[OpenAFS] mod_waklog and rxkad-kdf

Russ Allbery rra@stanford.edu
Tue, 06 Aug 2013 18:55:25 -0700


--=-=-=

Here's a patch against the current mod_waklog Git repository that adds
support for rxkad-kdf (important if your web SSO forwards service tickets
instead of TGTs and doesn't know to request only DES session keys for AFS
service tickets).

Note the change to link with libafsrpc and libafsauthent instead of the
individual AFS libraries.  I'm not sure why this was required, but I was
getting "sealed data inconsistent" errors when attempting to use the
tokens obtained by the module before making that change.  (Yes, that's a
very odd error message for this particular change to generate.)

Thanks to Jeffrey Altman for the core code change of this patch.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>


--=-=-=
Content-Type: text/x-diff
Content-Disposition: attachment; filename=waklog.patch

diff --git a/Makefile.am b/Makefile.am
index 932b17b..9a91c86 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3,8 +3,7 @@ all: mod_waklog.so
 APXS = @APXS@
 INCLUDES = -I@KRB5_INC@ -I@AFS_INC@ -I@APACHE_INC@ -I@APR_INC@
 LIB = -L@AFS_LIBS@ -L@KRB5_LIBS@ -L@APACHE_LIBS@ -lkrb5 -lk5crypto  \
-       -lprot -lauth -lresolv -lubik -lrxkad -lsys -lrx -llwp -ldes \
-       -lcom_err -lafsutil
+       -lafsauthent -lafsrpc
 
 APXSCC = `${APXS} -q CC` \
          @WAKLOG_DEBUG@ \
diff --git a/mod_waklog.c b/mod_waklog.c
index 023028b..0503bf7 100644
--- a/mod_waklog.c
+++ b/mod_waklog.c
@@ -425,7 +425,7 @@ set_auth ( server_rec *s, request_rec *r, int self, char *principal, char *keyta
     /* create a principal out of our k5user string */
     
     if ( ( kerror = krb5_parse_name (child.kcontext, k5user, &kprinc ) ) ) {
-      log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_parse_name %s", (char *) error_message(kerror) );
+      log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_parse_name %s", (char *) afs_error_message(kerror) );
       goto cleanup;
     }
     
@@ -446,14 +446,14 @@ set_auth ( server_rec *s, request_rec *r, int self, char *principal, char *keyta
     
         if ( ( kerror = krb5_kt_resolve(child.kcontext, keytab, &krb5kt ) ) ) {
           log_error( APLOG_MARK, APLOG_ERR, 0, s,
-            "mod_waklog: krb5_kt_resolve %s", error_message(kerror) );
+            "mod_waklog: krb5_kt_resolve %s", afs_error_message(kerror) );
           goto cleanup;
         }
     
         if ((kerror = krb5_get_init_creds_keytab (child.kcontext, &v5creds,
               kprinc, krb5kt, 0, NULL, &kopts ) ) ) {
                 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_get_init_creds_keytab %s",
-                  error_message(kerror) );
+                  afs_error_message(kerror) );
                 goto cleanup;
         }
       } else if (k5secret) {
@@ -463,7 +463,7 @@ set_auth ( server_rec *s, request_rec *r, int self, char *principal, char *keyta
         if ((kerror = krb5_get_init_creds_password ( child.kcontext, &v5creds,
               kprinc, k5secret, NULL, NULL, 0, NULL, &kopts ) ) ) {
                 log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_get_init_creds_password %s",
-                  error_message(kerror) );
+                  afs_error_message(kerror) );
                   /* nuke the password so it doesn't end up in core files */
                   memset(k5secret, 0, sizeof(k5secret));               
                 goto cleanup;
@@ -475,20 +475,20 @@ set_auth ( server_rec *s, request_rec *r, int self, char *principal, char *keyta
       /* initialize the credentials cache and store the stuff we just got */
       if ( ( kerror = krb5_cc_initialize (child.kcontext, child.ccache, kprinc) ) ) {
         log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: init credentials cache %s", 
-                  error_message(kerror));
+                  afs_error_message(kerror));
         goto cleanup;
       }
       
       if ( ( kerror = krb5_cc_store_cred(child.kcontext, child.ccache, &v5creds) ) ) {
         log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: cannot store credentials %s", 
-                  error_message(kerror));
+                  afs_error_message(kerror));
         goto cleanup;
       }
     
       krb5_free_cred_contents(child.kcontext, &v5creds);
  
       if ( kerror ) {
-        log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: store cred %s", error_message(kerror));
+        log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: store cred %s", afs_error_message(kerror));
         goto cleanup;
       }
       
@@ -529,7 +529,7 @@ set_auth ( server_rec *s, request_rec *r, int self, char *principal, char *keyta
       log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: using AFS principal: %s", buf);
       
       if ((kerror = krb5_parse_name (child.kcontext, buf, &increds.server))) {
-        log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_parse name %s", error_message(kerror));
+        log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_parse name %s", afs_error_message(kerror));
         goto cleanup;
       }
 
@@ -538,7 +538,7 @@ set_auth ( server_rec *s, request_rec *r, int self, char *principal, char *keyta
       }
 
       if ((kerror = krb5_cc_get_principal(child.kcontext, clientccache, &increds.client))) {
-        log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_cc_get_princ %s %p", error_message(kerror), clientccache);
+        log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_cc_get_princ %s %p", afs_error_message(kerror), clientccache);
         goto cleanup;
       }
       
@@ -546,13 +546,11 @@ set_auth ( server_rec *s, request_rec *r, int self, char *principal, char *keyta
       
       increds.times.endtime = 0;
       
-      increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
-      
       if ( ( kerror = krb5_get_credentials (child.kcontext, 0, clientccache, &increds, &v5credsp ) ) ) {
         /* only complain once we've tried both afs@REALM and afs/cell@REALM */
         if (attempt>=1) {
           log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: krb5_get_credentials: %s",
-                    error_message(kerror));
+                    afs_error_message(kerror));
           goto cleanup;
         } else {
           continue;
@@ -575,7 +573,12 @@ set_auth ( server_rec *s, request_rec *r, int self, char *principal, char *keyta
     token.startTime = v5credsp->times.starttime ? v5credsp->times.starttime : v5credsp->times.authtime;
     token.endTime = v5credsp->times.endtime;
     
-    memmove( &token.sessionKey, v5credsp->keyblock.contents, v5credsp->keyblock.length);
+    if (tkt_DeriveDesKey(v5credsp->keyblock.enctype, v5credsp->keyblock.contents,
+                         v5credsp->keyblock.length, &token.sessionKey) != 0) {
+        log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: tkt_DeriveDesKey failure (enctype: %d)",
+                  v5credsp->keyblock.enctype);
+        goto cleanup;
+    }
     token.kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
     token.ticketLen = v5credsp->ticket.length;
     memmove( token.ticket, v5credsp->ticket.data, token.ticketLen);
@@ -710,10 +713,10 @@ set_auth ( server_rec *s, request_rec *r, int self, char *principal, char *keyta
   
   if ((rc = ktc_SetToken(&child.server, &child.token, &child.client, 0))) {
     log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: settoken returned %s for %s -- trying again", 
-      error_message(rc), k5user);
+      afs_error_message(rc), k5user);
     if ((rc = ktc_SetToken(&child.server, &child.token, &child.client, 0))) {
       log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: settoken2 returned %s for %s", 
-        error_message(rc), k5user);
+        afs_error_message(rc), k5user);
       goto cleanup;
     }
   }
@@ -735,7 +738,7 @@ set_auth ( server_rec *s, request_rec *r, int self, char *principal, char *keyta
   if ( rc ) {
     log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: set_auth ending with %d", rc );
   } else if ( kerror ) {
-    log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: set_auth ending with krb5 error %d, %s", kerror, error_message(kerror));
+    log_error(APLOG_MARK, APLOG_ERR, 0, s, "mod_waklog: set_auth ending with krb5 error %d, %s", kerror, afs_error_message(kerror));
   } else {
     log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: set_auth ending ok");
   }

--=-=-=--