[pubcookie-dev] CVS update: willey;
webiso/pubcookie/src mod_pubcookie.c,1.188,1.189
security_legacy.c,1.55,1.56
willey at washington.edu
willey at washington.edu
Fri Oct 28 14:27:30 PDT 2005
Update of /usr/local/cvsroot/webiso/pubcookie/src
In directory webiso-cvs.cac.washington.edu:/var/tmp/cvs-serv31586
Modified Files:
mod_pubcookie.c security_legacy.c
Log Message:
more specific error messages for missing session cert and keyfiles
Index: webiso/pubcookie/src/mod_pubcookie.c
diff -c webiso/pubcookie/src/mod_pubcookie.c:1.188 webiso/pubcookie/src/mod_pubcookie.c:1.189
*** webiso/pubcookie/src/mod_pubcookie.c:1.188 Thu Oct 27 17:42:29 2005
--- webiso/pubcookie/src/mod_pubcookie.c Fri Oct 28 14:27:28 2005
***************
*** 18,24 ****
/** @file mod_pubcookie.c
* Apache pubcookie module
*
! * $Id: mod_pubcookie.c,v 1.188 2005/10/28 00:42:29 willey Exp $
*/
#define MAX_POST_DATA 10485760
--- 18,24 ----
/** @file mod_pubcookie.c
* Apache pubcookie module
*
! * $Id: mod_pubcookie.c,v 1.189 2005/10/28 21:27:28 willey Exp $
*/
#define MAX_POST_DATA 10485760
***************
*** 517,523 ****
rr->creds,
(cfg->session_reauth < 0) ? 23 : 24,
(unsigned char *) appsrvid (r),
! appid (r), ME(r), 0, scfg->crypt_alg);
}
new_cookie = ap_psprintf (p, "%s=%s; path=%s;%s",
--- 517,523 ----
rr->creds,
(cfg->session_reauth < 0) ? 23 : 24,
(unsigned char *) appsrvid (r),
! appid (r), ME (r), 0, scfg->crypt_alg);
}
new_cookie = ap_psprintf (p, "%s=%s; path=%s;%s",
***************
*** 538,545 ****
the first time since our cred cookie doesn't expire (which is poor
and why we need cookie extensions) */
/* encrypt */
! if (libpbc_mk_priv (p, scfg->sectext, ME(r), 0, rr->cred_transfer,
! rr->cred_transfer_len, &blob, &bloblen, scfg->crypt_alg)) {
ap_log_rerror (PC_LOG_ERR, r,
"credtrans: libpbc_mk_priv() failed");
res = -1;
--- 538,546 ----
the first time since our cred cookie doesn't expire (which is poor
and why we need cookie extensions) */
/* encrypt */
! if (libpbc_mk_priv (p, scfg->sectext, ME (r), 0, rr->cred_transfer,
! rr->cred_transfer_len, &blob, &bloblen,
! scfg->crypt_alg)) {
ap_log_rerror (PC_LOG_ERR, r,
"credtrans: libpbc_mk_priv() failed");
res = -1;
***************
*** 856,864 ****
/* acquire any GET args */
if (r->args) {
/* error out if length of GET args would cause a problem */
! if ( strlen(r->args) > PBC_MAX_GET_ARGS ) {
rr->stop_message =
! ap_psprintf (p, "GET arguments longer than supported. (args length: %d)", strlen(r->args));
stop_the_show (r, scfg, cfg, rr);
return (OK);
}
--- 857,867 ----
/* acquire any GET args */
if (r->args) {
/* error out if length of GET args would cause a problem */
! if (strlen (r->args) > PBC_MAX_GET_ARGS) {
rr->stop_message =
! ap_psprintf (p,
! "GET arguments longer than supported. (args length: %d)",
! strlen (r->args));
stop_the_show (r, scfg, cfg, rr);
return (OK);
}
***************
*** 895,901 ****
if ((pre_sess_tok = get_pre_s_token (r)) == -1) {
/* this is weird since we're already in a handler */
rr->stop_message =
! ap_pstrdup (p, "Couldn't get pre session token. (Already in handler)");
stop_the_show (r, scfg, cfg, rr);
return (OK);
}
--- 898,905 ----
if ((pre_sess_tok = get_pre_s_token (r)) == -1) {
/* this is weird since we're already in a handler */
rr->stop_message =
! ap_pstrdup (p,
! "Couldn't get pre session token. (Already in handler)");
stop_the_show (r, scfg, cfg, rr);
return (OK);
}
***************
*** 906,913 ****
/* is our main way of communicating with it */
/* If we're doing compatibility encryption, send the */
/* compatibility version string. */
! sprintf(vstr,"%-2.2s%c\n", PBC_VERSION,
! scfg->crypt_alg=='d'? '\0':scfg->crypt_alg);
ap_snprintf (g_req_contents, PBC_4K - 1,
"%s=%s&%s=%s&%s=%c&%s=%s&%s=%s&%s=%s&%s=%s&%s=%s&%s=%s&%s=%d&%s=%s&%s=%s&%s=%d&%s=%d&%s=%c",
PBC_GETVAR_APPSRVID,
--- 910,917 ----
/* is our main way of communicating with it */
/* If we're doing compatibility encryption, send the */
/* compatibility version string. */
! sprintf (vstr, "%-2.2s%c\n", PBC_VERSION,
! scfg->crypt_alg == 'd' ? '\0' : scfg->crypt_alg);
ap_snprintf (g_req_contents, PBC_4K - 1,
"%s=%s&%s=%s&%s=%c&%s=%s&%s=%s&%s=%s&%s=%s&%s=%s&%s=%s&%s=%d&%s=%s&%s=%s&%s=%d&%s=%d&%s=%c",
PBC_GETVAR_APPSRVID,
***************
*** 980,1001 ****
/* The GET method requires a pre-session cookie */
if (!scfg->use_post) {
! ap_log_rerror (PC_LOG_DEBUG, r, "making a pre-session ckookie");
! pre_s = (char *) libpbc_get_cookie (p,
! scfg->sectext,
! (unsigned char *) "presesuser",
! PBC_COOKIE_TYPE_PRE_S,
! PBC_CREDS_NONE,
! pre_sess_tok,
! (unsigned char *) appsrvid (r),
! appid (r), ME(r), 0, scfg->crypt_alg);
!
! pre_s_cookie = ap_psprintf (p,
! "%s=%s; path=%s;%s",
! PBC_PRE_S_COOKIENAME,
! pre_s, "/", secure_cookie);
! ap_table_add (r->headers_out, "Set-Cookie", pre_s_cookie);
}
/* load and send the header */
--- 984,1006 ----
/* The GET method requires a pre-session cookie */
if (!scfg->use_post) {
! ap_log_rerror (PC_LOG_DEBUG, r, "making a pre-session ckookie");
! pre_s = (char *) libpbc_get_cookie (p,
! scfg->sectext,
! (unsigned char *) "presesuser",
! PBC_COOKIE_TYPE_PRE_S,
! PBC_CREDS_NONE,
! pre_sess_tok,
! (unsigned char *) appsrvid (r),
! appid (r), ME (r), 0,
! scfg->crypt_alg);
!
! pre_s_cookie = ap_psprintf (p,
! "%s=%s; path=%s;%s",
! PBC_PRE_S_COOKIENAME,
! pre_s, "/", secure_cookie);
! ap_table_add (r->headers_out, "Set-Cookie", pre_s_cookie);
}
/* load and send the header */
***************
*** 1021,1029 ****
if (((post_data_len = strtol (lenp, NULL, 10)) <= 0) ||
(post_data_len > MAX_POST_DATA) ||
(!(post_data = get_post_data (r, post_data_len)))) {
! rr->stop_message = ap_psprintf (p, "Invalid POST data. (POST data length: %d)", post_data_len);
stop_the_show (r, scfg, cfg, rr);
! return(OK);
}
}
--- 1026,1037 ----
if (((post_data_len = strtol (lenp, NULL, 10)) <= 0) ||
(post_data_len > MAX_POST_DATA) ||
(!(post_data = get_post_data (r, post_data_len)))) {
! rr->stop_message =
! ap_psprintf (p,
! "Invalid POST data. (POST data length: %d)",
! post_data_len);
stop_the_show (r, scfg, cfg, rr);
! return (OK);
}
}
***************
*** 1286,1294 ****
if (!scfg->post_reply_url)
scfg->post_reply_url = "PubCookie.reply";
! if (!scfg->crypt_alg) scfg->crypt_alg = PBC_DEF_CRYPT;
-
} /* end of per-server loop */
#ifdef APACHE2
--- 1294,1303 ----
if (!scfg->post_reply_url)
scfg->post_reply_url = "PubCookie.reply";
! if (!scfg->crypt_alg)
! scfg->crypt_alg = PBC_DEF_CRYPT;
!
} /* end of per-server loop */
#ifdef APACHE2
***************
*** 1359,1365 ****
nscfg->post_reply_url : pscfg->post_reply_url;
scfg->configlist = ap_overlay_tables (p, nscfg->configlist,
pscfg->configlist);
! scfg->crypt_alg = nscfg->crypt_alg ? nscfg->crypt_alg : pscfg->crypt_alg;
return (void *) scfg;
}
--- 1368,1375 ----
nscfg->post_reply_url : pscfg->post_reply_url;
scfg->configlist = ap_overlay_tables (p, nscfg->configlist,
pscfg->configlist);
! scfg->crypt_alg =
! nscfg->crypt_alg ? nscfg->crypt_alg : pscfg->crypt_alg;
return (void *) scfg;
}
***************
*** 1455,1468 ****
module_config,
&pubcookie_module);
! ap_log_rerror (PC_LOG_DEBUG, r, "retrieving a pre-session ckookie");
if ((cookie = get_cookie (r, PBC_PRE_S_COOKIENAME)) == NULL)
ap_log_rerror (PC_LOG_INFO, r,
"get_pre_s_from_cookie: no pre_s cookie, uri: %s\n",
r->uri);
else
cookie_data = libpbc_unbundle_cookie (p, scfg->sectext,
! cookie, ME(r), 0, scfg->crypt_alg);
if (cookie_data == NULL) {
ap_log_rerror (PC_LOG_INFO, r,
--- 1465,1479 ----
module_config,
&pubcookie_module);
! ap_log_rerror (PC_LOG_DEBUG, r, "retrieving a pre-session ckookie");
if ((cookie = get_cookie (r, PBC_PRE_S_COOKIENAME)) == NULL)
ap_log_rerror (PC_LOG_INFO, r,
"get_pre_s_from_cookie: no pre_s cookie, uri: %s\n",
r->uri);
else
cookie_data = libpbc_unbundle_cookie (p, scfg->sectext,
! cookie, ME (r), 0,
! scfg->crypt_alg);
if (cookie_data == NULL) {
ap_log_rerror (PC_LOG_INFO, r,
***************
*** 1597,1603 ****
char *new_cookie = ap_palloc (p, PBC_1K);
int cred_from_trans;
int pre_sess_from_cookie;
! int bogus_g = 0; /* remember if we get a g cookie we can't unbundle */
/* get defaults for unset args */
pubcookie_dir_defaults (cfg);
--- 1608,1614 ----
char *new_cookie = ap_palloc (p, PBC_1K);
int cred_from_trans;
int pre_sess_from_cookie;
! int bogus_g = 0; /* remember if we get a g cookie we can't unbundle */
/* get defaults for unset args */
pubcookie_dir_defaults (cfg);
***************
*** 1664,1676 ****
cookie_data = NULL;
if ((cookie = get_cookie (r, PBC_G_COOKIENAME))
&& strcmp (cookie, "") != 0
! && (scfg->use_post || get_cookie (r, PBC_PRE_S_COOKIENAME)) ) {
cookie_data =
libpbc_unbundle_cookie (p, scfg->sectext, cookie,
! ap_get_server_name (r), 1, scfg->crypt_alg);
if (!cookie_data) {
ap_log_rerror (PC_LOG_INFO, r,
! "can't unbundle G cookie, it's probably not for us; uri: %s\n", r->uri);
bogus_g = 1;
clear_granting_cookie (r);
}
--- 1675,1689 ----
cookie_data = NULL;
if ((cookie = get_cookie (r, PBC_G_COOKIENAME))
&& strcmp (cookie, "") != 0
! && (scfg->use_post || get_cookie (r, PBC_PRE_S_COOKIENAME))) {
cookie_data =
libpbc_unbundle_cookie (p, scfg->sectext, cookie,
! ap_get_server_name (r), 1,
! scfg->crypt_alg);
if (!cookie_data) {
ap_log_rerror (PC_LOG_INFO, r,
! "can't unbundle G cookie, it's probably not for us; uri: %s\n",
! r->uri);
bogus_g = 1;
clear_granting_cookie (r);
}
***************
*** 1694,1700 ****
} else { /* hav S cookie */
cookie_data =
! libpbc_unbundle_cookie (p, scfg->sectext, cookie, NULL, 0, scfg->crypt_alg);
if (!cookie_data) {
ap_log_rerror (PC_LOG_INFO, r,
"can't unbundle S cookie; uri: %s\n",
--- 1707,1714 ----
} else { /* hav S cookie */
cookie_data =
! libpbc_unbundle_cookie (p, scfg->sectext, cookie, NULL, 0,
! scfg->crypt_alg);
if (!cookie_data) {
ap_log_rerror (PC_LOG_INFO, r,
"can't unbundle S cookie; uri: %s\n",
***************
*** 1819,1825 ****
rr->has_granting = 1;
clear_granting_cookie (r);
! if (!scfg->use_post) clear_pre_session_cookie (r);
ap_log_rerror (PC_LOG_DEBUG, r,
"pubcookie_user: has granting; current uri is: %s",
--- 1833,1840 ----
rr->has_granting = 1;
clear_granting_cookie (r);
! if (!scfg->use_post)
! clear_pre_session_cookie (r);
ap_log_rerror (PC_LOG_DEBUG, r,
"pubcookie_user: has granting; current uri is: %s",
***************
*** 1829,1846 ****
if (!scfg->use_post) {
pre_sess_from_cookie = get_pre_s_from_cookie (r);
ap_log_rerror (PC_LOG_DEBUG, r,
! "pubcookie_user: ret from get_pre_s_from_cookie");
! if ((*cookie_data).broken.pre_sess_token != pre_sess_from_cookie) {
ap_log_rerror (PC_LOG_INFO, r,
! "pubcookie_user, pre session tokens mismatched, uri: %s",
! r->uri);
ap_log_rerror (PC_LOG_DEBUG, r,
! "pubcookie_user, pre session from G: %d PRE_S: %d, uri: %s",
! (*cookie_data).broken.pre_sess_token,
! pre_sess_from_cookie, r->uri);
rr->failed = PBC_BAD_AUTH;
rr->stop_message =
! ap_psprintf (p, "Couldn't decode pre-session cookie. (from G: %d from PRE_S: %s)", (*cookie_data).broken.pre_sess_token, pre_sess_from_cookie);
rr->redir_reason_no = PBC_RR_BADPRES_CODE;
return OK;
}
--- 1844,1865 ----
if (!scfg->use_post) {
pre_sess_from_cookie = get_pre_s_from_cookie (r);
ap_log_rerror (PC_LOG_DEBUG, r,
! "pubcookie_user: ret from get_pre_s_from_cookie");
! if ((*cookie_data).broken.pre_sess_token !=
! pre_sess_from_cookie) {
ap_log_rerror (PC_LOG_INFO, r,
! "pubcookie_user, pre session tokens mismatched, uri: %s",
! r->uri);
ap_log_rerror (PC_LOG_DEBUG, r,
! "pubcookie_user, pre session from G: %d PRE_S: %d, uri: %s",
! (*cookie_data).broken.pre_sess_token,
! pre_sess_from_cookie, r->uri);
rr->failed = PBC_BAD_AUTH;
rr->stop_message =
! ap_psprintf (p,
! "Couldn't decode pre-session cookie. (from G: %d from PRE_S: %s)",
! (*cookie_data).broken.pre_sess_token,
! pre_sess_from_cookie);
rr->redir_reason_no = PBC_RR_BADPRES_CODE;
return OK;
}
***************
*** 2004,2010 ****
if (!res && libpbc_rd_priv (p, scfg->sectext, cred_from_trans ?
ap_get_server_name (r) : NULL,
cred_from_trans ? 1 : 0,
! blob, bloblen, &plain, &plainlen, scfg->crypt_alg)) {
ap_log_rerror (PC_LOG_ERR, r,
"credtrans: libpbc_rd_priv() failed");
res = -1;
--- 2023,2030 ----
if (!res && libpbc_rd_priv (p, scfg->sectext, cred_from_trans ?
ap_get_server_name (r) : NULL,
cred_from_trans ? 1 : 0,
! blob, bloblen, &plain, &plainlen,
! scfg->crypt_alg)) {
ap_log_rerror (PC_LOG_ERR, r,
"credtrans: libpbc_rd_priv() failed");
res = -1;
***************
*** 2823,2829 ****
}
static const char *pubcookie_set_crypt (cmd_parms * cmd,
! void *mconfig, const char *v)
{
pubcookie_server_rec *scfg =
(pubcookie_server_rec *) ap_get_module_config (cmd->server->
--- 2843,2849 ----
}
static const char *pubcookie_set_crypt (cmd_parms * cmd,
! void *mconfig, const char *v)
{
pubcookie_server_rec *scfg =
(pubcookie_server_rec *) ap_get_module_config (cmd->server->
Index: webiso/pubcookie/src/security_legacy.c
diff -c webiso/pubcookie/src/security_legacy.c:1.55 webiso/pubcookie/src/security_legacy.c:1.56
*** webiso/pubcookie/src/security_legacy.c:1.55 Wed Oct 12 14:59:48 2005
--- webiso/pubcookie/src/security_legacy.c Fri Oct 28 14:27:28 2005
***************
*** 18,24 ****
/** @file security_legacy.c
* Heritage message protection
*
! * $Id: security_legacy.c,v 1.55 2005/10/12 21:59:48 willey Exp $
*/
--- 18,24 ----
/** @file security_legacy.c
* Heritage message protection
*
! * $Id: security_legacy.c,v 1.56 2005/10/28 21:27:28 willey Exp $
*/
***************
*** 266,278 ****
--- 266,297 ----
keyfile =
mystrdup (p, libpbc_config_getstring (p, "ssl_key_file", NULL));
if (keyfile && access (keyfile, R_OK | F_OK)) {
+ if (access (keyfile, F_OK)) {
+ pbc_log_activity (p, PBC_LOG_ERROR,
+ "security_init: Session keyfile (%s) doesn't exist.",
+ keyfile);
+ } else if (access (keyfile, R_OK)) {
+ pbc_log_activity (p, PBC_LOG_ERROR,
+ "security_init: Permissions prohibit reading session keyfile (%s).",
+ keyfile);
+ }
pbc_free (p, keyfile);
/* not there ? */
keyfile = NULL;
}
+
certfile =
mystrdup (p, libpbc_config_getstring (p, "ssl_cert_file", NULL));
if (certfile && access (certfile, R_OK | F_OK)) {
+ if (access (certfile, F_OK)) {
+ pbc_log_activity (p, PBC_LOG_ERROR,
+ "security_init: Session certfile (%s) doesn't exist.",
+ certfile);
+ } else if (access (certfile, R_OK)) {
+ pbc_log_activity (p, PBC_LOG_ERROR,
+ "security_init: Permissions prohibit reading session certfile (%s).",
+ certfile);
+ }
pbc_free (p, certfile);
/* not there ? */
certfile = NULL;
***************
*** 320,331 ****
#ifndef WIN32
if (!keyfile) {
pbc_log_activity (p, PBC_LOG_ERROR,
! "security_init: couldn't find session keyfile (try setting ssl_key_file?)");
return -1;
}
if (!certfile) {
pbc_log_activity (p, PBC_LOG_ERROR,
! "security_init: couldn't find session certfile (try setting ssl_cert_file?)");
return -1;
}
#endif
--- 339,350 ----
#ifndef WIN32
if (!keyfile) {
pbc_log_activity (p, PBC_LOG_ERROR,
! "security_init: couldn't find session keyfile (try setting ssl_key_file for login server or PubCookieSessionKeyFile for Apache module?)");
return -1;
}
if (!certfile) {
pbc_log_activity (p, PBC_LOG_ERROR,
! "security_init: couldn't find session certfile (try setting ssl_cert_file for login server or PubCookieSessionCertFile for Apache module?)");
return -1;
}
#endif
end of message
More information about the pubcookie-dev
mailing list