HCoop / hcoop / zz_old / modwaklog.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Memory leak cleanup
[hcoop/zz_old/modwaklog.git] / mod_waklog.c
1 #include "httpd.h"
2 #include "http_config.h"
3 #include "http_conf_globals.h"
4 #include "http_log.h"
5 #include "http_protocol.h"
6 #include "http_request.h"
7 #include "http_core.h"
8 #include "ap_config.h"
9 #include <krb5.h>
10
11 #if defined(sun)
12 #include <sys/ioccom.h>
13 #endif /* sun */
14 #include <stropts.h>
15 #include <kerberosIV/krb.h>
16 #include <kerberosIV/des.h>
17 #include <afs/venus.h>
18 #include <afs/auth.h>
19 #include <rx/rxkad.h>
20
21 #include <asm/bitops.h>
22 #include <sys/shm.h>
23
24 #define KEYTAB_PATH "/home/drh/keytab.umweb.drhtest"
25 #define PRINCIPAL "umweb/drhtest"
26 #define AFS "afs"
27 #define IN_TKT_SERVICE "krbtgt/UMICH.EDU"
28
29 #define K5PATH "FILE:/tmp/waklog.creds.k5"
30 #define K4PATH "/tmp/waklog.creds.k4"
31
32 module waklog_module;
33
34 struct ClearToken {
35 long AuthHandle;
36 char HandShakeKey[ 8 ];
37 long ViceId;
38 long BeginTimestamp;
39 long EndTimestamp;
40 };
41
42 typedef struct {
43 int configured;
44 int protect;
45 char *keytab;
46 char *keytab_principal;
47 char *afs_instance;
48 } waklog_host_config;
49
50 typedef struct {
51 struct ktc_token token;
52 } waklog_child_config;
53 waklog_child_config *child = NULL;
54
55
56 static void *
57 waklog_create_dir_config( pool *p, char *path )
58 {
59 waklog_host_config *cfg;
60
61 cfg = (waklog_host_config *)ap_pcalloc( p, sizeof( waklog_host_config ));
62 cfg->configured = 0;
63 cfg->protect = 0;
64 cfg->keytab = 0;
65 cfg->keytab_principal = 0;
66 cfg->afs_instance = 0;
67
68 return( cfg );
69 }
70
71
72 static void *
73 waklog_create_server_config( pool *p, server_rec *s )
74 {
75 waklog_host_config *cfg;
76
77 cfg = (waklog_host_config *)ap_pcalloc( p, sizeof( waklog_host_config ));
78 cfg->configured = 0;
79 cfg->protect = 0;
80 cfg->keytab = 0;
81 cfg->keytab_principal = 0;
82 cfg->afs_instance = 0;
83
84 return( cfg );
85 }
86
87
88 static const char *
89 set_waklog_protect( cmd_parms *params, void *mconfig, int flag )
90 {
91 waklog_host_config *cfg;
92
93 if ( params->path == NULL ) {
94 cfg = (waklog_host_config *) ap_get_module_config(
95 params->server->module_config, &waklog_module );
96 } else {
97 cfg = (waklog_host_config *)mconfig;
98 }
99
100 cfg->protect = flag;
101 cfg->configured = 1;
102 return( NULL );
103 }
104
105
106 static const char *
107 set_waklog_use_keytab( cmd_parms *params, void *mconfig, char *file )
108 {
109 waklog_host_config *cfg;
110
111 if ( params->path == NULL ) {
112 cfg = (waklog_host_config *) ap_get_module_config(
113 params->server->module_config, &waklog_module );
114 } else {
115 cfg = (waklog_host_config *)mconfig;
116 }
117
118 ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, params->server,
119 "mod_waklog: using keytab: %s", file );
120
121 cfg->keytab = file;
122 cfg->configured = 1;
123 return( NULL );
124 }
125
126
127 static void
128 waklog_child_init( server_rec *s, pool *p )
129 {
130
131 if ( child == NULL ) {
132 child = (waklog_child_config *) ap_palloc( p, sizeof( waklog_child_config ) );
133 }
134
135 memset( &child->token, 0, sizeof( struct ktc_token ) );
136
137 setpag();
138
139 return;
140 }
141
142
143 command_rec waklog_cmds[ ] =
144 {
145 { "WaklogProtected", set_waklog_protect,
146 NULL, RSRC_CONF | ACCESS_CONF, FLAG,
147 "enable waklog on a location or directory basis" },
148
149 { "WaklogUseKeytab", set_waklog_use_keytab,
150 NULL, RSRC_CONF, TAKE1,
151 "Use the supplied keytab file rather than the user's TGT" },
152
153 { NULL }
154 };
155
156
157 static void
158 token_cleanup( void *data )
159 {
160 request_rec *r = (request_rec *)data;
161
162 if ( child->token.ticketLen ) {
163 memset( &child->token, 0, sizeof( struct ktc_token ) );
164
165 ktc_ForgetAllTokens();
166
167 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
168 "mod_waklog: ktc_ForgetAllTokens succeeded" );
169 }
170 return;
171 }
172
173
174 static int
175 waklog_kinit( server_rec *s )
176 {
177 krb5_error_code kerror;
178 krb5_context kcontext = NULL;
179 krb5_principal kprinc = NULL;
180 krb5_get_init_creds_opt kopts;
181 krb5_creds v5creds;
182 CREDENTIALS v4creds;
183 krb5_ccache kccache = NULL;
184 krb5_keytab keytab = NULL;
185 char ktbuf[ MAX_KEYTAB_NAME_LEN + 1 ];
186 waklog_host_config *cfg;
187
188 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
189 "mod_waklog: waklog_kinit called" );
190
191 if (( kerror = krb5_init_context( &kcontext ))) {
192 ap_log_error( APLOG_MARK, APLOG_ERR, s,
193 (char *)error_message( kerror ));
194
195 goto cleanup;
196 }
197
198 /* use the path */
199 if (( kerror = krb5_cc_resolve( kcontext, K5PATH, &kccache )) != 0 ) {
200 ap_log_error( APLOG_MARK, APLOG_ERR, s,
201 (char *)error_message( kerror ));
202
203 goto cleanup;
204 }
205
206 if (( kerror = krb5_parse_name( kcontext, PRINCIPAL, &kprinc ))) {
207 ap_log_error( APLOG_MARK, APLOG_ERR, s,
208 (char *)error_message( kerror ));
209
210 goto cleanup;
211 }
212
213 krb5_get_init_creds_opt_init( &kopts );
214 krb5_get_init_creds_opt_set_tkt_life( &kopts, 10*60*60 );
215 krb5_get_init_creds_opt_set_renew_life( &kopts, 0 );
216 krb5_get_init_creds_opt_set_forwardable( &kopts, 1 );
217 krb5_get_init_creds_opt_set_proxiable( &kopts, 0 );
218
219 cfg = (waklog_host_config *) ap_get_module_config( s->module_config,
220 &waklog_module );
221
222 /* which keytab should we use? */
223 strcpy( ktbuf, cfg->keytab ? cfg->keytab : KEYTAB_PATH );
224
225 if ( strlen( ktbuf ) > MAX_KEYTAB_NAME_LEN ) {
226 ap_log_error( APLOG_MARK, APLOG_ERR, s,
227 "server configuration error" );
228
229 goto cleanup;
230 }
231
232 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
233 "mod_waklog: waklog_kinit using: %s", ktbuf );
234
235 if (( kerror = krb5_kt_resolve( kcontext, ktbuf, &keytab )) != 0 ) {
236 ap_log_error( APLOG_MARK, APLOG_ERR, s,
237 (char *)error_message( kerror ));
238
239 goto cleanup;
240 }
241
242 /* get the krbtgt */
243 if (( kerror = krb5_get_init_creds_keytab( kcontext, &v5creds,
244 kprinc, keytab, 0, IN_TKT_SERVICE, &kopts ))) {
245
246 ap_log_error( APLOG_MARK, APLOG_ERR, s,
247 (char *)error_message( kerror ));
248
249 goto cleanup;
250 }
251
252 if (( kerror = krb5_verify_init_creds( kcontext, &v5creds,
253 kprinc, keytab, NULL, NULL )) != 0 ) {
254
255 ap_log_error( APLOG_MARK, APLOG_ERR, s,
256 (char *)error_message( kerror ));
257
258 goto cleanup;
259 }
260
261 if (( kerror = krb5_cc_initialize( kcontext, kccache, kprinc )) != 0 ) {
262 ap_log_error( APLOG_MARK, APLOG_ERR, s,
263 (char *)error_message( kerror ));
264
265 goto cleanup;
266 }
267
268 kerror = krb5_cc_store_cred( kcontext, kccache, &v5creds );
269 krb5_free_cred_contents( kcontext, &v5creds );
270 if ( kerror != 0 ) {
271 ap_log_error( APLOG_MARK, APLOG_ERR, s,
272 (char *)error_message( kerror ));
273
274 goto cleanup;
275 }
276
277 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
278 "mod_waklog: waklog_kinit success" );
279
280 cleanup:
281 if ( keytab )
282 (void)krb5_kt_close( kcontext, keytab );
283 if ( kprinc )
284 krb5_free_principal( kcontext, kprinc );
285 if ( kccache )
286 krb5_cc_close( kcontext, kccache );
287 if ( kcontext )
288 krb5_free_context( kcontext );
289
290 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, s,
291 "mod_waklog: waklog_kinit: exiting" );
292
293 return( 0 );
294 }
295
296
297 static void
298 waklog_aklog( request_rec *r )
299 {
300 int rc;
301 char buf[ 1024 ];
302 const char *k4path = NULL;
303 const char *k5path = NULL;
304 krb5_error_code kerror;
305 krb5_context kcontext = NULL;
306 krb5_creds increds;
307 krb5_creds *v5credsp = NULL;
308 CREDENTIALS v4creds;
309 krb5_ccache kccache = NULL;
310 struct ktc_principal server = { "afs", "", "umich.edu" };
311 struct ktc_principal client;
312 struct ktc_token token;
313
314 k5path = ap_table_get( r->subprocess_env, "KRB5CCNAME" );
315 k4path = ap_table_get( r->subprocess_env, "KRBTKFILE" );
316
317 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
318 "mod_waklog: waklog_aklog called: k5path: %s, k4path: %s", k5path, k4path );
319
320 if ( !k5path || !k4path ) {
321 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
322 "mod_waklog: waklog_aklog giving up" );
323 goto cleanup;
324 }
325
326 /*
327 ** Get/build creds from file/tgs, then see if we need to SetToken
328 */
329
330 if (( kerror = krb5_init_context( &kcontext ))) {
331 /* Authentication Required ( kerberos error ) */
332 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
333 (char *)error_message( kerror ));
334
335 goto cleanup;
336 }
337
338 memset( (char *)&increds, 0, sizeof(increds));
339
340 /* set server part */
341 if (( kerror = krb5_parse_name( kcontext, AFS, &increds.server ))) {
342 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
343 (char *)error_message( kerror ));
344
345 goto cleanup;
346 }
347
348 if (( kerror = krb5_cc_resolve( kcontext, k5path, &kccache )) != 0 ) {
349 ap_log_error( APLOG_MARK, APLOG_ERR, r->server,
350 (char *)error_message( kerror ));
351
352 goto cleanup;
353 }
354
355 /* set client part */
356 krb5_cc_get_principal( kcontext, kccache, &increds.client );
357
358 increds.times.endtime = 0;
359 /* Ask for DES since that is what V4 understands */
360 increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
361
362 /* get the V5 credentials */
363 if (( kerror = krb5_get_credentials( kcontext, 0, kccache,
364 &increds, &v5credsp ) ) ) {
365 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
366 "mod_waklog: krb5_get_credentials: %s", krb_err_txt[ kerror ] );
367 goto cleanup;
368 }
369
370 /* get the V4 credentials */
371 if (( kerror = krb524_convert_creds_kdc( kcontext, v5credsp, &v4creds ) ) ) {
372 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
373 "mod_waklog: krb524_convert_creds_kdc: %s", krb_err_txt[ kerror ] );
374 goto cleanup;
375 }
376
377 /* assemble the token */
378 token.kvno = v4creds.kvno;
379 token.startTime = v4creds.issue_date;
380 token.endTime = v5credsp->times.endtime;
381 memmove( &token.sessionKey, v4creds.session, 8 );
382 token.ticketLen = v4creds.ticket_st.length ;
383 memmove( token.ticket, v4creds.ticket_st.dat, token.ticketLen );
384
385 /* make sure we have to do this */
386 if ( child->token.kvno != token.kvno ||
387 child->token.ticketLen != token.ticketLen ||
388 memcmp( &child->token.sessionKey, &token.sessionKey,
389 sizeof( token.sessionKey ) ) ||
390 memcmp( child->token.ticket, token.ticket, token.ticketLen ) ) {
391
392 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
393 "mod_waklog: %s.%s@%s", v4creds.service, v4creds.instance,
394 v4creds.realm );
395 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
396 "mod_waklog: %d %d %d", v4creds.lifetime, v4creds.kvno,
397 v4creds.issue_date );
398 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
399 "mod_waklog: %s %s", v4creds.pname, v4creds.pinst );
400 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
401 "mod_waklog: %d", v4creds.ticket_st.length );
402
403 /* build the name */
404 strcpy( buf, v4creds.pname );
405 if ( v4creds.pinst[ 0 ] ) {
406 strcat( buf, "." );
407 strcat( buf, v4creds.pinst );
408 }
409
410 /* assemble the client */
411 strncpy( client.name, buf, MAXKTCNAMELEN - 1 );
412 strcpy( client.instance, "" );
413 strncpy( client.cell, v4creds.realm, MAXKTCNAMELEN - 1 );
414
415 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
416 "mod_waklog: server: name=%s, instance=%s, cell=%s",
417 server.name, server.instance, server.cell );
418
419 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
420 "mod_waklog: client: name=%s, instance=%s, cell=%s",
421 client.name, client.instance, client.cell );
422
423 /* use the path */
424 krb_set_tkt_string( (char *)k4path );
425
426 /* rumor: we have to do this for AIX 4.1.4 with AFS 3.4+ */
427 write( 2, "", 0 );
428
429 if ( ( rc = ktc_SetToken( &server, &token, &client, 0 ) ) ) {
430 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
431 "mod_waklog: settoken returned %d", rc );
432 }
433
434 /* save this */
435 memmove( &child->token, &token, sizeof( struct ktc_token ) );
436
437 /* we'll need to unlog when this connection is done. */
438 ap_register_cleanup( r->pool, (void *)r, token_cleanup, ap_null_cleanup );
439 }
440
441 cleanup:
442 if ( v5credsp )
443 krb5_free_cred_contents( kcontext, v5credsp );
444 if ( increds.client )
445 krb5_free_principal( kcontext, increds.client );
446 if ( increds.server )
447 krb5_free_principal( kcontext, increds.server );
448 if ( kccache )
449 krb5_cc_close( kcontext, kccache );
450 if ( kcontext )
451 krb5_free_context( kcontext );
452
453 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
454 "mod_waklog: finished with waklog_aklog" );
455
456 return;
457
458 }
459
460 static int
461 waklog_child_routine( void *s, child_info *pinfo )
462 {
463 if ( !getuid() ) {
464 ap_log_error( APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
465 "mod_waklog: waklog_child_routine called as root" );
466
467 /* this was causing the credential file to get owned by root */
468 setgid(ap_group_id);
469 setuid(ap_user_id);
470 }
471
472 while( 1 ) {
473 waklog_kinit( s );
474 sleep( 300 /* 10*60*60 - 5*60 */ );
475 }
476
477 }
478
479
480 static void
481 waklog_init( server_rec *s, pool *p )
482 {
483 extern char *version;
484 int pid;
485
486 ap_log_error( APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, s,
487 "mod_waklog: version %s initialized.", version );
488
489 pid = ap_bspawn_child( p, waklog_child_routine, s, kill_always,
490 NULL, NULL, NULL );
491
492 ap_log_error( APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
493 "mod_waklog: ap_bspawn_child: %d.", pid );
494 }
495
496
497 static int
498 waklog_phase0( request_rec *r )
499 {
500 waklog_host_config *cfg;
501
502 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
503 "mod_waklog: phase0 called" );
504
505 /* directory config? */
506 cfg = (waklog_host_config *)ap_get_module_config(
507 r->per_dir_config, &waklog_module);
508
509 /* server config? */
510 if ( !cfg->configured ) {
511 cfg = (waklog_host_config *)ap_get_module_config(
512 r->server->module_config, &waklog_module);
513 }
514
515 if ( !cfg->protect ) {
516 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
517 "mod_waklog: phase0 declining" );
518 return( DECLINED );
519 }
520
521 /* do this only if we are still unauthenticated */
522 if ( !child->token.ticketLen ) {
523
524 /* set our environment variables */
525 ap_table_set( r->subprocess_env, "KRB5CCNAME", K5PATH );
526 ap_table_set( r->subprocess_env, "KRBTKFILE", K4PATH );
527
528 /* stuff the credentials into the kernel */
529 waklog_aklog( r );
530 }
531
532 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
533 "mod_waklog: phase0 returning" );
534 return DECLINED;
535 }
536
537
538 static int
539 waklog_phase7( request_rec *r )
540 {
541 waklog_host_config *cfg;
542
543 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
544 "mod_waklog: phase7 called" );
545
546 /* directory config? */
547 cfg = (waklog_host_config *)ap_get_module_config(
548 r->per_dir_config, &waklog_module);
549
550 /* server config? */
551 if ( !cfg->configured ) {
552 cfg = (waklog_host_config *)ap_get_module_config(
553 r->server->module_config, &waklog_module);
554 }
555
556 if ( !cfg->protect ) {
557 return( DECLINED );
558 }
559
560 /* stuff the credentials into the kernel */
561 waklog_aklog( r );
562
563 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
564 "mod_waklog: phase7 returning" );
565
566 return DECLINED;
567 }
568
569 static void
570 waklog_new_connection( conn_rec *c ) {
571 ap_log_error( APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, c->server,
572 "mod_waklog: new_connection called: conn_rec: 0x%08x pid: %d", c, getpid() );
573 return;
574 }
575
576 module MODULE_VAR_EXPORT waklog_module = {
577 STANDARD_MODULE_STUFF,
578 waklog_init, /* module initializer */
579 waklog_create_dir_config, /* create per-dir config structures */
580 NULL, /* merge per-dir config structures */
581 waklog_create_server_config, /* create per-server config structures */
582 NULL, /* merge per-server config structures */
583 waklog_cmds, /* table of config file commands */
584 NULL, /* [#8] MIME-typed-dispatched handlers */
585 NULL, /* [#1] URI to filename translation */
586 NULL, /* [#4] validate user id from request */
587 NULL, /* [#5] check if the user is ok _here_ */
588 NULL, /* [#3] check access by host address */
589 NULL, /* [#6] determine MIME type */
590 waklog_phase7, /* [#7] pre-run fixups */
591 NULL, /* [#9] log a transaction */
592 NULL, /* [#2] header parser */
593 waklog_child_init, /* child_init */
594 NULL, /* child_exit */
595 waklog_phase0 /* [#0] post read-request */
596 #ifdef EAPI
597 ,NULL, /* EAPI: add_module */
598 NULL, /* EAPI: remove_module */
599 NULL, /* EAPI: rewrite_command */
600 waklog_new_connection /* EAPI: new_connection */
601 #endif
602 };
Unnamed repository; edit this file 'description' to name the repository.