Merge pull request #426 from metalefty/log-tls-version-and-cipher

TLS: log TLS version and cipher

common/ssl_calls.c

@@ -891,3 +891,17 @@ ssl_tls_can_recv(struct ssl_tls *tls, int sck, int millis)
     return g_sck_can_recv(sck, millis);
 }
 
+
+/*****************************************************************************/
+const char *
+ssl_get_version(const struct ssl_st *ssl)
+{
+    return SSL_get_version(ssl);
+}
+
+/*****************************************************************************/
+const char *
+ssl_get_cipher_name(const struct ssl_st *ssl)
+{
+    return SSL_get_cipher_name(ssl);
+}

common/ssl_calls.h

@@ -109,4 +109,7 @@ ssl_tls_write(struct ssl_tls *tls, const char *data, int length);
 int APP_CC
 ssl_tls_can_recv(struct ssl_tls *tls, int sck, int millis);
 
+const char *ssl_get_version(const struct ssl_st *ssl);
+const char *ssl_get_cipher_name(const struct ssl_st *ssl);
+
 #endif

common/trans.c

@@ -902,6 +902,9 @@ trans_set_tls_mode(struct trans *self, const char *key, const char *cert,
     self->trans_send = trans_tls_send;
     self->trans_can_recv = trans_tls_can_recv;
 
+    self->ssl_protocol = ssl_get_version(self->tls->ssl);
+    self->cipher_name = ssl_get_cipher_name(self->tls->ssl);
+
     return 0;
 }
 

common/trans.h

@@ -79,6 +79,8 @@ struct trans
     int no_stream_init_on_data_in;
     int extra_flags; /* user defined */
     struct ssl_tls *tls;
+    const char *ssl_protocol; /* e.g. TLSv1, TLSv1.1, TLSv1.2, unknown */
+    const char *cipher_name;  /* e.g. AES256-GCM-SHA384 */
     trans_recv_proc trans_recv;
     trans_send_proc trans_send;
     trans_can_recv_proc trans_can_recv;

libxrdp/xrdp_rdp.c

@@ -816,6 +816,9 @@ xrdp_rdp_send_data_update_sync(struct xrdp_rdp *self)
 int APP_CC
 xrdp_rdp_incoming(struct xrdp_rdp *self)
 {
+    struct xrdp_iso *iso;
+    iso = self->sec_layer->mcs_layer->iso_layer;
+
     DEBUG(("in xrdp_rdp_incoming"));
 
     if (xrdp_sec_incoming(self->sec_layer) != 0)
@@ -825,12 +828,32 @@ xrdp_rdp_incoming(struct xrdp_rdp *self)
     self->mcs_channel = self->sec_layer->mcs_layer->userid +
                         MCS_USERCHANNEL_BASE;
     DEBUG(("out xrdp_rdp_incoming mcs channel %d", self->mcs_channel));
-    g_strncpy(self->client_info.client_addr,
-              self->sec_layer->mcs_layer->iso_layer->trans->addr,
+    g_strncpy(self->client_info.client_addr, iso->trans->addr,
               sizeof(self->client_info.client_addr) - 1);
-    g_strncpy(self->client_info.client_port,
-              self->sec_layer->mcs_layer->iso_layer->trans->port,
+    g_strncpy(self->client_info.client_port, iso->trans->port,
               sizeof(self->client_info.client_port) - 1);
+
+    /* log TLS version and cipher when TLS is used */
+    /* TODO: client_addr, client_port is empty when IPv6 enabled */
+
+    if (iso->selectedProtocol > PROTOCOL_RDP)
+    {
+        log_message(LOG_LEVEL_INFO,
+                    "TLS connection established from %s port %s: %s with cipher %s",
+                    self->client_info.client_addr,
+                    self->client_info.client_port,
+                    iso->trans->ssl_protocol,
+                    iso->trans->cipher_name);
+    }
+    else
+    {
+        log_message(LOG_LEVEL_INFO,
+                    "Non-TLS connection established from %s port %s: "
+                    "encrypted with standard RDP security",
+                    self->client_info.client_addr,
+                    self->client_info.client_port);
+    }
+
     return 0;
 }