X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=src%2Fmod_auth_kerb.c;h=9624ef4f8d1c933a4d2f9ce7573a4329e5b9117e;hb=a46e335d132634304af61f1205a384b51dce0d33;hp=18d217185dbacf4388d34bc9f063b3d33341397a;hpb=d1e34b4cb68f0b19f7a9f9ca69f1aa375374b8e6;p=mod_auth_kerb.cvs%2F.git diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c index 18d2171..9624ef4 100644 --- a/src/mod_auth_kerb.c +++ b/src/mod_auth_kerb.c @@ -11,7 +11,7 @@ */ /* - * Copyright (c) 2004 Masarykova universita + * Copyright (c) 2004-2005 Masarykova universita * (Masaryk University, Brno, Czech Republic) * All rights reserved. * @@ -61,9 +61,38 @@ #include #ifdef STANDARD20_MODULE_STUFF -#include #include #include + +#define ap_null_cleanup NULL +#define ap_register_cleanup apr_pool_cleanup_register + +#define ap_pstrdup apr_pstrdup +#define ap_pstrcat apr_pstrcat +#define ap_pcalloc apr_pcalloc +#define ap_psprintf apr_psprintf + +#define ap_base64decode_len apr_base64_decode_len +#define ap_base64decode apr_base64_decode +#define ap_base64encode_len apr_base64_encode_len +#define ap_base64encode apr_base64_encode + +#define ap_table_setn apr_table_setn +#define ap_table_add apr_table_add +#else +#define ap_pstrchr_c strchr +#endif /* STANDARD20_MODULE_STUFF */ + +#ifdef _WIN32 +#define vsnprintf _vsnprintf +#define snprintf _snprintf +#endif + +#ifndef KRB5_LIB_FUNCTION +# if defined(_WIN32) +# define KRB5_LIB_FUNCTION _stdcall +# else +# define KRB5_LIB_FUNCTION #endif #ifdef KRB5 @@ -91,11 +120,8 @@ #include /* gethostbyname() */ #endif /* KRB4 */ -#ifdef WIN32 -#define vsnprintf _vsnprintf -#define snprintf _snprintf -#else -/* XXX remove dependency on unistd.h ??? */ +#ifndef _WIN32 +/* should be HAVE_UNISTD_H instead */ #include #endif @@ -147,12 +173,12 @@ set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf, int use_krb4, int use_krb5pwd, char *negotiate_ret_value); static const char* -krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, char *arg); +krb5_save_realms(cmd_parms *cmd, void *sec, const char *arg); #ifdef STANDARD20_MODULE_STUFF #define command(name, func, var, type, usage) \ - AP_INIT_ ## type (name, func, \ - (void*)APR_XtOffsetOf(kerb_auth_config, var), \ + AP_INIT_ ## type (name, (void*) func, \ + (void*)APR_OFFSETOF(kerb_auth_config, var), \ OR_AUTHCFG | RSRC_CONF, usage) #else #define command(name, func, var, type, usage) \ @@ -205,7 +231,7 @@ static const command_rec kerb_auth_cmds[] = { { NULL } }; -#ifdef WIN32 +#ifdef _WIN32 int mkstemp(char *template) { @@ -245,7 +271,7 @@ mkstemp(char *template) #include "mit-internals.h" /* This is our replacement krb5_rc_store function */ -static krb5_error_code +static krb5_error_code KRB5_LIB_FUNCTION mod_auth_kerb_rc_store(krb5_context context, krb5_rcache rcache, krb5_donot_replay_internal *donot_replay) { @@ -292,14 +318,16 @@ static void *kerb_dir_create_config(MK_POOL *p, char *d) } static const char* -krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, char *arg) +krb5_save_realms(cmd_parms *cmd, void *vsec, const char *arg) { + kerb_auth_config *sec = (kerb_auth_config *) vsec; sec->krb_auth_realms= ap_pstrdup(cmd->pool, arg); return NULL; } -void log_rerror(const char *file, int line, int level, int status, - const request_rec *r, const char *fmt, ...) +static void +log_rerror(const char *file, int line, int level, int status, + const request_rec *r, const char *fmt, ...) { char errstr[1024]; va_list ap; @@ -413,7 +441,7 @@ authenticate_user_krb4pwd(request_rec *r, sent_name = ap_getword (r->pool, &sent_pw, ':'); /* do not allow user to override realm setting of server */ - if (strchr(sent_name, '@')) { + if (ap_strchr_c(sent_name, '@')) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "specifying realm in user name is prohibited"); return HTTP_UNAUTHORIZED; @@ -510,7 +538,7 @@ end: * we had to use this call instead, which is only a bit modified version of * krb5_verify_init_creds() */ static krb5_error_code -verify_krb5_init_creds(krb5_context context, krb5_creds *creds, +verify_krb5_init_creds(request_rec *r, krb5_context context, krb5_creds *creds, krb5_principal ap_req_server, krb5_keytab ap_req_keytab) { krb5_error_code ret; @@ -519,6 +547,7 @@ verify_krb5_init_creds(krb5_context context, krb5_creds *creds, krb5_creds *new_creds = NULL; krb5_auth_context auth_context = NULL; krb5_keytab keytab = NULL; + char *server_name; memset(&req, 0, sizeof(req)); @@ -530,16 +559,35 @@ verify_krb5_init_creds(krb5_context context, krb5_creds *creds, keytab = ap_req_keytab; ret = krb5_cc_resolve(context, "MEMORY:", &local_ccache); - if (ret) + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_cc_resolve() failed when verifying KDC"); return ret; + } ret = krb5_cc_initialize(context, local_ccache, creds->client); - if (ret) + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_cc_initialize() failed when verifying KDC"); goto end; + } ret = krb5_cc_store_cred (context, local_ccache, creds); - if (ret) + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_cc_initialize() failed when verifying KDC"); goto end; + } + + ret = krb5_unparse_name(context, ap_req_server, &server_name); + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_unparse_name() failed when verifying KDC"); + goto end; + } + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Trying to verify authenticity of KDC using principal %s", server_name); + free(server_name); if (!krb5_principal_compare (context, ap_req_server, creds->server)) { krb5_creds match_cred; @@ -551,25 +599,39 @@ verify_krb5_init_creds(krb5_context context, krb5_creds *creds, ret = krb5_get_credentials (context, 0, local_ccache, &match_cred, &new_creds); - if (ret) + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_get_credentials() failed when verifying KDC"); goto end; + } creds = new_creds; } ret = krb5_mk_req_extended (context, &auth_context, 0, NULL, creds, &req); - if (ret) + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_mk_req_extended() failed when verifying KDC"); goto end; + } krb5_auth_con_free (context, auth_context); auth_context = NULL; ret = krb5_auth_con_init(context, &auth_context); - if (ret) + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_auth_con_init() failed when verifying KDC"); goto end; + } /* use KRB5_AUTH_CONTEXT_DO_SEQUENCE to skip replay cache checks */ krb5_auth_con_setflags(context, auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE); ret = krb5_rd_req (context, &auth_context, &req, ap_req_server, keytab, 0, NULL); + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_rd_req() failed when verifying KDC"); + goto end; + } end: #ifdef HEIMDAL @@ -600,6 +662,7 @@ verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal, krb5_principal server = NULL; krb5_error_code ret; krb5_ccache ret_ccache = NULL; + char *name = NULL; /* XXX error messages shouldn't be logged here (and in the while() loop in * authenticate_user_krb5pwd() as weell), in order to avoid confusing log @@ -607,6 +670,13 @@ verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal, memset(&creds, 0, sizeof(creds)); + ret = krb5_unparse_name(context, principal, &name); + if (ret == 0) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Trying to get TGT for user %s", name); + free(name); + } + ret = krb5_get_init_creds_password(context, &creds, principal, (char *)password, NULL, NULL, 0, NULL, NULL); @@ -614,7 +684,7 @@ verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal, log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "krb5_get_init_creds_password() failed: %s", krb5_get_err_text(context, ret)); - return ret; + goto end; } ret = krb5_sname_to_principal(context, ap_get_server_name(r), service, @@ -639,7 +709,7 @@ verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal, */ if (krb_verify_kdc && - (ret = verify_krb5_init_creds(context, &creds, server, keytab))) { + (ret = verify_krb5_init_creds(r, context, &creds, server, keytab))) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "failed to verify krb5 credentials: %s", krb5_get_err_text(context, ret)); @@ -810,9 +880,10 @@ store_krb5_creds(krb5_context kcontext, } -int authenticate_user_krb5pwd(request_rec *r, - kerb_auth_config *conf, - const char *auth_line) +static int +authenticate_user_krb5pwd(request_rec *r, + kerb_auth_config *conf, + const char *auth_line) { const char *sent_pw = NULL; const char *sent_name = NULL; @@ -826,6 +897,7 @@ int authenticate_user_krb5pwd(request_rec *r, int ret; char *name = NULL; int all_principals_unkown; + char *p = NULL; code = krb5_init_context(&kcontext); if (code) { @@ -836,13 +908,6 @@ int authenticate_user_krb5pwd(request_rec *r, sent_pw = ap_pbase64decode(r->pool, auth_line); sent_name = ap_getword (r->pool, &sent_pw, ':'); - /* do not allow user to override realm setting of server */ - if (strchr(sent_name, '@')) { - log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "specifying realm in user name is prohibited"); - ret = HTTP_UNAUTHORIZED; - goto end; - } if (sent_pw == NULL || *sent_pw == '\0') { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, @@ -854,10 +919,21 @@ int authenticate_user_krb5pwd(request_rec *r, if (conf->krb_5_keytab) krb5_kt_resolve(kcontext, conf->krb_5_keytab, &keytab); + p = strchr(sent_name, '@'); + if (p) { + *p++ = '\0'; + if (conf->krb_auth_realms && !ap_find_token(r->pool, conf->krb_auth_realms, p)) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Specified realm `%s' not allowed by configuration", p); + ret = HTTP_UNAUTHORIZED; + goto end; + } + } + + realms = (p) ? p : conf->krb_auth_realms; all_principals_unkown = 1; - realms = conf->krb_auth_realms; do { - name = sent_name; + name = (char *) sent_name; if (realms && (realm = ap_getword_white(r->pool, &realms))) name = ap_psprintf(r->pool, "%s@%s", sent_name, realm); @@ -921,7 +997,7 @@ int authenticate_user_krb5pwd(request_rec *r, end: log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "kerb_authenticate_user_krb5pwd ret=%d user=%s authtype=%s", - ret, (MK_USER)?MK_USER:"(NULL)", MK_AUTH_TYPE); + ret, (MK_USER)?MK_USER:"(NULL)", (MK_AUTH_TYPE)?MK_AUTH_TYPE:"(NULL)"); if (client) krb5_free_principal(kcontext, client); if (ccache) @@ -1140,8 +1216,8 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, int ret; gss_name_t client_name = GSS_C_NO_NAME; gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL; - OM_uint32 - (*accept_sec_token)(OM_uint32 *, gss_ctx_id_t *, const gss_cred_id_t, + OM_uint32 (KRB5_LIB_FUNCTION *accept_sec_token) + (OM_uint32 *, gss_ctx_id_t *, const gss_cred_id_t, const gss_buffer_t, const gss_channel_bindings_t, gss_name_t *, gss_OID *, gss_buffer_t, OM_uint32 *, OM_uint32 *, gss_cred_id_t *); @@ -1167,6 +1243,10 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, } sprintf(ktname, "KRB5_KTNAME=%s", conf->krb_5_keytab); putenv(ktname); +#ifdef HEIMDAL + /* Seems to be also supported by latest MIT */ + gsskrb5_register_acceptor_identity(conf->krb_5_keytab); +#endif } ret = get_gss_creds(r, conf, &server_creds); @@ -1234,6 +1314,7 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, "GSS-API token of length %d bytes will be sent back", output_token.length); gss_release_buffer(&minor_status2, &output_token); + set_kerb_auth_headers(r, conf, 0, 0, *negotiate_ret_value); } if (GSS_ERROR(major_status)) { @@ -1276,9 +1357,6 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL) store_gss_creds(r, conf, (char *)output_token.value, delegated_cred); - if (*negotiate_ret_value) - set_kerb_auth_headers(r, conf, 0, 0, *negotiate_ret_value); - gss_release_buffer(&minor_status, &output_token); ret = OK; @@ -1350,7 +1428,8 @@ set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf, #endif } -int kerb_authenticate_user(request_rec *r) +static int +kerb_authenticate_user(request_rec *r) { kerb_auth_config *conf = (kerb_auth_config *) ap_get_module_config(r->per_dir_config, @@ -1472,7 +1551,8 @@ kerb_init_handler(apr_pool_t *p, apr_pool_t *plog, return OK; } -void kerb_register_hooks(apr_pool_t *p) +static void +kerb_register_hooks(apr_pool_t *p) { ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE); ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE);