Exemplo n.º 1
static void ssl_add_version_components(apr_pool_t *p,
                                       server_rec *s)
    char *modver = ssl_var_lookup(p, s, NULL, NULL, "SSL_VERSION_INTERFACE");
    char *libver = ssl_var_lookup(p, s, NULL, NULL, "SSL_VERSION_LIBRARY");
    char *incver = ssl_var_lookup(p, s, NULL, NULL, 

    ap_add_version_component(p, modver);
    ap_add_version_component(p, libver);

    ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                 "%s compiled against Server: %s, Library: %s",
                 modver, AP_SERVER_BASEVERSION, incver);
Exemplo n.º 2
static char *ssl_expr_eval_word(request_rec *r, ssl_expr *node)
    switch (node->node_op) {
        case op_Digit: {
            char *string = (char *)node->node_arg1;
            return string;
        case op_String: {
            char *string = (char *)node->node_arg1;
            return string;
        case op_Var: {
            char *var = (char *)node->node_arg1;
            char *val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
            return (val == NULL ? "" : val);
        case op_Func: {
            char *name = (char *)node->node_arg1;
            ssl_expr *args = (ssl_expr *)node->node_arg2;
            if (strEQ(name, "file"))
                return ssl_expr_eval_func_file(r, (char *)(args->node_arg1));
            else {
                ssl_expr_error = "Internal evaluation error: Unknown function name";
                return "";
        default: {
            ssl_expr_error = "Internal evaluation error: Unknown expression node";
            return FALSE;
Exemplo n.º 3
static const char *expr_func_fn(ap_expr_eval_ctx_t *ctx, const void *data,
                                const char *arg)
    char *var = (char *)arg;

    return var ? ssl_var_lookup(ctx->p, ctx->s, ctx->c, ctx->r, var) : NULL;
Exemplo n.º 4
static int
tls_authentication_signal(request_rec *r)
	struct srv *srv = ap_srv_config_get(r);
	if (!srv->keymat_label || !srv->keymat_len)
		return 0;

	const char *v = ssl_var_lookup(ssl_lookup_args, "SSL_SESSION_RESUMED");
	return !strcasecmp(v, "Initial");
Exemplo n.º 5
static const char *
export_public_key(request_rec *r)
	char *cert = ssl_var_lookup(ssl_lookup_args, "SSL_SERVER_CERT");
	char *pub = ap_x509_pubkey_from_cert(r->pool, cert, strlen(cert));

	if (!pub)
		return NULL;

	apr_table_t *t = r->subprocess_env;
	apr_table_add(t, "SERVER_PUBLIC_KEY", pub);

	fixups_publickey(pub, strlen(pub));

	return pub;
Exemplo n.º 6
	This function parses the http-response headers from a backend system. 
	We want to find out if the response-header has a
	a) Set-Cookie header which should be stored to the session store
	b) Set-Cookie header which is configured as "free" cookie
	c) Set-Cookie header which has a special meaning to us (Auth=ok)
static apr_status_t mod_but_output_filter(ap_filter_t *f, apr_bucket_brigade *bb_in)
	apr_int64_t i;
	int shmoffsetnew;
	char *pshm_offset_number;

	apr_port_t port = 0;
	char *host = NULL;
	char *all_shm_space_used_url = NULL;
	const char *protocol, *ssl_session_id, *ssl_cipher;

	request_rec *r = f->r;
	mod_but_server_t *config = ap_get_module_config(r->server->module_config, &but_module);

	cookie_res *cr = apr_palloc(r->pool, sizeof(cookie_res));
        cr->r = r;
        cr->cookie = NULL;

	apr_int64_t num_set_cookie;

	port = ap_get_server_port (r);
	if ((port != 80) && (port != 443)) {
	/* because of multiple passes through don't use r->hostname() */
		host = (char *)apr_psprintf(r->pool, "%s:%d", ap_get_server_name (r), port);
	} else {
		host = (char *)apr_psprintf(r->pool, "%s", ap_get_server_name (r));

	protocol = (char *)ssl_var_lookup(r->pool, r->server, r->connection, r, apr_pstrdup(r->pool, "SSL_PROTOCOL") );
    	ap_log_rerror(PC_LOG_INFO, r, "mod_but: CORE: SSL_PROTOCOL [%s]", protocol);

    	ssl_session_id = (char *)ssl_var_lookup(r->pool, r->server, r->connection, r, apr_pstrdup(r->pool, "SSL_SESSION_ID") );
    	ap_log_rerror(PC_LOG_INFO, r, "mod_but: CORE: SSL_SESSION_ID [%s]", ssl_session_id);

    	ssl_cipher = (char *)ssl_var_lookup(r->pool, r->server, r->connection, r, apr_pstrdup(r->pool, "SSL_CIPHER") );
    	ap_log_rerror(PC_LOG_INFO, r, "mod_but: CORE: SSL_CIPHER [%s]", ssl_cipher);

		This checks if the response has a Set-Cookie set. There could be

			a) NO Set-Cookie in response-header
			b) LOGON Set-Cookie in response-header
			c) FREE COOKIE in response-header
			d) Other's Cookies in response-header (belonging into session store)


	ap_log_rerror(PC_LOG_INFO, r, "mod_but: Calling apr_table_do(mod_but_analyze_response_headers)");


		Do Header Parsing for all Response Headers. We are looking for

	apr_table_set(r->notes, "NUM_SET_COOKIE", "0");
	apr_table_do(mod_but_analyze_response_headers, cr, r->headers_out, NULL);

		Unsetting all Set-Cookie Headers from Response (All but MOD_BUT_SESSION)
	apr_table_unset(r->headers_out, "Set-Cookie");
	apr_table_unset(r->err_headers_out, "Set-Cookie");
	ap_log_rerror(PC_LOG_CRIT, r, "mod_but: P1: UNSETTING ALL RESPONSE HEADERS");

		Setting FREE Cookies into the Response Header manually
	num_set_cookie = apr_atoi64(apr_table_get(r->notes, "NUM_SET_COOKIE"));
	for (i = 1; i <= num_set_cookie; i++) {
		ap_log_rerror(PC_LOG_INFO, r, "mod_but: FOR LOOP -- NUM_SET_COOKIE IS [%s]", apr_table_get(r->notes, "NUM_SET_COOKIE"));
		ap_log_rerror(PC_LOG_INFO, r, "mod_but: VALUE IS [%s]", apr_table_get(r->notes, apr_itoa(r->pool, i)));
		apr_table_set(r->headers_out, "Set-Cookie", apr_table_get(r->notes, apr_itoa(r->pool, i)));
		ap_log_rerror(PC_LOG_CRIT, r, "mod_but: P2: SETTING FREE COOKIES INTO THE RESPONSE");

		If apr_table_do detected a LOGON=ok Set-Cookie Header, There will be a r->notes about it. Otherwise
		r->notes is empty.
	if (apr_table_get(r->notes, "LOGON_STATUS") != NULL) {
		ap_log_rerror(PC_LOG_INFO, r, "mod_but: LOGON STATUS = [%s]", apr_table_get(r->notes, "LOGON_STATUS"));
		i = apr_atoi64(apr_table_get(r->notes, "SHMOFFSET"));
		ap_log_rerror(PC_LOG_INFO, r, "mod_but: VOR renew_mod_but_session in mod_but.c");
		shmoffsetnew = renew_mod_but_session(i, r);

		if (shmoffsetnew == -1)
			ap_log_rerror(PC_LOG_INFO, r, "mod_but: Problems with SHM Creation, DECLINED");
			apr_table_unset(r->headers_out, "Set-Cookie");
			apr_table_unset(r->err_headers_out, "Set-Cookie");

			if (apr_strnatcmp(ssl_session_id,"")){
				all_shm_space_used_url = (char *)apr_psprintf(r->pool, "https://%s%s", host, config->all_shm_space_used_url );
			} else {
				all_shm_space_used_url = (char *)apr_psprintf(r->pool, "http://%s%s", host, config->all_shm_space_used_url );
			apr_table_setn(r->err_headers_out, "Location", all_shm_space_used_url);
			ap_log_rerror(PC_LOG_CRIT, r, "mod_but: FINISHED ALL_SHM_SPACE_USED");
			r->content_type = NULL;
			return OK;

		if (shmoffsetnew == -2)
			ap_log_rerror(PC_LOG_INFO, r, "mod_but: Problems with SID Creation, DECLINED");
			ap_log_rerror(PC_LOG_INFO, r, "mod_but: END OF OUTPUT FILTER");
			//return 2400;
			return OK;

		ap_log_rerror(PC_LOG_INFO, r, "mod_but: OUTPUT FILTER: SHMOFFSET BEFORE [%s]", apr_table_get(r->notes, "SHMOFFSET"));

			This is the runtime fix, so that the other stuff will have the correct SHMOFFSET.
			renew_mod_but_session returned the new SHMOFFST we have to put into r->notes
		pshm_offset_number = apr_itoa(r->pool, shmoffsetnew);
		apr_table_set(r->notes, "SHMOFFSET", pshm_offset_number);
		ap_log_rerror(PC_LOG_INFO, r, "mod_but: END OF OUTPUT FILTER");

	if (apr_table_get(r->notes, "CS_SHM") != NULL) {
		ap_log_rerror(PC_LOG_INFO, r, "mod_but: Problems with SHM Cookie Store - ALERT - No space left in SHM Cookiestore to include a processing header");

	ap_log_rerror(PC_LOG_CRIT, r, "mod_but: P3: BEFORE REMOVE OUTPUT FILTER");
        return ap_pass_brigade(f->next, bb_in);
Exemplo n.º 7
static int but_access(request_rec *r)

       // pcre (is session free url)
	   pcre *re = NULL;  					// the regular expression
       const char *error;				// error text for the failed regex compilation
       int error_offset;				// offset of the regex compilation error, if any
       int rc = 0;					// return code of pcre_exec
	   int re_vector[3072];
	   // pcre (session_renew in url)
	   pcre *re6 = NULL;  					// the regular expression
       const char *error6;				// error text for the failed regex compilation
       int error_offset6;				// offset of the regex compilation error, if any
       int rc6 = 0;					// return code of pcre_exec
	   int re_vector6[3072];
	   // firsturl pcre
       pcre *re4 = NULL;  					// the regular expression
       const char *error4;				// error text for the failed regex compilation
       int error_offset4;				// offset of the regex compilation error, if any
       int rc4 = 0;					// return code of pcre_exec
       int re_vector4[3072];

	   //firsturl pcre
       pcre *re5 = NULL;  					// the regular expression
       //const char *error5;				// error text for the failed regex compilation
       //int error_offset5;				// offset of the regex compilation error, if any
       int rc5 = 0;					// return code of pcre_exec
       int re_vector5[3072];

	   // rc = return codes
       static int rc1 = 0;
       apr_status_t rc2 = 0;
       static int rc3 = 0;
	   // shared memory settings
       int shmoffset = 0;
       static apr_rmm_t *cs_rmm = NULL;
       static apr_rmm_off_t *off = NULL;
       cookie_res *cr;
	   // configuration mod_but
       const char *cookie_try;
       char *pshm_offset_number;
       mod_but_cookie *c;
       mod_but_dir_t *dconfig;
       apr_port_t port = 0;
       char *host = NULL;
       char *no_cookie_support_url = NULL;
       char *session_destroy_url = NULL;
       char *all_shm_space_used_url = NULL;
       char *default_url = NULL;
       char *session_expired_url = NULL;
       char *session_inactivity_timeout_url = NULL;
       char *session_firsturl = NULL;
       char *logon_server_url = NULL;
       char *global_logon_server_url = NULL;
       char *global_logon_server_url_1 = NULL;
       char *global_logon_server_url_2 = NULL;
       char *service_list_error_url = NULL;
       char *orig_url_before_logon = NULL;
       char *session_hacking_attempt_url = NULL;

       ap_log_rerror(PC_LOG_CRIT, r, "mod_but: START");
       const char *protocol, *ssl_session_id, *ssl_cipher;

       mod_but_server_t *config = ap_get_module_config(r->server->module_config, &but_module);
       if (config == NULL) {
       		return (int)apr_pstrcat(r->pool, "Illegal server record", NULL, NULL);

	// get per-directory configuration
	dconfig = ap_get_module_config(r->per_dir_config, &but_module);
	if (dconfig == NULL) {
		ap_log_rerror(PC_LOG_INFO, r, "mod_but: Illegal Directory Config");

    if (!config->enabled) {
    	ap_log_rerror(PC_LOG_INFO, r, "mod_but: mod_but_enabled is not activated");
        return DECLINED;

    ap_log_rerror(PC_LOG_INFO, r, "mod_but: ========= START V1.0 =========== mod_but hook is executed by apache core");
    ap_log_rerror(PC_LOG_INFO, r, "mod_but: Request %s", r->uri);

	port = ap_get_server_port (r);
	if ((port != 80) && (port != 443)) {
	/* because of multiple passes through don't use r->hostname() */
		host = (char *)apr_psprintf(r->pool, "%s:%d", ap_get_server_name (r), port);
	} else {
		host = (char *)apr_psprintf(r->pool, "%s", ap_get_server_name (r));

	protocol = (char *)ssl_var_lookup(r->pool, r->server, r->connection, r, apr_pstrdup(r->pool, "SSL_PROTOCOL") );
    	ap_log_rerror(PC_LOG_INFO, r, "mod_but: CORE: SSL_PROTOCOL [%s]", protocol);

    	ssl_session_id = (char *)ssl_var_lookup(r->pool, r->server, r->connection, r, apr_pstrdup(r->pool, "SSL_SESSION_ID") );
    	ap_log_rerror(PC_LOG_INFO, r, "mod_but: CORE: SSL_SESSION_ID [%s]", ssl_session_id);

    	ssl_cipher = (char *)ssl_var_lookup(r->pool, r->server, r->connection, r, apr_pstrdup(r->pool, "SSL_CIPHER") );
    	ap_log_rerror(PC_LOG_INFO, r, "mod_but: CORE: SSL_CIPHER [%s]", ssl_cipher);

    /****************************** PART 1 *******************************************************

    		Check if mod_but session is required for the requesting URI



    	The var session_free_url implements a regexp for all URL's, for which mod_but does not require a valid session
    if(config->session_free_url != NULL){
    	re = pcre_compile(config->session_free_url, 0, &error, &error_offset, NULL);
	ap_log_rerror(PC_LOG_INFO, r, "mod_but: PCRE FREE URL STRING IS NULL");

    if (re == NULL) {
        ap_log_rerror(PC_LOG_INFO, r, "mod_but: return code of pcre_compile is NULL");

    rc = pcre_exec(re, NULL, r->uri, strlen(r->uri), 0, 0, re_vector, 3072);

	// BUT-0: session required (goto BUT-1)
    if (rc < 0 && rc != PCRE_ERROR_NOMATCH) {
        ap_log_rerror(PC_LOG_INFO, r, "mod_but: %s ID is required for this URI = %s", config->cookie_name, r->uri);

    if (rc == 0) {
        ap_log_rerror(PC_LOG_INFO, r, "mod_but: PCRE output vector too small (%d)", 3072/3-1);
        ap_log_rerror(PC_LOG_INFO, r, "mod_but: Problems with the following URI = %s", r->uri);
	return DECLINED;

	// session not required
    if (rc > 0) {
        ap_log_rerror(PC_LOG_INFO, r, "mod_but: CORE: SESSION FREE URL [%s] - [%s]", config->cookie_name, r->uri);


		Renew Session if in URI is defined as RENEW_URI
	if(config->session_renew_url != NULL){
		re6 = pcre_compile(config->session_renew_url, 0, &error6, &error_offset6, NULL);
		ap_log_rerror(PC_LOG_INFO, r, "mod_but: PCRE FREE URL STRING IS NULL");

	if (re6 == NULL) {
		ap_log_rerror(PC_LOG_INFO, r, "mod_but: return code of pcre_compile is NULL");

	rc6 = pcre_exec(re6, NULL, r->uri, strlen(r->uri), 0, 0, re_vector6, 3072);

	if (rc6 < 0 && rc6 != PCRE_ERROR_NOMATCH) {
		// renew url not found
		ap_log_rerror(PC_LOG_INFO, r, "mod_but: Renew URL is not called");

	if (rc6 == 0) {
		ap_log_rerror(PC_LOG_INFO, r, "mod_but: PCRE output vector too small (%d)", 3072/3-1);
		ap_log_rerror(PC_LOG_INFO, r, "mod_but: Problems with the following URI = %s", r->uri);
		return DECLINED;

	if (rc6 > 0) {
		// renew url found!!
		ap_log_rerror(PC_LOG_INFO, r, "mod_but: CORE: RENEW SESSION, because RENEW URL [%s] - [%s]", config->cookie_name, r->uri);
		shmoffset = create_new_mod_but_session(r);
		if (shmoffset == -1)
			ap_log_rerror(PC_LOG_INFO, r, "mod_but: Problems with SHM Creation, DECLINED");
			if (config->all_shm_space_used_url == NULL ){
				ap_log_rerror(PC_LOG_INFO, r, "mod_but: MOD_BUT_ALL_SHM_SPACE_USED_URL not configured in httpd.conf");

			if (apr_strnatcmp(ssl_session_id,"")){
				all_shm_space_used_url = (char *)apr_psprintf(r->pool, "https://%s%s", host, config->all_shm_space_used_url );
			} else {
				all_shm_space_used_url = (char *)apr_psprintf(r->pool, "http://%s%s", host, config->all_shm_space_used_url );
			apr_table_setn(r->err_headers_out, "Location", all_shm_space_used_url);
			ap_log_rerror(PC_LOG_CRIT, r, "mod_but: FINISHED ALL_SHM_SPACE_USED_URL");
			r->content_type = NULL;

		if (shmoffset == -2)
			ap_log_rerror(PC_LOG_INFO, r, "mod_but: Problems with SID Creation, DECLINED");

		if (apr_strnatcmp(ssl_session_id,"")){
			default_url = (char *)apr_psprintf(r->pool, "https://%s/", host);
		} else {
			default_url = (char *)apr_psprintf(r->pool, "http://%s/", host);

		apr_table_setn(r->err_headers_out, "Location", default_url);
		ap_log_rerror(PC_LOG_CRIT, r, "mod_but: FINISHED DEFAULT_URL");
		r->content_type = NULL;

	ap_log_rerror(PC_LOG_CRIT, r, "mod_but: FINISHED RENEW URL");
        return DECLINED;

    /****************************** PART 2 *******************************************************

    		Check of the mod_but session

			a) mod_but session is not sent by client
			b) mod_but session sent is invalid
			c) mod_but session sent is ok

		The code below will only be executed, if the requesting URI requires a mod_but session (status regexp < 0)


		BUT-1 (comming from BUT-0) -> session is required
		Here we will first parse the request headers for
		a) MOD_BUT_SESSION (will be unset, because we don't want to have it in the backend)
		b) FREE COOKIES (will be accepted, if configured in httpd.conf)
		c) OTHER COOKIES (will be unset)

	if (apr_table_get(r->notes, config->cookie_name)) {
		ap_log_rerror(PC_LOG_INFO, r, "mod_but: CORE: GET SESSION FROM r->notes [%s]", apr_table_get(r->notes, config->cookie_name));
	} else {
		ap_log_rerror(PC_LOG_INFO, r, "mod_but: CORE: DO INITIAL HEADER PARSING r->notes [%s]", apr_table_get(r->notes, config->cookie_name));
		cr = apr_palloc(r->pool, sizeof(cookie_res));
		cr->r = r;
		cr->cookie = NULL;
		apr_table_do(mod_but_analyze_request_headers, cr, r->headers_in, NULL);
		ap_log_rerror(PC_LOG_INFO, r, "mod_but: CORE: mod_but_analyze_request_headers finished");

       ap_log_rerror(PC_LOG_INFO, r, "mod_but: SESSION [%s]", apr_table_get(r->notes, config->cookie_name));

       if (apr_table_get(r->notes, config->cookie_name) == NULL) {

       		This is PART 2  a) mod_but session is not sent by client
       		ap_log_rerror(PC_LOG_INFO, r, "mod_but: CORE: CLIENT DID NOT SEND MOD_BUT_SESSION)");
		shmoffset = create_new_mod_but_session(r);
		if (shmoffset == -1)
			ap_log_rerror(PC_LOG_INFO, r, "mod_but: Problems with SHM Creation, DECLINED");
                        if (config->all_shm_space_used_url == NULL ){
                                ap_log_rerror(PC_LOG_INFO, r, "mod_but: MOD_BUT_ALL_SHM_SPACE_USED_URL not configured in httpd.conf");
                                return HTTP_INTERNAL_SERVER_ERROR;

			if (apr_strnatcmp(ssl_session_id,"")){
				all_shm_space_used_url = (char *)apr_psprintf(r->pool, "https://%s%s", host, config->all_shm_space_used_url );
			} else {
				all_shm_space_used_url = (char *)apr_psprintf(r->pool, "http://%s%s", host, config->all_shm_space_used_url );
			apr_table_setn(r->err_headers_out, "Location", all_shm_space_used_url);
			ap_log_rerror(PC_LOG_CRIT, r, "mod_but: FINISHED ALL_SHM_SPACE_USED_URL");
			r->content_type = NULL;

		if (shmoffset == -2)
			ap_log_rerror(PC_LOG_INFO, r, "mod_but: Problems with SID Creation, DECLINED");

		If client did not send a MOD_BUT session

		return code rc1 of analyze_request_arguments_for_cookie_test(r)
			9900: first client request without __cookie_try in query
			9901: second client request with __cookie_try=1 in query
			9902: third client request with __cookie_try=2 in query
			9903: fouth client request with __cookie_try=3 in query, Redirect to error page
			9904: DECLINED


	    rc1 = analyze_request_arguments_for_cookie_test(r);
	    ap_log_rerror(PC_LOG_CRIT, r, "mod_but: RETURN VALUE OF COOKIE_TEST ROUTINE %d", rc1);
	    cookie_try = NULL;

            ap_log_rerror(PC_LOG_INFO, r, "mod_but: rc1 is %d", rc1);


	    if (rc1 == 9900){
                ap_log_rerror(PC_LOG_INFO, r, "mod_but: rc1 = 9900 aufgerufen");
		//TODO BUT: Use absolute URI for redirection

    re5 = pcre_compile("\r\n", 0, &error4, &error_offset4, NULL);

    if (re5 == NULL) {
        ap_log_rerror(PC_LOG_INFO, r, "mod_but: return code of pcre_compile is NULL");

    rc5 = pcre_exec(re5, NULL, r->uri, strlen(r->uri), 0, 0, re_vector5, 3072);

    if (rc5 < 0) {
        ap_log_rerror(PC_LOG_INFO, r, "mod_but: r->uri does not contain CR/LF [%s]", r->uri);
		if (apr_strnatcmp(ssl_session_id,"")){
			cookie_try = (char *)apr_psprintf(r->pool, "https://%s%s?__cookie_try=1", host, r->uri); // uri starts with a "/"
		} else {
			cookie_try = (char *)apr_psprintf(r->pool, "http://%s%s?__cookie_try=1", host, r->uri); // uri starts with a "/"
                apr_table_setn(r->err_headers_out, "Location", cookie_try);
            	r->content_type = NULL;

    if (rc5 < 0 && rc5 != PCRE_ERROR_NOMATCH) {
        ap_log_rerror(PC_LOG_INFO, r, "mod_but: r->uri does not contain CR/LF [%s]", r->uri);

    if (rc5 == 0) {
        ap_log_rerror(PC_LOG_INFO, r, "mod_but: PCRE output vector too small (%d)", 3072/3-1);
        ap_log_rerror(PC_LOG_INFO, r, "mod_but: Problems with pcre CRLF = %s", r->uri);
	return DECLINED;

	if (rc5 > 0) {
		ap_log_rerror(PC_LOG_INFO, r, "mod_but: ATTACK!!!! r->uri contains CR/LF [%s]", r->uri);
		apr_table_setn(r->err_headers_out, "Location", "file:///C:\\<script>alert('Hacking?')</script>");
		r->content_type = NULL;


            if (rc1 == 9901){
                ap_log_rerror(PC_LOG_INFO, r, "mod_but: rc1 = 9901 aufgerufen");
		//TODO BUT: Use absolute URI for redirection

		if (apr_strnatcmp(ssl_session_id,"")){
			cookie_try = (char *)apr_psprintf(r->pool, "https://%s%s?__cookie_try=2", host, r->uri); // uri starts with a "/"
		} else {
			cookie_try = (char *)apr_psprintf(r->pool, "http://%s%s?__cookie_try=2", host, r->uri); // uri starts with a "/"
		//cookie_try = (char *)apr_psprintf(r->pool, "%s?__cookie_try=2", r->uri);
		apr_table_setn(r->err_headers_out, "Location", cookie_try);
		ap_log_rerror(PC_LOG_CRIT, r, "mod_but: FINISHED COOKIE_TRY=2");
                r->content_type = NULL;
                return HTTP_MOVED_TEMPORARILY;

            if (rc1 == 9902){
                ap_log_rerror(PC_LOG_INFO, r, "mod_but: rc1 = 9902 aufgerufen");
		//TODO BUT: Use absolute URI for redirection

		if (apr_strnatcmp(ssl_session_id,"")){
			cookie_try = (char *)apr_psprintf(r->pool, "https://%s%s?__cookie_try=3", host, r->uri); // uri starts with a "/"
		} else {
			cookie_try = (char *)apr_psprintf(r->pool, "http://%s%s?__cookie_try=3", host, r->uri); // uri starts with a "/"
		//cookie_try = (char *)apr_psprintf(r->pool, "%s?__cookie_try=3", r->uri);
		apr_table_setn(r->err_headers_out, "Location", cookie_try);
		ap_log_rerror(PC_LOG_CRIT, r, "mod_but: FINISHED COOKIE_TRY=3");
                r->content_type = NULL;
                return HTTP_MOVED_TEMPORARILY;

            if (rc1 == 9903){

                ap_log_rerror(PC_LOG_INFO, r, "mod_but: rc1 = 9903 aufgerufen");

		if (apr_strnatcmp(ssl_session_id,"")){
			no_cookie_support_url = (char *)apr_psprintf(r->pool, "https://%s%s", host, config->client_refuses_cookies_url );
		} else {
			no_cookie_support_url = (char *)apr_psprintf(r->pool, "http://%s%s", host, config->client_refuses_cookies_url );

                apr_table_setn(r->err_headers_out, "Location", no_cookie_support_url);
		ap_log_rerror(PC_LOG_CRIT, r, "mod_but: FINISHED NO_COOKIE_SUPPORT_URL");
                r->content_type = NULL;
                return HTTP_MOVED_TEMPORARILY;

        // DECLINED
            if (rc1 == 9904){

                ap_log_rerror(PC_LOG_INFO, r, "mod_but: rc1 = 9904 aufgerufen");
                return DECLINED;

		If we are here, the client has sent a mod_but session (valid or invalid)


	    	Check if Client Cookie is valid (and in SHM)


	    int shm_offset_number = validation_of_client_sent_session(r);
	    ap_log_rerror(PC_LOG_INFO, r, "mod_but: Offset Number is %d", shm_offset_number);

		if (shm_offset_number == -5540){
				In this case, the sent session has reached its time out
			ap_log_rerror(PC_LOG_INFO, r, "mod_but: Session timeout reached");
                        if (config->session_expired_url == NULL ){
                                ap_log_rerror(PC_LOG_INFO, r, "mod_but: MOD_BUT_SESSION_TIMEOUT_URL not configured in httpd.conf");
                                return HTTP_INTERNAL_SERVER_ERROR;
			if (apr_strnatcmp(ssl_session_id,"")){
				session_expired_url = (char *)apr_psprintf(r->pool, "https://%s%s", host, config->session_expired_url );
			} else {
				session_expired_url = (char *)apr_psprintf(r->pool, "http://%s%s", host, config->session_expired_url );
			apr_table_setn(r->err_headers_out, "Location", session_expired_url);
			ap_log_rerror(PC_LOG_CRIT, r, "mod_but: FINISHED SESSION_EXPIRED");
			r->content_type = NULL;

		if (shm_offset_number == -5541){
				In this case, the sent session has reached its inactivity timeout
			ap_log_rerror(PC_LOG_INFO, r, "mod_but: Session inactivity timeout reached");
                        if (config->session_inactivity_timeout_url == NULL ){
                                ap_log_rerror(PC_LOG_INFO, r, "mod_but: MOD_BUT_SESSION_INACTIVITY_TIMEOUT_URL not configured in httpd.conf");
                                return HTTP_INTERNAL_SERVER_ERROR;
			if (apr_strnatcmp(ssl_session_id,"")){
				session_inactivity_timeout_url = (char *)apr_psprintf(r->pool, "https://%s%s", host, config->session_inactivity_timeout_url );
			} else {
				session_inactivity_timeout_url = (char *)apr_psprintf(r->pool, "http://%s%s", host, config->session_inactivity_timeout_url );
			apr_table_setn(r->err_headers_out, "Location", session_inactivity_timeout_url);
			r->content_type = NULL;

                if (shm_offset_number == -5542){
                                In this case, the sent session was in the history cache
                        ap_log_rerror(PC_LOG_INFO, r, "mod_but: Session found in history");

                        if (config->session_expired_url == NULL ){
                                ap_log_rerror(PC_LOG_INFO, r, "mod_but: MOD_BUT_SESSION_TIMEOUT_URL not configured in httpd.conf");
                                return HTTP_INTERNAL_SERVER_ERROR;
			if (apr_strnatcmp(ssl_session_id,"")){
				session_expired_url = (char *)apr_psprintf(r->pool, "https://%s%s", host, config->session_expired_url );
			} else {
				session_expired_url = (char *)apr_psprintf(r->pool, "http://%s%s", host, config->session_expired_url);
                        apr_table_setn(r->err_headers_out, "Location", session_expired_url);
			ap_log_rerror(PC_LOG_CRIT, r, "mod_but: FINISHED_SESSION_EXPIRED_URL");
                        r->content_type = NULL;
                        return HTTP_MOVED_TEMPORARILY;

            	if (shm_offset_number == -5543){
                                In this case, the sent session by the client is invalid, guessed, hacked or a shm error on our side
                        ap_log_rerror(PC_LOG_INFO, r, "mod_but: -5543 Invalid Session sent by the client");
                        ap_log_rerror(PC_LOG_INFO, r, "mod_but: config->session_hacking_attempt_url = [%s]", config->session_hacking_attempt_url);
			if (config->session_hacking_attempt_url == NULL ){
				ap_log_rerror(PC_LOG_INFO, r, "mod_but: MOD_BUT_SESSION_HACKING_ATTEMPT_URL not configured in httpd.conf");
			if (apr_strnatcmp(ssl_session_id,"")){
				session_hacking_attempt_url = (char *)apr_psprintf(r->pool, "https://%s%s", host, config->session_hacking_attempt_url );
			} else {
				session_hacking_attempt_url = (char *)apr_psprintf(r->pool, "http://%s%s", host, config->session_hacking_attempt_url);
                        apr_table_setn(r->err_headers_out, "Location", session_hacking_attempt_url);
                        r->content_type = NULL;
                        return HTTP_MOVED_TEMPORARILY;

            	if (shm_offset_number < 0){
                                In this case, something went wrong with the return code
                        ap_log_rerror(PC_LOG_INFO, r, "mod_but: CRITICAL ERROR shm_offset_number < 0 ");
                        if (config->session_hacking_attempt_url == NULL ){
                                ap_log_rerror(PC_LOG_INFO, r, "mod_but: MOD_BUT_SESSION_HACKING_ATTEMPT_URL not configured in httpd.conf");
                                return HTTP_INTERNAL_SERVER_ERROR;
			if (apr_strnatcmp(ssl_session_id,"")){
				session_hacking_attempt_url = (char *)apr_psprintf(r->pool, "https://%s%s", host, config->session_hacking_attempt_url );
			} else {
				session_hacking_attempt_url = (char *)apr_psprintf(r->pool, "http://%s%s", host, config->session_hacking_attempt_url);
                        apr_table_setn(r->err_headers_out, "Location", session_hacking_attempt_url);
                        r->content_type = NULL;
                        return HTTP_MOVED_TEMPORARILY;

			If we are here, the client has sent a valid mod_but session

		ap_log_rerror(PC_LOG_INFO, r, "mod_but: CLIENT SENT VALID MOD_BUT_SESSION");
		ap_log_rerror(PC_LOG_CRIT, r, "mod_but: CLIENT SENT VALID MOD_BUT SESSION");

			We will first check, if the requesting URI asks for the session destroy function
			This implements the "logout" functionality.


		rc2 = analyze_request_uri_for_session_destroy(r);

		if (rc2 == 8800){
			ap_log_rerror(PC_LOG_INFO, r, "mod_but.c: destroy pattern was not in URI = %s", r->uri);
        if (rc2 == 8801){
			ap_log_rerror(PC_LOG_INFO, r, "mod_but.c: Problems with the following URI = %s", r->uri);
		if (rc2 == 8802){
			ap_log_rerror(PC_LOG_INFO, r, "mod_but: SESSION will be destroyed");
			delete_mod_but_session(shm_offset_number, r);

			if (apr_strnatcmp(ssl_session_id,"")){
				session_destroy_url = (char *)apr_psprintf(r->pool, "https://%s%s", host, config->session_destroy_url);
			} else {
				session_destroy_url = (char *)apr_psprintf(r->pool, "http://%s%s", host, config->session_destroy_url);
			apr_table_setn(r->err_headers_out, "Location", session_destroy_url);
			r->content_type = NULL;

			If we are here, the requesting URI does not want to be destroyed and we analyze
			the request for the cookie_tests. If we are still in the cookie test phase, we have to give the client
			the Original URI (from the first request) as redirect
		pshm_offset_number = apr_itoa(r->pool, shm_offset_number);
		if (pshm_offset_number == NULL ){
               		ap_log_rerror(PC_LOG_INFO, r, "mod_but: pshm_offset_number is null!!!");
                        return HTTP_INTERNAL_SERVER_ERROR;
		ap_log_rerror(PC_LOG_INFO, r, "mod_but: WRITE APR: r->notes SHMOFFSET [%s]", pshm_offset_number);
		apr_table_set(r->notes, "SHMOFFSET", pshm_offset_number);

		ap_log_rerror(PC_LOG_INFO, r, "mod_but: VOR analyze_request_arguments_for_cookie_test");
		rc1 = analyze_request_arguments_for_cookie_test(r);
		ap_log_rerror(PC_LOG_INFO, r, "mod_but: NACH analyze_request_arguments_for_cookie_test");
	    	cs_rmm = find_cs_rmm();
		off = find_cs_rmm_off();
		c = apr_rmm_addr_get(cs_rmm, off[shm_offset_number]);

		// cookie is sent by the client, it is a valid session and the requesting URL contains a COOKIE TRY parameter
		if ((rc1 == 9901)||(rc1 == 9902)||(rc1 == 9903)){
            if (c->session_firsturl == NULL ){
			ap_log_rerror(PC_LOG_INFO, r, "mod_but: c->session_firsturl is empty");
                	return HTTP_INTERNAL_SERVER_ERROR;

    ap_log_rerror(PC_LOG_CRIT, r, "mod_but: CLIENT SESSION IS VALID AND COOKIE_TRY IN URL"); 
    re4 = pcre_compile("\r\n", 0, &error4, &error_offset4, NULL);

    if (re4 == NULL) {
        ap_log_rerror(PC_LOG_INFO, r, "mod_but: return code of pcre_compile is NULL");

    rc4 = pcre_exec(re4, NULL, r->uri, strlen(r->uri), 0, 0, re_vector4, 3072);
    ap_log_rerror(PC_LOG_CRIT, r, "mod_but: Rc4 contains %d",rc4); 

    if (rc4 < 0) {
        ap_log_rerror(PC_LOG_CRIT, r, "mod_but: r->uri does not contain CR/LF [%s]", r->uri);

        if (apr_strnatcmp(ssl_session_id,"")){
                session_firsturl = (char *)apr_psprintf(r->pool, "https://%s%s", host, c->session_firsturl);
        } else {
                session_firsturl = (char *)apr_psprintf(r->pool, "http://%s%s", host, c->session_firsturl);
        apr_table_setn(r->err_headers_out, "Location", session_firsturl);
        ap_log_rerror(PC_LOG_CRIT, r, "mod_but: FINISHED_SESSION_FIRSTURL");
        r->content_type = NULL;
	ap_log_rerror(PC_LOG_CRIT, r, "mod_but: AAAAAAAAAAAAAAAA FURSTURL %s", session_firsturl);


    if (rc4 < 0 && rc4 != PCRE_ERROR_NOMATCH) {
        ap_log_rerror(PC_LOG_INFO, r, "mod_but: r->uri does not contain CR/LF [%s]", r->uri);

	if (apr_strnatcmp(ssl_session_id,"")){
		session_firsturl = (char *)apr_psprintf(r->pool, "https://%s%s", host, c->session_firsturl);
	} else {
		session_firsturl = (char *)apr_psprintf(r->pool, "http://%s%s", host, c->session_firsturl);
	apr_table_setn(r->err_headers_out, "Location", session_firsturl);
	ap_log_rerror(PC_LOG_CRIT, r, "mod_but: FINISHED_SESSION_FIRSTURL");
	r->content_type = NULL;
	ap_log_rerror(PC_LOG_CRIT, r, "mod_but: AAAAAAAAAAAAAAAA FURSTURL %s", session_firsturl);

    if (rc4 == 0) {
        ap_log_rerror(PC_LOG_INFO, r, "mod_but: PCRE output vector too small (%d)", 3072/3-1);
        ap_log_rerror(PC_LOG_INFO, r, "mod_but: Problems with pcre CRLF = %s", r->uri);
	ap_log_rerror(PC_LOG_CRIT, r, "mod_but: BBBBBBBBBBBBBBBBBB");
	return DECLINED;

	if (rc4 > 0) {
		ap_log_rerror(PC_LOG_INFO, r, "mod_but: ATTACK!!!! r->uri contains CR/LF [%s]", r->uri);
		apr_cpystrn(c->session_firsturl, "ATTACK", sizeof(c->session_firsturl));
		apr_table_setn(r->err_headers_out, "Location", session_firsturl);
		r->content_type = NULL;
		ap_log_rerror(PC_LOG_CRIT, r, "mod_but: CCCCCCCCCCCCCCCCC");



			Now let's do the authorization stuff, if enabled by config


		if (config->authorization_enabled) {
			ap_log_rerror(PC_LOG_INFO, r, "mod_but: Authorization checks are enabled");
			rc3 = do_authorization(shm_offset_number, r);
				if return code 
				7700: 	client not logged in yet
				7701:	client is properly authenticated
				7702:	authentication is not required for this url	
				7703:	client is properly authenticated, but not authorized
				7704: 	client is properly authenticated, but with too low auth_strength (1)
				7705:   client is properly authenticated, but with too low auth_strength (2)
				7706: 	DECLINED
			if (rc3 == 7700)
					If we are here, the requesting URI requires authentication and the client is not logged in yet.
				ap_log_rerror(PC_LOG_INFO, r, "mod_but: URI requres auth, but user not logged in yet");

				ap_log_rerror(PC_LOG_INFO, r, "mod_but: Client is not logged in");
				ap_log_rerror(PC_LOG_INFO, r, "mod_but: orig_url [%s]", c->orig_url_before_logon);
				apr_cpystrn(c->orig_url_before_logon, r->uri, sizeof(c->orig_url_before_logon));
				ap_log_rerror(PC_LOG_INFO, r, "mod_but: CORE SET ORIG_URL TO %s", c->orig_url_before_logon);
				ap_log_rerror(PC_LOG_INFO, r, "mod_but: Set logon_flag to[%d]", c->logon_flag);

				if (dconfig->logon_server_url){

						If we are here, a Login SERVER is configured for this Location


					ap_log_rerror(PC_LOG_INFO, r, "mod_but: Our Dir Config is [%s]", dconfig->logon_server_url);
                        		if (dconfig->logon_server_url == NULL ){
                                		ap_log_rerror(PC_LOG_INFO, r, "mod_but: dconfig->logon_server_url is empty");
                                		return HTTP_INTERNAL_SERVER_ERROR;
					if (apr_strnatcmp(ssl_session_id,"")){
						logon_server_url = (char *)apr_psprintf(r->pool, "https://%s%s", host, dconfig->logon_server_url);
					} else {
						logon_server_url = (char *)apr_psprintf(r->pool, "http://%s%s", host, dconfig->logon_server_url);
					apr_table_setn(r->err_headers_out, "Location", logon_server_url);
					ap_log_rerror(PC_LOG_CRIT, r, "mod_but: FINISHED LOGON_SERVER_URL");
					r->content_type = NULL;

						If we are here, no LOGIN SERVER is configured for this Location
					ap_log_rerror(PC_LOG_INFO, r, "mod_but: NULL Our Dir Config is [%s]", dconfig->logon_server_url);
                                        if (config->global_logon_server_url == NULL ){
                                                ap_log_rerror(PC_LOG_INFO, r, "mod_but: config->global_logon_server_url is empty");
                                                return HTTP_INTERNAL_SERVER_ERROR;

					if (apr_strnatcmp(ssl_session_id,"")){
						global_logon_server_url = (char *)apr_psprintf(r->pool, "https://%s%s", host, config->global_logon_server_url);
					} else {
						global_logon_server_url = (char *)apr_psprintf(r->pool, "http://%s%s", host, config->global_logon_server_url);
					apr_table_setn(r->err_headers_out, "Location", global_logon_server_url);
					ap_log_rerror(PC_LOG_CRIT, r, "mod_but: FINISHED GLOBAL_LOGON_SERVER_URL");
					r->content_type = NULL;


			if (rc3 == 7701)
					ap_log_rerror(PC_LOG_INFO, r, "mod_but: client is properly authenticated");

			if (rc3 == 7702)
					ap_log_rerror(PC_LOG_INFO, r, "mod_but: authentication is not required for this url");

			if (rc3 == 7703)
				ap_log_rerror(PC_LOG_INFO, r, "mod_but: Client ist properly authenticated, but not allowed to request the url");
				if (apr_strnatcmp(ssl_session_id,"")){
					service_list_error_url = (char *)apr_psprintf(r->pool, "https://%s%s", host, config->service_list_error_url);
				} else {
					service_list_error_url = (char *)apr_psprintf(r->pool, "http://%s%s", host, config->service_list_error_url);
				apr_table_setn(r->err_headers_out, "Location", service_list_error_url);
				ap_log_rerror(PC_LOG_CRIT, r, "mod_but: FINISHED SERVICE_LIST_ERROR_URL");
				r->content_type = NULL;

			if (rc3 == 7704)
				ap_log_rerror(PC_LOG_INFO, r, "mod_but: Client authenticated, but auth_strength is too low");
				if (config->global_logon_server_url_1 == NULL ){
					ap_log_rerror(PC_LOG_INFO, r, "mod_but: config->global_logon_server_url_1 is empty");

				if (apr_strnatcmp(ssl_session_id,"")){
					global_logon_server_url_1 = (char *)apr_psprintf(r->pool, "https://%s%s", host, config->global_logon_server_url_1);
				} else {
					global_logon_server_url_1 = (char *)apr_psprintf(r->pool, "http://%s%s", host, config->global_logon_server_url_1);
				apr_table_setn(r->err_headers_out, "Location", global_logon_server_url_1);
				ap_log_rerror(PC_LOG_CRIT, r, "mod_but: FINISHED GLOBAL_LOGON_SERVER_URL 1");
				r->content_type = NULL;

			if (rc3 == 7705)
				ap_log_rerror(PC_LOG_INFO, r, "mod_but: Client authenticated, but auth_strength is too low");
				if (config->global_logon_server_url_2 == NULL ){
					ap_log_rerror(PC_LOG_INFO, r, "mod_but: config->global_logon_server_url_2 is empty");
					r->content_type = NULL;

				if (apr_strnatcmp(ssl_session_id,"")){
					global_logon_server_url_2 = (char *)apr_psprintf(r->pool, "https://%s%s", host, config->global_logon_server_url_2);
				} else {
					global_logon_server_url_2 = (char *)apr_psprintf(r->pool, "http://%s%s", host, config->global_logon_server_url_2);
				apr_table_setn(r->err_headers_out, "Location", global_logon_server_url_2);
				ap_log_rerror(PC_LOG_CRIT, r, "mod_but: FINISHED GLOBAL_LOGON_SERVER_URL 2");
				r->content_type = NULL;

				if (rc3 == 7706)
					ap_log_rerror(PC_LOG_INFO, r, "mod_but: service_list PCRE output vector too small");
					return DECLINED;

			ap_log_rerror(PC_LOG_INFO, r, "mod_but: Authorization checks are disabled or LOGON is not required");

			If we are here, the client is properly authenticated and we start proceeding
			the request. 

			This is the callback function, if the user was previously successfully authenticated
			and the c->logon_flag = 1. The flag was set to 1 couple of lines above, if uri requires authentication but is not authenticated yet.

			we need to redirect the client to the OrigURL (initial uri, before authentication)
		ap_log_rerror(PC_LOG_INFO, r, "mod_but: LOGON_FLAG [%d]", c->logon_flag);
		ap_log_rerror(PC_LOG_INFO, r, "mod_but: LOGON_STATE [%d]", c->logon_state);
		if (c->logon_flag == 1 && c->logon_state == 1){
			if (c->orig_url_before_logon != NULL){
				ap_log_rerror(PC_LOG_INFO, r, "mod_but: SEND REDIRECT AFTER SUCCESSFUL LOGON");
				ap_log_rerror(PC_LOG_INFO, r, "mod_but: REDIRECT TO OrigURL: [%s]", c->orig_url_before_logon);

				if (apr_strnatcmp(ssl_session_id,"")){
					orig_url_before_logon = (char *)apr_psprintf(r->pool, "https://%s%s", host, c->orig_url_before_logon);
				} else {
					orig_url_before_logon = (char *)apr_psprintf(r->pool, "http://%s%s", host, c->orig_url_before_logon);
				apr_table_setn(r->err_headers_out, "Location", orig_url_before_logon);
				ap_log_rerror(PC_LOG_CRIT, r, "mod_but: FINISHED ORIG_URL BEFORE LOGON");
				r->content_type = NULL;
				ap_log_rerror(PC_LOG_INFO, r, "mod_but: PROBLEM: ORIG_URL is empty");
			ap_log_rerror(PC_LOG_INFO, r, "mod_but: LOGON_FLAG or LOGON_STATE 0");

			If the cookiestore has some "values", we will include them into the request header
			ADD Headers into the backend request
	    	if (c->link_to_cookiestore != -1){
			add_headers_into_request_from_cookiestore(r, c->link_to_cookiestore);

			// now all cookies from the cookiestore are within the r->notes REQUEST_COOKIES
			if (apr_table_get(r->notes, "REQUEST_COOKIES") != NULL) {
				apr_table_set(r->headers_in, "Cookie", apr_table_get(r->notes, "REQUEST_COOKIES"));

			Ok  now we will proceed with the request
		ap_log_rerror(PC_LOG_INFO, r, "mod_but: ========= STOP =========== mod_but hook is executed by apache core");
	    	return OK;
	return OK;
Exemplo n.º 8
static int authenticate_sslcert_user(request_rec *r)
    auth_sslcert_config_rec *conf = ap_get_module_config(r->per_dir_config,
    const char *current_auth;

    /* Are we configured to be SSLCert auth? */
    current_auth = ap_auth_type(r);
    if (!current_auth || strcasecmp(current_auth, "SSLCert") != 0) {
        return DECLINED;

    r->ap_auth_type = "SSLCert";

    if (strcasecmp((char *)ssl_var_lookup(r->pool, r->server, r->connection, r,
		   "SUCCESS") == 0) {
	if (conf->var == NULL) {
	    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
			  "AuthSSLCertVar is not set: \"%s\"", r->uri);
	char *user = (char *)ssl_var_lookup(r->pool, r->server, r->connection, r,
	if (user != NULL && user[0] != '\0') {
	    if (conf->strip_suffix != NULL) {
		int i = strlen(user) - strlen(conf->strip_suffix);
		if (i >= 0 && strcasecmp(user + i, conf->strip_suffix) == 0) {
		    r->user = apr_pstrmemdup(r->pool, user, i);
		    return OK;
		} else if (!conf->strip_suffix_required) {
		    r->user = user;
		    return OK;
		} else {
		    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
				  "SSL username for \"%s\" has wrong suffix: \"%s\"",
				  r->uri, user);
	    } else {
		r->user = user;
		return OK;
	} else {
	    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
			  "no SSL username for \"%s\"", r->uri);
    } else if (conf->authoritative) {
	ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
		      "SSL client not verified for \"%s\"", r->uri);

    /* If we're not authoritative, then any error is ignored. */
    if (!conf->authoritative) {
	return DECLINED;

    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
		  "SSLCert authentication failure for \"%s\"",
Exemplo n.º 9
static int
authenticate_webid_user(request_rec *request) {
    int r = 0;
    authn_webid_config_rec *conf =
        ap_get_module_config(request->per_dir_config, &authn_webid_module);
    if (!conf->authoritative) r = DECLINED;

    /* Check for AuthType WebID */
    const char *current_auth = ap_auth_type(request);
    if (!current_auth || strcasecmp(current_auth, "WebID") != 0) {
        return DECLINED;
    request->ap_auth_type = "WebID";

    /* Check for WebID cached in SSL session */
    const char *subjAltName = NULL;
        void *data = NULL;
        if (apr_pool_userdata_get(&data, UD_WEBID_KEY, request->connection->pool) == APR_SUCCESS && data != NULL) {
            subjAltName = data;
            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, request, "WebID: using cached URI <%s>", subjAltName);
            if (strlen(subjAltName)) {
                request->user = (char *)subjAltName;
                r = OK;
            return r;
#if AP_MODULE_MAGIC_AT_LEAST(20060101,0)
    apr_array_header_t *subjAltName_list = ssl_ext_list(request->pool, request->connection, 1, "");
    subjAltName = ssl_ext_lookup(request->pool, request->connection, 1, "");

    /* Load X509 Public Key + Exponent */
    char *pkey_n = NULL;
    char *pkey_e = NULL;
    unsigned int pkey_e_i = 0;
#if AP_MODULE_MAGIC_AT_LEAST(20060101,0)
    if (subjAltName_list != NULL) {
    if (subjAltName != NULL) {
        char *c_cert = NULL;
        BIO *bio_cert = NULL;
        X509 *x509 = NULL;
        EVP_PKEY *pkey = NULL;
        RSA *rsa = NULL;

        BIO *bio = NULL;
        BUF_MEM *bptr = NULL;

        if (NULL != (c_cert = ssl_var_lookup(request->pool, request->server, request->connection, request, "SSL_CLIENT_CERT"))
            && NULL != (bio_cert = BIO_new_mem_buf(c_cert, strlen(c_cert)))
            && NULL != (x509 = PEM_read_bio_X509(bio_cert, NULL, NULL, NULL))
            && NULL != (pkey = X509_get_pubkey(x509))
            && NULL != (rsa = EVP_PKEY_get1_RSA(pkey))) {

            // public key modulus
            bio = BIO_new(BIO_s_mem());
            BN_print(bio, rsa->n);
            BIO_get_mem_ptr(bio, &bptr);
            pkey_n = apr_pstrndup(request->pool, bptr->data, bptr->length);

            // public key exponent
            bio = BIO_new(BIO_s_mem());
            BN_print(bio, rsa->e);
            BIO_get_mem_ptr(bio, &bptr);
            pkey_e = apr_pstrndup(request->pool, bptr->data, bptr->length);
            pkey_e_i = apr_strtoi64(pkey_e, NULL, 16);
        } else {
            ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, request, "WebID: invalid client SSL certificate");

        if (rsa)
        if (pkey)
        if (x509)
        if (bio_cert)

    if (pkey_n != NULL && pkey_e != NULL) {
#if AP_MODULE_MAGIC_AT_LEAST(20060101,0)
        const char *san;
        char *tok;
        int i;
        for (i = 0; i < subjAltName_list->nelts; i++) {
            san = APR_ARRAY_IDX(subjAltName_list, i, const char*);
            while ((tok = get_list_item(request->pool, &san)) != NULL) {
                if (strncmp(tok, "URI:", 4) == 0) {
                    if (validate_webid(request, tok+4, pkey_n, pkey_e_i) == OK) {
                        subjAltName = tok+4;
                        r = OK;
        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, request, "WebID: subjectAltName = %s", subjAltName);
        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, request, "WebID: client pkey.n  = %s", pkey_n);
        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, request, "WebID: client pkey.e  = %d (%s)", pkey_e_i, pkey_e);
        const char *san = subjAltName;
        char *tok;
        while ((tok = get_list_item(request->pool, &san)) != NULL) {
            if (strncmp(tok, "URI:", 4) == 0) {
                if (validate_webid(request, tok+4, pkey_n, pkey_e_i) == OK) {
                    subjAltName = tok+4;
                    r = OK;

    if (r == OK) {
        ap_log_rerror(APLOG_MARK, APLOG_INFO | APLOG_TOCLIENT, 0, request, "WebID: authentication (%sauthoritative) succeeded for <%s> pubkey: \"%s\", URI: <%s>", conf->authoritative?"":"non-", subjAltName, pkey_n, request->uri);
        request->user = apr_psprintf(request->connection->pool, "%s", subjAltName);
    } else {
        ap_log_rerror(APLOG_MARK, (conf->authoritative?APLOG_WARNING:APLOG_INFO) | APLOG_TOCLIENT, 0, request, "WebID: authentication (%sauthoritative) failed for <%s> pubkey: \"%s\", URI: <%s>", conf->authoritative?"":"non-", subjAltName, pkey_n, request->uri);
        subjAltName = "";
    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, request, "WebID: setting cached URI <%s>", subjAltName);
    apr_pool_userdata_set(apr_pstrdup(request->connection->pool, subjAltName), UD_WEBID_KEY, NULL, request->connection->pool);

    return r;

static void
import_ssl_func() {
    ssl_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
#if AP_MODULE_MAGIC_AT_LEAST(20060101,0)
    ssl_ext_list = APR_RETRIEVE_OPTIONAL_FN(ssl_ext_list);
    ssl_ext_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_ext_lookup);