From: Timo Sirainen
Date: Sat, 30 Aug 2008 09:00:49 +0000 (+0300)
Subject: login_log_format_elements: Added %k to show SSL protocol/cipher information.
X-Git-Tag: 1.2.alpha1~39
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4e35bae013cee5a06d281776a347b534b958aaa4;p=thirdparty%2Fdovecot%2Fcore.git
login_log_format_elements: Added %k to show SSL protocol/cipher information.
--HG--
branch : HEAD
---
diff --git a/src/login-common/client-common.c b/src/login-common/client-common.c
index 409f77db90..ae1928064d 100644
--- a/src/login-common/client-common.c
+++ b/src/login-common/client-common.c
@@ -49,6 +49,7 @@ get_var_expand_table(struct client *client)
 { 'a', NULL },
 { 'b', NULL },
 { 'c', NULL },
+ { 'k', NULL },
 { 'e', NULL },
 { '\0', NULL }
 };
@@ -78,6 +79,7 @@ get_var_expand_table(struct client *client)
 tab[10].value = dec2str(client->remote_port);
 if (!client->tls) {
 tab[11].value = client->secured ? "secured" : NULL;
+ tab[12].value = "";
 } else {
 const char *ssl_state = ssl_proxy_is_handshaked(client->proxy) ?
 "TLS" : "TLS handshaking";
@@ -85,8 +87,9 @@ get_var_expand_table(struct client *client)
 tab[11].value = ssl_error == NULL ? ssl_state :
 t_strdup_printf("%s: %s", ssl_state, ssl_error);
+ tab[12].value = ssl_proxy_get_security_string(client->proxy);
 }
- tab[12].value = dec2str(client->mail_pid);
+ tab[13].value = dec2str(client->mail_pid);
 return tab;
 }
diff --git a/src/login-common/ssl-proxy-openssl.c b/src/login-common/ssl-proxy-openssl.c
index 9c97031d78..14025d22cd 100644
--- a/src/login-common/ssl-proxy-openssl.c
+++ b/src/login-common/ssl-proxy-openssl.c
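Review bot: The new `{ 'k', NULL }` entry in the first client-common.c hunk is inserted ahead of `'e'`, so the later slots are renumbered by hand, and the third hunk has to move the mail_pid assignment from `tab[12]` to `tab[13]`. Nothing visible ties these literal indices to the table order, so a later insertion that misses one assignment would silently log the wrong value under a format variable. A comment on the entry, for example `/* tab[12]: %k, SSL protocol/cipher; keep the indices below in sync */`, would make the coupling explicit. The body of get_var_expand_table starts outside these hunks, so the earlier entries and assignments are not visible here.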
@@ -550,6 +550,22 @@ const char *ssl_proxy_get_last_error(const struct ssl_proxy *proxy)
 return proxy->last_error;
 }
+const char *ssl_proxy_get_security_string(struct ssl_proxy *proxy)
+{
+ SSL_CIPHER *cipher;
+ int bits, alg_bits;
+
+ if (!proxy->handshaked)
+ return "";
+
+ cipher = SSL_get_current_cipher(proxy->ssl);
+ bits = SSL_CIPHER_get_bits(cipher, &alg_bits);
+ return t_strdup_printf("%s with cipher %s (%d/%d bits)",
+ SSL_get_version(proxy->ssl),
+ SSL_CIPHER_get_name(cipher),
+ bits, alg_bits);
+}
+
 void ssl_proxy_free(struct ssl_proxy *proxy)
 {
 ssl_proxy_unref(proxy);
diff --git a/src/login-common/ssl-proxy.c b/src/login-common/ssl-proxy.c
index 8b5acbda18..1c2c17d1ab 100644
--- a/src/login-common/ssl-proxy.c
+++ b/src/login-common/ssl-proxy.c
@@ -36,6 +36,11 @@ const char *ssl_proxy_get_last_error(const struct ssl_proxy *proxy ATTR_UNUSED)
 return NULL;
 }
+const char *ssl_proxy_get_security_string(struct ssl_proxy *proxy)
+{
+ return "";
+}
+
 void ssl_proxy_free(struct ssl_proxy *proxy ATTR_UNUSED) {}
 unsigned int ssl_proxy_get_count(void)
diff --git a/src/login-common/ssl-proxy.h b/src/login-common/ssl-proxy.h
index aa7d442316..40f8abd014 100644
--- a/src/login-common/ssl-proxy.h
+++ b/src/login-common/ssl-proxy.h
@@ -14,6 +14,7 @@ bool ssl_proxy_has_valid_client_cert(const struct ssl_proxy *proxy) ATTR_PURE;
 const char *ssl_proxy_get_peer_name(struct ssl_proxy *proxy);
 bool ssl_proxy_is_handshaked(const struct ssl_proxy *proxy) ATTR_PURE;
 const char *ssl_proxy_get_last_error(const struct ssl_proxy *proxy) ATTR_PURE;
+const char *ssl_proxy_get_security_string(struct ssl_proxy *proxy);
 void ssl_proxy_free(struct ssl_proxy *proxy);
 /* Return number of active SSL proxies */
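Review bot: `alg_bits` in the new ssl_proxy_get_security_string() is formatted into the log string without being initialised here, so the output depends on `SSL_CIPHER_get_bits` always writing it. That holds when `SSL_get_current_cipher` returns a cipher, which the `proxy->handshaked` guard presumably ensures, but if the call ever returned NULL the printed value would be indeterminate. `int bits, alg_bits = 0;` removes that dependence. Declaring the local as `const SSL_CIPHER *cipher;` would also keep the assignment warning-free on OpenSSL versions where that call returns a const pointer.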
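Review bot: The ssl-proxy.c stub never uses `proxy`, yet the parameter is not annotated, unlike the neighbouring stubs visible in this hunk (`ssl_proxy_get_last_error` and `ssl_proxy_free`, both marked `ATTR_UNUSED`). Builds without SSL support will likely emit an unused-parameter warning for it. Suggested signature: `const char *ssl_proxy_get_security_string(struct ssl_proxy *proxy ATTR_UNUSED)`.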
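Review bot: The new prototype in ssl-proxy.h is undocumented, so callers cannot tell from the header what the string contains or how long it stays valid. Going by the two implementations in this commit, a comment such as `/* Returns "<protocol> with cipher <name> (<bits>/<alg bits> bits)", or "" if the handshake isn't finished or SSL support isn't built in. */` would cover the contract. The OpenSSL version builds the result with `t_strdup_printf`, so it is presumably a temporary allocation that callers should not store. That lifetime is worth stating in the same comment once confirmed.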