From b6f596343827f7184b884de2fc3921368744e2e0 Mon Sep 17 00:00:00 2001 From: Yann Ylavic Date: Tue, 12 Apr 2016 23:09:07 +0000 Subject: [PATCH] mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy AJP13 authentication. PR 53098. Proposed by: Dmitry A. Bakshaev git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1738878 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 3 +++ modules/proxy/ajp.h | 4 +++- modules/proxy/ajp_header.c | 16 ++++++++-------- modules/proxy/mod_proxy.c | 6 ++++++ modules/proxy/mod_proxy.h | 2 ++ modules/proxy/mod_proxy_ajp.c | 6 +++++- 6 files changed, 27 insertions(+), 10 deletions(-) diff --git a/CHANGES b/CHANGES index a5c23f0f16..0ef2feaaf4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy + AJP13 authentication. PR 53098. [Dmitry A. Bakshaev ] + *) mpm_event: Don't take over scoreboard slots from gracefully finishing threads. [Stefan Fritsch] diff --git a/modules/proxy/ajp.h b/modules/proxy/ajp.h index 1b60cfc1e9..c6cd4d0dca 100644 --- a/modules/proxy/ajp.h +++ b/modules/proxy/ajp.h @@ -412,11 +412,13 @@ apr_status_t ajp_ilink_receive(apr_socket_t *sock, ajp_msg_t *msg); * @param r current request * @param buffsize max size of the AJP packet. * @param uri requested uri + * @param secret authentication secret * @return APR_SUCCESS or error */ apr_status_t ajp_send_header(apr_socket_t *sock, request_rec *r, apr_size_t buffsize, - apr_uri_t *uri); + apr_uri_t *uri, + const char *secret); /** * Read the ajp message and return the type of the message. diff --git a/modules/proxy/ajp_header.c b/modules/proxy/ajp_header.c index 4f94f7b684..153a03ee0c 100644 --- a/modules/proxy/ajp_header.c +++ b/modules/proxy/ajp_header.c 
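Review bot: The new `@param secret` line in the ajp_send_header doc comment in ajp.h does not say that NULL means "send no secret", which is the value the caller in mod_proxy_ajp.c passes when nothing is configured. I would word it as ` * @param secret AJP13 shared secret to append to the request, or NULL to send none`. The value is handed to ajp_msg_append_string unchanged in ajp_header.c, so the comment could also state that it goes on the wire as-is and that its confidentiality depends on how the link to the backend is protected.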
@@ -213,7 +213,8 @@ AJPV13_REQUEST/AJPV14_REQUEST= static apr_status_t ajp_marshal_into_msgb(ajp_msg_t *msg, request_rec *r, - apr_uri_t *uri) + apr_uri_t *uri, + const char *secret) { int method; apr_uint32_t i, num_headers = 0; @@ -293,17 +294,15 @@ static apr_status_t ajp_marshal_into_msgb(ajp_msg_t *msg, i, elts[i].key, elts[i].val); } -/* XXXX need to figure out how to do this - if (s->secret) { + if (secret) { if (ajp_msg_append_uint8(msg, SC_A_SECRET) || - ajp_msg_append_string(msg, s->secret)) { + ajp_msg_append_string(msg, secret)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03228) - "Error ajp_marshal_into_msgb - " + "ajp_marshal_into_msgb: " "Error appending secret"); return APR_EGENERAL; } } - */ if (r->user) { if (ajp_msg_append_uint8(msg, SC_A_REMOTE_USER) || @@ -671,7 +670,8 @@ static apr_status_t ajp_unmarshal_response(ajp_msg_t *msg, apr_status_t ajp_send_header(apr_socket_t *sock, request_rec *r, apr_size_t buffsize, - apr_uri_t *uri) + apr_uri_t *uri, + const char *secret) { ajp_msg_t *msg; apr_status_t rc; @@ -683,7 +683,7 @@ apr_status_t ajp_send_header(apr_socket_t *sock, return rc; } - rc = ajp_marshal_into_msgb(msg, r, uri); + rc = ajp_marshal_into_msgb(msg, r, uri, secret); if (rc != APR_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00988) "ajp_send_header: ajp_marshal_into_msgb failed"); diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c index 456a528b8f..965250f7ca 100644 --- a/modules/proxy/mod_proxy.c +++ b/modules/proxy/mod_proxy.c @@ -308,6 +308,12 @@ static const char *set_worker_param(apr_pool_t *p, (int)sizeof(worker->s->flusher)); } } + else if (!strcasecmp(key, "secret")) { + if (PROXY_STRNCPY(worker->s->secret, val) != APR_SUCCESS) { + return apr_psprintf(p, "Secret length must be < %d characters", + (int)sizeof(worker->s->secret)); + } + } else { if (set_worker_hc_param_f) { return set_worker_hc_param_f(p, s, worker, key, val, NULL); 
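Review bot: `if (secret)` in ajp_marshal_into_msgb treats an empty string as a configured secret and would emit an SC_A_SECRET attribute with an empty value. The only guard against that is the `*conn->worker->s->secret` test in the caller in mod_proxy_ajp.c. Because ajp_send_header is declared in ajp.h and could gain other callers, the check is safer made locally: `if (secret && *secret) {`. The secret is appended to the message verbatim, so if marshalled messages are dumped at trace log levels elsewhere in this file (not visible in this hunk), the value would reach the error log and should be checked for. The function body starts and ends outside the hunk.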
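Review bot: The `secret` key in set_worker_param is accepted for every worker, but the only consumer in this patch is the AJP request path, so on a non-AJP worker the value appears to be stored and silently ignored. An administrator could then believe a backend is authenticated when nothing is sent. Either reject the key for other schemes, if the scheme is known at this point (not visible in the hunk), or state the restriction in a comment such as `/* AJP13 only: shared secret sent to the backend with each request */`. The diffstat touches no user documentation, so the key, its length limit below PROXY_WORKER_MAX_SECRET_SIZE and its clear-text storage in the configuration remain undescribed. The function body extends beyond the hunk.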
diff --git a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h index 6af2457cbd..026601c440 100644 --- a/modules/proxy/mod_proxy.h +++ b/modules/proxy/mod_proxy.h @@ -348,6 +348,7 @@ PROXY_WORKER_HC_FAIL ) #define PROXY_WORKER_MAX_HOSTNAME_SIZE 96 #define PROXY_BALANCER_MAX_HOSTNAME_SIZE 64 #define PROXY_BALANCER_MAX_STICKY_SIZE 64 +#define PROXY_WORKER_MAX_SECRET_SIZE 64 /* RFC-1035 mentions limits of 255 for host-names and 253 for domain-names, * dotted together(?) this would fit the below size (+ trailing NUL). @@ -444,6 +445,7 @@ typedef struct { unsigned int disablereuse_set:1; unsigned int was_malloced:1; unsigned int is_name_matchable:1; + char secret[PROXY_WORKER_MAX_SECRET_SIZE]; /* authentication secret (e.g. AJP13) */ } proxy_worker_shared; #define ALIGNED_PROXY_WORKER_SHARED_SIZE (APR_ALIGN_DEFAULT(sizeof(proxy_worker_shared))) diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c index d57fef0eab..04afec6c95 100644 --- a/modules/proxy/mod_proxy_ajp.c +++ b/modules/proxy/mod_proxy_ajp.c @@ -193,6 +193,7 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r, apr_off_t content_length = 0; int original_status = r->status; const char *original_status_line = r->status_line; + const char *secret = NULL; if (psf->io_buffer_size_set) maxsize = psf->io_buffer_size; @@ -202,12 +203,15 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r, maxsize = AJP_MSG_BUFFER_SZ; maxsize = APR_ALIGN(maxsize, 1024); + if (*conn->worker->s->secret) + secret = conn->worker->s->secret; + /* * Send the AJP request to the remote server */ /* send request headers */ - status = ajp_send_header(conn->sock, r, maxsize, uri); + status = ajp_send_header(conn->sock, r, maxsize, uri, secret); if (status != APR_SUCCESS) { conn->close = 1; ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(00868) -- 2.40.0
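Review bot: Adding `secret` to proxy_worker_shared changes the size of a structure declared in a module header and puts a credential into the worker's shared state. Appending it at the end keeps existing offsets stable, but a layout change of this kind normally comes with a minor module magic number bump, and the diffstat shows none in this commit. Judging by the struct name and ALIGNED_PROXY_WORKER_SHARED_SIZE, this data is shared between processes, so anything able to read or display that state sees the secret in clear. The field comment could carry that warning: `/* authentication secret (e.g. AJP13); stored in clear, never log or display */`. The choice of 64 for PROXY_WORKER_MAX_SECRET_SIZE is also unexplained.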
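Review bot: The mapping from an empty `worker->s->secret` to a NULL `secret` in ap_proxy_ajp_request is the only thing that suppresses the SC_A_SECRET attribute, and nothing at that spot says so. A comment above the `if` would make the contract explicit: `/* empty secret == none configured: pass NULL so no SC_A_SECRET attribute is sent */`. The pointer handed to ajp_send_header aliases the worker's shared state rather than a per-request copy; that looks fine for the duration of the call, but is worth noting if the field can be changed at runtime (not visible here). The function body starts and ends outside the hunk.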