Google Git
Sign in
apache / httpd / 5422fe57879e6867ad06b52ba861ded9b7dd0b91 / . / modules / ssl / ssl_engine_log.c
blob: 0e1c53a852dbfe3f5d51d3acb17ad0a500e55969 [file] [log] [blame]
/* _ _
** _ __ ___ ___ __| | ___ ___| | mod_ssl
** | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
** | | | | | | (_) | (_| | \__ \__ \ | www.modssl.org
** |_| |_| |_|\___/ \__,_|___|___/___/_| ftp.modssl.org
** |_____|
** ssl_engine_log.c
** Logging Facility
*/
/* ====================================================================
* Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials
* provided with the distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by
* Ralf S. Engelschall <rse@engelschall.com> for use in the
* mod_ssl project (http://www.modssl.org/)."
*
* 4. The names "mod_ssl" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* rse@engelschall.com.
*
* 5. Products derived from this software may not be called "mod_ssl"
* nor may "mod_ssl" appear in their names without prior
* written permission of Ralf S. Engelschall.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by
* Ralf S. Engelschall <rse@engelschall.com> for use in the
* mod_ssl project (http://www.modssl.org/)."
*
* THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR
* HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
/* ``The difference between a computer
industry job and open-source software
hacking is about 30 hours a week.''
-- Ralf S. Engelschall */
#include "mod_ssl.h"
/* _________________________________________________________________
**
** Logfile Support
** _________________________________________________________________
*/
/*
* Open the SSL logfile
*/
void ssl_log_open(server_rec *s_main, server_rec *s, pool *p)
{
char *szLogFile;
SSLSrvConfigRec *sc_main = mySrvConfig(s_main);
SSLSrvConfigRec *sc = mySrvConfig(s);
piped_log *pl;
/*
* Short-circuit for inherited logfiles in order to save
* filedescriptors in mass-vhost situation. Be careful, this works
* fine because the close happens implicitly by the pool facility.
*/
if ( s != s_main
&& sc_main->fileLogFile != NULL
&& ( (sc->szLogFile == NULL)
|| ( sc->szLogFile != NULL
&& sc_main->szLogFile != NULL
&& strEQ(sc->szLogFile, sc_main->szLogFile)))) {
sc->fileLogFile = sc_main->fileLogFile;
}
else if (sc->szLogFile != NULL) {
if (strEQ(sc->szLogFile, "/dev/null"))
return;
else if (sc->szLogFile[0] == '|') {
szLogFile = ssl_util_server_root_relative(p, "log", sc->szLogFile+1);
if ((pl = ap_open_piped_log(p, szLogFile)) == NULL) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Cannot open reliable pipe to SSL logfile filter %s", szLogFile);
ssl_die();
}
sc->fileLogFile = ap_pfdopen(p, ap_piped_log_write_fd(pl), "a");
setbuf(sc->fileLogFile, NULL);
}
else {
szLogFile = ssl_util_server_root_relative(p, "log", sc->szLogFile);
if ((sc->fileLogFile = ap_pfopen(p, szLogFile, "a")) == NULL) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Cannot open SSL logfile %s", szLogFile);
ssl_die();
}
setbuf(sc->fileLogFile, NULL);
}
}
return;
}
static struct {
int nLevel;
char *szLevel;
} ssl_log_level2string[] = {
{ SSL_LOG_ERROR, "error" },
{ SSL_LOG_WARN, "warn" },
{ SSL_LOG_INFO, "info" },
{ SSL_LOG_TRACE, "trace" },
{ SSL_LOG_DEBUG, "debug" },
{ 0, NULL }
};
static struct {
char *cpPattern;
char *cpAnnotation;
} ssl_log_annotate[] = {
{ "*envelope*bad*decrypt*", "wrong pass phrase!?" },
{ "*CLIENT_HELLO*unknown*protocol*", "speaking not SSL to HTTPS port!?" },
{ "*CLIENT_HELLO*http*request*", "speaking HTTP to HTTPS port!?" },
{ "*SSL3_READ_BYTES:sslv3*alert*bad*certificate*", "Subject CN in certificate not server name or identical to CA!?" },
{ "*self signed certificate in certificate chain*", "Client certificate signed by CA not known to server?" },
{ "*peer did not return a certificate*", "No CAs known to server for verification?" },
{ "*no shared cipher*", "Too restrictive SSLCipherSuite or using DSA server certificate?" },
{ "*no start line*", "Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?" },
{ "*bad password read*", "You entered an incorrect pass phrase!?" },
{ "*bad mac decode*", "Browser still remembered details of a re-created server certificate?" },
{ NULL, NULL }
};
static char *ssl_log_annotation(char *error)
{
char *errstr;
int i;
errstr = NULL;
for (i = 0; ssl_log_annotate[i].cpPattern != NULL; i++) {
if (ap_strcmp_match(error, ssl_log_annotate[i].cpPattern) == 0) {
errstr = ssl_log_annotate[i].cpAnnotation;
break;
}
}
return errstr;
}
BOOL ssl_log_applies(server_rec *s, int level)
{
SSLSrvConfigRec *sc;
sc = mySrvConfig(s);
if ( sc->fileLogFile == NULL
&& !(level & SSL_LOG_ERROR))
return FALSE;
if ( level > sc->nLogLevel
&& !(level & SSL_LOG_ERROR))
return FALSE;
return TRUE;
}
void ssl_log(server_rec *s, int level, const char *msg, ...)
{
char tstr[80];
char lstr[20];
char vstr[1024];
char str[1024];
char nstr[2];
int timz;
struct tm *t;
va_list ap;
int add;
int i;
char *astr;
int safe_errno;
unsigned long e;
SSLSrvConfigRec *sc;
char *cpE;
char *cpA;
/* initialization */
va_start(ap, msg);
safe_errno = errno;
sc = mySrvConfig(s);
/* strip out additional flags */
add = (level & ~SSL_LOG_MASK);
level = (level & SSL_LOG_MASK);
/* reduce flags when not reasonable in context */
if (add & SSL_ADD_ERRNO && errno == 0)
add &= ~SSL_ADD_ERRNO;
if (add & SSL_ADD_SSLERR && ERR_peek_error() == 0)
add &= ~SSL_ADD_SSLERR;
/* we log only levels below, except for errors */
if ( sc->fileLogFile == NULL
&& !(level & SSL_LOG_ERROR))
return;
if ( level > sc->nLogLevel
&& !(level & SSL_LOG_ERROR))
return;
/* determine the time entry string */
if (add & SSL_NO_TIMESTAMP)
tstr[0] = NUL;
else {
t = ap_get_gmtoff(&timz);
strftime(tstr, 80, "[%d/%b/%Y %H:%M:%S", t);
i = strlen(tstr);
ap_snprintf(tstr+i, 80-i, " %05d] ", (unsigned int)getpid());
}
/* determine whether newline should be written */
if (add & SSL_NO_NEWLINE)
nstr[0] = NUL;
else {
nstr[0] = '\n';
nstr[1] = NUL;
}
/* determine level name */
lstr[0] = NUL;
if (!(add & SSL_NO_LEVELID)) {
for (i = 0; ssl_log_level2string[i].nLevel != 0; i++) {
if (ssl_log_level2string[i].nLevel == level) {
ap_snprintf(lstr, sizeof(lstr), "[%s]", ssl_log_level2string[i].szLevel);
break;
}
}
for (i = strlen(lstr); i <= 7; i++)
lstr[i] = ' ';
lstr[i] = NUL;
}
/* create custom message */
ap_vsnprintf(vstr, sizeof(vstr), msg, ap);
/* write out SSLog message */
if ((add & SSL_ADD_ERRNO) && (add & SSL_ADD_SSLERR))
astr = " (System and " SSL_LIBRARY_NAME " library errors follow)";
else if (add & SSL_ADD_ERRNO)
astr = " (System error follows)";
else if (add & SSL_ADD_SSLERR)
astr = " (" SSL_LIBRARY_NAME " library error follows)";
else
astr = "";
if (level <= sc->nLogLevel && sc->fileLogFile != NULL) {
ap_snprintf(str, sizeof(str), "%s%s%s%s%s", tstr, lstr, vstr, astr, nstr);
fprintf(sc->fileLogFile, "%s", str);
}
if (level & SSL_LOG_ERROR)
ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
"mod_ssl: %s%s", vstr, astr);
/* write out additional attachment messages */
if (add & SSL_ADD_ERRNO) {
if (level <= sc->nLogLevel && sc->fileLogFile != NULL) {
ap_snprintf(str, sizeof(str), "%s%sSystem: %s (errno: %d)%s",
tstr, lstr, strerror(safe_errno), safe_errno, nstr);
fprintf(sc->fileLogFile, "%s", str);
}
if (level & SSL_LOG_ERROR)
ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
"System: %s (errno: %d)",
strerror(safe_errno), safe_errno);
}
if (add & SSL_ADD_SSLERR) {
while ((e = ERR_get_error())) {
cpE = ERR_error_string(e, NULL);
cpA = ssl_log_annotation(cpE);
if (level <= sc->nLogLevel && sc->fileLogFile != NULL) {
ap_snprintf(str, sizeof(str), "%s%s%s: %s%s%s%s%s",
tstr, lstr, SSL_LIBRARY_NAME, cpE,
cpA != NULL ? " [Hint: " : "",
cpA != NULL ? cpA : "", cpA != NULL ? "]" : "",
nstr);
fprintf(sc->fileLogFile, "%s", str);
}
if (level & SSL_LOG_ERROR)
ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
"%s: %s%s%s%s", SSL_LIBRARY_NAME, cpE,
cpA != NULL ? " [Hint: " : "",
cpA != NULL ? cpA : "", cpA != NULL ? "]" : "");
}
}
/* make sure the next log starts from a clean base */
/* ERR_clear_error(); */
/* cleanup and return */
if (sc->fileLogFile != NULL)
fflush(sc->fileLogFile);
errno = safe_errno;
va_end(ap);
return;
}
void ssl_die(void)
{
/*
* This is used for fatal errors and here
* it is common module practice to really
* exit from the complete program.
*/
exit(1);
}