X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=src%2Fmod_auth_kerb.c;h=c81d16cbd7d1f10f6d150f80504a5b004539018c;hb=50472b1baa359201a3dc84c5e2cc8dc4009c2210;hp=f567ab69c2e9372fb0e2c669eb3cf077aaf69672;hpb=f96433a73974106190c1df779afc8d8f7edcc959;p=mod_auth_kerb.cvs%2F.git

diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c
index f567ab6..c81d16c 100644
--- a/src/mod_auth_kerb.c
+++ b/src/mod_auth_kerb.c
@@ -50,7 +50,7 @@
 #include <stdio.h>
 #include <stdarg.h>
 
-#define MODAUTHKERB_VERSION "5.0"
+#define MODAUTHKERB_VERSION "5.2"
 
 #define MECH_NEGOTIATE "Negotiate"
 #define SERVICE_NAME "HTTP"
@@ -118,6 +118,14 @@
 #include <unistd.h>
 #endif
 
+#ifndef KRB5_LIB_FUNCTION
+#  if defined(_WIN32)
+#    define KRB5_LIB_FUNCTION _stdcall
+#  else
+#    define KRB5_LIB_FUNCTION
+#  endif
+#endif
+
 #ifdef STANDARD20_MODULE_STUFF
 module AP_MODULE_DECLARE_DATA auth_kerb_module;
 #else
@@ -353,8 +361,8 @@ log_rerror(const char *file, int line, int level, int status,
  Username/Password Validation for Krb4
  ***************************************************************************/
 static int
-verify_krb4_user(request_rec *r, char *name, char *instance, char *realm,
-      		 char *password, char *linstance, char *srvtab, int krb_verify_kdc)
+verify_krb4_user(request_rec *r, const char *name, const char *instance,
+                 const char *realm, const char *password, const char *linstance, const char *srvtab, int krb_verify_kdc)
 {
    int ret;
    char *phost;
@@ -402,7 +410,7 @@ verify_krb4_user(request_rec *r, char *name, char *instance, char *realm,
       return ret;
    }
 
-   ret = krb_rd_req(&ticket, linstance, phost, addr, &authdata, srvtab);
+   ret = krb_rd_req(&ticket, (char *)linstance, phost, addr, &authdata, (char *)srvtab);
    if (ret) {
       log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 	         "Cannot verify krb4 ticket: krb_rd_req() failed: %s",
@@ -444,13 +452,6 @@ authenticate_user_krb4pwd(request_rec *r,
    sent_pw = ap_pbase64decode(r->pool, auth_line);
    sent_name = ap_getword (r->pool, &sent_pw, ':');
 
-   /* do not allow user to override realm setting of server */
-   if (ap_strchr_c(sent_name, '@')) {
-      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-	         "specifying realm in user name is prohibited");
-      return HTTP_UNAUTHORIZED;
-   }
-
    sent_instance = strchr(sent_name, '.');
    if (sent_instance)
       *sent_instance++ = '\0'; 
@@ -464,10 +465,10 @@ authenticate_user_krb4pwd(request_rec *r,
       return HTTP_INTERNAL_SERVER_ERROR;
    }
 
-   tkt_file_p = ap_pstrdup(r->pool, tkt_file);
-   ap_register_cleanup(r->pool, tkt_file_p,
-	               krb4_cache_cleanup, ap_null_cleanup);
-
+   tkt_file_p = apr_pstrdup(r->pool, tkt_file);
+   apr_pool_cleanup_register(r->pool, tkt_file_p, krb4_cache_cleanup,
+	                     apr_pool_cleanup_null);
+   
    krb_set_tkt_string(tkt_file);
 
    all_principals_unkown = 1;
@@ -510,14 +511,14 @@ authenticate_user_krb4pwd(request_rec *r,
       goto end;
    }
 
-   user = ap_pstrdup(r->pool, sent_name);
+   user = apr_pstrdup(r->pool, sent_name);
    if (sent_instance)
-      user = ap_pstrcat(r->pool, user, ".", sent_instance, NULL);
-   user = ap_pstrcat(r->pool, user, "@", realm, NULL);
+      user = apr_pstrcat(r->pool, user, ".", sent_instance, NULL);
+   user = apr_pstrcat(r->pool, user, "@", realm, NULL);
 
    MK_USER = user;
    MK_AUTH_TYPE = "Basic";
-   ap_table_setn(r->subprocess_env, "KRBTKFILE", tkt_file_p);
+   apr_table_setn(r->subprocess_env, "KRBTKFILE", tkt_file_p);
 
    if (!conf->krb_save_credentials)
       krb4_cache_cleanup(tkt_file);
@@ -1036,14 +1037,18 @@ end:
  ********************************************************************/
 
 static const char *
-get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix)
+get_gss_error(request_rec *r, OM_uint32 err_maj, OM_uint32 err_min, char *prefix)
 {
    OM_uint32 maj_stat, min_stat; 
    OM_uint32 msg_ctx = 0;
    gss_buffer_desc status_string;
    char *err_msg;
 
-   err_msg = apr_pstrdup(p, prefix);
+   log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+	      "GSS-API major_status:%8.8x, minor_status:%8.8x",
+	      err_maj, err_min);
+
+   err_msg = apr_pstrdup(r->pool, prefix);
    do {
       maj_stat = gss_display_status (&min_stat,
 	                             err_maj,
@@ -1051,11 +1056,16 @@ get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix)
 				     GSS_C_NO_OID,
 				     &msg_ctx,
 				     &status_string);
-      if (GSS_ERROR(maj_stat))
-	 break;
-      err_msg = apr_pstrcat(p, err_msg, ": ", (char*) status_string.value, NULL);
-      gss_release_buffer(&min_stat, &status_string);
-      
+      if (!GSS_ERROR(maj_stat)) {
+         err_msg = apr_pstrcat(r->pool, err_msg, ": ",
+	                       (char*) status_string.value, NULL);
+	 gss_release_buffer(&min_stat, &status_string);
+      }
+   } while (!GSS_ERROR(maj_stat) && msg_ctx != 0);
+
+   msg_ctx = 0;
+   err_msg = apr_pstrcat(r->pool, err_msg, " (", NULL);
+   do {
       maj_stat = gss_display_status (&min_stat,
 	                             err_min,
 				     GSS_C_MECH_CODE,
@@ -1063,11 +1073,12 @@ get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix)
 				     &msg_ctx,
 				     &status_string);
       if (!GSS_ERROR(maj_stat)) {
-	 err_msg = apr_pstrcat(p, err_msg,
-	                      " (", (char*) status_string.value, ")", NULL);
+	 err_msg = apr_pstrcat(r->pool, err_msg, ", ",
+	                       (char *) status_string.value, NULL);
 	 gss_release_buffer(&min_stat, &status_string);
       }
    } while (!GSS_ERROR(maj_stat) && msg_ctx != 0);
+   err_msg = apr_pstrcat(r->pool, err_msg, ")", NULL);
 
    return err_msg;
 }
@@ -1107,7 +1118,7 @@ store_gss_creds(request_rec *r, kerb_auth_config *conf, char *princ_name,
    if (GSS_ERROR(maj_stat)) {
       log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 	 "Cannot store delegated credential (%s)", 
-	 get_gss_error(r->pool, maj_stat, min_stat, "gss_krb5_copy_ccache"));
+	 get_gss_error(r, maj_stat, min_stat, "gss_krb5_copy_ccache"));
       goto end;
    }
 
@@ -1153,7 +1164,7 @@ get_gss_creds(request_rec *r,
    memset(&token, 0, sizeof(token));
    if (GSS_ERROR(major_status)) {
       log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-	         "%s", get_gss_error(r->pool, major_status, minor_status,
+	         "%s", get_gss_error(r, major_status, minor_status,
 		 "gss_import_name() failed"));
       return HTTP_INTERNAL_SERVER_ERROR;
    }
@@ -1163,7 +1174,7 @@ get_gss_creds(request_rec *r,
       /* Perhaps we could just ignore this error but it's safer to give up now,
          I think */
       log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-	         "%s", get_gss_error(r->pool, major_status, minor_status,
+	         "%s", get_gss_error(r, major_status, minor_status,
 		                     "gss_display_name() failed"));
       return HTTP_INTERNAL_SERVER_ERROR;
    }
@@ -1178,7 +1189,7 @@ get_gss_creds(request_rec *r,
    gss_release_name(&minor_status2, &server_name);
    if (GSS_ERROR(major_status)) {
       log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-	         "%s", get_gss_error(r->pool, major_status, minor_status,
+	         "%s", get_gss_error(r, major_status, minor_status,
 		 		     "gss_acquire_cred() failed"));
       return HTTP_INTERNAL_SERVER_ERROR;
    }
@@ -1257,6 +1268,7 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
   gss_OID_desc spnego_oid;
   gss_ctx_id_t context = GSS_C_NO_CONTEXT;
   gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL;
+  OM_uint32 ret_flags = 0;
 
   *negotiate_ret_value = "\0";
 
@@ -1325,11 +1337,12 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
 				  &client_name,
 				  NULL,
 				  &output_token,
-				  NULL,
+				  &ret_flags,
 				  NULL,
 				  &delegated_cred);
   log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-	     "Verification returned code %d", major_status);
+	     "Client %s us their credential",
+	     (ret_flags & GSS_C_DELEG_FLAG) ? "sent" : "didn't send");
   if (output_token.length) {
      char *token = NULL;
      size_t len;
@@ -1359,7 +1372,7 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
 	          "Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.");
 
      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-	        "%s", get_gss_error(r->pool, major_status, minor_status,
+	        "%s", get_gss_error(r, major_status, minor_status,
 		                    "gss_accept_sec_context() failed"));
      /* Don't offer the Negotiate method again if call to GSS layer failed */
      *negotiate_ret_value = NULL;
@@ -1381,7 +1394,7 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
   gss_release_name(&minor_status, &client_name); 
   if (GSS_ERROR(major_status)) {
     log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-	       "%s", get_gss_error(r->pool, major_status, minor_status,
+	       "%s", get_gss_error(r, major_status, minor_status,
 		                   "gss_display_name() failed"));
     ret = HTTP_INTERNAL_SERVER_ERROR;
     goto end;
@@ -1459,8 +1472,8 @@ set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf,
 #ifdef KRB4
    if (!set_basic && 
        ((use_krb4 && conf->krb_method_k4pass) || conf->krb_delegate_basic))
-      ap_table_add(r->err_headers_out, header_name,
-		  ap_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL));
+      apr_table_add(r->err_headers_out, header_name,
+		  apr_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL));
 #endif
 }
 
@@ -1561,18 +1574,18 @@ have_rcache_type(const char *type)
 {
    krb5_error_code ret;
    krb5_context context;
-   krb5_rcache id;
+   krb5_rcache id = NULL;
    int found;
 
-   memset(&id, 0, sizeof(id));
-
    ret = krb5_init_context(&context);
    if (ret)
       return 0;
 
-   ret = krb5_rc_resolve_type(context, &id, type);
+   ret = krb5_rc_resolve_full(context, &id, "none:");
    found = (ret == 0);
 
+   if (ret == 0)
+      krb5_rc_destroy(context, id);
    krb5_free_context(context);
 
    return found;