| bed98ff9 |
1 | #include "httpd.h" |
| 2 | #include "http_config.h" |
| 7193eb01 |
3 | #include "http_conf_globals.h" |
| bed98ff9 |
4 | #include "http_log.h" |
| 7193eb01 |
5 | #include "http_protocol.h" |
| 6 | #include "http_request.h" |
| 7 | #include "http_core.h" |
| bed98ff9 |
8 | #include "ap_config.h" |
| 4e1ae1cd |
9 | #include <krb5.h> |
| bed98ff9 |
10 | |
| 7193eb01 |
11 | #if defined(sun) |
| bed98ff9 |
12 | #include <sys/ioccom.h> |
| 7193eb01 |
13 | #endif /* sun */ |
| bed98ff9 |
14 | #include <stropts.h> |
| bed98ff9 |
15 | #include <afs/venus.h> |
| 7193eb01 |
16 | #include <afs/auth.h> |
| 17 | #include <rx/rxkad.h> |
| 18 | |
| 58bbdc54 |
19 | #define KEYTAB "/home/drh/keytab.umweb.drhtest" |
| 20 | #define KEYTAB_PRINCIPAL "umweb/drhtest" |
| 4e1ae1cd |
21 | |
| 58bbdc54 |
22 | #define TKT_LIFE 10*60*60 |
| 23 | #define SLEEP_TIME 5*60 /* should be TKT_LIFE */ |
| 24 | |
| 25 | #define AFS_CELL "umich.edu" /* NB: lower case */ |
| 26 | |
| 27 | #define K5PATH "FILE:/tmp/waklog.creds.k5" |
| 28 | #define K4PATH "/tmp/waklog.creds.k4" |
| 7193eb01 |
29 | |
| 313dde40 |
30 | module waklog_module; |
| bed98ff9 |
31 | |
| 32 | struct ClearToken { |
| 33 | long AuthHandle; |
| 34 | char HandShakeKey[ 8 ]; |
| 35 | long ViceId; |
| 36 | long BeginTimestamp; |
| 37 | long EndTimestamp; |
| 38 | }; |
| 39 | |
| 313dde40 |
40 | typedef struct { |
| 4e1ae1cd |
41 | int configured; |
| 42 | int protect; |
| 43 | char *keytab; |
| 7193eb01 |
44 | char *keytab_principal; |
| 403921ef |
45 | char *afs_cell; |
| 313dde40 |
46 | } waklog_host_config; |
| 47 | |
| 7193eb01 |
48 | typedef struct { |
| 49 | struct ktc_token token; |
| 50 | } waklog_child_config; |
| 58bbdc54 |
51 | waklog_child_config child; |
| 52 | |
| e21f34f0 |
53 | |
| 313dde40 |
54 | static void * |
| 55 | waklog_create_dir_config( pool *p, char *path ) |
| 56 | { |
| 57 | waklog_host_config *cfg; |
| 58 | |
| 59 | cfg = (waklog_host_config *)ap_pcalloc( p, sizeof( waklog_host_config )); |
| 60 | cfg->configured = 0; |
| 61 | cfg->protect = 0; |
| 58bbdc54 |
62 | cfg->keytab = KEYTAB; |
| 63 | cfg->keytab_principal = KEYTAB_PRINCIPAL; |
| 64 | cfg->afs_cell = AFS_CELL; |
| 313dde40 |
65 | |
| 66 | return( cfg ); |
| 67 | } |
| 68 | |
| 69 | |
| 70 | static void * |
| 71 | waklog_create_server_config( pool *p, server_rec *s ) |
| 72 | { |
| 73 | waklog_host_config *cfg; |
| 74 | |
| 75 | cfg = (waklog_host_config *)ap_pcalloc( p, sizeof( waklog_host_config )); |
| 76 | cfg->configured = 0; |
| 77 | cfg->protect = 0; |
| 58bbdc54 |
78 | cfg->keytab = KEYTAB; |
| 79 | cfg->keytab_principal = KEYTAB_PRINCIPAL; |
| 80 | cfg->afs_cell = AFS_CELL; |
| 313dde40 |
81 | |
| 82 | return( cfg ); |
| 83 | } |
| 84 | |
| 85 | |
| 313dde40 |
86 | static const char * |
| 87 | set_waklog_protect( cmd_parms *params, void *mconfig, int flag ) |
| 88 | { |
| 89 | waklog_host_config *cfg; |
| 90 | |
| 91 | if ( params->path == NULL ) { |
| 92 | cfg = (waklog_host_config *) ap_get_module_config( |
| 93 | params->server->module_config, &waklog_module ); |
| 94 | } else { |
| 95 | cfg = (waklog_host_config *)mconfig; |
| 96 | } |
| 97 | |
| 98 | cfg->protect = flag; |
| 99 | cfg->configured = 1; |
| 100 | return( NULL ); |
| 101 | } |
| 102 | |
| 103 | |
| 4e1ae1cd |
104 | static const char * |
| 105 | set_waklog_use_keytab( cmd_parms *params, void *mconfig, char *file ) |
| 106 | { |
| 107 | waklog_host_config *cfg; |
| 108 | |
| 109 | if ( params->path == NULL ) { |
| 110 | cfg = (waklog_host_config *) ap_get_module_config( |
| 111 | params->server->module_config, &waklog_module ); |
| 112 | } else { |
| 113 | cfg = (waklog_host_config *)mconfig; |
| 114 | } |
| 115 | |
| 3ed1e28a |
116 | ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, params->server, |
| 117 | "mod_waklog: using keytab: %s", file ); |
| 118 | |
| 4e1ae1cd |
119 | cfg->keytab = file; |
| 120 | cfg->configured = 1; |
| 121 | return( NULL ); |
| 122 | } |
| 123 | |
| 124 | |
| 58bbdc54 |
125 | static const char * |
| 126 | set_waklog_use_keytab_principal( cmd_parms *params, void *mconfig, char *file ) |
| b74fad73 |
127 | { |
| 58bbdc54 |
128 | waklog_host_config *cfg; |
| 7193eb01 |
129 | |
| 58bbdc54 |
130 | if ( params->path == NULL ) { |
| 131 | cfg = (waklog_host_config *) ap_get_module_config( |
| 132 | params->server->module_config, &waklog_module ); |
| 133 | } else { |
| 134 | cfg = (waklog_host_config *)mconfig; |
| 7193eb01 |
135 | } |
| 136 | |
| 58bbdc54 |
137 | ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, params->server, |
| 138 | "mod_waklog: using keytab_principal: %s", file ); |
| 139 | |
| 140 | cfg->keytab_principal = file; |
| 141 | cfg->configured = 1; |
| 142 | return( NULL ); |
| 143 | } |
| 144 | |
| 145 | |
| 146 | static const char * |
| 147 | set_waklog_use_afs_cell( cmd_parms *params, void *mconfig, char *file ) |
| 148 | { |
| 149 | waklog_host_config *cfg; |
| 150 | |
| 151 | if ( params->path == NULL ) { |
| 152 | cfg = (waklog_host_config *) ap_get_module_config( |
| 153 | params->server->module_config, &waklog_module ); |
| 154 | } else { |
| 155 | cfg = (waklog_host_config *)mconfig; |
| 156 | } |
| 157 | |
| 158 | ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, params->server, |
| 159 | "mod_waklog: using afs_cell: %s", file ); |
| 160 | |
| 161 | cfg->afs_cell = file; |
| 162 | cfg->configured = 1; |
| 163 | return( NULL ); |
| 164 | } |
| 165 | |
| 166 | |
| 167 | static void |
| 168 | waklog_child_init( server_rec *s, pool *p ) |
| 169 | { |
| 170 | |
| 171 | memset( &child.token, 0, sizeof( struct ktc_token ) ); |
| 7193eb01 |
172 | |
| b74fad73 |
173 | setpag(); |
| 7193eb01 |
174 | |
| b74fad73 |
175 | return; |
| 176 | } |
| 177 | |
| 178 | |
| 313dde40 |
179 | command_rec waklog_cmds[ ] = |
| 180 | { |
| 181 | { "WaklogProtected", set_waklog_protect, |
| 182 | NULL, RSRC_CONF | ACCESS_CONF, FLAG, |
| 183 | "enable waklog on a location or directory basis" }, |
| 184 | |
| 58bbdc54 |
185 | { "WaklogUseKeytabPath", set_waklog_use_keytab, |
| 186 | NULL, RSRC_CONF, TAKE1, |
| 187 | "Use the supplied keytab rather than the default" }, |
| 188 | |
| 189 | { "WaklogUseKeytabPrincipal", set_waklog_use_keytab_principal, |
| 190 | NULL, RSRC_CONF, TAKE1, |
| 191 | "Use the supplied keytab principal rather than the default" }, |
| 192 | |
| 193 | { "WaklogUseAFSCell", set_waklog_use_afs_cell, |
| 4e1ae1cd |
194 | NULL, RSRC_CONF, TAKE1, |
| 58bbdc54 |
195 | "Use the supplied AFS cell rather than the default" }, |
| 4e1ae1cd |
196 | |
| 313dde40 |
197 | { NULL } |
| 198 | }; |
| 199 | |
| 200 | |
| bed98ff9 |
201 | static void |
| e2df6441 |
202 | token_cleanup( void *data ) |
| bed98ff9 |
203 | { |
| 204 | request_rec *r = (request_rec *)data; |
| bed98ff9 |
205 | |
| 58bbdc54 |
206 | if ( child.token.ticketLen ) { |
| 207 | memset( &child.token, 0, sizeof( struct ktc_token ) ); |
| bed98ff9 |
208 | |
| 7193eb01 |
209 | ktc_ForgetAllTokens(); |
| bed98ff9 |
210 | |
| 7193eb01 |
211 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 58bbdc54 |
212 | "mod_waklog: ktc_ForgetAllTokens succeeded: pid: %d", getpid() ); |
| 7193eb01 |
213 | } |
| b74fad73 |
214 | return; |
| bed98ff9 |
215 | } |
| 216 | |
| 217 | |
| 4e1ae1cd |
218 | static int |
| e2df6441 |
219 | waklog_kinit( server_rec *s ) |
| 4e1ae1cd |
220 | { |
| 221 | krb5_error_code kerror; |
| e2df6441 |
222 | krb5_context kcontext = NULL; |
| 223 | krb5_principal kprinc = NULL; |
| 4e1ae1cd |
224 | krb5_get_init_creds_opt kopts; |
| 7193eb01 |
225 | krb5_creds v5creds; |
| e2df6441 |
226 | krb5_ccache kccache = NULL; |
| 227 | krb5_keytab keytab = NULL; |
| 4e1ae1cd |
228 | char ktbuf[ MAX_KEYTAB_NAME_LEN + 1 ]; |
| e21f34f0 |
229 | waklog_host_config *cfg; |
| 4e1ae1cd |
230 | |
| e21f34f0 |
231 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s, |
| e2df6441 |
232 | "mod_waklog: waklog_kinit called" ); |
| 4e1ae1cd |
233 | |
| 58bbdc54 |
234 | cfg = (waklog_host_config *) ap_get_module_config( s->module_config, |
| 235 | &waklog_module ); |
| 236 | |
| e21f34f0 |
237 | if (( kerror = krb5_init_context( &kcontext ))) { |
| 238 | ap_log_error( APLOG_MARK, APLOG_ERR, s, |
| 239 | (char *)error_message( kerror )); |
| 4e1ae1cd |
240 | |
| e2df6441 |
241 | goto cleanup; |
| e21f34f0 |
242 | } |
| 4e1ae1cd |
243 | |
| e21f34f0 |
244 | /* use the path */ |
| 245 | if (( kerror = krb5_cc_resolve( kcontext, K5PATH, &kccache )) != 0 ) { |
| 246 | ap_log_error( APLOG_MARK, APLOG_ERR, s, |
| 247 | (char *)error_message( kerror )); |
| 4e1ae1cd |
248 | |
| e2df6441 |
249 | goto cleanup; |
| e21f34f0 |
250 | } |
| 4e1ae1cd |
251 | |
| 58bbdc54 |
252 | if (( kerror = krb5_parse_name( kcontext, cfg->keytab_principal, &kprinc ))) { |
| e21f34f0 |
253 | ap_log_error( APLOG_MARK, APLOG_ERR, s, |
| 254 | (char *)error_message( kerror )); |
| 7193eb01 |
255 | |
| e2df6441 |
256 | goto cleanup; |
| e21f34f0 |
257 | } |
| 7193eb01 |
258 | |
| e21f34f0 |
259 | krb5_get_init_creds_opt_init( &kopts ); |
| 58bbdc54 |
260 | krb5_get_init_creds_opt_set_tkt_life( &kopts, TKT_LIFE ); |
| e21f34f0 |
261 | krb5_get_init_creds_opt_set_renew_life( &kopts, 0 ); |
| 262 | krb5_get_init_creds_opt_set_forwardable( &kopts, 1 ); |
| 263 | krb5_get_init_creds_opt_set_proxiable( &kopts, 0 ); |
| 7193eb01 |
264 | |
| 58bbdc54 |
265 | /* keytab from config */ |
| 266 | strncpy( ktbuf, cfg->keytab, sizeof( ktbuf ) - 1 ); |
| 7193eb01 |
267 | |
| e21f34f0 |
268 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s, |
| e2df6441 |
269 | "mod_waklog: waklog_kinit using: %s", ktbuf ); |
| 7193eb01 |
270 | |
| e21f34f0 |
271 | if (( kerror = krb5_kt_resolve( kcontext, ktbuf, &keytab )) != 0 ) { |
| 272 | ap_log_error( APLOG_MARK, APLOG_ERR, s, |
| 273 | (char *)error_message( kerror )); |
| 7193eb01 |
274 | |
| e2df6441 |
275 | goto cleanup; |
| e21f34f0 |
276 | } |
| 7193eb01 |
277 | |
| e21f34f0 |
278 | /* get the krbtgt */ |
| 279 | if (( kerror = krb5_get_init_creds_keytab( kcontext, &v5creds, |
| 403921ef |
280 | kprinc, keytab, 0, NULL, &kopts ))) { |
| 7193eb01 |
281 | |
| e21f34f0 |
282 | ap_log_error( APLOG_MARK, APLOG_ERR, s, |
| 283 | (char *)error_message( kerror )); |
| 7193eb01 |
284 | |
| e2df6441 |
285 | goto cleanup; |
| e21f34f0 |
286 | } |
| 7193eb01 |
287 | |
| e21f34f0 |
288 | if (( kerror = krb5_verify_init_creds( kcontext, &v5creds, |
| 289 | kprinc, keytab, NULL, NULL )) != 0 ) { |
| 7193eb01 |
290 | |
| e21f34f0 |
291 | ap_log_error( APLOG_MARK, APLOG_ERR, s, |
| 292 | (char *)error_message( kerror )); |
| 7193eb01 |
293 | |
| e2df6441 |
294 | goto cleanup; |
| e21f34f0 |
295 | } |
| 7193eb01 |
296 | |
| e21f34f0 |
297 | if (( kerror = krb5_cc_initialize( kcontext, kccache, kprinc )) != 0 ) { |
| 298 | ap_log_error( APLOG_MARK, APLOG_ERR, s, |
| 299 | (char *)error_message( kerror )); |
| 7193eb01 |
300 | |
| e2df6441 |
301 | goto cleanup; |
| e21f34f0 |
302 | } |
| 7193eb01 |
303 | |
| e2df6441 |
304 | kerror = krb5_cc_store_cred( kcontext, kccache, &v5creds ); |
| 305 | krb5_free_cred_contents( kcontext, &v5creds ); |
| 306 | if ( kerror != 0 ) { |
| e21f34f0 |
307 | ap_log_error( APLOG_MARK, APLOG_ERR, s, |
| 308 | (char *)error_message( kerror )); |
| 7193eb01 |
309 | |
| e2df6441 |
310 | goto cleanup; |
| e21f34f0 |
311 | } |
| 7193eb01 |
312 | |
| e21f34f0 |
313 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s, |
| e2df6441 |
314 | "mod_waklog: waklog_kinit success" ); |
| 315 | |
| 316 | cleanup: |
| 317 | if ( keytab ) |
| 318 | (void)krb5_kt_close( kcontext, keytab ); |
| 319 | if ( kprinc ) |
| 320 | krb5_free_principal( kcontext, kprinc ); |
| 321 | if ( kccache ) |
| 322 | krb5_cc_close( kcontext, kccache ); |
| 323 | if ( kcontext ) |
| 324 | krb5_free_context( kcontext ); |
| e21f34f0 |
325 | |
| 326 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s, |
| e2df6441 |
327 | "mod_waklog: waklog_kinit: exiting" ); |
| 7193eb01 |
328 | |
| 329 | return( 0 ); |
| 330 | } |
| 331 | |
| 332 | |
| 333 | static void |
| 334 | waklog_aklog( request_rec *r ) |
| 335 | { |
| 336 | int rc; |
| 58bbdc54 |
337 | char buf[ 2048 ]; |
| 7193eb01 |
338 | const char *k4path = NULL; |
| 339 | const char *k5path = NULL; |
| 340 | krb5_error_code kerror; |
| e2df6441 |
341 | krb5_context kcontext = NULL; |
| 7193eb01 |
342 | krb5_creds increds; |
| 343 | krb5_creds *v5credsp = NULL; |
| e2df6441 |
344 | krb5_ccache kccache = NULL; |
| 403921ef |
345 | struct ktc_principal server = { "afs", "", "" }; |
| 7193eb01 |
346 | struct ktc_principal client; |
| 347 | struct ktc_token token; |
| 403921ef |
348 | waklog_host_config *cfg; |
| 58bbdc54 |
349 | int buflen; |
| 7193eb01 |
350 | |
| 351 | k5path = ap_table_get( r->subprocess_env, "KRB5CCNAME" ); |
| 352 | k4path = ap_table_get( r->subprocess_env, "KRBTKFILE" ); |
| 353 | |
| 354 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 355 | "mod_waklog: waklog_aklog called: k5path: %s, k4path: %s", k5path, k4path ); |
| 356 | |
| 357 | if ( !k5path || !k4path ) { |
| 358 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 359 | "mod_waklog: waklog_aklog giving up" ); |
| e2df6441 |
360 | goto cleanup; |
| 4e1ae1cd |
361 | } |
| 362 | |
| 7193eb01 |
363 | /* |
| 364 | ** Get/build creds from file/tgs, then see if we need to SetToken |
| 365 | */ |
| 366 | |
| 367 | if (( kerror = krb5_init_context( &kcontext ))) { |
| 368 | /* Authentication Required ( kerberos error ) */ |
| 4e1ae1cd |
369 | ap_log_error( APLOG_MARK, APLOG_ERR, r->server, |
| 370 | (char *)error_message( kerror )); |
| 7193eb01 |
371 | |
| e2df6441 |
372 | goto cleanup; |
| 4e1ae1cd |
373 | } |
| 374 | |
| 7193eb01 |
375 | memset( (char *)&increds, 0, sizeof(increds)); |
| 4e1ae1cd |
376 | |
| 403921ef |
377 | cfg = (waklog_host_config *) ap_get_module_config( |
| 378 | r->server->module_config, &waklog_module ); |
| 379 | |
| 380 | /* afs/<cell> or afs */ |
| 381 | strncpy( buf, "afs", sizeof( buf ) - 1 ); |
| 58bbdc54 |
382 | if ( strcmp( cfg->afs_cell, AFS_CELL ) ) { |
| 403921ef |
383 | strncat( buf, "/" , sizeof( buf ) - strlen( buf ) - 1 ); |
| 384 | strncat( buf, cfg->afs_cell, sizeof( buf ) - strlen( buf ) - 1 ); |
| 385 | } |
| 386 | |
| 7193eb01 |
387 | /* set server part */ |
| 403921ef |
388 | if (( kerror = krb5_parse_name( kcontext, buf, &increds.server ))) { |
| 4e1ae1cd |
389 | ap_log_error( APLOG_MARK, APLOG_ERR, r->server, |
| 390 | (char *)error_message( kerror )); |
| 391 | |
| e2df6441 |
392 | goto cleanup; |
| 4e1ae1cd |
393 | } |
| 394 | |
| 7193eb01 |
395 | if (( kerror = krb5_cc_resolve( kcontext, k5path, &kccache )) != 0 ) { |
| 396 | ap_log_error( APLOG_MARK, APLOG_ERR, r->server, |
| 397 | (char *)error_message( kerror )); |
| 398 | |
| e2df6441 |
399 | goto cleanup; |
| 7193eb01 |
400 | } |
| 4e1ae1cd |
401 | |
| 7193eb01 |
402 | /* set client part */ |
| 403 | krb5_cc_get_principal( kcontext, kccache, &increds.client ); |
| 4e1ae1cd |
404 | |
| 7193eb01 |
405 | increds.times.endtime = 0; |
| 406 | /* Ask for DES since that is what V4 understands */ |
| 407 | increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC; |
| 408 | |
| 409 | /* get the V5 credentials */ |
| 410 | if (( kerror = krb5_get_credentials( kcontext, 0, kccache, |
| 411 | &increds, &v5credsp ) ) ) { |
| 403921ef |
412 | ap_log_error( APLOG_MARK, APLOG_ERR, r->server, |
| 413 | "mod_waklog: krb5_get_credentials: %s", error_message( kerror )); |
| e2df6441 |
414 | goto cleanup; |
| 4e1ae1cd |
415 | } |
| 416 | |
| 58bbdc54 |
417 | /* don't overflor */ |
| 418 | if ( v5credsp->ticket.length >= 344 ) { /* from krb524d.c */ |
| 403921ef |
419 | ap_log_error( APLOG_MARK, APLOG_ERR, r->server, |
| 58bbdc54 |
420 | "mod_waklog: ticket size (%d) to big to fake", v5credsp->ticket.length ); |
| e2df6441 |
421 | goto cleanup; |
| 4e1ae1cd |
422 | } |
| 423 | |
| 7193eb01 |
424 | /* assemble the token */ |
| 58bbdc54 |
425 | memset( &token, 0, sizeof( struct ktc_token ) ); |
| 426 | |
| 427 | token.startTime = v5credsp->times.starttime ? v5credsp->times.starttime : v5credsp->times.authtime; |
| 7193eb01 |
428 | token.endTime = v5credsp->times.endtime; |
| 58bbdc54 |
429 | memmove( &token.sessionKey, v5credsp->keyblock.contents, v5credsp->keyblock.length ); |
| 430 | token.kvno = RXKAD_TKT_TYPE_KERBEROS_V5; |
| 431 | token.ticketLen = v5credsp->ticket.length; |
| 432 | memmove( token.ticket, v5credsp->ticket.data, token.ticketLen ); |
| 7193eb01 |
433 | |
| 58bbdc54 |
434 | /* make sure we have to do this */ |
| 435 | if ( child.token.kvno != token.kvno || |
| 436 | child.token.ticketLen != token.ticketLen || |
| 437 | (memcmp( &child.token.sessionKey, &token.sessionKey, |
| 438 | sizeof( token.sessionKey ) )) || |
| 439 | (memcmp( child.token.ticket, token.ticket, token.ticketLen )) ) { |
| 440 | |
| 8258901d |
441 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 442 | "mod_waklog: client: %s", buf ); |
| 7193eb01 |
443 | |
| 444 | /* build the name */ |
| 58bbdc54 |
445 | memmove( buf, v5credsp->client->data[0].data, v5credsp->client->data[0].length ); |
| 446 | buf[ v5credsp->client->data[0].length ] = '\0'; |
| 447 | if ( v5credsp->client->length > 1 ) { |
| 8258901d |
448 | strncat( buf, ".", sizeof( buf ) - strlen( buf ) - 1 ); |
| 58bbdc54 |
449 | buflen = strlen( buf ); |
| 450 | memmove( buf + buflen, v5credsp->client->data[1].data, v5credsp->client->data[1].length ); |
| 451 | buf[ buflen + v5credsp->client->data[1].length ] = '\0'; |
| 7193eb01 |
452 | } |
| 453 | |
| 454 | /* assemble the client */ |
| 403921ef |
455 | strncpy( client.name, buf, sizeof( client.name ) - 1 ); |
| 456 | strncpy( client.instance, "", sizeof( client.instance) - 1 ); |
| 58bbdc54 |
457 | memmove( buf, v5credsp->client->realm.data, v5credsp->client->realm.length ); |
| 458 | buf[ v5credsp->client->realm.length ] = '\0'; |
| 459 | strncpy( client.cell, buf, sizeof( client.cell ) - 1 ); |
| 403921ef |
460 | |
| 58bbdc54 |
461 | /* assemble the server's cell */ |
| 403921ef |
462 | strncpy( server.cell, cfg->afs_cell , sizeof( server.cell ) - 1 ); |
| 7193eb01 |
463 | |
| 464 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 465 | "mod_waklog: server: name=%s, instance=%s, cell=%s", |
| 466 | server.name, server.instance, server.cell ); |
| 467 | |
| 468 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 469 | "mod_waklog: client: name=%s, instance=%s, cell=%s", |
| 470 | client.name, client.instance, client.cell ); |
| 471 | |
| 472 | /* use the path */ |
| 473 | krb_set_tkt_string( (char *)k4path ); |
| 474 | |
| 475 | /* rumor: we have to do this for AIX 4.1.4 with AFS 3.4+ */ |
| 476 | write( 2, "", 0 ); |
| 477 | |
| 478 | if ( ( rc = ktc_SetToken( &server, &token, &client, 0 ) ) ) { |
| 58bbdc54 |
479 | ap_log_error( APLOG_MARK, APLOG_ERR, r->server, |
| 7193eb01 |
480 | "mod_waklog: settoken returned %d", rc ); |
| 58bbdc54 |
481 | goto cleanup; |
| 7193eb01 |
482 | } |
| 483 | |
| 484 | /* save this */ |
| 58bbdc54 |
485 | memmove( &child.token, &token, sizeof( struct ktc_token ) ); |
| 7193eb01 |
486 | |
| 487 | /* we'll need to unlog when this connection is done. */ |
| e2df6441 |
488 | ap_register_cleanup( r->pool, (void *)r, token_cleanup, ap_null_cleanup ); |
| 7193eb01 |
489 | } |
| 490 | |
| e2df6441 |
491 | cleanup: |
| 492 | if ( v5credsp ) |
| 493 | krb5_free_cred_contents( kcontext, v5credsp ); |
| 494 | if ( increds.client ) |
| 495 | krb5_free_principal( kcontext, increds.client ); |
| 496 | if ( increds.server ) |
| 497 | krb5_free_principal( kcontext, increds.server ); |
| 498 | if ( kccache ) |
| 499 | krb5_cc_close( kcontext, kccache ); |
| 500 | if ( kcontext ) |
| 501 | krb5_free_context( kcontext ); |
| 3ed1e28a |
502 | |
| 7193eb01 |
503 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 504 | "mod_waklog: finished with waklog_aklog" ); |
| 505 | |
| e2df6441 |
506 | return; |
| 507 | |
| 4e1ae1cd |
508 | } |
| 509 | |
| e21f34f0 |
510 | static int |
| 511 | waklog_child_routine( void *s, child_info *pinfo ) |
| 512 | { |
| e21f34f0 |
513 | if ( !getuid() ) { |
| 132ef613 |
514 | ap_log_error( APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s, |
| e21f34f0 |
515 | "mod_waklog: waklog_child_routine called as root" ); |
| 516 | |
| 517 | /* this was causing the credential file to get owned by root */ |
| 518 | setgid(ap_group_id); |
| 519 | setuid(ap_user_id); |
| 520 | } |
| 521 | |
| 522 | while( 1 ) { |
| e2df6441 |
523 | waklog_kinit( s ); |
| 58bbdc54 |
524 | sleep( SLEEP_TIME ); |
| e21f34f0 |
525 | } |
| 526 | |
| 527 | } |
| 528 | |
| 529 | |
| 530 | static void |
| 531 | waklog_init( server_rec *s, pool *p ) |
| 532 | { |
| 533 | extern char *version; |
| 534 | int pid; |
| 535 | |
| 536 | ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, s, |
| 537 | "mod_waklog: version %s initialized.", version ); |
| 538 | |
| 539 | pid = ap_bspawn_child( p, waklog_child_routine, s, kill_always, |
| 540 | NULL, NULL, NULL ); |
| 541 | |
| 132ef613 |
542 | ap_log_error( APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s, |
| e21f34f0 |
543 | "mod_waklog: ap_bspawn_child: %d.", pid ); |
| 544 | } |
| 545 | |
| 4e1ae1cd |
546 | |
| bed98ff9 |
547 | static int |
| 7193eb01 |
548 | waklog_phase0( request_rec *r ) |
| bed98ff9 |
549 | { |
| 313dde40 |
550 | waklog_host_config *cfg; |
| 551 | |
| 7193eb01 |
552 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 553 | "mod_waklog: phase0 called" ); |
| 554 | |
| 313dde40 |
555 | /* directory config? */ |
| 556 | cfg = (waklog_host_config *)ap_get_module_config( |
| 557 | r->per_dir_config, &waklog_module); |
| bed98ff9 |
558 | |
| 313dde40 |
559 | /* server config? */ |
| 560 | if ( !cfg->configured ) { |
| 7193eb01 |
561 | cfg = (waklog_host_config *)ap_get_module_config( |
| 562 | r->server->module_config, &waklog_module); |
| 313dde40 |
563 | } |
| 564 | |
| 7193eb01 |
565 | if ( !cfg->protect ) { |
| 4e1ae1cd |
566 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 7193eb01 |
567 | "mod_waklog: phase0 declining" ); |
| 568 | return( DECLINED ); |
| 569 | } |
| 4e1ae1cd |
570 | |
| 7193eb01 |
571 | /* do this only if we are still unauthenticated */ |
| 58bbdc54 |
572 | if ( !child.token.ticketLen ) { |
| 4e1ae1cd |
573 | |
| e21f34f0 |
574 | /* set our environment variables */ |
| 575 | ap_table_set( r->subprocess_env, "KRB5CCNAME", K5PATH ); |
| 576 | ap_table_set( r->subprocess_env, "KRBTKFILE", K4PATH ); |
| 3ed1e28a |
577 | |
| 7193eb01 |
578 | /* stuff the credentials into the kernel */ |
| 579 | waklog_aklog( r ); |
| 4e1ae1cd |
580 | } |
| 7193eb01 |
581 | |
| 582 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 583 | "mod_waklog: phase0 returning" ); |
| 584 | return DECLINED; |
| 585 | } |
| 4e1ae1cd |
586 | |
| 1e18ef7d |
587 | |
| 7193eb01 |
588 | static int |
| 589 | waklog_phase7( request_rec *r ) |
| 590 | { |
| 591 | waklog_host_config *cfg; |
| 1e18ef7d |
592 | |
| 7193eb01 |
593 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 594 | "mod_waklog: phase7 called" ); |
| 1e18ef7d |
595 | |
| 7193eb01 |
596 | /* directory config? */ |
| 597 | cfg = (waklog_host_config *)ap_get_module_config( |
| 598 | r->per_dir_config, &waklog_module); |
| 1e18ef7d |
599 | |
| 7193eb01 |
600 | /* server config? */ |
| 601 | if ( !cfg->configured ) { |
| 602 | cfg = (waklog_host_config *)ap_get_module_config( |
| 603 | r->server->module_config, &waklog_module); |
| bed98ff9 |
604 | } |
| 605 | |
| 7193eb01 |
606 | if ( !cfg->protect ) { |
| 607 | return( DECLINED ); |
| bed98ff9 |
608 | } |
| 609 | |
| 7193eb01 |
610 | /* stuff the credentials into the kernel */ |
| 611 | waklog_aklog( r ); |
| bed98ff9 |
612 | |
| 7193eb01 |
613 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, |
| 614 | "mod_waklog: phase7 returning" ); |
| bed98ff9 |
615 | |
| 7193eb01 |
616 | return DECLINED; |
| bed98ff9 |
617 | } |
| 618 | |
| 7193eb01 |
619 | static void |
| 620 | waklog_new_connection( conn_rec *c ) { |
| 621 | ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, c->server, |
| 58bbdc54 |
622 | "mod_waklog: new_connection called: pid: %d", getpid() ); |
| 7193eb01 |
623 | return; |
| 624 | } |
| bed98ff9 |
625 | |
| 313dde40 |
626 | module MODULE_VAR_EXPORT waklog_module = { |
| bed98ff9 |
627 | STANDARD_MODULE_STUFF, |
| 313dde40 |
628 | waklog_init, /* module initializer */ |
| 629 | waklog_create_dir_config, /* create per-dir config structures */ |
| bed98ff9 |
630 | NULL, /* merge per-dir config structures */ |
| 313dde40 |
631 | waklog_create_server_config, /* create per-server config structures */ |
| bed98ff9 |
632 | NULL, /* merge per-server config structures */ |
| 313dde40 |
633 | waklog_cmds, /* table of config file commands */ |
| bed98ff9 |
634 | NULL, /* [#8] MIME-typed-dispatched handlers */ |
| 635 | NULL, /* [#1] URI to filename translation */ |
| 636 | NULL, /* [#4] validate user id from request */ |
| 637 | NULL, /* [#5] check if the user is ok _here_ */ |
| 638 | NULL, /* [#3] check access by host address */ |
| 639 | NULL, /* [#6] determine MIME type */ |
| 7193eb01 |
640 | waklog_phase7, /* [#7] pre-run fixups */ |
| bed98ff9 |
641 | NULL, /* [#9] log a transaction */ |
| 313dde40 |
642 | NULL, /* [#2] header parser */ |
| 643 | waklog_child_init, /* child_init */ |
| bed98ff9 |
644 | NULL, /* child_exit */ |
| 7193eb01 |
645 | waklog_phase0 /* [#0] post read-request */ |
| bed98ff9 |
646 | #ifdef EAPI |
| 647 | ,NULL, /* EAPI: add_module */ |
| 648 | NULL, /* EAPI: remove_module */ |
| 649 | NULL, /* EAPI: rewrite_command */ |
| 7193eb01 |
650 | waklog_new_connection /* EAPI: new_connection */ |
| bed98ff9 |
651 | #endif |
| 652 | }; |
HCoop / hcoop / debian / libapache-mod-waklog.git / blame