[pubcookie-dev] CVS update: willey; webiso/pubcookie/src
mod_pubcookie.c,1.188,1.189security_legacy.c,1.55,1.56
Stephen S. Willey
willey at washington.edu
Fri Oct 28 14:30:50 PDT 2005
Hmmm, I'll add that there were 'indent' changes in mod_pubcookie.c
steve
> -----Original Message-----
> From: pubcookie-dev-bounces at mailman1.u.washington.edu
> [mailto:pubcookie-dev-bounces at mailman1.u.washington.edu] On
> Behalf Of willey at washington.edu
> Sent: 28 October, 2005 14:28
> To: pubcookie-dev at u.washington.edu
> Subject: [pubcookie-dev] CVS update:
> willey;webiso/pubcookie/src
> mod_pubcookie.c,1.188,1.189security_legacy.c,1.55,1.56
>
> Update of /usr/local/cvsroot/webiso/pubcookie/src
> In directory webiso-cvs.cac.washington.edu:/var/tmp/cvs-serv31586
>
> Modified Files:
> mod_pubcookie.c security_legacy.c
> Log Message:
> more specific error messages for missing session cert and keyfiles
>
>
>
>
> Index: webiso/pubcookie/src/mod_pubcookie.c
> diff -c webiso/pubcookie/src/mod_pubcookie.c:1.188
> webiso/pubcookie/src/mod_pubcookie.c:1.189
> *** webiso/pubcookie/src/mod_pubcookie.c:1.188 Thu Oct
> 27 17:42:29 2005
> --- webiso/pubcookie/src/mod_pubcookie.c Fri Oct 28 14:27:28 2005
> ***************
> *** 18,24 ****
> /** @file mod_pubcookie.c
> * Apache pubcookie module
> *
> ! * $Id: mod_pubcookie.c,v 1.188 2005/10/28 00:42:29 willey Exp $
> */
>
> #define MAX_POST_DATA 10485760
> --- 18,24 ----
> /** @file mod_pubcookie.c
> * Apache pubcookie module
> *
> ! * $Id: mod_pubcookie.c,v 1.189 2005/10/28 21:27:28 willey Exp $
> */
>
> #define MAX_POST_DATA 10485760
> ***************
> *** 517,523 ****
> rr->creds,
> (cfg->session_reauth <
> 0) ? 23 : 24,
> (unsigned char *) appsrvid (r),
> ! appid (r), ME(r), 0,
> scfg->crypt_alg);
> }
>
> new_cookie = ap_psprintf (p, "%s=%s; path=%s;%s",
> --- 517,523 ----
> rr->creds,
> (cfg->session_reauth <
> 0) ? 23 : 24,
> (unsigned char *) appsrvid (r),
> ! appid (r), ME (r), 0,
> scfg->crypt_alg);
> }
>
> new_cookie = ap_psprintf (p, "%s=%s; path=%s;%s",
> ***************
> *** 538,545 ****
> the first time since our cred cookie doesn't
> expire (which is poor
> and why we need cookie extensions) */
> /* encrypt */
> ! if (libpbc_mk_priv (p, scfg->sectext, ME(r), 0,
> rr->cred_transfer,
> ! rr->cred_transfer_len, &blob,
> &bloblen, scfg->crypt_alg)) {
> ap_log_rerror (PC_LOG_ERR, r,
> "credtrans: libpbc_mk_priv() failed");
> res = -1;
> --- 538,546 ----
> the first time since our cred cookie doesn't
> expire (which is poor
> and why we need cookie extensions) */
> /* encrypt */
> ! if (libpbc_mk_priv (p, scfg->sectext, ME (r), 0,
> rr->cred_transfer,
> ! rr->cred_transfer_len, &blob, &bloblen,
> ! scfg->crypt_alg)) {
> ap_log_rerror (PC_LOG_ERR, r,
> "credtrans: libpbc_mk_priv() failed");
> res = -1;
> ***************
> *** 856,864 ****
> /* acquire any GET args */
> if (r->args) {
> /* error out if length of GET args would cause a problem */
> ! if ( strlen(r->args) > PBC_MAX_GET_ARGS ) {
> rr->stop_message =
> ! ap_psprintf (p, "GET arguments longer than
> supported. (args length: %d)", strlen(r->args));
> stop_the_show (r, scfg, cfg, rr);
> return (OK);
> }
> --- 857,867 ----
> /* acquire any GET args */
> if (r->args) {
> /* error out if length of GET args would cause a problem */
> ! if (strlen (r->args) > PBC_MAX_GET_ARGS) {
> rr->stop_message =
> ! ap_psprintf (p,
> ! "GET arguments longer than
> supported. (args length: %d)",
> ! strlen (r->args));
> stop_the_show (r, scfg, cfg, rr);
> return (OK);
> }
> ***************
> *** 895,901 ****
> if ((pre_sess_tok = get_pre_s_token (r)) == -1) {
> /* this is weird since we're already in a handler */
> rr->stop_message =
> ! ap_pstrdup (p, "Couldn't get pre session token.
> (Already in handler)");
> stop_the_show (r, scfg, cfg, rr);
> return (OK);
> }
> --- 898,905 ----
> if ((pre_sess_tok = get_pre_s_token (r)) == -1) {
> /* this is weird since we're already in a handler */
> rr->stop_message =
> ! ap_pstrdup (p,
> ! "Couldn't get pre session token.
> (Already in handler)");
> stop_the_show (r, scfg, cfg, rr);
> return (OK);
> }
> ***************
> *** 906,913 ****
> /* is our main way of communicating with it */
> /* If we're doing compatibility encryption, send the */
> /* compatibility version string. */
> ! sprintf(vstr,"%-2.2s%c\n", PBC_VERSION,
> ! scfg->crypt_alg=='d'? '\0':scfg->crypt_alg);
> ap_snprintf (g_req_contents, PBC_4K - 1,
>
> "%s=%s&%s=%s&%s=%c&%s=%s&%s=%s&%s=%s&%s=%s&%s=%s&%s=%s&%s=%d&%
> s=%s&%s=%s&%s=%d&%s=%d&%s=%c",
> PBC_GETVAR_APPSRVID,
> --- 910,917 ----
> /* is our main way of communicating with it */
> /* If we're doing compatibility encryption, send the */
> /* compatibility version string. */
> ! sprintf (vstr, "%-2.2s%c\n", PBC_VERSION,
> ! scfg->crypt_alg == 'd' ? '\0' : scfg->crypt_alg);
> ap_snprintf (g_req_contents, PBC_4K - 1,
>
> "%s=%s&%s=%s&%s=%c&%s=%s&%s=%s&%s=%s&%s=%s&%s=%s&%s=%s&%s=%d&%
> s=%s&%s=%s&%s=%d&%s=%d&%s=%c",
> PBC_GETVAR_APPSRVID,
> ***************
> *** 980,1001 ****
> /* The GET method requires a pre-session cookie */
>
> if (!scfg->use_post) {
> ! ap_log_rerror (PC_LOG_DEBUG, r, "making a
> pre-session ckookie");
> ! pre_s = (char *) libpbc_get_cookie (p,
> ! scfg->sectext,
> ! (unsigned char *)
> "presesuser",
> ! PBC_COOKIE_TYPE_PRE_S,
> ! PBC_CREDS_NONE,
> ! pre_sess_tok,
> ! (unsigned char *)
> appsrvid (r),
> ! appid (r), ME(r),
> 0, scfg->crypt_alg);
> !
> ! pre_s_cookie = ap_psprintf (p,
> ! "%s=%s; path=%s;%s",
> ! PBC_PRE_S_COOKIENAME,
> ! pre_s, "/", secure_cookie);
>
> ! ap_table_add (r->headers_out, "Set-Cookie", pre_s_cookie);
> }
>
> /* load and send the header */
> --- 984,1006 ----
> /* The GET method requires a pre-session cookie */
>
> if (!scfg->use_post) {
> ! ap_log_rerror (PC_LOG_DEBUG, r, "making a
> pre-session ckookie");
> ! pre_s = (char *) libpbc_get_cookie (p,
> ! scfg->sectext,
> ! (unsigned char
> *) "presesuser",
> ! PBC_COOKIE_TYPE_PRE_S,
> ! PBC_CREDS_NONE,
> ! pre_sess_tok,
> ! (unsigned char
> *) appsrvid (r),
> ! appid (r), ME (r), 0,
> ! scfg->crypt_alg);
> !
> ! pre_s_cookie = ap_psprintf (p,
> ! "%s=%s; path=%s;%s",
> ! PBC_PRE_S_COOKIENAME,
> ! pre_s, "/", secure_cookie);
>
> ! ap_table_add (r->headers_out, "Set-Cookie", pre_s_cookie);
> }
>
> /* load and send the header */
> ***************
> *** 1021,1029 ****
> if (((post_data_len = strtol (lenp, NULL, 10)) <= 0) ||
> (post_data_len > MAX_POST_DATA) ||
> (!(post_data = get_post_data (r, post_data_len)))) {
> ! rr->stop_message = ap_psprintf (p, "Invalid
> POST data. (POST data length: %d)", post_data_len);
> stop_the_show (r, scfg, cfg, rr);
> ! return(OK);
> }
> }
>
> --- 1026,1037 ----
> if (((post_data_len = strtol (lenp, NULL, 10)) <= 0) ||
> (post_data_len > MAX_POST_DATA) ||
> (!(post_data = get_post_data (r, post_data_len)))) {
> ! rr->stop_message =
> ! ap_psprintf (p,
> ! "Invalid POST data. (POST data
> length: %d)",
> ! post_data_len);
> stop_the_show (r, scfg, cfg, rr);
> ! return (OK);
> }
> }
>
> ***************
> *** 1286,1294 ****
> if (!scfg->post_reply_url)
> scfg->post_reply_url = "PubCookie.reply";
>
> ! if (!scfg->crypt_alg) scfg->crypt_alg = PBC_DEF_CRYPT;
>
> -
> } /* end of per-server loop */
>
> #ifdef APACHE2
> --- 1294,1303 ----
> if (!scfg->post_reply_url)
> scfg->post_reply_url = "PubCookie.reply";
>
> ! if (!scfg->crypt_alg)
> ! scfg->crypt_alg = PBC_DEF_CRYPT;
> !
>
> } /* end of per-server loop */
>
> #ifdef APACHE2
> ***************
> *** 1359,1365 ****
> nscfg->post_reply_url : pscfg->post_reply_url;
> scfg->configlist = ap_overlay_tables (p, nscfg->configlist,
> pscfg->configlist);
> ! scfg->crypt_alg = nscfg->crypt_alg ? nscfg->crypt_alg :
> pscfg->crypt_alg;
>
> return (void *) scfg;
> }
> --- 1368,1375 ----
> nscfg->post_reply_url : pscfg->post_reply_url;
> scfg->configlist = ap_overlay_tables (p, nscfg->configlist,
> pscfg->configlist);
> ! scfg->crypt_alg =
> ! nscfg->crypt_alg ? nscfg->crypt_alg : pscfg->crypt_alg;
>
> return (void *) scfg;
> }
> ***************
> *** 1455,1468 ****
>
> module_config,
>
> &pubcookie_module);
>
> ! ap_log_rerror (PC_LOG_DEBUG, r, "retrieving a
> pre-session ckookie");
> if ((cookie = get_cookie (r, PBC_PRE_S_COOKIENAME)) == NULL)
> ap_log_rerror (PC_LOG_INFO, r,
> "get_pre_s_from_cookie: no pre_s
> cookie, uri: %s\n",
> r->uri);
> else
> cookie_data = libpbc_unbundle_cookie (p, scfg->sectext,
> ! cookie,
> ME(r), 0, scfg->crypt_alg);
>
> if (cookie_data == NULL) {
> ap_log_rerror (PC_LOG_INFO, r,
> --- 1465,1479 ----
>
> module_config,
>
> &pubcookie_module);
>
> ! ap_log_rerror (PC_LOG_DEBUG, r, "retrieving a
> pre-session ckookie");
> if ((cookie = get_cookie (r, PBC_PRE_S_COOKIENAME)) == NULL)
> ap_log_rerror (PC_LOG_INFO, r,
> "get_pre_s_from_cookie: no pre_s
> cookie, uri: %s\n",
> r->uri);
> else
> cookie_data = libpbc_unbundle_cookie (p, scfg->sectext,
> ! cookie, ME (r), 0,
> ! scfg->crypt_alg);
>
> if (cookie_data == NULL) {
> ap_log_rerror (PC_LOG_INFO, r,
> ***************
> *** 1597,1603 ****
> char *new_cookie = ap_palloc (p, PBC_1K);
> int cred_from_trans;
> int pre_sess_from_cookie;
> ! int bogus_g = 0; /* remember if we get a g cookie we
> can't unbundle */
>
> /* get defaults for unset args */
> pubcookie_dir_defaults (cfg);
> --- 1608,1614 ----
> char *new_cookie = ap_palloc (p, PBC_1K);
> int cred_from_trans;
> int pre_sess_from_cookie;
> ! int bogus_g = 0; /* remember if we get a g
> cookie we can't unbundle */
>
> /* get defaults for unset args */
> pubcookie_dir_defaults (cfg);
> ***************
> *** 1664,1676 ****
> cookie_data = NULL;
> if ((cookie = get_cookie (r, PBC_G_COOKIENAME))
> && strcmp (cookie, "") != 0
> ! && (scfg->use_post || get_cookie (r,
> PBC_PRE_S_COOKIENAME)) ) {
> cookie_data =
> libpbc_unbundle_cookie (p, scfg->sectext, cookie,
> ! ap_get_server_name (r),
> 1, scfg->crypt_alg);
> if (!cookie_data) {
> ap_log_rerror (PC_LOG_INFO, r,
> ! "can't unbundle G cookie, it's
> probably not for us; uri: %s\n", r->uri);
> bogus_g = 1;
> clear_granting_cookie (r);
> }
> --- 1675,1689 ----
> cookie_data = NULL;
> if ((cookie = get_cookie (r, PBC_G_COOKIENAME))
> && strcmp (cookie, "") != 0
> ! && (scfg->use_post || get_cookie (r,
> PBC_PRE_S_COOKIENAME))) {
> cookie_data =
> libpbc_unbundle_cookie (p, scfg->sectext, cookie,
> ! ap_get_server_name (r), 1,
> ! scfg->crypt_alg);
> if (!cookie_data) {
> ap_log_rerror (PC_LOG_INFO, r,
> ! "can't unbundle G cookie, it's
> probably not for us; uri: %s\n",
> ! r->uri);
> bogus_g = 1;
> clear_granting_cookie (r);
> }
> ***************
> *** 1694,1700 ****
> } else { /* hav S cookie */
>
> cookie_data =
> ! libpbc_unbundle_cookie (p, scfg->sectext,
> cookie, NULL, 0, scfg->crypt_alg);
> if (!cookie_data) {
> ap_log_rerror (PC_LOG_INFO, r,
> "can't unbundle S cookie; uri: %s\n",
> --- 1707,1714 ----
> } else { /* hav S cookie */
>
> cookie_data =
> ! libpbc_unbundle_cookie (p, scfg->sectext,
> cookie, NULL, 0,
> ! scfg->crypt_alg);
> if (!cookie_data) {
> ap_log_rerror (PC_LOG_INFO, r,
> "can't unbundle S cookie; uri: %s\n",
> ***************
> *** 1819,1825 ****
> rr->has_granting = 1;
>
> clear_granting_cookie (r);
> ! if (!scfg->use_post) clear_pre_session_cookie (r);
>
> ap_log_rerror (PC_LOG_DEBUG, r,
> "pubcookie_user: has granting;
> current uri is: %s",
> --- 1833,1840 ----
> rr->has_granting = 1;
>
> clear_granting_cookie (r);
> ! if (!scfg->use_post)
> ! clear_pre_session_cookie (r);
>
> ap_log_rerror (PC_LOG_DEBUG, r,
> "pubcookie_user: has granting;
> current uri is: %s",
> ***************
> *** 1829,1846 ****
> if (!scfg->use_post) {
> pre_sess_from_cookie = get_pre_s_from_cookie (r);
> ap_log_rerror (PC_LOG_DEBUG, r,
> ! "pubcookie_user: ret from
> get_pre_s_from_cookie");
> ! if ((*cookie_data).broken.pre_sess_token !=
> pre_sess_from_cookie) {
> ap_log_rerror (PC_LOG_INFO, r,
> ! "pubcookie_user, pre session
> tokens mismatched, uri: %s",
> ! r->uri);
> ap_log_rerror (PC_LOG_DEBUG, r,
> ! "pubcookie_user, pre session
> from G: %d PRE_S: %d, uri: %s",
> ! (*cookie_data).broken.pre_sess_token,
> ! pre_sess_from_cookie, r->uri);
> rr->failed = PBC_BAD_AUTH;
> rr->stop_message =
> ! ap_psprintf (p, "Couldn't decode
> pre-session cookie. (from G: %d from PRE_S: %s)",
> (*cookie_data).broken.pre_sess_token, pre_sess_from_cookie);
> rr->redir_reason_no = PBC_RR_BADPRES_CODE;
> return OK;
> }
> --- 1844,1865 ----
> if (!scfg->use_post) {
> pre_sess_from_cookie = get_pre_s_from_cookie (r);
> ap_log_rerror (PC_LOG_DEBUG, r,
> ! "pubcookie_user: ret from
> get_pre_s_from_cookie");
> ! if ((*cookie_data).broken.pre_sess_token !=
> ! pre_sess_from_cookie) {
> ap_log_rerror (PC_LOG_INFO, r,
> ! "pubcookie_user, pre session
> tokens mismatched, uri: %s",
> ! r->uri);
> ap_log_rerror (PC_LOG_DEBUG, r,
> ! "pubcookie_user, pre session
> from G: %d PRE_S: %d, uri: %s",
> ! (*cookie_data).broken.pre_sess_token,
> ! pre_sess_from_cookie, r->uri);
> rr->failed = PBC_BAD_AUTH;
> rr->stop_message =
> ! ap_psprintf (p,
> ! "Couldn't decode
> pre-session cookie. (from G: %d from PRE_S: %s)",
> !
> (*cookie_data).broken.pre_sess_token,
> ! pre_sess_from_cookie);
> rr->redir_reason_no = PBC_RR_BADPRES_CODE;
> return OK;
> }
> ***************
> *** 2004,2010 ****
> if (!res && libpbc_rd_priv (p, scfg->sectext,
> cred_from_trans ?
> ap_get_server_name (r) : NULL,
> cred_from_trans ? 1 : 0,
> ! blob, bloblen, &plain,
> &plainlen, scfg->crypt_alg)) {
> ap_log_rerror (PC_LOG_ERR, r,
> "credtrans: libpbc_rd_priv() failed");
> res = -1;
> --- 2023,2030 ----
> if (!res && libpbc_rd_priv (p, scfg->sectext,
> cred_from_trans ?
> ap_get_server_name (r) : NULL,
> cred_from_trans ? 1 : 0,
> ! blob, bloblen, &plain,
> &plainlen,
> ! scfg->crypt_alg)) {
> ap_log_rerror (PC_LOG_ERR, r,
> "credtrans: libpbc_rd_priv() failed");
> res = -1;
> ***************
> *** 2823,2829 ****
> }
>
> static const char *pubcookie_set_crypt (cmd_parms * cmd,
> ! void *mconfig,
> const char *v)
> {
> pubcookie_server_rec *scfg =
> (pubcookie_server_rec *) ap_get_module_config (cmd->server->
> --- 2843,2849 ----
> }
>
> static const char *pubcookie_set_crypt (cmd_parms * cmd,
> ! void *mconfig,
> const char *v)
> {
> pubcookie_server_rec *scfg =
> (pubcookie_server_rec *) ap_get_module_config (cmd->server->
>
>
> Index: webiso/pubcookie/src/security_legacy.c
> diff -c webiso/pubcookie/src/security_legacy.c:1.55
> webiso/pubcookie/src/security_legacy.c:1.56
> *** webiso/pubcookie/src/security_legacy.c:1.55 Wed Oct
> 12 14:59:48 2005
> --- webiso/pubcookie/src/security_legacy.c Fri Oct 28 14:27:28 2005
> ***************
> *** 18,24 ****
> /** @file security_legacy.c
> * Heritage message protection
> *
> ! * $Id: security_legacy.c,v 1.55 2005/10/12 21:59:48 willey Exp $
> */
>
>
> --- 18,24 ----
> /** @file security_legacy.c
> * Heritage message protection
> *
> ! * $Id: security_legacy.c,v 1.56 2005/10/28 21:27:28 willey Exp $
> */
>
>
> ***************
> *** 266,278 ****
> --- 266,297 ----
> keyfile =
> mystrdup (p, libpbc_config_getstring (p,
> "ssl_key_file", NULL));
> if (keyfile && access (keyfile, R_OK | F_OK)) {
> + if (access (keyfile, F_OK)) {
> + pbc_log_activity (p, PBC_LOG_ERROR,
> + "security_init: Session
> keyfile (%s) doesn't exist.",
> + keyfile);
> + } else if (access (keyfile, R_OK)) {
> + pbc_log_activity (p, PBC_LOG_ERROR,
> + "security_init: Permissions
> prohibit reading session keyfile (%s).",
> + keyfile);
> + }
> pbc_free (p, keyfile);
> /* not there ? */
> keyfile = NULL;
> }
> +
> certfile =
> mystrdup (p, libpbc_config_getstring (p,
> "ssl_cert_file", NULL));
> if (certfile && access (certfile, R_OK | F_OK)) {
> + if (access (certfile, F_OK)) {
> + pbc_log_activity (p, PBC_LOG_ERROR,
> + "security_init: Session
> certfile (%s) doesn't exist.",
> + certfile);
> + } else if (access (certfile, R_OK)) {
> + pbc_log_activity (p, PBC_LOG_ERROR,
> + "security_init: Permissions
> prohibit reading session certfile (%s).",
> + certfile);
> + }
> pbc_free (p, certfile);
> /* not there ? */
> certfile = NULL;
> ***************
> *** 320,331 ****
> #ifndef WIN32
> if (!keyfile) {
> pbc_log_activity (p, PBC_LOG_ERROR,
> ! "security_init: couldn't find
> session keyfile (try setting ssl_key_file?)");
> return -1;
> }
> if (!certfile) {
> pbc_log_activity (p, PBC_LOG_ERROR,
> ! "security_init: couldn't find
> session certfile (try setting ssl_cert_file?)");
> return -1;
> }
> #endif
> --- 339,350 ----
> #ifndef WIN32
> if (!keyfile) {
> pbc_log_activity (p, PBC_LOG_ERROR,
> ! "security_init: couldn't find
> session keyfile (try setting ssl_key_file for login server or
> PubCookieSessionKeyFile for Apache module?)");
> return -1;
> }
> if (!certfile) {
> pbc_log_activity (p, PBC_LOG_ERROR,
> ! "security_init: couldn't find
> session certfile (try setting ssl_cert_file for login server
> or PubCookieSessionCertFile for Apache module?)");
> return -1;
> }
> #endif
>
>
>
> end of message
> _______________________________________________
> pubcookie-dev mailing list
> pubcookie-dev at u.washington.edu
> http://mailman1.u.washington.edu/mailman/listinfo/pubcookie-dev
>
More information about the pubcookie-dev
mailing list