| 1 | #include "httpd.h" |
| 2 | #include "http_config.h" |
| 3 | #include "http_conf_globals.h" |
| 4 | #include "http_log.h" |
| 5 | #include "http_protocol.h" |
| 6 | #include "http_request.h" |
| 7 | #include "http_core.h" |
| 8 | #include "ap_config.h" |
| 9 | #include <krb5.h> |
| 10 | |
| 11 | #if defined(sun) |
| 12 | #include <sys/ioccom.h> |
| 13 | #endif /* sun */ |
| 14 | #include <stropts.h> |
| 15 | #include <kerberosIV/krb.h> |
| 16 | #include <kerberosIV/des.h> |
| 17 | #include <afs/venus.h> |
| 18 | #include <afs/auth.h> |
| 19 | #include <rx/rxkad.h> |
| 20 | |
| 21 | #include <asm/bitops.h> |
| 22 | #include <sys/shm.h> |
| 23 | |
| 24 | #define KEYTAB_PATH "/home/drh/keytab.umweb.drhtest" |
| 25 | #define PRINCIPAL "umweb/drhtest" |
| 26 | #define AFS "afs" |
| 27 | #define IN_TKT_SERVICE "krbtgt/UMICH.EDU" |
| 28 | |
| 29 | #define K5PATH "FILE:/tmp/waklog.creds.k5" |
| 30 | #define K4PATH "/tmp/waklog.creds.k4" |
| 31 | |
| 32 | module waklog_module; |
| 33 | |
| 34 | struct ClearToken { |
| 35 | long AuthHandle; |
| 36 | char HandShakeKey[ 8 ]; |
| 37 | long ViceId; |
| 38 | long BeginTimestamp; |
| 39 | long EndTimestamp; |
| 40 | }; |
| 41 | |
| 42 | typedef struct { |
| 43 | int configured; |
| 44 | int protect; |
| 45 | char *keytab; |
| 46 | char *keytab_principal; |
| 47 | char *afs_instance; |
| 48 | } waklog_host_config; |
| 49 | |
| 50 | typedef struct { |
| 51 | krb5_timestamp endtime; /* time krbtgt expires */ |
| 52 | int getting_tgt; /* TAS flag, protecting above */ |
| 53 | } waklog_mod_config; |
| 54 | waklog_mod_config *mod = NULL; |
| 55 | |
| 56 | int shmid = -1; |
| 57 | |
| 58 | typedef struct { |
| 59 | struct ktc_token token; |
| 60 | } waklog_child_config; |
| 61 | waklog_child_config *child = NULL; |
| 62 | |
| 63 | static void * |
| 64 | waklog_create_dir_config( pool *p, char *path ) |
| 65 | { |
| 66 | waklog_host_config *cfg; |
| 67 | |
| 68 | cfg = (waklog_host_config *)ap_pcalloc( p, sizeof( waklog_host_config )); |
| 69 | cfg->configured = 0; |
| 70 | cfg->protect = 0; |
| 71 | cfg->keytab = 0; |
| 72 | cfg->keytab_principal = 0; |
| 73 | cfg->afs_instance = 0; |
| 74 | |
| 75 | return( cfg ); |
| 76 | } |
| 77 | |
| 78 | |
| 79 | static void * |
| 80 | waklog_create_server_config( pool *p, server_rec *s ) |
| 81 | { |
| 82 | waklog_host_config *cfg; |
| 83 | |
| 84 | cfg = (waklog_host_config *)ap_pcalloc( p, sizeof( waklog_host_config )); |
| 85 | cfg->configured = 0; |
| 86 | cfg->protect = 0; |
| 87 | cfg->keytab = 0; |
| 88 | cfg->keytab_principal = 0; |
| 89 | cfg->afs_instance = 0; |
| 90 | |
| 91 | return( cfg ); |
| 92 | } |
| 93 | |
| 94 | |
| 95 | static void |
| 96 | waklog_init( server_rec *s, pool *p ) |
| 97 | { |
| 98 | extern char *version; |
| 99 | static key_t shmkey = IPC_PRIVATE; |
| 100 | struct shmid_ds shmbuf; |
| 101 | |
| 102 | ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, s, |
| 103 | "mod_waklog: version %s initialized.", version ); |
| 104 | |
| 105 | if ( mod == NULL ) { |
| 106 | if (( shmid = shmget( shmkey, sizeof( waklog_mod_config ), |
| 107 | IPC_CREAT | SHM_R | SHM_W )) == -1 ) { |
| 108 | ap_log_error( APLOG_MARK, APLOG_ERR, s, |
| 109 | "mod_waklog: shmget failed" ); |
| 110 | exit ( -1 ); |
| 111 | } |
| 112 | |
| 113 | ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, s, |
| 114 | "mod_waklog: waklog_init: created shared memory segment %d", shmid ); |
| 115 | |
| 116 | if (( mod = (waklog_mod_config *) shmat( shmid, 0, 0 ) ) == |
| 117 | (waklog_mod_config *) -1 ) { |
| 118 | ap_log_error( APLOG_MARK, APLOG_ERR, s, |
| 119 | "mod_waklog: shmat failed" ); |
| 120 | /* we'll exit after removing the segment */ |
| 121 | |
| 122 | } else { |
| 123 | if ( shmctl( shmid, IPC_STAT, &shmbuf ) != 0 ) { |
| 124 | ap_log_error( APLOG_MARK, APLOG_ERR, s, |
| 125 | "mod_waklog: shmctl failed to stat" ); |
| 126 | |
| 127 | } else { |
| 128 | shmbuf.shm_perm.uid = ap_user_id; |
| 129 | shmbuf.shm_perm.gid = ap_group_id; |
| 130 | |
| 131 | if ( shmctl( shmid, IPC_SET, &shmbuf ) != 0 ) { |
| 132 | ap_log_error( APLOG_MARK, APLOG_ERR, s, |
| 133 | "mod_waklog: shmctl failed to set" ); |
| 134 | } |
| 135 | } |
| 136 | |
| 137 | } |
| 138 | |
| 139 | if ( shmctl( shmid, IPC_RMID, NULL ) != 0 ) { |
| 140 | ap_log_error( APLOG_MARK, APLOG_ERR, s, |
| 141 | "mod_waklog: shmctl failed to remove" ); |
| 142 | } |
| 143 | |
| 144 | if ( mod == (waklog_mod_config *) -1 ) { |
| 145 | exit ( -1 ); |
| 146 | } |
| 147 | } |
| 148 | |
| 149 | mod->endtime = 0; |
| 150 | mod->getting_tgt = 0; |
| 151 | |
| 152 | return; |
| 153 | } |
| 154 | |
| 155 | |
| 156 | static const char * |
| 157 | set_waklog_protect( cmd_parms *params, void *mconfig, int flag ) |
| 158 | { |
| 159 | waklog_host_config *cfg; |
| 160 | |
| 161 | if ( params->path == NULL ) { |
| 162 | cfg = (waklog_host_config *) ap_get_module_config( |
| 163 | params->server->module_config, &waklog_module ); |
| 164 | } else { |
| 165 | cfg = (waklog_host_config *)mconfig; |
| 166 | } |
| 167 | |
| 168 | cfg->protect = flag; |
| 169 | cfg->configured = 1; |
| 170 | return( NULL ); |
| 171 | } |
| 172 | |
| 173 | |
| 174 | static const char * |
| 175 | set_waklog_use_keytab( cmd_parms *params, void *mconfig, char *file ) |
| 176 | { |
| 177 | waklog_host_config *cfg; |
| 178 | |
| 179 | if ( params->path == NULL ) { |
| 180 | cfg = (waklog_host_config *) ap_get_module_config( |
| 181 | params->server->module_config, &waklog_module ); |
| 182 | } else { |
| 183 | cfg = (waklog_host_config *)mconfig; |
| 184 | } |
| 185 | |
| 186 | ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, params->server, |
| 187 | "mod_waklog: using keytab: %s", file ); |
| 188 | |
| 189 | cfg->keytab = file; |
| 190 | cfg->configured = 1; |
| 191 | return( NULL ); |
| 192 | } |
| 193 | |
| 194 | |
| 195 | static void |
| 196 | waklog_child_init( server_rec *s, pool *p ) |
| 197 | { |
| 198 | |
| 199 | if ( child == NULL ) { |
| 200 | child = (waklog_child_config *) ap_palloc( p, sizeof( waklog_child_config ) ); |
| 201 | } |
| 202 | |
| 203 | memset( &child->token, 0, sizeof( struct ktc_token ) ); |
| 204 | |
| 205 | setpag(); |
| 206 | |
| 207 | ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, s, |
| 208 | "mod_waklog: waklog_child_init: child: 0x%08x", child ); |
| 209 | |
| 210 | return; |
| 211 | } |
| 212 | |
| 213 | |
| 214 | command_rec waklog_cmds[ ] = |
| 215 | { |
| 216 | { "WaklogProtected", set_waklog_protect, |
| 217 | NULL, RSRC_CONF | ACCESS_CONF, FLAG, |
| 218 | "enable waklog on a location or directory basis" }, |
| 219 | |
| 220 | { "WaklogUseKeytab", set_waklog_use_keytab, |
| 221 | NULL, RSRC_CONF, TAKE1, |
| 222 | "Use the supplied keytab file rather than the user's TGT" }, |
| 223 | |
| 224 | { NULL } |
| 225 | }; |
| 226 | |
| 227 | |
| 228 | static void |
| 229 | pioctl_cleanup( void *data ) |
| 230 | { |
| 231 | request_rec *r = (request_rec *)data; |
| 232 | |
| 233 | if ( child->token.ticketLen ) { |
| 234 | memset( &child->token, 0, sizeof( struct ktc_token ) ); |
| 235 | |
| 236 | ktc_ForgetAllTokens(); |
| 237 | |
| 238 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 239 | "mod_waklog: ktc_ForgetAllTokens succeeded" ); |
| 240 | } |
| 241 | return; |
| 242 | } |
| 243 | |
| 244 | |
| 245 | static int |
| 246 | waklog_ktinit( request_rec *r, char *keytab_path ) |
| 247 | { |
| 248 | krb5_error_code kerror; |
| 249 | krb5_context kcontext; |
| 250 | krb5_principal kprinc; |
| 251 | krb5_get_init_creds_opt kopts; |
| 252 | krb5_creds v5creds; |
| 253 | CREDENTIALS v4creds; |
| 254 | krb5_ccache kccache; |
| 255 | krb5_keytab keytab = 0; |
| 256 | char ktbuf[ MAX_KEYTAB_NAME_LEN + 1 ]; |
| 257 | krb5_timestamp now; |
| 258 | |
| 259 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 260 | "mod_waklog: waklog_ktinit called" ); |
| 261 | |
| 262 | /* set our environment variables */ |
| 263 | ap_table_set( r->subprocess_env, "KRB5CCNAME", K5PATH ); |
| 264 | ap_table_set( r->subprocess_env, "KRBTKFILE", K4PATH ); |
| 265 | |
| 266 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 267 | "mod_waklog: KRB5CCNAME: %s, KRBTKFILE: %s", K5PATH, K4PATH ); |
| 268 | |
| 269 | #define SOON 300 |
| 270 | |
| 271 | /* will we need another tgt soon? */ |
| 272 | now = time( NULL ); |
| 273 | if ( !mod->getting_tgt && mod->endtime < now + SOON ) { |
| 274 | |
| 275 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 276 | "mod_waklog: mod->endtime: %u, now: %u", mod->endtime, now ); |
| 277 | |
| 278 | /* |
| 279 | ** Only one process will get into the critical region below and |
| 280 | ** replace the soon-to-be-expired credential; the rest will just |
| 281 | ** use the still-good credential until the new one shows up. |
| 282 | ** |
| 283 | ** The TAS flag will stop other processes from entering the |
| 284 | ** first half of the conditional above, and the critical region |
| 285 | ** below will not exit until mod->endtime has been updated to |
| 286 | ** reflect that of the new credentials (or fail). |
| 287 | ** |
| 288 | ** (While it is possible for all child processes to get past the |
| 289 | ** first half of the conditional above, and then for one |
| 290 | ** process to get into the critical region below and run to the |
| 291 | ** end (clearing the TAS flag), a fair scheduler would not |
| 292 | ** do this; but even so, it really wouldn't kill us if ALL of |
| 293 | ** the child processes got credentials, anyway. |
| 294 | */ |
| 295 | if ( !test_and_set_bit( 0, &mod->getting_tgt ) ) { |
| 296 | |
| 297 | if (( kerror = krb5_init_context( &kcontext ))) { |
| 298 | ap_log_error( APLOG_MARK, APLOG_ERR, r->server, |
| 299 | (char *)error_message( kerror )); |
| 300 | |
| 301 | goto cleanup1; |
| 302 | } |
| 303 | |
| 304 | /* use the path */ |
| 305 | if (( kerror = krb5_cc_resolve( kcontext, K5PATH, &kccache )) != 0 ) { |
| 306 | ap_log_error( APLOG_MARK, APLOG_ERR, r->server, |
| 307 | (char *)error_message( kerror )); |
| 308 | |
| 309 | goto cleanup2; |
| 310 | } |
| 311 | |
| 312 | if (( kerror = krb5_parse_name( kcontext, PRINCIPAL, &kprinc ))) { |
| 313 | ap_log_error( APLOG_MARK, APLOG_ERR, r->server, |
| 314 | (char *)error_message( kerror )); |
| 315 | |
| 316 | goto cleanup3; |
| 317 | } |
| 318 | |
| 319 | krb5_get_init_creds_opt_init( &kopts ); |
| 320 | krb5_get_init_creds_opt_set_tkt_life( &kopts, 10*60*60 ); |
| 321 | krb5_get_init_creds_opt_set_renew_life( &kopts, 0 ); |
| 322 | krb5_get_init_creds_opt_set_forwardable( &kopts, 1 ); |
| 323 | krb5_get_init_creds_opt_set_proxiable( &kopts, 0 ); |
| 324 | |
| 325 | /* which keytab should we use? */ |
| 326 | strcpy( ktbuf, keytab_path ? keytab_path : KEYTAB_PATH ); |
| 327 | |
| 328 | if ( strlen( ktbuf ) > MAX_KEYTAB_NAME_LEN ) { |
| 329 | ap_log_error( APLOG_MARK, APLOG_ERR, r->server, |
| 330 | "server configuration error" ); |
| 331 | |
| 332 | goto cleanup4; |
| 333 | } |
| 334 | |
| 335 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 336 | "mod_waklog: waklog_ktinit using: %s", ktbuf ); |
| 337 | |
| 338 | if (( kerror = krb5_kt_resolve( kcontext, ktbuf, &keytab )) != 0 ) { |
| 339 | ap_log_error( APLOG_MARK, APLOG_ERR, r->server, |
| 340 | (char *)error_message( kerror )); |
| 341 | |
| 342 | goto cleanup4; |
| 343 | } |
| 344 | |
| 345 | /* get the krbtgt */ |
| 346 | if (( kerror = krb5_get_init_creds_keytab( kcontext, &v5creds, |
| 347 | kprinc, keytab, 0, IN_TKT_SERVICE, &kopts ))) { |
| 348 | |
| 349 | ap_log_error( APLOG_MARK, APLOG_ERR, r->server, |
| 350 | (char *)error_message( kerror )); |
| 351 | |
| 352 | goto cleanup5; |
| 353 | } |
| 354 | |
| 355 | if (( kerror = krb5_verify_init_creds( kcontext, &v5creds, |
| 356 | kprinc, keytab, NULL, NULL )) != 0 ) { |
| 357 | |
| 358 | ap_log_error( APLOG_MARK, APLOG_ERR, r->server, |
| 359 | (char *)error_message( kerror )); |
| 360 | |
| 361 | goto cleanup6; |
| 362 | } |
| 363 | |
| 364 | if (( kerror = krb5_cc_initialize( kcontext, kccache, kprinc )) != 0 ) { |
| 365 | ap_log_error( APLOG_MARK, APLOG_ERR, r->server, |
| 366 | (char *)error_message( kerror )); |
| 367 | |
| 368 | goto cleanup6; |
| 369 | } |
| 370 | |
| 371 | if (( kerror = krb5_cc_store_cred( kcontext, kccache, &v5creds )) != 0 ) { |
| 372 | ap_log_error( APLOG_MARK, APLOG_ERR, r->server, |
| 373 | (char *)error_message( kerror )); |
| 374 | |
| 375 | goto cleanup6; |
| 376 | } |
| 377 | |
| 378 | /* convert K5 => K4 */ |
| 379 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 380 | "mod_waklog: before krb524_convert_creds" ); |
| 381 | |
| 382 | if (( kerror = krb524_convert_creds_kdc( kcontext, |
| 383 | &v5creds, &v4creds )) != 0 ) { |
| 384 | |
| 385 | ap_log_error( APLOG_MARK, APLOG_ERR, r->server, |
| 386 | (char *)error_message( kerror )); |
| 387 | |
| 388 | goto cleanup6; |
| 389 | } |
| 390 | |
| 391 | /* use the path */ |
| 392 | krb_set_tkt_string( (char *)K4PATH ); |
| 393 | |
| 394 | /* initialize ticket cache */ |
| 395 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 396 | "mod_waklog: before in_tkt" ); |
| 397 | |
| 398 | if (( kerror = in_tkt( v4creds.pname, v4creds.pinst )) != KSUCCESS ) { |
| 399 | ap_log_error( APLOG_MARK, APLOG_ERR, r->server, |
| 400 | (char *)error_message( kerror )); |
| 401 | |
| 402 | goto cleanup6; |
| 403 | } |
| 404 | |
| 405 | /* stash, ticket, session key, etc for future use */ |
| 406 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 407 | "mod_waklog: before krb_save_credentials" ); |
| 408 | |
| 409 | if (( kerror = krb_save_credentials( v4creds.service, |
| 410 | v4creds.instance, |
| 411 | v4creds.realm, |
| 412 | v4creds.session, |
| 413 | v4creds.lifetime, |
| 414 | v4creds.kvno, |
| 415 | &(v4creds.ticket_st), |
| 416 | v4creds.issue_date )) != 0 ) { |
| 417 | |
| 418 | ap_log_error( APLOG_MARK, APLOG_ERR, r->server, |
| 419 | (char *)error_message( kerror )); |
| 420 | |
| 421 | goto cleanup6; |
| 422 | } |
| 423 | |
| 424 | /* save this */ |
| 425 | mod->endtime = v5creds.times.endtime; |
| 426 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 427 | "mod_waklog: mod->endtime: %u, mod->getting_tgt: %d", |
| 428 | mod->endtime, mod->getting_tgt ); |
| 429 | |
| 430 | cleanup6: krb5_free_cred_contents( kcontext, &v5creds ); |
| 431 | cleanup5: (void)krb5_kt_close( kcontext, keytab ); |
| 432 | cleanup4: krb5_free_principal( kcontext, kprinc ); |
| 433 | cleanup3: krb5_cc_close( kcontext, kccache ); |
| 434 | cleanup2: krb5_free_context( kcontext ); |
| 435 | |
| 436 | /* exit the critical region */ |
| 437 | cleanup1: mod->getting_tgt = 0; |
| 438 | } |
| 439 | |
| 440 | } |
| 441 | |
| 442 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 443 | "mod_waklog: waklog_ktinit: exiting" ); |
| 444 | |
| 445 | return( 0 ); |
| 446 | } |
| 447 | |
| 448 | |
| 449 | static void |
| 450 | waklog_aklog( request_rec *r ) |
| 451 | { |
| 452 | int rc; |
| 453 | char buf[ 1024 ]; |
| 454 | const char *k4path = NULL; |
| 455 | const char *k5path = NULL; |
| 456 | krb5_error_code kerror; |
| 457 | krb5_context kcontext; |
| 458 | krb5_creds increds; |
| 459 | krb5_creds *v5credsp = NULL; |
| 460 | CREDENTIALS v4creds; |
| 461 | krb5_ccache kccache; |
| 462 | struct ktc_principal server = { "afs", "", "umich.edu" }; |
| 463 | struct ktc_principal client; |
| 464 | struct ktc_token token; |
| 465 | |
| 466 | k5path = ap_table_get( r->subprocess_env, "KRB5CCNAME" ); |
| 467 | k4path = ap_table_get( r->subprocess_env, "KRBTKFILE" ); |
| 468 | |
| 469 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 470 | "mod_waklog: waklog_aklog called: k5path: %s, k4path: %s", k5path, k4path ); |
| 471 | |
| 472 | if ( !k5path || !k4path ) { |
| 473 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 474 | "mod_waklog: waklog_aklog giving up" ); |
| 475 | return; |
| 476 | } |
| 477 | |
| 478 | /* |
| 479 | ** Get/build creds from file/tgs, then see if we need to SetToken |
| 480 | */ |
| 481 | |
| 482 | if (( kerror = krb5_init_context( &kcontext ))) { |
| 483 | /* Authentication Required ( kerberos error ) */ |
| 484 | ap_log_error( APLOG_MARK, APLOG_ERR, r->server, |
| 485 | (char *)error_message( kerror )); |
| 486 | |
| 487 | return; |
| 488 | } |
| 489 | |
| 490 | memset( (char *)&increds, 0, sizeof(increds)); |
| 491 | |
| 492 | /* set server part */ |
| 493 | if (( kerror = krb5_parse_name( kcontext, AFS, &increds.server ))) { |
| 494 | ap_log_error( APLOG_MARK, APLOG_ERR, r->server, |
| 495 | (char *)error_message( kerror )); |
| 496 | |
| 497 | return; |
| 498 | } |
| 499 | |
| 500 | if (( kerror = krb5_cc_resolve( kcontext, k5path, &kccache )) != 0 ) { |
| 501 | ap_log_error( APLOG_MARK, APLOG_ERR, r->server, |
| 502 | (char *)error_message( kerror )); |
| 503 | |
| 504 | return; |
| 505 | } |
| 506 | |
| 507 | /* set client part */ |
| 508 | krb5_cc_get_principal( kcontext, kccache, &increds.client ); |
| 509 | |
| 510 | increds.times.endtime = 0; |
| 511 | /* Ask for DES since that is what V4 understands */ |
| 512 | increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC; |
| 513 | |
| 514 | /* get the V5 credentials */ |
| 515 | if (( kerror = krb5_get_credentials( kcontext, 0, kccache, |
| 516 | &increds, &v5credsp ) ) ) { |
| 517 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 518 | "mod_waklog: krb5_get_credentials: %s", krb_err_txt[ kerror ] ); |
| 519 | return; |
| 520 | } |
| 521 | |
| 522 | /* get the V4 credentials */ |
| 523 | if (( kerror = krb524_convert_creds_kdc( kcontext, v5credsp, &v4creds ) ) ) { |
| 524 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 525 | "mod_waklog: krb524_convert_creds_kdc: %s", krb_err_txt[ kerror ] ); |
| 526 | return; |
| 527 | } |
| 528 | |
| 529 | /* assemble the token */ |
| 530 | token.kvno = v4creds.kvno; |
| 531 | token.startTime = v4creds.issue_date; |
| 532 | token.endTime = v5credsp->times.endtime; |
| 533 | memmove( &token.sessionKey, v4creds.session, 8 ); |
| 534 | token.ticketLen = v4creds.ticket_st.length ; |
| 535 | memmove( token.ticket, v4creds.ticket_st.dat, token.ticketLen ); |
| 536 | |
| 537 | /* make sure we have to do this */ |
| 538 | if ( child->token.kvno != token.kvno || |
| 539 | child->token.ticketLen != token.ticketLen || |
| 540 | memcmp( &child->token.sessionKey, &token.sessionKey, |
| 541 | sizeof( token.sessionKey ) ) || |
| 542 | memcmp( child->token.ticket, token.ticket, token.ticketLen ) ) { |
| 543 | |
| 544 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 545 | "mod_waklog: %s.%s@%s", v4creds.service, v4creds.instance, |
| 546 | v4creds.realm ); |
| 547 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 548 | "mod_waklog: %d %d %d", v4creds.lifetime, v4creds.kvno, |
| 549 | v4creds.issue_date ); |
| 550 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 551 | "mod_waklog: %s %s", v4creds.pname, v4creds.pinst ); |
| 552 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 553 | "mod_waklog: %d", v4creds.ticket_st.length ); |
| 554 | |
| 555 | /* build the name */ |
| 556 | strcpy( buf, v4creds.pname ); |
| 557 | if ( v4creds.pinst[ 0 ] ) { |
| 558 | strcat( buf, "." ); |
| 559 | strcat( buf, v4creds.pinst ); |
| 560 | } |
| 561 | |
| 562 | /* assemble the client */ |
| 563 | strncpy( client.name, buf, MAXKTCNAMELEN - 1 ); |
| 564 | strcpy( client.instance, "" ); |
| 565 | strncpy( client.cell, v4creds.realm, MAXKTCNAMELEN - 1 ); |
| 566 | |
| 567 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 568 | "mod_waklog: server: name=%s, instance=%s, cell=%s", |
| 569 | server.name, server.instance, server.cell ); |
| 570 | |
| 571 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 572 | "mod_waklog: client: name=%s, instance=%s, cell=%s", |
| 573 | client.name, client.instance, client.cell ); |
| 574 | |
| 575 | /* use the path */ |
| 576 | krb_set_tkt_string( (char *)k4path ); |
| 577 | |
| 578 | /* rumor: we have to do this for AIX 4.1.4 with AFS 3.4+ */ |
| 579 | write( 2, "", 0 ); |
| 580 | |
| 581 | if ( ( rc = ktc_SetToken( &server, &token, &client, 0 ) ) ) { |
| 582 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 583 | "mod_waklog: settoken returned %d", rc ); |
| 584 | } |
| 585 | |
| 586 | /* save this */ |
| 587 | memmove( &child->token, &token, sizeof( struct ktc_token ) ); |
| 588 | |
| 589 | /* we'll need to unlog when this connection is done. */ |
| 590 | ap_register_cleanup( r->pool, (void *)r, pioctl_cleanup, ap_null_cleanup ); |
| 591 | } |
| 592 | |
| 593 | krb5_free_cred_contents( kcontext, v5credsp ); |
| 594 | krb5_free_principal( kcontext, increds.client ); |
| 595 | krb5_cc_close( kcontext, kccache ); |
| 596 | krb5_free_context( kcontext ); |
| 597 | |
| 598 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 599 | "mod_waklog: finished with waklog_aklog" ); |
| 600 | |
| 601 | } |
| 602 | |
| 603 | |
| 604 | static int |
| 605 | waklog_phase0( request_rec *r ) |
| 606 | { |
| 607 | waklog_host_config *cfg; |
| 608 | |
| 609 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 610 | "mod_waklog: phase0 called" ); |
| 611 | |
| 612 | /* directory config? */ |
| 613 | cfg = (waklog_host_config *)ap_get_module_config( |
| 614 | r->per_dir_config, &waklog_module); |
| 615 | |
| 616 | /* server config? */ |
| 617 | if ( !cfg->configured ) { |
| 618 | cfg = (waklog_host_config *)ap_get_module_config( |
| 619 | r->server->module_config, &waklog_module); |
| 620 | } |
| 621 | |
| 622 | if ( !cfg->protect ) { |
| 623 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 624 | "mod_waklog: phase0 declining" ); |
| 625 | return( DECLINED ); |
| 626 | } |
| 627 | |
| 628 | /* do this only if we are still unauthenticated */ |
| 629 | if ( !child->token.ticketLen ) { |
| 630 | |
| 631 | /* authenticate using keytab file */ |
| 632 | waklog_ktinit( r , cfg->keytab ); |
| 633 | |
| 634 | /* stuff the credentials into the kernel */ |
| 635 | waklog_aklog( r ); |
| 636 | } |
| 637 | |
| 638 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 639 | "mod_waklog: phase0 returning" ); |
| 640 | return DECLINED; |
| 641 | } |
| 642 | |
| 643 | |
| 644 | static int |
| 645 | waklog_phase7( request_rec *r ) |
| 646 | { |
| 647 | waklog_host_config *cfg; |
| 648 | |
| 649 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 650 | "mod_waklog: phase7 called" ); |
| 651 | |
| 652 | /* directory config? */ |
| 653 | cfg = (waklog_host_config *)ap_get_module_config( |
| 654 | r->per_dir_config, &waklog_module); |
| 655 | |
| 656 | /* server config? */ |
| 657 | if ( !cfg->configured ) { |
| 658 | cfg = (waklog_host_config *)ap_get_module_config( |
| 659 | r->server->module_config, &waklog_module); |
| 660 | } |
| 661 | |
| 662 | if ( !cfg->protect ) { |
| 663 | return( DECLINED ); |
| 664 | } |
| 665 | |
| 666 | /* stuff the credentials into the kernel */ |
| 667 | waklog_aklog( r ); |
| 668 | |
| 669 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 670 | "mod_waklog: phase7 returning" ); |
| 671 | |
| 672 | return DECLINED; |
| 673 | } |
| 674 | |
| 675 | static void |
| 676 | waklog_new_connection( conn_rec *c ) { |
| 677 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, c->server, |
| 678 | "mod_waklog: new_connection called: conn_rec: 0x%08x pid: %d", c, getpid() ); |
| 679 | return; |
| 680 | } |
| 681 | |
| 682 | module MODULE_VAR_EXPORT waklog_module = { |
| 683 | STANDARD_MODULE_STUFF, |
| 684 | waklog_init, /* module initializer */ |
| 685 | waklog_create_dir_config, /* create per-dir config structures */ |
| 686 | NULL, /* merge per-dir config structures */ |
| 687 | waklog_create_server_config, /* create per-server config structures */ |
| 688 | NULL, /* merge per-server config structures */ |
| 689 | waklog_cmds, /* table of config file commands */ |
| 690 | NULL, /* [#8] MIME-typed-dispatched handlers */ |
| 691 | NULL, /* [#1] URI to filename translation */ |
| 692 | NULL, /* [#4] validate user id from request */ |
| 693 | NULL, /* [#5] check if the user is ok _here_ */ |
| 694 | NULL, /* [#3] check access by host address */ |
| 695 | NULL, /* [#6] determine MIME type */ |
| 696 | waklog_phase7, /* [#7] pre-run fixups */ |
| 697 | NULL, /* [#9] log a transaction */ |
| 698 | NULL, /* [#2] header parser */ |
| 699 | waklog_child_init, /* child_init */ |
| 700 | NULL, /* child_exit */ |
| 701 | waklog_phase0 /* [#0] post read-request */ |
| 702 | #ifdef EAPI |
| 703 | ,NULL, /* EAPI: add_module */ |
| 704 | NULL, /* EAPI: remove_module */ |
| 705 | NULL, /* EAPI: rewrite_command */ |
| 706 | waklog_new_connection /* EAPI: new_connection */ |
| 707 | #endif |
| 708 | }; |