Diffstat (limited to 'nss_engine_log.c')
-rw-r--r--nss_engine_log.c323
1 files changed, 323 insertions, 0 deletions
diff --git a/nss_engine_log.c b/nss_engine_log.c
new file mode 100644
index 0000000..f3f1566
--- /dev/null
+++ b/nss_engine_log.c
@@ -0,0 +1,323 @@
+/* Copyright 2001-2004 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* _________________________________________________________________
+**
+** Logfile Support
+** _________________________________________________________________
+*/
+
+#include "mod_nss.h"
+#include "prerror.h"
+
+#define NSPR_ERROR_BASE PR_NSPR_ERROR_BASE
+#define NSPR_MAX_ERROR (PR_MAX_ERROR - 1)
+#define LIBSEC_ERROR_BASE -8192
+#define LIBSEC_MAX_ERROR (LIBSEC_ERROR_BASE + 144)
+#define LIBSSL_ERROR_BASE -12288
+#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 102)
+
+typedef struct l_error_t {
+ int errorNumber;
+ const char *errorString;
+} l_error_t;
+
+l_error_t libsec_errors[] = {
+ { 0, "I/O Error" },
+ { 1, "Library Failure" },
+ { 2, "Bad data was received" },
+ { 3, "Security library: output length error" },
+ { 4, "Security library has experienced an input length error" },
+ { 5, "Security library: invalid arguments" },
+ { 6, "Certificate contains invalid encryption or signature algorithm" },
+ { 7, "Security library: invalid AVA" },
+ { 8, "Certificate contains an invalid time value" },
+ { 9, "Certificate is improperly DER encoded" },
+ { 10, "Certificate has invalid signature" },
+ { 11, "Certificate has expired" },
+ { 12, "Certificate has been revoked" },
+ { 13, "Certificate is signed by an unknown issuer" },
+ { 14, "Invalid public key in certificate" },
+ { 15, "The security password entered is incorrect" },
+ { 16, "SEC_ERROR_UNUSED" },
+ { 17, "Security library: no nodelock" },
+ { 18, "Problem using certificate or key database" },
+ { 19, "Out of Memory" },
+ { 20, "Certificate is signed by an untrusted issuer" },
+ { 21, "Peer's certificate has been marked as not trusted" },
+ { 22, "Certificate already exists in your database" },
+ { 23, "Downloaded certificate's name duplicates one already in your database" },
+ { 24, "Error adding certificate to database" },
+ { 25, "Error refiling the key for this certificate" },
+ { 26, "The private key for this certificate cannot be found in key database" },
+ { 27, "This certificate is valid" },
+ { 28, "This certificate is not valid" },
+ { 29, "Cert Library: No Response" },
+ { 30, "The certificate issuer's certificate has expired. Check your system date and time" },
+ { 31, "The CRL for the certificate's issuer has expired. Update it or check your system date and time" },
+ { 32, "The CRL for the certificate's issuer has an invalid signature" },
+ { 33, "New CRL has an invalid format" },
+ { 34, "Certificate extension value is invalid" },
+ { 35, "Certificate extension not found" },
+ { 36, "Issuer certificate is invalid" },
+ { 37, "Certificate path length constraint is invalid" },
+ { 38, "Certificate usages field is invalid" },
+ { 39, "**Internal ONLY module**" },
+ { 40, "The key does not support the requested operation" },
+ { 41, "Certificate contains unknown critical extension" },
+ { 42, "New CRL is not later than the current one" },
+ { 43, "Not encrypted or signed: you do not yet have an email certificate" },
+ { 44, "Not encrypted: you do not have certificates for each of the recipients" },
+ { 45, "Cannot decrypt: you are not a recipient, or matching certificate and private key not found" },
+ { 46, "Cannot decrypt: key encryption algorithm does not match your certificate" },
+ { 47, "Signature verification failed: no signer found, too many signers found, or improper or corrupted data" },
+ { 48, "Unsupported or unknown key algorithm" },
+ { 49, "Cannot decrypt: encrypted using a disallowed algorithm or key size" },
+ { 50, "XP_Fortezza card has not been properly initialized. Please remove it and return it to your issuer" },
+ { 51, "XP_No Fortezza cards Found" },
+ { 52, "XP_No Fortezza card selected" },
+ { 53, "XP_Please select a personality to get more info on" },
+ { 54, "XP_Personality not found" },
+ { 55, "XP_No more information on that Personality" },
+ { 56, "XP_Invalid Pin" },
+ { 57, "XP_Couldn't initialize Fortezza personalities" },
+ { 58, "No KRL for this site's certificate has been found" },
+ { 59, "The KRL for this site's certificate has expired" },
+ { 60, "The KRL for this site's certificate has an invalid signature" },
+ { 61, "The key for this site's certificate has been revoked" },
+ { 62, "New KRL has an invalid format" },
+ { 63, "security library: need random data" },
+ { 64, "security library: no security module can perform the requested operation" },
+ { 65, "The security card or token does not exist, needs to be initialized, or has been removed" },
+ { 66, "security library: read-only database" },
+ { 67, "No slot or token was selected" },
+ { 68, "A certificate with the same nickname already exists" },
+ { 69, "A key with the same nickname already exists" },
+ { 70, "error while creating safe object" },
+ { 71, "error while creating baggage object" },
+ { 72, "Couldn't remove the principal" },
+ { 73, "Couldn't delete the privilege" },
+ { 74, "This principal doesn't have a certificate" },
+ { 75, "Required algorithm is not allowed" },
+ { 76, "Error attempting to export certificates" },
+ { 77, "Error attempting to import certificates" },
+ { 78, "Unable to import. Decoding error. File not valid" },
+ { 79, "Unable to import. Invalid MAC. Incorrect password or corrupt file" },
+ { 80, "Unable to import. MAC algorithm not supported" },
+ { 81, "SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE" },
+ { 82, "Unable to import. File structure is corrupt." },
+ { 83, "Unable to import. Encryption algorithm not supported." },
+ { 84, "Unable to import. File version not supported." },
+ { 85, "SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT" },
+ { 86, "Unable to import. Same nickname already exists in database." },
+ { 87, "The user pressed cancel." },
+ { 88, "Not imported, already in database." },
+ { 89, "Message not sent." },
+ { 90, "Certificate key usage inadequate for attempted operation." },
+ { 91, "Certificate type not approved for application." },
+ { 92, "Address in signing certificate does not match address in message headers." },
+ { 93, "Unable to import. Error attempting to import private key." },
+ { 94, "Unable to import. Error attempting to import certificate chain." },
+ { 95, "Unable to export. Unable to locate certificate or key by nickname." },
+ { 96, "Unable to export. Private Key could not be located and exported." },
+ { 97, "Unable to export. Unable to write the export file." },
+ { 98, "Unable to import. Unable to read the import file." },
+ { 99, "Unable to export. Key database corrupt or deleted." },
+ { 100, "Unable to generate public/private key pair." },
+ { 101, "Password entered is invalid. Please pick a different one." },
+ { 102, "Old password entered incorrectly. Please try again." },
+ { 103, "Certificate nickname already in use." },
+ { 104, "Peer FORTEZZA chain has a non-FORTEZZA Certificate." },
+ { 105, "A sensitive key cannot be moved to the slot where it is needed." },
+ { 106, "Invalid module name." },
+ { 107, "Invalid module path/filename" },
+ { 108, "Unable to add module" },
+ { 109, "Unable to delete module" },
+ { 110, "New KRL is not later than the current one." },
+ { 111, "New CKL has different issuer than current CKL. Delete current CKL" },
+ { 112, "The Certifying Authority for this certificate is not permitted to issue a certificate with this name" },
+ { 113, "The key revocation list for this certificate is not yet valid" },
+ { 114, "The certificate revocation list for this certificate is not yet valid" },
+ { 115, "The requested certificate could not be found" },
+ { 116, "The signer's certificate could not be found" },
+ { 117, "The location for the certificate status server has invalid format" },
+ { 118, "The OCSP response cannot be fully decoded; it is of an unknown type" },
+ { 119, "The OCSP server returned unexpected/invalid HTTP data" },
+ { 120, "The OCSP server found the request to be corrupted or improperly formed" },
+ { 121, "The OCSP server experienced an internal error" },
+ { 122, "The OCSP server suggests trying again later" },
+ { 123, "The OCSP server requires a signature on this request" },
+ { 124, "The OCSP server has refused this request as unauthorized" },
+ { 125, "The OCSP server returned an unrecognizable status" },
+ { 126, "The OCSP server has no status for the certificate" },
+ { 127, "You must enable OCSP before performing this operation" },
+ { 128, "You must set the OCSP default responder before performing this operation" },
+ { 129, "The response from the OCSP server was corrupted or improperly formed" },
+ { 130, "The signer of the OCSP response is not authorized to give status for this certificate" },
+ { 131, "The OCSP response is not yet valid (contains a date in the future)" },
+ { 132, "The OCSP response contains out-of-date information" },
+ { 133, "SEC_ERROR_DIGEST_NOT_FOUND - Digest not found in S/MIME message." },
+ { 134, "SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE - Unsupported or unknown message type in S/MIME message." },
+ { 135, "SEC_ERROR_MODULE_STUCK - PK11 module is stuck." },
+ { 136, "SEC_ERROR_BAD_TEMPLATE - Bad template found when decoding DER." },
+ { 137, "SEC_ERROR_CRL_NOT_FOUND" },
+ { 138, "SEC_ERROR_REUSED_ISSUER_AND_SERIAL" },
+ { 139, "SEC_ERROR_BUSY" },
+ { 140, "SEC_ERROR_EXTRA_INPUT" },
+ { 141, "SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE" },
+ { 142, "SEC_ERROR_UNSUPPORTED_EC_POINT_FORM" },
+ { 143, "SEC_ERROR_UNRECOGNIZED_OID" },
+ { 144, "SEC_ERROR_OCSP_INVALID_SIGNING_CERT - OCSP signer certificate not found, not trusted or invalid." }
+};
+
+l_error_t libssl_errors[] = {
+ { 0, "Client does not support high-grade encryption" },
+ { 1, "Client requires high-grade encryption which is not supported" },
+ { 2, "No common encryption algorithm(s) with client" },
+ { 3, "Unable to find the certificate or key necessary for authentication" },
+ { 4, "Unable to communicate securely wih peer: peer's certificate was rejected" },
+ { 5, "Unused SSL error #5" },
+ { 6, "Protocol error" },
+ { 7, "Protocol error" },
+ { 8, "Unsupported certificate type" },
+ { 9, "Client is using unsupported SSL version" },
+ { 10, "Unused SSL error #10" },
+ { 11, "The public key in the server's own certificate does not match its private key" },
+ { 12, "Requested domain name does not match the server's certificate" },
+ { 13, "SSL_ERROR_POST_WARNING" },
+ { 14, "peer only supports SSL version 2, which is locally disabled" },
+ { 15, "SSL has received a record with an incorrect Message Authentication Code" },
+ { 16, "SSL has received an error indicating an incorrect Message Authentication Code" },
+ { 17, "SSL client cannot verify your certificate" },
+ { 18, "The server has rejected your certificate as revoked" },
+ { 19, "The server has rejected your certificate as expired" },
+ { 20, "Cannot connect: SSL is disabled" },
+ { 21, "Cannot connect: SSL peer is in another Fortezza domain" },
+ { 22, "An unknown SSL cipher suite has been requested" },
+ { 23, "No cipher suites are present and enabled in this program" },
+ { 24, "SSL received a record with bad block padding" },
+ { 25, "SSL received a record that exceeded the maximum permissible length" },
+ { 26, "SSL attempted to send a record that exceeded the maximum permissible length" },
+ { 27, "SSL received a malformed Hello Request handshake message" },
+ { 28, "SSL received a malformed Client Hello handshake message" },
+ { 29, "SSL received a malformed Server Hello handshake message" },
+ { 30, "SSL received a malformed Certificate handshake message" },
+ { 31, "SSL received a malformed Server Key Exchange handshake message" },
+ { 32, "SSL received a malformed Certificate Request handshake message" },
+ { 33, "SSL received a malformed Server Hello Done handshake message" },
+ { 34, "SSL received a malformed Certificate Verify handshake message" },
+ { 35, "SSL received a malformed Client Key Exchange handshake message" },
+ { 36, "SSL received a malformed Finished handshake message" },
+ { 37, "SSL received a malformed Change Cipher Spec record" },
+ { 38, "SSL received a malformed Alert record" },
+ { 39, "SSL received a malformed Handshake record" },
+ { 40, "SSL received a malformed Application Data record" },
+ { 41, "SSL received an unexpected Hello Request handshake message" },
+ { 42, "SSL received an unexpected Client Hello handshake message" },
+ { 43, "SSL received an unexpected Server Hello handshake message" },
+ { 44, "SSL received an unexpected Certificate handshake message" },
+ { 45, "SSL received an unexpected Server Key Exchange handshake message" },
+ { 46, "SSL received an unexpected Certificate Request handshake message" },
+ { 47, "SSL received an unexpected Server Hello Done handshake message" },
+ { 48, "SSL received an unexpected Certificate Verify handshake message" },
+ { 49, "SSL received an unexpected Cllient Key Exchange handshake message" },
+ { 50, "SSL received an unexpected Finished handshake message" },
+ { 51, "SSL received an unexpected Change Cipher Spec record" },
+ { 52, "SSL received an unexpected Alert record" },
+ { 53, "SSL received an unexpected Handshake record" },
+ { 54, "SSL received an unexpected Application Data record" },
+ { 55, "SSL received a record with an unknown content type" },
+ { 56, "SSL received a handshake message with an unknown message type" },
+ { 57, "SSL received an alert record with an unknown alert description" },
+ { 58, "SSL peer has closed the connection" },
+ { 59, "SSL peer was not expecting a handshake message it received" },
+ { 60, "SSL peer was unable to succesfully decompress an SSL record it received" },
+ { 61, "SSL peer was unable to negotiate an acceptable set of security parameters" },
+ { 62, "SSL peer rejected a handshake message for unacceptable content" },
+ { 63, "SSL peer does not support certificates of the type it received" },
+ { 64, "SSL peer had some unspecified issue with the certificate it received" },
+ { 65, "SSL experienced a failure of its random number generator" },
+ { 66, "Unable to digitally sign data required to verify your certificate" },
+ { 67, "SSL was unable to extract the public key from the peer's certificate" },
+ { 68, "Unspecified failure while processing SSL Server Key Exchange handshake" },
+ { 69, "Unspecified failure while processing SSL Client Key Exchange handshake" },
+ { 70, "Bulk data encryption algorithm failed in selected cipher suite" },
+ { 71, "Bulk data decryption algorithm failed in selected cipher suite" },
+ { 72, "Attempt to write encrypted data to underlying socket failed" },
+ { 73, "MD5 digest function failed" },
+ { 74, "SHA-1 digest function failed" },
+ { 75, "MAC computation failed" },
+ { 76, "Failure to create Symmetric Key context" },
+ { 77, "Failure to unwrap the Symmetric key in Client Key Exchange message" },
+ { 78, "SSL Server attempted to use domestic-grade public key with export cipher suite" },
+ { 79, "PKCS11 code failed to translate an IV into a param" },
+ { 80, "Failed to initialize the selected cipher suite" },
+ { 81, "Failed to generate session keys for SSL session" },
+ { 82, "Server has no key for the attempted key exchange algorithm" },
+ { 83, "PKCS#11 token was inserted or removed while operation was in progress" },
+ { 84, "No PKCS#11 token could be found to do a required operation" },
+ { 85, "Cannot communicate securely with peer: no common compression algorithm(s)" },
+ { 86, "Cannot initiate another SSL handshake until current handshake is complete" },
+ { 87, "Received incorrect handshakes hash values from peer" },
+ { 88, "The certificate provided cannot be used with the selected key exchange algorithm" },
+ { 89, "There are no trusted Certificate Authorities for signing SSL client certificates" },
+ { 90, "Client's SSL session ID not found in server's session cache" },
+ { 91, "Peer was unable to decrypt an SSL record it received" },
+ { 92, "Peer received an SSL record that was longer than is permitted" },
+ { 93, "Peer does not recognize and trust the CA that issued your certificate" },
+ { 94, "Peer received a valid certificate, but access was denied" },
+ { 95, "Peer could not decode an SSL handshake message" },
+ { 96, "Peer reports failure of signature verification or key exchange" },
+ { 97, "Peer reports negotiation not in compliance with export regulations" },
+ { 98, "Peer reports incompatible or unsupported protocol version" },
+ { 99, "Server requires ciphers more secure than those supported by client" },
+ { 100, "Peer reports it experienced an internal error" },
+ { 101, "Peer user canceled handshake" },
+ { 102, "Peer does not permit renegotiation of SSL security parameters" }
+};
+
+void ssl_die(void)
+{
+ /*
+ * This is used for fatal errors and here
+ * it is common module practice to really
+ * exit from the complete program.
+ */
+ exit(1);
+}
+
+void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
+{
+ const char *err;
+ PRInt32 error;
+
+ error = PR_GetError();
+
+ if ((error >= NSPR_ERROR_BASE) && (error <= NSPR_MAX_ERROR)) {
+ return; // We aren't logging NSPR errors
+ } else if ((error >= LIBSEC_ERROR_BASE) &&
+ (error <= LIBSEC_MAX_ERROR)) {
+ err = libsec_errors[error-LIBSEC_ERROR_BASE].errorString;
+ } else if ((error >= LIBSSL_ERROR_BASE) &&
+ (error <= LIBSSL_MAX_ERROR)) {
+ err = libssl_errors[error-LIBSSL_ERROR_BASE].errorString;
+ } else {
+ err = "Unknown";
+ }
+
+ ap_log_error(file, line, level, 0, s,
+ "SSL Library Error: %d %s",
+ error, err);
+}
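Review bot: The table bounds in ssl_log_ssl_error are maintained by hand — LIBSEC_MAX_ERROR (LIBSEC_ERROR_BASE + 144) and LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 102) must match the 145 and 103 initializers in libsec_errors and libssl_errors, and today they do, but adding an entry to one without the other turns the `err = libsec_errors[...]` / `err = libssl_errors[...]` lookups into an out-of-bounds read. Deriving the upper bound from the array itself removes that drift, as below. Both tables are also plain, externally visible, mutable globals; `static const l_error_t libsec_errors[]` (and likewise for libssl_errors) keeps them out of the link namespace and in read-only storage. The errorNumber field is never read — the lookup is purely positional — which deserves a comment on the struct, e.g. `/* lookup is by array index; errorNumber is informational only */`.
```c
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* … unchanged: error tables, ssl_die … */

    if ((error >= NSPR_ERROR_BASE) && (error <= NSPR_MAX_ERROR)) {
        return; // We aren't logging NSPR errors
    } else if (error >= LIBSEC_ERROR_BASE &&
               (size_t)(error - LIBSEC_ERROR_BASE) < ARRAY_SIZE(libsec_errors)) {
        err = libsec_errors[error - LIBSEC_ERROR_BASE].errorString;
    } else if (error >= LIBSSL_ERROR_BASE &&
               (size_t)(error - LIBSSL_ERROR_BASE) < ARRAY_SIZE(libssl_errors)) {
        err = libssl_errors[error - LIBSSL_ERROR_BASE].errorString;
    } else {
        err = "Unknown";
    }
```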