basicaly typos

[mod_auth_kerb.git] / src / mod_auth_kerb.c

diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c
index 90d5d50..175bbf1 100644 (file)
--- a/src/mod_auth_kerb.c
+++ b/src/mod_auth_kerb.c
@@ -58,9 +58,9 @@
 #ifdef STANDARD20_MODULE_STUFF
 #include <ap_compat.h>
 #include <apr_strings.h>
+#include <apr_base64.h>
 #endif
 
-
 #ifdef KRB5
 #include <krb5.h>
 #ifdef HEIMDAL
@@ -68,6 +68,7 @@
 #else
 #  include <gssapi/gssapi.h>
 #  include <gssapi/gssapi_generic.h>
+#  include <gssapi/gssapi_krb5.h>
 #  define GSS_C_NT_USER_NAME gss_nt_user_name
 #  define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
 #  define krb5_get_err_text(context,code) error_message(code)
@@ -76,7 +77,7 @@
 #endif /* KRB5 */
 
 #ifdef KRB4
-/*Prevent warning about closesocket redefinition (Apache's ap_config.h and 
+/* Prevent warning about closesocket redefinition (Apache's ap_config.h and 
  * MIT Kerberos' port-sockets.h both define it as close) */
 #ifdef closesocket
 #  undef closesocket
@@ -85,6 +86,9 @@
 #include <netdb.h> /* gethostbyname() */
 #endif /* KRB4 */
 
+/* XXX remove dependency on unistd.h ??? */
+#include <unistd.h>
+
 #ifdef STANDARD20_MODULE_STUFF
 module AP_MODULE_DECLARE_DATA auth_kerb_module;
 #else
@@ -187,13 +191,32 @@ static const command_rec kerb_auth_cmds[] = {
    { NULL }
 };
 
-#ifdef KRB5
-typedef struct {
-   gss_ctx_id_t context;
-   gss_cred_id_t server_creds;
-} gss_connection_t;
+#if defined(KRB5) && !defined(HEIMDAL)
+/* Needed to work around problems with replay caches */
+#include "mit-internals.h"
 
-static gss_connection_t *gss_connection = NULL;
+/* This is our replacement krb5_rc_store function */
+static krb5_error_code
+mod_auth_kerb_rc_store(krb5_context context, krb5_rcache rcache,
+                        krb5_donot_replay *donot_replay)
+{
+   return 0;
+}
+
+/* And this is the operations vector for our replay cache */
+const krb5_rc_ops mod_auth_kerb_rc_ops = {
+  0,
+  "dfl",
+  krb5_rc_dfl_init,
+  krb5_rc_dfl_recover,
+  krb5_rc_dfl_destroy,
+  krb5_rc_dfl_close,
+  mod_auth_kerb_rc_store,
+  krb5_rc_dfl_expunge,
+  krb5_rc_dfl_get_span,
+  krb5_rc_dfl_get_name,
+  krb5_rc_dfl_resolve
+};
 #endif
 
 
@@ -430,16 +453,98 @@ end:
 /*************************************************************************** 
  Username/Password Validation for Krb5
  ***************************************************************************/
+
+/* MIT kerberos uses replay cache checks even during credential verification
+ * (i.e. in krb5_verify_init_creds()), which is obviosuly useless. In order to
+ * avoid problems with multiple apache processes accessing the same rcache file
+ * we had to use this call instead, which is only a bit modified version of
+ * krb5_verify_init_creds() */
+static krb5_error_code
+verify_krb5_init_creds(krb5_context context, krb5_creds *creds,
+                       krb5_principal ap_req_server, krb5_keytab ap_req_keytab)
+{
+   krb5_error_code ret;
+   krb5_data req;
+   krb5_ccache local_ccache = NULL;
+   krb5_creds *new_creds = NULL;
+   krb5_auth_context auth_context = NULL;
+   krb5_keytab keytab = NULL;
+
+   memset(&req, 0, sizeof(req));
+
+   if (ap_req_keytab == NULL) {
+      ret = krb5_kt_default (context, &keytab);
+      if (ret)
+        return ret;
+   } else
+      keytab = ap_req_keytab;
+
+   ret = krb5_cc_resolve(context, "MEMORY:", &local_ccache);
+   if (ret)
+      return ret;
+
+   ret = krb5_cc_initialize(context, local_ccache, creds->client);
+   if (ret)
+      goto end;
+
+   ret = krb5_cc_store_cred (context, local_ccache, creds);
+   if (ret)
+      goto end;
+
+   if (!krb5_principal_compare (context, ap_req_server, creds->server)) {
+      krb5_creds match_cred;
+
+      memset (&match_cred, 0, sizeof(match_cred));
+
+      match_cred.client = creds->client;
+      match_cred.server = ap_req_server;
+
+      ret = krb5_get_credentials (context, 0, local_ccache, 
+                                 &match_cred, &new_creds);
+      if (ret)
+        goto end;
+      creds = new_creds;
+   }
+
+   ret = krb5_mk_req_extended (context, &auth_context, 0, NULL, creds, &req);
+   if (ret)
+      goto end;
+
+   krb5_auth_con_free (context, auth_context);
+   auth_context = NULL;
+   ret = krb5_auth_con_init(context, &auth_context);
+   if (ret)
+      goto end;
+   /* use KRB5_AUTH_CONTEXT_DO_SEQUENCE to skip replay cache checks */
+   krb5_auth_con_setflags(context, auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE);
+
+   ret = krb5_rd_req (context, &auth_context, &req, ap_req_server,
+                     keytab, 0, NULL);
+
+end:
+   krb5_free_data_contents(context, &req);
+   if (auth_context)
+      krb5_auth_con_free (context, auth_context);
+   if (new_creds)
+      krb5_free_creds (context, new_creds);
+   if (ap_req_keytab == NULL && keytab)
+      krb5_kt_close (context, keytab);
+   if (local_ccache)
+      krb5_cc_destroy (context, local_ccache);
+
+   return ret;
+}
+
 /* Inspired by krb5_verify_user from Heimdal */
 static krb5_error_code
 verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
-                krb5_ccache ccache, const char *password, const char *service,
-                krb5_keytab keytab, int krb_verify_kdc)
+                const char *password, const char *service, krb5_keytab keytab,
+                int krb_verify_kdc, krb5_ccache *ccache)
 {
    krb5_creds creds;
    krb5_principal server = NULL;
    krb5_error_code ret;
-   krb5_verify_init_creds_opt opt;
+   krb5_ccache ret_ccache = NULL;
 
    /* XXX error messages shouldn't be logged here (and in the while() loop in
     * authenticate_user_krb5pwd() as weell), in order to avoid confusing log
@@ -465,6 +570,7 @@ verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
                 krb5_get_err_text(context, ret));
       goto end;
    }
+   /* XXX log_debug: lookig for <server_princ> in keytab */
 
    /* XXX
    {
@@ -477,39 +583,47 @@ verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
    }
    */
 
-   krb5_verify_init_creds_opt_init(&opt);
-   krb5_verify_init_creds_opt_set_ap_req_nofail(&opt, krb_verify_kdc);
+   if (krb_verify_kdc &&
+       (ret = verify_krb5_init_creds(context, &creds, server, keytab))) {
+       log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                 "failed to verify krb5 credentials: %s",
+                 krb5_get_err_text(context, ret));
+       goto end;
+   }
+
+   ret = krb5_cc_resolve(context, "MEMORY:", &ret_ccache);
+   if (ret) {
+      log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 
+                "generating new memory ccache failed: %s",
+                krb5_get_err_text(kcontext, ret));
+      goto end;
+   }
 
-   ret = krb5_verify_init_creds(context, &creds, server, keytab, NULL, &opt);
+   ret = krb5_cc_initialize(context, ret_ccache, principal);
    if (ret) {
       log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-                "krb5_verify_init_creds() failed: %s",
+                "krb5_cc_initialize() failed: %s",
                 krb5_get_err_text(context, ret));
       goto end;
    }
-                
-   if (ccache) {
-      ret = krb5_cc_initialize(context, ccache, principal);
-      if (ret) {
-        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-                   "krb5_cc_initialize() failed: %s",
-                   krb5_get_err_text(context, ret));
-        goto end;
-      }
 
-      ret = krb5_cc_store_cred(context, ccache, &creds);
-      if (ret) {
-        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-                   "krb5_cc_store_cred() failed: %s",
-                   krb5_get_err_text(context, ret));
-        goto end;
-      }
+   ret = krb5_cc_store_cred(context, ret_ccache, &creds);
+   if (ret) {
+      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                "krb5_cc_store_cred() failed: %s",
+                krb5_get_err_text(context, ret));
+      goto end;
    }
+   *ccache = ret_ccache;
+   ret_ccache = NULL;
 
 end:
    krb5_free_cred_contents(context, &creds);
    if (server)
       krb5_free_principal(context, server);
+   if (ret_ccache)
+      krb5_cc_destroy(context, ret_ccache);
+
    return ret;
 }
 
@@ -656,8 +770,6 @@ int authenticate_user_krb5pwd(request_rec *r,
    int             ret;
    char            *name = NULL;
    int             all_principals_unkown;
-   char            *ccname = NULL;
-   int             fd;
 
    code = krb5_init_context(&kcontext);
    if (code) {
@@ -683,16 +795,6 @@ int authenticate_user_krb5pwd(request_rec *r,
       goto end;
    }
 
-   code = krb5_cc_resolve(kcontext, "MEMORY:", &ccache);
-   if (code) {
-      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-                "generating new memory ccache failed: %s",
-                 krb5_get_err_text(kcontext, code));
-      ret = HTTP_INTERNAL_SERVER_ERROR;
-      unlink(ccname);
-      goto end;
-   }
-
    if (conf->krb_5_keytab)
       krb5_kt_resolve(kcontext, conf->krb_5_keytab, &keytab);
 
@@ -719,9 +821,9 @@ int authenticate_user_krb5pwd(request_rec *r,
         continue;
       }
 
-      code = verify_krb5_user(r, kcontext, client, ccache, sent_pw, 
+      code = verify_krb5_user(r, kcontext, client, sent_pw, 
                              conf->krb_service_name, 
-                             keytab, conf->krb_verify_kdc);
+                             keytab, conf->krb_verify_kdc, &ccache);
       if (!conf->krb_authoritative && code) {
         /* if we're not authoritative, we allow authentication to pass on
          * to another modules if (and only if) the user is not known to us */
@@ -786,7 +888,6 @@ get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix)
    OM_uint32 msg_ctx = 0;
    gss_buffer_desc status_string;
    char *err_msg;
-   size_t len;
 
    err_msg = ap_pstrdup(p, prefix);
    do {
@@ -818,25 +919,6 @@ get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix)
 }
 
 static int
-cleanup_gss_connection(void *data)
-{
-   OM_uint32 minor_status;
-   gss_connection_t *gss_conn = (gss_connection_t *)data;
-
-   if (data == NULL)
-      return OK;
-   if (gss_conn->context != GSS_C_NO_CONTEXT)
-      gss_delete_sec_context(&minor_status, &gss_conn->context,
-                            GSS_C_NO_BUFFER);
-   if (gss_conn->server_creds != GSS_C_NO_CREDENTIAL)
-      gss_release_cred(&minor_status, &gss_conn->server_creds);
-
-   gss_connection = NULL;
-
-   return OK;
-}
-
-static int
 store_gss_creds(request_rec *r, kerb_auth_config *conf, char *princ_name,
                 gss_cred_id_t delegated_cred)
 {
@@ -898,13 +980,6 @@ get_gss_creds(request_rec *r,
    gss_name_t server_name = GSS_C_NO_NAME;
    char buf[1024];
 
-#if 0
-   /* Don't specify service name. This makes MIT 1.3 not to use replay caches,
-    * which causes large problems with the Microsoft krb5 implementation. MS
-    * obviously uses a format of the krb5 authenticator that is considered by
-    * the MIT as replay (Two valid MS authenticators may contain the same time
-    * and utime fields and only differ in the sequential numbers).
-    */
    snprintf(buf, sizeof(buf), "%s@%s", conf->krb_service_name,
         ap_get_server_name(r));
 
@@ -920,7 +995,6 @@ get_gss_creds(request_rec *r,
                 "gss_import_name() failed"));
       return HTTP_INTERNAL_SERVER_ERROR;
    }
-#endif
    
    major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
                                   GSS_C_NO_OID_SET, GSS_C_ACCEPT,
@@ -932,6 +1006,27 @@ get_gss_creds(request_rec *r,
                                     "gss_acquire_cred() failed"));
       return HTTP_INTERNAL_SERVER_ERROR;
    }
+
+#ifndef HEIMDAL
+   /*
+    * With MIT Kerberos 5 1.3.x the gss_cred_id_t is the same as
+    * krb5_gss_cred_id_t and krb5_gss_cred_id_rec contains a pointer to
+    * the replay cache.
+    * This allows us to override the replay cache function vector with
+    * our own one.
+    * Note that this is a dirty hack to get things working and there may
+    * well be unknown side-effects.
+    */
+   {
+      krb5_gss_cred_id_t gss_creds = (krb5_gss_cred_id_t) *server_creds;
+
+      if (gss_creds && gss_creds->rcache && gss_creds->rcache->ops &&
+         gss_creds->rcache->ops->type &&  
+         memcmp(gss_creds->rcache->ops->type, "dfl", 3) == 0)
+          /* Override the rcache operations */
+        gss_creds->rcache->ops = &mod_auth_kerb_rc_ops;
+   }
+#endif
    
    return 0;
 }
@@ -978,24 +1073,14 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
   gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;
   OM_uint32 (*accept_sec_token)();
   gss_OID_desc spnego_oid;
+  gss_ctx_id_t context = GSS_C_NO_CONTEXT;
+  gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL;
 
   *negotiate_ret_value = "\0";
 
   spnego_oid.length = 6;
   spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
 
-  if (gss_connection == NULL) {
-     gss_connection = ap_pcalloc(r->connection->pool, sizeof(*gss_connection));
-     if (gss_connection == NULL) {
-       log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-                  "ap_pcalloc() failed (not enough memory)");
-       ret = HTTP_INTERNAL_SERVER_ERROR;
-       goto end;
-     }
-     memset(gss_connection, 0, sizeof(*gss_connection));
-     ap_register_cleanup(r->connection->pool, gss_connection, cleanup_gss_connection, ap_null_cleanup);
-  }
-
   if (conf->krb_5_keytab) {
      char *ktname;
      /* we don't use the ap_* calls here, since the string passed to putenv()
@@ -1011,11 +1096,9 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
      putenv(ktname);
   }
 
-  if (gss_connection->server_creds == GSS_C_NO_CREDENTIAL) {
-     ret = get_gss_creds(r, conf, &gss_connection->server_creds);
-     if (ret)
-       goto end;
-  }
+  ret = get_gss_creds(r, conf, &server_creds);
+  if (ret)
+     goto end;
 
   /* ap_getword() shifts parameter */
   auth_param = ap_getword_white(r->pool, &auth_line);
@@ -1040,8 +1123,8 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
                        gss_accept_sec_context_spnego : gss_accept_sec_context;
 
   major_status = accept_sec_token(&minor_status,
-                                 &gss_connection->context,
-                                 gss_connection->server_creds,
+                                 &context,
+                                 server_creds,
                                  &input_token,
                                  GSS_C_NO_CHANNEL_BINDINGS,
                                  &client_name,
@@ -1079,12 +1162,15 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
      goto end;
   }
 
+#if 0
+  /* This is a _Kerberos_ module so multiple authentication rounds aren't
+   * supported. If we wanted a generic GSS authentication we would have to do
+   * some magic with exporting context etc. */
   if (major_status & GSS_S_CONTINUE_NEEDED) {
-     /* Some GSSAPI mechanism (eg GSI from Globus) may require multiple 
-      * iterations to establish authentication */
      ret = HTTP_UNAUTHORIZED;
      goto end;
   }
+#endif
 
   major_status = gss_display_name(&minor_status, client_name, &output_token, NULL);
   gss_release_name(&minor_status, &client_name); 
@@ -1119,8 +1205,11 @@ end:
   if (client_name != GSS_C_NO_NAME)
      gss_release_name(&minor_status, &client_name);
 
-  if (! major_status & GSS_S_CONTINUE_NEEDED)
-     cleanup_gss_connection(gss_connection);
+  if (server_creds != GSS_C_NO_CREDENTIAL)
+     gss_release_cred(&minor_status, &server_creds);
+
+  if (context != GSS_C_NO_CONTEXT)
+     gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
 
   return ret;
 }
@@ -1232,6 +1321,8 @@ int kerb_authenticate_user(request_rec *r)
    if (ret == HTTP_UNAUTHORIZED)
       set_kerb_auth_headers(r, conf, use_krb4, use_krb5, negotiate_ret_value);
 
+   /* XXX log_debug: if ret==OK, log(user XY authenticated) */
+
    last_return = ret;
    return ret;
 }