From 149dc897e89a0fc84eeb6e5bb607567d36e87181 Mon Sep 17 00:00:00 2001 From: Justin Erenkrantz Date: Wed, 15 May 2002 23:10:33 +0000 Subject: [PATCH] Stop using SSL_ADD_SSLERR option in ssl_log() and replace with new ssl_log_ssl_error() function that wraps ap_log_error instead. This begins the migration from ssl_log() -> ap_log_error(). Divorcing ourselves from the SSL_ADD_SSLERR option is required to make the next pass easier. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95122 13f79535-47bb-0310-9956-ffa450edef68 --- modules/ssl/mod_ssl.c | 24 ++++++++++++++++-------- modules/ssl/mod_ssl.h | 1 + modules/ssl/ssl_engine_init.c | 24 ++++++++++++++++-------- modules/ssl/ssl_engine_io.c | 9 ++++++--- modules/ssl/ssl_engine_kernel.c | 9 ++++++--- modules/ssl/ssl_engine_log.c | 24 ++++++++++++++++++++++++ modules/ssl/ssl_engine_pphrase.c | 25 +++++++++++++++++-------- 7 files changed, 86 insertions(+), 30 deletions(-) diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index 64e366d165..4fc7bf5561 100644 --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -327,8 +327,9 @@ static int ssl_hook_pre_connection(conn_rec *c, void *csd) * so we can detach later. */ if (!(ssl = SSL_new(mctx->ssl_ctx))) { - ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR, + ssl_log(c->base_server, SSL_LOG_ERROR, "Unable to create a new SSL connection from the SSL context"); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server); c->aborted = 1; @@ -340,8 +341,9 @@ static int ssl_hook_pre_connection(conn_rec *c, void *csd) if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5, MD5_DIGESTSIZE*2)) { - ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR, + ssl_log(c->base_server, SSL_LOG_ERROR, "Unable to set session id context to `%s'", vhost_md5); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server); c->aborted = 1; 
@@ -408,8 +410,9 @@ int ssl_hook_process_connection(SSLFilterRec *filter) if (sslconn->is_proxy) { if ((n = SSL_connect(filter->pssl)) <= 0) { ssl_log(c->base_server, - SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO, + SSL_LOG_ERROR|SSL_ADD_ERRNO, "SSL Proxy connect failed"); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server); return ssl_abort(filter, c); } @@ -450,15 +453,17 @@ int ssl_hook_process_connection(SSLFilterRec *filter) { if (errno > 0) { ssl_log(c->base_server, - SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO, + SSL_LOG_ERROR|SSL_ADD_ERRNO, "SSL handshake interrupted by system " "[Hint: Stop button pressed in browser?!]"); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server); } else { ssl_log(c->base_server, - SSL_LOG_INFO|SSL_ADD_SSLERR|SSL_ADD_ERRNO, + SSL_LOG_INFO|SSL_ADD_ERRNO, "Spurious SSL handshake interrupt [Hint: " "Usually just one of those OpenSSL confusions!?]"); + ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server); } } else { @@ -466,10 +471,11 @@ int ssl_hook_process_connection(SSLFilterRec *filter) * Ok, anything else is a fatal error */ ssl_log(c->base_server, - SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO, + SSL_LOG_ERROR|SSL_ADD_ERRNO, "SSL handshake failed (server %s, client %s)", ssl_util_vhostid(c->pool, c->base_server), c->remote_ip ? c->remote_ip : "unknown"); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server); } return ssl_abort(filter, c); 
@@ -494,19 +500,21 @@ int ssl_hook_process_connection(SSLFilterRec *filter) * optional_no_ca doesn't appear to work as advertised * in 1.x */ - ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR, + ssl_log(c->base_server, SSL_LOG_ERROR, "SSL client authentication failed, " "accepting certificate based on " "\"SSLVerifyClient optional_no_ca\" configuration"); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server); } else { const char *error = sslconn->verify_error ? sslconn->verify_error : X509_verify_cert_error_string(verify_result); - ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR, + ssl_log(c->base_server, SSL_LOG_ERROR, "SSL client authentication failed: %s", error ? error : "unknown"); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server); return ssl_abort(filter, c); } diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h index 9420244eed..7a0b561e0a 100644 --- a/modules/ssl/mod_ssl.h +++ b/modules/ssl/mod_ssl.h @@ -707,6 +707,7 @@ int ssl_mutex_off(server_rec *); void ssl_log_open(server_rec *, server_rec *, apr_pool_t *); void ssl_log(server_rec *, int, const char *, ...); void ssl_die(void); +void ssl_log_ssl_error(const char *, int, int, server_rec *); /* Variables */ void ssl_var_register(void); diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 648ab2b12f..b046ac0249 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -549,9 +549,10 @@ static void ssl_init_ctx_verify(server_rec *s, mctx->auth.ca_cert_file, mctx->auth.ca_cert_path)) { - ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT, + ssl_log(s, SSL_LOG_ERROR|SSL_INIT, "Unable to configure verify locations " "for client authentication"); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); ssl_die(); } 
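Review bot: The new prototype added to mod_ssl.h says nothing about the contract callers must respect, and that contract matters: the implementation in ssl_engine_log.c loops on `while ((e = ERR_get_error()))`, so ssl_log_ssl_error() drains the whole per-thread OpenSSL error queue, logs nothing at all when the queue is already empty, and must therefore run immediately after the failing library call and before any other OpenSSL call on the same thread. A one-line comment above the declaration would make that ordering requirement visible at every call site, e.g. `/* Log and drain every pending OpenSSL error for s; call right after the failing OpenSSL call, before any other one */`. The unnamed parameters match the surrounding prototypes in this header, so no change there.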
@@ -604,8 +605,9 @@ static void ssl_init_ctx_cipher_suite(server_rec *s, suite); if (!SSL_CTX_set_cipher_list(ctx, suite)) { - ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT, + ssl_log(s, SSL_LOG_ERROR|SSL_INIT, "Unable to configure permitted SSL ciphers"); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); ssl_die(); } } @@ -631,9 +633,10 @@ static void ssl_init_ctx_crl(server_rec *s, (char *)mctx->crl_path); if (!mctx->crl) { - ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT, + ssl_log(s, SSL_LOG_ERROR|SSL_INIT, "Unable to configure X.509 CRL storage " "for certificate revocation"); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); ssl_die(); } } @@ -730,14 +733,16 @@ static int ssl_server_import_cert(server_rec *s, ptr = asn1->cpData; if (!(cert = d2i_X509(NULL, &ptr, asn1->nData))) { - ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT, + ssl_log(s, SSL_LOG_ERROR|SSL_INIT, "Unable to import %s server certificate", type); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); ssl_die(); } if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) <= 0) { - ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT, + ssl_log(s, SSL_LOG_ERROR|SSL_INIT, "Unable to configure %s server certificate", type); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); ssl_die(); } @@ -768,14 +773,16 @@ static int ssl_server_import_key(server_rec *s, ptr = asn1->cpData; if (!(pkey = d2i_PrivateKey(pkey_type, NULL, &ptr, asn1->nData))) { - ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT, + ssl_log(s, SSL_LOG_ERROR|SSL_INIT, "Unable to import %s server private key", type); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); ssl_die(); } if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) <= 0) { - ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT, + ssl_log(s, SSL_LOG_ERROR|SSL_INIT, "Unable to configure %s server private key", type); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); ssl_die(); } 
@@ -788,8 +795,9 @@ static int ssl_server_import_key(server_rec *s, if (pubkey && EVP_PKEY_missing_parameters(pubkey)) { EVP_PKEY_copy_parameters(pubkey, pkey); - ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT, + ssl_log(s, SSL_LOG_ERROR|SSL_INIT, "Copying DSA parameters from private key to certificate"); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); } } diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c index 1d5497de6d..880af86a3f 100644 --- a/modules/ssl/ssl_engine_io.c +++ b/modules/ssl/ssl_engine_io.c @@ -502,8 +502,9 @@ static int ssl_io_hook_read(SSL *ssl, char *buf, int len) * Log SSL errors */ conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); - ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR, + ssl_log(c->base_server, SSL_LOG_ERROR, "SSL error on reading data"); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server); } } @@ -534,8 +535,9 @@ static int ssl_io_hook_write(SSL *ssl, unsigned char *buf, int len) * Log SSL errors */ conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); - ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR, + ssl_log(c->base_server, SSL_LOG_ERROR, "SSL error on writing data"); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server); } /* * XXX - Just trying to reflect the behaviour in @@ -763,9 +765,10 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f, switch (status) { case HTTP_BAD_REQUEST: /* log the situation */ - ssl_log(f->c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR, + ssl_log(f->c->base_server, SSL_LOG_ERROR, "SSL handshake failed: HTTP spoken on HTTPS port; " "trying to send HTML error page"); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, f->c->base_server); /* fake the request line */ bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc); diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index d34f2f26ac..da8719b9dc 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c 
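Review bot: The `ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s)` added after the "Copying DSA parameters from private key to certificate" message follows an EVP_PKEY_copy_parameters() call that, as far as this hunk shows, is not being treated as a failure, so the call will print whatever stale entries happen to sit in the OpenSSL error queue and attribute them to this site. The same applies to the pure configuration checks in ssl_engine_pphrase.c ("Multiple %s server certificates not allowed", the WIN32 PassPhraseDialog BuiltIn check and "Multiple %s server private keys not allowed"), where no OpenSSL call precedes the log. This is presumably inherited from the old SSL_ADD_SSLERR flag, but now that the queue dump is an explicit call these are the sites to drop it from, or to annotate with a comment stating that the queue is expected to be empty here. ssl_server_import_key() continues outside the hunk.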
@@ -411,9 +411,10 @@ int ssl_hook_Access(request_rec *r) /* configure new state */ if (!modssl_set_cipher_list(ssl, dc->szCipherSuite)) { - ssl_log(r->server, SSL_LOG_WARN|SSL_ADD_SSLERR, + ssl_log(r->server, SSL_LOG_WARN, "Unable to reconfigure (per-directory) " "permitted SSL ciphers"); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server); if (cipher_list_old) { sk_SSL_CIPHER_free(cipher_list_old); @@ -600,9 +601,10 @@ int ssl_hook_Access(request_rec *r) cert_store = X509_STORE_new(); if (!X509_STORE_load_locations(cert_store, ca_file, ca_path)) { - ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR, + ssl_log(r->server, SSL_LOG_ERROR, "Unable to reconfigure verify locations " "for client authentication"); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server); X509_STORE_free(cert_store); @@ -756,8 +758,9 @@ int ssl_hook_Access(request_rec *r) (char *)ssl); if (!modssl_X509_verify_cert(&cert_store_ctx)) { - ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR, + ssl_log(r->server, SSL_LOG_ERROR, "Re-negotiation verification step failed"); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server); } SSL_set_verify_result(ssl, cert_store_ctx.error); diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c index 6050502731..d7f51cf2a7 100644 --- a/modules/ssl/ssl_engine_log.c +++ b/modules/ssl/ssl_engine_log.c @@ -321,3 +321,27 @@ void ssl_die(void) exit(1); } +/* + * Prints the SSL library error information. + */ +void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s) +{ + unsigned long e; + + while ((e = ERR_get_error())) { + char *err, *annotation; + err = ERR_error_string(e, NULL); + annotation = ssl_log_annotation(err); + + if (annotation) { + ap_log_error(file, line, level|APLOG_NOERRNO, 0, s, + "SSL Library Error: %ld %s %s", + e, err, annotation); + } + else { + ap_log_error(file, line, level|APLOG_NOERRNO, 0, s, + "SSL Library Error: %ld %s", + e, err); + } + } +} 
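Review bot: In the per-directory cipher-suite hunk of ssl_hook_Access() the new `ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server)` follows a message that is logged at SSL_LOG_WARN, so the OpenSSL detail lines land at error level while the message they annotate is only a warning. The other sites in this commit keep the two levels aligned (SSL_LOG_INFO is paired with APLOG_INFO in mod_ssl.c), so `ssl_log_ssl_error(APLOG_MARK, APLOG_WARNING, r->server);` would be the consistent choice here. ssl_hook_Access() extends beyond the hunk.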
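Review bot: In the new ssl_log_ssl_error() `e` is declared `unsigned long` but is printed with `%ld` in both ap_log_error() calls; the specifier should be `%lu` (`"SSL Library Error: %lu %s %s"` and `"SSL Library Error: %lu %s"`), since a mismatched conversion is undefined behaviour and the OpenSSL error code is an unsigned packed value. Separately, `ERR_error_string(e, NULL)` formats into a static buffer shared by every thread, so under a threaded MPM two connections logging at the same time can clobber each other's text; `char err[256]; ERR_error_string_n(e, err, sizeof err);` gives each call its own buffer. Whether ssl_log_annotation() keeps the pointer it is handed is not visible here, so check that before switching to a stack buffer.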
diff --git a/modules/ssl/ssl_engine_pphrase.c b/modules/ssl/ssl_engine_pphrase.c index 6103d4db39..f8a972cc1f 100644 --- a/modules/ssl/ssl_engine_pphrase.c +++ b/modules/ssl/ssl_engine_pphrase.c @@ -230,8 +230,9 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) ssl_die(); } if ((pX509Cert = SSL_read_X509(szPath, NULL, NULL)) == NULL) { - ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR, + ssl_log(s, SSL_LOG_ERROR, "Init: Unable to read server certificate from file %s", szPath); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); ssl_die(); } @@ -242,8 +243,9 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) at = ssl_util_algotypeof(pX509Cert, NULL); an = ssl_util_algotypestr(at); if (algoCert & at) { - ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR, + ssl_log(s, SSL_LOG_ERROR, "Init: Multiple %s server certificates not allowed", an); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); ssl_die(); } algoCert |= at; @@ -409,8 +411,9 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) } #ifdef WIN32 if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN) { - ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR, + ssl_log(s, SSL_LOG_ERROR, "Init: PassPhraseDialog BuiltIn not supported in server private key from file %s", szPath); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); ssl_die(); } #endif /* WIN32 */ 
@@ -422,12 +425,14 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) if (nPassPhraseDialogCur && pkey_mtime && !(isterm = isatty(fileno(stdout)))) /* XXX: apr_isatty() */ { - ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, + ssl_log(pServ, SSL_LOG_ERROR, "Init: Unable read passphrase " "[Hint: key introduced or changed before restart?]"); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ); } else { - ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Private key not found"); + ssl_log(pServ, SSL_LOG_ERROR, "Init: Private key not found"); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ); } if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) { @@ -436,7 +441,9 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) } } else { - ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Pass phrase incorrect"); + ssl_log(pServ, SSL_LOG_ERROR, "Init: Pass phrase incorrect"); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ); + if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) { apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase incorrect.\n"); @@ -447,8 +454,9 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) } if (pPrivateKey == NULL) { - ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR, + ssl_log(s, SSL_LOG_ERROR, "Init: Unable to read server private key from file %s [Hint: Perhaps it is in a separate file? See SSLCertificateKeyFile]", szPath); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); ssl_die(); } @@ -459,8 +467,9 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) at = ssl_util_algotypeof(NULL, pPrivateKey); an = ssl_util_algotypestr(at); if (algoKey & at) { - ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR, + ssl_log(s, SSL_LOG_ERROR, "Init: Multiple %s server private keys not allowed", an); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); ssl_die(); } algoKey |= at; -- 2.40.0