From 7d6bd86673e6b3d36e2eb0a2fd50b1c9892c31ba Mon Sep 17 00:00:00 2001
From: Stefan Fritsch
Date: Thu, 3 Jun 2010 22:57:00 +0000
Subject: [PATCH] Introduce SSLLOG_MARK for use with ssl_log_ssl_error(). This will allow to redefine APLOG_MARK later.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@951194 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/mod_ssl.c | 4 ++--
 modules/ssl/ssl_engine_init.c | 26 +++++++++++++-------------
 modules/ssl/ssl_engine_io.c | 14 +++++++-------
 modules/ssl/ssl_engine_kernel.c | 8 ++++----
 modules/ssl/ssl_engine_ocsp.c | 16 ++++++++--------
 modules/ssl/ssl_engine_pphrase.c | 14 +++++++-------
 modules/ssl/ssl_private.h | 1 +
 modules/ssl/ssl_util.c | 2 +-
 modules/ssl/ssl_util_ocsp.c | 4 ++--
 9 files changed, 45 insertions(+), 44 deletions(-)
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 4ae3b06cfd..01f8d8aee1 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -417,7 +417,7 @@ int ssl_init_ssl_connection(conn_rec *c, request_rec *r) ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, "Unable to create a new SSL connection from the SSL " "context");
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);
 c->aborted = 1;
@@ -432,7 +432,7 @@ int ssl_init_ssl_connection(conn_rec *c, request_rec *r) { ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, "Unable to set session id context to '%s'", vhost_md5);
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);
 c->aborted = 1;
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index a0bcc4dd4b..34ea6f47a2 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -97,7 +97,7 @@ static int ssl_tmp_key_init_rsa(server_rec *s, ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Init: Failed to generate temporary " "%d bit RSA private key", bits);
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
 return !OK; }
@@ -270,7 +270,7 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, } else { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, "FIPS mode failed");
- ssl_log_ssl_error(APLOG_MARK, APLOG_EMERG, s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
 ssl_die(); } }
@@ -363,7 +363,7 @@ void ssl_init_Engine(server_rec *s, apr_pool_t *p) ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Init: Failed to load Crypto Device API `%s'", mc->szCryptoDevice);
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
 ssl_die(); }
@@ -375,7 +375,7 @@ void ssl_init_Engine(server_rec *s, apr_pool_t *p) ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Init: Failed to enable Crypto Device API `%s'", mc->szCryptoDevice);
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
 ssl_die(); } ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
@@ -440,7 +440,7 @@ static void ssl_init_ctx_tls_extensions(server_rec *s, ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Unable to initialize TLS servername extension " "callback (incompatible OpenSSL version?)");
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
 ssl_die(); }
@@ -631,7 +631,7 @@ static void ssl_init_ctx_verify(server_rec *s, ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Unable to configure verify locations " "for client authentication");
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
 ssl_die(); }
@@ -691,7 +691,7 @@ static void ssl_init_ctx_cipher_suite(server_rec *s, if (!SSL_CTX_set_cipher_list(ctx, MODSSL_PCHAR_CAST suite)) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Unable to configure permitted SSL ciphers");
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
 ssl_die(); } }
@@ -720,7 +720,7 @@ static void ssl_init_ctx_crl(server_rec *s, ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Unable to configure X.509 CRL storage " "for certificate revocation");
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
 ssl_die(); } }
@@ -837,14 +837,14 @@ static int ssl_server_import_cert(server_rec *s, if (!(cert = d2i_X509(NULL, &ptr, asn1->nData))) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Unable to import %s server certificate", type);
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
 ssl_die(); } if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) <= 0) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Unable to configure %s server certificate", type);
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
 ssl_die(); }
@@ -893,14 +893,14 @@ static int ssl_server_import_key(server_rec *s, { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Unable to import %s server private key", type);
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
 ssl_die(); } if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) <= 0) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Unable to configure %s server private key", type);
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
 ssl_die(); }
@@ -915,7 +915,7 @@ static int ssl_server_import_key(server_rec *s, EVP_PKEY_copy_parameters(pubkey, pkey); ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Copying DSA parameters from private key to certificate");
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
 EVP_PKEY_free(pubkey); } }
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index f5d7e7d5ac..8d281ee66c 100644
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -721,7 +721,7 @@ static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx, */ ap_log_cerror(APLOG_MARK, APLOG_INFO, inctx->rc, c, "SSL library error %d reading data", ssl_err);
- ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, mySrvFromConn(c));
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, mySrvFromConn(c));
 } if (inctx->rc == APR_SUCCESS) {
@@ -828,7 +828,7 @@ static apr_status_t ssl_filter_write(ap_filter_t *f, */ ap_log_cerror(APLOG_MARK, APLOG_INFO, outctx->rc, c, "SSL library error %d writing data", ssl_err);
- ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, mySrvFromConn(c));
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, mySrvFromConn(c));
 } if (outctx->rc == APR_SUCCESS) { outctx->rc = APR_EGENERAL;
@@ -898,7 +898,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f, ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, f->c, "SSL handshake failed: HTTP spoken on HTTPS port; " "trying to send HTML error page");
- ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, sslconn->server);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, sslconn->server);
 sslconn->non_ssl_request = 1; ssl_io_filter_disable(sslconn, f);
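Review bot: In the ssl_engine_init.c hunk at line 915 (`ssl_server_import_key`), the return value of `EVP_PKEY_copy_parameters(pubkey, pkey)` is discarded and `ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s)` then runs unconditionally, so an error-level entry is produced whether or not the copy failed. The accompanying message ("Copying DSA parameters from private key to certificate") reads as a progress note yet is logged at APLOG_ERR, which makes real key-handling failures harder to pick out of the error log. Consider reporting only on failure, e.g. `if (!EVP_PKEY_copy_parameters(pubkey, pkey)) ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);`, and lowering the level of the progress message. The enclosing condition starts above the hunk, so confirm this is not already an error path.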
@@ -1085,7 +1085,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) if ((n = SSL_connect(filter_ctx->pssl)) <= 0) { ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, "SSL Proxy connect failed");
- ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, server);
 /* ensure that the SSL structures etc are freed, etc: */ ssl_filter_io_shutdown(filter_ctx, c, 1); return MODSSL_ERROR_BAD_GATEWAY;
@@ -1180,7 +1180,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) "SSL library error %d in handshake " "(server %s)", ssl_err, ssl_util_vhostid(c->pool, server));
- ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, server);
 } if (inctx->rc == APR_SUCCESS) {
@@ -1216,7 +1216,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) "accepting certificate based on " "\"SSLVerifyClient optional_no_ca\" " "configuration");
- ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, server);
 } else { const char *error = sslconn->verify_error ?
@@ -1226,7 +1226,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, "SSL client authentication failed: %s", error ? error : "unknown");
- ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, server);
 ssl_filter_io_shutdown(filter_ctx, c, 1); return APR_ECONNABORTED;
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index a5e3c62943..9bd0373c9a 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
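Review bot: In the ssl_engine_io.c hunk at line 1216 (`ssl_io_filter_handshake`), the OpenSSL detail for a client certificate accepted under `SSLVerifyClient optional_no_ca` is recorded only at `APLOG_INFO`. Accepting a certificate on the strength of that setting rather than a clean verification is an event operators may want to see without enabling info-level logging. The level of the accompanying message is set above the hunk and is not visible here. If both calls use APLOG_INFO, consider raising the pair together, for example `ssl_log_ssl_error(SSLLOG_MARK, APLOG_NOTICE, server);`, so the acceptance and its reason stay visible at a production log level.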
@@ -414,7 +414,7 @@ int ssl_hook_Access(request_rec *r) ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "Unable to reconfigure (per-directory) " "permitted SSL ciphers");
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
 if (cipher_list_old) { sk_SSL_CIPHER_free(cipher_list_old);
@@ -733,7 +733,7 @@ int ssl_hook_Access(request_rec *r) if (!modssl_X509_verify_cert(&cert_store_ctx)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Re-negotiation verification step failed");
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
 } SSL_set_verify_result(ssl, cert_store_ctx.error);
@@ -790,7 +790,7 @@ int ssl_hook_Access(request_rec *r) if (SSL_get_state(ssl) != SSL_ST_OK) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Re-negotiation request failed");
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
 r->connection->keepalive = AP_CONN_CLOSE; return HTTP_FORBIDDEN;
@@ -1352,7 +1352,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) /* * Log verification information */
- ssl_log_cxerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
+ ssl_log_cxerror(SSLLOG_MARK, APLOG_DEBUG, 0, conn,
 X509_STORE_CTX_get_current_cert(ctx), "Certificate Verification, depth %d", errdepth);
diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c
index e5946287a6..b0a16b4251 100644
--- a/modules/ssl/ssl_engine_ocsp.c
+++ b/modules/ssl/ssl_engine_ocsp.c
@@ -110,7 +110,7 @@ static OCSP_REQUEST *create_request(X509_STORE_CTX *ctx, X509 *cert, *certid = OCSP_cert_to_id(NULL, cert, ctx->current_issuer); if (!*certid || !OCSP_request_add0_id(req, *certid)) {
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "could not retrieve certificate id"); return NULL;
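Review bot: In the first ssl_engine_kernel.c hunk (`ssl_hook_Access`, line 414), the context message is logged with `APLOG_WARNING` while the OpenSSL detail that follows uses `APLOG_ERR`, so with the log level set to error the OpenSSL detail is written without the line that says what failed. The ssl_util.c hunk (`ssl_read_pkcs7`) has the same split: `APLOG_ERR|APLOG_NOERRNO` for the message and `APLOG_CRIT` for the detail. Using one level per pair keeps the two entries together under any filter, e.g. `ssl_log_ssl_error(SSLLOG_MARK, APLOG_WARNING, r->server);` here. Both functions extend beyond their hunks.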
@@ -164,7 +164,7 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c, if (rc == V_OCSP_CERTSTATUS_GOOD) { basicResponse = OCSP_response_get1_basic(response); if (!basicResponse) {
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, "could not retrieve OCSP basic response"); rc = V_OCSP_CERTSTATUS_UNKNOWN;
@@ -182,7 +182,7 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c, if (rc == V_OCSP_CERTSTATUS_GOOD) { /* TODO: allow flags configuration. */ if (OCSP_basic_verify(basicResponse, NULL, ctx->ctx, 0) != 1) {
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "failed to verify the OCSP response"); rc = V_OCSP_CERTSTATUS_UNKNOWN;
@@ -196,8 +196,8 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c, rc = OCSP_resp_find_status(basicResponse, certID, &status, &reason, NULL, &thisup, &nextup); if (rc != 1) {
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
- ssl_log_cxerror(APLOG_MARK, APLOG_ERR, 0, c, cert,
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+ ssl_log_cxerror(SSLLOG_MARK, APLOG_ERR, 0, c, cert,
 "failed to retrieve OCSP response status"); rc = V_OCSP_CERTSTATUS_UNKNOWN; }
@@ -215,8 +215,8 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c, int vrc = OCSP_check_validity(thisup, nextup, MAX_SKEW, MAX_AGE); if (vrc != 1) {
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
- ssl_log_cxerror(APLOG_MARK, APLOG_ERR, 0, c, cert,
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+ ssl_log_cxerror(SSLLOG_MARK, APLOG_ERR, 0, c, cert,
 "OCSP response outside validity period"); rc = V_OCSP_CERTSTATUS_UNKNOWN; }
@@ -229,7 +229,7 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c, status == V_OCSP_CERTSTATUS_GOOD ? "good" : (status == V_OCSP_CERTSTATUS_REVOKED ? "revoked" : "unknown");
- ssl_log_cxerror(APLOG_MARK, level, 0, c, cert,
+ ssl_log_cxerror(SSLLOG_MARK, level, 0, c, cert,
 "OCSP validation completed, " "certificate status: %s (%d, %d)", result, status, reason);
diff --git a/modules/ssl/ssl_engine_pphrase.c b/modules/ssl/ssl_engine_pphrase.c
index c0f14d038e..c7fc5de65e 100644
--- a/modules/ssl/ssl_engine_pphrase.c
+++ b/modules/ssl/ssl_engine_pphrase.c
@@ -218,7 +218,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Init: Unable to read server certificate from" " file %s", szPath);
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
 ssl_die(); } }
@@ -232,7 +232,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Init: Multiple %s server certificates not " "allowed", an);
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
 ssl_die(); } algoCert |= at;
@@ -426,12 +426,12 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) "Init: Unable to read pass phrase " "[Hint: key introduced or changed " "before restart?]");
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, pServ);
 } else { ap_log_error(APLOG_MARK, APLOG_ERR, 0, pServ, "Init: Private key not found");
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, pServ);
 } if (writetty) { apr_file_printf(writetty, "Apache:mod_ssl:Error: Private key not found.\n");
@@ -441,7 +441,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) else { ap_log_error(APLOG_MARK, APLOG_ERR, 0, pServ, "Init: Pass phrase incorrect");
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, pServ);
 if (writetty) { apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase incorrect.\n");
@@ -456,7 +456,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) "Init: Unable to read server private key from " "file %s [Hint: Perhaps it is in a separate file? " " See SSLCertificateKeyFile]", szPath);
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
 ssl_die(); }
@@ -470,7 +470,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Init: Multiple %s server private keys not " "allowed", an);
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
 ssl_die(); } algoKey |= at;
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 53bc80391a..eea6233155 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -749,6 +749,7 @@ void ssl_log_cxerror(const char *file, int line, int level, const char *format, ...) __attribute__((format(printf,7,8)));
+#define SSLLOG_MARK __FILE__,__LINE__
 /** Variables */
diff --git a/modules/ssl/ssl_util.c b/modules/ssl/ssl_util.c
index 912e8bb642..4ae479994a 100644
--- a/modules/ssl/ssl_util.c
+++ b/modules/ssl/ssl_util.c
@@ -295,7 +295,7 @@ STACK_OF(X509) *ssl_read_pkcs7(server_rec *s, const char *pkcs7) if (!p7) { ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s, "Can't read PKCS7 object %s", pkcs7);
- ssl_log_ssl_error(APLOG_MARK, APLOG_CRIT, s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_CRIT, s);
 exit(1); }
diff --git a/modules/ssl/ssl_util_ocsp.c b/modules/ssl/ssl_util_ocsp.c
index 35583913b8..f171060caf 100644
--- a/modules/ssl/ssl_util_ocsp.c
+++ b/modules/ssl/ssl_util_ocsp.c
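Review bot: The new `SSLLOG_MARK` in the ssl_private.h hunk has no comment, and nothing at the definition says why it exists alongside APLOG_MARK, which it presumably matches today. A short comment would stop a later cleanup from folding the two back together: `/* file/line arguments for ssl_log_ssl_error() and ssl_log_cxerror(); kept separate from APLOG_MARK so that APLOG_MARK can be redefined later */`. The converted call sites in this patch pass the macro to both functions, so the comment should name both rather than only ssl_log_ssl_error() as the commit subject does.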
@@ -262,7 +262,7 @@ static OCSP_RESPONSE *read_response(apr_socket_t *sd, BIO *bio, conn_rec *c, * bio. */ response = d2i_OCSP_RESPONSE_bio(bio, NULL); if (response == NULL) {
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, mySrvFromConn(c));
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, mySrvFromConn(c));
 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, "failed to decode OCSP response data"); }
@@ -281,7 +281,7 @@ OCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri, bio = serialize_request(request, uri); if (bio == NULL) {
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, mySrvFromConn(c));
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, mySrvFromConn(c));
 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, "could not serialize OCSP request"); return NULL;
--
2.50.1