apache · acaciocenteno · Sep 25, 2014 · bellofreedom · Oct 16, 2014 · shinrich
diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h
@@ -120,6 +120,28 @@ class SSLNetVConnection:public UnixNetVConnection
     sslClientRenegotiationAbort = state;
   };
 
+  const char * get_ssl_protocol(void) const
+  {
+    if ( ssl == NULL )
+      return NULL;
+    return SSL_get_cipher_version(ssl);
+  };
+
+  const char * get_ssl_cipher_suite(void) const
+  {
+    if ( ssl == NULL )
+      return NULL;
+    return SSL_get_cipher_name(ssl);    
+  }
+
+  bool get_ssl_session_reused(void) const
+  {
+    if ( ssl == NULL )
+      return false;
+    return SSL_session_reused(ssl);
+  }
+
+
 private:
   SSLNetVConnection(const SSLNetVConnection &);
   SSLNetVConnection & operator =(const SSLNetVConnection &);

diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
@@ -793,4 +793,4 @@ SSLNetVConnection::select_next_protocol(SSL * ssl, const unsigned char ** out, u
   *out = NULL;
   *outlen = 0;
   return SSL_TLSEXT_ERR_NOACK;
-}
+}
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
@@ -327,7 +327,8 @@ HttpSM::HttpSM()
     pushed_response_hdr_bytes(0), pushed_response_body_bytes(0),
     plugin_tag(0), plugin_id(0),
     hooks_set(false), cur_hook_id(TS_HTTP_LAST_HOOK), cur_hook(NULL),
-    cur_hooks(0), callout_state(HTTP_API_NO_CALLOUT), terminate_sm(false), kill_this_async_done(false)
+    cur_hooks(0), callout_state(HTTP_API_NO_CALLOUT), terminate_sm(false), kill_this_async_done(false),
+    sec_protocol("-"), sec_cipher_suite("-"), sec_session_reused(false)
 {
   static int scatter_init = 0;
 
@@ -428,7 +429,6 @@ HttpSM::init()
   debug_sm_list.push(this, this->debug_link);
   ink_mutex_release(&debug_sm_list_mutex);
 #endif
-
 }
 
 void
@@ -588,6 +588,8 @@ HttpSM::attach_client_session(HttpClientSession * client_vc, IOBufferReader * bu
     --reentrancy_count;
     ink_assert(reentrancy_count >= 0);
   }
+
+  setup_security_properties();
 }
 
 
@@ -7673,3 +7675,36 @@ HttpSM::is_redirect_required()
   }
   return redirect_required;
 }
+
+inline void
+HttpSM::setup_security_properties(void)
+{
+  ink_assert(ua_session != NULL);
+
+  SSLNetVConnection *ssl_vc = dynamic_cast<SSLNetVConnection *>(ua_session->get_netvc());
+
+  if (ssl_vc != NULL) {
+    sec_protocol       = ssl_vc->get_ssl_protocol();
+    sec_cipher_suite   = ssl_vc->get_ssl_cipher_suite();
+    sec_session_reused = ssl_vc->get_ssl_session_reused();
+  } 
+}
+
+const char *
+HttpSM::get_security_protocol(void)
+{
+  return sec_protocol;
+}
+
+
+const char *
+HttpSM::get_security_cipher_suite(void)
+{
+  return sec_cipher_suite;
+}
+
+bool
+HttpSM::get_security_session_reused(void)
+{
+  return sec_session_reused;
+}
diff --git a/proxy/http/HttpSM.h b/proxy/http/HttpSM.h
@@ -532,6 +532,19 @@ class HttpSM: public Continuation
 
 public:
   bool set_server_session_private(bool private_session);
+
+// Info about client's SSL connection.
+private:
+  const char * sec_protocol;
+  const char * sec_cipher_suite;
+  bool         sec_session_reused;
+
+  inline void setup_security_properties(void);
+
+public:
+  const char * get_security_protocol(void);
+  const char * get_security_cipher_suite(void);
+  bool get_security_session_reused(void);
 };
 
 //Function to get the cache_sm object - YTS Team, yamsat

diff --git a/proxy/logging/Log.cc b/proxy/logging/Log.cc
@@ -877,6 +877,27 @@ Log::init_fields()
   global_field_list.add(field, false);
   ink_hash_table_insert(field_symbol_hash, "etype", field);
 
+  field = new LogField("client_sec_protocol", "csp",
+                       LogField::STRING,
+                       &LogAccess::marshal_client_security_protocol,
+                       (LogField::UnmarshalFunc)&LogAccess::unmarshal_str);
+  global_field_list.add(field, false);
+  ink_hash_table_insert(field_symbol_hash, "csp", field);
+
+  field = new LogField("client_sec_cipher_suite", "csc",
+                       LogField::STRING,
+                       &LogAccess::marshal_client_security_cipher_suite,
+                       (LogField::UnmarshalFunc)&LogAccess::unmarshal_str);
+  global_field_list.add(field, false);
+  ink_hash_table_insert(field_symbol_hash, "csc", field);
+
+  field = new LogField("client_sec_session_reused", "cssr",
+                       LogField::STRING,
+                       &LogAccess::marshal_client_security_session_reused,
+                       (LogField::UnmarshalFunc)&LogAccess::unmarshal_str);
+  global_field_list.add(field, false);
+  ink_hash_table_insert(field_symbol_hash, "cssr", field);
+
   init_status |= FIELDS_INITIALIZED;
 }
 

diff --git a/proxy/logging/LogAccess.cc b/proxy/logging/LogAccess.cc
@@ -234,6 +234,26 @@ LogAccess::marshal_client_finish_status_code(char *buf)
   DEFAULT_INT_FIELD;
 }
 
+/*-------------------------------------------------------------------------
+-------------------------------------------------------------------------*/
+int
+LogAccess::marshal_client_security_protocol(char *buf)
+{
+  DEFAULT_STR_FIELD;
+}
+
+int
+LogAccess::marshal_client_security_cipher_suite(char *buf)
+{
+  DEFAULT_STR_FIELD;
+}
+
+int
+LogAccess::marshal_client_security_session_reused(char *buf)
+{
+  DEFAULT_STR_FIELD;
+}
+
 /*-------------------------------------------------------------------------
   -------------------------------------------------------------------------*/
 

diff --git a/proxy/logging/LogAccess.h b/proxy/logging/LogAccess.h
@@ -185,6 +185,9 @@ class LogAccess
   inkcoreapi virtual int marshal_client_req_header_len(char *); // INT
   inkcoreapi virtual int marshal_client_req_body_len(char *);   // INT
   inkcoreapi virtual int marshal_client_finish_status_code(char *);     // INT
+  inkcoreapi virtual int marshal_client_security_protocol(char *); // STR
+  inkcoreapi virtual int marshal_client_security_cipher_suite(char *); // STR
+  inkcoreapi virtual int marshal_client_security_session_reused(char *); // STR
 
   //
   // proxy -> client fields

diff --git a/proxy/logging/LogAccessHttp.cc b/proxy/logging/LogAccessHttp.cc
@@ -583,6 +583,44 @@ LogAccessHttp::marshal_client_finish_status_code(char *buf)
   return INK_MIN_ALIGN;
 }
 
+/*-------------------------------------------------------------------------
+-------------------------------------------------------------------------*/
+int
+LogAccessHttp::marshal_client_security_protocol(char *buf)
+{
+  const char * proto = m_http_sm->get_security_protocol();
+  int round_len = LogAccess::strlen(proto);
+  if (buf) {
+    marshal_str(buf, proto, round_len);
+  }
+  return round_len;
+}
+
+int
+LogAccessHttp::marshal_client_security_cipher_suite(char *buf)
+{
+  const char * cipher = m_http_sm->get_security_cipher_suite();
+  int round_len = LogAccess::strlen(cipher);
+  if (buf) {
+    marshal_str(buf, cipher, round_len);
+  }
+  return round_len;
+}
+
+int
+LogAccessHttp::marshal_client_security_session_reused(char *buf)
+{
+
+  bool reused = m_http_sm->get_security_session_reused();
+  const char * out = (reused) ? "r" : "-";
+  int round_len = LogAccess::strlen(out);
+  if (buf) {
+    marshal_str(buf, out, round_len);
+  }
+  return round_len;
+}
+
+
 /*-------------------------------------------------------------------------
   -------------------------------------------------------------------------*/
 

diff --git a/proxy/logging/LogAccessHttp.h b/proxy/logging/LogAccessHttp.h
@@ -71,6 +71,9 @@ class LogAccessHttp:public LogAccess
   virtual int marshal_client_req_header_len(char *);    // INT
   virtual int marshal_client_req_body_len(char *);      // INT
   virtual int marshal_client_finish_status_code(char *);        // INT
+  virtual int marshal_client_security_protocol(char *);       // STR
+  virtual int marshal_client_security_cipher_suite(char *);   // STR
+  virtual int marshal_client_security_session_reused(char *); // STR
 
   //
   // proxy -> client fields