/* _ _ ** _ __ ___ ___ __| | ___ ___| | mod_ssl ** | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL ** | | | | | | (_) | (_| | \__ \__ \ | www.modssl.org ** |_| |_| |_|\___/ \__,_|___|___/___/_| ftp.modssl.org ** |_____| ** ssl_engine_log.c ** Logging Facility */ /* ==================================================================== * Copyright (c) 1998-2006 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following * disclaimer in the documentation and/or other materials * provided with the distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by * Ralf S. Engelschall for use in the * mod_ssl project (http://www.modssl.org/)." * * 4. The names "mod_ssl" must not be used to endorse or promote * products derived from this software without prior written * permission. For written permission, please contact * rse@engelschall.com. * * 5. Products derived from this software may not be called "mod_ssl" * nor may "mod_ssl" appear in their names without prior * written permission of Ralf S. Engelschall. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by * Ralf S. Engelschall for use in the * mod_ssl project (http://www.modssl.org/)." * * THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR * HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== */ /* ``The difference between a computer industry job and open-source software hacking is about 30 hours a week.'' -- Ralf S. Engelschall */ #include "mod_ssl.h" /* _________________________________________________________________ ** ** Logfile Support ** _________________________________________________________________ */ /* * Open the SSL logfile */ void ssl_log_open(server_rec *s_main, server_rec *s, pool *p) { char *szLogFile; SSLSrvConfigRec *sc_main = mySrvConfig(s_main); SSLSrvConfigRec *sc = mySrvConfig(s); piped_log *pl; char *cp; /* * Short-circuit for inherited logfiles in order to save * filedescriptors in mass-vhost situation. Be careful, this works * fine because the close happens implicitly by the pool facility. */ if ( s != s_main && sc_main->fileLogFile != NULL && ( (sc->szLogFile == NULL) || ( sc->szLogFile != NULL && sc_main->szLogFile != NULL && strEQ(sc->szLogFile, sc_main->szLogFile)))) { sc->fileLogFile = sc_main->fileLogFile; } else if (sc->szLogFile != NULL) { if (strEQ(sc->szLogFile, "/dev/null")) return; else if (sc->szLogFile[0] == '|') { cp = sc->szLogFile+1; while (*cp == ' ' || *cp == '\t') cp++; szLogFile = ssl_util_server_root_relative(p, "log", cp); if ((pl = ap_open_piped_log(p, szLogFile)) == NULL) { ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, "Cannot open reliable pipe to SSL logfile filter %s", szLogFile); ssl_die(); } sc->fileLogFile = ap_pfdopen(p, ap_piped_log_write_fd(pl), "a"); setbuf(sc->fileLogFile, NULL); } else { szLogFile = ssl_util_server_root_relative(p, "log", sc->szLogFile); if ((sc->fileLogFile = ap_pfopen(p, szLogFile, "a")) == NULL) { ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, "Cannot open SSL logfile %s", szLogFile); ssl_die(); } setbuf(sc->fileLogFile, NULL); } } return; } static struct { int nLevel; char *szLevel; } ssl_log_level2string[] = { { SSL_LOG_ERROR, "error" }, { SSL_LOG_WARN, "warn" }, { SSL_LOG_INFO, "info" }, { SSL_LOG_TRACE, "trace" }, { SSL_LOG_DEBUG, "debug" }, { 0, NULL } }; static struct { char *cpPattern; char *cpAnnotation; } ssl_log_annotate[] = { { "*envelope*bad*decrypt*", "wrong pass phrase!?" }, { "*CLIENT_HELLO*unknown*protocol*", "speaking not SSL to HTTPS port!?" }, { "*CLIENT_HELLO*http*request*", "speaking HTTP to HTTPS port!?" }, { "*SSL3_READ_BYTES:sslv3*alert*bad*certificate*", "Subject CN in certificate not server name or identical to CA!?" }, { "*self signed certificate in certificate chain*", "Client certificate signed by CA not known to server?" }, { "*peer did not return a certificate*", "No CAs known to server for verification?" }, { "*no shared cipher*", "Too restrictive SSLCipherSuite or using DSA server certificate?" }, { "*no start line*", "Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?" }, { "*bad password read*", "You entered an incorrect pass phrase!?" }, { "*bad mac decode*", "Browser still remembered details of a re-created server certificate?" }, { NULL, NULL } }; static char *ssl_log_annotation(char *error) { char *errstr; int i; errstr = NULL; for (i = 0; ssl_log_annotate[i].cpPattern != NULL; i++) { if (ap_strcmp_match(error, ssl_log_annotate[i].cpPattern) == 0) { errstr = ssl_log_annotate[i].cpAnnotation; break; } } return errstr; } BOOL ssl_log_applies(server_rec *s, int level) { SSLSrvConfigRec *sc; sc = mySrvConfig(s); if ( sc->fileLogFile == NULL && !(level & SSL_LOG_ERROR)) return FALSE; if ( level > sc->nLogLevel && !(level & SSL_LOG_ERROR)) return FALSE; return TRUE; } void ssl_log(server_rec *s, int level, const char *msg, ...) { char tstr[80]; char lstr[20]; char vstr[1024]; char str[1024]; char nstr[2]; int timz; struct tm *t; va_list ap; int add; int i; char *astr; int safe_errno; unsigned long e; SSLSrvConfigRec *sc; char *cpE; char *cpA; /* initialization */ va_start(ap, msg); safe_errno = errno; sc = mySrvConfig(s); /* strip out additional flags */ add = (level & ~SSL_LOG_MASK); level = (level & SSL_LOG_MASK); /* reduce flags when not reasonable in context */ if (add & SSL_ADD_ERRNO && errno == 0) add &= ~SSL_ADD_ERRNO; if (add & SSL_ADD_SSLERR && ERR_peek_error() == 0) add &= ~SSL_ADD_SSLERR; /* we log only levels below, except for errors */ if ( sc->fileLogFile == NULL && !(level & SSL_LOG_ERROR)) return; if ( level > sc->nLogLevel && !(level & SSL_LOG_ERROR)) return; /* determine the time entry string */ if (add & SSL_NO_TIMESTAMP) tstr[0] = NUL; else { t = ap_get_gmtoff(&timz); strftime(tstr, 80, "[%d/%b/%Y %H:%M:%S", t); i = strlen(tstr); ap_snprintf(tstr+i, 80-i, " %05d] ", (unsigned int)getpid()); } /* determine whether newline should be written */ if (add & SSL_NO_NEWLINE) nstr[0] = NUL; else { nstr[0] = '\n'; nstr[1] = NUL; } /* determine level name */ lstr[0] = NUL; if (!(add & SSL_NO_LEVELID)) { for (i = 0; ssl_log_level2string[i].nLevel != 0; i++) { if (ssl_log_level2string[i].nLevel == level) { ap_snprintf(lstr, sizeof(lstr), "[%s]", ssl_log_level2string[i].szLevel); break; } } for (i = strlen(lstr); i <= 7; i++) lstr[i] = ' '; lstr[i] = NUL; } /* create custom message */ ap_vsnprintf(vstr, sizeof(vstr), msg, ap); /* write out SSLog message */ if ((add & SSL_ADD_ERRNO) && (add & SSL_ADD_SSLERR)) astr = " (System and " SSL_LIBRARY_NAME " library errors follow)"; else if (add & SSL_ADD_ERRNO) astr = " (System error follows)"; else if (add & SSL_ADD_SSLERR) astr = " (" SSL_LIBRARY_NAME " library error follows)"; else astr = ""; if (level <= sc->nLogLevel && sc->fileLogFile != NULL) { ap_snprintf(str, sizeof(str), "%s%s%s%s%s", tstr, lstr, vstr, astr, nstr); fprintf(sc->fileLogFile, "%s", str); } if (level & SSL_LOG_ERROR) ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s, "mod_ssl: %s%s", vstr, astr); /* write out additional attachment messages */ if (add & SSL_ADD_ERRNO) { if (level <= sc->nLogLevel && sc->fileLogFile != NULL) { ap_snprintf(str, sizeof(str), "%s%sSystem: %s (errno: %d)%s", tstr, lstr, strerror(safe_errno), safe_errno, nstr); fprintf(sc->fileLogFile, "%s", str); } if (level & SSL_LOG_ERROR) ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s, "System: %s (errno: %d)", strerror(safe_errno), safe_errno); } if (add & SSL_ADD_SSLERR) { while ((e = ERR_get_error())) { cpE = ERR_error_string(e, NULL); cpA = ssl_log_annotation(cpE); if (level <= sc->nLogLevel && sc->fileLogFile != NULL) { ap_snprintf(str, sizeof(str), "%s%s%s: %s%s%s%s%s", tstr, lstr, SSL_LIBRARY_NAME, cpE, cpA != NULL ? " [Hint: " : "", cpA != NULL ? cpA : "", cpA != NULL ? "]" : "", nstr); fprintf(sc->fileLogFile, "%s", str); } if (level & SSL_LOG_ERROR) ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s, "%s: %s%s%s%s", SSL_LIBRARY_NAME, cpE, cpA != NULL ? " [Hint: " : "", cpA != NULL ? cpA : "", cpA != NULL ? "]" : ""); } } /* make sure the next log starts from a clean base */ /* ERR_clear_error(); */ /* cleanup and return */ if (sc->fileLogFile != NULL) fflush(sc->fileLogFile); errno = safe_errno; va_end(ap); return; } void ssl_die(void) { /* * This is used for fatal errors and here * it is common module practice to really * exit from the complete program. */ exit(1); }