112 lines
3.1 KiB
C
112 lines
3.1 KiB
C
/*
|
|
SPDX-License-Identifier: AGPL-3.0-or-later
|
|
Copyright (C) 2026 mrkubax10 <mrkubax10@onet.pl>
|
|
*/
|
|
|
|
#include <apr_base64.h>
|
|
#include <httpd.h>
|
|
#include <http_core.h>
|
|
#include <http_protocol.h>
|
|
#include <http_log.h>
|
|
#include <stdbool.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <util_cookies.h>
|
|
#include <util_md5.h>
|
|
|
|
static const char* const TOKEN_COOKIE_NAME = "webgate_token";
|
|
|
|
// Returns true if user agent of client which performed the request looks like Git
|
|
static bool check_user_agent_exception(request_rec* r) {
|
|
static const char GIT_USER_AGENT_PREFIX[] = "git/";
|
|
const char* const user_agent = apr_table_get(r->headers_in, "User-Agent");
|
|
if(!user_agent || strncmp(user_agent, GIT_USER_AGENT_PREFIX, sizeof(GIT_USER_AGENT_PREFIX))!=0)
|
|
return false;
|
|
return apr_table_get(r->headers_in, "Git-Protocol");
|
|
}
|
|
|
|
static const char* generate_token(apr_pool_t* pool) {
|
|
char rnd[32];
|
|
apr_generate_random_bytes(rnd, sizeof(rnd));
|
|
char rnd_md5[APR_MD5_DIGESTSIZE];
|
|
apr_md5(rnd_md5, rnd, sizeof(rnd));
|
|
|
|
const apr_size_t encoded_size = apr_base64_encode_len(sizeof(rnd_md5));
|
|
char* output = apr_palloc(pool, encoded_size);
|
|
apr_base64_encode(output, rnd_md5, sizeof(rnd_md5));
|
|
return output;
|
|
}
|
|
|
|
// Generates new token and sets HTTP cookie containing it then presents client with challenge
|
|
static void handle_challenge(request_rec* r) {
|
|
const char* const generated = generate_token(r->pool);
|
|
ap_cookie_write(r, TOKEN_COOKIE_NAME, generated, NULL, 0, r->headers_out, NULL);
|
|
|
|
// Send challenge page beginning
|
|
ap_set_content_type(r, "text/html");
|
|
ap_rvputs(r, "<!DOCTYPE HTML>"
|
|
"<html lang=\"en\">"
|
|
"<head>"
|
|
"<title>mod_webgate</title>"
|
|
"</head>"
|
|
"<body>"
|
|
"<h5>mod_webgate: Please select appropriate option</h5>", NULL);
|
|
|
|
static const char* OPTION_STRINGS[] = {
|
|
"<a href=\"/fail\">I would like to access this server</a><br>",
|
|
"<a href=\"/success\">I would not like to access this server</a><br>",
|
|
};
|
|
unsigned char option_order[] = {
|
|
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0
|
|
};
|
|
|
|
// Randomize options order
|
|
for(size_t i = 0; i<sizeof(option_order); i++) {
|
|
char swap_index;
|
|
apr_generate_random_bytes(&swap_index, 1);
|
|
swap_index%=sizeof(option_order);
|
|
if(swap_index==0)
|
|
swap_index = 1;
|
|
// Temporary value for swap
|
|
unsigned char temp = option_order[1];
|
|
option_order[1] = option_order[swap_index];
|
|
option_order[swap_index] = temp;
|
|
}
|
|
|
|
// Send options
|
|
for(size_t i = 0; i<sizeof(option_order); i++)
|
|
ap_rvputs(r, OPTION_STRINGS[option_order[i]], NULL);
|
|
|
|
// Finish page
|
|
ap_rvputs(r, "</body>"
|
|
"</html>", NULL);
|
|
}
|
|
|
|
static int request_check_handler(request_rec* r) {
|
|
// Provide exception for requests performed by Git
|
|
if(check_user_agent_exception(r))
|
|
return DECLINED;
|
|
// Check if client already has the token
|
|
const char* token;
|
|
if(ap_cookie_read(r, TOKEN_COOKIE_NAME, &token, 0)!=APR_SUCCESS || !token) {
|
|
handle_challenge(r);
|
|
return OK;
|
|
}
|
|
|
|
return OK;
|
|
}
|
|
|
|
static void register_hooks(apr_pool_t* pool) {
|
|
ap_hook_handler(request_check_handler, NULL, NULL, APR_HOOK_FIRST);
|
|
}
|
|
|
|
module AP_MODULE_DECLARE_DATA webgate_module = {
|
|
STANDARD20_MODULE_STUFF,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
register_hooks
|
|
};
|