--- /dev/null
+ * mod_log_config/mod_ssl: moved the log_handlers registered by mod_ssl
+ into mod_log_config itself. These now use the global `ap_ssl_var_lookup()`
+ functions and work for all running SSL modules.
+ The dependency from mod_ssl to mod_log_config and its header is removed.
+ mod_ssl now provides the content of "{errstr}c" as variable "SSL_CLIENT_VERIFY_ERRSTR".
+ This change should be fully compatible to all deployed configurations.
+ [Stefan Eissing]
\ No newline at end of file
#include "http_core.h" /* For REMOTE_NAME */
#include "http_log.h"
#include "http_protocol.h"
+#include "http_ssl.h"
#include "util_time.h"
#include "ap_mpm.h"
#include "ap_provider.h"
return apr_itoa(r->pool, num);
}
+static const char *log_ssl_var(request_rec *r, char *a)
+{
+ const char *result;
+
+ /* Any SSL module responsible for the connection/request will provide the value */
+ result = ap_ssl_var_lookup(r->pool, r->server, r->connection, r, a);
+ return (result && result[0])? result : NULL;
+}
+
+static const char *log_ssl_var_short(request_rec *r, char *a)
+{
+ /* Several shortcut names, previously defined and installed in mod_ssl
+ * that lookup SSL variables. */
+ if (!strcasecmp(a, "version"))
+ return log_ssl_var(r, "SSL_PROTOCOL");
+ else if (!strcasecmp(a, "cipher"))
+ return log_ssl_var(r, "SSL_CIPHER");
+ else if (!strcasecmp(a, "subjectdn") || !strcasecmp(a, "clientcert"))
+ return log_ssl_var(r, "SSL_CLIENT_S_DN");
+ else if (!strcasecmp(a, "issuerdn") || !strcasecmp(a, "cacert"))
+ return log_ssl_var(r, "SSL_CLIENT_I_DN");
+ else if (!strcasecmp(a, "errcode"))
+ /* Copied from mod_ssl for backward compatibility. */
+ return "-";
+ else if (!strcasecmp(a, "errstr"))
+ return log_ssl_var(r, "SSL_CLIENT_VERIFY_ERRSTR");
+ return NULL;
+}
+
/*****************************************************************
*
* Parsing the log format string
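Review bot: `log_ssl_var` returns the string from `ap_ssl_var_lookup()` to the log line as-is (the `return (result && result[0])? result : NULL;` line); for items such as `SSL_CLIENT_S_DN`, `SSL_CLIENT_I_DN` and whatever name a `%{...}x` configuration picks, that content originates in the peer's certificate, and whether the providing SSL module strips control characters before handing it back is not visible from this hunk. The removed mod_ssl handlers passed the value through the same way, so this is not a regression, but moving the handlers into mod_log_config is the natural point to either confirm the providers escape, or return `ap_escape_logitem(r->pool, result)` in place of `result` so these items behave like, as far as I recall, the module's header and env handlers do. Separately, the shortcut names in `log_ssl_var_short` are now matched with `strcasecmp` where the removed handler used exact `strEQ`; that is a compatible widening, but the comment should say so, e.g. `/* Tag names match case-insensitively; the old mod_ssl handler was case-sensitive. */`.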
log_pfn_register(p, "^ti", log_trailer_in, 0);
log_pfn_register(p, "^to", log_trailer_out, 0);
+
+ /* these used to be part of mod_ssl, but with the introduction
+ * of ap_ssl_var_lookup() they are added here directly so lookups
+ * from all installed SSL modules work.
+ * We keep the old tag names to remain backward compatible. */
+ log_pfn_register(p, "c", log_ssl_var_short, 0);
+ log_pfn_register(p, "x", log_ssl_var, 0);
}
/* reset to default conditions */
apr_pool_cleanup_null);
#endif
- /* Register us to handle mod_log_config %c/%x variables */
- ssl_var_log_config_register(pconf);
-
/* Register to handle mod_status status page generation */
ssl_scache_status_register(pconf);
else if (ssl != NULL && strcEQ(var, "CLIENT_VERIFY")) {
result = ssl_var_lookup_ssl_cert_verify(p, sslconn);
}
+ else if (ssl != NULL && strcEQ(var, "CLIENT_VERIFY_ERRSTR")) {
+ result = sslconn->verify_error;
+ }
else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "CLIENT_", 7)) {
if ((xs = SSL_get_peer_certificate(ssl)) != NULL) {
result = ssl_var_lookup_ssl_cert(p, r, xs, var+7);
return result;
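Review bot: The new `CLIENT_VERIFY_ERRSTR` branch assigns `sslconn->verify_error` directly, which is presumably NULL when verification recorded no error; that mirrors the removed `%{errstr}c` handler, but the value is now reachable through every consumer of `ap_ssl_var_lookup()` (`%{SSL_CLIENT_VERIFY_ERRSTR}x`, and likely mod_rewrite and `<If>` expression lookups), so it is worth confirming that the enclosing lookup normalizes a NULL result the same way the `CLIENT_VERIFY` branch above is handled. The variable also belongs in mod_ssl's documented variable list next to `SSL_CLIENT_VERIFY`, since the CHANGES entry introduces it as a public name. A short comment on the branch would help future readers, e.g. `/* Text of the last client-cert verification error; backs %{errstr}c in mod_log_config. */`. The enclosing function begins and ends outside this hunk.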
}
-/* _________________________________________________________________
-**
-** SSL Extension to mod_log_config
-** _________________________________________________________________
-*/
-
-#include "../../modules/loggers/mod_log_config.h"
-
-static const char *ssl_var_log_handler_c(request_rec *r, char *a);
-static const char *ssl_var_log_handler_x(request_rec *r, char *a);
-
-/*
- * register us for the mod_log_config function registering phase
- * to establish %{...}c and to be able to expand %{...}x variables.
- */
-void ssl_var_log_config_register(apr_pool_t *p)
-{
- APR_OPTIONAL_FN_TYPE(ap_register_log_handler) *log_pfn_register;
-
- log_pfn_register = APR_RETRIEVE_OPTIONAL_FN(ap_register_log_handler);
-
- if (log_pfn_register) {
- log_pfn_register(p, "c", ssl_var_log_handler_c, 0);
- log_pfn_register(p, "x", ssl_var_log_handler_x, 0);
- }
- return;
-}
-
-/*
- * implement the %{..}c log function
- * (we are the only function)
- */
-static const char *ssl_var_log_handler_c(request_rec *r, char *a)
-{
- const SSLConnRec *sslconn = ssl_get_effective_config(r->connection);
- const char *result;
-
- if (sslconn == NULL || sslconn->ssl == NULL)
- return NULL;
- result = NULL;
- if (strEQ(a, "version"))
- result = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_PROTOCOL");
- else if (strEQ(a, "cipher"))
- result = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CIPHER");
- else if (strEQ(a, "subjectdn") || strEQ(a, "clientcert"))
- result = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_S_DN");
- else if (strEQ(a, "issuerdn") || strEQ(a, "cacert"))
- result = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_I_DN");
- else if (strEQ(a, "errcode"))
- result = "-";
- else if (strEQ(a, "errstr"))
- result = sslconn->verify_error;
- if (result != NULL && result[0] == NUL)
- result = NULL;
- return result;
-}
-
-/*
- * extend the implementation of the %{..}x log function
- * (there can be more functions)
- */
-static const char *ssl_var_log_handler_x(request_rec *r, char *a)
-{
- const char *result;
-
- result = ssl_var_lookup(r->pool, r->server, r->connection, r, a);
- if (result != NULL && result[0] == NUL)
- result = NULL;
- return result;
-}
-
-
AP_FN_ATTR_NONNULL((1, 2, 5)) AP_FN_ATTR_WARN_UNUSED_RESULT;
apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, const char *extension);
-void ssl_var_log_config_register(apr_pool_t *p);
-
/* Extract SSL_*_DN_* variables into table 't' from SSL object 'ssl',
* allocating from 'p': */
void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p);