X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=src%2Fmod_auth_kerb.c;h=56e72970e9188eff8792524e4930fc9f272fca2d;hb=853e617855f6253de43c6b0c6e4f9a2119cca8ed;hp=7463e455eb91112277fba947b470f83b9be54531;hpb=ec2d63cb9ee38d1e72a6e0d1d51473a6b83ba515;p=mod_auth_kerb.cvs%2F.git diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c index 7463e45..56e7297 100644 --- a/src/mod_auth_kerb.c +++ b/src/mod_auth_kerb.c @@ -1,70 +1,138 @@ +/* + * Daniel Kouril + * + * Source and Documentation can be found at: + * http://modauthkerb.sourceforge.net/ + * + * Based on work by + * James E. Robinson, III + * Daniel Henninger + * Ludek Sulak + */ + +/* + * Copyright (c) 2004 Masarykova universita + * (Masaryk University, Brno, Czech Republic) + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the University nor the names of its contributors may + * be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + #ident "$Id$" -#include "httpd.h" -#include "http_config.h" -#include "http_core.h" -#include "http_log.h" -#include "http_protocol.h" -#include "http_request.h" +#include "config.h" + +#include +#include +#include + +#define MODAUTHKERB_VERSION "5.0-rc6" +#define MECH_NEGOTIATE "Negotiate" + +#include +#include +#include +#include +#include +#include + +#ifdef STANDARD20_MODULE_STUFF +#include +#include +#include +#endif #ifdef KRB5 #include -#include +#ifdef HEIMDAL +# include +#else +# include +# include +# include +# define GSS_C_NT_USER_NAME gss_nt_user_name +# define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name +# define krb5_get_err_text(context,code) error_message(code) +#endif +#include "spnegokrb5.h" #endif /* KRB5 */ #ifdef KRB4 +/* Prevent warning about closesocket redefinition (Apache's ap_config.h and + * MIT Kerberos' port-sockets.h both define it as close) */ +#ifdef closesocket +# undef closesocket +#endif #include +#include /* gethostbyname() */ #endif /* KRB4 */ -#ifdef APXS1 -module kerb_auth_module; +#ifdef WIN32 +#define vsnprintf _vsnprintf +#define snprintf _snprintf +#else +/* XXX remove dependency on unistd.h ??? */ +#include +#endif + +#ifdef STANDARD20_MODULE_STUFF +module AP_MODULE_DECLARE_DATA auth_kerb_module; #else -module AP_MODULE_DECLARE_DATA kerb_auth_module; +module auth_kerb_module; #endif /*************************************************************************** Macros To Ease Compatibility ***************************************************************************/ -#ifdef APXS1 -#define MK_POOL pool -#define MK_TABLE_GET ap_table_get -#define MK_TABLE_SET ap_table_set -#define MK_TABLE_TYPE table -#define MK_PSTRDUP ap_pstrdup -#define MK_PROXY STD_PROXY -#define MK_USER r->connection->user -#define MK_AUTH_TYPE r->connection->ap_auth_type -#define MK_ARRAY_HEADER array_header -#else +#ifdef STANDARD20_MODULE_STUFF #define MK_POOL apr_pool_t #define MK_TABLE_GET apr_table_get -#define MK_TABLE_SET apr_table_set -#define MK_TABLE_TYPE apr_table_t -#define MK_PSTRDUP apr_pstrdup -#define MK_PROXY PROXYREQ_PROXY #define MK_USER r->user #define MK_AUTH_TYPE r->ap_auth_type -#define MK_ARRAY_HEADER apr_array_header_t -#endif /* APXS1 */ - - - +#else +#define MK_POOL pool +#define MK_TABLE_GET ap_table_get +#define MK_USER r->connection->user +#define MK_AUTH_TYPE r->connection->ap_auth_type +#define PROXYREQ_PROXY STD_PROXY +#endif /*************************************************************************** Auth Configuration Structure ***************************************************************************/ typedef struct { - int krb_auth_enable; char *krb_auth_realms; - int krb_fail_status; - char *krb_force_instance; int krb_save_credentials; - char *krb_tmp_dir; - char *service_name; - char *krb_lifetime; + int krb_verify_kdc; + char *krb_service_name; + int krb_authoritative; + int krb_delegate_basic; #ifdef KRB5 char *krb_5_keytab; - int krb_forwardable; int krb_method_gssapi; int krb_method_k5pass; #endif @@ -74,64 +142,55 @@ typedef struct { #endif } kerb_auth_config; -#ifdef APXS1 +static void +set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf, + int use_krb4, int use_krb5pwd, char *negotiate_ret_value); + +static const char* +krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, char *arg); + +#ifdef STANDARD20_MODULE_STUFF +#define command(name, func, var, type, usage) \ + AP_INIT_ ## type (name, func, \ + (void*)APR_XtOffsetOf(kerb_auth_config, var), \ + OR_AUTHCFG | RSRC_CONF, usage) +#else #define command(name, func, var, type, usage) \ { name, func, \ (void*)XtOffsetOf(kerb_auth_config, var), \ - OR_AUTHCFG, type, usage } -#else -#define command(name, func, var, type, usage) \ - AP_INIT_ ## type (name, func, \ - (void*)APR_XtOffsetOf(kerb_auth_config, var), \ - OR_AUTHCFG, usage) + OR_AUTHCFG | RSRC_CONF, type, usage } #endif static const command_rec kerb_auth_cmds[] = { - command("AuthKerberos", ap_set_flag_slot, krb_auth_enable, - FLAG, "Permit Kerberos auth without AuthType requirement."), - - command("KrbAuthRealm", ap_set_string_slot, krb_auth_realms, - ITERATE, "Realms to attempt authentication against (can be multiple)."), - - command("KrbAuthRealm", ap_set_string_slot, krb_auth_realms, - ITERATE, "Alias for KrbAuthRealm."), - -#if 0 - command("KrbFailStatus", kerb_set_fail_slot, krb_fail_status, - TAKE1, "If auth fails, return status set here."), -#endif + command("KrbAuthRealms", krb5_save_realms, krb_auth_realms, + RAW_ARGS, "Realms to attempt authentication against (can be multiple)."), - command("KrbForceInstance", ap_set_string_slot, krb_force_instance, - TAKE1, "Force authentication against an instance specified here."), + command("KrbAuthRealm", krb5_save_realms, krb_auth_realms, + RAW_ARGS, "Alias for KrbAuthRealms."), command("KrbSaveCredentials", ap_set_flag_slot, krb_save_credentials, FLAG, "Save and store credentials/tickets retrieved during auth."), - command("KrbSaveTickets", ap_set_flag_slot, krb_save_credentials, - FLAG, "Alias for KrbSaveCredentials."), + command("KrbVerifyKDC", ap_set_flag_slot, krb_verify_kdc, + FLAG, "Verify tickets against keytab to prevent KDC spoofing attacks."), - command("KrbTmpdir", ap_set_string_slot, krb_tmp_dir, - TAKE1, "Path to store ticket files and such in."), + command("KrbServiceName", ap_set_string_slot, krb_service_name, + TAKE1, "Service name to be used by Apache for authentication."), - command("KrbServiceName", ap_set_string_slot, service_name, - TAKE1, "Kerberos service name to be used by apache."), + command("KrbAuthoritative", ap_set_flag_slot, krb_authoritative, + FLAG, "Set to 'off' to allow access control to be passed along to lower modules iff the UserID is not known to this module."), -#if 0 - command("KrbLifetime", ap_set_string_slot, krb_lifetime, - TAKE1, "Kerberos ticket lifetime."), -#endif + command("KrbDelegateBasic", ap_set_flag_slot, krb_delegate_basic, + FLAG, "Always offer Basic authentication regardless of KrbMethodK5Pass and pass on authentication to lower modules if Basic headers arrive."), #ifdef KRB5 command("Krb5Keytab", ap_set_file_slot, krb_5_keytab, TAKE1, "Location of Kerberos V5 keytab file."), - command("KrbForwardable", ap_set_flag_slot, krb_forwardable, - FLAG, "Credentials retrieved will be flagged as forwardable."), - - command("KrbMethodGSSAPI", ap_set_flag_slot, krb_method_gssapi, - FLAG, "Enable GSSAPI authentication."), + command("KrbMethodNegotiate", ap_set_flag_slot, krb_method_gssapi, + FLAG, "Enable Negotiate authentication method."), - command("KrbMethodK5Pass", ap_set_flag_slot, krb_method_k5pass, + command("KrbMethodK5Passwd", ap_set_flag_slot, krb_method_k5pass, FLAG, "Enable Kerberos V5 password authentication."), #endif @@ -139,42 +198,75 @@ static const command_rec kerb_auth_cmds[] = { command("Krb4Srvtab", ap_set_file_slot, krb_4_srvtab, TAKE1, "Location of Kerberos V4 srvtab file."), - command("KrbMethodK4Pass", ap_set_flag_slot, krb_method_k4pass, + command("KrbMethodK4Passwd", ap_set_flag_slot, krb_method_k4pass, FLAG, "Enable Kerberos V4 password authentication."), #endif { NULL } }; - -/*************************************************************************** - GSSAPI Support Initialization - ***************************************************************************/ -#ifdef KRB5 -typedef struct { - gss_ctx_id_t context; - gss_cred_id_t server_creds; -} gss_connection_t; - -static gss_connection_t *gss_connection = NULL; - -static void -cleanup_gss_connection(void *data) +#ifdef WIN32 +int +mkstemp(char *template) { - OM_uint32 minor_status; - gss_connection_t *gss_conn = (gss_connection_t *)data; - - if (data == NULL) - return; - if (gss_conn->context != GSS_C_NO_CONTEXT) - gss_delete_sec_context(&minor_status, &gss_conn->context, - GSS_C_NO_BUFFER); - if (gss_conn->server_creds != GSS_C_NO_CREDENTIAL) - gss_release_cred(&minor_status, &gss_conn->server_creds); + int start, i; + pid_t val; + val = getpid(); + start = strlen(template) - 1; + while(template[start] == 'X') { + template[start] = '0' + val % 10; + val /= 10; + start--; + } + + do{ + int fd; + fd = open(template, O_RDWR | O_CREAT | O_EXCL, 0600); + if(fd >= 0 || errno != EEXIST) + return fd; + i = start + 1; + do{ + if(template[i] == 0) + return -1; + template[i]++; + if(template[i] == '9' + 1) + template[i] = 'a'; + if(template[i] <= 'z') + break; + template[i] = 'a'; + i++; + }while(1); + }while(1); } #endif +#if defined(KRB5) && !defined(HEIMDAL) +/* Needed to work around problems with replay caches */ +#include "mit-internals.h" + +/* This is our replacement krb5_rc_store function */ +static krb5_error_code +mod_auth_kerb_rc_store(krb5_context context, krb5_rcache rcache, + krb5_donot_replay_internal *donot_replay) +{ + return 0; +} +/* And this is the operations vector for our replay cache */ +const krb5_rc_ops_internal mod_auth_kerb_rc_ops = { + 0, + "dfl", + krb5_rc_dfl_init, + krb5_rc_dfl_recover, + krb5_rc_dfl_destroy, + krb5_rc_dfl_close, + mod_auth_kerb_rc_store, + krb5_rc_dfl_expunge, + krb5_rc_dfl_get_span, + krb5_rc_dfl_get_name, + krb5_rc_dfl_resolve +}; +#endif /*************************************************************************** @@ -185,8 +277,10 @@ static void *kerb_dir_create_config(MK_POOL *p, char *d) kerb_auth_config *rec; rec = (kerb_auth_config *) ap_pcalloc(p, sizeof(kerb_auth_config)); - ((kerb_auth_config *)rec)->krb_auth_enable = 1; - ((kerb_auth_config *)rec)->krb_fail_status = HTTP_UNAUTHORIZED; + ((kerb_auth_config *)rec)->krb_verify_kdc = 1; + ((kerb_auth_config *)rec)->krb_service_name = "HTTP"; + ((kerb_auth_config *)rec)->krb_authoritative = 1; + ((kerb_auth_config *)rec)->krb_delegate_basic = 0; #ifdef KRB5 ((kerb_auth_config *)rec)->krb_method_k5pass = 1; ((kerb_auth_config *)rec)->krb_method_gssapi = 1; @@ -197,86 +291,440 @@ static void *kerb_dir_create_config(MK_POOL *p, char *d) return rec; } +static const char* +krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, char *arg) +{ + sec->krb_auth_realms= ap_pstrdup(cmd->pool, arg); + return NULL; +} +void log_rerror(const char *file, int line, int level, int status, + const request_rec *r, const char *fmt, ...) +{ + char errstr[1024]; + va_list ap; + va_start(ap, fmt); + vsnprintf(errstr, sizeof(errstr), fmt, ap); + va_end(ap); + +#ifdef STANDARD20_MODULE_STUFF + ap_log_rerror(file, line, level | APLOG_NOERRNO, status, r, "%s", errstr); +#else + ap_log_rerror(file, line, level | APLOG_NOERRNO, r, "%s", errstr); +#endif +} + +#ifdef KRB4 /*************************************************************************** - Auth Configuration Parsers + Username/Password Validation for Krb4 ***************************************************************************/ -static const char *kerb_set_fail_slot(cmd_parms *cmd, void *struct_ptr, - const char *arg) +static int +verify_krb4_user(request_rec *r, char *name, char *instance, char *realm, + char *password, char *linstance, char *srvtab, int krb_verify_kdc) { - int offset = (int) (long) cmd->info; - if (!strncasecmp(arg, "unauthorized", 12)) - *(int *) ((char *)struct_ptr + offset) = HTTP_UNAUTHORIZED; - else if (!strncasecmp(arg, "forbidden", 9)) - *(int *) ((char *)struct_ptr + offset) = HTTP_FORBIDDEN; - else if (!strncasecmp(arg, "declined", 8)) - *(int *) ((char *)struct_ptr + offset) = DECLINED; - else - return "KrbAuthFailStatus must be Forbidden, Unauthorized, or Declined."; - return NULL; + int ret; + char *phost; + unsigned long addr; + struct hostent *hp; + const char *hostname; + KTEXT_ST ticket; + AUTH_DAT authdata; + char lrealm[REALM_SZ]; + + ret = krb_get_pw_in_tkt(name, instance, realm, "krbtgt", realm, + DEFAULT_TKT_LIFE, password); + if (ret) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Cannot get krb4 ticket: krb_get_pw_in_tkt() failed: %s", + krb_get_err_text(ret)); + return ret; + } + + if (!krb_verify_kdc) + return ret; + + hostname = ap_get_server_name(r); + + hp = gethostbyname(hostname); + if (hp == NULL) { + dest_tkt(); + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Cannot verify krb4 ticket: gethostbyname() failed: %s", + hstrerror(h_errno)); + return h_errno; + } + memcpy(&addr, hp->h_addr, sizeof(addr)); + + phost = krb_get_phost((char *)hostname); + + krb_get_lrealm(lrealm, 1); + + ret = krb_mk_req(&ticket, linstance, phost, lrealm, 0); + if (ret) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Cannot verify krb4 ticket: krb_mk_req() failed: %s", + krb_get_err_text(ret)); + dest_tkt(); + return ret; + } + + ret = krb_rd_req(&ticket, linstance, phost, addr, &authdata, srvtab); + if (ret) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Cannot verify krb4 ticket: krb_rd_req() failed: %s", + krb_get_err_text(ret)); + dest_tkt(); + } + + return ret; } +static int +krb4_cache_cleanup(void *data) +{ + char *tkt_file = (char *) data; + + krb_set_tkt_string(tkt_file); + dest_tkt(); + return OK; +} -#ifndef HEIMDAL -krb5_error_code -krb5_verify_user(krb5_context context, krb5_principal principal, - krb5_ccache ccache, const char *password, krb5_boolean secure, - const char *service) +static int +authenticate_user_krb4pwd(request_rec *r, + kerb_auth_config *conf, + const char *auth_line) { int ret; - krb5_context kcontext; - krb5_principal server, client; - krb5_timestamp now; - krb5_creds my_creds; - krb5_flags options = 0; - krb5_principal me = NULL; - krb5_data tgtname = { - 0, - KRB5_TGS_NAME_SIZE, - KRB5_TGS_NAME - }; - - memset((char *)&my_creds, 0, sizeof(my_creds)); - my_creds.client = principal; - - if (krb5_build_principal_ext(kcontext, &server, - krb5_princ_realm(kcontext, me)->length, - krb5_princ_realm(kcontext, me)->data, - tgtname.length, tgtname.data, - krb5_princ_realm(kcontext, me)->length, - krb5_princ_realm(kcontext, me)->data, - 0)) { - return ret; - } - - my_creds.server = server; - if (krb5_timeofday(kcontext, &now)) - return -1; - - my_creds.times.starttime = 0; - /* XXX - my_creds.times.endtime = now + lifetime; - my_creds.times.renew_till = now + renewal; - */ + const char *sent_pw; + const char *sent_name; + char *sent_instance; + char tkt_file[32]; + char *tkt_file_p = NULL; + int fd; + const char *realms; + const char *realm; + char *user; + char lrealm[REALM_SZ]; + int all_principals_unkown; + + sent_pw = ap_pbase64decode(r->pool, auth_line); + sent_name = ap_getword (r->pool, &sent_pw, ':'); + + /* do not allow user to override realm setting of server */ + if (strchr(sent_name, '@')) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "specifying realm in user name is prohibited"); + return HTTP_UNAUTHORIZED; + } + + sent_instance = strchr(sent_name, '.'); + if (sent_instance) + *sent_instance++ = '\0'; + + snprintf(tkt_file, sizeof(tkt_file), "/tmp/apache_tkt_XXXXXX"); + fd = mkstemp(tkt_file); + if (fd < 0) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Cannot create krb4 ccache: mkstemp() failed: %s", + strerror(errno)); + return HTTP_INTERNAL_SERVER_ERROR; + } + + tkt_file_p = ap_pstrdup(r->pool, tkt_file); + ap_register_cleanup(r->pool, tkt_file_p, + krb4_cache_cleanup, ap_null_cleanup); + + krb_set_tkt_string(tkt_file); + + all_principals_unkown = 1; + realms = conf->krb_auth_realms; + do { + memset(lrealm, 0, sizeof(lrealm)); + realm = NULL; + if (realms) + realm = ap_getword_white(r->pool, &realms); + + if (realm == NULL) { + ret = krb_get_lrealm(lrealm, 1); + if (ret) + break; + realm = lrealm; + } + + ret = verify_krb4_user(r, (char *)sent_name, + (sent_instance) ? sent_instance : "", + (char *)realm, (char *)sent_pw, + conf->krb_service_name, + conf->krb_4_srvtab, conf->krb_verify_kdc); + if (!conf->krb_authoritative && ret) { + /* if we're not authoritative, we allow authentication to pass on + * to another modules if (and only if) the user is not known to us */ + if (all_principals_unkown && ret != KDC_PR_UNKNOWN) + all_principals_unkown = 0; + } + + if (ret == 0) + break; + } while (realms && *realms); - ret = krb5_get_in_tkt_with_password(kcontext, options, 0, NULL, 0, - password, ccache, &my_creds, 0); if (ret) { - return ret; + /* XXX log only in the verify_krb4_user() call */ + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Verifying krb4 password failed"); + ret = (!conf->krb_authoritative && all_principals_unkown == 1 && ret == KDC_PR_UNKNOWN) ? + DECLINED : HTTP_UNAUTHORIZED; + goto end; } - return 0; -} -#endif + user = ap_pstrdup(r->pool, sent_name); + if (sent_instance) + user = ap_pstrcat(r->pool, user, ".", sent_instance, NULL); + user = ap_pstrcat(r->pool, user, "@", realm, NULL); + + MK_USER = user; + MK_AUTH_TYPE = "Basic"; + ap_table_setn(r->subprocess_env, "KRBTKFILE", tkt_file_p); + + if (!conf->krb_save_credentials) + krb4_cache_cleanup(tkt_file); + +end: + if (ret) + krb4_cache_cleanup(tkt_file); + close(fd); + tf_close(); + return ret; +} +#endif /* KRB4 */ +#ifdef KRB5 /*************************************************************************** - Username/Password Validation + Username/Password Validation for Krb5 ***************************************************************************/ -#ifdef KRB5 -static void + +/* MIT kerberos uses replay cache checks even during credential verification + * (i.e. in krb5_verify_init_creds()), which is obviosuly useless. In order to + * avoid problems with multiple apache processes accessing the same rcache file + * we had to use this call instead, which is only a bit modified version of + * krb5_verify_init_creds() */ +static krb5_error_code +verify_krb5_init_creds(request_rec *r, krb5_context context, krb5_creds *creds, + krb5_principal ap_req_server, krb5_keytab ap_req_keytab) +{ + krb5_error_code ret; + krb5_data req; + krb5_ccache local_ccache = NULL; + krb5_creds *new_creds = NULL; + krb5_auth_context auth_context = NULL; + krb5_keytab keytab = NULL; + char *server_name; + + memset(&req, 0, sizeof(req)); + + if (ap_req_keytab == NULL) { + ret = krb5_kt_default (context, &keytab); + if (ret) + return ret; + } else + keytab = ap_req_keytab; + + ret = krb5_cc_resolve(context, "MEMORY:", &local_ccache); + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_cc_resolve() failed when verifying KDC"); + return ret; + } + + ret = krb5_cc_initialize(context, local_ccache, creds->client); + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_cc_initialize() failed when verifying KDC"); + goto end; + } + + ret = krb5_cc_store_cred (context, local_ccache, creds); + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_cc_initialize() failed when verifying KDC"); + goto end; + } + + ret = krb5_unparse_name(context, ap_req_server, &server_name); + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_unparse_name() failed when verifying KDC"); + goto end; + } + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Trying to verify authenticity of KDC using principal %s", server_name); + free(server_name); + + if (!krb5_principal_compare (context, ap_req_server, creds->server)) { + krb5_creds match_cred; + + memset (&match_cred, 0, sizeof(match_cred)); + + match_cred.client = creds->client; + match_cred.server = ap_req_server; + + ret = krb5_get_credentials (context, 0, local_ccache, + &match_cred, &new_creds); + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_get_credentials() failed when verifying KDC"); + goto end; + } + creds = new_creds; + } + + ret = krb5_mk_req_extended (context, &auth_context, 0, NULL, creds, &req); + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_mk_req_extended() failed when verifying KDC"); + goto end; + } + + krb5_auth_con_free (context, auth_context); + auth_context = NULL; + ret = krb5_auth_con_init(context, &auth_context); + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_auth_con_init() failed when verifying KDC"); + goto end; + } + /* use KRB5_AUTH_CONTEXT_DO_SEQUENCE to skip replay cache checks */ + krb5_auth_con_setflags(context, auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE); + + ret = krb5_rd_req (context, &auth_context, &req, ap_req_server, + keytab, 0, NULL); + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_rd_req() failed when verifying KDC"); + goto end; + } + +end: +#ifdef HEIMDAL + /* XXX Do I ever want to support Heimdal 0.4 ??? */ + krb5_data_free(&req); +#else + krb5_free_data_contents(context, &req); +#endif + if (auth_context) + krb5_auth_con_free (context, auth_context); + if (new_creds) + krb5_free_creds (context, new_creds); + if (ap_req_keytab == NULL && keytab) + krb5_kt_close (context, keytab); + if (local_ccache) + krb5_cc_destroy (context, local_ccache); + + return ret; +} + +/* Inspired by krb5_verify_user from Heimdal */ +static krb5_error_code +verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal, + const char *password, const char *service, krb5_keytab keytab, + int krb_verify_kdc, krb5_ccache *ccache) +{ + krb5_creds creds; + krb5_principal server = NULL; + krb5_error_code ret; + krb5_ccache ret_ccache = NULL; + char *name = NULL; + + /* XXX error messages shouldn't be logged here (and in the while() loop in + * authenticate_user_krb5pwd() as weell), in order to avoid confusing log + * entries when using multiple realms */ + + memset(&creds, 0, sizeof(creds)); + + ret = krb5_unparse_name(context, principal, &name); + if (ret == 0) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Trying to get TGT for user %s", name); + free(name); + } + + ret = krb5_get_init_creds_password(context, &creds, principal, + (char *)password, NULL, + NULL, 0, NULL, NULL); + if (ret) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "krb5_get_init_creds_password() failed: %s", + krb5_get_err_text(context, ret)); + goto end; + } + + ret = krb5_sname_to_principal(context, ap_get_server_name(r), service, + KRB5_NT_SRV_HST, &server); + if (ret) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "krb5_sname_to_principal() failed: %s", + krb5_get_err_text(context, ret)); + goto end; + } + /* XXX log_debug: lookig for in keytab */ + + /* XXX + { + char *realm; + + krb5_get_default_realm(context, &realm); + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "trying to verify password using key for %s/%s@%s", + service, ap_get_server_name(r), realm); + } + */ + + if (krb_verify_kdc && + (ret = verify_krb5_init_creds(r, context, &creds, server, keytab))) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "failed to verify krb5 credentials: %s", + krb5_get_err_text(context, ret)); + goto end; + } + + ret = krb5_cc_resolve(context, "MEMORY:", &ret_ccache); + if (ret) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "generating new memory ccache failed: %s", + krb5_get_err_text(context, ret)); + goto end; + } + + ret = krb5_cc_initialize(context, ret_ccache, principal); + if (ret) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "krb5_cc_initialize() failed: %s", + krb5_get_err_text(context, ret)); + goto end; + } + + ret = krb5_cc_store_cred(context, ret_ccache, &creds); + if (ret) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "krb5_cc_store_cred() failed: %s", + krb5_get_err_text(context, ret)); + goto end; + } + *ccache = ret_ccache; + ret_ccache = NULL; + +end: + krb5_free_cred_contents(context, &creds); + if (server) + krb5_free_principal(context, server); + if (ret_ccache) + krb5_cc_destroy(context, ret_ccache); + + return ret; +} + +static int krb5_cache_cleanup(void *data) { krb5_context context; @@ -286,20 +734,21 @@ krb5_cache_cleanup(void *data) problem = krb5_init_context(&context); if (problem) { - ap_log_error(APLOG_MARK, APLOG_ERR, NULL, "krb5_init_context() failed"); - return; + /* ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "krb5_init_context() failed"); */ + return HTTP_INTERNAL_SERVER_ERROR; } problem = krb5_cc_resolve(context, cache_name, &cache); if (problem) { - ap_log_error(APLOG_MARK, APLOG_ERR, NULL, - "krb5_cc_resolve() failed (%s: %s)", - cache_name, krb5_get_err_text(context, problem)); - return; + /* log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + "krb5_cc_resolve() failed (%s: %s)", + cache_name, krb5_get_err_text(context, problem)); */ + return HTTP_INTERNAL_SERVER_ERROR; } krb5_cc_destroy(context, cache); krb5_free_context(context); + return OK; } static int @@ -309,76 +758,55 @@ create_krb5_ccache(krb5_context kcontext, krb5_principal princ, krb5_ccache *ccache) { - char *c, ccname[MAX_STRING_LEN]; - krb5_error_code problem; - char errstr[1024]; - int ret; - krb5_ccache tmp_ccache = NULL; - - snprintf(ccname, sizeof(ccname), "FILE:%s/k5cc_ap_%s", - conf->krb_tmp_dir ? conf->krb_tmp_dir : "/tmp", - MK_USER); - - for (c = ccname + strlen(conf->krb_tmp_dir ? conf->krb_tmp_dir : - "/tmp") + 1; *c; c++) { - if (*c == '/') - *c = '.'; - } + char *ccname; + int fd; + krb5_error_code problem; + int ret; + krb5_ccache tmp_ccache = NULL; + + ccname = ap_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir); + fd = mkstemp(ccname + strlen("FILE:")); + if (fd < 0) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "mkstemp() failed: %s", strerror(errno)); + ret = HTTP_INTERNAL_SERVER_ERROR; + goto end; + } + close(fd); -#if 0 - /* not sure what's the purpose of this call here */ - problem = krb5_cc_set_default_name(kcontext, ccname); - if (problem) { - snprintf(errstr, sizeof(errstr), - "krb5_cc_set_default_name() failed: %s", - krb5_get_err_text(kcontext, problem)); - ap_log_reason (errstr, r->uri, r); - ret = SERVER_ERROR; - goto end; - } + problem = krb5_cc_resolve(kcontext, ccname, &tmp_ccache); + if (problem) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "krb5_cc_resolve() failed: %s", + krb5_get_err_text(kcontext, problem)); + ret = HTTP_INTERNAL_SERVER_ERROR; + unlink(ccname); + goto end; + } -#endif + problem = krb5_cc_initialize(kcontext, tmp_ccache, princ); + if (problem) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Cannot initialize krb5 ccache %s: krb5_cc_initialize() failed: %s", + ccname, krb5_get_err_text(kcontext, problem)); + ret = HTTP_INTERNAL_SERVER_ERROR; + goto end; + } -#if 0 - /* XXX Dan: Why is this done? Cleanup? But the file would not be - * accessible from another processes (CGI) */ - unlink(ccname+strlen("FILE:")); -#endif + ap_table_setn(r->subprocess_env, "KRB5CCNAME", ccname); + ap_register_cleanup(r->pool, ccname, + krb5_cache_cleanup, ap_null_cleanup); - problem = krb5_cc_resolve(kcontext, ccname, &tmp_ccache); - if (problem) { - snprintf(errstr, sizeof(errstr), - "krb5_cc_resolve() failed: %s", - krb5_get_err_text(kcontext, problem)); - ap_log_reason (errstr, r->uri, r); - ret = SERVER_ERROR; - goto end; - } - - problem = krb5_cc_initialize(kcontext, tmp_ccache, princ); - if (problem) { - snprintf(errstr, sizeof(errstr), - "krb5_cc_initialize() failed: %s", - krb5_get_err_text(kcontext, problem)); - ap_log_reason (errstr, r->uri, r); - ret = SERVER_ERROR; - goto end; - } - - ap_table_setn(r->subprocess_env, "KRB5CCNAME", ccname); - ap_register_cleanup(r->pool, ccname, - krb5_cache_cleanup, ap_null_cleanup); - - *ccache = tmp_ccache; - tmp_ccache = NULL; - - ret = OK; + *ccache = tmp_ccache; + tmp_ccache = NULL; + + ret = OK; end: - if (tmp_ccache) - krb5_cc_destroy(kcontext, tmp_ccache); + if (tmp_ccache) + krb5_cc_destroy(kcontext, tmp_ccache); - return ret; /* XXX */ + return ret; } static int @@ -397,7 +825,7 @@ store_krb5_creds(krb5_context kcontext, if (problem) { snprintf(errstr, sizeof(errstr), "krb5_cc_get_principal() failed: %s", krb5_get_err_text(kcontext, problem)); - return SERVER_ERROR; + return HTTP_INTERNAL_SERVER_ERROR; } ret = create_krb5_ccache(kcontext, r, conf, princ, &ccache); @@ -406,75 +834,98 @@ store_krb5_creds(krb5_context kcontext, return ret; } +#ifdef HEIMDAL problem = krb5_cc_copy_cache(kcontext, delegated_cred, ccache); +#else + problem = krb5_cc_copy_creds(kcontext, delegated_cred, ccache); +#endif krb5_free_principal(kcontext, princ); if (problem) { - snprintf(errstr, sizeof(errstr), "krb5_cc_copy_cache() failed: %s", + snprintf(errstr, sizeof(errstr), "Failed to store credentials: %s", krb5_get_err_text(kcontext, problem)); krb5_cc_destroy(kcontext, ccache); - return SERVER_ERROR; + return HTTP_INTERNAL_SERVER_ERROR; } krb5_cc_close(kcontext, ccache); return OK; } + int authenticate_user_krb5pwd(request_rec *r, kerb_auth_config *conf, const char *auth_line) { const char *sent_pw = NULL; + const char *sent_name = NULL; const char *realms = NULL; - krb5_context kcontext; + const char *realm = NULL; + krb5_context kcontext = NULL; krb5_error_code code; krb5_principal client = NULL; krb5_ccache ccache = NULL; + krb5_keytab keytab = NULL; int ret; + char *name = NULL; + int all_principals_unkown; code = krb5_init_context(&kcontext); if (code) { - ap_log_rerror(APLOG_MARK, APLOG_NOERRNO, r, - "Cannot initialize Kerberos5 context (%d)", code); - return SERVER_ERROR; + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Cannot initialize Kerberos5 context (%d)", code); + return HTTP_INTERNAL_SERVER_ERROR; } - sent_pw = ap_uudecode(r->pool, auth_line); - r->connection->user = ap_getword (r->pool, &sent_pw, ':'); - r->connection->ap_auth_type = "Basic"; - + sent_pw = ap_pbase64decode(r->pool, auth_line); + sent_name = ap_getword (r->pool, &sent_pw, ':'); /* do not allow user to override realm setting of server */ - if (strchr(r->connection->user,'@')) { - ap_log_rerror(APLOG_MARK, APLOG_NOERRNO, r, - "specifying realm in user name is prohibited"); + if (strchr(sent_name, '@')) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "specifying realm in user name is prohibited"); ret = HTTP_UNAUTHORIZED; goto end; - } + } -#ifdef HEIMDAL - code = krb5_cc_gen_new(kcontext, &krb5_mcc_ops, &ccache); -#else - code = krb5_mcc_generate_new(kcontext, &ccache); -#endif - if (code) { - ap_log_rerror(APLOG_MARK, APLOG_NOERRNO, r, - "Cannot generate new ccache: %s", - krb5_get_err_text(kcontext, code)); - ret = SERVER_ERROR; + if (sent_pw == NULL || *sent_pw == '\0') { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "empty passwords are not accepted"); + ret = HTTP_UNAUTHORIZED; goto end; } + if (conf->krb_5_keytab) + krb5_kt_resolve(kcontext, conf->krb_5_keytab, &keytab); + + all_principals_unkown = 1; realms = conf->krb_auth_realms; do { - if (realms && krb5_set_default_realm(kcontext, - ap_getword_white(r->pool, &realms))) - continue; + name = sent_name; + if (realms && (realm = ap_getword_white(r->pool, &realms))) + name = ap_psprintf(r->pool, "%s@%s", sent_name, realm); - code = krb5_parse_name(kcontext, r->connection->user, &client); - if (code) + if (client) { + krb5_free_principal(kcontext, client); + client = NULL; + } + + code = krb5_parse_name(kcontext, name, &client); + if (code) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "krb5_parse_name() failed: %s", + krb5_get_err_text(kcontext, code)); continue; + } + + code = verify_krb5_user(r, kcontext, client, sent_pw, + conf->krb_service_name, + keytab, conf->krb_verify_kdc, &ccache); + if (!conf->krb_authoritative && code) { + /* if we're not authoritative, we allow authentication to pass on + * to another modules if (and only if) the user is not known to us */ + if (all_principals_unkown && code != KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN) + all_principals_unkown = 0; + } - code = krb5_verify_user(kcontext, client, ccache, sent_pw, 1, "khttp"); - krb5_free_principal(kcontext, client); if (code == 0) break; @@ -485,154 +936,136 @@ int authenticate_user_krb5pwd(request_rec *r, memset((char *)sent_pw, 0, strlen(sent_pw)); if (code) { - ap_log_rerror(APLOG_MARK, APLOG_NOERRNO, r, - "Verifying krb5 password failed: %s", - krb5_get_err_text(kcontext, code)); - ret = HTTP_UNAUTHORIZED; + if (!conf->krb_authoritative && all_principals_unkown == 1 && code == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN) + ret = DECLINED; + else + ret = HTTP_UNAUTHORIZED; + goto end; } - if (conf->krb_save_credentials) { - ret = store_krb5_creds(kcontext, r, conf, ccache); - if (ret) /* Ignore error ?? */ - goto end; + code = krb5_unparse_name(kcontext, client, &name); + if (code) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "krb5_unparse_name() failed: %s", + krb5_get_err_text(kcontext, code)); + ret = HTTP_UNAUTHORIZED; + goto end; } + MK_USER = ap_pstrdup (r->pool, name); + MK_AUTH_TYPE = "Basic"; + free(name); + + if (conf->krb_save_credentials) + store_krb5_creds(kcontext, r, conf, ccache); ret = OK; end: + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "kerb_authenticate_user_krb5pwd ret=%d user=%s authtype=%s", + ret, (MK_USER)?MK_USER:"(NULL)", (MK_AUTH_TYPE)?MK_AUTH_TYPE:"(NULL)"); if (client) krb5_free_principal(kcontext, client); if (ccache) krb5_cc_destroy(kcontext, ccache); + if (keytab) + krb5_kt_close(kcontext, keytab); krb5_free_context(kcontext); return ret; } -#endif /* KRB5 */ - -#ifdef KRB4 -int kerb4_password_validate(request_rec *r, const char *user, const char *pass) -{ - kerb_auth_config *conf = - (kerb_auth_config *)ap_get_module_config(r->per_dir_config, - &kerb_auth_module); - int ret; - int lifetime = DEFAULT_TKT_LIFE; - char *c, *tfname; - char *username = NULL; - char *instance = NULL; - char *realm = NULL; - - username = (char *)ap_pstrdup(r->pool, user); - if (!username) { - return 0; - } - - instance = strchr(username, '.'); - if (instance) { - *instance++ = '\0'; - } - else { - instance = ""; - } - - realm = strchr(username, '@'); - if (realm) { - *realm++ = '\0'; - } - else { - realm = ""; - } - - if (conf->krb_lifetime) { - lifetime = atoi(conf->krb_lifetime); - } - - if (conf->krb_force_instance) { - instance = conf->krb_force_instance; - } - - if (conf->krb_save_credentials) { - tfname = (char *)malloc(sizeof(char) * MAX_STRING_LEN); - sprintf(tfname, "%s/k5cc_ap_%s", - conf->krb_tmp_dir ? conf->krb_tmp_dir : "/tmp", - MK_USER); - - if (!strcmp(instance, "")) { - tfname = strcat(tfname, "."); - tfname = strcat(tfname, instance); - } - - if (!strcmp(realm, "")) { - tfname = strcat(tfname, "."); - tfname = strcat(tfname, realm); - } - - for (c = tfname + strlen(conf->krb_tmp_dir ? conf->krb_tmp_dir : - "/tmp") + 1; *c; c++) { - if (*c == '/') - *c = '.'; - } - - krb_set_tkt_string(tfname); - } - - if (!strcmp(realm, "")) { - realm = (char *)malloc(sizeof(char) * (REALM_SZ + 1)); - ret = krb_get_lrealm(realm, 1); - if (ret != KSUCCESS) - return 0; - } - - ret = krb_get_pw_in_tkt((char *)user, instance, realm, "krbtgt", realm, - lifetime, (char *)pass); - switch (ret) { - case INTK_OK: - case INTK_W_NOTALL: - return 1; - break; - - default: - return 0; - break; - } -} -#endif /* KRB4 */ +/********************************************************************* + * GSSAPI Authentication + ********************************************************************/ - - -/*************************************************************************** - GSSAPI Validation - ***************************************************************************/ -#ifdef GSSAPI static const char * -get_gss_error(pool *p, OM_uint32 error_status, char *prefix) +get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix) { - OM_uint32 maj_stat, min_stat; + OM_uint32 maj_stat, min_stat; OM_uint32 msg_ctx = 0; gss_buffer_desc status_string; - char buf[1024]; - size_t len; + char *err_msg; - snprintf(buf, sizeof(buf), "%s: ", prefix); - len = strlen(buf); + err_msg = ap_pstrdup(p, prefix); do { maj_stat = gss_display_status (&min_stat, - error_status, - GSS_C_MECH_CODE, + err_maj, + GSS_C_GSS_CODE, GSS_C_NO_OID, &msg_ctx, &status_string); - if (sizeof(buf) > len + status_string.length + 1) { - sprintf(buf+len, "%s:", (char*) status_string.value); - len += status_string.length; - } + if (GSS_ERROR(maj_stat)) + break; + err_msg = ap_pstrcat(p, err_msg, ": ", (char*) status_string.value, NULL); gss_release_buffer(&min_stat, &status_string); + + maj_stat = gss_display_status (&min_stat, + err_min, + GSS_C_MECH_CODE, + GSS_C_NULL_OID, + &msg_ctx, + &status_string); + if (!GSS_ERROR(maj_stat)) { + err_msg = ap_pstrcat(p, err_msg, + " (", (char*) status_string.value, ")", NULL); + gss_release_buffer(&min_stat, &status_string); + } } while (!GSS_ERROR(maj_stat) && msg_ctx != 0); - return (ap_pstrdup(p, buf)); + return err_msg; +} + +static int +store_gss_creds(request_rec *r, kerb_auth_config *conf, char *princ_name, + gss_cred_id_t delegated_cred) +{ + OM_uint32 maj_stat, min_stat; + krb5_principal princ = NULL; + krb5_ccache ccache = NULL; + krb5_error_code problem; + krb5_context context; + int ret = HTTP_INTERNAL_SERVER_ERROR; + + problem = krb5_init_context(&context); + if (problem) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Cannot initialize krb5 context"); + return HTTP_INTERNAL_SERVER_ERROR; + } + + problem = krb5_parse_name(context, princ_name, &princ); + if (problem) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Cannot parse delegated username (%s)", krb5_get_err_text(context, problem)); + goto end; + } + + problem = create_krb5_ccache(context, r, conf, princ, &ccache); + if (problem) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Cannot create krb5 ccache (%s)", krb5_get_err_text(context, problem)); + goto end; + } + + maj_stat = gss_krb5_copy_ccache(&min_stat, delegated_cred, ccache); + if (GSS_ERROR(maj_stat)) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Cannot store delegated credential (%s)", + get_gss_error(r->pool, maj_stat, min_stat, "gss_krb5_copy_ccache")); + goto end; + } + + krb5_cc_close(context, ccache); + ccache = NULL; + ret = 0; + +end: + if (princ) + krb5_free_principal(context, princ); + if (ccache) + krb5_cc_destroy(context, ccache); + krb5_free_context(context); + return ret; } static int @@ -640,63 +1073,107 @@ get_gss_creds(request_rec *r, kerb_auth_config *conf, gss_cred_id_t *server_creds) { - int ret = 0; - gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; - OM_uint32 major_status, minor_status; + gss_buffer_desc token = GSS_C_EMPTY_BUFFER; + OM_uint32 major_status, minor_status, minor_status2; gss_name_t server_name = GSS_C_NO_NAME; + char buf[1024]; - if (conf->service_name) { - input_token.value = conf->service_name; - input_token.length = strlen(conf->service_name) + 1; - } - else { - input_token.value = "khttp"; - input_token.length = 6; - } - major_status = gss_import_name(&minor_status, &input_token, - (conf->service_name) ? - GSS_C_NT_USER_NAME : GSS_C_NT_HOSTBASED_SERVICE, + snprintf(buf, sizeof(buf), "%s@%s", conf->krb_service_name, + ap_get_server_name(r)); + + token.value = buf; + token.length = strlen(buf) + 1; + + major_status = gss_import_name(&minor_status, &token, + GSS_C_NT_HOSTBASED_SERVICE, &server_name); + memset(&token, 0, sizeof(token)); if (GSS_ERROR(major_status)) { - ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r, - "%s", get_gss_error(r->pool, minor_status, - "gss_import_name() failed")); - ret = SERVER_ERROR; - goto fail; + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "%s", get_gss_error(r->pool, major_status, minor_status, + "gss_import_name() failed")); + return HTTP_INTERNAL_SERVER_ERROR; } - -#ifdef KRB5 - if (conf->krb_5_keytab) - setenv("KRB5_KTNAME", conf->krb_5_keytab, 1); -#endif + major_status = gss_display_name(&minor_status, server_name, &token, NULL); + if (GSS_ERROR(major_status)) { + /* Perhaps we could just ignore this error but it's safer to give up now, + I think */ + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "%s", get_gss_error(r->pool, major_status, minor_status, + "gss_display_name() failed")); + return HTTP_INTERNAL_SERVER_ERROR; + } + + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s", + token.value); + gss_release_buffer(&minor_status, &token); + major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, GSS_C_ACCEPT, server_creds, NULL, NULL); -#ifdef KRB5 - if (conf->krb_5_keytab) - unsetenv("KRB5_KTNAME"); -#endif + gss_release_name(&minor_status2, &server_name); if (GSS_ERROR(major_status)) { - ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r, - "%s", get_gss_error(r->pool, minor_status, - "gss_acquire_cred() failed")); - ret = SERVER_ERROR; - goto fail; + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "%s", get_gss_error(r->pool, major_status, minor_status, + "gss_acquire_cred() failed")); + return HTTP_INTERNAL_SERVER_ERROR; + } + +#ifndef HEIMDAL + /* + * With MIT Kerberos 5 1.3.x the gss_cred_id_t is the same as + * krb5_gss_cred_id_t and krb5_gss_cred_id_rec contains a pointer to + * the replay cache. + * This allows us to override the replay cache function vector with + * our own one. + * Note that this is a dirty hack to get things working and there may + * well be unknown side-effects. + */ + { + krb5_gss_cred_id_t gss_creds = (krb5_gss_cred_id_t) *server_creds; + + if (gss_creds && gss_creds->rcache && gss_creds->rcache->ops && + gss_creds->rcache->ops->type && + memcmp(gss_creds->rcache->ops->type, "dfl", 3) == 0) + /* Override the rcache operations */ + gss_creds->rcache->ops = &mod_auth_kerb_rc_ops; } +#endif return 0; +} -fail: - /* XXX cleanup */ +static int +cmp_gss_type(gss_buffer_t token, gss_OID oid) +{ + unsigned char *p; + size_t len; - return ret; + if (token->length == 0) + return GSS_S_DEFECTIVE_TOKEN; + + p = token->value; + if (*p++ != 0x60) + return GSS_S_DEFECTIVE_TOKEN; + len = *p++; + if (len & 0x80) { + if ((len & 0x7f) > 4) + return GSS_S_DEFECTIVE_TOKEN; + p += len & 0x7f; + } + if (*p++ != 0x06) + return GSS_S_DEFECTIVE_TOKEN; + + if (((OM_uint32) *p++) != oid->length) + return GSS_S_DEFECTIVE_TOKEN; + + return memcmp(p, oid->elements, oid->length); } static int -authenticate_user_gss(request_rec *r, - kerb_auth_config *conf, - const char *auth_line) +authenticate_user_gss(request_rec *r, kerb_auth_config *conf, + const char *auth_line, char **negotiate_ret_value) { OM_uint32 major_status, minor_status, minor_status2; gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; @@ -705,139 +1182,151 @@ authenticate_user_gss(request_rec *r, int ret; gss_name_t client_name = GSS_C_NO_NAME; gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL; - - if (gss_connection == NULL) { - gss_connection = ap_pcalloc(r->connection->pool, sizeof(*gss_connection)); - if (gss_connection == NULL) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, r, - "ap_pcalloc() failed (not enough memory)"); - ret = SERVER_ERROR; + OM_uint32 + (*accept_sec_token)(OM_uint32 *, gss_ctx_id_t *, const gss_cred_id_t, + const gss_buffer_t, const gss_channel_bindings_t, + gss_name_t *, gss_OID *, gss_buffer_t, OM_uint32 *, + OM_uint32 *, gss_cred_id_t *); + gss_OID_desc spnego_oid; + gss_ctx_id_t context = GSS_C_NO_CONTEXT; + gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL; + + *negotiate_ret_value = "\0"; + + spnego_oid.length = 6; + spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02"; + + if (conf->krb_5_keytab) { + char *ktname; + /* we don't use the ap_* calls here, since the string passed to putenv() + * will become part of the enviroment and shouldn't be free()ed by apache + */ + ktname = malloc(strlen("KRB5_KTNAME=") + strlen(conf->krb_5_keytab) + 1); + if (ktname == NULL) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "malloc() failed: not enough memory"); + ret = HTTP_INTERNAL_SERVER_ERROR; goto end; } - memset(gss_connection, 0, sizeof(*gss_connection)); - ap_register_cleanup(r->connection->pool, gss_connection, cleanup_gss_connection, ap_null_cleanup); + sprintf(ktname, "KRB5_KTNAME=%s", conf->krb_5_keytab); + putenv(ktname); +#ifdef HEIMDAL + /* Seems to be also supported by latest MIT */ + gsskrb5_register_acceptor_identity(conf->krb_5_keytab); +#endif } - if (gss_connection->server_creds == GSS_C_NO_CREDENTIAL) { - ret = get_gss_creds(r, conf, &gss_connection->server_creds); - if (ret) - goto end; - } + ret = get_gss_creds(r, conf, &server_creds); + if (ret) + goto end; /* ap_getword() shifts parameter */ auth_param = ap_getword_white(r->pool, &auth_line); if (auth_param == NULL) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, r, - "No Authorization parameter in request from client"); + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "No Authorization parameter in request from client"); ret = HTTP_UNAUTHORIZED; goto end; } - input_token.length = ap_base64decode_len(auth_param); + input_token.length = ap_base64decode_len(auth_param) + 1; input_token.value = ap_pcalloc(r->connection->pool, input_token.length); if (input_token.value == NULL) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, r, - "ap_pcalloc() failed (not enough memory)"); - ret = SERVER_ERROR; + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "ap_pcalloc() failed (not enough memory)"); + ret = HTTP_INTERNAL_SERVER_ERROR; goto end; } input_token.length = ap_base64decode(input_token.value, auth_param); - major_status = gss_accept_sec_context(&minor_status, - &gss_connection->context, - gss_connection->server_creds, - &input_token, - GSS_C_NO_CHANNEL_BINDINGS, - &client_name, - NULL, - &output_token, - NULL, - NULL, - &delegated_cred); + accept_sec_token = (cmp_gss_type(&input_token, &spnego_oid) == 0) ? + gss_accept_sec_context_spnego : gss_accept_sec_context; + + /* pridat: Read client Negotiate data of length XXX, prefix YYY */ + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Verifying client data using %s", + (accept_sec_token == gss_accept_sec_context) + ? "KRB5 GSS-API" + : "SPNEGO GSS-API"); + + major_status = accept_sec_token(&minor_status, + &context, + server_creds, + &input_token, + GSS_C_NO_CHANNEL_BINDINGS, + &client_name, + NULL, + &output_token, + NULL, + NULL, + &delegated_cred); + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Verification returned code %d", major_status); if (output_token.length) { char *token = NULL; size_t len; - len = ap_base64encode_len(output_token.length); + len = ap_base64encode_len(output_token.length) + 1; token = ap_pcalloc(r->connection->pool, len + 1); if (token == NULL) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, r, - "ap_pcalloc() failed (not enough memory)"); - ret = SERVER_ERROR; + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "ap_pcalloc() failed (not enough memory)"); + ret = HTTP_INTERNAL_SERVER_ERROR; gss_release_buffer(&minor_status2, &output_token); goto end; } ap_base64encode(token, output_token.value, output_token.length); token[len] = '\0'; - ap_table_set(r->err_headers_out, "WWW-Authenticate", - ap_pstrcat(r->pool, "GSS-Negotiate ", token, NULL)); + *negotiate_ret_value = token; + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "GSS-API token of length %d bytes will be sent back", + output_token.length); gss_release_buffer(&minor_status2, &output_token); } if (GSS_ERROR(major_status)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, r, - "%s", get_gss_error(r->pool, minor_status, - "gss_accept_sec_context() failed")); + if (input_token.length > 7 && memcmp(input_token.value, "NTLMSSP", 7) == 0) + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration."); + + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "%s", get_gss_error(r->pool, major_status, minor_status, + "gss_accept_sec_context() failed")); + /* Don't offer the Negotiate method again if call to GSS layer failed */ + *negotiate_ret_value = NULL; ret = HTTP_UNAUTHORIZED; goto end; } +#if 0 + /* This is a _Kerberos_ module so multiple authentication rounds aren't + * supported. If we wanted a generic GSS authentication we would have to do + * some magic with exporting context etc. */ if (major_status & GSS_S_CONTINUE_NEEDED) { - /* Some GSSAPI mechanism (eg GSI from Globus) may require multiple - * iterations to establish authentication */ ret = HTTP_UNAUTHORIZED; goto end; } +#endif - major_status = gss_export_name(&minor_status, client_name, &output_token); + major_status = gss_display_name(&minor_status, client_name, &output_token, NULL); gss_release_name(&minor_status, &client_name); if (GSS_ERROR(major_status)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, r, - "%s", get_gss_error(r->pool, minor_status, - "gss_export_name() failed")); - ret = SERVER_ERROR; + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "%s", get_gss_error(r->pool, major_status, minor_status, + "gss_export_name() failed")); + ret = HTTP_INTERNAL_SERVER_ERROR; goto end; } - r->connection->ap_auth_type = "Negotiate"; - r->connection->user = ap_pstrdup(r->pool, output_token.value); -#if 0 - /* If the user comes from a realm specified by configuration don't include - its realm name in the username so that the authorization routine could - work for both Password-based and Ticket-based authentication. It's - administrators responsibility to include only such realm that have - unified principal instances, i.e. if the same principal name occures in - multiple realms, it must be always assigned to a single user. - */ - p = strchr(r->connection->user, '@'); - if (p != NULL) { - const char *realms = conf->gss_krb5_realms; - - while (realms && *realms) { - if (strcmp(p+1, ap_getword_white(r->pool, &realms)) == 0) { - *p = '\0'; - break; - } - } - } -#endif + MK_AUTH_TYPE = MECH_NEGOTIATE; + MK_USER = ap_pstrdup(r->pool, output_token.value); + + if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL) + store_gss_creds(r, conf, (char *)output_token.value, delegated_cred); + + if (*negotiate_ret_value) + set_kerb_auth_headers(r, conf, 0, 0, *negotiate_ret_value); gss_release_buffer(&minor_status, &output_token); -#if 0 - /* This should be only done if afs token are requested or gss_save creds is - * specified */ - /* gss_export_cred() from the GGF GSS Extensions could be used */ - if (delegated_cred != GSS_C_NO_CREDENTIAL && - (conf->gss_save_creds || (conf->gss_krb5_cells && k_hasafs()))) { - krb5_init_context(&krb_ctx); - do_afs_log(krb_ctx, r, delegated_cred->ccache, conf->gss_krb5_cells); - ret = store_krb5_creds(krb_ctx, r, conf, delegated_cred->ccache); - krb5_free_context(krb_ctx); - if (ret) - goto end; - } -#endif ret = OK; end: @@ -850,131 +1339,150 @@ end: if (client_name != GSS_C_NO_NAME) gss_release_name(&minor_status, &client_name); + if (server_creds != GSS_C_NO_CREDENTIAL) + gss_release_cred(&minor_status, &server_creds); + + if (context != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER); + return ret; } -#endif /* GSSAPI */ +#endif /* KRB5 */ +static int +already_succeeded(request_rec *r) +{ + if (ap_is_initial_req(r) || MK_AUTH_TYPE == NULL) + return 0; + if (strcmp(MK_AUTH_TYPE, MECH_NEGOTIATE) || + (strcmp(MK_AUTH_TYPE, "Basic") && strchr(MK_USER, '@'))) + return 1; + return 0; +} static void -note_auth_failure(request_rec *r, const kerb_auth_config *conf) +set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf, + int use_krb4, int use_krb5pwd, char *negotiate_ret_value) { - const char *auth_type = NULL; const char *auth_name = NULL; - - /* get the type specified in .htaccess */ - auth_type = ap_auth_type(r); + int set_basic = 0; + char *negoauth_param; + const char *header_name = + (r->proxyreq == PROXYREQ_PROXY) ? "Proxy-Authenticate" : "WWW-Authenticate"; /* get the user realm specified in .htaccess */ auth_name = ap_auth_name(r); - /* XXX should the WWW-Authenticate header be cleared first? */ + /* XXX should the WWW-Authenticate header be cleared first? + * apache in the proxy mode should retain client's authN headers? */ #ifdef KRB5 - if (conf->krb_method_gssapi) - ap_table_add(r->err_headers_out, "WWW-Authenticate", "GSS-Negotiate "); + if (negotiate_ret_value != NULL && conf->krb_method_gssapi) { + negoauth_param = (*negotiate_ret_value == '\0') ? MECH_NEGOTIATE : + ap_pstrcat(r->pool, MECH_NEGOTIATE " ", negotiate_ret_value, NULL); + ap_table_add(r->err_headers_out, header_name, negoauth_param); + } + if ((use_krb5pwd && conf->krb_method_k5pass) || conf->krb_delegate_basic) { + ap_table_add(r->err_headers_out, header_name, + ap_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL)); + set_basic = 1; + } #endif - if (auth_type && strncasecmp(auth_type, "KerberosV5", 10) == 0) - ap_table_add(r->err_headers_out, "WWW-Authenticate", - ap_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL)); -} - +#ifdef KRB4 + if (!set_basic && + ((use_krb4 && conf->krb_method_k4pass) || conf->krb_delegate_basic)) + ap_table_add(r->err_headers_out, header_name, + ap_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL)); +#endif +} -/*************************************************************************** - User Authentication - ***************************************************************************/ int kerb_authenticate_user(request_rec *r) { kerb_auth_config *conf = (kerb_auth_config *) ap_get_module_config(r->per_dir_config, - &kerb_auth_module); + &auth_kerb_module); const char *auth_type = NULL; const char *auth_line = NULL; const char *type = NULL; + int use_krb5 = 0, use_krb4 = 0; int ret; + static int last_return = HTTP_UNAUTHORIZED; + char *negotiate_ret_value = NULL; /* get the type specified in .htaccess */ type = ap_auth_type(r); - if (!conf->krb_auth_enable && - (type == NULL || (strncasecmp(type, "Kerberos", 8) != 0))) + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "kerb_authenticate_user entered with user %s and auth_type %s", + (MK_USER)?MK_USER:"(NULL)",type?type:"(NULL)"); + + if (type && strcasecmp(type, "Kerberos") == 0) + use_krb5 = use_krb4 = 1; + else if(type && strcasecmp(type, "KerberosV5") == 0) + use_krb5 = 1; + else if(type && strcasecmp(type, "KerberosV4") == 0) + use_krb4 = 1; + else return DECLINED; /* get what the user sent us in the HTTP header */ - auth_line = MK_TABLE_GET(r->headers_in, "Authorization"); + auth_line = MK_TABLE_GET(r->headers_in, (r->proxyreq == PROXYREQ_PROXY) + ? "Proxy-Authorization" + : "Authorization"); if (!auth_line) { - note_auth_failure(r, conf); + set_kerb_auth_headers(r, conf, use_krb4, use_krb5, + (use_krb5) ? "\0" : NULL); return HTTP_UNAUTHORIZED; } auth_type = ap_getword_white(r->pool, &auth_line); - ret = HTTP_UNAUTHORIZED; + /* If we are delegating Basic to other modules, DECLINE the request */ + if (conf->krb_delegate_basic && +#ifdef KRB5 + !conf->krb_method_k5pass && +#endif +#ifdef KRB4 + !conf->krb_method_k4pass && +#endif + (strcasecmp(auth_type, "Basic") == 0)) + return DECLINED; + + if (already_succeeded(r)) + return last_return; - /* XXX Support for AuthType=Kerberos */ + ret = HTTP_UNAUTHORIZED; #ifdef KRB5 - if (conf->krb_method_gssapi && - strcasecmp(auth_type, "GSS-Negotiate") == 0) { - ret = authenticate_user_gss(r, conf, auth_line); - } else if (conf->krb_method_k5pass && + if (use_krb5 && conf->krb_method_gssapi && + strcasecmp(auth_type, MECH_NEGOTIATE) == 0) { + ret = authenticate_user_gss(r, conf, auth_line, &negotiate_ret_value); + } else if (use_krb5 && conf->krb_method_k5pass && strcasecmp(auth_type, "Basic") == 0) { ret = authenticate_user_krb5pwd(r, conf, auth_line); } #endif #ifdef KRB4 - if (ret == HTTP_UNAUTHORIZED && conf->krb_method_k4pass && + if (ret == HTTP_UNAUTHORIZED && use_krb4 && conf->krb_method_k4pass && strcasecmp(auth_type, "Basic") == 0) ret = authenticate_user_krb4pwd(r, conf, auth_line); #endif if (ret == HTTP_UNAUTHORIZED) - note_auth_failure(r, conf); - - return ret; -} + set_kerb_auth_headers(r, conf, use_krb4, use_krb5, negotiate_ret_value); + /* XXX log_debug: if ret==OK, log(user XY authenticated) */ -#if 0 -int kerb_check_user_access(request_rec *r) -{ - register int x; - const char *t, *w; - const MK_ARRAY_HEADER *reqs_arr = ap_requires(r); - require_line *reqs; - kerb_auth_config *conf = - (kerb_auth_config *)ap_get_module_config(r->per_dir_config, - &kerb_auth_module); - - if (reqs_arr == NULL) { - return OK; - } - reqs = (require_line *)reqs_arr->elts; - - for (x = 0; x < reqs_arr->nelts; x++) { - t = reqs[x].requirement; - w = ap_getword_white(r->pool, &t); - if (strcmp(w, "realm") == 0) { - while (t[0] != '\0') { - w = ap_getword_conf(r->pool, &t); - if (strcmp(MK_USER, w) == 0) { - return OK; - } - } - } - } - - return DECLINED; + last_return = ret; + return ret; } -#endif - - /*************************************************************************** Module Setup/Configuration ***************************************************************************/ -#ifdef APXS1 -module MODULE_VAR_EXPORT kerb_auth_module = { +#ifndef STANDARD20_MODULE_STUFF +module MODULE_VAR_EXPORT auth_kerb_module = { STANDARD_MODULE_STUFF, NULL, /* module initializer */ kerb_dir_create_config, /* per-directory config creator */ @@ -994,14 +1502,29 @@ module MODULE_VAR_EXPORT kerb_auth_module = { NULL, /* process initialization */ NULL, /* process exit/cleanup */ NULL /* [ 1] post read_request handling */ +#ifdef EAPI + ,NULL, /* EAPI: add_module */ + NULL, /* EAPI: remove_module */ + NULL, /* EAPI: rewrite_command */ + NULL /* EAPI: new_connection */ +#endif }; #else +static int +kerb_init_handler(apr_pool_t *p, apr_pool_t *plog, + apr_pool_t *ptemp, server_rec *s) +{ + ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION); + return OK; +} + void kerb_register_hooks(apr_pool_t *p) { + ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE); ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE); } -module AP_MODULE_DECLARE_DATA kerb_auth_module = +module AP_MODULE_DECLARE_DATA auth_kerb_module = { STANDARD20_MODULE_STUFF, kerb_dir_create_config, /* create per-dir conf structures */