X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=src%2Fmod_auth_gssapi.c;h=9b8cd0839f55e7308dcf95793ed1e16889678ef4;hb=4b68f81eb41a5934a952e2326c1226b5ef583269;hp=5b69420c5fcdab194fed2c9465c3d4f5fca7e5a9;hpb=52ec43d6eb6e65e48c7046806f5a029351161ed3;p=mod_auth_gssapi.git diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index 5b69420..9b8cd08 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -116,6 +116,36 @@ static bool mag_conn_is_https(conn_rec *c) return false; } +static bool mag_acquire_creds(request_rec *req, + struct mag_config *cfg, + gss_OID_set desired_mechs, + gss_cred_usage_t cred_usage, + gss_cred_id_t *creds) +{ + uint32_t maj, min; +#ifdef HAVE_CRED_STORE + gss_const_key_value_set_t store = cfg->cred_store; + + maj = gss_acquire_cred_from(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE, + desired_mechs, cred_usage, store, creds, + NULL, NULL); +#else + maj = gss_acquire_cred(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE, + desired_mechs, cred_usage, creds, NULL, NULL); +#endif + + if (GSS_ERROR(maj)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", + mag_error(req, "gss_acquire_cred[_from]() " + "failed to get server creds", + maj, min)); + return false; + } + + return true; +} + +#ifdef HAVE_CRED_STORE static char *escape(apr_pool_t *pool, const char *name, char find, const char *replace) { @@ -181,13 +211,14 @@ static void mag_store_deleg_creds(request_rec *req, maj = gss_store_cred_into(&min, delegated_cred, GSS_C_INITIATE, GSS_C_NULL_OID, 1, 1, &store, NULL, NULL); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "failed to store delegated creds", maj, min)); } *ccachefile = value; } +#endif static int mag_auth(request_rec *req) { 
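Review bot: In the `#else` branch of the new `mag_acquire_creds()`, `cfg` is never read, so builds without `HAVE_CRED_STORE` will warn under `-Wunused-parameter`; a `(void)cfg;` at the top of that branch keeps the build clean. The function also carries no statement of ownership, which matters now that both the `acquired_cred` and `server_cred` call sites in `mag_auth()` rely on it; I would put `/* On success *creds is a new handle owned by the caller and must be freed with gss_release_cred(); req is used only for logging. */` above the definition. Unlike the code it replaces in hunk `@@ -396`, this path calls `gss_acquire_cred_from()` even when `cfg->cred_store` is NULL; MIT treats a null store as GSS_C_NO_CRED_STORE, but if other GSSAPI implementations are a target that assumption is worth confirming in a comment.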
@@ -206,6 +237,7 @@ static int mag_auth(request_rec *req) gss_name_t client = GSS_C_NO_NAME; gss_cred_id_t user_cred = GSS_C_NO_CREDENTIAL; gss_cred_id_t acquired_cred = GSS_C_NO_CREDENTIAL; + gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL; gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL; gss_cred_usage_t cred_usage = GSS_C_ACCEPT; uint32_t flags; @@ -242,7 +274,7 @@ static int mag_auth(request_rec *req) * location have different configs */ if (cfg != ap_get_module_config(req->main->per_dir_config, &auth_gssapi_module)) { - ap_log_rerror(APLOG_MARK, APLOG_WARNING||APLOG_NOERRNO, 0, + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, req, "Subrequest authentication bypass on " "location with different configuration!"); } @@ -250,13 +282,13 @@ static int mag_auth(request_rec *req) req->user = apr_pstrdup(req->pool, req->main->user); return OK; } else { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "The main request is tasked to establish the " "security context, can't proceed!"); return HTTP_UNAUTHORIZED; } } else { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, "Subrequest GSSAPI auth with no auth on the main " "request. This operation may fail if other " "subrequests already established a context or the " @@ -266,7 +298,7 @@ static int mag_auth(request_rec *req) if (cfg->ssl_only) { if (!mag_conn_is_https(req->connection)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "Not a TLS connection, refusing to authenticate!"); goto done; } @@ -277,7 +309,7 @@ static int mag_auth(request_rec *req) req->connection->conn_config, &auth_gssapi_module); if (!mc) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, "Failed to retrieve connection context!"); goto done; } 
@@ -295,7 +327,7 @@ static int mag_auth(request_rec *req) mag_conn_destroy, mc->parent); if (mc->established) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, "Already established context found!"); apr_table_set(req->subprocess_env, "GSS_NAME", mc->gss_name); apr_table_set(req->subprocess_env, "GSS_SESSION_EXPIRATION", @@ -341,7 +373,7 @@ static int mag_auth(request_rec *req) if (!ba_user.value) goto done; if (((char *)ba_user.value)[0] == '\0' || ((char *)ba_pwd.value)[0] == '\0') { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "Invalid empty user or password for Basic Auth"); goto done; } @@ -349,7 +381,7 @@ static int mag_auth(request_rec *req) ba_pwd.length = strlen(ba_pwd.value); maj = gss_import_name(&min, &ba_user, GSS_C_NT_USER_NAME, &client); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "In Basic Auth, %s", mag_error(req, "gss_import_name() failed", maj, min)); @@ -363,14 +395,14 @@ static int mag_auth(request_rec *req) rs = apr_generate_random_bytes((unsigned char *)(&rndname), sizeof(long long unsigned int)); if (rs != APR_SUCCESS) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "Failed to generate random ccache name"); goto done; } user_ccache = apr_psprintf(req->pool, "MEMORY:user_%qu", rndname); maj = gss_krb5_ccache_name(&min, user_ccache, &orig_ccache); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "In Basic Auth, %s", mag_error(req, "gss_krb5_ccache_name() " "failed", maj, min)); 
@@ -383,7 +415,7 @@ static int mag_auth(request_rec *req) GSS_C_INITIATE, &user_cred, NULL, NULL); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "In Basic Auth, %s", mag_error(req, "gss_acquire_cred_with_password() " "failed", maj, min)); 
@@ -396,50 +428,47 @@ static int mag_auth(request_rec *req) req->ap_auth_type = apr_pstrdup(req->pool, auth_type); -#ifdef HAVE_GSS_ACQUIRE_CRED_FROM +#ifdef HAVE_CRED_STORE if (cfg->use_s4u2proxy) { cred_usage = GSS_C_BOTH; } - if (cfg->cred_store) { - maj = gss_acquire_cred_from(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, cred_usage, - cfg->cred_store, &acquired_cred, - NULL, NULL); - if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", - mag_error(req, "gss_acquire_cred_from() failed", - maj, min)); - goto done; - } - } #endif + if (!mag_acquire_creds(req, cfg, GSS_C_NO_OID_SET, + cred_usage, &acquired_cred)) { + goto done; + } if (is_basic) { - if (!acquired_cred) { - /* Try to acquire default creds */ - maj = gss_acquire_cred(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, cred_usage, - &acquired_cred, NULL, NULL); - if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, - "%s", mag_error(req, "gss_acquire_cred_from()" - " failed", maj, min)); + if (cred_usage == GSS_C_BOTH) { + /* If GSS_C_BOTH is used then inquire_cred will return the client + * name instead of the SPN of the server credentials. 
Therefore we + * need to acquire a different set of credential setting + * GSS_C_ACCEPT explicitly */ + if (!mag_acquire_creds(req, cfg, GSS_C_NO_OID_SET, + GSS_C_ACCEPT, &server_cred)) { goto done; } + } else { + server_cred = acquired_cred; } - maj = gss_inquire_cred(&min, acquired_cred, &server, + maj = gss_inquire_cred(&min, server_cred, &server, NULL, NULL, NULL); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_inquired_cred_() " "failed", maj, min)); goto done; } + if (server_cred != acquired_cred) { + gss_release_cred(&min, &server_cred); + } +#ifdef HAVE_CRED_STORE if (cfg->deleg_ccache_dir) { /* delegate ourselves credentials so we store them as requested */ init_flags |= GSS_C_DELEG_FLAG; } +#endif /* output and input are inverted here, this is intentional */ maj = gss_init_sec_context(&min, user_cred, &user_ctx, server, @@ -447,7 +476,7 @@ static int mag_auth(request_rec *req) GSS_C_NO_CHANNEL_BINDINGS, &output, NULL, &input, NULL, NULL); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_init_sec_context() " "failed", maj, min)); goto done; @@ -459,7 +488,7 @@ static int mag_auth(request_rec *req) &client, &mech_type, &output, &flags, &vtime, &delegated_cred); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_accept_sec_context() failed", maj, min)); goto done; @@ -473,7 +502,7 @@ static int mag_auth(request_rec *req) GSS_C_NO_CHANNEL_BINDINGS, &output, NULL, &input, NULL, NULL); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_init_sec_context() " "failed", maj, min)); goto done; 
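Review bot: `server_cred` leaks on the `gss_inquire_cred()` failure path of the `is_basic` block: the guarded `gss_release_cred(&min, &server_cred)` runs only after the `GSS_ERROR(maj)` check, so when `cred_usage == GSS_C_BOTH` and the inquiry fails, the separately acquired acceptor credential is never released before `goto done` — unless `done:` releases `server_cred`, which no hunk in this commit adds (the only visible `done:` change is the ccache restore in hunk `@@ -587`). Since the handle is needed only for the inquiry, release it on the error path as well, after the log call because `gss_release_cred()` overwrites `min`: insert `if (server_cred != acquired_cred) gss_release_cred(&min, &server_cred);` between the `ap_log_rerror()` and the `goto done;`. The body of `mag_auth()` starts and ends outside this hunk.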
@@ -484,7 +513,7 @@ static int mag_auth(request_rec *req) &client, &mech_type, &output, &flags, &vtime, &delegated_cred); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_accept_sec_context()" " failed", maj, min)); goto done; @@ -492,7 +521,7 @@ static int mag_auth(request_rec *req) } } else if (maj == GSS_S_CONTINUE_NEEDED) { if (!mc) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "Mechanism needs continuation but neither " "GssapiConnectionBound nor " "GssapiUseSessions are available"); @@ -507,7 +536,7 @@ static int mag_auth(request_rec *req) /* Always set the GSS name in an env var */ maj = gss_display_name(&min, client, &name, NULL); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_display_name() failed", maj, min)); goto done; @@ -518,7 +547,7 @@ static int mag_auth(request_rec *req) apr_table_set(req->subprocess_env, "GSS_SESSION_EXPIRATION", apr_psprintf(req->pool, "%ld", (long)expiration)); -#ifdef HAVE_GSS_STORE_CRED_INTO +#ifdef HAVE_CRED_STORE if (cfg->deleg_ccache_dir && delegated_cred != GSS_C_NO_CREDENTIAL) { char *ccachefile = NULL; @@ -534,7 +563,7 @@ static int mag_auth(request_rec *req) if (cfg->map_to_local) { maj = gss_localname(&min, client, mech_type, &lname); if (maj != GSS_S_COMPLETE) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_localname() failed", maj, min)); goto done; } 
@@ -587,7 +616,7 @@ done: if (user_ccache != NULL) { maj = gss_krb5_ccache_name(&min, orig_ccache, NULL); if (maj != GSS_S_COMPLETE) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "Failed to restore per-thread ccache, %s", mag_error(req, "gss_krb5_ccache_name() " "failed", maj, min)); @@ -652,6 +681,7 @@ static const char *mag_use_sess(cmd_parms *parms, void *mconfig, int on) return NULL; } +#ifdef HAVE_CRED_STORE static const char *mag_use_s4u2p(cmd_parms *parms, void *mconfig, int on) { struct mag_config *cfg = (struct mag_config *)mconfig; @@ -662,6 +692,7 @@ static const char *mag_use_s4u2p(cmd_parms *parms, void *mconfig, int on) } return NULL; } +#endif static const char *mag_sess_key(cmd_parms *parms, void *mconfig, const char *w) { @@ -673,7 +704,7 @@ static const char *mag_sess_key(cmd_parms *parms, void *mconfig, const char *w) int l; if (strncmp(w, "key:", 4) != 0) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, "Invalid key format, expected prefix 'key:'"); return NULL; } @@ -686,19 +717,21 @@ static const char *mag_sess_key(cmd_parms *parms, void *mconfig, const char *w) keys.value = (unsigned char *)val; if (keys.length != 32) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, - "Invalid key lenght, expected 32 got %d", keys.length); + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, + "Invalid key length, expected 32 got %d", keys.length); return NULL; } rc = SEAL_KEY_CREATE(cfg->pool, &cfg->mag_skey, &keys); if (rc != OK) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, "Failed to import sealing key!"); } return NULL; } +#ifdef HAVE_CRED_STORE + #define MAX_CRED_OPTIONS 10 static const char *mag_cred_store(cmd_parms *parms, void *mconfig, 
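Review bot: In the `mag_sess_key` hunks `@@ -673` and `@@ -686`, every error branch logs at APLOG_ERR and then `return NULL;`, which Apache's directive handlers treat as success: a `GssapiSessionKey` with the wrong prefix, the wrong length, or a failed `SEAL_KEY_CREATE()` leaves the configured key unusable yet lets the server start, and what session sealing falls back to in that case is not visible from here. For a key directive, failing closed is the safer default: return the message as the directive error instead, e.g. `return "GssapiSessionKey: invalid key length, expected 32 bytes";` in place of the `return NULL;` after each log call, so a misconfigured key aborts startup rather than being silently ignored. The function begins outside these hunks.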
@@ -714,7 +747,7 @@ static const char *mag_cred_store(cmd_parms *parms, void *mconfig, p = strchr(w, ':'); if (!p) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, "%s [%s]", "Invalid syntax for GssapiCredStore option", w); return NULL; } @@ -733,7 +766,7 @@ static const char *mag_cred_store(cmd_parms *parms, void *mconfig, count = cfg->cred_store->count; if (count >= MAX_CRED_OPTIONS) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, "Too many GssapiCredStore options (MAX: %d)", MAX_CRED_OPTIONS); return NULL; @@ -755,6 +788,7 @@ static const char *mag_deleg_ccache_dir(cmd_parms *parms, void *mconfig, return NULL; } +#endif static const char *mag_use_basic_auth(cmd_parms *parms, void *mconfig, int on) { @@ -777,11 +811,9 @@ static const command_rec mag_commands[] = { "Authentication uses mod_sessions to hold status"), AP_INIT_RAW_ARGS("GssapiSessionKey", mag_sess_key, NULL, OR_AUTHCFG, "Key Used to seal session data."), -#ifdef HAVE_GSS_ACQUIRE_CRED_FROM +#ifdef HAVE_CRED_STORE AP_INIT_FLAG("GssapiUseS4U2Proxy", mag_use_s4u2p, NULL, OR_AUTHCFG, "Initializes credentials for s4u2proxy usage"), -#endif -#ifdef HAVE_GSS_STORE_CRED_INTO AP_INIT_ITERATE("GssapiCredStore", mag_cred_store, NULL, OR_AUTHCFG, "Credential Store"), AP_INIT_RAW_ARGS("GssapiDelegCcacheDir", mag_deleg_ccache_dir, NULL,