ZEKE_HIDDEN
struct zktool_vxid_pool *zktool_vxid_factory(apr_pool_t *pool)
{
struct zktool_vxid_pool *vp = NULL;
apr_status_t st;
st = apr_pool_userdata_get((void**)&vp,"LIBZEKE:zktool_vxid",pool);
if(st != APR_SUCCESS || !vp) {
vp = apr_palloc(pool,VXID_SIZEOF(*vp));
assert(vp != NULL);
vp->magic = ZKTOOL_VXID_MAGIC;
vp->p = pool;
VXID(vp).base = &vxid_base;
VXID(vp).chunk = &vxid_chunk;
#ifdef ZEKE_USE_THREADS
vp->busy = 0;
vp->waiter = 0;
assert(apr_thread_mutex_create(&vp->mutex,APR_THREAD_MUTEX_DEFAULT,pool) == APR_SUCCESS);
assert(apr_thread_cond_create(&vp->cond,pool) == APR_SUCCESS);
#endif
assert(apr_pool_userdata_setn(vp,"LIBZEKE:zktool_vxid",NULL,pool) == APR_SUCCESS);
}
zktool_vxid_get(vp);
return vp;
}
int ml_session_load(lua_State* L)
{
if (ap_session_load)
{
apr_status_t status;
request_rec *r = CHECK_REQUEST_OBJECT(1);
session_rec *sess = NULL;
status = apr_pool_userdata_get((void**)&sess, "ml_session", r->pool);
if (status == APR_SUCCESS)
{
if (sess == NULL)
{
status = ap_session_load(r, &sess);
if (status != APR_SUCCESS)
return ml_push_status(L, status);
status = apr_pool_userdata_setn(sess, "ml_session", NULL, r->pool);
if (status != APR_SUCCESS)
return ml_push_status(L, status);
}
lua_pushboolean(L, sess != NULL);
return 1;
}
return ml_push_status(L, status);
}
return 0;
}
static const char *mag_name_attrs(cmd_parms *parms, void *mconfig,
const char *w)
{
struct mag_config *cfg = (struct mag_config *)mconfig;
void *tmp_na;
size_t size = 0;
char *p;
int c;
if (!cfg->name_attributes) {
size = sizeof(struct mag_name_attributes)
+ (sizeof(struct mag_na_map) * 16);
} else if (cfg->name_attributes->map_count % 16 == 0) {
size = sizeof(struct mag_name_attributes)
+ (sizeof(struct mag_na_map)
* (cfg->name_attributes->map_count + 16));
}
if (size) {
tmp_na = realloc(cfg->name_attributes, size);
if (!tmp_na) apr_pool_abort_get(cfg->pool)(ENOMEM);
if (cfg->name_attributes) {
size_t empty = (sizeof(struct mag_na_map) * 16);
memset(tmp_na + size - empty, 0, empty);
} else {
memset(tmp_na, 0, size);
}
cfg->name_attributes = (struct mag_name_attributes *)tmp_na;
apr_pool_userdata_setn(cfg, GSS_NAME_ATTR_USERDATA,
mag_name_attrs_cleanup, cfg->pool);
}
p = strchr(w, ' ');
if (p == NULL) {
if (strcmp(w, "json") == 0) {
cfg->name_attributes->output_json = true;
} else {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
"Invalid Name Attributes value [%s].", w);
}
return NULL;
}
c = cfg->name_attributes->map_count;
cfg->name_attributes->map[c].env_name = apr_pstrndup(cfg->pool, w, p-w);
p++;
cfg->name_attributes->map[c].attr_name = apr_pstrdup(cfg->pool, p);
cfg->name_attributes->map_count += 1;
return NULL;
}
/* similar to authenticate a basic user, here the authentication is done for the user
who opted for a secure SSPI authentication */
int authenticate_sspi_user(request_rec *r)
{
sspi_auth_ctx ctx;
const char *current_auth;
int res;
/* is SSPI authentication supported? */
current_auth = ap_auth_type(r);
if (!current_auth || strcasecmp(current_auth, "SSPI")) {
return DECLINED;
}
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, SSPILOGNO(00001) "Entering authenticate_sspi_user()");
#ifdef _DEBUG
if (sspiModuleInfo.currentlyDebugging == FALSE) {
sspiModuleInfo.currentlyDebugging = TRUE;
DebugBreak();
}
#endif /* def _DEBUG */
/* securezeromemory is needed so that the password is no longer present in the memory
this is needed otherwise someone else can read the decrypted password */
SecureZeroMemory(&ctx, sizeof (ctx));
ctx.r = r;
ctx.crec = get_sspi_config_rec(r);
if (!ctx.crec->sspi_on) {
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r, SSPILOGNO(00007)
"access to %s declined, reason: SSPIAuth is off",
r->uri);
return DECLINED;
}
/* checking all the different conditons */
if (sspiModuleInfo.supportsSSPI == FALSE) {
if (ctx.crec->sspi_authoritative) {
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r, SSPILOGNO(00002)
"access to %s failed, reason: SSPI support is not available",
r->uri);
return HTTP_INTERNAL_SERVER_ERROR;
} else {
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r, SSPILOGNO(00008)
"access to %s declined, reason: SSPIAuth support is not available",
r->uri);
return DECLINED;
}
}
/* checking all the different conditons */
if (ctx.crec->sspi_package_basic == NULL) {
ctx.crec->sspi_package_basic = ctx.crec->sspi_packages;
if (ctx.crec->sspi_package_basic == NULL) {
ctx.crec->sspi_package_basic = sspiModuleInfo.defaultPackage;
}
}
if (ctx.crec->sspi_packages == NULL) {
ctx.crec->sspi_packages = ctx.crec->sspi_package_basic;
}
apr_pool_userdata_get(&ctx.scr, sspiModuleInfo.userDataKeyString, r->connection->pool);
if (ctx.scr == NULL) {
ctx.scr = apr_pcalloc(r->connection->pool, sizeof(sspi_connection_rec));
apr_pool_userdata_setn(ctx.scr, sspiModuleInfo.userDataKeyString, cleanup_sspi_connection,
r->connection->pool);
}
else if (ie_post_needs_reauth(&ctx)) {
// Internet Explorer wants to re authenticate, not POST
ctx.scr->username = NULL;
if (ctx.scr->server_context.dwLower ||
ctx.scr->server_context.dwUpper) {
sspiModuleInfo.functable->DeleteSecurityContext(&ctx.scr->server_context);
ctx.scr->server_context.dwLower = 0;
ctx.scr->server_context.dwUpper = 0;
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"SSPI: starting IE re authentication");
}
}
if (ctx.scr->username == NULL) {
if (res = get_sspi_header(&ctx)) {
if (!ie_post_empty(&ctx) &&
ctx.crec->sspi_optional) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"SSPI: Optional auth exercised phase 1");
ctx.r->user = "******";
ctx.r->ap_auth_type = "Basic";
return OK;
}
return res;
}
if ((! ctx.scr->have_credentials) &&
(res = obtain_credentials(&ctx))) {
if (!ie_post_empty(&ctx) &&
ctx.crec->sspi_optional) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"SSPI: Optional auth exercised phase 2");
ctx.r->user = "******";
ctx.r->ap_auth_type = "Basic";
return OK;
}
return res;
}
if (ctx.hdr.authtype == typeSSPI) {
if (res = accept_security_context(&ctx)) {
if (!ie_post_empty(&ctx) &&
ctx.crec->sspi_optional) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"SSPI: Optional auth exercised phase 3");
ctx.r->user = "******";
ctx.r->ap_auth_type = "Basic";
return OK;
}
return res;
}
} else if (ctx.hdr.authtype == typeBasic) {
res = check_cleartext_auth(&ctx);
/* don't forget to clean up open user password */
SecureZeroMemory(&ctx.hdr, sizeof(ctx.hdr));
if (res) {
return res;
}
}
/* we should stick with per-request auth - per connection can cause
* problems with POSTing and would be difficult to code such that different
* configs were allowed on the same connection (eg. CGI that referred to
* images in another directory. */
if (ctx.crec->sspi_per_request_auth) {
apr_pool_cleanup_kill(r->connection->pool, ctx.scr, cleanup_sspi_connection);
apr_pool_cleanup_register(r->pool, ctx.scr, cleanup_sspi_connection, apr_pool_cleanup_null);
}
}
if (res = set_connection_details(&ctx)) {
return res;
}
/* logging */
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, SSPILOGNO(00009)
"Authenticated user: %s", r->user);
return OK;
}
static int ssl_need_client_cert(SSL *ssl, X509 **cert, EVP_PKEY **pkey)
{
serf_ssl_context_t *ctx = SSL_get_app_data(ssl);
apr_status_t status;
if (ctx->cached_cert) {
*cert = ctx->cached_cert;
*pkey = ctx->cached_cert_pw;
return 1;
}
while (ctx->cert_callback) {
const char *cert_path;
apr_file_t *cert_file;
BIO *bio;
PKCS12 *p12;
int i;
int retrying_success = 0;
if (ctx->cert_file_success) {
status = APR_SUCCESS;
cert_path = ctx->cert_file_success;
ctx->cert_file_success = NULL;
retrying_success = 1;
} else {
status = ctx->cert_callback(ctx->cert_userdata, &cert_path);
}
if (status || !cert_path) {
break;
}
/* Load the x.509 cert file stored in PKCS12 */
status = apr_file_open(&cert_file, cert_path, APR_READ, APR_OS_DEFAULT,
ctx->pool);
if (status) {
continue;
}
bio = BIO_new(&bio_file_method);
bio->ptr = cert_file;
ctx->cert_path = cert_path;
p12 = d2i_PKCS12_bio(bio, NULL);
apr_file_close(cert_file);
i = PKCS12_parse(p12, NULL, pkey, cert, NULL);
if (i == 1) {
PKCS12_free(p12);
ctx->cached_cert = *cert;
ctx->cached_cert_pw = *pkey;
if (!retrying_success && ctx->cert_cache_pool) {
const char *c;
c = apr_pstrdup(ctx->cert_cache_pool, ctx->cert_path);
apr_pool_userdata_setn(c, "serf:ssl:cert",
apr_pool_cleanup_null,
ctx->cert_cache_pool);
}
return 1;
}
else {
int err = ERR_get_error();
ERR_clear_error();
if (ERR_GET_LIB(err) == ERR_LIB_PKCS12 &&
ERR_GET_REASON(err) == PKCS12_R_MAC_VERIFY_FAILURE) {
if (ctx->cert_pw_callback) {
const char *password;
if (ctx->cert_pw_success) {
status = APR_SUCCESS;
password = ctx->cert_pw_success;
ctx->cert_pw_success = NULL;
} else {
status = ctx->cert_pw_callback(ctx->cert_pw_userdata,
ctx->cert_path,
&password);
}
if (!status && password) {
i = PKCS12_parse(p12, password, pkey, cert, NULL);
if (i == 1) {
PKCS12_free(p12);
ctx->cached_cert = *cert;
ctx->cached_cert_pw = *pkey;
if (!retrying_success && ctx->cert_cache_pool) {
const char *c;
c = apr_pstrdup(ctx->cert_cache_pool,
ctx->cert_path);
apr_pool_userdata_setn(c, "serf:ssl:cert",
apr_pool_cleanup_null,
ctx->cert_cache_pool);
}
if (!retrying_success && ctx->cert_pw_cache_pool) {
const char *c;
c = apr_pstrdup(ctx->cert_pw_cache_pool,
password);
apr_pool_userdata_setn(c, "serf:ssl:certpw",
apr_pool_cleanup_null,
ctx->cert_pw_cache_pool);
}
return 1;
}
}
}
PKCS12_free(p12);
return 0;
}
else {
printf("OpenSSL cert error: %d %d %d\n", ERR_GET_LIB(err),
ERR_GET_FUNC(err),
ERR_GET_REASON(err));
PKCS12_free(p12);
}
}
}
return 0;
}
