void mag_attempt_session(request_rec *req,
struct mag_config *cfg, struct mag_conn *mc)
{
session_rec *sess = NULL;
char *sessval = NULL;
struct databuf plainbuf = { 0 };
struct databuf cipherbuf = { 0 };
struct databuf ctxbuf = { 0 };
apr_status_t rc;
/* we save the session only if the authentication is established */
if (!mc->established) return;
rc = mag_session_load(req, &sess);
if (rc != OK || sess == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req,
"Sessions not available, can't send cookies!");
return;
}
if (!cfg->mag_skey) {
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req,
"Session key not available, generating new one.");
rc = SEAL_KEY_CREATE(cfg->pool, &cfg->mag_skey, NULL);
if (rc != OK) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
"Failed to create sealing key!");
return;
}
}
sessval = apr_psprintf(req->pool, "%ld:%s:%s",
(long)mc->expiration, mc->user_name, mc->gss_name);
if (!sessval) return;
plainbuf.length = strlen(sessval) + 1;
plainbuf.value = (unsigned char *)sessval;
rc = SEAL_BUFFER(req->pool, cfg->mag_skey, &plainbuf, &cipherbuf);
if (rc != OK) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
"Failed to seal session data!");
return;
}
ctxbuf.length = apr_base64_encode_len(cipherbuf.length);
ctxbuf.value = apr_pcalloc(req->pool, ctxbuf.length);
if (!ctxbuf.value) return;
ctxbuf.length = apr_base64_encode((char *)ctxbuf.value,
(char *)cipherbuf.value,
cipherbuf.length);
rc = mag_session_set(req, sess, MAG_BEARER_KEY, (char *)ctxbuf.value);
if (rc != OK) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
"Failed to set session data!");
return;
}
}
void mag_check_session(request_rec *req,
struct mag_config *cfg, struct mag_conn **conn)
{
struct mag_conn *mc;
apr_status_t rc;
session_rec *sess = NULL;
const char *sessval = NULL;
int declen;
struct databuf ctxbuf = { 0 };
struct databuf cipherbuf = { 0 };
char *next, *last;
time_t expiration;
rc = mag_session_load(req, &sess);
if (rc != OK || sess == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, req,
"Sessions not available, no cookies!");
return;
}
mc = *conn;
if (!mc) {
mc = apr_pcalloc(req->pool, sizeof(struct mag_conn));
if (!mc) return;
mc->parent = req->pool;
*conn = mc;
}
rc = mag_session_get(req, sess, MAG_BEARER_KEY, &sessval);
if (rc != OK) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
"Failed to get session data!");
return;
}
if (!sessval) {
/* no session established, just return */
return;
}
if (!cfg->mag_skey) {
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req,
"Session key not available, no cookies!");
/* we do not have a key, just return */
return;
}
/* decode it */
declen = apr_base64_decode_len(sessval);
cipherbuf.value = apr_palloc(req->pool, declen);
if (!cipherbuf.value) return;
cipherbuf.length = (int)apr_base64_decode((char *)cipherbuf.value, sessval);
rc = UNSEAL_BUFFER(req->pool, cfg->mag_skey, &cipherbuf, &ctxbuf);
if (rc != OK) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
"Failed to unseal session data!");
return;
}
/* get time */
next = apr_strtok((char *)ctxbuf.value, ":", &last);
expiration = (time_t)apr_atoi64(next);
if (expiration < time(NULL)) {
/* credentials fully expired, return nothing */
return;
}
/* user name is next */
next = apr_strtok(NULL, ":", &last);
mc->user_name = apr_pstrdup(mc->parent, next);
if (!mc->user_name) return;
/* gssapi name (often a principal) is last.
* (because it may contain the separator as a valid char we
* just read last as is, without further tokenizing */
mc->gss_name = apr_pstrdup(mc->parent, last);
if (!mc->gss_name) return;
/* OK we have a valid token */
mc->established = true;
}
void mag_check_session(struct mag_req_cfg *cfg, struct mag_conn **conn)
{
request_rec *req = cfg->req;
struct mag_conn *mc;
apr_status_t rc;
session_rec *sess = NULL;
const char *sessval = NULL;
int declen;
struct databuf ctxbuf = { 0 };
struct databuf cipherbuf = { 0 };
GSSSessionData_t *gsessdata;
time_t expiration;
rc = mag_session_load(req, &sess);
if (rc != OK || sess == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, req,
"Sessions not available, no cookies!");
return;
}
mc = *conn;
if (!mc) {
*conn = mc = mag_new_conn_ctx(req->pool);
mc->is_preserved = true;
}
rc = mag_session_get(req, sess, MAG_BEARER_KEY, &sessval);
if (rc != OK) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
"Failed to get session data!");
return;
}
if (!sessval) {
/* no session established, just return */
return;
}
if (!cfg->mag_skey) {
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req,
"Session key not available, no cookies!");
/* we do not have a key, just return */
return;
}
/* decode it */
declen = apr_base64_decode_len(sessval);
cipherbuf.value = apr_palloc(req->pool, declen);
if (!cipherbuf.value) return;
cipherbuf.length = (int)apr_base64_decode((char *)cipherbuf.value, sessval);
rc = UNSEAL_BUFFER(req->pool, cfg->mag_skey, &cipherbuf, &ctxbuf);
if (rc != OK) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
"Failed to unseal session data!");
return;
}
gsessdata = decode_GSSSessionData(ctxbuf.value, ctxbuf.length);
if (!gsessdata) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
"Failed to unpack session data!");
return;
}
/* booleans */
if (gsessdata->established != 0) mc->established = true;
if (gsessdata->delegated != 0) mc->delegated = true;
/* get time */
expiration = gsessdata->expiration;
if (expiration < time(NULL)) {
/* credentials fully expired, return nothing */
mc->established = false;
goto done;
}
/* user name */
mc->user_name = apr_pstrndup(mc->pool,
(char *)gsessdata->username.buf,
gsessdata->username.size);
if (!mc->user_name) goto done;
/* gssapi name */
mc->gss_name = apr_pstrndup(mc->pool,
(char *)gsessdata->gssname.buf,
gsessdata->gssname.size);
if (!mc->gss_name) goto done;
mc->basic_hash.length = gsessdata->basichash.size;
mc->basic_hash.value = apr_palloc(mc->pool, mc->basic_hash.length);
memcpy(mc->basic_hash.value,
gsessdata->basichash.buf, gsessdata->basichash.size);
/* ccname */
mc->ccname = apr_pstrndup(mc->pool,
(char *)gsessdata->ccname.buf,
gsessdata->ccname.size);
if (!mc->ccname) goto done;
/* OK we have a valid token */
mc->established = true;
done:
ASN_STRUCT_FREE(asn_DEF_GSSSessionData, gsessdata);
}
void mag_attempt_session(struct mag_req_cfg *cfg, struct mag_conn *mc)
{
request_rec *req = cfg->req;
session_rec *sess = NULL;
struct databuf plainbuf = { 0 };
struct databuf cipherbuf = { 0 };
struct databuf ctxbuf = { 0 };
GSSSessionData_t gsessdata = { 0 };
apr_status_t rc;
bool ret;
/* we save the session only if the authentication is established */
if (!mc->established) return;
rc = mag_session_load(req, &sess);
if (rc != OK || sess == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req,
"Sessions not available, can't send cookies!");
return;
}
if (!cfg->mag_skey) {
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req,
"Session key not available, aborting.");
return;
}
gsessdata.established = mc->established?1:0;
gsessdata.delegated = mc->delegated?1:0;
if (sess->expiry != 0) {
mc->expiration = mc->expiration < apr_time_sec(sess->expiry) ?
mc->expiration : apr_time_sec(sess->expiry);
}
gsessdata.expiration = mc->expiration;
if (OCTET_STRING_fromString(&gsessdata.username, mc->user_name) != 0)
goto done;
if (OCTET_STRING_fromString(&gsessdata.gssname, mc->gss_name) != 0)
goto done;
if (OCTET_STRING_fromBuf(&gsessdata.basichash,
(const char *)mc->basic_hash.value,
mc->basic_hash.length) != 0)
goto done;
/* NULL ccname here just means default ccache */
if (mc->ccname &&
OCTET_STRING_fromString(&gsessdata.ccname, mc->ccname) != 0) {
goto done;
}
ret = encode_GSSSessionData(req->pool, &gsessdata,
&plainbuf.value, &plainbuf.length);
if (ret == false) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
"Failed to pack session data!");
goto done;
}
rc = SEAL_BUFFER(req->pool, cfg->mag_skey, &plainbuf, &cipherbuf);
if (rc != OK) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
"Failed to seal session data!");
goto done;
}
ctxbuf.length = apr_base64_encode_len(cipherbuf.length);
ctxbuf.value = apr_pcalloc(req->pool, ctxbuf.length);
if (!ctxbuf.value) goto done;
ctxbuf.length = apr_base64_encode((char *)ctxbuf.value,
(char *)cipherbuf.value,
cipherbuf.length);
rc = mag_session_set(req, sess, MAG_BEARER_KEY, (char *)ctxbuf.value);
if (rc != OK) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
"Failed to set session data!");
}
done:
ASN_STRUCT_FREE_CONTENTS_ONLY(asn_DEF_GSSSessionData, &gsessdata);
}
