X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=mod_auth_gssweb.c;h=9bfcca72852762c4765c0ea4af09096d198ff711;hb=a27b292813973201e7a3c2131a93644ac6a97f93;hp=f59fe728391e6e6fce17c61782b89d2e28cd893e;hpb=d3713d71def8134987b474b83db4980241516868;p=mod_auth_kerb.cvs%2F.git diff --git a/mod_auth_gssweb.c b/mod_auth_gssweb.c index f59fe72..9bfcca7 100644 --- a/mod_auth_gssweb.c +++ b/mod_auth_gssweb.c @@ -1,39 +1,42 @@ /* - * Copyright (c) 2010 CESNET + * Copyright (c) 2012, 2013, 2014 JANET(UK) * All rights reserved. * * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of CESNET nor the names of its contributors may - * be used to endorse or promote products derived from this software + * 3. Neither the name of JANET(UK) nor the names of its contributors + * may be used to endorse or promote products derived from this software * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/* + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + * NOTE: Some code in this module was derived from code in + * mod_auth_gssapi.c which is copyrighted by CESNET. See that file + * for full copyright details. + * * NOTE: Portions of the code in this file were derived from example * code distributed under the Apache 2.0 license: * http://www.apache.org/licenses/LICENSE-2.0 - * The example code was modified for inclusion in this module. * * This module implements the Apache server side of the GSSWeb * authentiction type which allows Moonshot to be used for @@ -49,6 +52,7 @@ * described in the protocol.txt file included with module source. */ +#include #include "mod_auth_gssweb.h" module AP_MODULE_DECLARE_DATA auth_gssweb_module; @@ -68,36 +72,37 @@ static const command_rec gssweb_config_cmds[] = { #define DEFAULT_ENCTYPE "application/x-www-form-urlencoded" #define GSS_MAX_TOKEN_SIZE 4096 //TBD -- check this value -/* gssweb_read_post() -- Reads the post data associated with a - * request. +/* gssweb_read_req() -- reads the request data into a buffer */ -static int gssweb_read_post(request_rec *r, const char **rbuf) +static int gssweb_read_req(request_rec *r, const char **rbuf, apr_off_t *size) { - int rc; - if ((rc = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR)) != OK) { - return rc; + int rc = OK; + + if((rc = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR))) { + return(rc); } - if (ap_should_client_block(r)) { - char argsbuffer[GSS_MAX_TOKEN_SIZE+256]; - int rsize, len_read, rpos = 0; - long length = r->remaining; - *rbuf = ap_pcalloc(r->pool, length + 1); - ap_hard_timeout("util_read", r); - while ((len_read = - ap_get_client_block(r, argsbuffer, sizeof(argsbuffer))) > 0) { - ap_reset_timeout(r); - if ((rpos + len_read) > length) { + + if(ap_should_client_block(r)) { + + char argsbuffer[HUGE_STRING_LEN]; + apr_off_t rsize, len_read, rpos = 0; + apr_off_t length = r->remaining; + + *rbuf = (const char *) apr_pcalloc(r->pool, (apr_size_t) (length + 1)); + *size = length; + while((len_read = ap_get_client_block(r, argsbuffer, sizeof(argsbuffer))) > 0) { + if((rpos + len_read) > length) { rsize = length - rpos; } else { rsize = len_read; } - memcpy((char*)*rbuf + rpos, argsbuffer, rsize); + + memcpy((char *) *rbuf + rpos, argsbuffer, (size_t) rsize); rpos += rsize; } - ap_kill_timeout(r); } - return rc; + return(rc); } /* gssweb_get_post_data() -- Gets the token and nonce from the request @@ -106,34 +111,57 @@ static int gssweb_read_post(request_rec *r, const char **rbuf) static int gssweb_get_post_data(request_rec *r, int *nonce, gss_buffer_desc *input_token) { const char *data; + apr_off_t datalen; const char *key, *val, *type; int rc = 0; + *nonce = 0; + input_token->length = 0; + input_token->value = NULL; + if(r->method_number != M_POST) { + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_get_post_data: Request data is not a POST, declining."); return DECLINED; } - type = ap_table_get(r->headers_in, "Content-Type"); + type = apr_table_get(r->headers_in, "Content-Type"); if(strcasecmp(type, DEFAULT_ENCTYPE) != 0) { + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_get_post_data: Unexpected content type, declining."); return DECLINED; } - if((rc = util_read(r, &data)) != OK) { + if((rc = gssweb_read_req(r, &data, &datalen)) != OK) { + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_get_post_data: Data read error, rc = %d", rc); return rc; } - if(*tab) { - ap_clear_table(*tab); - } - else { - *tab = ap_make_table(r->pool, 8); - } + while(*data && (val = ap_getword(r->pool, &data, '&'))) { + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_get_post_data: obtained val from ap_getword() (%s)", val); key = ap_getword(r->pool, &val, '='); ap_unescape_url((char*)key); ap_unescape_url((char*)val); - ap_table_merge(*tab, key, val); + if (0 == strcasecmp(key, "token")) { + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_get_post_data: found token (%s)", val); + input_token->value = malloc(strlen(val)); + input_token->length = apr_base64_decode(input_token->value, val); + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_get_post_data: Token successfully decoded."); + } + else if (0 == strcasecmp(key, "nonce")) { + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_get_post_data: found nonce (%s)", val); + *nonce = atoi(val); + } + else { + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_get_post_data: unknown key (%s)", key); + } + } + if ((0 == *nonce) || (0 == input_token->length)) { + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_get_post_data: nonce (%d) or token len (%d) is 0, declining", *nonce, input_token->length); + return DECLINED; + } + else { + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_get_post_data: returning nonce (%d) and token (%d bytes)", *nonce, input_token->length); + return OK; } - return OK; } /* gssweb_authenticate_filter() -- Output filter for gssweb authentication. @@ -143,72 +171,184 @@ static int gssweb_get_post_data(request_rec *r, int *nonce, gss_buffer_desc *inp * one filter call by maintaining state until an EOS bucket is received. */ static apr_status_t gssweb_authenticate_filter (ap_filter_t *f, - apr_bucket_brigade *pbbIn) + apr_bucket_brigade *brig_in) { request_rec *r = f->r; conn_rec *c = r->connection; - apr_bucket *pbktIn; - apr_bucket_brigade *pbbOut; + apr_bucket_brigade *brig_out; + apr_bucket *bkt_in = NULL; + apr_bucket *bkt_out = NULL; + apr_bucket *bkt_eos = NULL; + const char *data = NULL; + apr_size_t len = 0; + apr_size_t enc_len = 0; + char *buf = NULL; + char *stoken = NULL; + apr_size_t n = 0; + gss_conn_ctx conn_ctx = NULL; + const char *c_type = NULL; + const char *c_len = NULL; + apr_status_t ret = 0; + + gss_log(APLOG_MARK, APLOG_DEBUG, 0, f->r, "Entering GSSWeb filter"); + + /* get the context from the request */ + conn_ctx = gss_retrieve_conn_ctx(r); + if (NULL == conn_ctx) { + gss_log(APLOG_MARK, APLOG_ERR, 0, r, "gssweb_authenticate_filter: Failed to find valid context."); + apr_brigade_cleanup(brig_in); + return HTTP_INTERNAL_SERVER_ERROR; + } + + /* if this is the first call for a response, send opening JSON block */ + if (GSS_FILT_NEW == conn_ctx->filter_stat) { + if (NULL == (brig_out = apr_brigade_create(r->pool, c->bucket_alloc))) { + conn_ctx->filter_stat = GSS_FILT_ERROR; + gss_log(APLOG_MARK, APLOG_ERR, 0, r, "gssweb_authenticate_filter: Unable to allocate output brigade (opening)"); + apr_brigade_cleanup(brig_in); + return HTTP_INTERNAL_SERVER_ERROR; + } - pbbOut=apr_brigade_create(r->pool, c->bucket_alloc); - for (pbktIn = APR_BRIGADE_FIRST(pbbIn); - pbktIn != APR_BRIGADE_SENTINEL(pbbIn); - pbktIn = APR_BUCKET_NEXT(pbktIn)) + len = apr_base64_encode_len(conn_ctx->output_token.length); + if (NULL == (data = apr_bucket_alloc(len+1024, c->bucket_alloc)) || + NULL == (stoken = apr_bucket_alloc(len+1, c->bucket_alloc))) { + gss_log(APLOG_MARK, APLOG_ERR, 0, r, "gssweb_authenticate_filter: Unable to allocate space for opening json block"); + apr_brigade_cleanup(brig_in); + apr_brigade_cleanup(brig_out); + return HTTP_INTERNAL_SERVER_ERROR; + } + + apr_base64_encode_binary(stoken, conn_ctx->output_token.value, conn_ctx->output_token.length); + snprintf((char *)data, len+1024, + "{\"gssweb\": {\n\"token\": \"%s\",\n\"nonce\": \"%d\"},\n\"application\": {\n\"data\": \"", + stoken, conn_ctx->nonce); + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_authenticate_filter: Sending (%d bytes): %s", strlen(data), data); + + bkt_out = apr_bucket_heap_create(data, strlen(data), apr_bucket_free, + c->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(brig_out, bkt_out); + if (0 != (ret = ap_pass_brigade(f->next, brig_out))) { + apr_brigade_cleanup(brig_in); + apr_brigade_cleanup(brig_out); + return ret; + } + + conn_ctx->filter_stat = GSS_FILT_INPROGRESS; + } + + /* loop through the app data buckets, escaping and sending each one */ + for (bkt_in = APR_BRIGADE_FIRST(brig_in); + bkt_in != APR_BRIGADE_SENTINEL(brig_in); + bkt_in = APR_BUCKET_NEXT(bkt_in)) { - const char *data; - apr_size_t len; - char *buf; - apr_size_t n; - apr_bucket *pbktOut; + if (NULL == (brig_out = apr_brigade_create(r->pool, c->bucket_alloc))) { + gss_log(APLOG_MARK, APLOG_ERR, 0, r, "gssweb_authenticate_filter: Unable to allocate brigade (loop)"); + conn_ctx->filter_stat = GSS_FILT_ERROR; + apr_brigade_cleanup(brig_in); + return HTTP_INTERNAL_SERVER_ERROR; + } - if(APR_BUCKET_IS_EOS(pbktIn)) + /* if this is an EOS, send the JSON closing block */ + if(APR_BUCKET_IS_EOS(bkt_in)) { - apr_bucket *pbktEOS=apr_bucket_eos_create(c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(pbbOut,pbktEOS); - continue; + /* create and add the JSON closing block */ + + if (NULL == (data = apr_bucket_alloc(1024, c->bucket_alloc))) { + gss_log(APLOG_MARK, APLOG_ERR, 0, r, "gssweb_authenticate_filter: Unable to allocate space for closing json block"); + apr_brigade_cleanup(brig_in); + apr_brigade_cleanup(brig_out); + return HTTP_INTERNAL_SERVER_ERROR; + } + + c_type = apr_table_get(r->headers_in, "Content-Type"); + c_len = apr_table_get(r->headers_in, "Content-Length"); + snprintf((char *)data, 1024, "\",\n\"content-type\": \"%s\",\n\"content-length\": \"%s\"\n}\n}", c_type, c_len); + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_authenticate_filter: Sending (%d bytes) %s", strlen(data), data); + + bkt_out = apr_bucket_heap_create(data, strlen(data), apr_bucket_free, + c->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(brig_out, bkt_out); + + /* Indicate that the next filter call is a new response */ + conn_ctx->filter_stat = GSS_FILT_NEW; + + /* set EOS in the outbound brigade */ + bkt_eos = apr_bucket_eos_create(c->bucket_alloc); + APR_BRIGADE_INSERT_TAIL (brig_out, bkt_eos); + + /* pass the brigade */ + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_authenticate_filter: Sending: EOS"); + if (0 != (ret = ap_pass_brigade(f->next, brig_out))) { + conn_ctx->filter_stat = GSS_FILT_ERROR; + apr_brigade_cleanup(brig_in); + apr_brigade_cleanup(brig_out); + return ret; + } + break; } - /* read */ - apr_bucket_read(pbktIn,&data,&len,APR_BLOCK_READ); + /* Read application data from each input bucket */ + apr_bucket_read(bkt_in, &data, &len, APR_BLOCK_READ); + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_authenticate_filter: Application Data (%d bytes): %s", len, data); + + /* Base64 encode the data */ + enc_len = apr_base64_encode_len(len); + if (NULL == (buf = apr_bucket_alloc(enc_len, c->bucket_alloc))) { + gss_log(APLOG_MARK, APLOG_ERR, 0, r, "gssweb_authenticate_filter: Unable to allocate space for application data"); + apr_brigade_cleanup(brig_in); + apr_brigade_cleanup(brig_out); + return HTTP_INTERNAL_SERVER_ERROR; + } + enc_len = apr_base64_encode_binary(buf, data, len); + + /* Put the data in a bucket and add it to the the output brigade */ + bkt_out = apr_bucket_heap_create(buf, enc_len-1, apr_bucket_free, c->bucket_alloc); + buf[enc_len] = '\0'; + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_authenticate_filter: Sending (%d bytes):", enc_len, buf); + APR_BRIGADE_INSERT_TAIL(brig_out, bkt_out); + + /* Send the output brigade */ + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_authenticate_filter: Passing the application data brigade"); + if (OK != (ret = ap_pass_brigade(f->next, brig_out))) { + apr_brigade_cleanup(brig_in); + apr_brigade_cleanup(brig_out); + return ret; + } + } + + /* Make sure we don't see the same data again */ + apr_brigade_cleanup(brig_in); + return OK; +} - /* write */ - buf = apr_bucket_alloc(len, c->bucket_alloc); - for(n=0 ; n < len ; ++n) - buf[n] = apr_toupper(data[n]); +/* gssweb_add_filter() -- Hook to add our output filter to the request + * (r). Called for all error responses through the + * gssweb_insert_error_filter hook. + */ +static void +gssweb_add_filter(request_rec *r) +{ + gss_conn_ctx conn_ctx = NULL; - pbktOut = apr_bucket_heap_create(buf, len, apr_bucket_free, - c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(pbbOut,pbktOut); - } + /* Get the context for this request, if any */ + conn_ctx = gss_retrieve_conn_ctx(r); - /* Q: is there any advantage to passing a brigade for each bucket? - * A: obviously, it can cut down server resource consumption, if this - * experimental module was fed a file of 4MB, it would be using 8MB for - * the 'read' buckets and the 'write' buckets. - * - * Note it is more efficient to consume (destroy) each bucket as it's - * processed above than to do a single cleanup down here. In any case, - * don't let our caller pass the same buckets to us, twice; - */ - apr_brigade_cleanup(pbbIn); - return ap_pass_brigade(f->next,pbbOut); + /* Add the output filter */ + ap_add_output_filter("gssweb_auth_filter", (void *)conn_ctx, r, r->connection); + return; } /* gssweb_authenticate_user() -- Hook to perform actual user * authentication. Will be called once for each round trip in the GSS * authentication loop. Reads the tokend from the request, calls * gss_accept_sec_context(), and stores the output token and context - * in the user data area. Registers output filter to send the GSS + * in the user data areas. Adds output filter to send the GSS * output token back to the client. */ static int gssweb_authenticate_user(request_rec *r) { - gss_auth_config *conf = - (gss_auth_config *) ap_get_module_config(r->per_dir_config, - &auth_gssweb_module); const char *auth_line = NULL; - const char *type = NULL; char *auth_type = NULL; char *negotiate_ret_value = NULL; gss_conn_ctx conn_ctx = NULL; @@ -216,82 +356,74 @@ gssweb_authenticate_user(request_rec *r) OM_uint32 major_status, minor_status, minor_status2; gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; - const char *posted_token = NULL; gss_name_t client_name = GSS_C_NO_NAME; gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL; - gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL; OM_uint32 ret_flags = 0; unsigned int nonce; + int release_output_token = 1; + gss_auth_config *conf = NULL; gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "Entering GSSWeb authentication"); - - /* Check if this is for our auth type */ - type = ap_auth_type(r); - if (type == NULL || strcasecmp(type, "GSSWeb") != 0) { - gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, - "AuthType '%s' is not GSSWeb, bailing out", - (type) ? type : "(NULL)"); - return DECLINED; - } + /* Get the module configuration */ + conf = (gss_auth_config *) ap_get_module_config(r->per_dir_config, + &auth_gssweb_module); - /* Set up a GSS context for this request, if there isn't one already */ - conn_ctx = gss_get_conn_ctx(r); - if (conn_ctx == NULL) { - gss_log(APLOG_MARK, APLOG_ERR, 0, r, "Failed to create internal context: probably not enough memory"); - return HTTP_INTERNAL_SERVER_ERROR; + /* Check if this is for our auth type */ + auth_type = (char *)ap_auth_type(r); + if (auth_type == NULL || strcasecmp(auth_type, "GSSWeb") != 0) { + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, + "gssweb_authenticate_user: AuthType '%s' is not GSSWeb, bailing out", + (auth_type) ? auth_type : "(NULL)"); + ret = DECLINED; + goto end; } /* Read the token and nonce from the POST */ if (0 != gssweb_get_post_data(r, &nonce, &input_token)) { + gss_log(APLOG_MARK, APLOG_ERR, 0, r, "gssweb_authenticate_user: Unable to read nonce or input token."); ret = HTTP_UNAUTHORIZED; - gss_log(APLOG_MARK, APLOG_ERR, 0, r, "Unable to read nonce or input token."); goto end; } - gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "GSSWeb nonce value = %u.", nonce); - - /* If the nonce is set and doesn't match, start over */ - if ((0 != conn_ctx->nonce) && (conn_ctx->nonce != nonce)) { - if (GSS_C_NO_CONTEXT != conn_ctx->context) { - gss_delete_sec_context(&minor_status, &conn_ctx->context, GSS_C_NO_BUFFER); - } - conn_ctx->context = GSS_C_NO_CONTEXT; - conn_ctx->state = GSS_CTX_EMPTY; - conn_ctx->user = NULL; - if (0 != conn_ctx->output_token.length) { - gss_release_buffer(&minor_status, &conn_ctx->output_token); + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_authenticate_user: GSSWeb nonce value = %u.", nonce); + + /* Retrieve the existing context (if any) and see if it matches this request */ + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_authenticate_user: Attempting to retrieve GSS context"); + conn_ctx = gss_retrieve_conn_ctx(r); + + /* If there is no matching context, create a new one */ + if ((NULL == conn_ctx) || + (conn_ctx->nonce != nonce)) { + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_authenticate_user: Creating a new GSS context"); + if (conn_ctx) + gss_cleanup_conn_ctx(conn_ctx); + if (NULL == (conn_ctx = gss_create_conn_ctx (r, conf))) { + gss_log(APLOG_MARK, APLOG_ERR, 0, r, "gssweb_authenticate_user: Failed to create GSS context"); + ret = HTTP_INTERNAL_SERVER_ERROR; + goto end; } - conn_ctx->output_token = GSS_C_EMPTY_BUFFER; } - + + if (NULL == conn_ctx) { + gss_log(APLOG_MARK, APLOG_ERR, 0, r, "gssweb_authenticate_user: ERROR -- no GSS context"); + goto end; + } + /* If the output filter reported an internal server error, return it */ - if (GSS_CTX_ERROR == conn_ctx->state) { + if (GSS_FILT_ERROR == conn_ctx->filter_stat) { ret = HTTP_INTERNAL_SERVER_ERROR; gss_log(APLOG_MARK, APLOG_ERR, 0, r, - "Output filter returned internal server error, reporting."); + "gssweb_authenticate_user: Output filter returned error, reporting."); goto end; } - /* If this is a new authentiction cycle, set-up the output filter. */ - if (GSS_CTX_EMPTY == conn_ctx->state) - { - ap_add_output_filter("gssweb_auth_filter",conn_ctx->ctx,r,r->connection); - ap_register_output_filter("gssweb_auth_filter",gssweb_authenticate_filter,AP_FTYPE_RESOURCE); - - } + /* Add the output filter to this request (only applies to non-error returns) */ + ap_add_output_filter("gssweb_auth_filter", (void *)conn_ctx, r, r->connection); - /* Acquire server credentials */ - ret = get_gss_creds(r, conf, &server_creds); - if (ret) - goto end; - - /* Decode input token */ - input_token.length = apr_base64_decode(input_token.value, posted_token); - /* Call gss_accept_sec_context */ major_status = gss_accept_sec_context(&minor_status, - &ctx->context, - server_creds, + &conn_ctx->context, + conn_ctx->server_creds, &input_token, GSS_C_NO_CHANNEL_BINDINGS, NULL, @@ -301,55 +433,67 @@ gssweb_authenticate_user(request_rec *r) NULL, &delegated_cred); gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, - "Client %s us their credential", + "gssweb_authenticate_user: Client %s us their credential", (ret_flags & GSS_C_DELEG_FLAG) ? "delegated" : "didn't delegate"); - + if (output_token.length >= 4) { + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_authenticate_user: First four bytes of output token are: %.2x %.2x %.2x %.2x", ((char *)output_token.value)[0], ((char *)output_token.value)[1], ((char *)output_token.value)[2], ((char *)output_token.value)[3]); + } else { + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_authenticate_user: No output token"); + } + if (GSS_ERROR(major_status)) { gss_log(APLOG_MARK, APLOG_ERR, 0, r, "%s", get_gss_error(r, major_status, minor_status, - "Failed to establish authentication")); - gss_delete_sec_context(&minor_status, &ctx->context, GSS_C_NO_BUFFER); - ctx->context = GSS_C_NO_CONTEXT; - ctx->state = GSS_CTX_EMPTY; + "gssweb_authenticate_user: Failed to establish authentication")); + gss_delete_sec_context(&minor_status, &conn_ctx->context, GSS_C_NO_BUFFER); + conn_ctx->context = GSS_C_NO_CONTEXT; + conn_ctx->state = GSS_CTX_EMPTY; ret = HTTP_UNAUTHORIZED; goto end; + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_authenticate_user: Decoding ouput token."); } + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_authenticate_user: Got sec context, storing nonce and output token."); + /* Store the nonce & ouput token in the stored context */ conn_ctx->nonce = nonce; conn_ctx->output_token = output_token; - + release_output_token = 0; + /* If we aren't done yet, go around again */ if (major_status & GSS_S_CONTINUE_NEEDED) { - ctx->state = GSS_CTX_IN_PROGRESS; + conn_ctx->state = GSS_CTX_IN_PROGRESS; ret = HTTP_UNAUTHORIZED; goto end; } - ctx->state = GSS_CTX_ESTABLISHED; - // TBD -- set the user and authtype in the request structure + conn_ctx->state = GSS_CTX_ESTABLISHED; + r->user = apr_pstrdup(r->pool, conn_ctx->user); + r->ap_auth_type = "GSSWeb"; ret = OK; end: if (delegated_cred) gss_release_cred(&minor_status, &delegated_cred); - if (output_token.length) + if ((release_output_token) && (output_token.length)) gss_release_buffer(&minor_status, &output_token); if (client_name != GSS_C_NO_NAME) gss_release_name(&minor_status, &client_name); - if (server_creds != GSS_C_NO_CREDENTIAL) - gss_release_cred(&minor_status, &server_creds); - return ret; } static void gssweb_register_hooks(apr_pool_t *p) { - ap_hook_check_user_id(gssweb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE); + /* register the gssweb output filter */ + ap_register_output_filter("gssweb_auth_filter", gssweb_authenticate_filter, NULL, AP_FTYPE_RESOURCE); + + /* register hooks */ + ap_hook_check_user_id(gssweb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE); + ap_hook_insert_error_filter(gssweb_add_filter, NULL, NULL, APR_HOOK_MIDDLE); } module AP_MODULE_DECLARE_DATA auth_gssweb_module = {