diff options
| author | Simo Sorce <simo@redhat.com> | 2014-07-07 11:42:57 -0400 |
|---|---|---|
| committer | Simo Sorce <simo@redhat.com> | 2014-07-10 06:52:55 -0400 |
| commit | 6e86569afd4812f5674810ab66ee67fd5251d538 (patch) | |
| tree | 323f97ff9402d5cef5f33503e3136d95982d591c /src/mod_auth_gssapi.c | |
| parent | 63dbb99337d0423253cb1ead0dcc3da54af5d13e (diff) | |
| download | mod_auth_gssapi-6e86569afd4812f5674810ab66ee67fd5251d538.tar.gz mod_auth_gssapi-6e86569afd4812f5674810ab66ee67fd5251d538.tar.xz mod_auth_gssapi-6e86569afd4812f5674810ab66ee67fd5251d538.zip | |
Add permanent session keys support
Keys (encryption+MAC) can now be stored in apache configuration.
The key must be a base64 encoded blob of original length of 32 bytes
(16 bytes for encryption and 16 for the MAC key)
The format is:
key:<base64 blob>
Diffstat (limited to 'src/mod_auth_gssapi.c')
| -rw-r--r-- | src/mod_auth_gssapi.c | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index 7e8df96..ec78e82 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -346,6 +346,47 @@ static const char *mag_use_sess(cmd_parms *parms, void *mconfig, int on) return NULL; } +static const char *mag_sess_key(cmd_parms *parms, void *mconfig, const char *w) +{ + struct mag_config *cfg = (struct mag_config *)mconfig; + struct databuf keys; + unsigned char *val; + apr_status_t rc; + const char *k; + int l; + + if (strncmp(w, "key:", 4) != 0) { + ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + "Invalid key format, expected prefix 'key:'"); + return NULL; + } + k = w + 4; + + l = apr_base64_decode_len(k); + val = apr_palloc(parms->temp_pool, l); + if (!val) { + ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + "Failed to get memory to decode key"); + return NULL; + } + + keys.length = (int)apr_base64_decode_binary(val, k); + keys.value = (unsigned char *)val; + + if (keys.length != 32) { + ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + "Invalid key lenght, expected 32 got %d", keys.length); + return NULL; + } + + rc = SEAL_KEY_CREATE(cfg->pool, &cfg->mag_skey, &keys); + if (rc != OK) { + ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + "Failed to import sealing key!"); + } + return NULL; +} + static const char *mag_cred_store(cmd_parms *parms, void *mconfig, const char *w) { @@ -401,6 +442,8 @@ static const command_rec mag_commands[] = { "Authentication is bound to the TCP connection"), AP_INIT_FLAG("GssapiUseSessions", mag_use_sess, NULL, OR_AUTHCFG, "Authentication uses mod_sessions to hold status"), + AP_INIT_RAW_ARGS("GssapiSessionKey", mag_sess_key, NULL, OR_AUTHCFG, + "Key Used to seal session data."), AP_INIT_ITERATE("GssapiCredStore", mag_cred_store, NULL, OR_AUTHCFG, "Credential Store"), { NULL } |