diff options
Diffstat (limited to 'modules/ssl/ssl_engine_log.c')
| -rw-r--r-- | modules/ssl/ssl_engine_log.c | 326 |
1 files changed, 326 insertions, 0 deletions
diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c new file mode 100644 index 0000000000..0e1c53a852 --- /dev/null +++ b/modules/ssl/ssl_engine_log.c @@ -0,0 +1,326 @@ +/* _ _ +** _ __ ___ ___ __| | ___ ___| | mod_ssl +** | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL +** | | | | | | (_) | (_| | \__ \__ \ | www.modssl.org +** |_| |_| |_|\___/ \__,_|___|___/___/_| ftp.modssl.org +** |_____| +** ssl_engine_log.c +** Logging Facility +*/ + +/* ==================================================================== + * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by + * Ralf S. Engelschall <rse@engelschall.com> for use in the + * mod_ssl project (http://www.modssl.org/)." + * + * 4. The names "mod_ssl" must not be used to endorse or promote + * products derived from this software without prior written + * permission. For written permission, please contact + * rse@engelschall.com. + * + * 5. Products derived from this software may not be called "mod_ssl" + * nor may "mod_ssl" appear in their names without prior + * written permission of Ralf S. Engelschall. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by + * Ralf S. Engelschall <rse@engelschall.com> for use in the + * mod_ssl project (http://www.modssl.org/)." + * + * THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR + * HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + /* ``The difference between a computer + industry job and open-source software + hacking is about 30 hours a week.'' + -- Ralf S. Engelschall */ +#include "mod_ssl.h" + + +/* _________________________________________________________________ +** +** Logfile Support +** _________________________________________________________________ +*/ + +/* + * Open the SSL logfile + */ +void ssl_log_open(server_rec *s_main, server_rec *s, pool *p) +{ + char *szLogFile; + SSLSrvConfigRec *sc_main = mySrvConfig(s_main); + SSLSrvConfigRec *sc = mySrvConfig(s); + piped_log *pl; + + /* + * Short-circuit for inherited logfiles in order to save + * filedescriptors in mass-vhost situation. Be careful, this works + * fine because the close happens implicitly by the pool facility. + */ + if ( s != s_main + && sc_main->fileLogFile != NULL + && ( (sc->szLogFile == NULL) + || ( sc->szLogFile != NULL + && sc_main->szLogFile != NULL + && strEQ(sc->szLogFile, sc_main->szLogFile)))) { + sc->fileLogFile = sc_main->fileLogFile; + } + else if (sc->szLogFile != NULL) { + if (strEQ(sc->szLogFile, "/dev/null")) + return; + else if (sc->szLogFile[0] == '|') { + szLogFile = ssl_util_server_root_relative(p, "log", sc->szLogFile+1); + if ((pl = ap_open_piped_log(p, szLogFile)) == NULL) { + ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, + "Cannot open reliable pipe to SSL logfile filter %s", szLogFile); + ssl_die(); + } + sc->fileLogFile = ap_pfdopen(p, ap_piped_log_write_fd(pl), "a"); + setbuf(sc->fileLogFile, NULL); + } + else { + szLogFile = ssl_util_server_root_relative(p, "log", sc->szLogFile); + if ((sc->fileLogFile = ap_pfopen(p, szLogFile, "a")) == NULL) { + ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, + "Cannot open SSL logfile %s", szLogFile); + ssl_die(); + } + setbuf(sc->fileLogFile, NULL); + } + } + return; +} + +static struct { + int nLevel; + char *szLevel; +} ssl_log_level2string[] = { + { SSL_LOG_ERROR, "error" }, + { SSL_LOG_WARN, "warn" }, + { SSL_LOG_INFO, "info" }, + { SSL_LOG_TRACE, "trace" }, + { SSL_LOG_DEBUG, "debug" }, + { 0, NULL } +}; + +static struct { + char *cpPattern; + char *cpAnnotation; +} ssl_log_annotate[] = { + { "*envelope*bad*decrypt*", "wrong pass phrase!?" }, + { "*CLIENT_HELLO*unknown*protocol*", "speaking not SSL to HTTPS port!?" }, + { "*CLIENT_HELLO*http*request*", "speaking HTTP to HTTPS port!?" }, + { "*SSL3_READ_BYTES:sslv3*alert*bad*certificate*", "Subject CN in certificate not server name or identical to CA!?" }, + { "*self signed certificate in certificate chain*", "Client certificate signed by CA not known to server?" }, + { "*peer did not return a certificate*", "No CAs known to server for verification?" }, + { "*no shared cipher*", "Too restrictive SSLCipherSuite or using DSA server certificate?" }, + { "*no start line*", "Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?" }, + { "*bad password read*", "You entered an incorrect pass phrase!?" }, + { "*bad mac decode*", "Browser still remembered details of a re-created server certificate?" }, + { NULL, NULL } +}; + +static char *ssl_log_annotation(char *error) +{ + char *errstr; + int i; + + errstr = NULL; + for (i = 0; ssl_log_annotate[i].cpPattern != NULL; i++) { + if (ap_strcmp_match(error, ssl_log_annotate[i].cpPattern) == 0) { + errstr = ssl_log_annotate[i].cpAnnotation; + break; + } + } + return errstr; +} + +BOOL ssl_log_applies(server_rec *s, int level) +{ + SSLSrvConfigRec *sc; + + sc = mySrvConfig(s); + if ( sc->fileLogFile == NULL + && !(level & SSL_LOG_ERROR)) + return FALSE; + if ( level > sc->nLogLevel + && !(level & SSL_LOG_ERROR)) + return FALSE; + return TRUE; +} + +void ssl_log(server_rec *s, int level, const char *msg, ...) +{ + char tstr[80]; + char lstr[20]; + char vstr[1024]; + char str[1024]; + char nstr[2]; + int timz; + struct tm *t; + va_list ap; + int add; + int i; + char *astr; + int safe_errno; + unsigned long e; + SSLSrvConfigRec *sc; + char *cpE; + char *cpA; + + /* initialization */ + va_start(ap, msg); + safe_errno = errno; + sc = mySrvConfig(s); + + /* strip out additional flags */ + add = (level & ~SSL_LOG_MASK); + level = (level & SSL_LOG_MASK); + + /* reduce flags when not reasonable in context */ + if (add & SSL_ADD_ERRNO && errno == 0) + add &= ~SSL_ADD_ERRNO; + if (add & SSL_ADD_SSLERR && ERR_peek_error() == 0) + add &= ~SSL_ADD_SSLERR; + + /* we log only levels below, except for errors */ + if ( sc->fileLogFile == NULL + && !(level & SSL_LOG_ERROR)) + return; + if ( level > sc->nLogLevel + && !(level & SSL_LOG_ERROR)) + return; + + /* determine the time entry string */ + if (add & SSL_NO_TIMESTAMP) + tstr[0] = NUL; + else { + t = ap_get_gmtoff(&timz); + strftime(tstr, 80, "[%d/%b/%Y %H:%M:%S", t); + i = strlen(tstr); + ap_snprintf(tstr+i, 80-i, " %05d] ", (unsigned int)getpid()); + } + + /* determine whether newline should be written */ + if (add & SSL_NO_NEWLINE) + nstr[0] = NUL; + else { + nstr[0] = '\n'; + nstr[1] = NUL; + } + + /* determine level name */ + lstr[0] = NUL; + if (!(add & SSL_NO_LEVELID)) { + for (i = 0; ssl_log_level2string[i].nLevel != 0; i++) { + if (ssl_log_level2string[i].nLevel == level) { + ap_snprintf(lstr, sizeof(lstr), "[%s]", ssl_log_level2string[i].szLevel); + break; + } + } + for (i = strlen(lstr); i <= 7; i++) + lstr[i] = ' '; + lstr[i] = NUL; + } + + /* create custom message */ + ap_vsnprintf(vstr, sizeof(vstr), msg, ap); + + /* write out SSLog message */ + if ((add & SSL_ADD_ERRNO) && (add & SSL_ADD_SSLERR)) + astr = " (System and " SSL_LIBRARY_NAME " library errors follow)"; + else if (add & SSL_ADD_ERRNO) + astr = " (System error follows)"; + else if (add & SSL_ADD_SSLERR) + astr = " (" SSL_LIBRARY_NAME " library error follows)"; + else + astr = ""; + if (level <= sc->nLogLevel && sc->fileLogFile != NULL) { + ap_snprintf(str, sizeof(str), "%s%s%s%s%s", tstr, lstr, vstr, astr, nstr); + fprintf(sc->fileLogFile, "%s", str); + } + if (level & SSL_LOG_ERROR) + ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s, + "mod_ssl: %s%s", vstr, astr); + + /* write out additional attachment messages */ + if (add & SSL_ADD_ERRNO) { + if (level <= sc->nLogLevel && sc->fileLogFile != NULL) { + ap_snprintf(str, sizeof(str), "%s%sSystem: %s (errno: %d)%s", + tstr, lstr, strerror(safe_errno), safe_errno, nstr); + fprintf(sc->fileLogFile, "%s", str); + } + if (level & SSL_LOG_ERROR) + ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s, + "System: %s (errno: %d)", + strerror(safe_errno), safe_errno); + } + if (add & SSL_ADD_SSLERR) { + while ((e = ERR_get_error())) { + cpE = ERR_error_string(e, NULL); + cpA = ssl_log_annotation(cpE); + if (level <= sc->nLogLevel && sc->fileLogFile != NULL) { + ap_snprintf(str, sizeof(str), "%s%s%s: %s%s%s%s%s", + tstr, lstr, SSL_LIBRARY_NAME, cpE, + cpA != NULL ? " [Hint: " : "", + cpA != NULL ? cpA : "", cpA != NULL ? "]" : "", + nstr); + fprintf(sc->fileLogFile, "%s", str); + } + if (level & SSL_LOG_ERROR) + ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s, + "%s: %s%s%s%s", SSL_LIBRARY_NAME, cpE, + cpA != NULL ? " [Hint: " : "", + cpA != NULL ? cpA : "", cpA != NULL ? "]" : ""); + } + } + /* make sure the next log starts from a clean base */ + /* ERR_clear_error(); */ + + /* cleanup and return */ + if (sc->fileLogFile != NULL) + fflush(sc->fileLogFile); + errno = safe_errno; + va_end(ap); + return; +} + +void ssl_die(void) +{ + /* + * This is used for fatal errors and here + * it is common module practice to really + * exit from the complete program. + */ + exit(1); +} + |