diff options
Diffstat (limited to 'src/mod_auth_gssapi.c')
-rw-r--r-- | src/mod_auth_gssapi.c | 53 |
1 files changed, 51 insertions, 2 deletions
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index 240d47a..668470f 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -47,6 +47,7 @@ module AP_MODULE_DECLARE_DATA auth_gssapi_module; APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *)); struct mag_config { + apr_pool_t *pool; bool ssl_only; bool map_to_local; bool gss_conn_ctx; @@ -218,6 +219,8 @@ static void mag_check_session(request_rec *req, } if (!cfg->mag_skey) { + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req, + "Session key not available, no cookies!"); /* we do not have a key, just return */ return; } @@ -273,13 +276,15 @@ static void mag_attempt_session(request_rec *req, if (!mc->established) return; rc = mag_session_load(req, &sess); if (rc != OK || sess == NULL) { - ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req, "Sessions not available, can't send cookies!"); return; } if (!cfg->mag_skey) { - rc = SEAL_KEY_CREATE(&cfg->mag_skey); + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req, + "Session key not available, generating new one."); + rc = SEAL_KEY_CREATE(cfg->pool, &cfg->mag_skey, NULL); if (rc != OK) { ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "Failed to create sealing key!"); @@ -524,6 +529,7 @@ static void *mag_create_dir_config(apr_pool_t *p, char *dir) cfg = (struct mag_config *)apr_pcalloc(p, sizeof(struct mag_config)); if (!cfg) return NULL; + cfg->pool = p; return cfg; } @@ -556,6 +562,47 @@ static const char *mag_use_sess(cmd_parms *parms, void *mconfig, int on) return NULL; } +static const char *mag_sess_key(cmd_parms *parms, void *mconfig, const char *w) +{ + struct mag_config *cfg = (struct mag_config *)mconfig; + struct databuf keys; + unsigned char *val; + apr_status_t rc; + const char *k; + int l; + + if (strncmp(w, "key:", 4) != 0) { + ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + "Invalid key format, expected prefix 'key:'"); + return NULL; + } + k = w + 4; + + l = apr_base64_decode_len(k); + val = apr_palloc(parms->temp_pool, l); + if (!val) { + ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + "Failed to get memory to decode key"); + return NULL; + } + + keys.length = (int)apr_base64_decode_binary(val, k); + keys.value = (unsigned char *)val; + + if (keys.length != 32) { + ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + "Invalid key lenght, expected 32 got %d", keys.length); + return NULL; + } + + rc = SEAL_KEY_CREATE(cfg->pool, &cfg->mag_skey, &keys); + if (rc != OK) { + ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + "Failed to import sealing key!"); + } + return NULL; +} + static const char *mag_cred_store(cmd_parms *parms, void *mconfig, const char *w) { @@ -611,6 +658,8 @@ static const command_rec mag_commands[] = { "Authentication is bound to the TCP connection"), AP_INIT_FLAG("GssapiUseSessions", mag_use_sess, NULL, OR_AUTHCFG, "Authentication uses mod_sessions to hold status"), + AP_INIT_RAW_ARGS("GssapiSessionKey", mag_sess_key, NULL, OR_AUTHCFG, + "Key Used to seal session data."), AP_INIT_ITERATE("GssapiCredStore", mag_cred_store, NULL, OR_AUTHCFG, "Credential Store"), { NULL } |