2 #include "http_config.h"
3 #include "http_conf_globals.h"
5 #include "http_protocol.h"
6 #include "http_request.h"
12 #include <sys/ioccom.h>
15 #include <afs/venus.h>
19 #define KEYTAB "/home/drh/keytab.umweb.drhtest"
20 #define KEYTAB_PRINCIPAL "umweb/drhtest"
22 #define TKT_LIFE 10*60*60
23 #define SLEEP_TIME 5*60 /* should be TKT_LIFE */
25 #define AFS_CELL "umich.edu" /* NB: lower case */
27 #define K5PATH "FILE:/tmp/waklog.creds.k5"
28 #define K4PATH "/tmp/waklog.creds.k4"
34 char HandShakeKey
[ 8 ];
44 char *keytab_principal
;
49 struct ktc_token token
;
50 } waklog_child_config
;
51 waklog_child_config child
;
55 waklog_create_server_config( pool
*p
, server_rec
*s
)
57 waklog_host_config
*cfg
;
59 cfg
= (waklog_host_config
*)ap_pcalloc( p
, sizeof( waklog_host_config
));
63 cfg
->keytab_principal
= KEYTAB_PRINCIPAL
;
64 cfg
->afs_cell
= AFS_CELL
;
71 set_waklog_protect( cmd_parms
*params
, void *mconfig
, int flag
)
73 waklog_host_config
*cfg
;
75 if ( params
->path
== NULL
) {
76 cfg
= (waklog_host_config
*) ap_get_module_config(
77 params
->server
->module_config
, &waklog_module
);
79 cfg
= (waklog_host_config
*)mconfig
;
89 set_waklog_use_keytab( cmd_parms
*params
, void *mconfig
, char *file
)
91 waklog_host_config
*cfg
;
93 if ( params
->path
== NULL
) {
94 cfg
= (waklog_host_config
*) ap_get_module_config(
95 params
->server
->module_config
, &waklog_module
);
97 cfg
= (waklog_host_config
*)mconfig
;
100 ap_log_error( APLOG_MARK
, APLOG_INFO
|APLOG_NOERRNO
, params
->server
,
101 "mod_waklog: using keytab: %s", file
);
110 set_waklog_use_keytab_principal( cmd_parms
*params
, void *mconfig
, char *file
)
112 waklog_host_config
*cfg
;
114 if ( params
->path
== NULL
) {
115 cfg
= (waklog_host_config
*) ap_get_module_config(
116 params
->server
->module_config
, &waklog_module
);
118 cfg
= (waklog_host_config
*)mconfig
;
121 ap_log_error( APLOG_MARK
, APLOG_INFO
|APLOG_NOERRNO
, params
->server
,
122 "mod_waklog: using keytab_principal: %s", file
);
124 cfg
->keytab_principal
= file
;
131 set_waklog_use_afs_cell( cmd_parms
*params
, void *mconfig
, char *file
)
133 waklog_host_config
*cfg
;
135 if ( params
->path
== NULL
) {
136 cfg
= (waklog_host_config
*) ap_get_module_config(
137 params
->server
->module_config
, &waklog_module
);
139 cfg
= (waklog_host_config
*)mconfig
;
142 ap_log_error( APLOG_MARK
, APLOG_INFO
|APLOG_NOERRNO
, params
->server
,
143 "mod_waklog: using afs_cell: %s", file
);
145 cfg
->afs_cell
= file
;
152 waklog_child_init( server_rec
*s
, pool
*p
)
155 memset( &child
.token
, 0, sizeof( struct ktc_token
) );
163 command_rec waklog_cmds
[ ] =
165 { "WaklogProtected", set_waklog_protect
,
166 NULL
, RSRC_CONF
| ACCESS_CONF
, FLAG
,
167 "enable waklog on a location or directory basis" },
169 { "WaklogUseKeytabPath", set_waklog_use_keytab
,
170 NULL
, RSRC_CONF
, TAKE1
,
171 "Use the supplied keytab rather than the default" },
173 { "WaklogUseKeytabPrincipal", set_waklog_use_keytab_principal
,
174 NULL
, RSRC_CONF
, TAKE1
,
175 "Use the supplied keytab principal rather than the default" },
177 { "WaklogUseAFSCell", set_waklog_use_afs_cell
,
178 NULL
, RSRC_CONF
, TAKE1
,
179 "Use the supplied AFS cell rather than the default" },
186 token_cleanup( void *data
)
188 request_rec
*r
= (request_rec
*)data
;
190 if ( child
.token
.ticketLen
) {
191 memset( &child
.token
, 0, sizeof( struct ktc_token
) );
193 ktc_ForgetAllTokens();
195 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
196 "mod_waklog: ktc_ForgetAllTokens succeeded: pid: %d", getpid() );
203 waklog_kinit( server_rec
*s
)
205 krb5_error_code kerror
;
206 krb5_context kcontext
= NULL
;
207 krb5_principal kprinc
= NULL
;
208 krb5_get_init_creds_opt kopts
;
210 krb5_ccache kccache
= NULL
;
211 krb5_keytab keytab
= NULL
;
212 char ktbuf
[ MAX_KEYTAB_NAME_LEN
+ 1 ];
213 waklog_host_config
*cfg
;
215 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, s
,
216 "mod_waklog: waklog_kinit called" );
218 cfg
= (waklog_host_config
*) ap_get_module_config( s
->module_config
,
221 if (( kerror
= krb5_init_context( &kcontext
))) {
222 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
223 (char *)error_message( kerror
));
229 if (( kerror
= krb5_cc_resolve( kcontext
, K5PATH
, &kccache
)) != 0 ) {
230 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
231 (char *)error_message( kerror
));
236 if (( kerror
= krb5_parse_name( kcontext
, cfg
->keytab_principal
, &kprinc
))) {
237 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
238 (char *)error_message( kerror
));
243 krb5_get_init_creds_opt_init( &kopts
);
244 krb5_get_init_creds_opt_set_tkt_life( &kopts
, TKT_LIFE
);
245 krb5_get_init_creds_opt_set_renew_life( &kopts
, 0 );
246 krb5_get_init_creds_opt_set_forwardable( &kopts
, 1 );
247 krb5_get_init_creds_opt_set_proxiable( &kopts
, 0 );
249 /* keytab from config */
250 strncpy( ktbuf
, cfg
->keytab
, sizeof( ktbuf
) - 1 );
252 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, s
,
253 "mod_waklog: waklog_kinit using: %s", ktbuf
);
255 if (( kerror
= krb5_kt_resolve( kcontext
, ktbuf
, &keytab
)) != 0 ) {
256 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
257 (char *)error_message( kerror
));
263 if (( kerror
= krb5_get_init_creds_keytab( kcontext
, &v5creds
,
264 kprinc
, keytab
, 0, NULL
, &kopts
))) {
266 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
267 (char *)error_message( kerror
));
272 if (( kerror
= krb5_verify_init_creds( kcontext
, &v5creds
,
273 kprinc
, keytab
, NULL
, NULL
)) != 0 ) {
275 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
276 (char *)error_message( kerror
));
281 if (( kerror
= krb5_cc_initialize( kcontext
, kccache
, kprinc
)) != 0 ) {
282 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
283 (char *)error_message( kerror
));
288 kerror
= krb5_cc_store_cred( kcontext
, kccache
, &v5creds
);
289 krb5_free_cred_contents( kcontext
, &v5creds
);
291 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
292 (char *)error_message( kerror
));
297 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, s
,
298 "mod_waklog: waklog_kinit success" );
302 (void)krb5_kt_close( kcontext
, keytab
);
304 krb5_free_principal( kcontext
, kprinc
);
306 krb5_cc_close( kcontext
, kccache
);
308 krb5_free_context( kcontext
);
310 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, s
,
311 "mod_waklog: waklog_kinit: exiting" );
318 waklog_aklog( request_rec
*r
)
322 const char *k4path
= NULL
;
323 const char *k5path
= NULL
;
324 krb5_error_code kerror
;
325 krb5_context kcontext
= NULL
;
327 krb5_creds
*v5credsp
= NULL
;
328 krb5_ccache kccache
= NULL
;
329 struct ktc_principal server
= { "afs", "", "" };
330 struct ktc_principal client
;
331 struct ktc_token token
;
332 waklog_host_config
*cfg
;
335 k5path
= ap_table_get( r
->subprocess_env
, "KRB5CCNAME" );
336 k4path
= ap_table_get( r
->subprocess_env
, "KRBTKFILE" );
338 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
339 "mod_waklog: waklog_aklog called: k5path: %s, k4path: %s", k5path
, k4path
);
341 if ( !k5path
|| !k4path
) {
342 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
343 "mod_waklog: waklog_aklog giving up" );
348 ** Get/build creds from file/tgs, then see if we need to SetToken
351 if (( kerror
= krb5_init_context( &kcontext
))) {
352 /* Authentication Required ( kerberos error ) */
353 ap_log_error( APLOG_MARK
, APLOG_ERR
, r
->server
,
354 (char *)error_message( kerror
));
359 memset( (char *)&increds
, 0, sizeof(increds
));
361 cfg
= (waklog_host_config
*) ap_get_module_config(
362 r
->server
->module_config
, &waklog_module
);
364 /* afs/<cell> or afs */
365 strncpy( buf
, "afs", sizeof( buf
) - 1 );
366 if ( strcmp( cfg
->afs_cell
, AFS_CELL
) ) {
367 strncat( buf
, "/" , sizeof( buf
) - strlen( buf
) - 1 );
368 strncat( buf
, cfg
->afs_cell
, sizeof( buf
) - strlen( buf
) - 1 );
371 /* set server part */
372 if (( kerror
= krb5_parse_name( kcontext
, buf
, &increds
.server
))) {
373 ap_log_error( APLOG_MARK
, APLOG_ERR
, r
->server
,
374 (char *)error_message( kerror
));
379 if (( kerror
= krb5_cc_resolve( kcontext
, k5path
, &kccache
)) != 0 ) {
380 ap_log_error( APLOG_MARK
, APLOG_ERR
, r
->server
,
381 (char *)error_message( kerror
));
386 /* set client part */
387 krb5_cc_get_principal( kcontext
, kccache
, &increds
.client
);
389 increds
.times
.endtime
= 0;
390 /* Ask for DES since that is what V4 understands */
391 increds
.keyblock
.enctype
= ENCTYPE_DES_CBC_CRC
;
393 /* get the V5 credentials */
394 if (( kerror
= krb5_get_credentials( kcontext
, 0, kccache
,
395 &increds
, &v5credsp
) ) ) {
396 ap_log_error( APLOG_MARK
, APLOG_ERR
, r
->server
,
397 "mod_waklog: krb5_get_credentials: %s", error_message( kerror
));
402 if ( v5credsp
->ticket
.length
>= 344 ) { /* from krb524d.c */
403 ap_log_error( APLOG_MARK
, APLOG_ERR
, r
->server
,
404 "mod_waklog: ticket size (%d) to big to fake", v5credsp
->ticket
.length
);
408 /* assemble the token */
409 memset( &token
, 0, sizeof( struct ktc_token
) );
411 token
.startTime
= v5credsp
->times
.starttime
? v5credsp
->times
.starttime
: v5credsp
->times
.authtime
;
412 token
.endTime
= v5credsp
->times
.endtime
;
413 memmove( &token
.sessionKey
, v5credsp
->keyblock
.contents
, v5credsp
->keyblock
.length
);
414 token
.kvno
= RXKAD_TKT_TYPE_KERBEROS_V5
;
415 token
.ticketLen
= v5credsp
->ticket
.length
;
416 memmove( token
.ticket
, v5credsp
->ticket
.data
, token
.ticketLen
);
418 /* make sure we have to do this */
419 if ( child
.token
.kvno
!= token
.kvno
||
420 child
.token
.ticketLen
!= token
.ticketLen
||
421 (memcmp( &child
.token
.sessionKey
, &token
.sessionKey
,
422 sizeof( token
.sessionKey
) )) ||
423 (memcmp( child
.token
.ticket
, token
.ticket
, token
.ticketLen
)) ) {
425 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
426 "mod_waklog: client: %s", buf
);
429 memmove( buf
, v5credsp
->client
->data
[0].data
, v5credsp
->client
->data
[0].length
);
430 buf
[ v5credsp
->client
->data
[0].length
] = '\0';
431 if ( v5credsp
->client
->length
> 1 ) {
432 strncat( buf
, ".", sizeof( buf
) - strlen( buf
) - 1 );
433 buflen
= strlen( buf
);
434 memmove( buf
+ buflen
, v5credsp
->client
->data
[1].data
, v5credsp
->client
->data
[1].length
);
435 buf
[ buflen
+ v5credsp
->client
->data
[1].length
] = '\0';
438 /* assemble the client */
439 strncpy( client
.name
, buf
, sizeof( client
.name
) - 1 );
440 strncpy( client
.instance
, "", sizeof( client
.instance
) - 1 );
441 memmove( buf
, v5credsp
->client
->realm
.data
, v5credsp
->client
->realm
.length
);
442 buf
[ v5credsp
->client
->realm
.length
] = '\0';
443 strncpy( client
.cell
, buf
, sizeof( client
.cell
) - 1 );
445 /* assemble the server's cell */
446 strncpy( server
.cell
, cfg
->afs_cell
, sizeof( server
.cell
) - 1 );
448 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
449 "mod_waklog: server: name=%s, instance=%s, cell=%s",
450 server
.name
, server
.instance
, server
.cell
);
452 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
453 "mod_waklog: client: name=%s, instance=%s, cell=%s",
454 client
.name
, client
.instance
, client
.cell
);
457 krb_set_tkt_string( (char *)k4path
);
459 /* rumor: we have to do this for AIX 4.1.4 with AFS 3.4+ */
462 if ( ( rc
= ktc_SetToken( &server
, &token
, &client
, 0 ) ) ) {
463 ap_log_error( APLOG_MARK
, APLOG_ERR
, r
->server
,
464 "mod_waklog: settoken returned %d", rc
);
469 memmove( &child
.token
, &token
, sizeof( struct ktc_token
) );
471 /* we'll need to unlog when this connection is done. */
472 ap_register_cleanup( r
->pool
, (void *)r
, token_cleanup
, ap_null_cleanup
);
477 krb5_free_cred_contents( kcontext
, v5credsp
);
478 if ( increds
.client
)
479 krb5_free_principal( kcontext
, increds
.client
);
480 if ( increds
.server
)
481 krb5_free_principal( kcontext
, increds
.server
);
483 krb5_cc_close( kcontext
, kccache
);
485 krb5_free_context( kcontext
);
487 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
488 "mod_waklog: finished with waklog_aklog" );
495 waklog_child_routine( void *s
, child_info
*pinfo
)
498 ap_log_error( APLOG_MARK
, APLOG_ERR
|APLOG_NOERRNO
, s
,
499 "mod_waklog: waklog_child_routine called as root" );
501 /* this was causing the credential file to get owned by root */
515 waklog_init( server_rec
*s
, pool
*p
)
517 extern char *version
;
520 ap_log_error( APLOG_MARK
, APLOG_INFO
|APLOG_NOERRNO
, s
,
521 "mod_waklog: version %s initialized.", version
);
523 pid
= ap_bspawn_child( p
, waklog_child_routine
, s
, kill_always
,
526 ap_log_error( APLOG_MARK
, APLOG_ERR
|APLOG_NOERRNO
, s
,
527 "mod_waklog: ap_bspawn_child: %d.", pid
);
532 waklog_phase0( request_rec
*r
)
534 waklog_host_config
*cfg
;
536 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
537 "mod_waklog: phase0 called" );
539 /* directory config? */
540 cfg
= (waklog_host_config
*)ap_get_module_config(
541 r
->per_dir_config
, &waklog_module
);
544 if ( !cfg
->configured
) {
545 cfg
= (waklog_host_config
*)ap_get_module_config(
546 r
->server
->module_config
, &waklog_module
);
549 if ( !cfg
->protect
) {
550 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
551 "mod_waklog: phase0 declining" );
555 /* do this only if we are still unauthenticated */
556 if ( !child
.token
.ticketLen
) {
558 /* set our environment variables */
559 ap_table_set( r
->subprocess_env
, "KRB5CCNAME", K5PATH
);
560 ap_table_set( r
->subprocess_env
, "KRBTKFILE", K4PATH
);
562 /* stuff the credentials into the kernel */
566 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
567 "mod_waklog: phase0 returning" );
573 waklog_phase7( request_rec
*r
)
575 waklog_host_config
*cfg
;
577 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
578 "mod_waklog: phase7 called" );
580 /* directory config? */
581 cfg
= (waklog_host_config
*)ap_get_module_config(
582 r
->per_dir_config
, &waklog_module
);
585 if ( !cfg
->configured
) {
586 cfg
= (waklog_host_config
*)ap_get_module_config(
587 r
->server
->module_config
, &waklog_module
);
590 if ( !cfg
->protect
) {
594 /* stuff the credentials into the kernel */
597 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
598 "mod_waklog: phase7 returning" );
604 waklog_new_connection( conn_rec
*c
) {
605 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, c
->server
,
606 "mod_waklog: new_connection called: pid: %d", getpid() );
610 module MODULE_VAR_EXPORT waklog_module
= {
611 STANDARD_MODULE_STUFF
,
612 waklog_init
, /* module initializer */
613 NULL
, /* create per-dir config structures */
614 NULL
, /* merge per-dir config structures */
615 waklog_create_server_config
, /* create per-server config structures */
616 NULL
, /* merge per-server config structures */
617 waklog_cmds
, /* table of config file commands */
618 NULL
, /* [#8] MIME-typed-dispatched handlers */
619 NULL
, /* [#1] URI to filename translation */
620 NULL
, /* [#4] validate user id from request */
621 NULL
, /* [#5] check if the user is ok _here_ */
622 NULL
, /* [#3] check access by host address */
623 NULL
, /* [#6] determine MIME type */
624 waklog_phase7
, /* [#7] pre-run fixups */
625 NULL
, /* [#9] log a transaction */
626 NULL
, /* [#2] header parser */
627 waklog_child_init
, /* child_init */
628 NULL
, /* child_exit */
629 waklog_phase0
/* [#0] post read-request */
631 ,NULL
, /* EAPI: add_module */
632 NULL
, /* EAPI: remove_module */
633 NULL
, /* EAPI: rewrite_command */
634 waklog_new_connection
/* EAPI: new_connection */