X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=src%2Fmod_auth_kerb.c;h=4b6512bad1aec4468dc1df24a9301bc0f54fdd3d;hb=e2d72778719af5da5fe4fa6b3f51f3bee2bdc295;hp=fd00cf166fdca3d258b05293209fe30054d5b300;hpb=8cff436365a7b5e1755fe52d44cd2498b2c6b364;p=mod_auth_kerb.git

diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c
index fd00cf1..4b6512b 100644
--- a/src/mod_auth_kerb.c
+++ b/src/mod_auth_kerb.c
@@ -11,7 +11,7 @@
  */
 
 /*
- * Copyright (c) 2004 Masarykova universita
+ * Copyright (c) 2004-2006 Masarykova universita
  * (Masaryk University, Brno, Czech Republic)
  * All rights reserved.
  *
@@ -50,8 +50,10 @@
 #include <stdio.h>
 #include <stdarg.h>
 
-#define MODAUTHKERB_VERSION "5.0-rc6"
+#define MODAUTHKERB_VERSION "5.0-rc7"
+
 #define MECH_NEGOTIATE "Negotiate"
+#define SERVICE_NAME "HTTP"
 
 #include <httpd.h>
 #include <http_config.h>
@@ -61,9 +63,31 @@
 #include <http_request.h>
 
 #ifdef STANDARD20_MODULE_STUFF
-#include <ap_compat.h>
 #include <apr_strings.h>
 #include <apr_base64.h>
+
+#define ap_null_cleanup NULL
+#define ap_register_cleanup apr_pool_cleanup_register
+
+#define ap_pstrdup apr_pstrdup
+#define ap_pstrcat apr_pstrcat
+#define ap_pcalloc apr_pcalloc
+#define ap_psprintf apr_psprintf
+
+#define ap_base64decode_len apr_base64_decode_len
+#define ap_base64decode apr_base64_decode
+#define ap_base64encode_len apr_base64_encode_len
+#define ap_base64encode apr_base64_encode
+
+#define ap_table_setn apr_table_setn
+#define ap_table_add apr_table_add
+#else
+#define ap_pstrchr_c strchr
+#endif /* STANDARD20_MODULE_STUFF */
+
+#ifdef _WIN32
+#define vsnprintf _vsnprintf
+#define snprintf _snprintf
 #endif
 
 #ifdef KRB5
@@ -78,7 +102,9 @@
 #  define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
 #  define krb5_get_err_text(context,code) error_message(code)
 #endif
-#include "spnegokrb5.h"
+#ifndef GSSAPI_SUPPORTS_SPNEGO
+#  include "spnegokrb5.h"
+#endif
 #endif /* KRB5 */
 
 #ifdef KRB4
@@ -91,11 +117,8 @@
 #include <netdb.h> /* gethostbyname() */
 #endif /* KRB4 */
 
-#ifdef WIN32
-#define vsnprintf _vsnprintf
-#define snprintf _snprintf
-#else
-/* XXX remove dependency on unistd.h ??? */
+#ifndef _WIN32
+/* should be HAVE_UNISTD_H instead */
 #include <unistd.h>
 #endif
 
@@ -128,9 +151,12 @@ typedef struct {
 	char *krb_auth_realms;
 	int krb_save_credentials;
 	int krb_verify_kdc;
-	char *krb_service_name;
+	const char *krb_service_name;
 	int krb_authoritative;
 	int krb_delegate_basic;
+#if 0
+	int krb_ssl_preauthentication;
+#endif
 #ifdef KRB5
 	char *krb_5_keytab;
 	int krb_method_gssapi;
@@ -147,12 +173,12 @@ set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf,
                       int use_krb4, int use_krb5pwd, char *negotiate_ret_value);
 
 static const char*
-krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, const char *arg);
+krb5_save_realms(cmd_parms *cmd, void *sec, const char *arg);
 
 #ifdef STANDARD20_MODULE_STUFF
 #define command(name, func, var, type, usage)           \
   AP_INIT_ ## type (name, (void*) func,                 \
-        (void*)APR_XtOffsetOf(kerb_auth_config, var),   \
+        (void*)APR_OFFSETOF(kerb_auth_config, var),     \
         OR_AUTHCFG | RSRC_CONF, usage)
 #else
 #define command(name, func, var, type, usage) 		\
@@ -175,7 +201,7 @@ static const command_rec kerb_auth_cmds[] = {
      FLAG, "Verify tickets against keytab to prevent KDC spoofing attacks."),
 
    command("KrbServiceName", ap_set_string_slot, krb_service_name,
-     TAKE1, "Service name to be used by Apache for authentication."),
+     TAKE1, "Full or partial service name to be used by Apache for authentication."),
 
    command("KrbAuthoritative", ap_set_flag_slot, krb_authoritative,
      FLAG, "Set to 'off' to allow access control to be passed along to lower modules iff the UserID is not known to this module."),
@@ -183,6 +209,11 @@ static const command_rec kerb_auth_cmds[] = {
    command("KrbDelegateBasic", ap_set_flag_slot, krb_delegate_basic,
      FLAG, "Always offer Basic authentication regardless of KrbMethodK5Pass and pass on authentication to lower modules if Basic headers arrive."),
 
+#if 0
+   command("KrbEnableSSLPreauthentication", ap_set_flag_slot, krb_ssl_preauthentication,
+     FLAG, "Don't do Kerberos authentication if the user is already authenticated using SSL and her client certificate."),
+#endif
+
 #ifdef KRB5
    command("Krb5Keytab", ap_set_file_slot, krb_5_keytab,
      TAKE1, "Location of Kerberos V5 keytab file."),
@@ -205,7 +236,7 @@ static const command_rec kerb_auth_cmds[] = {
    { NULL }
 };
 
-#ifdef WIN32
+#ifdef _WIN32
 int
 mkstemp(char *template)
 {
@@ -245,7 +276,7 @@ mkstemp(char *template)
 #include "mit-internals.h"
 
 /* This is our replacement krb5_rc_store function */
-static krb5_error_code
+static krb5_error_code KRB5_LIB_FUNCTION
 mod_auth_kerb_rc_store(krb5_context context, krb5_rcache rcache,
                        krb5_donot_replay_internal *donot_replay)
 {
@@ -278,9 +309,12 @@ static void *kerb_dir_create_config(MK_POOL *p, char *d)
 
 	rec = (kerb_auth_config *) ap_pcalloc(p, sizeof(kerb_auth_config));
         ((kerb_auth_config *)rec)->krb_verify_kdc = 1;
-	((kerb_auth_config *)rec)->krb_service_name = "HTTP";
+	((kerb_auth_config *)rec)->krb_service_name = NULL;
 	((kerb_auth_config *)rec)->krb_authoritative = 1;
 	((kerb_auth_config *)rec)->krb_delegate_basic = 0;
+#if 0
+	((kerb_auth_config *)rec)->krb_ssl_preauthentication = 0;
+#endif
 #ifdef KRB5
 	((kerb_auth_config *)rec)->krb_method_k5pass = 1;
 	((kerb_auth_config *)rec)->krb_method_gssapi = 1;
@@ -292,14 +326,16 @@ static void *kerb_dir_create_config(MK_POOL *p, char *d)
 }
 
 static const char*
-krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, const char *arg)
+krb5_save_realms(cmd_parms *cmd, void *vsec, const char *arg)
 {
+   kerb_auth_config *sec = (kerb_auth_config *) vsec;
    sec->krb_auth_realms= ap_pstrdup(cmd->pool, arg);
    return NULL;
 }
 
-void log_rerror(const char *file, int line, int level, int status,
-                const request_rec *r, const char *fmt, ...)
+static void
+log_rerror(const char *file, int line, int level, int status,
+           const request_rec *r, const char *fmt, ...)
 {
    char errstr[1024];
    va_list ap;
@@ -413,7 +449,7 @@ authenticate_user_krb4pwd(request_rec *r,
    sent_name = ap_getword (r->pool, &sent_pw, ':');
 
    /* do not allow user to override realm setting of server */
-   if (strchr(sent_name, '@')) {
+   if (ap_strchr_c(sent_name, '@')) {
       log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 	         "specifying realm in user name is prohibited");
       return HTTP_UNAUTHORIZED;
@@ -453,6 +489,7 @@ authenticate_user_krb4pwd(request_rec *r,
 	 realm = lrealm;
       }
 
+      /* XXX conf->krb_service_name */
       ret = verify_krb4_user(r, (char *)sent_name, 
 	                     (sent_instance) ? sent_instance : "",
 	    		     (char *)realm, (char *)sent_pw,
@@ -627,11 +664,10 @@ end:
 /* Inspired by krb5_verify_user from Heimdal */
 static krb5_error_code
 verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
-      		 const char *password, const char *service, krb5_keytab keytab,
-		 int krb_verify_kdc, krb5_ccache *ccache)
+      		 const char *password, krb5_principal server,
+		 krb5_keytab keytab, int krb_verify_kdc, krb5_ccache *ccache)
 {
    krb5_creds creds;
-   krb5_principal server = NULL;
    krb5_error_code ret;
    krb5_ccache ret_ccache = NULL;
    char *name = NULL;
@@ -659,16 +695,6 @@ verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
       goto end;
    }
 
-   ret = krb5_sname_to_principal(context, ap_get_server_name(r), service, 
-	 			 KRB5_NT_SRV_HST, &server);
-   if (ret) {
-      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-	         "krb5_sname_to_principal() failed: %s",
-		 krb5_get_err_text(context, ret));
-      goto end;
-   }
-   /* XXX log_debug: lookig for <server_princ> in keytab */
-
    /* XXX
    {
       char *realm;
@@ -716,8 +742,6 @@ verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
 
 end:
    krb5_free_cred_contents(context, &creds);
-   if (server)
-      krb5_free_principal(context, server);
    if (ret_ccache)
       krb5_cc_destroy(context, ret_ccache);
 
@@ -852,9 +876,10 @@ store_krb5_creds(krb5_context kcontext,
 }
 
 
-int authenticate_user_krb5pwd(request_rec *r,
-	                      kerb_auth_config *conf,
-			      const char *auth_line)
+static int
+authenticate_user_krb5pwd(request_rec *r,
+                          kerb_auth_config *conf,
+                          const char *auth_line)
 {
    const char      *sent_pw = NULL; 
    const char      *sent_name = NULL;
@@ -863,6 +888,7 @@ int authenticate_user_krb5pwd(request_rec *r,
    krb5_context    kcontext = NULL;
    krb5_error_code code;
    krb5_principal  client = NULL;
+   krb5_principal  server = NULL;
    krb5_ccache     ccache = NULL;
    krb5_keytab     keytab = NULL;
    int             ret;
@@ -890,6 +916,34 @@ int authenticate_user_krb5pwd(request_rec *r,
    if (conf->krb_5_keytab)
       krb5_kt_resolve(kcontext, conf->krb_5_keytab, &keytab);
 
+   if (conf->krb_service_name && strchr(conf->krb_service_name, '/') != NULL)
+      ret = krb5_parse_name (kcontext, conf->krb_service_name, &server);
+   else
+      ret = krb5_sname_to_principal(kcontext, ap_get_server_name(r),
+	    			    (conf->krb_service_name) ? conf->krb_service_name : SERVICE_NAME,
+				    KRB5_NT_SRV_HST, &server);
+
+   if (ret) {
+      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+	         "Error parsing server name (%s): %s",
+		 (conf->krb_service_name) ? conf->krb_service_name : SERVICE_NAME,
+		 krb5_get_err_text(kcontext, ret));
+      ret = HTTP_UNAUTHORIZED;
+      goto end;
+   }
+
+   code = krb5_unparse_name(kcontext, server, &name);
+   if (code) {
+      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+	         "krb5_unparse_name() failed: %s",
+		 krb5_get_err_text(kcontext, code));
+      ret = HTTP_UNAUTHORIZED;
+      goto end;
+   }
+   log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Using %s as server principal for password verification", name);
+   free(name);
+   name = NULL;
+
    p = strchr(sent_name, '@');
    if (p) {
       *p++ = '\0';
@@ -921,9 +975,8 @@ int authenticate_user_krb5pwd(request_rec *r,
 	 continue;
       }
 
-      code = verify_krb5_user(r, kcontext, client, sent_pw, 
-	    		      conf->krb_service_name, 
-	    		      keytab, conf->krb_verify_kdc, &ccache);
+      code = verify_krb5_user(r, kcontext, client, sent_pw,
+	    		      server, keytab, conf->krb_verify_kdc, &ccache);
       if (!conf->krb_authoritative && code) {
 	 /* if we're not authoritative, we allow authentication to pass on
 	  * to another modules if (and only if) the user is not known to us */
@@ -971,6 +1024,8 @@ end:
 	      ret, (MK_USER)?MK_USER:"(NULL)", (MK_AUTH_TYPE)?MK_AUTH_TYPE:"(NULL)");
    if (client)
       krb5_free_principal(kcontext, client);
+   if (server)
+      krb5_free_principal(kcontext, server);
    if (ccache)
       krb5_cc_destroy(kcontext, ccache);
    if (keytab)
@@ -1082,15 +1137,21 @@ get_gss_creds(request_rec *r,
    OM_uint32 major_status, minor_status, minor_status2;
    gss_name_t server_name = GSS_C_NO_NAME;
    char buf[1024];
+   int have_server_princ;
 
-   snprintf(buf, sizeof(buf), "%s@%s", conf->krb_service_name,
-	    ap_get_server_name(r));
+   have_server_princ = conf->krb_service_name && strchr(conf->krb_service_name, '/') != NULL;
+   if (have_server_princ)
+      strncpy(buf, conf->krb_service_name, sizeof(buf));
+   else
+      snprintf(buf, sizeof(buf), "%s@%s",
+	       (conf->krb_service_name) ? conf->krb_service_name : SERVICE_NAME,
+	       ap_get_server_name(r));
 
    token.value = buf;
    token.length = strlen(buf) + 1;
 
    major_status = gss_import_name(&minor_status, &token,
-	 			  GSS_C_NT_HOSTBASED_SERVICE,
+	 			  (have_server_princ) ? GSS_KRB5_NT_PRINCIPAL_NAME : GSS_C_NT_HOSTBASED_SERVICE,
 				  &server_name);
    memset(&token, 0, sizeof(token));
    if (GSS_ERROR(major_status)) {
@@ -1187,8 +1248,8 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
   int ret;
   gss_name_t client_name = GSS_C_NO_NAME;
   gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;
-  OM_uint32 
-     (*accept_sec_token)(OM_uint32 *, gss_ctx_id_t *, const gss_cred_id_t,
+  OM_uint32 (KRB5_LIB_FUNCTION *accept_sec_token)
+     			 (OM_uint32 *, gss_ctx_id_t *, const gss_cred_id_t,
 			 const gss_buffer_t, const gss_channel_bindings_t,
 			 gss_name_t *, gss_OID *, gss_buffer_t, OM_uint32 *,
 			 OM_uint32 *, gss_cred_id_t *);
@@ -1243,10 +1304,13 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
   }
   input_token.length = ap_base64decode(input_token.value, auth_param);
 
+#ifdef GSSAPI_SUPPORTS_SPNEGO
+  accept_sec_token = gss_accept_sec_context;
+#else
   accept_sec_token = (cmp_gss_type(&input_token, &spnego_oid) == 0) ?
      			gss_accept_sec_context_spnego : gss_accept_sec_context;
+#endif
 
-  /* pridat: Read client Negotiate data of length XXX, prefix YYY */
   log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Verifying client data using %s",
 	     (accept_sec_token == gss_accept_sec_context)
 	       ? "KRB5 GSS-API"
@@ -1285,6 +1349,7 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
 	        "GSS-API token of length %d bytes will be sent back",
 		output_token.length);
      gss_release_buffer(&minor_status2, &output_token);
+     set_kerb_auth_headers(r, conf, 0, 0, *negotiate_ret_value);
   }
 
   if (GSS_ERROR(major_status)) {
@@ -1327,9 +1392,6 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
   if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
      store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
 
-  if (*negotiate_ret_value)
-     set_kerb_auth_headers(r, conf, 0, 0, *negotiate_ret_value);
-
   gss_release_buffer(&minor_status, &output_token);
 
   ret = OK;
@@ -1401,7 +1463,8 @@ set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf,
 #endif
 }
 
-int kerb_authenticate_user(request_rec *r)
+static int
+kerb_authenticate_user(request_rec *r)
 {
    kerb_auth_config *conf = 
       (kerb_auth_config *) ap_get_module_config(r->per_dir_config,
@@ -1430,6 +1493,16 @@ int kerb_authenticate_user(request_rec *r)
    else
       return DECLINED;
 
+#if 0
+   if (conf->krb_ssl_preauthentication) {
+      const char *ssl_client_verify = ssl_var_lookup(r->pool, r->server,
+	    	r->connection, r, "SSL_CLIENT_VERIFY");
+
+      if (ssl_client_verify && strcmp(ssl_client_verify, "SUCCESS") == 0)
+	 return OK;
+   }
+#endif
+
    /* get what the user sent us in the HTTP header */
    auth_line = MK_TABLE_GET(r->headers_in, (r->proxyreq == PROXYREQ_PROXY)
 	                                    ? "Proxy-Authorization"
@@ -1523,7 +1596,8 @@ kerb_init_handler(apr_pool_t *p, apr_pool_t *plog,
    return OK;
 }
 
-void kerb_register_hooks(apr_pool_t *p)
+static void
+kerb_register_hooks(apr_pool_t *p)
 {
    ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE);
    ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE);