/* Licensed to the Apache Software Foundation (ASF) under one or more

 * contributor license agreements.  See the NOTICE file distributed with

 * this work for additional information regarding copyright ownership.

 * The ASF licenses this file to You under the Apache License, Version 2.0

 * (the "License"); you may not use this file except in compliance with

 * the License.  You may obtain a copy of the License at

 *

 *     http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

/*                      _             _

 *  _ __ ___   ___   __| |    ___ ___| |  mod_ssl

 * | '_ ` _ \ / _ \ / _` |   / __/ __| |  Apache Interface to OpenSSL

 * | | | | | | (_) | (_| |   \__ \__ \ |

 * |_| |_| |_|\___/ \__,_|___|___/___/_|

 *                      |_____|

 *  ssl_engine_log.c

 *  Logging Facility

 */

                             /* ``The difference between a computer

                                  industry job and open-source software

                                  hacking is about 30 hours a week.''

                                         -- Ralf S. Engelschall     */

#include "ssl_private.h"

/*  _________________________________________________________________

**

**  Logfile Support

**  _________________________________________________________________

*/

static const struct {

    const char *cpPattern;

    const char *cpAnnotation;

} ssl_log_annotate[] = {

    { "*envelope*bad*decrypt*", "wrong pass phrase!?" },

    { "*CLIENT_HELLO*unknown*protocol*", "speaking not SSL to HTTPS port!?" },

    { "*CLIENT_HELLO*http*request*", "speaking HTTP to HTTPS port!?" },

    { "*SSL3_READ_BYTES:sslv3*alert*bad*certificate*", "Subject CN in certificate not server name or identical to CA!?" },

    { "*self signed certificate in certificate chain*", "Client certificate signed by CA not known to server?" },

    { "*peer did not return a certificate*", "No CAs known to server for verification?" },

    { "*no shared cipher*", "Too restrictive SSLCipherSuite or using DSA server certificate?" },

    { "*no start line*", "Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?" },

    { "*bad password read*", "You entered an incorrect pass phrase!?" },

    { "*bad mac decode*", "Browser still remembered details of a re-created server certificate?" },

    { NULL, NULL }

};

static const char *ssl_log_annotation(const char *error)

{

    int i = 0;

    while (ssl_log_annotate[i].cpPattern != NULL

           && ap_strcmp_match(error, ssl_log_annotate[i].cpPattern) != 0)

        i++;

    return ssl_log_annotate[i].cpAnnotation;

}

apr_status_t ssl_die(server_rec *s)

{

    if (s != NULL && s->is_virtual && s->error_fname != NULL)

        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, NULL, APLOGNO(02311)

                     "Fatal error initialising mod_ssl, exiting. "

                     "See %s for more information",

                     ap_server_root_relative(s->process->pool,

                                             s->error_fname));

    else

        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, NULL, APLOGNO(02312)

                     "Fatal error initialising mod_ssl, exiting.");

    return APR_EGENERAL;

}

/*

 * Prints the SSL library error information.

 */

void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)

{

    unsigned long e;

    const char *data;

    int flags;

    while ((e = ERR_peek_error_line_data(NULL, NULL, &data, &flags))) {

        const char *annotation;

        char err[256];

        if (!(flags & ERR_TXT_STRING)) {

            data = NULL;

        }

        ERR_error_string_n(e, err, sizeof err);

        annotation = ssl_log_annotation(err);

        ap_log_error(file, line, APLOG_MODULE_INDEX, level, 0, s,

                     "SSL Library Error: %s%s%s%s%s%s",

                     /* %s */

                     err,

                     /* %s%s%s */

                     data ? " (" : "", data ? data : "", data ? ")" : "",

                     /* %s%s */

                     annotation ? " -- " : "",

                     annotation ? annotation : "");

        /* Pop the error off the stack: */

        ERR_get_error();

    }

}

static void ssl_log_cert_error(const char *file, int line, int level,

                               apr_status_t rv, const server_rec *s,

                               const conn_rec *c, const request_rec *r,

                               apr_pool_t *p, X509 *cert, const char *format,

                               va_list ap)

{

    char buf[HUGE_STRING_LEN];

    int msglen, n;

    char *name;

    apr_vsnprintf(buf, sizeof buf, format, ap);

    msglen = strlen(buf);

    if (cert) {

        BIO *bio = BIO_new(BIO_s_mem());

        if (bio) {

            /*

             * Limit the maximum length of the subject and issuer DN strings

             * in the log message. 300 characters should always be sufficient

             * for holding both the timestamp, module name, pid etc. stuff

             * at the beginning of the line and the trailing information about

             * serial, notbefore and notafter.

             */

            int maxdnlen = (HUGE_STRING_LEN - msglen - 300) / 2;

            BIO_puts(bio, " [subject: ");

            name = modssl_X509_NAME_to_string(p, X509_get_subject_name(cert),

                                              maxdnlen);

            if (!strIsEmpty(name)) {

                BIO_puts(bio, name);

            } else {

                BIO_puts(bio, "-empty-");

            }

            BIO_puts(bio, " / issuer: ");

            name = modssl_X509_NAME_to_string(p, X509_get_issuer_name(cert),

                                              maxdnlen);

            if (!strIsEmpty(name)) {

                BIO_puts(bio, name);

            } else {

                BIO_puts(bio, "-empty-");

            }

            BIO_puts(bio, " / serial: ");

            if (i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert)) == -1)

                BIO_puts(bio, "(ERROR)");

            BIO_puts(bio, " / notbefore: ");

            ASN1_TIME_print(bio, X509_get_notBefore(cert));

            BIO_puts(bio, " / notafter: ");

            ASN1_TIME_print(bio, X509_get_notAfter(cert));

            BIO_puts(bio, "]");

            n = BIO_read(bio, buf + msglen, sizeof buf - msglen - 1);

            if (n > 0)

               buf[msglen + n] = '\0';

            BIO_free(bio);

        }

    }

    else {

        apr_snprintf(buf + msglen, sizeof buf - msglen,

                     " [certificate: -not available-]");

    }

    if (r) {

        ap_log_rerror(file, line, APLOG_MODULE_INDEX, level, rv, r, "%s", buf);

    }

    else if (c) {

        ap_log_cerror(file, line, APLOG_MODULE_INDEX, level, rv, c, "%s", buf);

    }

    else if (s) {

        ap_log_error(file, line, APLOG_MODULE_INDEX, level, rv, s, "%s", buf);

    }

}

/*

 * Wrappers for ap_log_error/ap_log_cerror/ap_log_rerror which log additional

 * details of the X509 cert. For ssl_log_xerror, a pool needs to be passed in

 * as well (for temporary allocation of the cert's subject/issuer name strings,

 * in the other cases we use the connection and request pool, respectively).

 */

void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv,

                    apr_pool_t *ptemp, server_rec *s, X509 *cert,

                    const char *fmt, ...)

{

    if (APLOG_IS_LEVEL(s,level)) {

       va_list ap;

       va_start(ap, fmt);

       ssl_log_cert_error(file, line, level, rv, s, NULL, NULL, ptemp,

                          cert, fmt, ap);

       va_end(ap);

    }

}

void ssl_log_cxerror(const char *file, int line, int level, apr_status_t rv,

                     conn_rec *c, X509 *cert, const char *fmt, ...)

{

    if (APLOG_IS_LEVEL(mySrvFromConn(c),level)) {

       va_list ap;

       va_start(ap, fmt);

       ssl_log_cert_error(file, line, level, rv, NULL, c, NULL, c->pool,

                          cert, fmt, ap);

       va_end(ap);

    }

}

void ssl_log_rxerror(const char *file, int line, int level, apr_status_t rv,

                     request_rec *r, X509 *cert, const char *fmt, ...)

{

    if (APLOG_R_IS_LEVEL(r,level)) {

       va_list ap;

       va_start(ap, fmt);

       ssl_log_cert_error(file, line, level, rv, NULL, NULL, r, r->pool,

                          cert, fmt, ap);

       va_end(ap);

    }

}