diff options
Diffstat (limited to 'modules/ssl/ssl_engine_log.c')
-rw-r--r-- | modules/ssl/ssl_engine_log.c | 326 |
1 files changed, 0 insertions, 326 deletions
diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c deleted file mode 100644 index 0e1c53a852..0000000000 --- a/modules/ssl/ssl_engine_log.c +++ /dev/null @@ -1,326 +0,0 @@ -/* _ _ -** _ __ ___ ___ __| | ___ ___| | mod_ssl -** | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL -** | | | | | | (_) | (_| | \__ \__ \ | www.modssl.org -** |_| |_| |_|\___/ \__,_|___|___/___/_| ftp.modssl.org -** |_____| -** ssl_engine_log.c -** Logging Facility -*/ - -/* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials - * provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by - * Ralf S. Engelschall <rse@engelschall.com> for use in the - * mod_ssl project (http://www.modssl.org/)." - * - * 4. The names "mod_ssl" must not be used to endorse or promote - * products derived from this software without prior written - * permission. For written permission, please contact - * rse@engelschall.com. - * - * 5. Products derived from this software may not be called "mod_ssl" - * nor may "mod_ssl" appear in their names without prior - * written permission of Ralf S. Engelschall. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by - * Ralf S. Engelschall <rse@engelschall.com> for use in the - * mod_ssl project (http://www.modssl.org/)." - * - * THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR - * HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - */ - /* ``The difference between a computer - industry job and open-source software - hacking is about 30 hours a week.'' - -- Ralf S. Engelschall */ -#include "mod_ssl.h" - - -/* _________________________________________________________________ -** -** Logfile Support -** _________________________________________________________________ -*/ - -/* - * Open the SSL logfile - */ -void ssl_log_open(server_rec *s_main, server_rec *s, pool *p) -{ - char *szLogFile; - SSLSrvConfigRec *sc_main = mySrvConfig(s_main); - SSLSrvConfigRec *sc = mySrvConfig(s); - piped_log *pl; - - /* - * Short-circuit for inherited logfiles in order to save - * filedescriptors in mass-vhost situation. Be careful, this works - * fine because the close happens implicitly by the pool facility. - */ - if ( s != s_main - && sc_main->fileLogFile != NULL - && ( (sc->szLogFile == NULL) - || ( sc->szLogFile != NULL - && sc_main->szLogFile != NULL - && strEQ(sc->szLogFile, sc_main->szLogFile)))) { - sc->fileLogFile = sc_main->fileLogFile; - } - else if (sc->szLogFile != NULL) { - if (strEQ(sc->szLogFile, "/dev/null")) - return; - else if (sc->szLogFile[0] == '|') { - szLogFile = ssl_util_server_root_relative(p, "log", sc->szLogFile+1); - if ((pl = ap_open_piped_log(p, szLogFile)) == NULL) { - ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, - "Cannot open reliable pipe to SSL logfile filter %s", szLogFile); - ssl_die(); - } - sc->fileLogFile = ap_pfdopen(p, ap_piped_log_write_fd(pl), "a"); - setbuf(sc->fileLogFile, NULL); - } - else { - szLogFile = ssl_util_server_root_relative(p, "log", sc->szLogFile); - if ((sc->fileLogFile = ap_pfopen(p, szLogFile, "a")) == NULL) { - ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, - "Cannot open SSL logfile %s", szLogFile); - ssl_die(); - } - setbuf(sc->fileLogFile, NULL); - } - } - return; -} - -static struct { - int nLevel; - char *szLevel; -} ssl_log_level2string[] = { - { SSL_LOG_ERROR, "error" }, - { SSL_LOG_WARN, "warn" }, - { SSL_LOG_INFO, "info" }, - { SSL_LOG_TRACE, "trace" }, - { SSL_LOG_DEBUG, "debug" }, - { 0, NULL } -}; - -static struct { - char *cpPattern; - char *cpAnnotation; -} ssl_log_annotate[] = { - { "*envelope*bad*decrypt*", "wrong pass phrase!?" }, - { "*CLIENT_HELLO*unknown*protocol*", "speaking not SSL to HTTPS port!?" }, - { "*CLIENT_HELLO*http*request*", "speaking HTTP to HTTPS port!?" }, - { "*SSL3_READ_BYTES:sslv3*alert*bad*certificate*", "Subject CN in certificate not server name or identical to CA!?" }, - { "*self signed certificate in certificate chain*", "Client certificate signed by CA not known to server?" }, - { "*peer did not return a certificate*", "No CAs known to server for verification?" }, - { "*no shared cipher*", "Too restrictive SSLCipherSuite or using DSA server certificate?" }, - { "*no start line*", "Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?" }, - { "*bad password read*", "You entered an incorrect pass phrase!?" }, - { "*bad mac decode*", "Browser still remembered details of a re-created server certificate?" }, - { NULL, NULL } -}; - -static char *ssl_log_annotation(char *error) -{ - char *errstr; - int i; - - errstr = NULL; - for (i = 0; ssl_log_annotate[i].cpPattern != NULL; i++) { - if (ap_strcmp_match(error, ssl_log_annotate[i].cpPattern) == 0) { - errstr = ssl_log_annotate[i].cpAnnotation; - break; - } - } - return errstr; -} - -BOOL ssl_log_applies(server_rec *s, int level) -{ - SSLSrvConfigRec *sc; - - sc = mySrvConfig(s); - if ( sc->fileLogFile == NULL - && !(level & SSL_LOG_ERROR)) - return FALSE; - if ( level > sc->nLogLevel - && !(level & SSL_LOG_ERROR)) - return FALSE; - return TRUE; -} - -void ssl_log(server_rec *s, int level, const char *msg, ...) -{ - char tstr[80]; - char lstr[20]; - char vstr[1024]; - char str[1024]; - char nstr[2]; - int timz; - struct tm *t; - va_list ap; - int add; - int i; - char *astr; - int safe_errno; - unsigned long e; - SSLSrvConfigRec *sc; - char *cpE; - char *cpA; - - /* initialization */ - va_start(ap, msg); - safe_errno = errno; - sc = mySrvConfig(s); - - /* strip out additional flags */ - add = (level & ~SSL_LOG_MASK); - level = (level & SSL_LOG_MASK); - - /* reduce flags when not reasonable in context */ - if (add & SSL_ADD_ERRNO && errno == 0) - add &= ~SSL_ADD_ERRNO; - if (add & SSL_ADD_SSLERR && ERR_peek_error() == 0) - add &= ~SSL_ADD_SSLERR; - - /* we log only levels below, except for errors */ - if ( sc->fileLogFile == NULL - && !(level & SSL_LOG_ERROR)) - return; - if ( level > sc->nLogLevel - && !(level & SSL_LOG_ERROR)) - return; - - /* determine the time entry string */ - if (add & SSL_NO_TIMESTAMP) - tstr[0] = NUL; - else { - t = ap_get_gmtoff(&timz); - strftime(tstr, 80, "[%d/%b/%Y %H:%M:%S", t); - i = strlen(tstr); - ap_snprintf(tstr+i, 80-i, " %05d] ", (unsigned int)getpid()); - } - - /* determine whether newline should be written */ - if (add & SSL_NO_NEWLINE) - nstr[0] = NUL; - else { - nstr[0] = '\n'; - nstr[1] = NUL; - } - - /* determine level name */ - lstr[0] = NUL; - if (!(add & SSL_NO_LEVELID)) { - for (i = 0; ssl_log_level2string[i].nLevel != 0; i++) { - if (ssl_log_level2string[i].nLevel == level) { - ap_snprintf(lstr, sizeof(lstr), "[%s]", ssl_log_level2string[i].szLevel); - break; - } - } - for (i = strlen(lstr); i <= 7; i++) - lstr[i] = ' '; - lstr[i] = NUL; - } - - /* create custom message */ - ap_vsnprintf(vstr, sizeof(vstr), msg, ap); - - /* write out SSLog message */ - if ((add & SSL_ADD_ERRNO) && (add & SSL_ADD_SSLERR)) - astr = " (System and " SSL_LIBRARY_NAME " library errors follow)"; - else if (add & SSL_ADD_ERRNO) - astr = " (System error follows)"; - else if (add & SSL_ADD_SSLERR) - astr = " (" SSL_LIBRARY_NAME " library error follows)"; - else - astr = ""; - if (level <= sc->nLogLevel && sc->fileLogFile != NULL) { - ap_snprintf(str, sizeof(str), "%s%s%s%s%s", tstr, lstr, vstr, astr, nstr); - fprintf(sc->fileLogFile, "%s", str); - } - if (level & SSL_LOG_ERROR) - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s, - "mod_ssl: %s%s", vstr, astr); - - /* write out additional attachment messages */ - if (add & SSL_ADD_ERRNO) { - if (level <= sc->nLogLevel && sc->fileLogFile != NULL) { - ap_snprintf(str, sizeof(str), "%s%sSystem: %s (errno: %d)%s", - tstr, lstr, strerror(safe_errno), safe_errno, nstr); - fprintf(sc->fileLogFile, "%s", str); - } - if (level & SSL_LOG_ERROR) - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s, - "System: %s (errno: %d)", - strerror(safe_errno), safe_errno); - } - if (add & SSL_ADD_SSLERR) { - while ((e = ERR_get_error())) { - cpE = ERR_error_string(e, NULL); - cpA = ssl_log_annotation(cpE); - if (level <= sc->nLogLevel && sc->fileLogFile != NULL) { - ap_snprintf(str, sizeof(str), "%s%s%s: %s%s%s%s%s", - tstr, lstr, SSL_LIBRARY_NAME, cpE, - cpA != NULL ? " [Hint: " : "", - cpA != NULL ? cpA : "", cpA != NULL ? "]" : "", - nstr); - fprintf(sc->fileLogFile, "%s", str); - } - if (level & SSL_LOG_ERROR) - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s, - "%s: %s%s%s%s", SSL_LIBRARY_NAME, cpE, - cpA != NULL ? " [Hint: " : "", - cpA != NULL ? cpA : "", cpA != NULL ? "]" : ""); - } - } - /* make sure the next log starts from a clean base */ - /* ERR_clear_error(); */ - - /* cleanup and return */ - if (sc->fileLogFile != NULL) - fflush(sc->fileLogFile); - errno = safe_errno; - va_end(ap); - return; -} - -void ssl_die(void) -{ - /* - * This is used for fatal errors and here - * it is common module practice to really - * exit from the complete program. - */ - exit(1); -} - |