From faf994c53be72a270564b92f54fa147ab8500452 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aca=CC=81cio=20Centeno?=
Date: Thu, 25 Sep 2014 16:23:31 +0000
Subject: [PATCH] Added access log fields for SSL protocol version, cipher suite, and session reuse.
---
iocore/net/P_SSLNetVConnection.h | 22 ++++++++++++++++++
iocore/net/SSLNetVConnection.cc | 2 +-
proxy/http/HttpSM.cc | 39 ++++++++++++++++++++++++++++++--
proxy/http/HttpSM.h | 13 +++++++++++
proxy/logging/Log.cc | 21 +++++++++++++++++
proxy/logging/LogAccess.cc | 20 ++++++++++++++++
proxy/logging/LogAccess.h | 3 +++
proxy/logging/LogAccessHttp.cc | 38 +++++++++++++++++++++++++++++++
proxy/logging/LogAccessHttp.h | 3 +++
9 files changed, 158 insertions(+), 3 deletions(-)
diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h
index c464e604c13..0659e51b376 100644
--- a/iocore/net/P_SSLNetVConnection.h
+++ b/iocore/net/P_SSLNetVConnection.h
@@ -120,6 +120,28 @@ class SSLNetVConnection:public UnixNetVConnection sslClientRenegotiationAbort = state; };
+ const char * get_ssl_protocol(void) const
+ {
+ if ( ssl == NULL )
+ return NULL;
+ return SSL_get_cipher_version(ssl);
+ };
+
+ const char * get_ssl_cipher_suite(void) const
+ {
+ if ( ssl == NULL )
+ return NULL;
+ return SSL_get_cipher_name(ssl);
+ }
+
+ bool get_ssl_session_reused(void) const
+ {
+ if ( ssl == NULL )
+ return false;
+ return SSL_session_reused(ssl);
+ }
+
+
+
private: SSLNetVConnection(const SSLNetVConnection &); SSLNetVConnection & operator =(const SSLNetVConnection &);
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index d3aa858dd62..725776b24a3 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -793,4 +793,4 @@ SSLNetVConnection::select_next_protocol(SSL * ssl, const unsigned char ** out, u *out = NULL; *outlen = 0; return SSL_TLSEXT_ERR_NOACK;
-}
+}
\ No newline at end of file
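Review bot: `get_ssl_protocol` and `get_ssl_cipher_suite` return NULL when `ssl` is unset, and the caller added in proxy/http/HttpSM.cc (`setup_security_properties`) copies that pointer straight over the `"-"` default the HttpSM constructor sets, so the marshallers added in proxy/logging/LogAccessHttp.cc can receive a NULL `proto`/`cipher`; whether `LogAccess::strlen` and `marshal_str` tolerate NULL is not visible here, so if the unset case can occur at attach time either return `"-"` from these accessors or guard the assignment in HttpSM with `if (const char *p = ssl_vc->get_ssl_protocol()) sec_protocol = p;` and the same for the cipher suite. `get_ssl_protocol` also closes its body with `};` while its two siblings close with `}`; drop the stray semicolon. The HttpSM caller keeps these pointers for the life of the transaction, which is only safe because the strings are not owned by this object; a comment such as `// Strings are owned by OpenSSL, not by this object; NULL before a handshake.` would record that, and it is worth confirming against the OpenSSL version in use.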
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index 2e54c324b51..57ad2e09409 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -327,7 +327,8 @@ HttpSM::HttpSM() pushed_response_hdr_bytes(0), pushed_response_body_bytes(0), plugin_tag(0), plugin_id(0), hooks_set(false), cur_hook_id(TS_HTTP_LAST_HOOK), cur_hook(NULL),
- cur_hooks(0), callout_state(HTTP_API_NO_CALLOUT), terminate_sm(false), kill_this_async_done(false)
+ cur_hooks(0), callout_state(HTTP_API_NO_CALLOUT), terminate_sm(false), kill_this_async_done(false),
+ sec_protocol("-"), sec_cipher_suite("-"), sec_session_reused(false)
{ static int scatter_init = 0;
@@ -428,7 +429,6 @@ HttpSM::init() debug_sm_list.push(this, this->debug_link); ink_mutex_release(&debug_sm_list_mutex); #endif
-
} void
@@ -588,6 +588,8 @@ HttpSM::attach_client_session(HttpClientSession * client_vc, IOBufferReader * bu --reentrancy_count; ink_assert(reentrancy_count >= 0); }
+
+ setup_security_properties();
}
@@ -7673,3 +7675,36 @@ HttpSM::is_redirect_required() } return redirect_required; }
+
+inline void
+HttpSM::setup_security_properties(void)
+{
+ ink_assert(ua_session != NULL);
+
+ SSLNetVConnection *ssl_vc = dynamic_cast(ua_session->get_netvc());
+
+ if (ssl_vc != NULL) {
+ sec_protocol = ssl_vc->get_ssl_protocol();
+ sec_cipher_suite = ssl_vc->get_ssl_cipher_suite();
+ sec_session_reused = ssl_vc->get_ssl_session_reused();
+ }
+}
+
+const char *
+HttpSM::get_security_protocol(void)
+{
+ return sec_protocol;
+}
+
+
+const char *
+HttpSM::get_security_cipher_suite(void)
+{
+ return sec_cipher_suite;
+}
+
+bool
+HttpSM::get_security_session_reused(void)
+{
+ return sec_session_reused;
+}
\ No newline at end of file
diff --git a/proxy/http/HttpSM.h b/proxy/http/HttpSM.h
index 015a59bd4ab..91bcf7750bb 100644
--- a/proxy/http/HttpSM.h
+++ b/proxy/http/HttpSM.h
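Review bot: `dynamic_cast(ua_session->get_netvc())` in `setup_security_properties` has no target type as rendered; presumably `dynamic_cast<SSLNetVConnection *>` was lost when the patch was mailed, but as shown it would not compile, so the raw patch is worth checking. The function is declared `inline` in HttpSM.h yet defined out of line here, which links only because its sole caller, `attach_client_session`, lives in this translation unit; drop the `inline` or move the body into the header. A one-line comment on the definition would also record that the TLS parameters are captured once at attach time and, as far as this patch shows, never refreshed, e.g. `// Snapshot the client-side TLS parameters once at attach; later renegotiation is not reflected.` — confirm that is the intended behaviour. The two `get_security_*` string accessors are separated by a double blank line where the rest of the hunk uses one.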
@@ -532,6 +532,19 @@ class HttpSM: public Continuation public: bool set_server_session_private(bool private_session);
+
+// Info about client's SSL connection.
+private:
+ const char * sec_protocol;
+ const char * sec_cipher_suite;
+ bool sec_session_reused;
+
+ inline void setup_security_properties(void);
+
+public:
+ const char * get_security_protocol(void);
+ const char * get_security_cipher_suite(void);
+ bool get_security_session_reused(void);
}; //Function to get the cache_sm object - YTS Team, yamsat
diff --git a/proxy/logging/Log.cc b/proxy/logging/Log.cc
index a207bec0bb7..04ed35d9bbe 100644
--- a/proxy/logging/Log.cc
+++ b/proxy/logging/Log.cc
@@ -877,6 +877,27 @@ Log::init_fields() global_field_list.add(field, false); ink_hash_table_insert(field_symbol_hash, "etype", field);
+ field = new LogField("client_sec_protocol", "csp",
+ LogField::STRING,
+ &LogAccess::marshal_client_security_protocol,
+ (LogField::UnmarshalFunc)&LogAccess::unmarshal_str);
+ global_field_list.add(field, false);
+ ink_hash_table_insert(field_symbol_hash, "csp", field);
+
+ field = new LogField("client_sec_cipher_suite", "csc",
+ LogField::STRING,
+ &LogAccess::marshal_client_security_cipher_suite,
+ (LogField::UnmarshalFunc)&LogAccess::unmarshal_str);
+ global_field_list.add(field, false);
+ ink_hash_table_insert(field_symbol_hash, "csc", field);
+
+ field = new LogField("client_sec_session_reused", "cssr",
+ LogField::STRING,
+ &LogAccess::marshal_client_security_session_reused,
+ (LogField::UnmarshalFunc)&LogAccess::unmarshal_str);
+ global_field_list.add(field, false);
+ ink_hash_table_insert(field_symbol_hash, "cssr", field);
+
init_status |= FIELDS_INITIALIZED; }
diff --git a/proxy/logging/LogAccess.cc b/proxy/logging/LogAccess.cc
index 1197de279dd..3dfb690679e 100644
--- a/proxy/logging/LogAccess.cc
+++ b/proxy/logging/LogAccess.cc
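Review bot: The three `get_security_*` accessors only return members and should be `const`, e.g. `const char * get_security_protocol(void) const;`, so they are callable on a const HttpSM; the definitions in HttpSM.cc would need the same qualifier. The `// Info about client's SSL connection.` comment sits at column 0 inside the class body, unlike the members it describes, and does not say what the members hold before the snapshot is taken; suggest indenting it and expanding it to `// Client-side TLS parameters captured by setup_security_properties(); "-"/false until then.` Declaring `setup_security_properties` `inline` here while defining it in HttpSM.cc is unconventional and only links because every caller is in that file; a plain declaration is enough.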
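Review bot: The new field symbols `csp`, `csc` and `cssr` are registered here but the diffstat shows no documentation change, so the access-log field reference will not list them or the `r`/`-` encoding that `cssr` emits; a comment above the first `new LogField` such as `// Client TLS fields: csp = protocol version, csc = cipher suite, cssr = "r" when the client session was resumed, "-" otherwise` plus a matching docs update would close that gap. These fields give operators per-request visibility into negotiated protocol versions and cipher suites, which is what is needed to find clients still on deprecated settings before tightening the server configuration. The three registrations themselves follow the pattern of the `etype` field above them.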
@@ -234,6 +234,26 @@ LogAccess::marshal_client_finish_status_code(char *buf) DEFAULT_INT_FIELD; }
+/*-------------------------------------------------------------------------
+-------------------------------------------------------------------------*/
+int
+LogAccess::marshal_client_security_protocol(char *buf)
+{
+ DEFAULT_STR_FIELD;
+}
+
+int
+LogAccess::marshal_client_security_cipher_suite(char *buf)
+{
+ DEFAULT_STR_FIELD;
+}
+
+int
+LogAccess::marshal_client_security_session_reused(char *buf)
+{
+ DEFAULT_STR_FIELD;
+}
+
/*------------------------------------------------------------------------- -------------------------------------------------------------------------*/
diff --git a/proxy/logging/LogAccess.h b/proxy/logging/LogAccess.h
index 8fb35b55e34..4940e09ace9 100644
--- a/proxy/logging/LogAccess.h
+++ b/proxy/logging/LogAccess.h
@@ -185,6 +185,9 @@ class LogAccess inkcoreapi virtual int marshal_client_req_header_len(char *); // INT inkcoreapi virtual int marshal_client_req_body_len(char *); // INT inkcoreapi virtual int marshal_client_finish_status_code(char *); // INT
+ inkcoreapi virtual int marshal_client_security_protocol(char *); // STR
+ inkcoreapi virtual int marshal_client_security_cipher_suite(char *); // STR
+ inkcoreapi virtual int marshal_client_security_session_reused(char *); // STR
// // proxy -> client fields
diff --git a/proxy/logging/LogAccessHttp.cc b/proxy/logging/LogAccessHttp.cc
index 91534f22a0b..baf1b9b3aa6 100644
--- a/proxy/logging/LogAccessHttp.cc
+++ b/proxy/logging/LogAccessHttp.cc
@@ -583,6 +583,44 @@ LogAccessHttp::marshal_client_finish_status_code(char *buf) return INK_MIN_ALIGN; }
+/*-------------------------------------------------------------------------
+-------------------------------------------------------------------------*/
+int
+LogAccessHttp::marshal_client_security_protocol(char *buf)
+{
+ const char * proto = m_http_sm->get_security_protocol();
+ int round_len = LogAccess::strlen(proto);
+ if (buf) {
+ marshal_str(buf, proto, round_len);
+ }
+ return round_len;
+}
+
+int
+LogAccessHttp::marshal_client_security_cipher_suite(char *buf)
+{
+ const char * cipher = m_http_sm->get_security_cipher_suite();
+ int round_len = LogAccess::strlen(cipher);
+ if (buf) {
+ marshal_str(buf, cipher, round_len);
+ }
+ return round_len;
+}
+
+int
+LogAccessHttp::marshal_client_security_session_reused(char *buf)
+{
+
+ bool reused = m_http_sm->get_security_session_reused();
+ const char * out = (reused) ? "r" : "-";
+ int round_len = LogAccess::strlen(out);
+ if (buf) {
+ marshal_str(buf, out, round_len);
+ }
+ return round_len;
+}
+
+
/*------------------------------------------------------------------------- -------------------------------------------------------------------------*/
diff --git a/proxy/logging/LogAccessHttp.h b/proxy/logging/LogAccessHttp.h
index 51ee9e382dc..0110652c887 100644
--- a/proxy/logging/LogAccessHttp.h
+++ b/proxy/logging/LogAccessHttp.h
@@ -71,6 +71,9 @@ class LogAccessHttp:public LogAccess virtual int marshal_client_req_header_len(char *); // INT virtual int marshal_client_req_body_len(char *); // INT virtual int marshal_client_finish_status_code(char *); // INT
+ virtual int marshal_client_security_protocol(char *); // STR
+ virtual int marshal_client_security_cipher_suite(char *); // STR
+ virtual int marshal_client_security_session_reused(char *); // STR
// // proxy -> client fields
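Review bot: `marshal_client_security_session_reused` chooses between `"r"` and `"-"` without saying so anywhere; since operators will match on this value in log filters, comment it at the definition: `// Emit "r" for a resumed client session, "-" otherwise (the STRING field default).` The stray blank line after that function's opening brace should go. The three marshallers repeat the same strlen/marshal_str/return sequence, so a small static helper taking the string and `buf` would remove the duplication, though that is optional.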