebug (LDAP_DEBUG_TRACE, "<= ldapu_cert_to_ldap_entry() %s\n",
+ extraErrorMsg, 0, 0);
+ }
+ } else {
+ extraErrorMsg = ldapu_err2string(err);
+ LDAPDebug (LDAP_DEBUG_TRACE, "<= ldapu_cert_to_ldap_entry() %i (%s)%s\n",
+ err, extraErrorMsg, chain ? "" : " NULL");
+ }
+ slapi_ch_free_string(&basedn);
+ slapu_msgfree (internal_ld, chain);
+ }
}
if (clientDN != NULL) {
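Review bot: The whole `else` block of the client-certificate branch is removed and re-added with one less level of indentation, so the hunk shows roughly ninety changed lines where the only semantic change is the three log calls switching from the literal `SSL` to `%s` with `sslversion` as the extra argument (plus the `(long long unsigned int)` cast on `c_connid`). That whitespace-only churn hides the real change from `git blame` and from anyone diffing the access-log format between releases; splitting the re-indent into its own commit, or leaving the indentation as it was, would keep this hunk to the lines that matter. The discarded result of `slapi_getSSLVersion_str` on the first added line is the one place a reviewer has to trust the helper blindly; a short comment such as `/* sslversion is always NUL-terminated here: the helper writes into the caller-supplied buffer */` would record what is being relied on once that is confirmed in ssl.c. The enclosing function starts and ends outside this hunk.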
@@ -525,14 +530,16 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData)
sdn = slapi_sdn_new_dn_passin(clientDN);
clientDN = slapi_ch_strdup(slapi_sdn_get_dn(sdn));
slapi_sdn_free(&sdn);
- slapi_log_access (LDAP_DEBUG_STATS,
- "conn=%" NSPRIu64 " SSL client bound as %s\n",
- conn->c_connid, clientDN);
+ slapi_log_access (LDAP_DEBUG_STATS,
+ "conn=%" NSPRIu64 " %s client bound as %s\n",
+ (long long unsigned int)conn->c_connid,
+ sslversion, clientDN);
} else if (clientCert != NULL) {
slapi_log_access (LDAP_DEBUG_STATS,
- "conn=%" NSPRIu64 " SSL failed to map client "
+ "conn=%" NSPRIu64 " %s failed to map client "
"certificate to LDAP DN (%s)\n",
- conn->c_connid, extraErrorMsg );
+ (long long unsigned int)conn->c_connid,
+ sslversion, extraErrorMsg);
}
/*
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index 8507f47..18f0e94 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -1278,6 +1278,25 @@ void modify_update_last_modified_attr(Slapi_PBlock *pb, Slapi_Mods *smods);
/* add.c */
void add_internal_modifiersname(Slapi_PBlock *pb, Slapi_Entry *e);
+/* ssl.c */
+/*
+ * If non NULL buf and positive bufsize is given,
+ * the memory is used to store the version string.
+ * Otherwise, the memory for the string is allocated.
+ * The latter case, caller is responsible to free it.
+ */
+/* vnum is supposed to be in one of the following:
+ * nss3/sslproto.h
+ * #define SSL_LIBRARY_VERSION_2 0x0002
+ * #define SSL_LIBRARY_VERSION_3_0 0x0300
+ * #define SSL_LIBRARY_VERSION_TLS_1_0 0x0301
+ * #define SSL_LIBRARY_VERSION_TLS_1_1 0x0302
+ * #define SSL_LIBRARY_VERSION_TLS_1_2 0x0303
+ * #define SSL_LIBRARY_VERSION_TLS_1_3 0x0304
+ * ...
+ */
+char *slapi_getSSLVersion_str(PRUint16 vnum, char *buf, size_t bufsize);
+
#ifdef __cplusplus
}
#endif
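Review bot: The prototype comment for `slapi_getSSLVersion_str` explains the two buffer modes but never states what the function returns, which is the one thing a caller needs: whether it returns `buf` in the caller-supplied case, `NULL` on allocation failure, and what string (if any) results for a `vnum` outside the listed `SSL_LIBRARY_VERSION_*` values or for a `bufsize` smaller than the generated string. Since auth.c discards the return value entirely, the contract should say explicitly whether `buf` is always written and NUL-terminated when it is non-NULL. I would merge the two separate comment blocks above the declaration into a single `/** ... */` block with `@param vnum`, `@param buf`, `@param bufsize` and a `@return` line covering both the owned and the borrowed cases, so the ownership rule ("caller must free when buf is NULL") and the failure behaviour sit next to each other. The declaration also relies on `PRUint16` and `size_t` being in scope in slapi-private.h, which the hunk does not show.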
--
1.9.3