
From jerenkra...@apache.org
Subject cvs commit: httpd-2.0/modules/ssl mod_ssl.c mod_ssl.h ssl_engine_init.c ssl_engine_io.c ssl_engine_kernel.c ssl_engine_log.c ssl_engine_pphrase.c
Date Wed, 15 May 2002 23:10:34 GMT
jerenkrantz    02/05/15 16:10:34

  Modified:    modules/ssl mod_ssl.c mod_ssl.h ssl_engine_init.c
                        ssl_engine_io.c ssl_engine_kernel.c
                        ssl_engine_log.c ssl_engine_pphrase.c
  Log:
  Stop using SSL_ADD_SSLERR option in ssl_log() and replace with new
  ssl_log_ssl_error() function that wraps ap_log_error instead.
  
  This begins the migration from ssl_log() -> ap_log_error().  Divorcing
  ourselves from the SSL_ADD_SSLERR option is required to make the next
  pass easier.
  
  Revision  Changes    Path
  1.65      +16 -8     httpd-2.0/modules/ssl/mod_ssl.c
  
  Index: mod_ssl.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.c,v
  retrieving revision 1.64
  retrieving revision 1.65
  diff -u -r1.64 -r1.65
  --- mod_ssl.c	30 Apr 2002 17:10:12 -0000	1.64
  +++ mod_ssl.c	15 May 2002 23:10:33 -0000	1.65
  @@ -327,8 +327,9 @@
        * so we can detach later.
        */
       if (!(ssl = SSL_new(mctx->ssl_ctx))) {
  -        ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +        ssl_log(c->base_server, SSL_LOG_ERROR,
                   "Unable to create a new SSL connection from the SSL context");
  +        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
   
           c->aborted = 1;
   
  @@ -340,8 +341,9 @@
       if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,
                                       MD5_DIGESTSIZE*2))
       {
  -        ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +        ssl_log(c->base_server, SSL_LOG_ERROR,
                   "Unable to set session id context to `%s'", vhost_md5);
  +        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
   
           c->aborted = 1;
   
  @@ -408,8 +410,9 @@
           if (sslconn->is_proxy) {
               if ((n = SSL_connect(filter->pssl)) <= 0) {
                   ssl_log(c->base_server,
  -                        SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
  +                        SSL_LOG_ERROR|SSL_ADD_ERRNO,
                           "SSL Proxy connect failed");
  +                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
                   return ssl_abort(filter, c);
               }
   
  @@ -450,15 +453,17 @@
               {
                   if (errno > 0) {
                       ssl_log(c->base_server,
  -                            SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
  +                            SSL_LOG_ERROR|SSL_ADD_ERRNO,
                               "SSL handshake interrupted by system "
                               "[Hint: Stop button pressed in browser?!]");
  +                    ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
                   }
                   else {
                       ssl_log(c->base_server,
  -                            SSL_LOG_INFO|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
  +                            SSL_LOG_INFO|SSL_ADD_ERRNO,
                               "Spurious SSL handshake interrupt [Hint: "
                               "Usually just one of those OpenSSL confusions!?]");
  +                    ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
                   }
               }
               else {
  @@ -466,10 +471,11 @@
                    * Ok, anything else is a fatal error
                    */
                   ssl_log(c->base_server,
  -                        SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
  +                        SSL_LOG_ERROR|SSL_ADD_ERRNO,
                           "SSL handshake failed (server %s, client %s)",
                           ssl_util_vhostid(c->pool, c->base_server),
                           c->remote_ip ? c->remote_ip : "unknown");
  +                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
               }
   
               return ssl_abort(filter, c);
  @@ -494,19 +500,21 @@
                    * optional_no_ca doesn't appear to work as advertised
                    * in 1.x
                    */
  -                ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +                ssl_log(c->base_server, SSL_LOG_ERROR,
                           "SSL client authentication failed, "
                           "accepting certificate based on "
                           "\"SSLVerifyClient optional_no_ca\" configuration");
  +                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
               }
               else {
                   const char *error = sslconn->verify_error ?
                       sslconn->verify_error :
                       X509_verify_cert_error_string(verify_result);
   
  -                ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +                ssl_log(c->base_server, SSL_LOG_ERROR,
                           "SSL client authentication failed: %s",
                           error ? error : "unknown");
  +                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
   
                   return ssl_abort(filter, c);
               }
  
  
  
  1.116     +1 -0      httpd-2.0/modules/ssl/mod_ssl.h
  
  Index: mod_ssl.h
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.h,v
  retrieving revision 1.115
  retrieving revision 1.116
  diff -u -r1.115 -r1.116
  --- mod_ssl.h	9 Apr 2002 15:53:09 -0000	1.115
  +++ mod_ssl.h	15 May 2002 23:10:33 -0000	1.116
  @@ -707,6 +707,7 @@
   void         ssl_log_open(server_rec *, server_rec *, apr_pool_t *);
   void         ssl_log(server_rec *, int, const char *, ...);
   void         ssl_die(void);
  +void         ssl_log_ssl_error(const char *, int, int, server_rec *);
   
   /*  Variables  */
   void         ssl_var_register(void);
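Review bot: The new `ssl_log_ssl_error` prototype has two adjacent unnamed `int` parameters, and nothing in the header says which is the source line and which is the log level; every caller in this commit passes them as `APLOG_MARK` followed by an `APLOG_*` constant, so a one-line comment above the declaration would pin that down: `/* ssl_log_ssl_error(file, line, level, s): log the pending OpenSSL error queue via ap_log_error() */`. Naming the parameters (`const char *file, int line, int level, server_rec *s`) would be clearer still, although the neighbouring prototypes in this block omit names, so the comment alone keeps the file's style.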
  
  
  
  1.95      +16 -8     httpd-2.0/modules/ssl/ssl_engine_init.c
  
  Index: ssl_engine_init.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
  retrieving revision 1.94
  retrieving revision 1.95
  diff -u -r1.94 -r1.95
  --- ssl_engine_init.c	2 Apr 2002 21:57:31 -0000	1.94
  +++ ssl_engine_init.c	15 May 2002 23:10:33 -0000	1.95
  @@ -549,9 +549,10 @@
                                              mctx->auth.ca_cert_file,
                                              mctx->auth.ca_cert_path))
           {
  -            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
  +            ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
                       "Unable to configure verify locations "
                       "for client authentication");
  +            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
               ssl_die();
           }
   
  @@ -604,8 +605,9 @@
               suite);
   
       if (!SSL_CTX_set_cipher_list(ctx, suite)) {
  -        ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
  +        ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
                   "Unable to configure permitted SSL ciphers");
  +        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
           ssl_die();
       }
   }
  @@ -631,9 +633,10 @@
                                 (char *)mctx->crl_path);
   
       if (!mctx->crl) {
  -        ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
  +        ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
                   "Unable to configure X.509 CRL storage "
                   "for certificate revocation");
  +        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
           ssl_die();
       }
   }
  @@ -730,14 +733,16 @@
   
       ptr = asn1->cpData;
       if (!(cert = d2i_X509(NULL, &ptr, asn1->nData))) {
  -        ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
  +        ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
                   "Unable to import %s server certificate", type);
  +        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
           ssl_die();
       }
   
       if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) <= 0) {
  -        ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
  +        ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
                   "Unable to configure %s server certificate", type);
  +        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
           ssl_die();
       }
   
  @@ -768,14 +773,16 @@
       ptr = asn1->cpData;
       if (!(pkey = d2i_PrivateKey(pkey_type, NULL, &ptr, asn1->nData)))
       {
  -        ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
  +        ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
                   "Unable to import %s server private key", type);
  +        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
           ssl_die();
       }
   
       if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) <= 0) {
  -        ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
  +        ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
                   "Unable to configure %s server private key", type);
  +        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
           ssl_die();
       }
   
  @@ -788,8 +795,9 @@
   
           if (pubkey && EVP_PKEY_missing_parameters(pubkey)) {
               EVP_PKEY_copy_parameters(pubkey, pkey);
  -            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
  +            ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
                       "Copying DSA parameters from private key to certificate");
  +            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
           }
       }
   
  
  
  
  1.74      +6 -3      httpd-2.0/modules/ssl/ssl_engine_io.c
  
  Index: ssl_engine_io.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_io.c,v
  retrieving revision 1.73
  retrieving revision 1.74
  diff -u -r1.73 -r1.74
  --- ssl_engine_io.c	7 Apr 2002 06:32:21 -0000	1.73
  +++ ssl_engine_io.c	15 May 2002 23:10:33 -0000	1.74
  @@ -502,8 +502,9 @@
                * Log SSL errors
                */
               conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
  -            ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +            ssl_log(c->base_server, SSL_LOG_ERROR,
                       "SSL error on reading data");
  +            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
           }
       }
   
  @@ -534,8 +535,9 @@
                * Log SSL errors
                */
               conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
  -            ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +            ssl_log(c->base_server, SSL_LOG_ERROR,
                       "SSL error on writing data");
  +            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
           }
           /*
            * XXX - Just trying to reflect the behaviour in 
  @@ -763,9 +765,10 @@
       switch (status) {
         case HTTP_BAD_REQUEST:
               /* log the situation */
  -            ssl_log(f->c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +            ssl_log(f->c->base_server, SSL_LOG_ERROR,
                       "SSL handshake failed: HTTP spoken on HTTPS port; "
                       "trying to send HTML error page");
  +            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, f->c->base_server);
   
               /* fake the request line */
               bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
  
  
  
  1.68      +6 -3      httpd-2.0/modules/ssl/ssl_engine_kernel.c
  
  Index: ssl_engine_kernel.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
  retrieving revision 1.67
  retrieving revision 1.68
  diff -u -r1.67 -r1.68
  --- ssl_engine_kernel.c	5 Apr 2002 02:31:04 -0000	1.67
  +++ ssl_engine_kernel.c	15 May 2002 23:10:33 -0000	1.68
  @@ -411,9 +411,10 @@
   
           /* configure new state */
           if (!modssl_set_cipher_list(ssl, dc->szCipherSuite)) {
  -            ssl_log(r->server, SSL_LOG_WARN|SSL_ADD_SSLERR,
  +            ssl_log(r->server, SSL_LOG_WARN,
                       "Unable to reconfigure (per-directory) "
                       "permitted SSL ciphers");
  +            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
   
               if (cipher_list_old) {
                   sk_SSL_CIPHER_free(cipher_list_old);
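Review bot: The message on the `ssl_log` line is emitted at `SSL_LOG_WARN`, but the library errors added right after it go out at `APLOG_ERR`, so the detail lines will be logged at a higher severity than the summary they explain, and will still appear when LogLevel filters the summary away; `ssl_log_ssl_error(APLOG_MARK, APLOG_WARNING, r->server);` keeps the two together, the way the INFO branch of the handshake hunk in mod_ssl.c pairs its call with `APLOG_INFO`. Every other call site in this commit repeats the level in two vocabularies (`SSL_LOG_*` for `ssl_log`, then `APLOG_*` for `ssl_log_ssl_error`), which is what makes this kind of drift easy to miss until the remaining `ssl_log` calls are migrated. The enclosing function starts and ends outside the hunk.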
  @@ -600,9 +601,10 @@
           cert_store = X509_STORE_new();
   
           if (!X509_STORE_load_locations(cert_store, ca_file, ca_path)) {
  -            ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +            ssl_log(r->server, SSL_LOG_ERROR,
                       "Unable to reconfigure verify locations "
                       "for client authentication");
  +            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
   
               X509_STORE_free(cert_store);
   
  @@ -756,8 +758,9 @@
                                          (char *)ssl);
   
               if (!modssl_X509_verify_cert(&cert_store_ctx)) {
  -                ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR, 
  +                ssl_log(r->server, SSL_LOG_ERROR,
                           "Re-negotiation verification step failed");
  +                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
               }
   
               SSL_set_verify_result(ssl, cert_store_ctx.error);
  
  
  
  1.19      +24 -0     httpd-2.0/modules/ssl/ssl_engine_log.c
  
  Index: ssl_engine_log.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_log.c,v
  retrieving revision 1.18
  retrieving revision 1.19
  diff -u -r1.18 -r1.19
  --- ssl_engine_log.c	30 Apr 2002 03:47:31 -0000	1.18
  +++ ssl_engine_log.c	15 May 2002 23:10:33 -0000	1.19
  @@ -321,3 +321,27 @@
       exit(1);
   }
   
  +/*
  + * Prints the SSL library error information.
  + */
  +void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
  +{
  +    unsigned long e;
  +
  +    while ((e = ERR_get_error())) {
  +        char *err, *annotation;
  +        err = ERR_error_string(e, NULL);
  +        annotation = ssl_log_annotation(err);
  +
  +        if (annotation) {
  +            ap_log_error(file, line, level|APLOG_NOERRNO, 0, s,
  +                         "SSL Library Error: %ld %s %s",
  +                         e, err, annotation); 
  +        }
  +        else {
  +            ap_log_error(file, line, level|APLOG_NOERRNO, 0, s,
  +                         "SSL Library Error: %ld %s",
  +                         e, err); 
  +        }
  +    }
  +}
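Review bot: `e` is declared `unsigned long` but both format strings print it with `%ld`; the matching specifier is `%lu`, as in `"SSL Library Error: %lu %s %s"`. `ERR_error_string(e, NULL)` also returns a pointer into a static buffer, which the OpenSSL documentation describes as not thread-safe, so under a threaded MPM two connections logging at the same time can hand `ssl_log_annotation` and `ap_log_error` each other's text; `ERR_error_string_n()` writing into a local buffer avoids that. The header comment could say what the loop actually does, since callers rely on it: `/* Drain the OpenSSL error queue, logging one line per entry at the given level. */`, and the two `ap_log_error` calls carry trailing whitespace.
```c
void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
{
    unsigned long e;

    while ((e = ERR_get_error())) {
        char err[256];
        char *annotation;

        /* local buffer: the NULL-buffer form of ERR_error_string() returns
         * a pointer into a buffer shared by all threads */
        ERR_error_string_n(e, err, sizeof err);
        annotation = ssl_log_annotation(err);

        if (annotation) {
            ap_log_error(file, line, level|APLOG_NOERRNO, 0, s,
                         "SSL Library Error: %lu %s %s",
                         e, err, annotation);
        }
        else {
            ap_log_error(file, line, level|APLOG_NOERRNO, 0, s,
                         "SSL Library Error: %lu %s",
                         e, err);
        }
    }
}
```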
  
  
  
  1.37      +17 -8     httpd-2.0/modules/ssl/ssl_engine_pphrase.c
  
  Index: ssl_engine_pphrase.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_pphrase.c,v
  retrieving revision 1.36
  retrieving revision 1.37
  diff -u -r1.36 -r1.37
  --- ssl_engine_pphrase.c	1 May 2002 19:28:52 -0000	1.36
  +++ ssl_engine_pphrase.c	15 May 2002 23:10:33 -0000	1.37
  @@ -230,8 +230,9 @@
                   ssl_die();
               }
               if ((pX509Cert = SSL_read_X509(szPath, NULL, NULL)) == NULL) {
  -                ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +                ssl_log(s, SSL_LOG_ERROR,
                           "Init: Unable to read server certificate from file %s", szPath);
  +                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
                   ssl_die();
               }
   
  @@ -242,8 +243,9 @@
               at = ssl_util_algotypeof(pX509Cert, NULL);
               an = ssl_util_algotypestr(at);
               if (algoCert & at) {
  -                ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +                ssl_log(s, SSL_LOG_ERROR,
                           "Init: Multiple %s server certificates not allowed", an);
  +                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
                   ssl_die();
               }
               algoCert |= at;
  @@ -409,8 +411,9 @@
                   }
   #ifdef WIN32
                   if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN) {
  -                    ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +                    ssl_log(s, SSL_LOG_ERROR,
                               "Init: PassPhraseDialog BuiltIn not supported in server private
key from file %s", szPath);
  +                    ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
                       ssl_die();
                   }
   #endif /* WIN32 */
  @@ -422,12 +425,14 @@
                       if (nPassPhraseDialogCur && pkey_mtime &&
                           !(isterm = isatty(fileno(stdout)))) /* XXX: apr_isatty() */
                       {
  -                        ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +                        ssl_log(pServ, SSL_LOG_ERROR,
                                   "Init: Unable read passphrase "
                                   "[Hint: key introduced or changed before restart?]");
  +                        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ);
                       }
                       else {
  -                        ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Private key
not found");
  +                        ssl_log(pServ, SSL_LOG_ERROR, "Init: Private key not found");
  +                        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ);
                       }
                       if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
                             || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE)
{
  @@ -436,7 +441,9 @@
                       }
                   }
                   else {
  -                    ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Pass phrase incorrect");
  +                    ssl_log(pServ, SSL_LOG_ERROR, "Init: Pass phrase incorrect");
  +                    ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ);
  +
                       if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
                             || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE)
{
                           apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase incorrect.\n");
  @@ -447,8 +454,9 @@
               }
   
               if (pPrivateKey == NULL) {
  -                ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +                ssl_log(s, SSL_LOG_ERROR,
                           "Init: Unable to read server private key from file %s [Hint: Perhaps
it is in a separate file?  See SSLCertificateKeyFile]", szPath);
  +                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
                   ssl_die();
               }
   
  @@ -459,8 +467,9 @@
               at = ssl_util_algotypeof(NULL, pPrivateKey);
               an = ssl_util_algotypestr(at);
               if (algoKey & at) {
  -                ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +                ssl_log(s, SSL_LOG_ERROR,
                           "Init: Multiple %s server private keys not allowed", an);
  +                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
                   ssl_die();
               }
               algoKey |= at;
  
  
  
