X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=src%2Fmod_auth_kerb.c;h=6ce5ff6845b88f411d4b0dfbcedaa5839185dc28;hb=69a14de88d66ae6b447bf4ef49f470ab0d3bb9c7;hp=4784fe73bb33bb98f09aa5067cf5abe6eb21287a;hpb=11e57ba5a1b929f95447e453e3e03babbaca8cd8;p=mod_auth_kerb.cvs%2F.git

diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c
index 4784fe7..6ce5ff6 100644
--- a/src/mod_auth_kerb.c
+++ b/src/mod_auth_kerb.c
@@ -50,7 +50,7 @@
 #include <stdio.h>
 #include <stdarg.h>
 
-#define MODAUTHKERB_VERSION "5.0"
+#define MODAUTHKERB_VERSION "5.1"
 
 #define MECH_NEGOTIATE "Negotiate"
 #define SERVICE_NAME "HTTP"
@@ -65,10 +65,19 @@
 #ifdef STANDARD20_MODULE_STUFF
 #include <apr_strings.h>
 #include <apr_base64.h>
-#include <apr_compat.h>
-#include <apu_compat.h>
 #else
-#define ap_pstrchr_c strchr
+#define apr_pstrdup		ap_pstrdup
+#define apr_psprintf		ap_psprintf
+#define apr_pstrcat		ap_pstrcat
+#define apr_pcalloc		ap_pcalloc
+#define apr_table_setn		ap_table_setn
+#define apr_table_add		ap_table_add
+#define apr_base64_decode_len	ap_base64decode_len
+#define apr_base64_decode	ap_base64decode
+#define apr_base64_encode_len	ap_base64encode_len
+#define apr_base64_encode	ap_base64encode
+#define apr_pool_cleanup_null	ap_null_cleanup
+#define apr_pool_cleanup_register	ap_register_cleanup
 #endif /* STANDARD20_MODULE_STUFF */
 
 #ifdef _WIN32
@@ -86,6 +95,7 @@
 #  include <gssapi/gssapi_krb5.h>
 #  define GSS_C_NT_USER_NAME gss_nt_user_name
 #  define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
+#  define GSS_KRB5_NT_PRINCIPAL_NAME gss_nt_krb5_name
 #  define krb5_get_err_text(context,code) error_message(code)
 #endif
 #ifndef GSSAPI_SUPPORTS_SPNEGO
@@ -108,6 +118,14 @@
 #include <unistd.h>
 #endif
 
+#ifndef KRB5_LIB_FUNCTION
+#  if defined(_WIN32)
+#    define KRB5_LIB_FUNCTION _stdcall
+#  else
+#    define KRB5_LIB_FUNCTION
+#  endif
+#endif
+
 #ifdef STANDARD20_MODULE_STUFF
 module AP_MODULE_DECLARE_DATA auth_kerb_module;
 #else
@@ -293,7 +311,7 @@ static void *kerb_dir_create_config(MK_POOL *p, char *d)
 {
 	kerb_auth_config *rec;
 
-	rec = (kerb_auth_config *) ap_pcalloc(p, sizeof(kerb_auth_config));
+	rec = (kerb_auth_config *) apr_pcalloc(p, sizeof(kerb_auth_config));
         ((kerb_auth_config *)rec)->krb_verify_kdc = 1;
 	((kerb_auth_config *)rec)->krb_service_name = NULL;
 	((kerb_auth_config *)rec)->krb_authoritative = 1;
@@ -315,7 +333,7 @@ static const char*
 krb5_save_realms(cmd_parms *cmd, void *vsec, const char *arg)
 {
    kerb_auth_config *sec = (kerb_auth_config *) vsec;
-   sec->krb_auth_realms= ap_pstrdup(cmd->pool, arg);
+   sec->krb_auth_realms= apr_pstrdup(cmd->pool, arg);
    return NULL;
 }
 
@@ -343,8 +361,8 @@ log_rerror(const char *file, int line, int level, int status,
  Username/Password Validation for Krb4
  ***************************************************************************/
 static int
-verify_krb4_user(request_rec *r, char *name, char *instance, char *realm,
-      		 char *password, char *linstance, char *srvtab, int krb_verify_kdc)
+verify_krb4_user(request_rec *r, const char *name, const char *instance,
+                 const char *realm, const char *password, const char *linstance, const char *srvtab, int krb_verify_kdc)
 {
    int ret;
    char *phost;
@@ -392,7 +410,7 @@ verify_krb4_user(request_rec *r, char *name, char *instance, char *realm,
       return ret;
    }
 
-   ret = krb_rd_req(&ticket, linstance, phost, addr, &authdata, srvtab);
+   ret = krb_rd_req(&ticket, (char *)linstance, phost, addr, &authdata, (char *)srvtab);
    if (ret) {
       log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 	         "Cannot verify krb4 ticket: krb_rd_req() failed: %s",
@@ -434,13 +452,6 @@ authenticate_user_krb4pwd(request_rec *r,
    sent_pw = ap_pbase64decode(r->pool, auth_line);
    sent_name = ap_getword (r->pool, &sent_pw, ':');
 
-   /* do not allow user to override realm setting of server */
-   if (ap_strchr_c(sent_name, '@')) {
-      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-	         "specifying realm in user name is prohibited");
-      return HTTP_UNAUTHORIZED;
-   }
-
    sent_instance = strchr(sent_name, '.');
    if (sent_instance)
       *sent_instance++ = '\0'; 
@@ -454,10 +465,10 @@ authenticate_user_krb4pwd(request_rec *r,
       return HTTP_INTERNAL_SERVER_ERROR;
    }
 
-   tkt_file_p = ap_pstrdup(r->pool, tkt_file);
-   ap_register_cleanup(r->pool, tkt_file_p,
-	               krb4_cache_cleanup, ap_null_cleanup);
-
+   tkt_file_p = apr_pstrdup(r->pool, tkt_file);
+   apr_pool_cleanup_register(r->pool, tkt_file_p, krb4_cache_cleanup,
+	                     apr_pool_cleanup_null);
+   
    krb_set_tkt_string(tkt_file);
 
    all_principals_unkown = 1;
@@ -500,14 +511,14 @@ authenticate_user_krb4pwd(request_rec *r,
       goto end;
    }
 
-   user = ap_pstrdup(r->pool, sent_name);
+   user = apr_pstrdup(r->pool, sent_name);
    if (sent_instance)
-      user = ap_pstrcat(r->pool, user, ".", sent_instance, NULL);
-   user = ap_pstrcat(r->pool, user, "@", realm, NULL);
+      user = apr_pstrcat(r->pool, user, ".", sent_instance, NULL);
+   user = apr_pstrcat(r->pool, user, "@", realm, NULL);
 
    MK_USER = user;
    MK_AUTH_TYPE = "Basic";
-   ap_table_setn(r->subprocess_env, "KRBTKFILE", tkt_file_p);
+   apr_table_setn(r->subprocess_env, "KRBTKFILE", tkt_file_p);
 
    if (!conf->krb_save_credentials)
       krb4_cache_cleanup(tkt_file);
@@ -774,7 +785,7 @@ create_krb5_ccache(krb5_context kcontext,
    int ret;
    krb5_ccache tmp_ccache = NULL;
 
-   ccname = ap_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir);
+   ccname = apr_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir);
    fd = mkstemp(ccname + strlen("FILE:"));
    if (fd < 0) {
       log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
@@ -803,9 +814,9 @@ create_krb5_ccache(krb5_context kcontext,
       goto end;
    }
 
-   ap_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
-   ap_register_cleanup(r->pool, ccname,
-		       krb5_cache_cleanup, ap_null_cleanup);
+   apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
+   apr_pool_cleanup_register(r->pool, ccname, krb5_cache_cleanup,
+	 		     apr_pool_cleanup_null);
 
    *ccache = tmp_ccache;
    tmp_ccache = NULL;
@@ -946,7 +957,7 @@ authenticate_user_krb5pwd(request_rec *r,
    do {
       name = (char *) sent_name;
       if (realms && (realm = ap_getword_white(r->pool, &realms)))
-	 name = ap_psprintf(r->pool, "%s@%s", sent_name, realm);
+	 name = apr_psprintf(r->pool, "%s@%s", sent_name, realm);
 
       if (client) {
 	 krb5_free_principal(kcontext, client);
@@ -995,7 +1006,7 @@ authenticate_user_krb5pwd(request_rec *r,
       ret = HTTP_UNAUTHORIZED;
       goto end;
    }
-   MK_USER = ap_pstrdup (r->pool, name);
+   MK_USER = apr_pstrdup (r->pool, name);
    MK_AUTH_TYPE = "Basic";
    free(name);
 
@@ -1033,7 +1044,7 @@ get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix)
    gss_buffer_desc status_string;
    char *err_msg;
 
-   err_msg = ap_pstrdup(p, prefix);
+   err_msg = apr_pstrdup(p, prefix);
    do {
       maj_stat = gss_display_status (&min_stat,
 	                             err_maj,
@@ -1043,7 +1054,7 @@ get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix)
 				     &status_string);
       if (GSS_ERROR(maj_stat))
 	 break;
-      err_msg = ap_pstrcat(p, err_msg, ": ", (char*) status_string.value, NULL);
+      err_msg = apr_pstrcat(p, err_msg, ": ", (char*) status_string.value, NULL);
       gss_release_buffer(&min_stat, &status_string);
       
       maj_stat = gss_display_status (&min_stat,
@@ -1053,7 +1064,7 @@ get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix)
 				     &msg_ctx,
 				     &status_string);
       if (!GSS_ERROR(maj_stat)) {
-	 err_msg = ap_pstrcat(p, err_msg,
+	 err_msg = apr_pstrcat(p, err_msg,
 	                      " (", (char*) status_string.value, ")", NULL);
 	 gss_release_buffer(&min_stat, &status_string);
       }
@@ -1285,15 +1296,15 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
      goto end;
   }
 
-  input_token.length = ap_base64decode_len(auth_param) + 1;
-  input_token.value = ap_pcalloc(r->connection->pool, input_token.length);
+  input_token.length = apr_base64_decode_len(auth_param) + 1;
+  input_token.value = apr_pcalloc(r->connection->pool, input_token.length);
   if (input_token.value == NULL) {
      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 	   	"ap_pcalloc() failed (not enough memory)");
      ret = HTTP_INTERNAL_SERVER_ERROR;
      goto end;
   }
-  input_token.length = ap_base64decode(input_token.value, auth_param);
+  input_token.length = apr_base64_decode(input_token.value, auth_param);
 
 #ifdef GSSAPI_SUPPORTS_SPNEGO
   accept_sec_token = gss_accept_sec_context;
@@ -1324,8 +1335,8 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
      char *token = NULL;
      size_t len;
      
-     len = ap_base64encode_len(output_token.length) + 1;
-     token = ap_pcalloc(r->connection->pool, len + 1);
+     len = apr_base64_encode_len(output_token.length) + 1;
+     token = apr_pcalloc(r->connection->pool, len + 1);
      if (token == NULL) {
 	log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 	           "ap_pcalloc() failed (not enough memory)");
@@ -1333,7 +1344,7 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
 	gss_release_buffer(&minor_status2, &output_token);
 	goto end;
      }
-     ap_base64encode(token, output_token.value, output_token.length);
+     apr_base64_encode(token, output_token.value, output_token.length);
      token[len] = '\0';
      *negotiate_ret_value = token;
      log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
@@ -1378,7 +1389,7 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
   }
 
   MK_AUTH_TYPE = MECH_NEGOTIATE;
-  MK_USER = ap_pstrdup(r->pool, output_token.value);
+  MK_USER = apr_pstrdup(r->pool, output_token.value);
 
   if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
      store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
@@ -1436,12 +1447,12 @@ set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf,
 #ifdef KRB5
    if (negotiate_ret_value != NULL && conf->krb_method_gssapi) {
       negoauth_param = (*negotiate_ret_value == '\0') ? MECH_NEGOTIATE :
-	          ap_pstrcat(r->pool, MECH_NEGOTIATE " ", negotiate_ret_value, NULL);
-      ap_table_add(r->err_headers_out, header_name, negoauth_param);
+	          apr_pstrcat(r->pool, MECH_NEGOTIATE " ", negotiate_ret_value, NULL);
+      apr_table_add(r->err_headers_out, header_name, negoauth_param);
    }
    if ((use_krb5pwd && conf->krb_method_k5pass) || conf->krb_delegate_basic) {
-      ap_table_add(r->err_headers_out, header_name,
-		   ap_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL));
+      apr_table_add(r->err_headers_out, header_name,
+		   apr_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL));
       set_basic = 1;
    }
 #endif
@@ -1449,8 +1460,8 @@ set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf,
 #ifdef KRB4
    if (!set_basic && 
        ((use_krb4 && conf->krb_method_k4pass) || conf->krb_delegate_basic))
-      ap_table_add(r->err_headers_out, header_name,
-		  ap_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL));
+      apr_table_add(r->err_headers_out, header_name,
+		  apr_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL));
 #endif
 }
 
@@ -1550,18 +1561,19 @@ int
 have_rcache_type(const char *type)
 {
    krb5_error_code ret;
-   krb5_rcache id;
+   krb5_context context;
+   krb5_rcache id = NULL;
    int found;
 
-   memset(&id, 0, sizeof(id));
-
    ret = krb5_init_context(&context);
    if (ret)
       return 0;
 
-   ret = krb5_rc_resolve_type(context, id, type);
+   ret = krb5_rc_resolve_full(context, &id, "none:");
    found = (ret == 0);
 
+   if (ret == 0)
+      krb5_rc_destroy(context, id);
    krb5_free_context(context);
 
    return found;