2 #include "http_config.h"
3 #include "http_conf_globals.h"
5 #include "http_protocol.h"
6 #include "http_request.h"
12 #include <sys/ioccom.h>
15 #include <kerberosIV/krb.h>
16 #include <kerberosIV/des.h>
17 #include <afs/venus.h>
21 #include <asm/bitops.h>
/* Compiled-in defaults. KEYTAB_PATH is only the fallback used by
 * waklog_kinit when no WaklogUseKeytab value is configured; PRINCIPAL
 * is the client principal whose TGT is fetched from that keytab.
 * NOTE(review): the default keytab lives in a personal home directory
 * and both credential caches below sit under /tmp with fixed,
 * predictable names — confirm the deployment overrides the keytab and
 * that the cache files cannot be pre-created or read by other local
 * users. */
24 #define KEYTAB_PATH "/home/drh/keytab.umweb.drhtest"
25 #define PRINCIPAL "umweb/drhtest"
/* K5PATH is a krb5 ccache name (note the FILE: prefix); K4PATH is a
 * bare path later handed to krb_set_tkt_string(). waklog_phase0 exports
 * both to CGI children through subprocess_env, and waklog_aklog reads
 * them back from there. */
27 #define K5PATH "FILE:/tmp/waklog.creds.k5"
28 #define K4PATH "/tmp/waklog.creds.k4"
34 char HandShakeKey
[ 8 ];
44 char *keytab_principal
;
49 struct ktc_token token
;
50 } waklog_child_config
;
/* Per-process state: the AFS token most recently pushed into the
 * kernel. Allocated once in waklog_child_init, compared against and
 * refreshed in waklog_aklog, zeroed again by token_cleanup at the end
 * of each request that installed a token. */
51 waklog_child_config
*child
= NULL
;
/* Apache per-directory config constructor.
 * p: pool the config is allocated from; path: the directory/location
 * being configured (unused in the visible lines).
 * Returns a zero-filled waklog_host_config (ap_pcalloc) whose
 * afs_cell defaults to "umich.edu"; any field not assigned here keeps
 * its zero value until a directive handler sets it. */
55 waklog_create_dir_config( pool
*p
, char *path
)
57 waklog_host_config
*cfg
;
59 cfg
= (waklog_host_config
*)ap_pcalloc( p
, sizeof( waklog_host_config
));
/* Redundant after ap_pcalloc, but makes the intent explicit. */
63 cfg
->keytab_principal
= 0;
64 cfg
->afs_cell
= "umich.edu";
/* Apache per-server config constructor; identical in effect to
 * waklog_create_dir_config (zeroed struct, afs_cell = "umich.edu").
 * p: pool the config is allocated from; s: the server being configured
 * (unused in the visible lines). */
71 waklog_create_server_config( pool
*p
, server_rec
*s
)
73 waklog_host_config
*cfg
;
75 cfg
= (waklog_host_config
*)ap_pcalloc( p
, sizeof( waklog_host_config
));
/* Redundant after ap_pcalloc, but makes the intent explicit. */
79 cfg
->keytab_principal
= 0;
80 cfg
->afs_cell
= "umich.edu";
/* Handler for the WaklogProtected directive (FLAG, see waklog_cmds).
 * params: directive context; mconfig: the per-directory config when
 * the directive appears inside a <Directory>/<Location>; flag: on/off.
 * Chooses the server-wide config when there is no directory path
 * (params->path == NULL) and the per-directory one otherwise. The
 * store of `flag` into the chosen config is not among the visible
 * lines — presumably cfg->protect, which waklog_phase0/phase7 test. */
87 set_waklog_protect( cmd_parms
*params
, void *mconfig
, int flag
)
89 waklog_host_config
*cfg
;
91 if ( params
->path
== NULL
) {
92 cfg
= (waklog_host_config
*) ap_get_module_config(
93 params
->server
->module_config
, &waklog_module
);
95 cfg
= (waklog_host_config
*)mconfig
;
/* Handler for the WaklogUseKeytab directive (TAKE1, see waklog_cmds).
 * params: directive context; mconfig: per-directory config when inside
 * a container; file: the keytab path given in the config file.
 * Config selection mirrors set_waklog_protect. The visible lines only
 * log the path; waklog_kinit later reads cfg->keytab, so presumably
 * the assignment sits between these fragments. The keytab path is not
 * secret, but the file it names holds long-term keys — it should be
 * readable only by the user waklog_kinit runs as. */
105 set_waklog_use_keytab( cmd_parms
*params
, void *mconfig
, char *file
)
107 waklog_host_config
*cfg
;
109 if ( params
->path
== NULL
) {
110 cfg
= (waklog_host_config
*) ap_get_module_config(
111 params
->server
->module_config
, &waklog_module
);
113 cfg
= (waklog_host_config
*)mconfig
;
116 ap_log_error( APLOG_MARK
, APLOG_INFO
|APLOG_NOERRNO
, params
->server
,
117 "mod_waklog: using keytab: %s", file
);
/* child_init hook: allocates the process-global `child` record once
 * per httpd child and clears its cached token so the first request in
 * this process always goes through waklog_aklog.
 * s: server (unused here); p: the child's pool.
 * NOTE(review): ap_palloc does not zero memory and only the token
 * member is memset below; any other member of waklog_child_config is
 * left uninitialised unless set elsewhere. */
126 waklog_child_init( server_rec
*s
, pool
*p
)
129 if ( child
== NULL
) {
130 child
= (waklog_child_config
*) ap_palloc( p
, sizeof( waklog_child_config
) );
133 memset( &child
->token
, 0, sizeof( struct ktc_token
) );
/* Directive table. WaklogProtected is allowed at server level and in
 * directory/location containers (RSRC_CONF | ACCESS_CONF); the keytab
 * directive is server level only (RSRC_CONF). Each entry: name,
 * handler, handler data, allowed context, argument style, help text. */
141 command_rec waklog_cmds
[ ] =
143 { "WaklogProtected", set_waklog_protect
,
144 NULL
, RSRC_CONF
| ACCESS_CONF
, FLAG
,
145 "enable waklog on a location or directory basis" },
147 { "WaklogUseKeytab", set_waklog_use_keytab
,
148 NULL
, RSRC_CONF
, TAKE1
,
149 "Use the supplied keytab file rather than the user's TGT" },
/* Pool cleanup registered by waklog_aklog on r->pool: at request end,
 * if this process installed a token, forget the cached copy and drop
 * all AFS tokens from the kernel.
 * data: the request_rec that registered the cleanup (used for its
 * server pointer when logging). Because `child` is per process but the
 * cleanup is per request, every protected request re-runs the full
 * token acquisition in waklog_aklog. */
156 token_cleanup( void *data
)
158 request_rec
*r
= (request_rec
*)data
;
160 if ( child
->token
.ticketLen
) {
161 memset( &child
->token
, 0, sizeof( struct ktc_token
) );
/* NOTE(review): the return code is discarded, yet the next line logs
 * "succeeded". ktc_ calls in this file return 0 on success (see the
 * rc test around ktc_SetToken), so this could be
 *   if ( ktc_ForgetAllTokens() ) { log the failure } else { ... } */
163 ktc_ForgetAllTokens();
/* Trace message, logged at ERR level although nothing failed. */
165 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
166 "mod_waklog: ktc_ForgetAllTokens succeeded" );
/* Fetch a fresh V5 TGT for PRINCIPAL from the configured keytab and
 * store it in the ccache named by K5PATH. Intended to run from the
 * helper process spawned in waklog_init, not from request context.
 * s: server used for logging and to locate the module config.
 * In this copy each error branch ends right after its ap_log_error;
 * the return/goto that follows is not among the visible lines, so the
 * exact unwinding on error is not documented here. */
173 waklog_kinit( server_rec
*s
)
175 krb5_error_code kerror
;
176 krb5_context kcontext
= NULL
;
177 krb5_principal kprinc
= NULL
;
178 krb5_get_init_creds_opt kopts
;
181 krb5_ccache kccache
= NULL
;
182 krb5_keytab keytab
= NULL
;
/* +1 leaves room for a terminator; see the strncpy note below. */
183 char ktbuf
[ MAX_KEYTAB_NAME_LEN
+ 1 ];
184 waklog_host_config
*cfg
;
/* Trace message, logged at ERR level (not an error). */
186 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, s
,
187 "mod_waklog: waklog_kinit called" );
189 if (( kerror
= krb5_init_context( &kcontext
))) {
/* NOTE(review): the library's error text is passed as the printf
 * format string here and in every other error branch of this
 * function, so any '%' in it is interpreted; prefer
 *   ap_log_error( APLOG_MARK, APLOG_ERR, s, "%s", error_message( kerror ));
 * Without APLOG_NOERRNO a possibly stale errno text is appended too. */
190 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
191 (char *)error_message( kerror
));
197 if (( kerror
= krb5_cc_resolve( kcontext
, K5PATH
, &kccache
)) != 0 ) {
198 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
199 (char *)error_message( kerror
));
204 if (( kerror
= krb5_parse_name( kcontext
, PRINCIPAL
, &kprinc
))) {
205 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
206 (char *)error_message( kerror
));
/* Ticket options: 10-hour lifetime, not renewable, forwardable,
 * not proxiable. */
211 krb5_get_init_creds_opt_init( &kopts
);
212 krb5_get_init_creds_opt_set_tkt_life( &kopts
, 10*60*60 );
213 krb5_get_init_creds_opt_set_renew_life( &kopts
, 0 );
214 krb5_get_init_creds_opt_set_forwardable( &kopts
, 1 );
215 krb5_get_init_creds_opt_set_proxiable( &kopts
, 0 );
217 cfg
= (waklog_host_config
*) ap_get_module_config( s
->module_config
,
220 /* which keytab should we use? */
/* Directive-supplied path, else the compiled-in KEYTAB_PATH.
 * NOTE(review): ktbuf is not zero-initialised and strncpy writes no
 * terminator when the source is sizeof( ktbuf ) - 1 bytes or longer,
 * so the log line and krb5_kt_resolve below could read past the
 * buffer; add `ktbuf[ sizeof( ktbuf ) - 1 ] = '\0';` after the copy
 * (or use snprintf). */
221 strncpy( ktbuf
, cfg
->keytab
? cfg
->keytab
: KEYTAB_PATH
, sizeof( ktbuf
) - 1 );
223 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, s
,
224 "mod_waklog: waklog_kinit using: %s", ktbuf
);
226 if (( kerror
= krb5_kt_resolve( kcontext
, ktbuf
, &keytab
)) != 0 ) {
227 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
228 (char *)error_message( kerror
));
234 if (( kerror
= krb5_get_init_creds_keytab( kcontext
, &v5creds
,
235 kprinc
, keytab
, 0, NULL
, &kopts
))) {
237 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
238 (char *)error_message( kerror
));
/* Verifies the new TGT against the keytab so a spoofed KDC response
 * is rejected — keep this step. */
243 if (( kerror
= krb5_verify_init_creds( kcontext
, &v5creds
,
244 kprinc
, keytab
, NULL
, NULL
)) != 0 ) {
246 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
247 (char *)error_message( kerror
));
252 if (( kerror
= krb5_cc_initialize( kcontext
, kccache
, kprinc
)) != 0 ) {
253 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
254 (char *)error_message( kerror
));
259 kerror
= krb5_cc_store_cred( kcontext
, kccache
, &v5creds
);
260 krb5_free_cred_contents( kcontext
, &v5creds
);
/* Presumably guarded by a test of kerror from the store above; the
 * condition is not among the visible lines. */
262 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
263 (char *)error_message( kerror
));
268 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, s
,
269 "mod_waklog: waklog_kinit success" );
/* Release everything acquired above; the ccache handle is closed,
 * the credentials themselves stay in the K5PATH file. */
273 (void)krb5_kt_close( kcontext
, keytab
);
275 krb5_free_principal( kcontext
, kprinc
);
277 krb5_cc_close( kcontext
, kccache
);
279 krb5_free_context( kcontext
);
281 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, s
,
282 "mod_waklog: waklog_kinit: exiting" );
/* Per request: take the V5 credentials from the ccache named by the
 * KRB5CCNAME subprocess_env entry, obtain an afs[/<cell>] service
 * ticket, convert it to V4 via krb524, build an AFS token from it and
 * push it into the kernel with ktc_SetToken — unless the cached
 * child->token already matches. Registers token_cleanup on r->pool so
 * the token is dropped when the request ends.
 * r: the current request.
 * The ccache and V4 ticket-file names are trusted straight from
 * subprocess_env (set to K5PATH/K4PATH by waklog_phase0); anything
 * else that can set those two entries before this hook runs chooses
 * which files are read. Several error branches end right after their
 * ap_log_error in this copy; the exit that follows is not visible. */
289 waklog_aklog( request_rec
*r
)
293 const char *k4path
= NULL
;
294 const char *k5path
= NULL
;
295 krb5_error_code kerror
;
296 krb5_context kcontext
= NULL
;
/* Allocated by krb5_get_credentials below. */
298 krb5_creds
*v5credsp
= NULL
;
300 krb5_ccache kccache
= NULL
;
/* Aggregate init zero-fills the rest of each array, so server.cell is
 * NUL-padded before the strncpy into it further down. */
301 struct ktc_principal server
= { "afs", "", "" };
/* NOTE(review): client is never zeroed; see the strncpy note at the
 * "assemble the client" step. */
302 struct ktc_principal client
;
303 struct ktc_token token
;
304 waklog_host_config
*cfg
;
306 k5path
= ap_table_get( r
->subprocess_env
, "KRB5CCNAME" );
307 k4path
= ap_table_get( r
->subprocess_env
, "KRBTKFILE" );
/* NOTE(review): both pointers may still be NULL here (the check is
 * below) and are passed to %s; either log after the check or print
 * `k5path ? k5path : "(unset)"`. */
309 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
310 "mod_waklog: waklog_aklog called: k5path: %s, k4path: %s", k5path
, k4path
);
312 if ( !k5path
|| !k4path
) {
313 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
314 "mod_waklog: waklog_aklog giving up" );
319 ** Get/build creds from file/tgs, then see if we need to SetToken
322 if (( kerror
= krb5_init_context( &kcontext
))) {
323 /* Authentication Required ( kerberos error ) */
/* NOTE(review): as in waklog_kinit, error_message() output is used as
 * the format string here and in the parse_name/cc_resolve branches
 * below; the krb5_get_credentials branch shows the safe "%s" form. */
324 ap_log_error( APLOG_MARK
, APLOG_ERR
, r
->server
,
325 (char *)error_message( kerror
));
330 krb524_init_ets(kcontext
);
332 memset( (char *)&increds
, 0, sizeof(increds
));
334 cfg
= (waklog_host_config
*) ap_get_module_config(
335 r
->server
->module_config
, &waklog_module
);
337 /* afs/<cell> or afs */
/* Service principal name: bare "afs" for the default cell, otherwise
 * "afs/<cell>". "afs" is short, so strncpy NUL-pads buf and the
 * bounded strncat calls keep it terminated. */
338 strncpy( buf
, "afs", sizeof( buf
) - 1 );
339 if ( strcmp( cfg
->afs_cell
, "umich.edu" ) ) {
340 strncat( buf
, "/" , sizeof( buf
) - strlen( buf
) - 1 );
341 strncat( buf
, cfg
->afs_cell
, sizeof( buf
) - strlen( buf
) - 1 );
344 /* set server part */
345 if (( kerror
= krb5_parse_name( kcontext
, buf
, &increds
.server
))) {
346 ap_log_error( APLOG_MARK
, APLOG_ERR
, r
->server
,
347 (char *)error_message( kerror
));
352 if (( kerror
= krb5_cc_resolve( kcontext
, k5path
, &kccache
)) != 0 ) {
353 ap_log_error( APLOG_MARK
, APLOG_ERR
, r
->server
,
354 (char *)error_message( kerror
));
359 /* set client part */
/* NOTE(review): the return code is ignored; if the ccache is empty
 * or unreadable, increds.client stays NULL (from the memset) and
 * krb5_get_credentials is called with no client principal. Wrap it
 * like the neighbouring calls: `if (( kerror = krb5_cc_get_principal(...) )) { log; bail }`. */
360 krb5_cc_get_principal( kcontext
, kccache
, &increds
.client
);
362 increds
.times
.endtime
= 0;
363 /* Ask for DES since that is what V4 understands */
/* single-DES is a weak, long-deprecated enctype; it is forced here
 * only because the krb524 conversion below needs it. */
364 increds
.keyblock
.enctype
= ENCTYPE_DES_CBC_CRC
;
366 /* get the V5 credentials */
367 if (( kerror
= krb5_get_credentials( kcontext
, 0, kccache
,
368 &increds
, &v5credsp
) ) ) {
369 ap_log_error( APLOG_MARK
, APLOG_ERR
, r
->server
,
370 "mod_waklog: krb5_get_credentials: %s", error_message( kerror
));
374 /* get the V4 credentials */
375 if (( kerror
= krb524_convert_creds_kdc( kcontext
, v5credsp
, &v4creds
) ) ) {
376 ap_log_error( APLOG_MARK
, APLOG_ERR
, r
->server
,
377 "mod_waklog: krb524_convert_creds_kdc: %s", error_message( kerror
));
381 /* assemble the token */
382 token
.kvno
= v4creds
.kvno
;
383 token
.startTime
= v4creds
.issue_date
;
384 token
.endTime
= v5credsp
->times
.endtime
;
/* 8 is the DES session-key length; sizeof( token.sessionKey ) would
 * say the same thing without the magic number. */
385 memmove( &token
.sessionKey
, v4creds
.session
, 8 );
386 token
.ticketLen
= v4creds
.ticket_st
.length
;
/* NOTE(review): ticketLen comes from the converted credential and is
 * not bounded against sizeof( token.ticket ) before this copy (nor
 * before the memcmp further down); add
 *   if ( token.ticketLen > sizeof( token.ticket ) ) { log; bail out }
 * ahead of it. */
387 memmove( token
.ticket
, v4creds
.ticket_st
.dat
, token
.ticketLen
);
389 /* make sure we have to do this */
/* Skip the kernel call when the token already installed by this
 * process is byte-for-byte the same. */
390 if ( child
->token
.kvno
!= token
.kvno
||
391 child
->token
.ticketLen
!= token
.ticketLen
||
392 memcmp( &child
->token
.sessionKey
, &token
.sessionKey
,
393 sizeof( token
.sessionKey
) ) ||
394 memcmp( child
->token
.ticket
, token
.ticket
, token
.ticketLen
) ) {
/* Debug dump of the V4 credential at ERR level; the third %s argument
 * continues on a line not shown here. The %d conversions assume the
 * numeric fields are int-sized — confirm against the krb4 headers. */
396 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
397 "mod_waklog: %s.%s@%s", v4creds
.service
, v4creds
.instance
,
399 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
400 "mod_waklog: %d %d %d", v4creds
.lifetime
, v4creds
.kvno
,
401 v4creds
.issue_date
);
402 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
403 "mod_waklog: %s %s", v4creds
.pname
, v4creds
.pinst
);
404 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
405 "mod_waklog: %d", v4creds
.ticket_st
.length
);
/* buf is reused for the client name: "pname" or "pname.pinst". */
408 strncpy( buf
, v4creds
.pname
, sizeof( buf
) - 1 );
409 if ( v4creds
.pinst
[ 0 ] ) {
410 strncat( buf
, ".", sizeof( buf
) - strlen( buf
) - 1 );
411 strncat( buf
, v4creds
.pinst
, sizeof( buf
) - strlen( buf
) - 1 );
414 /* assemble the client */
/* NOTE(review): client was declared without an initialiser, and
 * strncpy writes no terminator when the source fills the field, so a
 * long name or realm leaves client.name/client.cell unterminated for
 * the log lines and ktc_SetToken below. A `memset( &client, 0,
 * sizeof( client ) );` before these copies fixes it. (The "" copy into
 * instance is fully NUL-padded and is fine.) */
415 strncpy( client
.name
, buf
, sizeof( client
.name
) - 1 );
416 strncpy( client
.instance
, "", sizeof( client
.instance
) - 1 );
417 strncpy( client
.cell
, v4creds
.realm
, sizeof( client
.cell
) - 1 );
419 strncpy( server
.cell
, cfg
->afs_cell
, sizeof( server
.cell
) - 1 );
421 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
422 "mod_waklog: server: name=%s, instance=%s, cell=%s",
423 server
.name
, server
.instance
, server
.cell
);
425 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
426 "mod_waklog: client: name=%s, instance=%s, cell=%s",
427 client
.name
, client
.instance
, client
.cell
);
/* Points the krb4 library at the ticket file named in subprocess_env
 * (K4PATH when set by waklog_phase0). */
430 krb_set_tkt_string( (char *)k4path
);
432 /* rumor: we have to do this for AIX 4.1.4 with AFS 3.4+ */
/* ktc_SetToken returns 0 on success; rc is declared on a line not
 * shown here. */
435 if ( ( rc
= ktc_SetToken( &server
, &token
, &client
, 0 ) ) ) {
436 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
437 "mod_waklog: settoken returned %d", rc
);
/* Remember what is now in the kernel for the comparison above. */
441 memmove( &child
->token
, &token
, sizeof( struct ktc_token
) );
443 /* we'll need to unlog when this connection is done. */
/* token_cleanup casts the data pointer back to request_rec *. */
444 ap_register_cleanup( r
->pool
, (void *)r
, token_cleanup
, ap_null_cleanup
);
/* NOTE(review): v5credsp was allocated by krb5_get_credentials;
 * krb5_free_cred_contents releases its fields but not the krb5_creds
 * struct itself, so one struct leaks per protected request. Use
 * `krb5_free_creds( kcontext, v5credsp );` instead. Whether this is
 * reached with v5credsp still NULL on an early error depends on the
 * exit path, which is not visible here. */
449 krb5_free_cred_contents( kcontext
, v5credsp
);
450 if ( increds
.client
)
451 krb5_free_principal( kcontext
, increds
.client
);
452 if ( increds
.server
)
453 krb5_free_principal( kcontext
, increds
.server
);
455 krb5_cc_close( kcontext
, kccache
);
457 krb5_free_context( kcontext
);
459 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
460 "mod_waklog: finished with waklog_aklog" );
/* Body of the helper process spawned by waklog_init via
 * ap_bspawn_child. It starts as root (as the log line records) and,
 * in lines not shown here, presumably refreshes the credential cache
 * with waklog_kinit before sleeping. The comment below records that
 * running the refresh as root made the cache file root-owned, so
 * confirm the privilege drop that is meant to precede it.
 * s: the server_rec passed through ap_bspawn_child as the child's
 * argument; pinfo: Apache child bookkeeping (unused here). */
467 waklog_child_routine( void *s
, child_info
*pinfo
)
470 ap_log_error( APLOG_MARK
, APLOG_ERR
|APLOG_NOERRNO
, s
,
471 "mod_waklog: waklog_child_routine called as root" );
473 /* this was causing the credential file to get owned by root */
/* Refresh interval was shortened from the ticket-derived value kept
 * in the inline comment to 300 seconds. */
480 sleep( 300 /* 10*60*60 - 5*60 */ );
/* Module initializer: logs the version and spawns the long-lived
 * credential-refresh helper (waklog_child_routine) with kill_always so
 * it dies with the server. The remaining ap_bspawn_child arguments and
 * the declaration of `pid` are on lines not shown here.
 * s: the server being initialised; p: the pool the child is tied to.
 * NOTE(review): the spawn result is only logged; if ap_bspawn_child
 * reports failure nothing visible here reacts, and protected requests
 * would then run against a stale or missing ccache — confirm whether
 * that should be fatal. */
487 waklog_init( server_rec
*s
, pool
*p
)
489 extern char *version
;
492 ap_log_error( APLOG_MARK
, APLOG_INFO
|APLOG_NOERRNO
, s
,
493 "mod_waklog: version %s initialized.", version
);
495 pid
= ap_bspawn_child( p
, waklog_child_routine
, s
, kill_always
,
498 ap_log_error( APLOG_MARK
, APLOG_ERR
|APLOG_NOERRNO
, s
,
499 "mod_waklog: ap_bspawn_child: %d.", pid
);
/* post-read-request hook. Resolves the effective config (per-directory
 * if one was configured, else per-server), declines when the location
 * is not WaklogProtected, and otherwise — while this process has no
 * token cached — exports K5PATH/K4PATH into subprocess_env for
 * waklog_aklog and CGI children to use. The call that then "stuffs
 * the credentials into the kernel" sits after that comment on a line
 * not shown here, as do the return statements.
 * r: the current request. */
504 waklog_phase0( request_rec
*r
)
506 waklog_host_config
*cfg
;
508 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
509 "mod_waklog: phase0 called" );
511 /* directory config? */
512 cfg
= (waklog_host_config
*)ap_get_module_config(
513 r
->per_dir_config
, &waklog_module
);
/* Fall back to the server config when no directory directive applied. */
516 if ( !cfg
->configured
) {
517 cfg
= (waklog_host_config
*)ap_get_module_config(
518 r
->server
->module_config
, &waklog_module
);
521 if ( !cfg
->protect
) {
522 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
523 "mod_waklog: phase0 declining" );
527 /* do this only if we are still unauthenticated */
/* token_cleanup zeroes child->token at the end of each request, so in
 * practice this condition holds for every protected request. */
528 if ( !child
->token
.ticketLen
) {
530 /* set our environment variables */
531 ap_table_set( r
->subprocess_env
, "KRB5CCNAME", K5PATH
);
532 ap_table_set( r
->subprocess_env
, "KRBTKFILE", K4PATH
);
534 /* stuff the credentials into the kernel */
538 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
539 "mod_waklog: phase0 returning" );
/* fixups hook. Same config resolution as waklog_phase0 (per-directory
 * config if configured, else per-server), bails when the location is
 * not WaklogProtected, and otherwise re-installs the credentials — the
 * call after the "stuff the credentials" comment and the returns are
 * on lines not shown here. The config lookup is duplicated verbatim
 * from waklog_phase0 and would suit a small static helper.
 * r: the current request. */
545 waklog_phase7( request_rec
*r
)
547 waklog_host_config
*cfg
;
549 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
550 "mod_waklog: phase7 called" );
552 /* directory config? */
553 cfg
= (waklog_host_config
*)ap_get_module_config(
554 r
->per_dir_config
, &waklog_module
);
/* Fall back to the server config when no directory directive applied. */
557 if ( !cfg
->configured
) {
558 cfg
= (waklog_host_config
*)ap_get_module_config(
559 r
->server
->module_config
, &waklog_module
);
562 if ( !cfg
->protect
) {
566 /* stuff the credentials into the kernel */
569 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
570 "mod_waklog: phase7 returning" );
/* EAPI new_connection hook: only emits a trace line per connection.
 * c: the new connection.
 * NOTE(review): the conn_rec pointer is printed with "0x%08x", an int
 * conversion, and getpid() with "%d"; on LP64 the first is a
 * format/argument mismatch. Prefer
 *   "mod_waklog: new_connection called: conn_rec: %p pid: %d", (void *)c, (int)getpid()
 * and consider APLOG_DEBUG, since this fires for every connection. */
576 waklog_new_connection( conn_rec
*c
) {
577 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, c
->server
,
578 "mod_waklog: new_connection called: conn_rec: 0x%08x pid: %d", c
, getpid() );
/* Apache 1.3 module descriptor (EAPI layout). Hooks wired here:
 * waklog_init (module init, spawns the refresh child), the two config
 * constructors, waklog_cmds, waklog_phase7 (fixups), waklog_child_init,
 * waklog_phase0 (post-read-request) and waklog_new_connection. All
 * other slots are NULL. */
582 module MODULE_VAR_EXPORT waklog_module
= {
583 STANDARD_MODULE_STUFF
,
584 waklog_init
, /* module initializer */
585 waklog_create_dir_config
, /* create per-dir config structures */
586 NULL
, /* merge per-dir config structures */
587 waklog_create_server_config
, /* create per-server config structures */
588 NULL
, /* merge per-server config structures */
589 waklog_cmds
, /* table of config file commands */
590 NULL
, /* [#8] MIME-typed-dispatched handlers */
591 NULL
, /* [#1] URI to filename translation */
592 NULL
, /* [#4] validate user id from request */
593 NULL
, /* [#5] check if the user is ok _here_ */
594 NULL
, /* [#3] check access by host address */
595 NULL
, /* [#6] determine MIME type */
596 waklog_phase7
, /* [#7] pre-run fixups */
597 NULL
, /* [#9] log a transaction */
598 NULL
, /* [#2] header parser */
599 waklog_child_init
, /* child_init */
600 NULL
, /* child_exit */
601 waklog_phase0
/* [#0] post read-request */
603 ,NULL
, /* EAPI: add_module */
604 NULL
, /* EAPI: remove_module */
605 NULL
, /* EAPI: rewrite_command */
606 waklog_new_connection
/* EAPI: new_connection */