Add option to store the session encryption key.

simo5 · simo5 · commit d626779ab91d · 2016-12-19T15:40:08.000-05:00
With the new 'file:' sytnax a session key can be automatically generated
the first time mod_auth_gssapi runs and stored on the filesystem.

Signed-off-by: Simo Sorce &lt;simo@redhat.com&gt;
diff --git a/README b/README
@@ -144,10 +144,21 @@ admin can choose to install a permanent key in the configuration so that
 session data remain accessible after a restart or by multiple servers
 sharing the same key.
 
-The key must be a base64 encoded raw key of 32 bytes of length.
+Two schemes to read persistent keys are provided, 'key' and 'file'.
 
-#### Example
+- 'key'
+    A key is read the key straight from the configuration directive.
+    The key must be a base64 encoded raw key of 32 bytes of length.
+
+- 'file'
+    A file on the file system is used to store the key. If the file does not
+    exists one is created with a randomly generated key during the first
+    execution.
+
+
+#### Examples
     GssapiSessionKey key:VGhpcyBpcyBhIDMyIGJ5dGUgbG9uZyBzZWNyZXQhISE=
+    GssapiSessionKey file:/etc/httpd/secrets/session.key
 
 
 ### GssapiCredStore
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
@@ -1238,6 +1238,8 @@ static const char *mag_deleg_ccache_unique(cmd_parms *parms, void *mconfig,
 
 #endif
 
+#define SESS_KEYS_TOT_LEN 32
+
 static const char *mag_sess_key(cmd_parms *parms, void *mconfig, const char *w)
 {
     struct mag_config *cfg = (struct mag_config *)mconfig;
@@ -1247,25 +1249,82 @@ static const char *mag_sess_key(cmd_parms *parms, void *mconfig, const char *w)
     const char *k;
     int l;
 
-    if (strncmp(w, "key:", 4) != 0) {
-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
-                     "Invalid key format, expected prefix 'key:'");
-        return NULL;
-    }
-    k = w + 4;
+    if (strncmp(w, "key:", 4) == 0) {
+        k = w + 4;
+
+        l = apr_base64_decode_len(k);
+        val = apr_palloc(parms->temp_pool, l);
+
+        keys.length = (int)apr_base64_decode_binary(val, k);
+        keys.value = (unsigned char *)val;
 
-    l = apr_base64_decode_len(k);
-    val = apr_palloc(parms->temp_pool, l);
+        if (keys.length != SESS_KEYS_TOT_LEN) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
+                         "Invalid key length, expected 32 got %d",
+                         keys.length);
+            return NULL;
+        }
+    } else if (strncmp(w, "file:", 5) == 0) {
+        apr_status_t ret;
+        apr_file_t *fd = NULL;
+        apr_fileperms_t perms = APR_FPROT_UREAD | APR_FPROT_UWRITE;
+
+        keys.length = SESS_KEYS_TOT_LEN;
+        keys.value = apr_palloc(parms->temp_pool, keys.length);
 
-    keys.length = (int)apr_base64_decode_binary(val, k);
-    keys.value = (unsigned char *)val;
+        k = w + 5;
+
+        ret = apr_file_open(&fd, k, APR_FOPEN_READ, perms, parms->temp_pool);
+        if (APR_STATUS_IS_ENOENT(ret)) {
+            ret = apr_file_open(&fd, k, APR_FOPEN_CREATE | APR_FOPEN_WRITE |
+                                APR_FOPEN_EXCL, perms, parms->temp_pool);
+            if (ret != APR_SUCCESS) {
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
+                             "Failed to create key file %s", w);
+                return NULL;
+            }
+            ret = apr_generate_random_bytes(keys.value, keys.length);
+            if (ret != OK) {
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
+                             "Failed to generate random sealing key!");
+                apr_file_close(fd);
+                return NULL;
+            } else {
+                apr_size_t bw;
+                ret = apr_file_write_full(fd, keys.value, keys.length,
+                                          &bw);
+                if ((ret != APR_SUCCESS) || (bw != keys.length)) {
+                    ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
+                                 "Failed to store key in %s!", w);
+                    apr_file_close(fd);
+                    return NULL;
+                }
+            }
+            apr_file_close(fd);
+            fd = NULL;
 
-    if (keys.length != 32) {
+            ret = apr_file_open(&fd, k, APR_FOPEN_READ, perms,
+                                parms->temp_pool);
+        }
+        if (ret == APR_SUCCESS) {
+            apr_size_t br;
+            ret = apr_file_read_full(fd, keys.value, keys.length, &br);
+            apr_file_close(fd);
+            if ((ret != APR_SUCCESS) || (br != keys.length)) {
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
+                             "Failed to read sealing key from %s!", w);
+                return NULL;
+            }
+        } else {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
+                         "Failed to open key file %s", w);
+            return NULL;
+        }
+    } else {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
-                     "Invalid key length, expected 32 got %d", keys.length);
+                     "Invalid key format, unexpected prefix in %s'", w);
         return NULL;
     }
-
     rc = SEAL_KEY_CREATE(cfg->pool, &cfg->mag_skey, &keys);
     if (rc != OK) {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
