From 62059cf7c6db350f57b556ee9d528de1ff1270a1 Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Fri, 23 Nov 2007 12:13:59 +0000
Subject: [PATCH] * modules/ssl/ssl_engine_log.c (ssl_log_cxerror): New function, factored out from ssl_callback_SSLVerify.
* modules/ssl/ssl_private: Add prototype.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_SSLVerify): Use it.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@597651 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/ssl_engine_kernel.c | 24 ++++------------------
 modules/ssl/ssl_engine_log.c | 35 +++++++++++++++++++++++++++++++++
 modules/ssl/ssl_private.h | 10 ++++++++++
 3 files changed, 49 insertions(+), 20 deletions(-)
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 5da75c1c98..b3fcbe9df8 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1256,26 +1256,10 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
 /*
 * Log verification information
 */
- if (s->loglevel >= APLOG_DEBUG) {
- X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
- char *sname = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
- char *iname = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0);
-
- ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
- "Certificate Verification: "
- "depth: %d, subject: %s, issuer: %s",
- errdepth,
- sname ? sname : "-unknown-",
- iname ? iname : "-unknown-");
-
- if (sname) {
- modssl_free(sname);
- }
-
- if (iname) {
- modssl_free(iname);
- }
- }
+ ssl_log_cxerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
+ X509_STORE_CTX_get_current_cert(ctx),
+ "Certificate Verification, depth %d",
+ errdepth);
 
 /*
 * Check for optionally acceptable non-verifiable issuer situation
diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c
index d573a7312c..b3ca90df2e 100644
--- a/modules/ssl/ssl_engine_log.c
+++ b/modules/ssl/ssl_engine_log.c
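Review bot: The DEBUG line emitted here changes its wording, from `Certificate Verification: depth: %d, subject: %s, issuer: %s` to `Certificate Verification, depth %d [peer subject: %s, issuer: %s]`, while the commit message describes the change as a pure factoring; anything that parses error_log for the old text (log monitoring rules, support scripts) stops matching without any error. A sentence in the commit message or CHANGES stating the new format would make that visible to operators. The result of `X509_STORE_CTX_get_current_cert(ctx)` is now handed straight to the helper without the local `cert` variable, so any NULL handling has to live in ssl_log_cxerror; see the note on the ssl_engine_log.c hunk. ssl_callback_SSLVerify begins before and continues after this hunk.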
@@ -107,3 +107,38 @@ void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
 ERR_get_error();
 }
 }
+
+void ssl_log_cxerror(const char *file, int line, int level,
+ apr_status_t rv, conn_rec *c, X509 *cert,
+ const char *format, ...)
+{
+ va_list ap;
+ char buf[HUGE_STRING_LEN];
+ char *sname, *iname;
+
+ if (c->base_server->loglevel < level) {
+ /* Bail early since the rest of this function is expensive. */
+ return;
+ }
+
+ sname = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
+ iname = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0);
+
+ va_start(ap, format);
+ apr_vsnprintf(buf, sizeof buf, format, ap);
+ va_end(ap);
+
+ ap_log_cerror(file, line, level, rv, c,
+ "%s [peer subject: %s, issuer: %s]",
+ buf,
+ sname ? sname : "-unknown-",
+ iname ? iname : "-unknown-");
+
+ if (sname) {
+ modssl_free(sname);
+ }
+
+ if (iname) {
+ modssl_free(iname);
+ }
+}
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 4d30dafe4d..e1c0515e57 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -679,6 +679,16 @@ int ssl_mutex_off(server_rec *);
 void ssl_die(void);
 void ssl_log_ssl_error(const char *, int, int, server_rec *);
 
+/* ssl_log_cxerror is a wrapper for ap_log_cerror which takes the peer
+ * certificate as an additional argument and appends details of that
+ * cert to the log message. All other arguments interpreted exactly
+ * as ap_log_cerror. */
+void ssl_log_cxerror(const char *file, int line, int level,
+ apr_status_t rv, conn_rec *c, X509 *cert,
+ const char *format, ...)
+ __attribute__((format(printf,7,8)));
+
+
 /** Variables */
 
 /* Register variables for the lifetime of the process pool 'p'. */
-- 
2.40.0
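Review bot: `cert` is dereferenced by `X509_get_subject_name(cert)` and `X509_get_issuer_name(cert)` with no NULL check, yet the only caller in this commit passes `X509_STORE_CTX_get_current_cert(ctx)`, which OpenSSL documents as returning NULL when no certificate is relevant to the verification error; a NULL there would most likely crash the child on a failure that was only meant to be logged at DEBUG. Guarding the two lookups, `sname = cert ? X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0) : NULL;` and the same for `iname`, lets the existing `-unknown-` fallback cover that case. Separately, the early-out compares `c->base_server->loglevel < level` unmasked, whereas ap_log_cerror, as far as I recall, compares against `level & APLOG_LEVELMASK`; since the header promises the arguments are "interpreted exactly as ap_log_cerror", a caller that ORs a flag into `level` would be suppressed here but not by a direct ap_log_cerror call, so `if (c->base_server->loglevel < (level & APLOG_LEVELMASK))` keeps the two in step. Note also that `apr_vsnprintf` into the fixed `HUGE_STRING_LEN` buffer truncates long messages silently, which the comment on the early return does not mention.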
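Review bot: The new comment should state the parts of the contract the implementation imposes but the text leaves open: whether `cert` may be NULL (as written it is dereferenced unconditionally), that the formatted message is limited to a `HUGE_STRING_LEN` buffer and truncated beyond that, and that the level gate reads `c->base_server->loglevel`. A suggested addition after "as ap_log_cerror.": `cert must be non-NULL; the formatted message is truncated to HUGE_STRING_LEN bytes.` The unconditional `__attribute__((format(printf,7,8)))` presumably relies on apr.h's empty `__attribute__` definition for non-GCC compilers being in scope through this header's includes — worth confirming, since the neighbouring `ssl_log_ssl_error` prototype carries no attribute and this is the first use in the visible part of the header.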