From: Stefan Eissing Date: Tue, 18 May 2021 14:42:52 +0000 (+0000) Subject: * mod_log_config/mod_ssl: moved the log_handlers registered by mod_ssl X-Git-Tag: 2.5.0-alpha2-ci-test-only~938 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0dbc5ca0769aa35f0b956294b2c85726d3ea6466;p=thirdparty%2Fapache%2Fhttpd.git * mod_log_config/mod_ssl: moved the log_handlers registered by mod_ssl into mod_log_config itself. These now use the global `ap_ssl_var_lookup()` functions and work for all running SSL modules. The dependency from mod_ssl to mod_log_config and its header is removed. mod_ssl now provides the content of "{errstr}c" as variable "SSL_CLIENT_VERIFY_ERRSTR". This change should be fully compatible to all deployed configurations. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890003 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/changes-entries/ssl_log_handler_move.txt b/changes-entries/ssl_log_handler_move.txt
new file mode 100644
index 00000000000..45340715f2d
--- /dev/null
+++ b/changes-entries/ssl_log_handler_move.txt
@@ -0,0 +1,7 @@
+ * mod_log_config/mod_ssl: moved the log_handlers registered by mod_ssl
+ into mod_log_config itself. These now use the global `ap_ssl_var_lookup()`
+ functions and work for all running SSL modules.
+ The dependency from mod_ssl to mod_log_config and its header is removed.
+ mod_ssl now provides the content of "{errstr}c" as variable "SSL_CLIENT_VERIFY_ERRSTR".
+ This change should be fully compatible to all deployed configurations.
+ [Stefan Eissing]
\ No newline at end of file
diff --git a/modules/loggers/mod_log_config.c b/modules/loggers/mod_log_config.c
index 9e6b3a7e1bf..828e23f8b35
--- a/modules/loggers/mod_log_config.c
+++ b/modules/loggers/mod_log_config.c
@@ -162,6 +162,7 @@
 #include "http_core.h" /* For REMOTE_NAME */
 #include "http_log.h"
 #include "http_protocol.h"
+#include "http_ssl.h"
 #include "util_time.h"
 #include "ap_mpm.h"
 #include "ap_provider.h"
@@ -913,6 +914,35 @@ static const char *log_requests_on_connection(request_rec *r, char *a)
 return apr_itoa(r->pool, num);
 }
+static const char *log_ssl_var(request_rec *r, char *a)
+{
+ const char *result;
+
+ /* Any SSL module responsible for the connection/request will provide the value */
+ result = ap_ssl_var_lookup(r->pool, r->server, r->connection, r, a);
+ return (result && result[0])? result : NULL;
+}
+
+static const char *log_ssl_var_short(request_rec *r, char *a)
+{
+ /* Several shortcut names, previously defined and installed in mod_ssl
+ * that lookup SSL variables. */
+ if (!strcasecmp(a, "version"))
+ return log_ssl_var(r, "SSL_PROTOCOL");
+ else if (!strcasecmp(a, "cipher"))
+ return log_ssl_var(r, "SSL_CIPHER");
+ else if (!strcasecmp(a, "subjectdn") || !strcasecmp(a, "clientcert"))
+ return log_ssl_var(r, "SSL_CLIENT_S_DN");
+ else if (!strcasecmp(a, "issuerdn") || !strcasecmp(a, "cacert"))
+ return log_ssl_var(r, "SSL_CLIENT_I_DN");
+ else if (!strcasecmp(a, "errcode"))
+ /* Copied from mod_ssl for backward compatibility. */
+ return "-";
+ else if (!strcasecmp(a, "errstr"))
+ return log_ssl_var(r, "SSL_CLIENT_VERIFY_ERRSTR");
+ return NULL;
+}
+
 /*****************************************************************
 *
 * Parsing the log format string
@@ -1869,6 +1899,13 @@ static int log_pre_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp)
 log_pfn_register(p, "^ti", log_trailer_in, 0);
 log_pfn_register(p, "^to", log_trailer_out, 0);
+
+ /* these used to be part of mod_ssl, but with the introduction
+ * of ap_ssl_var_lookup() they are added here directly so lookups
+ * from all installed SSL modules work.
+ * We keep the old tag names to remain backward compatible. */
+ log_pfn_register(p, "c", log_ssl_var_short, 0);
+ log_pfn_register(p, "x", log_ssl_var, 0);
 }
 /* reset to default conditions */
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index c296cc30f11..47a28404561
--- a/modules/ssl/mod_ssl.c
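Review bot: `log_ssl_var` hands the `ap_ssl_var_lookup()` result to the access log verbatim, so any control characters in peer-supplied values (subject/issuer DN attributes and SAN entries of a client certificate, or the multi-line PEM behind `%{SSL_CLIENT_CERT}x`) reach the log with only whatever escaping the providing SSL module applied. The other handlers in this file appear to route their output through `ap_escape_logitem()` (not visible in the hunk, please confirm), whereas the mod_ssl handlers being removed did not, so moving the code here is the natural point to decide which contract applies and to write it down. If escaping is adopted, `return (result && result[0]) ? ap_escape_logitem(r->pool, result) : NULL;` in `log_ssl_var` covers both `%{...}x` and the `%{...}c` shortcuts, at the cost of changing how multi-line values such as `SSL_CLIENT_CERT` render, which the "fully compatible" claim in the commit message would then need to qualify. If the unescaped behaviour is intended, a comment on `log_ssl_var` such as `/* Value is logged as returned; escaping of peer-controlled content is the SSL module's responsibility. */` keeps the next reader from assuming the sibling handlers' guarantee.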
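Review bot: The comment above the two new `log_pfn_register` calls in `log_pre_config` says the old tag names are kept for backward compatibility, but the registration is now unconditional, so a `LogFormat` containing `%{...}x` or `%{...}c` is accepted even when no SSL module is loaded and then logs `-` for every request. Before this commit the only registration lived in mod_ssl's pre_config (removed in the mod_ssl.c hunk), so with mod_ssl absent such a format presumably failed at startup as an unrecognized directive; silently logging `-` is arguably better, but it is a visible change for anyone relying on that startup error. The comment should state it: `/* Registered unconditionally: without an SSL module these tags always log "-". */`. `log_pre_config` begins and ends outside the hunk.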
+++ b/modules/ssl/mod_ssl.c
@@ -452,9 +452,6 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
 apr_pool_cleanup_null);
 #endif
- /* Register us to handle mod_log_config %c/%x variables */
- ssl_var_log_config_register(pconf);
-
 /* Register to handle mod_status status page generation */
 ssl_scache_status_register(pconf);
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
index 197b777a3f9..56b8702aa88
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
@@ -486,6 +486,9 @@ static const char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn,
 else if (ssl != NULL && strcEQ(var, "CLIENT_VERIFY")) {
 result = ssl_var_lookup_ssl_cert_verify(p, sslconn);
 }
+ else if (ssl != NULL && strcEQ(var, "CLIENT_VERIFY_ERRSTR")) {
+ result = sslconn->verify_error;
+ }
 else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "CLIENT_", 7)) {
 if ((xs = SSL_get_peer_certificate(ssl)) != NULL) {
 result = ssl_var_lookup_ssl_cert(p, r, xs, var+7);
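Review bot: The new `CLIENT_VERIFY_ERRSTR` branch in `ssl_var_lookup_ssl` relies on its position: the generic `strcEQn(var, "CLIENT_", 7)` branch right below would otherwise match the same name and, when a peer certificate is present, call `ssl_var_lookup_ssl_cert(p, r, xs, "VERIFY_ERRSTR")` looking for a certificate field. That ordering constraint is silent in the hunk; a one-liner on the new branch, `/* Must stay ahead of the generic CLIENT_ prefix match below. */`, protects it from a well-meaning reorder. This also makes `SSL_CLIENT_VERIFY_ERRSTR` a new name in the public `SSL_*` variable namespace reachable through `ap_ssl_var_lookup()` (and presumably the other places mod_ssl exposes these variables), yet the diff adds no entry to the mod_ssl variable documentation; that should accompany the change. `ssl_var_lookup_ssl` begins and ends outside the hunk.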
@@ -1225,75 +1228,3 @@ static const char *ssl_var_lookup_ssl_compress_meth(SSL *ssl)
 return result;
 }
-/* _________________________________________________________________
-**
-** SSL Extension to mod_log_config
-** _________________________________________________________________
-*/
-
-#include "../../modules/loggers/mod_log_config.h"
-
-static const char *ssl_var_log_handler_c(request_rec *r, char *a);
-static const char *ssl_var_log_handler_x(request_rec *r, char *a);
-
-/*
- * register us for the mod_log_config function registering phase
- * to establish %{...}c and to be able to expand %{...}x variables.
- */
-void ssl_var_log_config_register(apr_pool_t *p)
-{
- APR_OPTIONAL_FN_TYPE(ap_register_log_handler) *log_pfn_register;
-
- log_pfn_register = APR_RETRIEVE_OPTIONAL_FN(ap_register_log_handler);
-
- if (log_pfn_register) {
- log_pfn_register(p, "c", ssl_var_log_handler_c, 0);
- log_pfn_register(p, "x", ssl_var_log_handler_x, 0);
- }
- return;
-}
-
-/*
- * implement the %{..}c log function
- * (we are the only function)
- */
-static const char *ssl_var_log_handler_c(request_rec *r, char *a)
-{
- const SSLConnRec *sslconn = ssl_get_effective_config(r->connection);
- const char *result;
-
- if (sslconn == NULL || sslconn->ssl == NULL)
- return NULL;
- result = NULL;
- if (strEQ(a, "version"))
- result = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_PROTOCOL");
- else if (strEQ(a, "cipher"))
- result = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CIPHER");
- else if (strEQ(a, "subjectdn") || strEQ(a, "clientcert"))
- result = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_S_DN");
- else if (strEQ(a, "issuerdn") || strEQ(a, "cacert"))
- result = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_I_DN");
- else if (strEQ(a, "errcode"))
- result = "-";
- else if (strEQ(a, "errstr"))
- result = sslconn->verify_error;
- if (result != NULL && result[0] == NUL)
- result = NULL;
- return result;
-}
-
-/*
- 
extend the implementation of the %{..}x log function
- * (there can be more functions)
- */
-static const char *ssl_var_log_handler_x(request_rec *r, char *a)
-{
- const char *result;
-
- result = ssl_var_lookup(r->pool, r->server, r->connection, r, a);
- if (result != NULL && result[0] == NUL)
- result = NULL;
- return result;
-}
-
-
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 83706982ca8..67176652cfb
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -1121,8 +1121,6 @@ const char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_r
 AP_FN_ATTR_NONNULL((1, 2, 5)) AP_FN_ATTR_WARN_UNUSED_RESULT;
 apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, const char *extension);
-void ssl_var_log_config_register(apr_pool_t *p);
-
 /* Extract SSL_*_DN_* variables into table 't' from SSL object 'ssl',
 * allocating from 'p': */
 void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p);