X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=src%2Fmod_auth_kerb.c;h=880b6eaac09b673a6687ee1af6117e2e5785d30b;hb=dda1d7e4425e0aac9bc01c3b59adcdbbf4475ceb;hp=7fcb4fbea33284e0069d68375aeed30a911fa054;hpb=95bd55d2a2f8075711ee107d7e53b5725329b5c7;p=mod_auth_kerb.cvs%2F.git diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c index 7fcb4fb..880b6ea 100644 --- a/src/mod_auth_kerb.c +++ b/src/mod_auth_kerb.c @@ -50,7 +50,7 @@ #include #include -#define MODAUTHKERB_VERSION "5.0-rc7" +#define MODAUTHKERB_VERSION "5.1" #define MECH_NEGOTIATE "Negotiate" #define SERVICE_NAME "HTTP" @@ -65,24 +65,19 @@ #ifdef STANDARD20_MODULE_STUFF #include #include - -#define ap_null_cleanup NULL -#define ap_register_cleanup apr_pool_cleanup_register - -#define ap_pstrdup apr_pstrdup -#define ap_pstrcat apr_pstrcat -#define ap_pcalloc apr_pcalloc -#define ap_psprintf apr_psprintf - -#define ap_base64decode_len apr_base64_decode_len -#define ap_base64decode apr_base64_decode -#define ap_base64encode_len apr_base64_encode_len -#define ap_base64encode apr_base64_encode - -#define ap_table_setn apr_table_setn -#define ap_table_add apr_table_add #else -#define ap_pstrchr_c strchr +#define apr_pstrdup ap_pstrdup +#define apr_psprintf ap_psprintf +#define apr_pstrcat ap_pstrcat +#define apr_pcalloc ap_pcalloc +#define apr_table_setn ap_table_setn +#define apr_table_add ap_table_add +#define apr_base64_decode_len ap_base64decode_len +#define apr_base64_decode ap_base64decode +#define apr_base64_encode_len ap_base64encode_len +#define apr_base64_encode ap_base64encode +#define apr_pool_cleanup_null ap_null_cleanup +#define apr_pool_cleanup_register ap_register_cleanup #endif /* STANDARD20_MODULE_STUFF */ #ifdef _WIN32 @@ -100,6 +95,7 @@ # include # define GSS_C_NT_USER_NAME gss_nt_user_name # define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name +# define GSS_KRB5_NT_PRINCIPAL_NAME gss_nt_krb5_name # define krb5_get_err_text(context,code) error_message(code) #endif #ifndef GSSAPI_SUPPORTS_SPNEGO @@ -307,7 +303,7 @@ static void *kerb_dir_create_config(MK_POOL *p, char *d) { kerb_auth_config *rec; - rec = (kerb_auth_config *) ap_pcalloc(p, sizeof(kerb_auth_config)); + rec = (kerb_auth_config *) apr_pcalloc(p, sizeof(kerb_auth_config)); ((kerb_auth_config *)rec)->krb_verify_kdc = 1; ((kerb_auth_config *)rec)->krb_service_name = NULL; ((kerb_auth_config *)rec)->krb_authoritative = 1; @@ -329,7 +325,7 @@ static const char* krb5_save_realms(cmd_parms *cmd, void *vsec, const char *arg) { kerb_auth_config *sec = (kerb_auth_config *) vsec; - sec->krb_auth_realms= ap_pstrdup(cmd->pool, arg); + sec->krb_auth_realms= apr_pstrdup(cmd->pool, arg); return NULL; } @@ -357,8 +353,8 @@ log_rerror(const char *file, int line, int level, int status, Username/Password Validation for Krb4 ***************************************************************************/ static int -verify_krb4_user(request_rec *r, char *name, char *instance, char *realm, - char *password, char *linstance, char *srvtab, int krb_verify_kdc) +verify_krb4_user(request_rec *r, const char *name, const char *instance, + const char *realm, const char *password, const char *linstance, const char *srvtab, int krb_verify_kdc) { int ret; char *phost; @@ -406,7 +402,7 @@ verify_krb4_user(request_rec *r, char *name, char *instance, char *realm, return ret; } - ret = krb_rd_req(&ticket, linstance, phost, addr, &authdata, srvtab); + ret = krb_rd_req(&ticket, (char *)linstance, phost, addr, &authdata, (char *)srvtab); if (ret) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Cannot verify krb4 ticket: krb_rd_req() failed: %s", @@ -448,13 +444,6 @@ authenticate_user_krb4pwd(request_rec *r, sent_pw = ap_pbase64decode(r->pool, auth_line); sent_name = ap_getword (r->pool, &sent_pw, ':'); - /* do not allow user to override realm setting of server */ - if (ap_strchr_c(sent_name, '@')) { - log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "specifying realm in user name is prohibited"); - return HTTP_UNAUTHORIZED; - } - sent_instance = strchr(sent_name, '.'); if (sent_instance) *sent_instance++ = '\0'; @@ -468,10 +457,10 @@ authenticate_user_krb4pwd(request_rec *r, return HTTP_INTERNAL_SERVER_ERROR; } - tkt_file_p = ap_pstrdup(r->pool, tkt_file); - ap_register_cleanup(r->pool, tkt_file_p, - krb4_cache_cleanup, ap_null_cleanup); - + tkt_file_p = apr_pstrdup(r->pool, tkt_file); + apr_pool_cleanup_register(r->pool, tkt_file_p, krb4_cache_cleanup, + apr_pool_cleanup_null); + krb_set_tkt_string(tkt_file); all_principals_unkown = 1; @@ -514,14 +503,14 @@ authenticate_user_krb4pwd(request_rec *r, goto end; } - user = ap_pstrdup(r->pool, sent_name); + user = apr_pstrdup(r->pool, sent_name); if (sent_instance) - user = ap_pstrcat(r->pool, user, ".", sent_instance, NULL); - user = ap_pstrcat(r->pool, user, "@", realm, NULL); + user = apr_pstrcat(r->pool, user, ".", sent_instance, NULL); + user = apr_pstrcat(r->pool, user, "@", realm, NULL); MK_USER = user; MK_AUTH_TYPE = "Basic"; - ap_table_setn(r->subprocess_env, "KRBTKFILE", tkt_file_p); + apr_table_setn(r->subprocess_env, "KRBTKFILE", tkt_file_p); if (!conf->krb_save_credentials) krb4_cache_cleanup(tkt_file); @@ -788,7 +777,7 @@ create_krb5_ccache(krb5_context kcontext, int ret; krb5_ccache tmp_ccache = NULL; - ccname = ap_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir); + ccname = apr_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir); fd = mkstemp(ccname + strlen("FILE:")); if (fd < 0) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, @@ -817,9 +806,9 @@ create_krb5_ccache(krb5_context kcontext, goto end; } - ap_table_setn(r->subprocess_env, "KRB5CCNAME", ccname); - ap_register_cleanup(r->pool, ccname, - krb5_cache_cleanup, ap_null_cleanup); + apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname); + apr_pool_cleanup_register(r->pool, ccname, krb5_cache_cleanup, + apr_pool_cleanup_null); *ccache = tmp_ccache; tmp_ccache = NULL; @@ -960,7 +949,7 @@ authenticate_user_krb5pwd(request_rec *r, do { name = (char *) sent_name; if (realms && (realm = ap_getword_white(r->pool, &realms))) - name = ap_psprintf(r->pool, "%s@%s", sent_name, realm); + name = apr_psprintf(r->pool, "%s@%s", sent_name, realm); if (client) { krb5_free_principal(kcontext, client); @@ -1009,7 +998,7 @@ authenticate_user_krb5pwd(request_rec *r, ret = HTTP_UNAUTHORIZED; goto end; } - MK_USER = ap_pstrdup (r->pool, name); + MK_USER = apr_pstrdup (r->pool, name); MK_AUTH_TYPE = "Basic"; free(name); @@ -1047,7 +1036,7 @@ get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix) gss_buffer_desc status_string; char *err_msg; - err_msg = ap_pstrdup(p, prefix); + err_msg = apr_pstrdup(p, prefix); do { maj_stat = gss_display_status (&min_stat, err_maj, @@ -1057,7 +1046,7 @@ get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix) &status_string); if (GSS_ERROR(maj_stat)) break; - err_msg = ap_pstrcat(p, err_msg, ": ", (char*) status_string.value, NULL); + err_msg = apr_pstrcat(p, err_msg, ": ", (char*) status_string.value, NULL); gss_release_buffer(&min_stat, &status_string); maj_stat = gss_display_status (&min_stat, @@ -1067,7 +1056,7 @@ get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix) &msg_ctx, &status_string); if (!GSS_ERROR(maj_stat)) { - err_msg = ap_pstrcat(p, err_msg, + err_msg = apr_pstrcat(p, err_msg, " (", (char*) status_string.value, ")", NULL); gss_release_buffer(&min_stat, &status_string); } @@ -1299,15 +1288,15 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, goto end; } - input_token.length = ap_base64decode_len(auth_param) + 1; - input_token.value = ap_pcalloc(r->connection->pool, input_token.length); + input_token.length = apr_base64_decode_len(auth_param) + 1; + input_token.value = apr_pcalloc(r->connection->pool, input_token.length); if (input_token.value == NULL) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "ap_pcalloc() failed (not enough memory)"); ret = HTTP_INTERNAL_SERVER_ERROR; goto end; } - input_token.length = ap_base64decode(input_token.value, auth_param); + input_token.length = apr_base64_decode(input_token.value, auth_param); #ifdef GSSAPI_SUPPORTS_SPNEGO accept_sec_token = gss_accept_sec_context; @@ -1338,8 +1327,8 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, char *token = NULL; size_t len; - len = ap_base64encode_len(output_token.length) + 1; - token = ap_pcalloc(r->connection->pool, len + 1); + len = apr_base64_encode_len(output_token.length) + 1; + token = apr_pcalloc(r->connection->pool, len + 1); if (token == NULL) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "ap_pcalloc() failed (not enough memory)"); @@ -1347,7 +1336,7 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, gss_release_buffer(&minor_status2, &output_token); goto end; } - ap_base64encode(token, output_token.value, output_token.length); + apr_base64_encode(token, output_token.value, output_token.length); token[len] = '\0'; *negotiate_ret_value = token; log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, @@ -1386,13 +1375,13 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, if (GSS_ERROR(major_status)) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "%s", get_gss_error(r->pool, major_status, minor_status, - "gss_export_name() failed")); + "gss_display_name() failed")); ret = HTTP_INTERNAL_SERVER_ERROR; goto end; } MK_AUTH_TYPE = MECH_NEGOTIATE; - MK_USER = ap_pstrdup(r->pool, output_token.value); + MK_USER = apr_pstrdup(r->pool, output_token.value); if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL) store_gss_creds(r, conf, (char *)output_token.value, delegated_cred); @@ -1450,12 +1439,12 @@ set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf, #ifdef KRB5 if (negotiate_ret_value != NULL && conf->krb_method_gssapi) { negoauth_param = (*negotiate_ret_value == '\0') ? MECH_NEGOTIATE : - ap_pstrcat(r->pool, MECH_NEGOTIATE " ", negotiate_ret_value, NULL); - ap_table_add(r->err_headers_out, header_name, negoauth_param); + apr_pstrcat(r->pool, MECH_NEGOTIATE " ", negotiate_ret_value, NULL); + apr_table_add(r->err_headers_out, header_name, negoauth_param); } if ((use_krb5pwd && conf->krb_method_k5pass) || conf->krb_delegate_basic) { - ap_table_add(r->err_headers_out, header_name, - ap_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL)); + apr_table_add(r->err_headers_out, header_name, + apr_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL)); set_basic = 1; } #endif @@ -1463,8 +1452,8 @@ set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf, #ifdef KRB4 if (!set_basic && ((use_krb4 && conf->krb_method_k4pass) || conf->krb_delegate_basic)) - ap_table_add(r->err_headers_out, header_name, - ap_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL)); + apr_table_add(r->err_headers_out, header_name, + apr_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL)); #endif } @@ -1560,6 +1549,27 @@ kerb_authenticate_user(request_rec *r) return ret; } +int +have_rcache_type(const char *type) +{ + krb5_error_code ret; + krb5_context context; + krb5_rcache id = NULL; + int found; + + ret = krb5_init_context(&context); + if (ret) + return 0; + + ret = krb5_rc_resolve_full(context, &id, "none:"); + found = (ret == 0); + + if (ret == 0) + krb5_rc_destroy(context, id); + krb5_free_context(context); + + return found; +} /*************************************************************************** Module Setup/Configuration @@ -1571,7 +1581,7 @@ kerb_module_init(server_rec *dummy, pool *p) #ifndef HEIMDAL /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later. 1.3.x are covered by the hack overiding the replay calls */ - if (getenv("KRB5RCACHETYPE") == NULL) + if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none")) putenv(strdup("KRB5RCACHETYPE=none")); #endif } @@ -1612,7 +1622,7 @@ kerb_init_handler(apr_pool_t *p, apr_pool_t *plog, #ifndef HEIMDAL /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later. 1.3.x are covered by the hack overiding the replay calls */ - if (getenv("KRB5RCACHETYPE") == NULL) + if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none")) putenv(strdup("KRB5RCACHETYPE=none")); #endif