[hcoop/zz_old/modwaklog.git] / mod_waklog.c

#include "httpd.h"
#include "http_config.h"
#include "http_conf_globals.h"
#include "http_log.h"
#include "http_protocol.h"
#include "http_request.h"
#include "http_core.h"
#include "ap_config.h"
#include <krb5.h>

#if defined(sun)
#include <sys/ioccom.h>
#endif /* sun */
#include <stropts.h>
#include <kerberosIV/krb.h>
#include <kerberosIV/des.h>
#include <afs/venus.h>
#include <afs/auth.h>
#include <rx/rxkad.h>

#include <asm/bitops.h>
#include <sys/shm.h>

#define KEYTAB_PATH "/home/drh/keytab.umweb.drhtest"
#define PRINCIPAL "umweb/drhtest"
#define AFS "afs"
#define IN_TKT_SERVICE "krbtgt/UMICH.EDU"

#define K5PATH "FILE:/tmp/waklog.creds.k5"
#define K4PATH "/tmp/waklog.creds.k4"

module waklog_module;

struct ClearToken {
    long AuthHandle;
    char HandShakeKey[ 8 ];
    long ViceId;
    long BeginTimestamp;
    long EndTimestamp;
};

typedef struct {
    int		configured;
    int		protect;
    char	*keytab;
    char	*keytab_principal;
    char	*afs_instance;
} waklog_host_config;

typedef struct {
	struct ktc_token	token;
} waklog_child_config;
waklog_child_config	*child = NULL;


    static void *
waklog_create_dir_config( pool *p, char *path )
{
    waklog_host_config *cfg;

    cfg = (waklog_host_config *)ap_pcalloc( p, sizeof( waklog_host_config ));
    cfg->configured = 0;
    cfg->protect = 0;
    cfg->keytab = 0;
    cfg->keytab_principal = 0;
    cfg->afs_instance = 0;

    return( cfg );
}


    static void *
waklog_create_server_config( pool *p, server_rec *s )
{
    waklog_host_config *cfg;

    cfg = (waklog_host_config *)ap_pcalloc( p, sizeof( waklog_host_config ));
    cfg->configured = 0;
    cfg->protect = 0;
    cfg->keytab = 0;
    cfg->keytab_principal = 0;
    cfg->afs_instance = 0;

    return( cfg );
}


    static const char *
set_waklog_protect( cmd_parms *params, void *mconfig, int flag )
{
    waklog_host_config          *cfg;

    if ( params->path == NULL ) {
        cfg = (waklog_host_config *) ap_get_module_config(
                params->server->module_config, &waklog_module );
    } else {
        cfg = (waklog_host_config *)mconfig;
    }

    cfg->protect = flag;
    cfg->configured = 1;
    return( NULL );
}


    static const char *
set_waklog_use_keytab( cmd_parms *params, void *mconfig, char *file  )
{
    waklog_host_config          *cfg;

    if ( params->path == NULL ) {
        cfg = (waklog_host_config *) ap_get_module_config(
                params->server->module_config, &waklog_module );
    } else {
        cfg = (waklog_host_config *)mconfig;
    }

    ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, params->server,
	    "mod_waklog: using keytab: %s", file );

    cfg->keytab = file;
    cfg->configured = 1;
    return( NULL );
}


    static void
waklog_child_init( server_rec *s, pool *p )
{

    if ( child  == NULL ) {
	child = (waklog_child_config *) ap_palloc( p, sizeof( waklog_child_config ) );
    }

    memset( &child->token, 0, sizeof( struct ktc_token ) );

    setpag();

    return;
}


command_rec waklog_cmds[ ] =
{
    { "WaklogProtected", set_waklog_protect,
    NULL, RSRC_CONF | ACCESS_CONF, FLAG,
    "enable waklog on a location or directory basis" },

    { "WaklogUseKeytab", set_waklog_use_keytab,
    NULL, RSRC_CONF, TAKE1,
    "Use the supplied keytab file rather than the user's TGT" },

    { NULL }
};


    static void
pioctl_cleanup( void *data )
{
    request_rec		*r = (request_rec *)data;

    if ( child->token.ticketLen ) {
	memset( &child->token, 0, sizeof( struct ktc_token ) );

	ktc_ForgetAllTokens();

	ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
	    "mod_waklog: ktc_ForgetAllTokens succeeded" );
    }
    return;
}


    static int
waklog_ktinit( server_rec *s )
{
    krb5_error_code		kerror;
    krb5_context		kcontext;
    krb5_principal		kprinc;
    krb5_get_init_creds_opt	kopts;
    krb5_creds			v5creds;
    CREDENTIALS			v4creds;
    krb5_ccache			kccache;
    krb5_keytab			keytab = 0;
    char			ktbuf[ MAX_KEYTAB_NAME_LEN + 1 ];
    krb5_timestamp		now;
    waklog_host_config		*cfg;

    ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
	"mod_waklog: waklog_ktinit called" );

    if (( kerror = krb5_init_context( &kcontext ))) {
	ap_log_error( APLOG_MARK, APLOG_ERR, s,
        	(char *)error_message( kerror ));

        goto cleanup1;
    }

    /* use the path */
    if (( kerror = krb5_cc_resolve( kcontext, K5PATH, &kccache )) != 0 ) {
	ap_log_error( APLOG_MARK, APLOG_ERR, s,
		(char *)error_message( kerror ));

    	goto cleanup2;
    }

   if (( kerror = krb5_parse_name( kcontext, PRINCIPAL, &kprinc ))) {
	ap_log_error( APLOG_MARK, APLOG_ERR, s,
		(char *)error_message( kerror ));

       	goto cleanup3;
    }

    krb5_get_init_creds_opt_init( &kopts );
    krb5_get_init_creds_opt_set_tkt_life( &kopts, 10*60*60 );
    krb5_get_init_creds_opt_set_renew_life( &kopts, 0 );
    krb5_get_init_creds_opt_set_forwardable( &kopts, 1 );
    krb5_get_init_creds_opt_set_proxiable( &kopts, 0 );

    cfg = (waklog_host_config *) ap_get_module_config( s->module_config,
	    &waklog_module );

    /* which keytab should we use? */
    strcpy( ktbuf, cfg->keytab ? cfg->keytab : KEYTAB_PATH );

    if ( strlen( ktbuf ) > MAX_KEYTAB_NAME_LEN ) {
	ap_log_error( APLOG_MARK, APLOG_ERR, s,
		"server configuration error" );

	goto cleanup4;
    }

    ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
	    "mod_waklog: waklog_ktinit using: %s", ktbuf );

    if (( kerror = krb5_kt_resolve( kcontext, ktbuf, &keytab )) != 0 ) {
	ap_log_error( APLOG_MARK, APLOG_ERR, s,
		(char *)error_message( kerror ));

    	goto cleanup4;
    }

    /* get the krbtgt */
    if (( kerror = krb5_get_init_creds_keytab( kcontext, &v5creds, 
		kprinc, keytab, 0, IN_TKT_SERVICE, &kopts ))) {

	ap_log_error( APLOG_MARK, APLOG_ERR, s,
		(char *)error_message( kerror ));

    	goto cleanup5;
    }

   if (( kerror = krb5_verify_init_creds( kcontext, &v5creds,
    	    kprinc, keytab, NULL, NULL )) != 0 ) {

	ap_log_error( APLOG_MARK, APLOG_ERR, s,
		(char *)error_message( kerror ));

    	goto cleanup6;
    }

    if (( kerror = krb5_cc_initialize( kcontext, kccache, kprinc )) != 0 ) {
	ap_log_error( APLOG_MARK, APLOG_ERR, s,
		(char *)error_message( kerror ));

    	goto cleanup6;
    }

    if (( kerror = krb5_cc_store_cred( kcontext, kccache, &v5creds )) != 0 ) {
	ap_log_error( APLOG_MARK, APLOG_ERR, s,
		(char *)error_message( kerror ));

    	goto cleanup6;
    }

    ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
	"mod_waklog: waklog_ktinit success" );

cleanup6: if ( v5creds.client == kprinc ) {
	      v5creds.client = 0;
	  }
	  krb5_free_cred_contents( kcontext, &v5creds );
cleanup5: (void)krb5_kt_close( kcontext, keytab );
cleanup4: krb5_free_principal( kcontext, kprinc );
cleanup3: krb5_cc_close( kcontext, kccache );
cleanup2: krb5_free_context( kcontext );
cleanup1:   

    ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
	"mod_waklog: waklog_ktinit: exiting" );

    return( 0 );
}


    static void
waklog_aklog( request_rec *r )
{
    int				rc;
    char			buf[ 1024 ];
    const char          	*k4path = NULL;
    const char          	*k5path = NULL;
    krb5_error_code		kerror;
    krb5_context		kcontext;
    krb5_creds			increds;
    krb5_creds			*v5credsp = NULL;
    CREDENTIALS			v4creds;
    krb5_ccache			kccache;
    struct ktc_principal	server = { "afs", "", "umich.edu" };
    struct ktc_principal	client;
    struct ktc_token		token;

    k5path = ap_table_get( r->subprocess_env, "KRB5CCNAME" );
    k4path = ap_table_get( r->subprocess_env, "KRBTKFILE" );

    ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
	"mod_waklog: waklog_aklog called: k5path: %s, k4path: %s", k5path, k4path );

    if ( !k5path || !k4path ) {   
	ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
		"mod_waklog: waklog_aklog giving up" );
	return;
    }

    /*
    ** Get/build creds from file/tgs, then see if we need to SetToken
    */

    if (( kerror = krb5_init_context( &kcontext ))) {
	/* Authentication Required ( kerberos error ) */
	ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
		(char *)error_message( kerror ));

	return;
    }

    memset( (char *)&increds, 0, sizeof(increds));

    /* set server part */
    if (( kerror = krb5_parse_name( kcontext, AFS, &increds.server ))) {
	ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
		(char *)error_message( kerror ));

	return;
    }

    if (( kerror = krb5_cc_resolve( kcontext, k5path, &kccache )) != 0 ) {
    	ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
    		(char *)error_message( kerror ));
    
        return;
    }

    /* set client part */
    krb5_cc_get_principal( kcontext, kccache, &increds.client );

    increds.times.endtime = 0;
    /* Ask for DES since that is what V4 understands */
    increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;

    /* get the V5 credentials */
    if (( kerror = krb5_get_credentials( kcontext, 0, kccache,
		&increds, &v5credsp ) ) ) {
	ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
	    "mod_waklog: krb5_get_credentials: %s", krb_err_txt[ kerror ] );
	return;
    }

    /* get the V4 credentials */
    if (( kerror = krb524_convert_creds_kdc( kcontext, v5credsp, &v4creds ) ) ) {
	ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
	    "mod_waklog: krb524_convert_creds_kdc: %s", krb_err_txt[ kerror ] );
	return;
    }

    /* assemble the token */
    token.kvno = v4creds.kvno;
    token.startTime = v4creds.issue_date;
    token.endTime = v5credsp->times.endtime;
    memmove( &token.sessionKey, v4creds.session, 8 );
    token.ticketLen = v4creds.ticket_st.length ;
    memmove( token.ticket, v4creds.ticket_st.dat, token.ticketLen );

    /* make sure we have to do this */
    if ( child->token.kvno != token.kvno ||
	    child->token.ticketLen != token.ticketLen ||
	    memcmp( &child->token.sessionKey, &token.sessionKey,
		    sizeof( token.sessionKey ) ) ||
	    memcmp( child->token.ticket, token.ticket, token.ticketLen ) ) {

	ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
		"mod_waklog: %s.%s@%s", v4creds.service, v4creds.instance,
		v4creds.realm );
	ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
		"mod_waklog: %d %d %d", v4creds.lifetime, v4creds.kvno,
		v4creds.issue_date );
	ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
		"mod_waklog: %s %s", v4creds.pname, v4creds.pinst );
	ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
		"mod_waklog: %d", v4creds.ticket_st.length );

	/* build the name */
	strcpy( buf, v4creds.pname );
	if ( v4creds.pinst[ 0 ] ) {
		strcat( buf, "." );
		strcat( buf, v4creds.pinst );
	}

	/* assemble the client */
	strncpy( client.name, buf, MAXKTCNAMELEN - 1 );
	strcpy( client.instance, "" );
	strncpy( client.cell, v4creds.realm, MAXKTCNAMELEN - 1 );

	ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
		"mod_waklog: server: name=%s, instance=%s, cell=%s",
		server.name, server.instance, server.cell );

	ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
		"mod_waklog: client: name=%s, instance=%s, cell=%s",
		 client.name, client.instance, client.cell );

	/* use the path */
	krb_set_tkt_string( (char *)k4path );

	/* rumor: we have to do this for AIX 4.1.4 with AFS 3.4+ */
	write( 2, "", 0 );

	if ( ( rc = ktc_SetToken( &server, &token, &client, 0 ) ) ) {
	    ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
		"mod_waklog: settoken returned %d", rc );
	}

	/* save this */
	memmove( &child->token, &token, sizeof( struct ktc_token ) );

	/* we'll need to unlog when this connection is done. */
	ap_register_cleanup( r->pool, (void *)r, pioctl_cleanup, ap_null_cleanup );
    }

    krb5_free_cred_contents( kcontext, v5credsp );
    krb5_free_principal( kcontext, increds.client );
    krb5_cc_close( kcontext, kccache );
    krb5_free_context( kcontext );

    ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
	        "mod_waklog: finished with waklog_aklog" );

}

    static int
waklog_child_routine( void *s, child_info *pinfo )
{
    if ( !getuid() ) {
	ap_log_error( APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
		"mod_waklog: waklog_child_routine called as root" );

	/* this was causing the credential file to get owned by root */
	setgid(ap_group_id);
	setuid(ap_user_id);
    }

    while( 1 ) {
	waklog_ktinit( s );
	sleep( 300 /* 10*60*60 - 5*60 */ );
    }

}


    static void
waklog_init( server_rec *s, pool *p )
{
    extern char	*version;
    int pid;

    ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, s,
	    "mod_waklog: version %s initialized.", version );

    pid = ap_bspawn_child( p, waklog_child_routine, s, kill_always,
	    NULL, NULL, NULL );

    ap_log_error( APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
	    "mod_waklog: ap_bspawn_child: %d.", pid );
}


    static int
waklog_phase0( request_rec *r )
{
    waklog_host_config  *cfg;

    ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
	"mod_waklog: phase0 called" );

    /* directory config? */
    cfg = (waklog_host_config *)ap_get_module_config(
            r->per_dir_config, &waklog_module);

    /* server config? */
    if ( !cfg->configured ) {
	cfg = (waklog_host_config *)ap_get_module_config(
	    r->server->module_config, &waklog_module);
    }

    if ( !cfg->protect ) {
	ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
	    "mod_waklog: phase0 declining" );
        return( DECLINED );
    }

    /* do this only if we are still unauthenticated */
    if ( !child->token.ticketLen ) {

	/* set our environment variables */
	ap_table_set( r->subprocess_env, "KRB5CCNAME", K5PATH );
	ap_table_set( r->subprocess_env, "KRBTKFILE", K4PATH );

	/* stuff the credentials into the kernel */
	waklog_aklog( r );
    }
    
    ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
	"mod_waklog: phase0 returning" );
    return DECLINED;
}


    static int
waklog_phase7( request_rec *r )
{
    waklog_host_config	*cfg;

    ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
	"mod_waklog: phase7 called" );

    /* directory config? */
    cfg = (waklog_host_config *)ap_get_module_config(
            r->per_dir_config, &waklog_module);

    /* server config? */
    if ( !cfg->configured ) {
	cfg = (waklog_host_config *)ap_get_module_config(
	    r->server->module_config, &waklog_module);
    }

    if ( !cfg->protect ) {
        return( DECLINED );
    }

    /* stuff the credentials into the kernel */
    waklog_aklog( r );

    ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
	"mod_waklog: phase7 returning" );

    return DECLINED;
}

    static void
waklog_new_connection( conn_rec *c ) {
    ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, c->server,
	"mod_waklog: new_connection called: conn_rec: 0x%08x pid: %d", c, getpid() );
    return;
}

module MODULE_VAR_EXPORT waklog_module = {
    STANDARD_MODULE_STUFF, 
    waklog_init,              /* module initializer                  */
    waklog_create_dir_config, /* create per-dir    config structures */
    NULL,                  /* merge  per-dir    config structures */
    waklog_create_server_config, /* create per-server config structures */
    NULL,                  /* merge  per-server config structures */
    waklog_cmds,           /* table of config file commands       */
    NULL,                  /* [#8] MIME-typed-dispatched handlers */
    NULL,                  /* [#1] URI to filename translation    */
    NULL,                  /* [#4] validate user id from request  */
    NULL,                  /* [#5] check if the user is ok _here_ */
    NULL,                  /* [#3] check access by host address   */
    NULL,                  /* [#6] determine MIME type            */
    waklog_phase7,         /* [#7] pre-run fixups                 */
    NULL,                  /* [#9] log a transaction              */
    NULL,                  /* [#2] header parser                  */
    waklog_child_init,     /* child_init                          */
    NULL,                  /* child_exit                          */
    waklog_phase0          /* [#0] post read-request              */
#ifdef EAPI
   ,NULL,                  /* EAPI: add_module                    */
    NULL,                  /* EAPI: remove_module                 */
    NULL,                  /* EAPI: rewrite_command               */
    waklog_new_connection  /* EAPI: new_connection                */
#endif
};
Commit	Line	Data
bed98ff9	1	#include "httpd.h"
bed98ff9	2	#include "http_config.h"
7193eb01	3	#include "http_conf_globals.h"
bed98ff9	4	#include "http_log.h"
7193eb01	5	#include "http_protocol.h"
	6	#include "http_request.h"
	7	#include "http_core.h"
bed98ff9	8	#include "ap_config.h"
4e1ae1cd	9	#include <krb5.h>
bed98ff9	10
7193eb01	11	#if defined(sun)
bed98ff9	12	#include <sys/ioccom.h>
7193eb01	13	#endif /* sun */
bed98ff9	14	#include <stropts.h>
	15	#include <kerberosIV/krb.h>
	16	#include <kerberosIV/des.h>
	17	#include <afs/venus.h>
7193eb01	18	#include <afs/auth.h>
	19	#include <rx/rxkad.h>
	20
	21	#include <asm/bitops.h>
	22	#include <sys/shm.h>
bed98ff9	23
7193eb01	24	#define KEYTAB_PATH "/home/drh/keytab.umweb.drhtest"
	25	#define PRINCIPAL "umweb/drhtest"
	26	#define AFS "afs"
4e1ae1cd	27	#define IN_TKT_SERVICE "krbtgt/UMICH.EDU"
4e1ae1cd	28
7193eb01	29	#define K5PATH "FILE:/tmp/waklog.creds.k5"
	30	#define K4PATH "/tmp/waklog.creds.k4"
	31
313dde40	32	module waklog_module;
bed98ff9	33
	34	struct ClearToken {
	35	long AuthHandle;
	36	char HandShakeKey[ 8 ];
	37	long ViceId;
	38	long BeginTimestamp;
	39	long EndTimestamp;
	40	};
	41
313dde40	42	typedef struct {
4e1ae1cd	43	int configured;
	44	int protect;
	45	char *keytab;
7193eb01	46	char *keytab_principal;
7193eb01	47	char *afs_instance;
313dde40	48	} waklog_host_config;
313dde40	49
7193eb01	50	typedef struct {
	51	struct ktc_token token;
	52	} waklog_child_config;
	53	waklog_child_config *child = NULL;
313dde40	54
e21f34f0	55
313dde40	56	static void *
	57	waklog_create_dir_config( pool p, char path )
	58	{
	59	waklog_host_config *cfg;
	60
	61	cfg = (waklog_host_config *)ap_pcalloc( p, sizeof( waklog_host_config ));
	62	cfg->configured = 0;
	63	cfg->protect = 0;
7193eb01	64	cfg->keytab = 0;
	65	cfg->keytab_principal = 0;
	66	cfg->afs_instance = 0;
313dde40	67
	68	return( cfg );
	69	}
	70
	71
	72	static void *
	73	waklog_create_server_config( pool p, server_rec s )
	74	{
	75	waklog_host_config *cfg;
	76
	77	cfg = (waklog_host_config *)ap_pcalloc( p, sizeof( waklog_host_config ));
	78	cfg->configured = 0;
	79	cfg->protect = 0;
7193eb01	80	cfg->keytab = 0;
	81	cfg->keytab_principal = 0;
	82	cfg->afs_instance = 0;
313dde40	83
	84	return( cfg );
	85	}
	86
	87
313dde40	88	static const char *
	89	set_waklog_protect( cmd_parms params, void mconfig, int flag )
	90	{
	91	waklog_host_config *cfg;
	92
	93	if ( params->path == NULL ) {
	94	cfg = (waklog_host_config *) ap_get_module_config(
	95	params->server->module_config, &waklog_module );
	96	} else {
	97	cfg = (waklog_host_config *)mconfig;
	98	}
	99
	100	cfg->protect = flag;
	101	cfg->configured = 1;
	102	return( NULL );
	103	}
	104
	105
4e1ae1cd	106	static const char *
	107	set_waklog_use_keytab( cmd_parms params, void mconfig, char *file )
	108	{
	109	waklog_host_config *cfg;
	110
	111	if ( params->path == NULL ) {
	112	cfg = (waklog_host_config *) ap_get_module_config(
	113	params->server->module_config, &waklog_module );
	114	} else {
	115	cfg = (waklog_host_config *)mconfig;
	116	}
	117
3ed1e28a	118	ap_log_error( APLOG_MARK, APLOG_INFO\|APLOG_NOERRNO, params->server,
	119	"mod_waklog: using keytab: %s", file );
	120
4e1ae1cd	121	cfg->keytab = file;
	122	cfg->configured = 1;
	123	return( NULL );
	124	}
	125
	126
b74fad73	127	static void
313dde40	128	waklog_child_init( server_rec s, pool p )
b74fad73	129	{
7193eb01	130
	131	if ( child == NULL ) {
	132	child = (waklog_child_config *) ap_palloc( p, sizeof( waklog_child_config ) );
	133	}
	134
	135	memset( &child->token, 0, sizeof( struct ktc_token ) );
	136
b74fad73	137	setpag();
7193eb01	138
b74fad73	139	return;
	140	}
	141
	142
313dde40	143	command_rec waklog_cmds[ ] =
	144	{
	145	{ "WaklogProtected", set_waklog_protect,
	146	NULL, RSRC_CONF \| ACCESS_CONF, FLAG,
	147	"enable waklog on a location or directory basis" },
	148
4e1ae1cd	149	{ "WaklogUseKeytab", set_waklog_use_keytab,
	150	NULL, RSRC_CONF, TAKE1,
	151	"Use the supplied keytab file rather than the user's TGT" },
	152
313dde40	153	{ NULL }
	154	};
	155
	156
bed98ff9	157	static void
	158	pioctl_cleanup( void *data )
	159	{
	160	request_rec r = (request_rec )data;
bed98ff9	161
7193eb01	162	if ( child->token.ticketLen ) {
7193eb01	163	memset( &child->token, 0, sizeof( struct ktc_token ) );
bed98ff9	164
7193eb01	165	ktc_ForgetAllTokens();
bed98ff9	166
7193eb01	167	ap_log_error( APLOG_MARK, APLOG_NOERRNO\|APLOG_ERR, r->server,
	168	"mod_waklog: ktc_ForgetAllTokens succeeded" );
	169	}
b74fad73	170	return;
bed98ff9	171	}
	172
	173
4e1ae1cd	174	static int
e21f34f0	175	waklog_ktinit( server_rec *s )
4e1ae1cd	176	{
	177	krb5_error_code kerror;
	178	krb5_context kcontext;
	179	krb5_principal kprinc;
4e1ae1cd	180	krb5_get_init_creds_opt kopts;
7193eb01	181	krb5_creds v5creds;
7193eb01	182	CREDENTIALS v4creds;
4e1ae1cd	183	krb5_ccache kccache;
	184	krb5_keytab keytab = 0;
	185	char ktbuf[ MAX_KEYTAB_NAME_LEN + 1 ];
7193eb01	186	krb5_timestamp now;
e21f34f0	187	waklog_host_config *cfg;
4e1ae1cd	188
e21f34f0	189	ap_log_error( APLOG_MARK, APLOG_NOERRNO\|APLOG_ERR, s,
7193eb01	190	"mod_waklog: waklog_ktinit called" );
4e1ae1cd	191
e21f34f0	192	if (( kerror = krb5_init_context( &kcontext ))) {
	193	ap_log_error( APLOG_MARK, APLOG_ERR, s,
	194	(char *)error_message( kerror ));
4e1ae1cd	195
e21f34f0	196	goto cleanup1;
e21f34f0	197	}
4e1ae1cd	198
e21f34f0	199	/* use the path */
	200	if (( kerror = krb5_cc_resolve( kcontext, K5PATH, &kccache )) != 0 ) {
	201	ap_log_error( APLOG_MARK, APLOG_ERR, s,
	202	(char *)error_message( kerror ));
4e1ae1cd	203
e21f34f0	204	goto cleanup2;
e21f34f0	205	}
4e1ae1cd	206
e21f34f0	207	if (( kerror = krb5_parse_name( kcontext, PRINCIPAL, &kprinc ))) {
	208	ap_log_error( APLOG_MARK, APLOG_ERR, s,
	209	(char *)error_message( kerror ));
7193eb01	210
e21f34f0	211	goto cleanup3;
e21f34f0	212	}
7193eb01	213
e21f34f0	214	krb5_get_init_creds_opt_init( &kopts );
	215	krb5_get_init_creds_opt_set_tkt_life( &kopts, 106060 );
	216	krb5_get_init_creds_opt_set_renew_life( &kopts, 0 );
	217	krb5_get_init_creds_opt_set_forwardable( &kopts, 1 );
	218	krb5_get_init_creds_opt_set_proxiable( &kopts, 0 );
7193eb01	219
e21f34f0	220	cfg = (waklog_host_config *) ap_get_module_config( s->module_config,
e21f34f0	221	&waklog_module );
7193eb01	222
e21f34f0	223	/* which keytab should we use? */
e21f34f0	224	strcpy( ktbuf, cfg->keytab ? cfg->keytab : KEYTAB_PATH );
7193eb01	225
e21f34f0	226	if ( strlen( ktbuf ) > MAX_KEYTAB_NAME_LEN ) {
	227	ap_log_error( APLOG_MARK, APLOG_ERR, s,
	228	"server configuration error" );
7193eb01	229
e21f34f0	230	goto cleanup4;
e21f34f0	231	}
7193eb01	232
e21f34f0	233	ap_log_error( APLOG_MARK, APLOG_NOERRNO\|APLOG_ERR, s,
e21f34f0	234	"mod_waklog: waklog_ktinit using: %s", ktbuf );
7193eb01	235
e21f34f0	236	if (( kerror = krb5_kt_resolve( kcontext, ktbuf, &keytab )) != 0 ) {
	237	ap_log_error( APLOG_MARK, APLOG_ERR, s,
	238	(char *)error_message( kerror ));
7193eb01	239
e21f34f0	240	goto cleanup4;
e21f34f0	241	}
7193eb01	242
e21f34f0	243	/* get the krbtgt */
	244	if (( kerror = krb5_get_init_creds_keytab( kcontext, &v5creds,
	245	kprinc, keytab, 0, IN_TKT_SERVICE, &kopts ))) {
7193eb01	246
e21f34f0	247	ap_log_error( APLOG_MARK, APLOG_ERR, s,
e21f34f0	248	(char *)error_message( kerror ));
7193eb01	249
e21f34f0	250	goto cleanup5;
e21f34f0	251	}
7193eb01	252
e21f34f0	253	if (( kerror = krb5_verify_init_creds( kcontext, &v5creds,
e21f34f0	254	kprinc, keytab, NULL, NULL )) != 0 ) {
7193eb01	255
e21f34f0	256	ap_log_error( APLOG_MARK, APLOG_ERR, s,
e21f34f0	257	(char *)error_message( kerror ));
7193eb01	258
e21f34f0	259	goto cleanup6;
e21f34f0	260	}
7193eb01	261
e21f34f0	262	if (( kerror = krb5_cc_initialize( kcontext, kccache, kprinc )) != 0 ) {
	263	ap_log_error( APLOG_MARK, APLOG_ERR, s,
	264	(char *)error_message( kerror ));
7193eb01	265
e21f34f0	266	goto cleanup6;
e21f34f0	267	}
7193eb01	268
e21f34f0	269	if (( kerror = krb5_cc_store_cred( kcontext, kccache, &v5creds )) != 0 ) {
	270	ap_log_error( APLOG_MARK, APLOG_ERR, s,
	271	(char *)error_message( kerror ));
7193eb01	272
e21f34f0	273	goto cleanup6;
e21f34f0	274	}
7193eb01	275
e21f34f0	276	ap_log_error( APLOG_MARK, APLOG_NOERRNO\|APLOG_ERR, s,
	277	"mod_waklog: waklog_ktinit success" );
	278
	279	cleanup6: if ( v5creds.client == kprinc ) {
	280	v5creds.client = 0;
	281	}
	282	krb5_free_cred_contents( kcontext, &v5creds );
	283	cleanup5: (void)krb5_kt_close( kcontext, keytab );
	284	cleanup4: krb5_free_principal( kcontext, kprinc );
	285	cleanup3: krb5_cc_close( kcontext, kccache );
	286	cleanup2: krb5_free_context( kcontext );
	287	cleanup1:
	288
	289	ap_log_error( APLOG_MARK, APLOG_NOERRNO\|APLOG_ERR, s,
7193eb01	290	"mod_waklog: waklog_ktinit: exiting" );
	291
	292	return( 0 );
	293	}
	294
	295
	296	static void
	297	waklog_aklog( request_rec *r )
	298	{
	299	int rc;
	300	char buf[ 1024 ];
	301	const char *k4path = NULL;
	302	const char *k5path = NULL;
	303	krb5_error_code kerror;
	304	krb5_context kcontext;
	305	krb5_creds increds;
	306	krb5_creds *v5credsp = NULL;
	307	CREDENTIALS v4creds;
	308	krb5_ccache kccache;
	309	struct ktc_principal server = { "afs", "", "umich.edu" };
	310	struct ktc_principal client;
	311	struct ktc_token token;
	312
	313	k5path = ap_table_get( r->subprocess_env, "KRB5CCNAME" );
	314	k4path = ap_table_get( r->subprocess_env, "KRBTKFILE" );
	315
	316	ap_log_error( APLOG_MARK, APLOG_NOERRNO\|APLOG_ERR, r->server,
	317	"mod_waklog: waklog_aklog called: k5path: %s, k4path: %s", k5path, k4path );
	318
	319	if ( !k5path \|\| !k4path ) {
	320	ap_log_error( APLOG_MARK, APLOG_NOERRNO\|APLOG_ERR, r->server,
	321	"mod_waklog: waklog_aklog giving up" );
4e1ae1cd	322	return;
	323	}
	324
7193eb01	325	/*
	326	** Get/build creds from file/tgs, then see if we need to SetToken
	327	*/
	328
	329	if (( kerror = krb5_init_context( &kcontext ))) {
	330	/* Authentication Required ( kerberos error ) */
4e1ae1cd	331	ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
4e1ae1cd	332	(char *)error_message( kerror ));
7193eb01	333
4e1ae1cd	334	return;
	335	}
	336
7193eb01	337	memset( (char *)&increds, 0, sizeof(increds));
4e1ae1cd	338
7193eb01	339	/* set server part */
7193eb01	340	if (( kerror = krb5_parse_name( kcontext, AFS, &increds.server ))) {
4e1ae1cd	341	ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
	342	(char *)error_message( kerror ));
	343
	344	return;
	345	}
	346
7193eb01	347	if (( kerror = krb5_cc_resolve( kcontext, k5path, &kccache )) != 0 ) {
	348	ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
	349	(char *)error_message( kerror ));
	350
	351	return;
	352	}
4e1ae1cd	353
7193eb01	354	/* set client part */
7193eb01	355	krb5_cc_get_principal( kcontext, kccache, &increds.client );
4e1ae1cd	356
7193eb01	357	increds.times.endtime = 0;
	358	/* Ask for DES since that is what V4 understands */
	359	increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
	360
	361	/* get the V5 credentials */
	362	if (( kerror = krb5_get_credentials( kcontext, 0, kccache,
	363	&increds, &v5credsp ) ) ) {
	364	ap_log_error( APLOG_MARK, APLOG_NOERRNO\|APLOG_ERR, r->server,
	365	"mod_waklog: krb5_get_credentials: %s", krb_err_txt[ kerror ] );
4e1ae1cd	366	return;
	367	}
	368
7193eb01	369	/* get the V4 credentials */
	370	if (( kerror = krb524_convert_creds_kdc( kcontext, v5credsp, &v4creds ) ) ) {
	371	ap_log_error( APLOG_MARK, APLOG_NOERRNO\|APLOG_ERR, r->server,
	372	"mod_waklog: krb524_convert_creds_kdc: %s", krb_err_txt[ kerror ] );
4e1ae1cd	373	return;
	374	}
	375
7193eb01	376	/* assemble the token */
	377	token.kvno = v4creds.kvno;
	378	token.startTime = v4creds.issue_date;
	379	token.endTime = v5credsp->times.endtime;
	380	memmove( &token.sessionKey, v4creds.session, 8 );
	381	token.ticketLen = v4creds.ticket_st.length ;
	382	memmove( token.ticket, v4creds.ticket_st.dat, token.ticketLen );
	383
	384	/* make sure we have to do this */
	385	if ( child->token.kvno != token.kvno \|\|
	386	child->token.ticketLen != token.ticketLen \|\|
	387	memcmp( &child->token.sessionKey, &token.sessionKey,
	388	sizeof( token.sessionKey ) ) \|\|
	389	memcmp( child->token.ticket, token.ticket, token.ticketLen ) ) {
	390
	391	ap_log_error( APLOG_MARK, APLOG_NOERRNO\|APLOG_ERR, r->server,
	392	"mod_waklog: %s.%s@%s", v4creds.service, v4creds.instance,
	393	v4creds.realm );
	394	ap_log_error( APLOG_MARK, APLOG_NOERRNO\|APLOG_ERR, r->server,
	395	"mod_waklog: %d %d %d", v4creds.lifetime, v4creds.kvno,
	396	v4creds.issue_date );
	397	ap_log_error( APLOG_MARK, APLOG_NOERRNO\|APLOG_ERR, r->server,
	398	"mod_waklog: %s %s", v4creds.pname, v4creds.pinst );
	399	ap_log_error( APLOG_MARK, APLOG_NOERRNO\|APLOG_ERR, r->server,
	400	"mod_waklog: %d", v4creds.ticket_st.length );
	401
	402	/* build the name */
	403	strcpy( buf, v4creds.pname );
	404	if ( v4creds.pinst[ 0 ] ) {
	405	strcat( buf, "." );
	406	strcat( buf, v4creds.pinst );
	407	}
	408
	409	/* assemble the client */
	410	strncpy( client.name, buf, MAXKTCNAMELEN - 1 );
	411	strcpy( client.instance, "" );
	412	strncpy( client.cell, v4creds.realm, MAXKTCNAMELEN - 1 );
	413
	414	ap_log_error( APLOG_MARK, APLOG_NOERRNO\|APLOG_ERR, r->server,
	415	"mod_waklog: server: name=%s, instance=%s, cell=%s",
	416	server.name, server.instance, server.cell );
	417
	418	ap_log_error( APLOG_MARK, APLOG_NOERRNO\|APLOG_ERR, r->server,
	419	"mod_waklog: client: name=%s, instance=%s, cell=%s",
	420	client.name, client.instance, client.cell );
	421
	422	/* use the path */
	423	krb_set_tkt_string( (char *)k4path );
	424
	425	/* rumor: we have to do this for AIX 4.1.4 with AFS 3.4+ */
	426	write( 2, "", 0 );
	427
	428	if ( ( rc = ktc_SetToken( &server, &token, &client, 0 ) ) ) {
	429	ap_log_error( APLOG_MARK, APLOG_NOERRNO\|APLOG_ERR, r->server,
	430	"mod_waklog: settoken returned %d", rc );
	431	}
	432
	433	/* save this */
	434	memmove( &child->token, &token, sizeof( struct ktc_token ) );
	435
	436	/* we'll need to unlog when this connection is done. */
	437	ap_register_cleanup( r->pool, (void *)r, pioctl_cleanup, ap_null_cleanup );
	438	}
	439
440	krb5_free_cred_contents( kcontext, v5credsp );
441	krb5_free_principal( kcontext, increds.client );
4e1ae1cd	442	krb5_cc_close( kcontext, kccache );
4e1ae1cd	443	krb5_free_context( kcontext );
3ed1e28a	444
7193eb01	445	ap_log_error( APLOG_MARK, APLOG_NOERRNO\|APLOG_ERR, r->server,
	446	"mod_waklog: finished with waklog_aklog" );
	447
4e1ae1cd	448	}
4e1ae1cd	449
e21f34f0	450	static int
	451	waklog_child_routine( void s, child_info pinfo )
	452	{
e21f34f0	453	if ( !getuid() ) {
132ef613	454	ap_log_error( APLOG_MARK, APLOG_ERR\|APLOG_NOERRNO, s,
e21f34f0	455	"mod_waklog: waklog_child_routine called as root" );
	456
	457	/* this was causing the credential file to get owned by root */
	458	setgid(ap_group_id);
	459	setuid(ap_user_id);
	460	}
	461
	462	while( 1 ) {
	463	waklog_ktinit( s );
132ef613	464	sleep( 300 /* 106060 - 560 / );
e21f34f0	465	}
	466
	467	}
	468
	469
	470	static void
	471	waklog_init( server_rec s, pool p )
	472	{
	473	extern char *version;
	474	int pid;
	475
	476	ap_log_error( APLOG_MARK, APLOG_INFO\|APLOG_NOERRNO, s,
	477	"mod_waklog: version %s initialized.", version );
	478
	479	pid = ap_bspawn_child( p, waklog_child_routine, s, kill_always,
	480	NULL, NULL, NULL );
	481
132ef613	482	ap_log_error( APLOG_MARK, APLOG_ERR\|APLOG_NOERRNO, s,
e21f34f0	483	"mod_waklog: ap_bspawn_child: %d.", pid );
	484	}
	485
4e1ae1cd	486
bed98ff9	487	static int
7193eb01	488	waklog_phase0( request_rec *r )
bed98ff9	489	{
313dde40	490	waklog_host_config *cfg;
313dde40	491
7193eb01	492	ap_log_error( APLOG_MARK, APLOG_NOERRNO\|APLOG_ERR, r->server,
	493	"mod_waklog: phase0 called" );
	494
313dde40	495	/* directory config? */
	496	cfg = (waklog_host_config *)ap_get_module_config(
	497	r->per_dir_config, &waklog_module);
bed98ff9	498
313dde40	499	/* server config? */
313dde40	500	if ( !cfg->configured ) {
7193eb01	501	cfg = (waklog_host_config *)ap_get_module_config(
7193eb01	502	r->server->module_config, &waklog_module);
313dde40	503	}
313dde40	504
7193eb01	505	if ( !cfg->protect ) {
4e1ae1cd	506	ap_log_error( APLOG_MARK, APLOG_NOERRNO\|APLOG_ERR, r->server,
7193eb01	507	"mod_waklog: phase0 declining" );
	508	return( DECLINED );
	509	}
4e1ae1cd	510
7193eb01	511	/* do this only if we are still unauthenticated */
7193eb01	512	if ( !child->token.ticketLen ) {
4e1ae1cd	513
e21f34f0	514	/* set our environment variables */
	515	ap_table_set( r->subprocess_env, "KRB5CCNAME", K5PATH );
	516	ap_table_set( r->subprocess_env, "KRBTKFILE", K4PATH );
3ed1e28a	517
7193eb01	518	/* stuff the credentials into the kernel */
7193eb01	519	waklog_aklog( r );
4e1ae1cd	520	}
7193eb01	521
	522	ap_log_error( APLOG_MARK, APLOG_NOERRNO\|APLOG_ERR, r->server,
	523	"mod_waklog: phase0 returning" );
	524	return DECLINED;
	525	}
4e1ae1cd	526
1e18ef7d	527
7193eb01	528	static int
	529	waklog_phase7( request_rec *r )
	530	{
	531	waklog_host_config *cfg;
1e18ef7d	532
7193eb01	533	ap_log_error( APLOG_MARK, APLOG_NOERRNO\|APLOG_ERR, r->server,
7193eb01	534	"mod_waklog: phase7 called" );
1e18ef7d	535
7193eb01	536	/* directory config? */
	537	cfg = (waklog_host_config *)ap_get_module_config(
	538	r->per_dir_config, &waklog_module);
1e18ef7d	539
7193eb01	540	/* server config? */
	541	if ( !cfg->configured ) {
	542	cfg = (waklog_host_config *)ap_get_module_config(
	543	r->server->module_config, &waklog_module);
bed98ff9	544	}
bed98ff9	545
7193eb01	546	if ( !cfg->protect ) {
7193eb01	547	return( DECLINED );
bed98ff9	548	}
bed98ff9	549
7193eb01	550	/* stuff the credentials into the kernel */
7193eb01	551	waklog_aklog( r );
bed98ff9	552
7193eb01	553	ap_log_error( APLOG_MARK, APLOG_NOERRNO\|APLOG_ERR, r->server,
7193eb01	554	"mod_waklog: phase7 returning" );
bed98ff9	555
7193eb01	556	return DECLINED;
bed98ff9	557	}
bed98ff9	558
7193eb01	559	static void
	560	waklog_new_connection( conn_rec *c ) {
	561	ap_log_error( APLOG_MARK, APLOG_NOERRNO\|APLOG_ERR, c->server,
	562	"mod_waklog: new_connection called: conn_rec: 0x%08x pid: %d", c, getpid() );
	563	return;
	564	}
bed98ff9	565
313dde40	566	module MODULE_VAR_EXPORT waklog_module = {
bed98ff9	567	STANDARD_MODULE_STUFF,
313dde40	568	waklog_init, /* module initializer */
313dde40	569	waklog_create_dir_config, /* create per-dir config structures */
bed98ff9	570	NULL, /* merge per-dir config structures */
313dde40	571	waklog_create_server_config, /* create per-server config structures */
bed98ff9	572	NULL, /* merge per-server config structures */
313dde40	573	waklog_cmds, /* table of config file commands */
bed98ff9	574	NULL, /* [#8] MIME-typed-dispatched handlers */
	575	NULL, /* [#1] URI to filename translation */
	576	NULL, /* [#4] validate user id from request */
	577	NULL, /* [#5] check if the user is ok _here_ */
	578	NULL, /* [#3] check access by host address */
	579	NULL, /* [#6] determine MIME type */
7193eb01	580	waklog_phase7, /* [#7] pre-run fixups */
bed98ff9	581	NULL, /* [#9] log a transaction */
313dde40	582	NULL, /* [#2] header parser */
313dde40	583	waklog_child_init, /* child_init */
bed98ff9	584	NULL, /* child_exit */
7193eb01	585	waklog_phase0 /* [#0] post read-request */
bed98ff9	586	#ifdef EAPI
	587	,NULL, /* EAPI: add_module */
	588	NULL, /* EAPI: remove_module */
	589	NULL, /* EAPI: rewrite_command */
7193eb01	590	waklog_new_connection /* EAPI: new_connection */
bed98ff9	591	#endif
bed98ff9	592	};