Example #1
0
ZEKE_HIDDEN
struct zktool_vxid_pool *zktool_vxid_factory(apr_pool_t *pool)
{
  struct zktool_vxid_pool *vp = NULL;
  apr_status_t st;

  st = apr_pool_userdata_get((void**)&vp,"LIBZEKE:zktool_vxid",pool);
  if(st != APR_SUCCESS || !vp) {
    vp = apr_palloc(pool,VXID_SIZEOF(*vp));
    assert(vp != NULL);
    vp->magic = ZKTOOL_VXID_MAGIC;
    vp->p = pool;
    VXID(vp).base = &vxid_base;
    VXID(vp).chunk = &vxid_chunk;
#ifdef ZEKE_USE_THREADS
    vp->busy = 0;
    vp->waiter = 0;
    assert(apr_thread_mutex_create(&vp->mutex,APR_THREAD_MUTEX_DEFAULT,pool) == APR_SUCCESS);
    assert(apr_thread_cond_create(&vp->cond,pool) == APR_SUCCESS);
#endif
    assert(apr_pool_userdata_setn(vp,"LIBZEKE:zktool_vxid",NULL,pool) == APR_SUCCESS);
  }
  zktool_vxid_get(vp);
  return vp;
}
Example #2
0
int ml_session_load(lua_State* L)
{
  if (ap_session_load)
  {
    apr_status_t status;
    request_rec *r = CHECK_REQUEST_OBJECT(1);
    session_rec *sess = NULL;
    status = apr_pool_userdata_get((void**)&sess, "ml_session", r->pool);
    if (status == APR_SUCCESS)
    {
      if (sess == NULL)
      {
        status = ap_session_load(r, &sess);
        if (status != APR_SUCCESS)
          return ml_push_status(L, status);
        status = apr_pool_userdata_setn(sess, "ml_session", NULL, r->pool);
        if (status != APR_SUCCESS)
          return ml_push_status(L, status);
      }
      lua_pushboolean(L, sess != NULL);
      return 1;
    }
    return ml_push_status(L, status);
  }
  return 0;
}
static const char *mag_name_attrs(cmd_parms *parms, void *mconfig,
                                  const char *w)
{
    struct mag_config *cfg = (struct mag_config *)mconfig;
    void *tmp_na;
    size_t size = 0;
    char *p;
    int c;

    if (!cfg->name_attributes) {
        size = sizeof(struct mag_name_attributes)
                + (sizeof(struct mag_na_map) * 16);
    } else if (cfg->name_attributes->map_count % 16 == 0) {
        size = sizeof(struct mag_name_attributes)
                + (sizeof(struct mag_na_map)
                    * (cfg->name_attributes->map_count + 16));
    }
    if (size) {
        tmp_na = realloc(cfg->name_attributes, size);
        if (!tmp_na) apr_pool_abort_get(cfg->pool)(ENOMEM);

        if (cfg->name_attributes) {
            size_t empty = (sizeof(struct mag_na_map) * 16);
            memset(tmp_na + size - empty, 0, empty);
        } else {
            memset(tmp_na, 0, size);
        }
        cfg->name_attributes = (struct mag_name_attributes *)tmp_na;
        apr_pool_userdata_setn(cfg, GSS_NAME_ATTR_USERDATA,
                               mag_name_attrs_cleanup, cfg->pool);
    }

    p = strchr(w, ' ');
    if (p == NULL) {
        if (strcmp(w, "json") == 0) {
            cfg->name_attributes->output_json = true;
        } else {
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
                         "Invalid Name Attributes value [%s].", w);
        }
        return NULL;
    }

    c = cfg->name_attributes->map_count;
    cfg->name_attributes->map[c].env_name = apr_pstrndup(cfg->pool, w, p-w);
    p++;
    cfg->name_attributes->map[c].attr_name = apr_pstrdup(cfg->pool, p);
    cfg->name_attributes->map_count += 1;

    return NULL;
}
/* similar to authenticate a basic user, here the authentication is done for the user
   who opted for a secure SSPI authentication */
int authenticate_sspi_user(request_rec *r) 
{
	sspi_auth_ctx ctx;
    const char *current_auth;
	int res;

  	/* is SSPI authentication supported? */
	current_auth = ap_auth_type(r);
	if (!current_auth || strcasecmp(current_auth, "SSPI")) {
		return DECLINED;
	}

    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, SSPILOGNO(00001) "Entering authenticate_sspi_user()");

#ifdef _DEBUG
	if (sspiModuleInfo.currentlyDebugging == FALSE) {
		sspiModuleInfo.currentlyDebugging = TRUE;
		DebugBreak();
	}
#endif /* def _DEBUG */

	/* securezeromemory is needed so that the password is no longer present in the memory
	   this is needed otherwise someone else can read the decrypted password */
	SecureZeroMemory(&ctx, sizeof (ctx));

	ctx.r = r;
    ctx.crec = get_sspi_config_rec(r);

	if (!ctx.crec->sspi_on) {

	    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r, SSPILOGNO(00007)
		    "access to %s declined, reason: SSPIAuth is off",
		    r->uri);

		return DECLINED;
	}

	/* checking all the different conditons */
	if (sspiModuleInfo.supportsSSPI == FALSE) {
		if (ctx.crec->sspi_authoritative) {

			ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r, SSPILOGNO(00002)
				"access to %s failed, reason: SSPI support is not available",
				r->uri);

			return HTTP_INTERNAL_SERVER_ERROR;
		} else {

	        ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r, SSPILOGNO(00008)
		        "access to %s declined, reason: SSPIAuth support is not available",
		        r->uri);

			return DECLINED;
		}
	}

	/* checking all the different conditons */
	if (ctx.crec->sspi_package_basic == NULL) {
		ctx.crec->sspi_package_basic = ctx.crec->sspi_packages;

		if (ctx.crec->sspi_package_basic == NULL) {
			ctx.crec->sspi_package_basic = sspiModuleInfo.defaultPackage;
		}
	}

	if (ctx.crec->sspi_packages == NULL) {
		ctx.crec->sspi_packages = ctx.crec->sspi_package_basic;
	}

	apr_pool_userdata_get(&ctx.scr, sspiModuleInfo.userDataKeyString, r->connection->pool);

	if (ctx.scr == NULL) {
		ctx.scr = apr_pcalloc(r->connection->pool, sizeof(sspi_connection_rec));
		apr_pool_userdata_setn(ctx.scr, sspiModuleInfo.userDataKeyString, cleanup_sspi_connection, 
			r->connection->pool);
	}
	else if (ie_post_needs_reauth(&ctx)) {
		// Internet Explorer wants to re authenticate, not POST
		ctx.scr->username = NULL;

		if (ctx.scr->server_context.dwLower ||
				ctx.scr->server_context.dwUpper) {
			sspiModuleInfo.functable->DeleteSecurityContext(&ctx.scr->server_context);
			ctx.scr->server_context.dwLower = 0;
			ctx.scr->server_context.dwUpper = 0;
			
			ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
				"SSPI:	starting IE re authentication");
		}
	}

	if (ctx.scr->username == NULL) {

		if (res = get_sspi_header(&ctx)) {
			if (!ie_post_empty(&ctx) &&
				ctx.crec->sspi_optional) {
				ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
					"SSPI: Optional auth exercised phase 1");
				ctx.r->user = "******";
				ctx.r->ap_auth_type = "Basic";
				return OK;
			}
			return res;
		}

		if ((! ctx.scr->have_credentials) && 
			(res = obtain_credentials(&ctx))) {
			if (!ie_post_empty(&ctx) &&
				ctx.crec->sspi_optional) {
				ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
					"SSPI: Optional auth exercised phase 2");
				ctx.r->user = "******";
				ctx.r->ap_auth_type = "Basic";
				return OK;
			}
			return res;
		}

		if (ctx.hdr.authtype == typeSSPI) {

			if (res = accept_security_context(&ctx)) {
				if (!ie_post_empty(&ctx) &&
					ctx.crec->sspi_optional) {
					ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
						"SSPI: Optional auth exercised phase 3");
					ctx.r->user = "******";
					ctx.r->ap_auth_type = "Basic";
					return OK;
				}
				return res;
			}
		} else if (ctx.hdr.authtype == typeBasic) {
			res = check_cleartext_auth(&ctx);
			/* don't forget to clean up open user password */
			SecureZeroMemory(&ctx.hdr, sizeof(ctx.hdr));
			if (res) {
				return res;
			}
		}

		/* we should stick with per-request auth - per connection can cause 
		* problems with POSTing and would be difficult to code such that different
		* configs were allowed on the same connection (eg. CGI that referred to 
		* images in another directory. */
		if (ctx.crec->sspi_per_request_auth) {
			apr_pool_cleanup_kill(r->connection->pool, ctx.scr, cleanup_sspi_connection);
			apr_pool_cleanup_register(r->pool, ctx.scr, cleanup_sspi_connection, apr_pool_cleanup_null);
		}
	}

	if (res = set_connection_details(&ctx)) {
		return res;
	}
	/* logging */
	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, SSPILOGNO(00009)
		"Authenticated user: %s", r->user);

	return OK;
}
Example #5
0
static int ssl_need_client_cert(SSL *ssl, X509 **cert, EVP_PKEY **pkey)
{
    serf_ssl_context_t *ctx = SSL_get_app_data(ssl);
    apr_status_t status;

    if (ctx->cached_cert) {
        *cert = ctx->cached_cert;
        *pkey = ctx->cached_cert_pw;
        return 1;
    }

    while (ctx->cert_callback) {
        const char *cert_path;
        apr_file_t *cert_file;
        BIO *bio;
        PKCS12 *p12;
        int i;
        int retrying_success = 0;

        if (ctx->cert_file_success) {
            status = APR_SUCCESS;
            cert_path = ctx->cert_file_success;
            ctx->cert_file_success = NULL;
            retrying_success = 1;
        } else {
            status = ctx->cert_callback(ctx->cert_userdata, &cert_path);
        }

        if (status || !cert_path) {
          break;
        }

        /* Load the x.509 cert file stored in PKCS12 */
        status = apr_file_open(&cert_file, cert_path, APR_READ, APR_OS_DEFAULT,
                               ctx->pool);

        if (status) {
            continue;
        }

        bio = BIO_new(&bio_file_method);
        bio->ptr = cert_file;

        ctx->cert_path = cert_path;
        p12 = d2i_PKCS12_bio(bio, NULL);
        apr_file_close(cert_file);

        i = PKCS12_parse(p12, NULL, pkey, cert, NULL);

        if (i == 1) {
            PKCS12_free(p12);
            ctx->cached_cert = *cert;
            ctx->cached_cert_pw = *pkey;
            if (!retrying_success && ctx->cert_cache_pool) {
                const char *c;

                c = apr_pstrdup(ctx->cert_cache_pool, ctx->cert_path);

                apr_pool_userdata_setn(c, "serf:ssl:cert",
                                       apr_pool_cleanup_null,
                                       ctx->cert_cache_pool);
            }
            return 1;
        }
        else {
            int err = ERR_get_error();
            ERR_clear_error();
            if (ERR_GET_LIB(err) == ERR_LIB_PKCS12 &&
                ERR_GET_REASON(err) == PKCS12_R_MAC_VERIFY_FAILURE) {
                if (ctx->cert_pw_callback) {
                    const char *password;

                    if (ctx->cert_pw_success) {
                        status = APR_SUCCESS;
                        password = ctx->cert_pw_success;
                        ctx->cert_pw_success = NULL;
                    } else {
                        status = ctx->cert_pw_callback(ctx->cert_pw_userdata,
                                                       ctx->cert_path,
                                                       &password);
                    }

                    if (!status && password) {
                        i = PKCS12_parse(p12, password, pkey, cert, NULL);
                        if (i == 1) {
                            PKCS12_free(p12);
                            ctx->cached_cert = *cert;
                            ctx->cached_cert_pw = *pkey;
                            if (!retrying_success && ctx->cert_cache_pool) {
                                const char *c;

                                c = apr_pstrdup(ctx->cert_cache_pool,
                                                ctx->cert_path);

                                apr_pool_userdata_setn(c, "serf:ssl:cert",
                                                       apr_pool_cleanup_null,
                                                       ctx->cert_cache_pool);
                            }
                            if (!retrying_success && ctx->cert_pw_cache_pool) {
                                const char *c;

                                c = apr_pstrdup(ctx->cert_pw_cache_pool,
                                                password);

                                apr_pool_userdata_setn(c, "serf:ssl:certpw",
                                                       apr_pool_cleanup_null,
                                                       ctx->cert_pw_cache_pool);
                            }
                            return 1;
                        }
                    }
                }
                PKCS12_free(p12);
                return 0;
            }
            else {
                printf("OpenSSL cert error: %d %d %d\n", ERR_GET_LIB(err),
                       ERR_GET_FUNC(err),
                       ERR_GET_REASON(err));
                PKCS12_free(p12);
            }
        }
    }

    return 0;
}