X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=src%2Fmod_auth_kerb.c;h=4b6512bad1aec4468dc1df24a9301bc0f54fdd3d;hb=e2d72778719af5da5fe4fa6b3f51f3bee2bdc295;hp=9a6f4dbf7e449384d013c7704503f3b955de4ca3;hpb=7ccf6736d99ccfe50ef6239970610ea6e577ff4f;p=mod_auth_kerb.git diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c index 9a6f4db..4b6512b 100644 --- a/src/mod_auth_kerb.c +++ b/src/mod_auth_kerb.c @@ -11,7 +11,7 @@ */ /* - * Copyright (c) 2004 Masarykova universita + * Copyright (c) 2004-2006 Masarykova universita * (Masaryk University, Brno, Czech Republic) * All rights reserved. * @@ -46,7 +46,14 @@ #include "config.h" -#define MODAUTHKERB_VERSION "5.0-rc5" +#include +#include +#include + +#define MODAUTHKERB_VERSION "5.0-rc7" + +#define MECH_NEGOTIATE "Negotiate" +#define SERVICE_NAME "HTTP" #include #include @@ -56,9 +63,31 @@ #include #ifdef STANDARD20_MODULE_STUFF -#include #include #include + +#define ap_null_cleanup NULL +#define ap_register_cleanup apr_pool_cleanup_register + +#define ap_pstrdup apr_pstrdup +#define ap_pstrcat apr_pstrcat +#define ap_pcalloc apr_pcalloc +#define ap_psprintf apr_psprintf + +#define ap_base64decode_len apr_base64_decode_len +#define ap_base64decode apr_base64_decode +#define ap_base64encode_len apr_base64_encode_len +#define ap_base64encode apr_base64_encode + +#define ap_table_setn apr_table_setn +#define ap_table_add apr_table_add +#else +#define ap_pstrchr_c strchr +#endif /* STANDARD20_MODULE_STUFF */ + +#ifdef _WIN32 +#define vsnprintf _vsnprintf +#define snprintf _snprintf #endif #ifdef KRB5 @@ -73,7 +102,9 @@ # define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name # define krb5_get_err_text(context,code) error_message(code) #endif -#include "spnegokrb5.h" +#ifndef GSSAPI_SUPPORTS_SPNEGO +# include "spnegokrb5.h" +#endif #endif /* KRB5 */ #ifdef KRB4 @@ -86,8 +117,10 @@ #include /* gethostbyname() */ #endif /* KRB4 */ -/* XXX remove dependency on unistd.h ??? */ +#ifndef _WIN32 +/* should be HAVE_UNISTD_H instead */ #include +#endif #ifdef STANDARD20_MODULE_STUFF module AP_MODULE_DECLARE_DATA auth_kerb_module; @@ -118,9 +151,12 @@ typedef struct { char *krb_auth_realms; int krb_save_credentials; int krb_verify_kdc; - char *krb_service_name; + const char *krb_service_name; int krb_authoritative; int krb_delegate_basic; +#if 0 + int krb_ssl_preauthentication; +#endif #ifdef KRB5 char *krb_5_keytab; int krb_method_gssapi; @@ -137,18 +173,18 @@ set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf, int use_krb4, int use_krb5pwd, char *negotiate_ret_value); static const char* -krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, char *arg); +krb5_save_realms(cmd_parms *cmd, void *sec, const char *arg); #ifdef STANDARD20_MODULE_STUFF #define command(name, func, var, type, usage) \ - AP_INIT_ ## type (name, func, \ - (void*)APR_XtOffsetOf(kerb_auth_config, var), \ - OR_AUTHCFG, usage) + AP_INIT_ ## type (name, (void*) func, \ + (void*)APR_OFFSETOF(kerb_auth_config, var), \ + OR_AUTHCFG | RSRC_CONF, usage) #else #define command(name, func, var, type, usage) \ { name, func, \ (void*)XtOffsetOf(kerb_auth_config, var), \ - OR_AUTHCFG, type, usage } + OR_AUTHCFG | RSRC_CONF, type, usage } #endif static const command_rec kerb_auth_cmds[] = { @@ -165,7 +201,7 @@ static const command_rec kerb_auth_cmds[] = { FLAG, "Verify tickets against keytab to prevent KDC spoofing attacks."), command("KrbServiceName", ap_set_string_slot, krb_service_name, - TAKE1, "Service name to be used by Apache for authentication."), + TAKE1, "Full or partial service name to be used by Apache for authentication."), command("KrbAuthoritative", ap_set_flag_slot, krb_authoritative, FLAG, "Set to 'off' to allow access control to be passed along to lower modules iff the UserID is not known to this module."), @@ -173,6 +209,11 @@ static const command_rec kerb_auth_cmds[] = { command("KrbDelegateBasic", ap_set_flag_slot, krb_delegate_basic, FLAG, "Always offer Basic authentication regardless of KrbMethodK5Pass and pass on authentication to lower modules if Basic headers arrive."), +#if 0 + command("KrbEnableSSLPreauthentication", ap_set_flag_slot, krb_ssl_preauthentication, + FLAG, "Don't do Kerberos authentication if the user is already authenticated using SSL and her client certificate."), +#endif + #ifdef KRB5 command("Krb5Keytab", ap_set_file_slot, krb_5_keytab, TAKE1, "Location of Kerberos V5 keytab file."), @@ -195,12 +236,47 @@ static const command_rec kerb_auth_cmds[] = { { NULL } }; +#ifdef _WIN32 +int +mkstemp(char *template) +{ + int start, i; + pid_t val; + val = getpid(); + start = strlen(template) - 1; + while(template[start] == 'X') { + template[start] = '0' + val % 10; + val /= 10; + start--; + } + + do{ + int fd; + fd = open(template, O_RDWR | O_CREAT | O_EXCL, 0600); + if(fd >= 0 || errno != EEXIST) + return fd; + i = start + 1; + do{ + if(template[i] == 0) + return -1; + template[i]++; + if(template[i] == '9' + 1) + template[i] = 'a'; + if(template[i] <= 'z') + break; + template[i] = 'a'; + i++; + }while(1); + }while(1); +} +#endif + #if defined(KRB5) && !defined(HEIMDAL) /* Needed to work around problems with replay caches */ #include "mit-internals.h" /* This is our replacement krb5_rc_store function */ -static krb5_error_code +static krb5_error_code KRB5_LIB_FUNCTION mod_auth_kerb_rc_store(krb5_context context, krb5_rcache rcache, krb5_donot_replay_internal *donot_replay) { @@ -233,9 +309,12 @@ static void *kerb_dir_create_config(MK_POOL *p, char *d) rec = (kerb_auth_config *) ap_pcalloc(p, sizeof(kerb_auth_config)); ((kerb_auth_config *)rec)->krb_verify_kdc = 1; - ((kerb_auth_config *)rec)->krb_service_name = "HTTP"; + ((kerb_auth_config *)rec)->krb_service_name = NULL; ((kerb_auth_config *)rec)->krb_authoritative = 1; ((kerb_auth_config *)rec)->krb_delegate_basic = 0; +#if 0 + ((kerb_auth_config *)rec)->krb_ssl_preauthentication = 0; +#endif #ifdef KRB5 ((kerb_auth_config *)rec)->krb_method_k5pass = 1; ((kerb_auth_config *)rec)->krb_method_gssapi = 1; @@ -247,14 +326,16 @@ static void *kerb_dir_create_config(MK_POOL *p, char *d) } static const char* -krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, char *arg) +krb5_save_realms(cmd_parms *cmd, void *vsec, const char *arg) { + kerb_auth_config *sec = (kerb_auth_config *) vsec; sec->krb_auth_realms= ap_pstrdup(cmd->pool, arg); return NULL; } -void log_rerror(const char *file, int line, int level, int status, - const request_rec *r, const char *fmt, ...) +static void +log_rerror(const char *file, int line, int level, int status, + const request_rec *r, const char *fmt, ...) { char errstr[1024]; va_list ap; @@ -368,7 +449,7 @@ authenticate_user_krb4pwd(request_rec *r, sent_name = ap_getword (r->pool, &sent_pw, ':'); /* do not allow user to override realm setting of server */ - if (strchr(sent_name, '@')) { + if (ap_strchr_c(sent_name, '@')) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "specifying realm in user name is prohibited"); return HTTP_UNAUTHORIZED; @@ -408,6 +489,7 @@ authenticate_user_krb4pwd(request_rec *r, realm = lrealm; } + /* XXX conf->krb_service_name */ ret = verify_krb4_user(r, (char *)sent_name, (sent_instance) ? sent_instance : "", (char *)realm, (char *)sent_pw, @@ -465,7 +547,7 @@ end: * we had to use this call instead, which is only a bit modified version of * krb5_verify_init_creds() */ static krb5_error_code -verify_krb5_init_creds(krb5_context context, krb5_creds *creds, +verify_krb5_init_creds(request_rec *r, krb5_context context, krb5_creds *creds, krb5_principal ap_req_server, krb5_keytab ap_req_keytab) { krb5_error_code ret; @@ -474,6 +556,7 @@ verify_krb5_init_creds(krb5_context context, krb5_creds *creds, krb5_creds *new_creds = NULL; krb5_auth_context auth_context = NULL; krb5_keytab keytab = NULL; + char *server_name; memset(&req, 0, sizeof(req)); @@ -485,16 +568,35 @@ verify_krb5_init_creds(krb5_context context, krb5_creds *creds, keytab = ap_req_keytab; ret = krb5_cc_resolve(context, "MEMORY:", &local_ccache); - if (ret) + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_cc_resolve() failed when verifying KDC"); return ret; + } ret = krb5_cc_initialize(context, local_ccache, creds->client); - if (ret) + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_cc_initialize() failed when verifying KDC"); goto end; + } ret = krb5_cc_store_cred (context, local_ccache, creds); - if (ret) + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_cc_initialize() failed when verifying KDC"); + goto end; + } + + ret = krb5_unparse_name(context, ap_req_server, &server_name); + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_unparse_name() failed when verifying KDC"); goto end; + } + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Trying to verify authenticity of KDC using principal %s", server_name); + free(server_name); if (!krb5_principal_compare (context, ap_req_server, creds->server)) { krb5_creds match_cred; @@ -506,28 +608,47 @@ verify_krb5_init_creds(krb5_context context, krb5_creds *creds, ret = krb5_get_credentials (context, 0, local_ccache, &match_cred, &new_creds); - if (ret) + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_get_credentials() failed when verifying KDC"); goto end; + } creds = new_creds; } ret = krb5_mk_req_extended (context, &auth_context, 0, NULL, creds, &req); - if (ret) + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_mk_req_extended() failed when verifying KDC"); goto end; + } krb5_auth_con_free (context, auth_context); auth_context = NULL; ret = krb5_auth_con_init(context, &auth_context); - if (ret) + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_auth_con_init() failed when verifying KDC"); goto end; + } /* use KRB5_AUTH_CONTEXT_DO_SEQUENCE to skip replay cache checks */ krb5_auth_con_setflags(context, auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE); ret = krb5_rd_req (context, &auth_context, &req, ap_req_server, keytab, 0, NULL); + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_rd_req() failed when verifying KDC"); + goto end; + } end: +#ifdef HEIMDAL + /* XXX Do I ever want to support Heimdal 0.4 ??? */ + krb5_data_free(&req); +#else krb5_free_data_contents(context, &req); +#endif if (auth_context) krb5_auth_con_free (context, auth_context); if (new_creds) @@ -543,13 +664,13 @@ end: /* Inspired by krb5_verify_user from Heimdal */ static krb5_error_code verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal, - const char *password, const char *service, krb5_keytab keytab, - int krb_verify_kdc, krb5_ccache *ccache) + const char *password, krb5_principal server, + krb5_keytab keytab, int krb_verify_kdc, krb5_ccache *ccache) { krb5_creds creds; - krb5_principal server = NULL; krb5_error_code ret; krb5_ccache ret_ccache = NULL; + char *name = NULL; /* XXX error messages shouldn't be logged here (and in the while() loop in * authenticate_user_krb5pwd() as weell), in order to avoid confusing log @@ -557,6 +678,13 @@ verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal, memset(&creds, 0, sizeof(creds)); + ret = krb5_unparse_name(context, principal, &name); + if (ret == 0) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Trying to get TGT for user %s", name); + free(name); + } + ret = krb5_get_init_creds_password(context, &creds, principal, (char *)password, NULL, NULL, 0, NULL, NULL); @@ -564,18 +692,8 @@ verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal, log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "krb5_get_init_creds_password() failed: %s", krb5_get_err_text(context, ret)); - return ret; - } - - ret = krb5_sname_to_principal(context, ap_get_server_name(r), service, - KRB5_NT_UNKNOWN, &server); - if (ret) { - log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "krb5_sname_to_principal() failed: %s", - krb5_get_err_text(context, ret)); goto end; } - /* XXX log_debug: lookig for in keytab */ /* XXX { @@ -589,7 +707,7 @@ verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal, */ if (krb_verify_kdc && - (ret = verify_krb5_init_creds(context, &creds, server, keytab))) { + (ret = verify_krb5_init_creds(r, context, &creds, server, keytab))) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "failed to verify krb5 credentials: %s", krb5_get_err_text(context, ret)); @@ -624,8 +742,6 @@ verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal, end: krb5_free_cred_contents(context, &creds); - if (server) - krb5_free_principal(context, server); if (ret_ccache) krb5_cc_destroy(context, ret_ccache); @@ -760,21 +876,25 @@ store_krb5_creds(krb5_context kcontext, } -int authenticate_user_krb5pwd(request_rec *r, - kerb_auth_config *conf, - const char *auth_line) +static int +authenticate_user_krb5pwd(request_rec *r, + kerb_auth_config *conf, + const char *auth_line) { const char *sent_pw = NULL; const char *sent_name = NULL; const char *realms = NULL; + const char *realm = NULL; krb5_context kcontext = NULL; krb5_error_code code; krb5_principal client = NULL; + krb5_principal server = NULL; krb5_ccache ccache = NULL; krb5_keytab keytab = NULL; int ret; char *name = NULL; int all_principals_unkown; + char *p = NULL; code = krb5_init_context(&kcontext); if (code) { @@ -785,13 +905,6 @@ int authenticate_user_krb5pwd(request_rec *r, sent_pw = ap_pbase64decode(r->pool, auth_line); sent_name = ap_getword (r->pool, &sent_pw, ':'); - /* do not allow user to override realm setting of server */ - if (strchr(sent_name, '@')) { - log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "specifying realm in user name is prohibited"); - ret = HTTP_UNAUTHORIZED; - goto end; - } if (sent_pw == NULL || *sent_pw == '\0') { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, @@ -803,22 +916,58 @@ int authenticate_user_krb5pwd(request_rec *r, if (conf->krb_5_keytab) krb5_kt_resolve(kcontext, conf->krb_5_keytab, &keytab); - all_principals_unkown = 1; - realms = conf->krb_auth_realms; - do { - if (realms && (code = krb5_set_default_realm(kcontext, - ap_getword_white(r->pool, &realms)))){ + if (conf->krb_service_name && strchr(conf->krb_service_name, '/') != NULL) + ret = krb5_parse_name (kcontext, conf->krb_service_name, &server); + else + ret = krb5_sname_to_principal(kcontext, ap_get_server_name(r), + (conf->krb_service_name) ? conf->krb_service_name : SERVICE_NAME, + KRB5_NT_SRV_HST, &server); + + if (ret) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Error parsing server name (%s): %s", + (conf->krb_service_name) ? conf->krb_service_name : SERVICE_NAME, + krb5_get_err_text(kcontext, ret)); + ret = HTTP_UNAUTHORIZED; + goto end; + } + + code = krb5_unparse_name(kcontext, server, &name); + if (code) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "krb5_unparse_name() failed: %s", + krb5_get_err_text(kcontext, code)); + ret = HTTP_UNAUTHORIZED; + goto end; + } + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Using %s as server principal for password verification", name); + free(name); + name = NULL; + + p = strchr(sent_name, '@'); + if (p) { + *p++ = '\0'; + if (conf->krb_auth_realms && !ap_find_token(r->pool, conf->krb_auth_realms, p)) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "krb5_set_default_realm() failed: %s", - krb5_get_err_text(kcontext, code)); - continue; + "Specified realm `%s' not allowed by configuration", p); + ret = HTTP_UNAUTHORIZED; + goto end; } + } + + realms = (p) ? p : conf->krb_auth_realms; + all_principals_unkown = 1; + do { + name = (char *) sent_name; + if (realms && (realm = ap_getword_white(r->pool, &realms))) + name = ap_psprintf(r->pool, "%s@%s", sent_name, realm); if (client) { krb5_free_principal(kcontext, client); client = NULL; } - code = krb5_parse_name(kcontext, sent_name, &client); + + code = krb5_parse_name(kcontext, name, &client); if (code) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "krb5_parse_name() failed: %s", @@ -826,9 +975,8 @@ int authenticate_user_krb5pwd(request_rec *r, continue; } - code = verify_krb5_user(r, kcontext, client, sent_pw, - conf->krb_service_name, - keytab, conf->krb_verify_kdc, &ccache); + code = verify_krb5_user(r, kcontext, client, sent_pw, + server, keytab, conf->krb_verify_kdc, &ccache); if (!conf->krb_authoritative && code) { /* if we're not authoritative, we allow authentication to pass on * to another modules if (and only if) the user is not known to us */ @@ -871,8 +1019,13 @@ int authenticate_user_krb5pwd(request_rec *r, ret = OK; end: + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "kerb_authenticate_user_krb5pwd ret=%d user=%s authtype=%s", + ret, (MK_USER)?MK_USER:"(NULL)", (MK_AUTH_TYPE)?MK_AUTH_TYPE:"(NULL)"); if (client) krb5_free_principal(kcontext, client); + if (server) + krb5_free_principal(kcontext, server); if (ccache) krb5_cc_destroy(kcontext, ccache); if (keytab) @@ -980,20 +1133,27 @@ get_gss_creds(request_rec *r, kerb_auth_config *conf, gss_cred_id_t *server_creds) { - gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; + gss_buffer_desc token = GSS_C_EMPTY_BUFFER; OM_uint32 major_status, minor_status, minor_status2; gss_name_t server_name = GSS_C_NO_NAME; char buf[1024]; + int have_server_princ; - snprintf(buf, sizeof(buf), "%s@%s", conf->krb_service_name, - ap_get_server_name(r)); + have_server_princ = conf->krb_service_name && strchr(conf->krb_service_name, '/') != NULL; + if (have_server_princ) + strncpy(buf, conf->krb_service_name, sizeof(buf)); + else + snprintf(buf, sizeof(buf), "%s@%s", + (conf->krb_service_name) ? conf->krb_service_name : SERVICE_NAME, + ap_get_server_name(r)); - input_token.value = buf; - input_token.length = strlen(buf) + 1; + token.value = buf; + token.length = strlen(buf) + 1; - major_status = gss_import_name(&minor_status, &input_token, - GSS_C_NT_HOSTBASED_SERVICE, + major_status = gss_import_name(&minor_status, &token, + (have_server_princ) ? GSS_KRB5_NT_PRINCIPAL_NAME : GSS_C_NT_HOSTBASED_SERVICE, &server_name); + memset(&token, 0, sizeof(token)); if (GSS_ERROR(major_status)) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "%s", get_gss_error(r->pool, major_status, minor_status, @@ -1001,7 +1161,19 @@ get_gss_creds(request_rec *r, return HTTP_INTERNAL_SERVER_ERROR; } - log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s", buf); + major_status = gss_display_name(&minor_status, server_name, &token, NULL); + if (GSS_ERROR(major_status)) { + /* Perhaps we could just ignore this error but it's safer to give up now, + I think */ + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "%s", get_gss_error(r->pool, major_status, minor_status, + "gss_display_name() failed")); + return HTTP_INTERNAL_SERVER_ERROR; + } + + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s", + token.value); + gss_release_buffer(&minor_status, &token); major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, GSS_C_ACCEPT, @@ -1047,8 +1219,6 @@ cmp_gss_type(gss_buffer_t token, gss_OID oid) if (token->length == 0) return GSS_S_DEFECTIVE_TOKEN; - /* XXX if (token->value == NTLMSSP) log_debug("NTLM mechanism used"); */ - p = token->value; if (*p++ != 0x60) return GSS_S_DEFECTIVE_TOKEN; @@ -1078,7 +1248,11 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, int ret; gss_name_t client_name = GSS_C_NO_NAME; gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL; - OM_uint32 (*accept_sec_token)(); + OM_uint32 (KRB5_LIB_FUNCTION *accept_sec_token) + (OM_uint32 *, gss_ctx_id_t *, const gss_cred_id_t, + const gss_buffer_t, const gss_channel_bindings_t, + gss_name_t *, gss_OID *, gss_buffer_t, OM_uint32 *, + OM_uint32 *, gss_cred_id_t *); gss_OID_desc spnego_oid; gss_ctx_id_t context = GSS_C_NO_CONTEXT; gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL; @@ -1101,6 +1275,10 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, } sprintf(ktname, "KRB5_KTNAME=%s", conf->krb_5_keytab); putenv(ktname); +#ifdef HEIMDAL + /* Seems to be also supported by latest MIT */ + gsskrb5_register_acceptor_identity(conf->krb_5_keytab); +#endif } ret = get_gss_creds(r, conf, &server_creds); @@ -1126,8 +1304,12 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, } input_token.length = ap_base64decode(input_token.value, auth_param); +#ifdef GSSAPI_SUPPORTS_SPNEGO + accept_sec_token = gss_accept_sec_context; +#else accept_sec_token = (cmp_gss_type(&input_token, &spnego_oid) == 0) ? gss_accept_sec_context_spnego : gss_accept_sec_context; +#endif log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Verifying client data using %s", (accept_sec_token == gss_accept_sec_context) @@ -1145,6 +1327,8 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, NULL, NULL, &delegated_cred); + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Verification returned code %d", major_status); if (output_token.length) { char *token = NULL; size_t len; @@ -1162,12 +1346,17 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, token[len] = '\0'; *negotiate_ret_value = token; log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "Verification suceeded, GSS-API token of length %d bytes will be sent back", + "GSS-API token of length %d bytes will be sent back", output_token.length); gss_release_buffer(&minor_status2, &output_token); + set_kerb_auth_headers(r, conf, 0, 0, *negotiate_ret_value); } if (GSS_ERROR(major_status)) { + if (input_token.length > 7 && memcmp(input_token.value, "NTLMSSP", 7) == 0) + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration."); + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "%s", get_gss_error(r->pool, major_status, minor_status, "gss_accept_sec_context() failed")); @@ -1197,15 +1386,12 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, goto end; } - MK_AUTH_TYPE = "Negotiate"; + MK_AUTH_TYPE = MECH_NEGOTIATE; MK_USER = ap_pstrdup(r->pool, output_token.value); if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL) store_gss_creds(r, conf, (char *)output_token.value, delegated_cred); - if (*negotiate_ret_value) - set_kerb_auth_headers(r, conf, 0, 0, *negotiate_ret_value); - gss_release_buffer(&minor_status, &output_token); ret = OK; @@ -1235,7 +1421,7 @@ already_succeeded(request_rec *r) { if (ap_is_initial_req(r) || MK_AUTH_TYPE == NULL) return 0; - if (strcmp(MK_AUTH_TYPE, "Negotiate") || + if (strcmp(MK_AUTH_TYPE, MECH_NEGOTIATE) || (strcmp(MK_AUTH_TYPE, "Basic") && strchr(MK_USER, '@'))) return 1; return 0; @@ -1258,8 +1444,8 @@ set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf, * apache in the proxy mode should retain client's authN headers? */ #ifdef KRB5 if (negotiate_ret_value != NULL && conf->krb_method_gssapi) { - negoauth_param = (*negotiate_ret_value == '\0') ? "Negotiate" : - ap_pstrcat(r->pool, "Negotiate ", negotiate_ret_value, NULL); + negoauth_param = (*negotiate_ret_value == '\0') ? MECH_NEGOTIATE : + ap_pstrcat(r->pool, MECH_NEGOTIATE " ", negotiate_ret_value, NULL); ap_table_add(r->err_headers_out, header_name, negoauth_param); } if ((use_krb5pwd && conf->krb_method_k5pass) || conf->krb_delegate_basic) { @@ -1277,7 +1463,8 @@ set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf, #endif } -int kerb_authenticate_user(request_rec *r) +static int +kerb_authenticate_user(request_rec *r) { kerb_auth_config *conf = (kerb_auth_config *) ap_get_module_config(r->per_dir_config, @@ -1293,15 +1480,29 @@ int kerb_authenticate_user(request_rec *r) /* get the type specified in .htaccess */ type = ap_auth_type(r); + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "kerb_authenticate_user entered with user %s and auth_type %s", + (MK_USER)?MK_USER:"(NULL)",type?type:"(NULL)"); + if (type && strcasecmp(type, "Kerberos") == 0) use_krb5 = use_krb4 = 1; else if(type && strcasecmp(type, "KerberosV5") == 0) - use_krb4 = 0; + use_krb5 = 1; else if(type && strcasecmp(type, "KerberosV4") == 0) - use_krb5 = 0; + use_krb4 = 1; else return DECLINED; +#if 0 + if (conf->krb_ssl_preauthentication) { + const char *ssl_client_verify = ssl_var_lookup(r->pool, r->server, + r->connection, r, "SSL_CLIENT_VERIFY"); + + if (ssl_client_verify && strcmp(ssl_client_verify, "SUCCESS") == 0) + return OK; + } +#endif + /* get what the user sent us in the HTTP header */ auth_line = MK_TABLE_GET(r->headers_in, (r->proxyreq == PROXYREQ_PROXY) ? "Proxy-Authorization" @@ -1331,7 +1532,7 @@ int kerb_authenticate_user(request_rec *r) #ifdef KRB5 if (use_krb5 && conf->krb_method_gssapi && - strcasecmp(auth_type, "Negotiate") == 0) { + strcasecmp(auth_type, MECH_NEGOTIATE) == 0) { ret = authenticate_user_gss(r, conf, auth_line, &negotiate_ret_value); } else if (use_krb5 && conf->krb_method_k5pass && strcasecmp(auth_type, "Basic") == 0) { @@ -1395,7 +1596,8 @@ kerb_init_handler(apr_pool_t *p, apr_pool_t *plog, return OK; } -void kerb_register_hooks(apr_pool_t *p) +static void +kerb_register_hooks(apr_pool_t *p) { ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE); ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE);