2 #include "http_config.h"
3 #include "http_conf_globals.h"
5 #include "http_protocol.h"
6 #include "http_request.h"
12 #include <sys/ioccom.h>
16 #include <kerberosIV/krb.h>
17 #include <kerberosIV/des.h>
19 #include <afs/venus.h>
24 #include <asm/bitops.h>
28 #define KEYTAB "/home/drh/keytab.umweb.drhtest"
29 #define KEYTAB_PRINCIPAL "umweb/drhtest"
31 #define TKT_LIFE 10*60*60
32 #define SLEEP_TIME 5*60 /* should be TKT_LIFE */
34 #define AFS_CELL "umich.edu" /* NB: lower case */
36 #define K5PATH "FILE:/tmp/waklog.creds.k5"
37 #define K4PATH "/tmp/waklog.creds.k4"
43 char HandShakeKey
[ 8 ];
53 char *keytab_principal
;
58 struct ktc_token token
;
59 } waklog_child_config
;
60 waklog_child_config child
;
64 waklog_create_dir_config( pool
*p
, char *path
)
66 waklog_host_config
*cfg
;
68 cfg
= (waklog_host_config
*)ap_pcalloc( p
, sizeof( waklog_host_config
));
72 cfg
->keytab_principal
= KEYTAB_PRINCIPAL
;
73 cfg
->afs_cell
= AFS_CELL
;
80 waklog_create_server_config( pool
*p
, server_rec
*s
)
82 waklog_host_config
*cfg
;
84 cfg
= (waklog_host_config
*)ap_pcalloc( p
, sizeof( waklog_host_config
));
88 cfg
->keytab_principal
= KEYTAB_PRINCIPAL
;
89 cfg
->afs_cell
= AFS_CELL
;
96 set_waklog_protect( cmd_parms
*params
, void *mconfig
, int flag
)
98 waklog_host_config
*cfg
;
100 if ( params
->path
== NULL
) {
101 cfg
= (waklog_host_config
*) ap_get_module_config(
102 params
->server
->module_config
, &waklog_module
);
104 cfg
= (waklog_host_config
*)mconfig
;
114 set_waklog_use_keytab( cmd_parms
*params
, void *mconfig
, char *file
)
116 waklog_host_config
*cfg
;
118 if ( params
->path
== NULL
) {
119 cfg
= (waklog_host_config
*) ap_get_module_config(
120 params
->server
->module_config
, &waklog_module
);
122 cfg
= (waklog_host_config
*)mconfig
;
125 ap_log_error( APLOG_MARK
, APLOG_INFO
|APLOG_NOERRNO
, params
->server
,
126 "mod_waklog: using keytab: %s", file
);
135 set_waklog_use_keytab_principal( cmd_parms
*params
, void *mconfig
, char *file
)
137 waklog_host_config
*cfg
;
139 if ( params
->path
== NULL
) {
140 cfg
= (waklog_host_config
*) ap_get_module_config(
141 params
->server
->module_config
, &waklog_module
);
143 cfg
= (waklog_host_config
*)mconfig
;
146 ap_log_error( APLOG_MARK
, APLOG_INFO
|APLOG_NOERRNO
, params
->server
,
147 "mod_waklog: using keytab_principal: %s", file
);
149 cfg
->keytab_principal
= file
;
156 set_waklog_use_afs_cell( cmd_parms
*params
, void *mconfig
, char *file
)
158 waklog_host_config
*cfg
;
160 if ( params
->path
== NULL
) {
161 cfg
= (waklog_host_config
*) ap_get_module_config(
162 params
->server
->module_config
, &waklog_module
);
164 cfg
= (waklog_host_config
*)mconfig
;
167 ap_log_error( APLOG_MARK
, APLOG_INFO
|APLOG_NOERRNO
, params
->server
,
168 "mod_waklog: using afs_cell: %s", file
);
170 cfg
->afs_cell
= file
;
177 waklog_child_init( server_rec
*s
, pool
*p
)
180 memset( &child
.token
, 0, sizeof( struct ktc_token
) );
188 command_rec waklog_cmds
[ ] =
190 { "WaklogProtected", set_waklog_protect
,
191 NULL
, RSRC_CONF
| ACCESS_CONF
, FLAG
,
192 "enable waklog on a location or directory basis" },
194 { "WaklogUseKeytabPath", set_waklog_use_keytab
,
195 NULL
, RSRC_CONF
, TAKE1
,
196 "Use the supplied keytab rather than the default" },
198 { "WaklogUseKeytabPrincipal", set_waklog_use_keytab_principal
,
199 NULL
, RSRC_CONF
, TAKE1
,
200 "Use the supplied keytab principal rather than the default" },
202 { "WaklogUseAFSCell", set_waklog_use_afs_cell
,
203 NULL
, RSRC_CONF
, TAKE1
,
204 "Use the supplied AFS cell rather than the default" },
211 token_cleanup( void *data
)
213 request_rec
*r
= (request_rec
*)data
;
215 if ( child
.token
.ticketLen
) {
216 memset( &child
.token
, 0, sizeof( struct ktc_token
) );
218 ktc_ForgetAllTokens();
220 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
221 "mod_waklog: ktc_ForgetAllTokens succeeded: pid: %d", getpid() );
228 waklog_kinit( server_rec
*s
)
230 krb5_error_code kerror
;
231 krb5_context kcontext
= NULL
;
232 krb5_principal kprinc
= NULL
;
233 krb5_get_init_creds_opt kopts
;
235 krb5_ccache kccache
= NULL
;
236 krb5_keytab keytab
= NULL
;
237 char ktbuf
[ MAX_KEYTAB_NAME_LEN
+ 1 ];
238 waklog_host_config
*cfg
;
240 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, s
,
241 "mod_waklog: waklog_kinit called" );
243 cfg
= (waklog_host_config
*) ap_get_module_config( s
->module_config
,
246 if (( kerror
= krb5_init_context( &kcontext
))) {
247 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
248 (char *)error_message( kerror
));
254 if (( kerror
= krb5_cc_resolve( kcontext
, K5PATH
, &kccache
)) != 0 ) {
255 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
256 (char *)error_message( kerror
));
261 if (( kerror
= krb5_parse_name( kcontext
, cfg
->keytab_principal
, &kprinc
))) {
262 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
263 (char *)error_message( kerror
));
268 krb5_get_init_creds_opt_init( &kopts
);
269 krb5_get_init_creds_opt_set_tkt_life( &kopts
, TKT_LIFE
);
270 krb5_get_init_creds_opt_set_renew_life( &kopts
, 0 );
271 krb5_get_init_creds_opt_set_forwardable( &kopts
, 1 );
272 krb5_get_init_creds_opt_set_proxiable( &kopts
, 0 );
274 /* keytab from config */
275 strncpy( ktbuf
, cfg
->keytab
, sizeof( ktbuf
) - 1 );
277 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, s
,
278 "mod_waklog: waklog_kinit using: %s", ktbuf
);
280 if (( kerror
= krb5_kt_resolve( kcontext
, ktbuf
, &keytab
)) != 0 ) {
281 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
282 (char *)error_message( kerror
));
288 if (( kerror
= krb5_get_init_creds_keytab( kcontext
, &v5creds
,
289 kprinc
, keytab
, 0, NULL
, &kopts
))) {
291 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
292 (char *)error_message( kerror
));
297 if (( kerror
= krb5_verify_init_creds( kcontext
, &v5creds
,
298 kprinc
, keytab
, NULL
, NULL
)) != 0 ) {
300 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
301 (char *)error_message( kerror
));
306 if (( kerror
= krb5_cc_initialize( kcontext
, kccache
, kprinc
)) != 0 ) {
307 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
308 (char *)error_message( kerror
));
313 kerror
= krb5_cc_store_cred( kcontext
, kccache
, &v5creds
);
314 krb5_free_cred_contents( kcontext
, &v5creds
);
316 ap_log_error( APLOG_MARK
, APLOG_ERR
, s
,
317 (char *)error_message( kerror
));
322 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, s
,
323 "mod_waklog: waklog_kinit success" );
327 (void)krb5_kt_close( kcontext
, keytab
);
329 krb5_free_principal( kcontext
, kprinc
);
331 krb5_cc_close( kcontext
, kccache
);
333 krb5_free_context( kcontext
);
335 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, s
,
336 "mod_waklog: waklog_kinit: exiting" );
343 waklog_aklog( request_rec
*r
)
347 const char *k4path
= NULL
;
348 const char *k5path
= NULL
;
349 krb5_error_code kerror
;
350 krb5_context kcontext
= NULL
;
352 krb5_creds
*v5credsp
= NULL
;
353 krb5_ccache kccache
= NULL
;
354 struct ktc_principal server
= { "afs", "", "" };
355 struct ktc_principal client
;
356 struct ktc_token token
;
357 waklog_host_config
*cfg
;
360 k5path
= ap_table_get( r
->subprocess_env
, "KRB5CCNAME" );
361 k4path
= ap_table_get( r
->subprocess_env
, "KRBTKFILE" );
363 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
364 "mod_waklog: waklog_aklog called: k5path: %s, k4path: %s", k5path
, k4path
);
366 if ( !k5path
|| !k4path
) {
367 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
368 "mod_waklog: waklog_aklog giving up" );
373 ** Get/build creds from file/tgs, then see if we need to SetToken
376 if (( kerror
= krb5_init_context( &kcontext
))) {
377 /* Authentication Required ( kerberos error ) */
378 ap_log_error( APLOG_MARK
, APLOG_ERR
, r
->server
,
379 (char *)error_message( kerror
));
384 memset( (char *)&increds
, 0, sizeof(increds
));
386 cfg
= (waklog_host_config
*) ap_get_module_config(
387 r
->server
->module_config
, &waklog_module
);
389 /* afs/<cell> or afs */
390 strncpy( buf
, "afs", sizeof( buf
) - 1 );
391 if ( strcmp( cfg
->afs_cell
, AFS_CELL
) ) {
392 strncat( buf
, "/" , sizeof( buf
) - strlen( buf
) - 1 );
393 strncat( buf
, cfg
->afs_cell
, sizeof( buf
) - strlen( buf
) - 1 );
396 /* set server part */
397 if (( kerror
= krb5_parse_name( kcontext
, buf
, &increds
.server
))) {
398 ap_log_error( APLOG_MARK
, APLOG_ERR
, r
->server
,
399 (char *)error_message( kerror
));
404 if (( kerror
= krb5_cc_resolve( kcontext
, k5path
, &kccache
)) != 0 ) {
405 ap_log_error( APLOG_MARK
, APLOG_ERR
, r
->server
,
406 (char *)error_message( kerror
));
411 /* set client part */
412 krb5_cc_get_principal( kcontext
, kccache
, &increds
.client
);
414 increds
.times
.endtime
= 0;
415 /* Ask for DES since that is what V4 understands */
416 increds
.keyblock
.enctype
= ENCTYPE_DES_CBC_CRC
;
418 /* get the V5 credentials */
419 if (( kerror
= krb5_get_credentials( kcontext
, 0, kccache
,
420 &increds
, &v5credsp
) ) ) {
421 ap_log_error( APLOG_MARK
, APLOG_ERR
, r
->server
,
422 "mod_waklog: krb5_get_credentials: %s", error_message( kerror
));
427 if ( v5credsp
->ticket
.length
>= 344 ) { /* from krb524d.c */
428 ap_log_error( APLOG_MARK
, APLOG_ERR
, r
->server
,
429 "mod_waklog: ticket size (%d) to big to fake", v5credsp
->ticket
.length
);
433 /* assemble the token */
434 memset( &token
, 0, sizeof( struct ktc_token
) );
436 token
.startTime
= v5credsp
->times
.starttime
? v5credsp
->times
.starttime
: v5credsp
->times
.authtime
;
437 token
.endTime
= v5credsp
->times
.endtime
;
438 memmove( &token
.sessionKey
, v5credsp
->keyblock
.contents
, v5credsp
->keyblock
.length
);
439 token
.kvno
= RXKAD_TKT_TYPE_KERBEROS_V5
;
440 token
.ticketLen
= v5credsp
->ticket
.length
;
441 memmove( token
.ticket
, v5credsp
->ticket
.data
, token
.ticketLen
);
443 /* make sure we have to do this */
444 if ( child
.token
.kvno
!= token
.kvno
||
445 child
.token
.ticketLen
!= token
.ticketLen
||
446 (memcmp( &child
.token
.sessionKey
, &token
.sessionKey
,
447 sizeof( token
.sessionKey
) )) ||
448 (memcmp( child
.token
.ticket
, token
.ticket
, token
.ticketLen
)) ) {
450 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
451 "mod_waklog: client: %s", buf
);
454 memmove( buf
, v5credsp
->client
->data
[0].data
, v5credsp
->client
->data
[0].length
);
455 buf
[ v5credsp
->client
->data
[0].length
] = '\0';
456 if ( v5credsp
->client
->length
> 1 ) {
457 strncat( buf
, ".", sizeof( buf
) - strlen( buf
) - 1 );
458 buflen
= strlen( buf
);
459 memmove( buf
+ buflen
, v5credsp
->client
->data
[1].data
, v5credsp
->client
->data
[1].length
);
460 buf
[ buflen
+ v5credsp
->client
->data
[1].length
] = '\0';
463 /* assemble the client */
464 strncpy( client
.name
, buf
, sizeof( client
.name
) - 1 );
465 strncpy( client
.instance
, "", sizeof( client
.instance
) - 1 );
466 memmove( buf
, v5credsp
->client
->realm
.data
, v5credsp
->client
->realm
.length
);
467 buf
[ v5credsp
->client
->realm
.length
] = '\0';
468 strncpy( client
.cell
, buf
, sizeof( client
.cell
) - 1 );
470 /* assemble the server's cell */
471 strncpy( server
.cell
, cfg
->afs_cell
, sizeof( server
.cell
) - 1 );
473 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
474 "mod_waklog: server: name=%s, instance=%s, cell=%s",
475 server
.name
, server
.instance
, server
.cell
);
477 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
478 "mod_waklog: client: name=%s, instance=%s, cell=%s",
479 client
.name
, client
.instance
, client
.cell
);
482 krb_set_tkt_string( (char *)k4path
);
484 /* rumor: we have to do this for AIX 4.1.4 with AFS 3.4+ */
487 if ( ( rc
= ktc_SetToken( &server
, &token
, &client
, 0 ) ) ) {
488 ap_log_error( APLOG_MARK
, APLOG_ERR
, r
->server
,
489 "mod_waklog: settoken returned %d", rc
);
494 memmove( &child
.token
, &token
, sizeof( struct ktc_token
) );
496 /* we'll need to unlog when this connection is done. */
497 ap_register_cleanup( r
->pool
, (void *)r
, token_cleanup
, ap_null_cleanup
);
502 krb5_free_cred_contents( kcontext
, v5credsp
);
503 if ( increds
.client
)
504 krb5_free_principal( kcontext
, increds
.client
);
505 if ( increds
.server
)
506 krb5_free_principal( kcontext
, increds
.server
);
508 krb5_cc_close( kcontext
, kccache
);
510 krb5_free_context( kcontext
);
512 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
513 "mod_waklog: finished with waklog_aklog" );
520 waklog_child_routine( void *s
, child_info
*pinfo
)
523 ap_log_error( APLOG_MARK
, APLOG_ERR
|APLOG_NOERRNO
, s
,
524 "mod_waklog: waklog_child_routine called as root" );
526 /* this was causing the credential file to get owned by root */
540 waklog_init( server_rec
*s
, pool
*p
)
542 extern char *version
;
545 ap_log_error( APLOG_MARK
, APLOG_INFO
|APLOG_NOERRNO
, s
,
546 "mod_waklog: version %s initialized.", version
);
548 pid
= ap_bspawn_child( p
, waklog_child_routine
, s
, kill_always
,
551 ap_log_error( APLOG_MARK
, APLOG_ERR
|APLOG_NOERRNO
, s
,
552 "mod_waklog: ap_bspawn_child: %d.", pid
);
557 waklog_phase0( request_rec
*r
)
559 waklog_host_config
*cfg
;
561 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
562 "mod_waklog: phase0 called" );
564 /* directory config? */
565 cfg
= (waklog_host_config
*)ap_get_module_config(
566 r
->per_dir_config
, &waklog_module
);
569 if ( !cfg
->configured
) {
570 cfg
= (waklog_host_config
*)ap_get_module_config(
571 r
->server
->module_config
, &waklog_module
);
574 if ( !cfg
->protect
) {
575 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
576 "mod_waklog: phase0 declining" );
580 /* do this only if we are still unauthenticated */
581 if ( !child
.token
.ticketLen
) {
583 /* set our environment variables */
584 ap_table_set( r
->subprocess_env
, "KRB5CCNAME", K5PATH
);
585 ap_table_set( r
->subprocess_env
, "KRBTKFILE", K4PATH
);
587 /* stuff the credentials into the kernel */
591 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
592 "mod_waklog: phase0 returning" );
598 waklog_phase7( request_rec
*r
)
600 waklog_host_config
*cfg
;
602 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
603 "mod_waklog: phase7 called" );
605 /* directory config? */
606 cfg
= (waklog_host_config
*)ap_get_module_config(
607 r
->per_dir_config
, &waklog_module
);
610 if ( !cfg
->configured
) {
611 cfg
= (waklog_host_config
*)ap_get_module_config(
612 r
->server
->module_config
, &waklog_module
);
615 if ( !cfg
->protect
) {
619 /* stuff the credentials into the kernel */
622 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, r
->server
,
623 "mod_waklog: phase7 returning" );
629 waklog_new_connection( conn_rec
*c
) {
630 ap_log_error( APLOG_MARK
, APLOG_NOERRNO
|APLOG_ERR
, c
->server
,
631 "mod_waklog: new_connection called: pid: %d", getpid() );
635 module MODULE_VAR_EXPORT waklog_module
= {
636 STANDARD_MODULE_STUFF
,
637 waklog_init
, /* module initializer */
638 waklog_create_dir_config
, /* create per-dir config structures */
639 NULL
, /* merge per-dir config structures */
640 waklog_create_server_config
, /* create per-server config structures */
641 NULL
, /* merge per-server config structures */
642 waklog_cmds
, /* table of config file commands */
643 NULL
, /* [#8] MIME-typed-dispatched handlers */
644 NULL
, /* [#1] URI to filename translation */
645 NULL
, /* [#4] validate user id from request */
646 NULL
, /* [#5] check if the user is ok _here_ */
647 NULL
, /* [#3] check access by host address */
648 NULL
, /* [#6] determine MIME type */
649 waklog_phase7
, /* [#7] pre-run fixups */
650 NULL
, /* [#9] log a transaction */
651 NULL
, /* [#2] header parser */
652 waklog_child_init
, /* child_init */
653 NULL
, /* child_exit */
654 waklog_phase0
/* [#0] post read-request */
656 ,NULL
, /* EAPI: add_module */
657 NULL
, /* EAPI: remove_module */
658 NULL
, /* EAPI: rewrite_command */
659 waklog_new_connection
/* EAPI: new_connection */