static int get_days_remaining(ASN1_UTCTIME *tm)
{
apr_time_t then, now = apr_time_now();
apr_time_exp_t exp = {0};
int diff;
/* Fail if the time isn't a valid ASN.1 UTCTIME; RFC3280 mandates
* that the seconds digits are present even though ASN.1
* doesn't. */
if (tm->length < 11 || !ASN1_UTCTIME_check(tm))
return 0;
exp.tm_year = DIGIT2NUM(tm->data);
exp.tm_mon = DIGIT2NUM(tm->data + 2) - 1;
exp.tm_mday = DIGIT2NUM(tm->data + 4) + 1;
exp.tm_hour = DIGIT2NUM(tm->data + 6);
exp.tm_min = DIGIT2NUM(tm->data + 8);
exp.tm_sec = DIGIT2NUM(tm->data + 10);
if (exp.tm_year <= 50)
exp.tm_year += 100;
if (apr_time_exp_gmt_get(&then, &exp) != APR_SUCCESS)
return 0;
diff = (int)((apr_time_sec(then) - apr_time_sec(now)) / (60*60*24));
return diff > 0 ? diff : 0;
}
static apr_status_t call_port_getn(int port, port_event_t list[],
unsigned int max, unsigned int *nget,
apr_interval_time_t timeout)
{
struct timespec tv, *tvptr;
int ret;
apr_status_t rv = APR_SUCCESS;
if (timeout < 0) {
tvptr = NULL;
}
else {
tv.tv_sec = (long) apr_time_sec(timeout);
tv.tv_nsec = (long) apr_time_usec(timeout) * 1000;
tvptr = &tv;
}
list[0].portev_user = (void *)-1; /* so we can double check that an
* event was returned
*/
ret = port_getn(port, list, max, nget, tvptr);
/* Note: 32-bit port_getn() on Solaris 10 x86 returns large negative
* values instead of 0 when returning immediately.
*/
if (ret == -1) {
rv = apr_get_netos_error();
switch(rv) {
case EINTR:
case ETIME:
if (*nget > 0 && list[0].portev_user != (void *)-1) {
/* This confusing API can return an event at the same time
* that it reports EINTR or ETIME. If that occurs, just
* report the event. With EINTR, nget can be > 0 without
* any event, so check that portev_user was filled in.
*
* (Maybe it will be simplified; see thread
* http://mail.opensolaris.org
* /pipermail/networking-discuss/2009-August/011979.html
* This code will still work afterwards.)
*/
rv = APR_SUCCESS;
break;
}
if (rv == ETIME) {
rv = APR_TIMEUP;
}
/* fall-through */
default:
*nget = 0;
}
}
else if (*nget == 0) {
rv = APR_TIMEUP;
}
return rv;
}
cache_t *lru_cache_load(void *arg, inip_file_t *fd, char *grp, data_attr_t *da, int timeout)
{
cache_t *c;
cache_lru_t *cp;
int dt;
if (grp == NULL) grp = "cache-lru";
//** Create the default structure
c = lru_cache_create(arg, da, timeout);
cp = (cache_lru_t *)c->fn.priv;
cache_lock(c);
cp->max_bytes = inip_get_integer(fd, grp, "max_bytes", cp->max_bytes);
cp->dirty_fraction = inip_get_double(fd, grp, "dirty_fraction", cp->dirty_fraction);
cp->dirty_bytes_trigger = cp->dirty_fraction * cp->max_bytes;
c->default_page_size = inip_get_integer(fd, grp, "default_page_size", c->default_page_size);
dt = inip_get_integer(fd, grp, "dirty_max_wait", apr_time_sec(cp->dirty_max_wait));
cp->dirty_max_wait = apr_time_make(dt, 0);
c->max_fetch_fraction = inip_get_double(fd, grp, "max_fetch_fraction", c->max_fetch_fraction);
c->max_fetch_size = c->max_fetch_fraction * cp->max_bytes;
c->write_temp_overflow_fraction = inip_get_double(fd, grp, "write_temp_overflow_fraction", c->write_temp_overflow_fraction);
c->write_temp_overflow_size = c->write_temp_overflow_fraction * cp->max_bytes;
c->n_ppages = inip_get_integer(fd, grp, "ppages", c->n_ppages);
log_printf(0, "COP size=" XOT "\n", c->write_temp_overflow_size);
cache_unlock(c);
return(c);
}
static char * test_jwt_parse(apr_pool_t *pool) {
// from http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20
// 3.1. Example JWT
char *s = apr_pstrdup(pool,
"eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9" \
".eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ" \
".dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk");
apr_jwt_t *jwt = NULL;
TST_ASSERT("apr_jwt_parse", apr_jwt_parse(pool, s, &jwt, NULL, NULL));
TST_ASSERT_STR("header.alg", jwt->header.alg, "HS256");
TST_ASSERT_STR("header.enc", jwt->header.enc, NULL);
TST_ASSERT_STR("header.kid", jwt->header.kid, NULL);
TST_ASSERT_STR("payload.iss", jwt->payload.iss, "joe");
TST_ASSERT_LONG("payload.exp", (long)apr_time_sec(jwt->payload.exp), 1300819380L);
char *str_key = "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow";
char *raw_key = NULL;
int raw_key_len = apr_jwt_base64url_decode(pool, &raw_key, str_key, 1);
TST_ASSERT("apr_jws_verify_hmac", apr_jws_verify_hmac(pool, jwt, raw_key, raw_key_len));
s[5] = '.';
TST_ASSERT("corrupted header (1) apr_jwt_parse", apr_jwt_parse(pool, s, &jwt, NULL, NULL) == FALSE);
s[0] = '\0';
TST_ASSERT("corrupted header (2) apr_jwt_parse", apr_jwt_parse(pool, s, &jwt, NULL, NULL) == FALSE);
return 0;
}
/*
* Create the required structures in the shared memory segment.
* The following stuff goes to the shared memory:
* a) Cookie Name
* b) Cookie Value
* c) First URL (which is later used for redirection)
*
* Note that it is important to save the unparsed URI here, so that URL encoding is preserved.
* If we used the parsed URI here, we'd open up ourselves to a HTTP Response Splitting attack
* through CR/LF injection.
*
* Function "searches" for free space within the shm section, and creates a new shm structure,
* containing all relevant information a mod_but session requires.
*
* Writes SHM offset of newly generated session to shmoffset.
*
* Returns:
* STATUS_OK and SHM offset in shmoffset
* STATUS_ESHM if out of SHM space
* STATUS_EHACKING if hacking is detected
* STATUS_ERROR for all other internal errors
*/
apr_status_t
create_new_shm_session(request_rec *r, char *sid, int *shmoffset)
{
mod_but_server_t *config = ap_get_module_config(r->server->module_config, &but_module);
int i;
for (i = 0; i < MOD_BUT_SESSION_COUNT; i++) {
mod_but_cookie *c = apr_rmm_addr_get(cs_rmm, off[i]);
ERRLOG_INFO("Existing session name [%s] and value [%s]", c->session_name, c->session_value);
if (!apr_strnatcmp(c->session_name, "empty")) {
ERRLOG_INFO("Setting-up new SHM session at offset [%d]", i);
apr_cpystrn(c->session_name, config->cookie_name, sizeof(c->session_name));
apr_cpystrn(c->session_value, sid, sizeof(c->session_value));
/* Store r->unparsed_uri to prevent HTTP Response Splitting attacks */
apr_cpystrn(c->session_firsturl, r->unparsed_uri, sizeof(c->session_firsturl));
c->session_create_time = (int)apr_time_sec(apr_time_now());
c->session_last_access_time = c->session_create_time;
c->link_to_cookiestore=-1;
c->logon_state = 0;
c->auth_strength = 0;
apr_cpystrn(c->service_list, config->service_list_cookie_value, sizeof(c->service_list));
ERRLOG_CRIT("Session original URL is [%s]", c->session_firsturl);
ERRLOG_INFO("Session name [%s] value [%s] ctime [%ds]", c->session_name, c->session_value, c->session_create_time);
*shmoffset = i;
return STATUS_OK;
}
}
ERRLOG_INFO("No empty session slot found; all SHM used up");
return STATUS_ESHM;
}
static apr_status_t setUserInDb(apr_dbm_t *userDbm,
const char *user,
const char *password,
yubiauth_dir_cfg *cfg,
request_rec *r)
{
char *timeAuthenticated = NULL;
char *dbToken = NULL; //This is used to store pw:date
char *userKey = NULL;
apr_datum_t key, value;
apr_status_t rv;
/* Built up some combination of token:time */
timeAuthenticated = apr_psprintf(r->pool, "%" APR_TIME_T_FMT, (apr_time_t) (apr_time_sec(apr_time_now())));
dbToken = apr_pstrcat(r->pool, password, ":", timeAuthenticated, NULL);
/* store OTP:time combo with username as key in DB */
userKey = getDbKey(user, cfg, r);
key = string2datum(userKey, r);
value = string2datum(dbToken, r);
/* Pump user into db, store un, cookie value, creation date,
* let this expire sometime
*/
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r, LOG_PREFIX "Writing key: %s and value: %s to db",
key.dptr, value.dptr);
rv = apr_dbm_store(userDbm, key, value);
if (rv != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, LOG_PREFIX "Error writing to db ... with key: %s and value: %s",
key.dptr, value.dptr);
}
/* Spit back, so we can decide wheather s.th. went wrong or not */
return rv;
}
static char * test_proto_authorization_request(request_rec *r) {
oidc_provider_t provider;
provider.issuer = "https://idp.example.com";
provider.authorization_endpoint_url = "https://idp.example.com/authorize";
provider.scope = "openid";
provider.client_id = "client_id";
provider.response_type = "code";
provider.auth_request_params = NULL;
const char *redirect_uri = "https://www.example.com/protected/";
const char *state = "12345";
json_t * proto_state = json_object();
json_object_set_new(proto_state, "nonce", json_string("anonce"));
json_object_set_new(proto_state, "original_url", json_string("https://localhost/protected/index.php"));
json_object_set_new(proto_state, "original_method", json_string("get"));
json_object_set_new(proto_state, "issuer", json_string(provider.issuer));
json_object_set_new(proto_state, "response_type", json_string(provider.response_type));
json_object_set_new(proto_state, "timestamp", json_integer(apr_time_sec(apr_time_now())));
TST_ASSERT("oidc_proto_authorization_request (1)",
oidc_proto_authorization_request(r, &provider, NULL, redirect_uri, state, proto_state, NULL, NULL) == HTTP_MOVED_TEMPORARILY);
TST_ASSERT_STR("oidc_proto_authorization_request (2)",
apr_table_get(r->headers_out, "Location"),
"https://idp.example.com/authorize?response_type=code&scope=openid&client_id=client_id&state=12345&redirect_uri=https%3A%2F%2Fwww.example.com%2Fprotected%2F&nonce=anonce");
return 0;
}
apr_status_t insert_update_sessionid(mem_t *s, sessionidinfo_t *sessionid)
{
apr_status_t rv;
sessionidinfo_t *ou;
int ident;
sessionid->id = 0;
s->storage->ap_slotmem_lock(s->slotmem);
rv = s->storage->ap_slotmem_do(s->slotmem, insert_update, &sessionid, s->p);
if (sessionid->id != 0 && rv == APR_SUCCESS) {
s->storage->ap_slotmem_unlock(s->slotmem);
return APR_SUCCESS; /* updated */
}
/* we have to insert it */
rv = s->storage->ap_slotmem_alloc(s->slotmem, &ident, (void **) &ou);
if (rv != APR_SUCCESS) {
s->storage->ap_slotmem_unlock(s->slotmem);
return rv;
}
memcpy(ou, sessionid, sizeof(sessionidinfo_t));
ou->id = ident;
s->storage->ap_slotmem_unlock(s->slotmem);
ou->updatetime = apr_time_sec(apr_time_now());
return APR_SUCCESS;
}
void
cleaning_shm_from_expired_session(request_rec *r)
{
mod_but_server_t *config = ap_get_module_config(r->server->module_config, &but_module);
int y;
for (y = 0; y < MOD_BUT_SESSION_COUNT; y++) {
mod_but_cookie *c = apr_rmm_addr_get(cs_rmm, off[y]);
apr_time_t curtime = apr_time_now();
int tnow = (int)apr_time_sec(curtime);
int tcreate = c->session_create_time;
int tlastaccess = c->session_last_access_time;
if (!apr_strnatcmp(c->session_name, config->cookie_name)) {
if ((tnow - tcreate) > config->session_timeout) {
ERRLOG_INFO("(SHM) Cleanup Task A: Delta between tnow and tcreate %d at shmoffset %d", tnow-tcreate, y);
mod_but_delete_session(y, r);
} else {
if ((tnow - tlastaccess) > config->session_inactivity_timeout) {
ERRLOG_INFO("(SHM) Cleanup Task B: Delta between tnow and tlastaccess %d at shmoffset %d", tnow-tlastaccess, y);
mod_but_delete_session(y, r);
}
}
}
}
}
/*
* Provide information for "status" logic
*/
static void advertise_info(request_rec *r)
{
server_rec *s = main_server;
/* Find the VirtualHost (Server) that does the Advertise */
while (s) {
void *sconf = s->module_config;
mod_advertise_config *mconf = ap_get_module_config(sconf, &advertise_module);
ap_rprintf(r, "Server: %s ", s->server_hostname);
if (s->is_virtual && s->addrs) {
server_addr_rec *srec = s->addrs;
ap_rprintf(r, "VirtualHost: %s:%d", srec->virthost, srec->host_port);
}
if (mconf->ma_advertise_server != NULL) {
ap_rprintf(r, " Advertising on Group %s Port %d ", mconf->ma_advertise_adrs, mconf->ma_advertise_port);
ap_rprintf(r, "for %s://%s:%d every %d seconds<br/>",
mconf->ma_advertise_srvm, mconf->ma_advertise_srvs,
mconf-> ma_advertise_srvp,
apr_time_sec(mconf->ma_advertise_freq)
);
} else {
ap_rputs("<br/>", r);
}
s = s->next;
}
}
static void test_exp_lt(CuTest *tc)
{
apr_status_t rv;
apr_time_exp_t xt;
time_t posix_secs = (time_t)apr_time_sec(now);
struct tm *posix_exp = localtime(&posix_secs);
rv = apr_time_exp_lt(&xt, now);
if (rv == APR_ENOTIMPL) {
CuNotImpl(tc, "apr_time_exp_lt");
}
CuAssertTrue(tc, rv == APR_SUCCESS);
#define CHK_FIELD(f) \
CuAssert(tc, "Mismatch in " #f, posix_exp->f == xt.f)
CHK_FIELD(tm_sec);
CHK_FIELD(tm_min);
CHK_FIELD(tm_hour);
CHK_FIELD(tm_mday);
CHK_FIELD(tm_mon);
CHK_FIELD(tm_year);
CHK_FIELD(tm_wday);
CHK_FIELD(tm_yday);
CHK_FIELD(tm_isdst);
#undef CHK_FIELD
}
/*
* save a session to cache/cookie
*/
apr_byte_t oidc_session_save(request_rec *r, oidc_session_t *z,
apr_byte_t first_time) {
oidc_cfg *c = ap_get_module_config(r->server->module_config,
&auth_openidc_module);
apr_byte_t rc = FALSE;
const char *p_tb_id = oidc_util_get_provided_token_binding_id(r);
if (z->state != NULL) {
oidc_session_set(r, z, OIDC_SESSION_REMOTE_USER_KEY, z->remote_user);
json_object_set_new(z->state, OIDC_SESSION_EXPIRY_KEY,
json_integer(apr_time_sec(z->expiry)));
if ((first_time) && (p_tb_id != NULL)) {
oidc_debug(r,
"Provided Token Binding ID environment variable found; adding its value to the session state");
oidc_session_set(r, z, OIDC_SESSION_PROVIDED_TOKEN_BINDING_KEY,
p_tb_id);
}
}
if (c->session_type == OIDC_SESSION_TYPE_SERVER_CACHE)
/* store the session in the cache */
rc = oidc_session_save_cache(r, z, first_time);
/* if we get here we configured client-cookie or saving in the cache failed */
if ((c->session_type == OIDC_SESSION_TYPE_CLIENT_COOKIE)
|| ((rc == FALSE) && oidc_cfg_session_cache_fallback_to_cookie(r)))
/* store the session in a self-contained cookie */
rc = oidc_session_save_cookie(r, z, first_time);
return rc;
}
/* do a HTTP/1.1 age calculation */
CACHE_DECLARE(apr_int64_t) ap_cache_current_age(cache_info *info,
const apr_time_t age_value,
apr_time_t now)
{
apr_time_t apparent_age, corrected_received_age, response_delay,
corrected_initial_age, resident_time, current_age,
age_value_usec;
age_value_usec = apr_time_from_sec(age_value);
/* Perform an HTTP/1.1 age calculation. (RFC2616 13.2.3) */
apparent_age = MAX(0, info->response_time - info->date);
corrected_received_age = MAX(apparent_age, age_value_usec);
response_delay = info->response_time - info->request_time;
corrected_initial_age = corrected_received_age + response_delay;
resident_time = now - info->response_time;
current_age = corrected_initial_age + resident_time;
if (current_age < 0) {
current_age = 0;
}
return apr_time_sec(current_age);
}
static apr_status_t proc_mutex_posix_create(apr_proc_mutex_t *new_mutex,
const char *fname)
{
sem_t *psem;
char semname[31];
apr_time_t now;
unsigned long sec;
unsigned long usec;
new_mutex->interproc = apr_palloc(new_mutex->pool,
sizeof(*new_mutex->interproc));
/*
* This bogusness is to follow what appears to be the
* lowest common denominator in Posix semaphore naming:
* - start with '/'
* - be at most 14 chars
* - be unique and not match anything on the filesystem
*
* Because of this, we ignore fname, and try our
* own naming system. We tuck the name away, since it might
* be useful for debugging. to make this as robust as possible,
* we initially try something larger (and hopefully more unique)
* and gracefully fail down to the LCD above.
*
* NOTE: Darwin (Mac OS X) seems to be the most restrictive
* implementation. Versions previous to Darwin 6.2 had the 14
* char limit, but later rev's allow up to 31 characters.
*
* FIXME: There is a small window of opportunity where
* instead of getting a new semaphore descriptor, we get
* a previously obtained one. This can happen if the requests
* are made at the "same time" and in the small span of time between
* the sem_open and the sem_unlink. Use of O_EXCL does not
* help here however...
*
*/
now = apr_time_now();
sec = apr_time_sec(now);
usec = apr_time_usec(now);
apr_snprintf(semname, sizeof(semname), "/ApR.%lxZ%lx", sec, usec);
psem = sem_open(semname, O_CREAT, 0644, 1);
if ((psem == (sem_t *)SEM_FAILED) && (errno == ENAMETOOLONG)) {
/* Oh well, good try */
semname[13] = '\0';
psem = sem_open(semname, O_CREAT, 0644, 1);
}
if (psem == (sem_t *)SEM_FAILED) {
return errno;
}
/* Ahhh. The joys of Posix sems. Predelete it... */
sem_unlink(semname);
new_mutex->psem_interproc = psem;
new_mutex->fname = apr_pstrdup(new_mutex->pool, semname);
apr_pool_cleanup_register(new_mutex->pool, (void *)new_mutex,
apr_proc_mutex_cleanup,
apr_pool_cleanup_null);
return APR_SUCCESS;
}
/*
* access token expires
*/
void oidc_session_set_access_token_expires(request_rec *r, oidc_session_t *z,
const int expires_in) {
if (expires_in != -1) {
oidc_session_set(r, z, OIDC_SESSION_KEY_ACCESSTOKEN_EXPIRES,
apr_psprintf(r->pool, "%" APR_TIME_T_FMT,
apr_time_sec(apr_time_now()) + expires_in));
}
}
static void fcgi_write_response(mapcache_context_fcgi *ctx, mapcache_http_response *response)
{
if(response->code != 200) {
printf("Status: %ld %s\r\n",response->code, err_msg(response->code));
}
if(response->headers && !apr_is_empty_table(response->headers)) {
const apr_array_header_t *elts = apr_table_elts(response->headers);
int i;
for(i=0; i<elts->nelts; i++) {
apr_table_entry_t entry = APR_ARRAY_IDX(elts,i,apr_table_entry_t);
printf("%s: %s\r\n", entry.key, entry.val);
}
}
if(response->mtime) {
char *datestr;
char *if_modified_since = getenv("HTTP_IF_MODIFIED_SINCE");
datestr = apr_palloc(ctx->ctx.pool, APR_RFC822_DATE_LEN);
apr_rfc822_date(datestr, response->mtime);
printf("Last-Modified: %s\r\n", datestr);
if(if_modified_since) {
apr_time_t ims_time;
apr_int64_t ims,mtime;
mtime = apr_time_sec(response->mtime);
ims_time = apr_date_parse_http(if_modified_since);
ims = apr_time_sec(ims_time);
if(ims >= mtime) {
printf("Status: 304 Not Modified\r\n");
/*
* "The 304 response MUST NOT contain a message-body"
* https://tools.ietf.org/html/rfc2616#section-10.3.5
*/
printf("\r\n");
return;
}
}
}
if(response->data) {
printf("Content-Length: %ld\r\n\r\n", response->data->size);
fwrite((char*)response->data->buf, response->data->size,1,stdout);
}
}
/**
* waits on a condition variable, directly using OS interfaces.
*
* This function does not implement interruptability and thread state
* functionality, thus the caller of this function have to handle it.
*/
int os_cond_timedwait(hycond_t *cond, osmutex_t *mutex, I_64 ms, IDATA nano)
{
int r = 0;
if (!ms && !nano) {
r = pthread_cond_wait(cond, mutex);
} else {
// the main point here is to translate time from ms:nano
// format into sec:nano format (acceptable by pthread)
apr_time_t now = apr_time_now();
// translate 'now' into: seconds + nanos
I_64 Nsec = apr_time_sec(now);
I_64 Nnsec = (apr_time_usec(now) % APR_USEC_PER_SEC) * ((1000*1000*1000) / APR_USEC_PER_SEC);
// translate delay method parameters ('ms' and 'nano') into:
// seconds + nanos (taking care about overflow)
I_64 Dsec = (ms / 1000) + (nano / (1000 * 1000 * 1000));
I_64 Dnsec = (ms % 1000) * (1000 * 1000) + (nano % (1000 * 1000 * 1000));
Dsec = Dsec + (Dnsec / (1000 * 1000 * 1000));
Dnsec = Dnsec % (1000 * 1000 * 1000);
// calculating result sec:nanos values
// (taking care about overflow as well)
I_64 Rsec = Dsec + Nsec + (Dnsec + Nnsec) / (1000 * 1000 * 1000);
I_64 Rnsec = (Dnsec + Nnsec) % (1000 * 1000 * 1000);
// wrap the resulting wake up time (absolute time) into struct
// acceptable by pthread_cond_timedwait()
struct timespec wakeup_time;
// final boundary checks: pthread struct sec is 32 bit
if (Rsec <= 0x7FFFFFFF) {
wakeup_time.tv_sec = Rsec;
} else {
wakeup_time.tv_sec = 0x7FFFFFFF;
}
// final boundary checks: pthread struct nanos is 32 bit as well
if (Rnsec <= 0x7FFFFFFF) {
wakeup_time.tv_nsec = Rnsec;
} else {
wakeup_time.tv_nsec = 0x7FFFFFFF;
}
r = pthread_cond_timedwait(cond, mutex, &wakeup_time);
}
if (r == ETIMEDOUT)
r = TM_ERROR_TIMEOUT;
else if (r == EINTR)
r = TM_ERROR_INTERRUPT;
return r;
}
APR_DECLARE(apr_status_t) apr_file_mtime_set(const char *fname,
apr_time_t mtime,
apr_pool_t *pool)
{
apr_status_t status;
apr_finfo_t finfo;
status = apr_stat(&finfo, fname, APR_FINFO_ATIME, pool);
if (status) {
return status;
}
#ifdef HAVE_UTIMES
{
struct timeval tvp[2];
tvp[0].tv_sec = apr_time_sec(finfo.atime);
tvp[0].tv_usec = apr_time_usec(finfo.atime);
tvp[1].tv_sec = apr_time_sec(mtime);
tvp[1].tv_usec = apr_time_usec(mtime);
if (utimes(fname, tvp) == -1) {
return errno;
}
}
#elif defined(HAVE_UTIME)
{
struct utimbuf buf;
buf.actime = (time_t) (finfo.atime / APR_USEC_PER_SEC);
buf.modtime = (time_t) (mtime / APR_USEC_PER_SEC);
if (utime(fname, &buf) == -1) {
return errno;
}
}
#else
return APR_ENOTIMPL;
#endif
return APR_SUCCESS;
}
static int passwordExpired(const char *user,
apr_time_t lookedUpDate,
apr_time_t timeout,
request_rec *r)
{
if ((apr_time_sec(apr_time_now())) > (lookedUpDate + timeout)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r, LOG_PREFIX "Session expired for user %s", user);
return TRUE;
}
return FALSE;
}
static zend_stat_t*
php_apache_sapi_get_stat(void)
{
php_struct *ctx = SG(server_context);
#ifdef PHP_WIN32
ctx->finfo.st_uid = 0;
ctx->finfo.st_gid = 0;
#else
ctx->finfo.st_uid = ctx->r->finfo.user;
ctx->finfo.st_gid = ctx->r->finfo.group;
#endif
ctx->finfo.st_dev = ctx->r->finfo.device;
ctx->finfo.st_ino = ctx->r->finfo.inode;
#if defined(NETWARE) && defined(CLIB_STAT_PATCH)
ctx->finfo.st_atime.tv_sec = apr_time_sec(ctx->r->finfo.atime);
ctx->finfo.st_mtime.tv_sec = apr_time_sec(ctx->r->finfo.mtime);
ctx->finfo.st_ctime.tv_sec = apr_time_sec(ctx->r->finfo.ctime);
#else
ctx->finfo.st_atime = apr_time_sec(ctx->r->finfo.atime);
ctx->finfo.st_mtime = apr_time_sec(ctx->r->finfo.mtime);
ctx->finfo.st_ctime = apr_time_sec(ctx->r->finfo.ctime);
#endif
ctx->finfo.st_size = ctx->r->finfo.size;
ctx->finfo.st_nlink = ctx->r->finfo.nlink;
return &ctx->finfo;
}
void util_ldap_url_node_display(request_rec *r, util_ald_cache_t *cache, void *n)
{
util_url_node_t *node = n;
char date_str[APR_CTIME_LEN];
const char *type_str;
util_ald_cache_t *cache_node;
int x;
for (x=0;x<3;x++) {
switch (x) {
case 0:
cache_node = node->search_cache;
type_str = "Searches";
break;
case 1:
cache_node = node->compare_cache;
type_str = "Compares";
break;
case 2:
default:
cache_node = node->dn_compare_cache;
type_str = "DN Compares";
break;
}
if (cache_node->marktime) {
apr_ctime(date_str, cache_node->marktime);
}
else
date_str[0] = 0;
ap_rprintf(r,
"<tr valign='top'>"
"<td nowrap>%s (%s)</td>"
"<td nowrap>%ld</td>"
"<td nowrap>%ld</td>"
"<td nowrap>%ld</td>"
"<td nowrap>%" APR_TIME_T_FMT "</td>"
"<td nowrap>%ld</td>"
"<td nowrap>%s</td>"
"</tr>",
node->url,
type_str,
cache_node->size,
cache_node->maxentries,
cache_node->numentries,
apr_time_sec(cache_node->ttl),
cache_node->fullmark,
date_str);
}
}
/**
* Insert(alloc) and update a domain record in the shared table
* @param pointer to the shared table.
* @param domain domain to store in the shared table.
* @return APR_SUCCESS if all went well
*
*/
static apr_status_t insert_update(void* mem, void **data, int id, apr_pool_t *pool)
{
domaininfo_t *in = (domaininfo_t *)*data;
domaininfo_t *ou = (domaininfo_t *)mem;
if (strcmp(in->JVMRoute, ou->JVMRoute) == 0 && strcmp(in->balancer, ou->balancer) == 0) {
memcpy(ou, in, sizeof(domaininfo_t));
ou->id = id;
ou->updatetime = apr_time_sec(apr_time_now());
*data = ou;
return APR_SUCCESS;
}
return APR_NOTFOUND;
}
/**
* Insert(alloc) and update a sessionid record in the shared table
* @param pointer to the shared table.
* @param sessionid sessionid to store in the shared table.
* @return APR_SUCCESS if all went well
*
*/
static apr_status_t insert_update(void* mem, void **data, int id, apr_pool_t *pool)
{
sessionidinfo_t *in = (sessionidinfo_t *)*data;
sessionidinfo_t *ou = (sessionidinfo_t *)mem;
if (strcmp(in->sessionid, ou->sessionid) == 0) {
memcpy(ou, in, sizeof(sessionidinfo_t));
ou->id = id;
ou->updatetime = apr_time_sec(apr_time_now());
*data = ou;
return APR_SUCCESS;
}
return APR_NOTFOUND;
}
static apr_interval_time_t sb_get_uptime()
{
apr_time_t nowtime;
apr_interval_time_t up_time;
if (!ap_extended_status)
return 0;
nowtime = apr_time_now();
up_time = (apr_uint32_t)apr_time_sec(nowtime - ap_scoreboard_image->global->restart_time);
return up_time;
}
/*
* store a name/value pair in Redis
*/
static apr_byte_t oidc_cache_redis_set(request_rec *r, const char *section,
const char *key, const char *value, apr_time_t expiry) {
oidc_debug(r, "enter, section=\"%s\", key=\"%s\"", section, key);
oidc_cfg *cfg = ap_get_module_config(r->server->module_config,
&auth_openidc_module);
oidc_cache_cfg_redis_t *context = (oidc_cache_cfg_redis_t *) cfg->cache_cfg;
redisReply *reply = NULL;
/* grab the global lock */
if (oidc_cache_mutex_lock(r, context->mutex) == FALSE)
return FALSE;
/* see if we should be clearing this entry */
if (value == NULL) {
/* delete it */
reply = oidc_cache_redis_command(r, context, "DEL %s",
oidc_cache_redis_get_key(r->pool, section, key));
if (reply == NULL) {
oidc_cache_mutex_unlock(r, context->mutex);
return FALSE;
}
freeReplyObject(reply);
} else {
/* calculate the timeout from now */
apr_uint32_t timeout = apr_time_sec(expiry - apr_time_now());
/* store it */
reply = oidc_cache_redis_command(r, context, "SETEX %s %d %s",
oidc_cache_redis_get_key(r->pool, section, key), timeout,
value);
if (reply == NULL) {
oidc_cache_mutex_unlock(r, context->mutex);
return FALSE;
}
freeReplyObject(reply);
}
/* release the global lock */
oidc_cache_mutex_unlock(r, context->mutex);
return TRUE;
}
/** Explode time to human readable form. */
log4cxx_status_t explode( apr_time_exp_t * result, log4cxx_time_t input ) const
{
apr_status_t stat;
// APR 1.1 and early mishandles microseconds on dates
// before 1970, APR bug 32520
if (LOG4CXX_UNLIKELY(input < 0 && apr_time_usec(input) < 0)) {
apr_time_t floorTime = (apr_time_sec(input) -1) * APR_USEC_PER_SEC;
stat = apr_time_exp_lt(result, floorTime);
result->tm_usec = (int) (input - floorTime);
} else {
stat = apr_time_exp_lt( result, input );
}
return stat;
}
/*
* check to see if dynamically registered JSON client metadata is valid and has not expired
*/
static apr_byte_t oidc_metadata_client_is_valid(request_rec *r,
json_t *j_client, const char *issuer) {
/* get a handle to the client_id we need to use for this provider */
json_t *j_client_id = json_object_get(j_client, "client_id");
if ((j_client_id == NULL) || (!json_is_string(j_client_id))) {
oidc_error(r,
"client (%s) JSON metadata did not contain a \"client_id\" string",
issuer);
return FALSE;
}
/* get a handle to the client_secret we need to use for this provider */
json_t *j_client_secret = json_object_get(j_client, "client_secret");
if ((j_client_secret == NULL) || (!json_is_string(j_client_secret))) {
oidc_warn(r,
"client (%s) JSON metadata did not contain a \"client_secret\" string",
issuer);
//return FALSE;
}
/* the expiry timestamp from the JSON object */
json_t *expires_at = json_object_get(j_client, "client_secret_expires_at");
if ((expires_at == NULL) || (!json_is_integer(expires_at))) {
oidc_debug(r,
"client (%s) metadata did not contain a \"client_secret_expires_at\" setting",
issuer);
/* assume that it never expires */
return TRUE;
}
/* see if it is unrestricted */
if (json_integer_value(expires_at) == 0) {
oidc_debug(r,
"client (%s) metadata never expires (client_secret_expires_at=0)",
issuer);
return TRUE;
}
/* check if the value >= now */
if (apr_time_sec(apr_time_now()) > json_integer_value(expires_at)) {
oidc_warn(r, "client (%s) secret expired", issuer);
return FALSE;
}
oidc_debug(r, "client (%s) metadata is valid", issuer);
return TRUE;
}
/*
* Get the unix time with timezone corrections
* given in the config struct.
*/
static int get_now(rotate_config_t *config)
{
apr_time_t tNow = apr_time_now();
int utc_offset = config->utc_offset;
if (config->use_localtime) {
/* Check for our UTC offset before using it, since it might
* change if there's a switch between standard and daylight
* savings time.
*/
apr_time_exp_t lt;
apr_time_exp_lt(<, tNow);
utc_offset = lt.tm_gmtoff;
}
return (int)apr_time_sec(tNow) + utc_offset;
}
/*
* if a nonce was passed in the authorization request (and stored in the browser state),
* check that it matches the nonce value in the id_token payload
*/
static apr_byte_t oidc_proto_validate_nonce(request_rec *r, oidc_cfg *cfg,
oidc_provider_t *provider, const char *nonce, apr_jwt_t *jwt) {
/* see if we have this nonce cached already */
const char *replay = NULL;
cfg->cache->get(r, OIDC_CACHE_SECTION_NONCE, nonce, &replay);
if (replay != NULL) {
oidc_error(r,
"the nonce value (%s) passed in the browser state was found in the cache already; possible replay attack!?",
nonce);
return FALSE;
}
/* get the "nonce" value in the id_token payload */
char *j_nonce = NULL;
apr_jwt_get_string(r->pool, &jwt->payload.value, "nonce", &j_nonce);
if (j_nonce == NULL) {
oidc_error(r,
"id_token JSON payload did not contain a \"nonce\" string");
return FALSE;
}
/* see if the nonce in the id_token matches the one that we sent in the authorization request */
if (apr_strnatcmp(nonce, j_nonce) != 0) {
oidc_error(r,
"the nonce value (%s) in the id_token did not match the one stored in the browser session (%s)",
j_nonce, nonce);
return FALSE;
}
/*
* nonce cache duration (replay prevention window) is the 2x the configured
* slack on the timestamp (+-) for token issuance plus 10 seconds for safety
*/
apr_time_t nonce_cache_duration = apr_time_from_sec(
provider->idtoken_iat_slack * 2 + 10);
/* store it in the cache for the calculated duration */
cfg->cache->set(r, OIDC_CACHE_SECTION_NONCE, nonce, nonce,
apr_time_now() + nonce_cache_duration);
oidc_debug(r,
"nonce \"%s\" validated successfully and is now cached for %" APR_TIME_T_FMT " seconds",
nonce, apr_time_sec(nonce_cache_duration));
return TRUE;
}
static ngx_inline ngx_int_t
ngx_http_modsecurity_save_headers_out(ngx_http_request_t *r)
{
ngx_http_modsecurity_ctx_t *ctx;
ngx_http_upstream_t *upstream;
ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity);
/* r->chunked = ctx->req->chunked; */
ngx_http_clean_header(r);
upstream = r->upstream;
r->upstream = &ngx_http_modsecurity_upstream;
/* case SecServerSignature was used, the "Server: ..." header is added
* here, overwriting the default header supplied by nginx.
*/
if (modsecIsServerSignatureAvailale() != NULL) {
apr_table_add(ctx->req->headers_out, "Server",
modsecIsServerSignatureAvailale());
}
if (apr_table_do(ngx_http_modsecurity_save_headers_out_visitor,
r, ctx->req->headers_out, NULL) == 0) {
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"ModSecurity: save headers out error");
return NGX_ERROR;
}
r->upstream = upstream;
r->headers_out.status = ctx->req->status;
r->headers_out.status_line.data = (u_char *)ctx->req->status_line;
r->headers_out.status_line.len = ctx->req->status_line ?
ngx_strlen(ctx->req->status_line) : 0;
r->headers_out.content_length_n = ctx->req->clength;
r->headers_out.last_modified_time = apr_time_sec(ctx->req->mtime);
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"ModSecurity: save headers out done");
return NGX_OK;
}
