2 #include "http_config.h"
3 #include "http_conf_globals.h"
5 #include "http_protocol.h"
6 #include "http_request.h"
12 #include <sys/ioccom.h>
15 #include <afs/venus.h>
19 #define KEYTAB "/home/drh/keytab.umweb.drhtest"
20 #define KEYTAB_PRINCIPAL "umweb/drhtest"
22 #define TKT_LIFE 10*60*60
23 #define SLEEP_TIME 5*60 /* should be TKT_LIFE */
25 #define AFS_CELL "umich.edu" /* NB: lower case */
27 #define K5PATH "FILE:/tmp/waklog.creds.k5"
28 #define K4PATH "/tmp/waklog.creds.k4"
34 char HandShakeKey
[ 8 ];
44 char *keytab_principal
;
49 struct ktc_token token
;
50 } waklog_child_config
;
51 waklog_child_config child
;
55 waklog_create_dir_config( pool
*p
, char *path
)
57 waklog_host_config
*cfg
;
59 cfg
= (waklog_host_config
*)ap_pcalloc( p
, sizeof( waklog_host_config
));
63 cfg
->keytab_principal
= KEYTAB_PRINCIPAL
;
64 cfg
->afs_cell
= AFS_CELL
;
71 waklog_create_server_config( pool
*p
, server_rec
*s
)
73 waklog_host_config
*cfg
;
75 cfg
= (waklog_host_config
*)ap_pcalloc( p
, sizeof( waklog_host_config
));
79 cfg
->keytab_principal
= KEYTAB_PRINCIPAL
;
80 cfg
->afs_cell
= AFS_CELL
;
83 ap_set_module_config( s
->module_config
, &waklog_module
, cfg
);
91 set_waklog_protect( cmd_parms
*params
, void *mconfig
, int flag
)
93 waklog_host_config
*cfg
;
95 if ( params
->path
== NULL
) {
96 cfg
= (waklog_host_config
*) ap_get_module_config(
97 params
->server
->module_config
, &waklog_module
);
99 cfg
= (waklog_host_config
*)mconfig
;
109 set_waklog_use_keytab( cmd_parms
*params
, void *mconfig
, char *file
)
111 waklog_host_config
*cfg
;
113 if ( params
->path
== NULL
) {
114 cfg
= (waklog_host_config
*) ap_get_module_config(
115 params
->server
->module_config
, &waklog_module
);
117 cfg
= (waklog_host_config
*)mconfig
;
120 ap_log_error( APLOG_MARK
, APLOG_INFO
|APLOG_NOERRNO
, params
->server
,
121 "mod_waklog: using keytab: %s", file
);
130 set_waklog_use_keytab_principal( cmd_parms
*params
, void *mconfig
, char *file
)
132 waklog_host_config
*cfg
;
134 if ( params
->path
== NULL
) {
135 cfg
= (waklog_host_config
*) ap_get_module_config(
136 params
->server
->module_config
, &waklog_module
);
138 cfg
= (waklog_host_config
*)mconfig
;
141 ap_log_error( APLOG_MARK
, APLOG_INFO
|APLOG_NOERRNO
, params
->server
,
142 "mod_waklog: using keytab_principal: %s", file
);
144 cfg
->keytab_principal
= file
;
151 set_waklog_use_afs_cell( cmd_parms
*params
, void *mconfig
, char *file
)
153 waklog_host_config
*cfg
;
155 if ( params
->path
== NULL
) {
156 cfg
= (waklog_host_config
*) ap_get_module_config(
157 params
->server
->module_config
, &waklog_module
);
159 cfg
= (waklog_host_config
*)mconfig
;
162 ap_log_error( APLOG_MARK
, APLOG_INFO
|APLOG_NOERRNO
, params
->server
,
163 "mod_waklog: using afs_cell: %s", file
);
165 cfg
->afs_cell
= file
;
172 waklog_child_init( server_rec
*s
, pool
*p
)
175 memset( &child
.token
, 0, sizeof( struct ktc_token
) );
183 command_rec waklog_cmds
[ ] =
185 { "WaklogProtected", set_waklog_protect
,
186 NULL
, RSRC_CONF
| ACCESS_CONF
, FLAG
,
187 "enable waklog on a location or directory basis" },
189 { "WaklogUseKeytabPath", set_waklog_use_keytab
,
190 NULL
, RSRC_CONF
, TAKE1
,
191 "Use the supplied keytab rather than the default" },
193 { "WaklogUseKeytabPrincipal", set_waklog_use_keytab_principal
,
194 NULL
, RSRC_CONF
, TAKE1
,
195 "Use the supplied keytab principal rather than the default" },
197 { "WaklogUseAFSCell", set_waklog_use_afs_cell
,
198 NULL
, RSRC_CONF
, TAKE1
,
199 "Use the supplied AFS cell rather than the default" },
206 token_cleanup( void *data
)
208 request_rec
*r
= (request_rec
*)data
;
210 if ( child
.token
.ticketLen
) {
211 memset( &child
.token
, 0, sizeof( struct ktc_token
) );
213 ktc_ForgetAllTokens();
215 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
216 "mod_waklog: ktc_ForgetAllTokens succeeded: pid: %d", getpid() );
223 waklog_kinit( server_rec
*s
)
225 krb5_error_code kerror
;
226 krb5_context kcontext
= NULL
;
227 krb5_principal kprinc
= NULL
;
228 krb5_get_init_creds_opt kopts
;
230 krb5_ccache kccache
= NULL
;
231 krb5_keytab keytab
= NULL
;
232 char ktbuf
[ MAX_KEYTAB_NAME_LEN
+ 1 ];
233 waklog_host_config
*cfg
;
235 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, s
,
236 "mod_waklog: waklog_kinit called" );
238 cfg
= (waklog_host_config
*) ap_get_module_config( s
->module_config
,
241 if (( kerror
= krb5_init_context( &kcontext
))) {
242 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
243 (char *)error_message( kerror
));
249 if (( kerror
= krb5_cc_resolve( kcontext
, K5PATH
, &kccache
)) != 0 ) {
250 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
251 (char *)error_message( kerror
));
256 if (( kerror
= krb5_parse_name( kcontext
, cfg
->keytab_principal
, &kprinc
))) {
257 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
258 (char *)error_message( kerror
));
263 krb5_get_init_creds_opt_init( &kopts
);
264 krb5_get_init_creds_opt_set_tkt_life( &kopts
, TKT_LIFE
);
265 krb5_get_init_creds_opt_set_renew_life( &kopts
, 0 );
266 krb5_get_init_creds_opt_set_forwardable( &kopts
, 1 );
267 krb5_get_init_creds_opt_set_proxiable( &kopts
, 0 );
269 /* keytab from config */
270 strncpy( ktbuf
, cfg
->keytab
, sizeof( ktbuf
) - 1 );
272 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, s
,
273 "mod_waklog: waklog_kinit using: %s", ktbuf
);
275 if (( kerror
= krb5_kt_resolve( kcontext
, ktbuf
, &keytab
)) != 0 ) {
276 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
277 (char *)error_message( kerror
));
283 if (( kerror
= krb5_get_init_creds_keytab( kcontext
, &v5creds
,
284 kprinc
, keytab
, 0, NULL
, &kopts
))) {
286 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
287 (char *)error_message( kerror
));
292 if (( kerror
= krb5_verify_init_creds( kcontext
, &v5creds
,
293 kprinc
, keytab
, NULL
, NULL
)) != 0 ) {
295 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
296 (char *)error_message( kerror
));
301 if (( kerror
= krb5_cc_initialize( kcontext
, kccache
, kprinc
)) != 0 ) {
302 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
303 (char *)error_message( kerror
));
308 kerror
= krb5_cc_store_cred( kcontext
, kccache
, &v5creds
);
309 krb5_free_cred_contents( kcontext
, &v5creds
);
311 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
312 (char *)error_message( kerror
));
317 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, s
,
318 "mod_waklog: waklog_kinit success" );
322 (void)krb5_kt_close( kcontext
, keytab
);
324 krb5_free_principal( kcontext
, kprinc
);
326 krb5_cc_close( kcontext
, kccache
);
328 krb5_free_context( kcontext
);
330 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, s
,
331 "mod_waklog: waklog_kinit: exiting" );
338 waklog_aklog( request_rec
*r
)
342 const char *k4path
= NULL
;
343 const char *k5path
= NULL
;
344 krb5_error_code kerror
;
345 krb5_context kcontext
= NULL
;
347 krb5_creds
*v5credsp
= NULL
;
348 krb5_ccache kccache
= NULL
;
349 struct ktc_principal server
= { "afs", "", "" };
350 struct ktc_principal client
;
351 struct ktc_token token
;
352 waklog_host_config
*cfg
;
355 k5path
= ap_table_get( r
->subprocess_env
, "KRB5CCNAME" );
356 k4path
= ap_table_get( r
->subprocess_env
, "KRBTKFILE" );
358 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
359 "mod_waklog: waklog_aklog called: k5path: %s, k4path: %s", k5path
, k4path
);
361 if ( !k5path
|| !k4path
) {
362 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
363 "mod_waklog: waklog_aklog giving up" );
368 ** Get/build creds from file/tgs, then see if we need to SetToken
371 if (( kerror
= krb5_init_context( &kcontext
))) {
372 /* Authentication Required ( kerberos error ) */
373 ap_log_error( APLOG_MARK
, APLOG_ERR
, r
->server
,
374 (char *)error_message( kerror
));
379 memset( (char *)&increds
, 0, sizeof(increds
));
381 cfg
= (waklog_host_config
*) ap_get_module_config(
382 r
->server
->module_config
, &waklog_module
);
384 /* afs/<cell> or afs */
385 strncpy( buf
, "afs", sizeof( buf
) - 1 );
386 if ( strcmp( cfg
->afs_cell
, AFS_CELL
) ) {
387 strncat( buf
, "/" , sizeof( buf
) - strlen( buf
) - 1 );
388 strncat( buf
, cfg
->afs_cell
, sizeof( buf
) - strlen( buf
) - 1 );
391 /* set server part */
392 if (( kerror
= krb5_parse_name( kcontext
, buf
, &increds
.server
))) {
393 ap_log_error( APLOG_MARK
, APLOG_ERR
, r
->server
,
394 (char *)error_message( kerror
));
399 if (( kerror
= krb5_cc_resolve( kcontext
, k5path
, &kccache
)) != 0 ) {
400 ap_log_error( APLOG_MARK
, APLOG_ERR
, r
->server
,
401 (char *)error_message( kerror
));
406 /* set client part */
407 krb5_cc_get_principal( kcontext
, kccache
, &increds
.client
);
409 increds
.times
.endtime
= 0;
410 /* Ask for DES since that is what V4 understands */
411 increds
.keyblock
.enctype
= ENCTYPE_DES_CBC_CRC
;
413 /* get the V5 credentials */
414 if (( kerror
= krb5_get_credentials( kcontext
, 0, kccache
,
415 &increds
, &v5credsp
) ) ) {
416 ap_log_error( APLOG_MARK
, APLOG_ERR
, r
->server
,
417 "mod_waklog: krb5_get_credentials: %s", error_message( kerror
));
422 if ( v5credsp
->ticket
.length
>= 344 ) { /* from krb524d.c */
423 ap_log_error( APLOG_MARK
, APLOG_ERR
, r
->server
,
424 "mod_waklog: ticket size (%d) to big to fake", v5credsp
->ticket
.length
);
428 /* assemble the token */
429 memset( &token
, 0, sizeof( struct ktc_token
) );
431 token
.startTime
= v5credsp
->times
.starttime
? v5credsp
->times
.starttime
: v5credsp
->times
.authtime
;
432 token
.endTime
= v5credsp
->times
.endtime
;
433 memmove( &token
.sessionKey
, v5credsp
->keyblock
.contents
, v5credsp
->keyblock
.length
);
434 token
.kvno
= RXKAD_TKT_TYPE_KERBEROS_V5
;
435 token
.ticketLen
= v5credsp
->ticket
.length
;
436 memmove( token
.ticket
, v5credsp
->ticket
.data
, token
.ticketLen
);
438 /* make sure we have to do this */
439 if ( child
.token
.kvno
!= token
.kvno
||
440 child
.token
.ticketLen
!= token
.ticketLen
||
441 (memcmp( &child
.token
.sessionKey
, &token
.sessionKey
,
442 sizeof( token
.sessionKey
) )) ||
443 (memcmp( child
.token
.ticket
, token
.ticket
, token
.ticketLen
)) ) {
445 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
446 "mod_waklog: client: %s", buf
);
449 memmove( buf
, v5credsp
->client
->data
[0].data
, v5credsp
->client
->data
[0].length
);
450 buf
[ v5credsp
->client
->data
[0].length
] = '\0';
451 if ( v5credsp
->client
->length
> 1 ) {
452 strncat( buf
, ".", sizeof( buf
) - strlen( buf
) - 1 );
453 buflen
= strlen( buf
);
454 memmove( buf
+ buflen
, v5credsp
->client
->data
[1].data
, v5credsp
->client
->data
[1].length
);
455 buf
[ buflen
+ v5credsp
->client
->data
[1].length
] = '\0';
458 /* assemble the client */
459 strncpy( client
.name
, buf
, sizeof( client
.name
) - 1 );
460 strncpy( client
.instance
, "", sizeof( client
.instance
) - 1 );
461 memmove( buf
, v5credsp
->client
->realm
.data
, v5credsp
->client
->realm
.length
);
462 buf
[ v5credsp
->client
->realm
.length
] = '\0';
463 strncpy( client
.cell
, buf
, sizeof( client
.cell
) - 1 );
465 /* assemble the server's cell */
466 strncpy( server
.cell
, cfg
->afs_cell
, sizeof( server
.cell
) - 1 );
468 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
469 "mod_waklog: server: name=%s, instance=%s, cell=%s",
470 server
.name
, server
.instance
, server
.cell
);
472 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
473 "mod_waklog: client: name=%s, instance=%s, cell=%s",
474 client
.name
, client
.instance
, client
.cell
);
477 krb_set_tkt_string( (char *)k4path
);
479 /* rumor: we have to do this for AIX 4.1.4 with AFS 3.4+ */
482 if ( ( rc
= ktc_SetToken( &server
, &token
, &client
, 0 ) ) ) {
483 ap_log_error( APLOG_MARK
, APLOG_ERR
, r
->server
,
484 "mod_waklog: settoken returned %d", rc
);
489 memmove( &child
.token
, &token
, sizeof( struct ktc_token
) );
491 /* we'll need to unlog when this connection is done. */
492 ap_register_cleanup( r
->pool
, (void *)r
, token_cleanup
, ap_null_cleanup
);
497 krb5_free_cred_contents( kcontext
, v5credsp
);
498 if ( increds
.client
)
499 krb5_free_principal( kcontext
, increds
.client
);
500 if ( increds
.server
)
501 krb5_free_principal( kcontext
, increds
.server
);
503 krb5_cc_close( kcontext
, kccache
);
505 krb5_free_context( kcontext
);
507 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
508 "mod_waklog: finished with waklog_aklog" );
515 waklog_child_routine( void *s
, child_info
*pinfo
)
518 ap_log_error( APLOG_MARK
, APLOG_ERR
|APLOG_NOERRNO
, s
,
519 "mod_waklog: waklog_child_routine called as root" );
521 /* this was causing the credential file to get owned by root */
535 waklog_init( server_rec
*s
, pool
*p
)
537 extern char *version
;
540 ap_log_error( APLOG_MARK
, APLOG_INFO
|APLOG_NOERRNO
, s
,
541 "mod_waklog: version %s initialized.", version
);
543 pid
= ap_bspawn_child( p
, waklog_child_routine
, s
, kill_always
,
546 ap_log_error( APLOG_MARK
, APLOG_ERR
|APLOG_NOERRNO
, s
,
547 "mod_waklog: ap_bspawn_child: %d.", pid
);
552 waklog_phase0( request_rec
*r
)
554 waklog_host_config
*cfg
;
556 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
557 "mod_waklog: phase0 called" );
559 /* directory config? */
560 cfg
= (waklog_host_config
*)ap_get_module_config(
561 r
->per_dir_config
, &waklog_module
);
564 if ( !cfg
->configured
) {
565 cfg
= (waklog_host_config
*)ap_get_module_config(
566 r
->server
->module_config
, &waklog_module
);
569 if ( !cfg
->protect
) {
570 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
571 "mod_waklog: phase0 declining" );
575 /* do this only if we are still unauthenticated */
576 if ( !child
.token
.ticketLen
) {
578 /* set our environment variables */
579 ap_table_set( r
->subprocess_env
, "KRB5CCNAME", K5PATH
);
580 ap_table_set( r
->subprocess_env
, "KRBTKFILE", K4PATH
);
582 /* stuff the credentials into the kernel */
586 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
587 "mod_waklog: phase0 returning" );
593 waklog_phase7( request_rec
*r
)
595 waklog_host_config
*cfg
;
597 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
598 "mod_waklog: phase7 called" );
600 /* directory config? */
601 cfg
= (waklog_host_config
*)ap_get_module_config(
602 r
->per_dir_config
, &waklog_module
);
605 if ( !cfg
->configured
) {
606 cfg
= (waklog_host_config
*)ap_get_module_config(
607 r
->server
->module_config
, &waklog_module
);
610 if ( !cfg
->protect
) {
614 /* stuff the credentials into the kernel */
617 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
618 "mod_waklog: phase7 returning" );
624 waklog_new_connection( conn_rec
*c
) {
625 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, c
->server
,
626 "mod_waklog: new_connection called: pid: %d", getpid() );
630 module MODULE_VAR_EXPORT waklog_module
= {
631 STANDARD_MODULE_STUFF
,
632 waklog_init
, /* module initializer */
633 waklog_create_dir_config
, /* create per-dir config structures */
634 NULL
, /* merge per-dir config structures */
635 waklog_create_server_config
, /* create per-server config structures */
636 NULL
, /* merge per-server config structures */
637 waklog_cmds
, /* table of config file commands */
638 NULL
, /* [#8] MIME-typed-dispatched handlers */
639 NULL
, /* [#1] URI to filename translation */
640 NULL
, /* [#4] validate user id from request */
641 NULL
, /* [#5] check if the user is ok _here_ */
642 NULL
, /* [#3] check access by host address */
643 NULL
, /* [#6] determine MIME type */
644 waklog_phase7
, /* [#7] pre-run fixups */
645 NULL
, /* [#9] log a transaction */
646 NULL
, /* [#2] header parser */
647 waklog_child_init
, /* child_init */
648 NULL
, /* child_exit */
649 waklog_phase0
/* [#0] post read-request */
651 ,NULL
, /* EAPI: add_module */
652 NULL
, /* EAPI: remove_module */
653 NULL
, /* EAPI: rewrite_command */
654 waklog_new_connection
/* EAPI: new_connection */