1 /* Copyright (C) 2014 mod_auth_gssapi authors - See COPYING for (C) terms */
3 #include "mod_auth_gssapi.h"
4 #include "asn1c/GSSSessionData.h"
6 APLOG_USE_MODULE(auth_gssapi);
8 static APR_OPTIONAL_FN_TYPE(ap_session_load) *mag_sess_load_fn = NULL;
9 static APR_OPTIONAL_FN_TYPE(ap_session_get) *mag_sess_get_fn = NULL;
10 static APR_OPTIONAL_FN_TYPE(ap_session_set) *mag_sess_set_fn = NULL;
12 void mag_post_config_session(void)
14 mag_sess_load_fn = APR_RETRIEVE_OPTIONAL_FN(ap_session_load);
15 mag_sess_get_fn = APR_RETRIEVE_OPTIONAL_FN(ap_session_get);
16 mag_sess_set_fn = APR_RETRIEVE_OPTIONAL_FN(ap_session_set);
19 static apr_status_t mag_session_load(request_rec *req, session_rec **sess)
21 if (mag_sess_load_fn) {
22 return mag_sess_load_fn(req, sess);
27 static apr_status_t mag_session_get(request_rec *req, session_rec *sess,
28 const char *key, const char **value)
30 if (mag_sess_get_fn) {
31 return mag_sess_get_fn(req, sess, key, value);
36 static apr_status_t mag_session_set(request_rec *req, session_rec *sess,
37 const char *key, const char *value)
39 if (mag_sess_set_fn) {
40 return mag_sess_set_fn(req, sess, key, value);
45 static bool encode_GSSSessionData(apr_pool_t *mempool,
46 GSSSessionData_t *gsessdata,
47 unsigned char **buf, int *len)
50 unsigned char *buffer = NULL;
54 /* dry run to compute the size */
55 rval = der_encode(&asn_DEF_GSSSessionData, gsessdata, NULL, NULL);
56 if (rval.encoded == -1) goto done;
58 buflen = rval.encoded;
59 buffer = apr_pcalloc(mempool, buflen);
62 rval = der_encode_to_buffer(&asn_DEF_GSSSessionData,
63 gsessdata, buffer, buflen);
64 if (rval.encoded == -1) goto done;
74 static GSSSessionData_t *decode_GSSSessionData(void *buf, size_t len)
76 GSSSessionData_t *gsessdata = NULL;
79 rval = ber_decode(NULL, &asn_DEF_GSSSessionData,
80 (void **)&gsessdata, buf, len);
81 if (rval.code == RC_OK) {
87 #define MAG_BEARER_KEY "MagBearerToken"
89 void mag_check_session(request_rec *req,
90 struct mag_config *cfg, struct mag_conn **conn)
94 session_rec *sess = NULL;
95 const char *sessval = NULL;
97 struct databuf ctxbuf = { 0 };
98 struct databuf cipherbuf = { 0 };
99 GSSSessionData_t *gsessdata;
102 rc = mag_session_load(req, &sess);
103 if (rc != OK || sess == NULL) {
104 ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, req,
105 "Sessions not available, no cookies!");
111 mc = apr_pcalloc(req->pool, sizeof(struct mag_conn));
114 mc->parent = req->pool;
118 rc = mag_session_get(req, sess, MAG_BEARER_KEY, &sessval);
120 ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
121 "Failed to get session data!");
125 /* no session established, just return */
129 if (!cfg->mag_skey) {
130 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req,
131 "Session key not available, no cookies!");
132 /* we do not have a key, just return */
137 declen = apr_base64_decode_len(sessval);
138 cipherbuf.value = apr_palloc(req->pool, declen);
139 if (!cipherbuf.value) return;
140 cipherbuf.length = (int)apr_base64_decode((char *)cipherbuf.value, sessval);
142 rc = UNSEAL_BUFFER(req->pool, cfg->mag_skey, &cipherbuf, &ctxbuf);
144 ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
145 "Failed to unseal session data!");
149 gsessdata = decode_GSSSessionData(ctxbuf.value, ctxbuf.length);
151 ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
152 "Failed to unpack session data!");
157 if (gsessdata->established != 0) mc->established = true;
158 if (gsessdata->delegated != 0) mc->delegated = true;
161 expiration = gsessdata->expiration;
162 if (expiration < time(NULL)) {
163 /* credentials fully expired, return nothing */
168 mc->user_name = apr_pstrndup(mc->parent,
169 (char *)gsessdata->username.buf,
170 gsessdata->username.size);
171 if (!mc->user_name) goto done;
174 mc->gss_name = apr_pstrndup(mc->parent,
175 (char *)gsessdata->gssname.buf,
176 gsessdata->gssname.size);
177 if (!mc->gss_name) goto done;
179 mc->basic_hash.length = gsessdata->basichash.size;
180 mc->basic_hash.value = apr_palloc(mc->parent, mc->basic_hash.length);
181 memcpy(mc->basic_hash.value,
182 gsessdata->basichash.buf, gsessdata->basichash.size);
184 /* OK we have a valid token */
185 mc->established = true;
188 ASN_STRUCT_FREE(asn_DEF_GSSSessionData, gsessdata);
191 void mag_attempt_session(request_rec *req,
192 struct mag_config *cfg, struct mag_conn *mc)
194 session_rec *sess = NULL;
195 struct databuf plainbuf = { 0 };
196 struct databuf cipherbuf = { 0 };
197 struct databuf ctxbuf = { 0 };
198 GSSSessionData_t gsessdata = { 0 };
202 /* we save the session only if the authentication is established */
204 if (!mc->established) return;
205 rc = mag_session_load(req, &sess);
206 if (rc != OK || sess == NULL) {
207 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req,
208 "Sessions not available, can't send cookies!");
212 if (!cfg->mag_skey) {
213 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req,
214 "Session key not available, generating new one.");
215 rc = SEAL_KEY_CREATE(cfg->pool, &cfg->mag_skey, NULL);
217 ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
218 "Failed to create sealing key!");
223 gsessdata.established = mc->established?1:0;
224 gsessdata.delegated = mc->delegated?1:0;
225 gsessdata.expiration = mc->expiration;
226 if (OCTET_STRING_fromString(&gsessdata.username, mc->user_name) != 0)
228 if (OCTET_STRING_fromString(&gsessdata.gssname, mc->gss_name) != 0)
230 if (OCTET_STRING_fromBuf(&gsessdata.basichash,
231 (const char *)mc->basic_hash.value,
232 mc->basic_hash.length) != 0)
234 ret = encode_GSSSessionData(req->pool, &gsessdata,
235 &plainbuf.value, &plainbuf.length);
237 ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
238 "Failed to pack session data!");
242 rc = SEAL_BUFFER(req->pool, cfg->mag_skey, &plainbuf, &cipherbuf);
244 ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
245 "Failed to seal session data!");
249 ctxbuf.length = apr_base64_encode_len(cipherbuf.length);
250 ctxbuf.value = apr_pcalloc(req->pool, ctxbuf.length);
251 if (!ctxbuf.value) goto done;
253 ctxbuf.length = apr_base64_encode((char *)ctxbuf.value,
254 (char *)cipherbuf.value,
257 rc = mag_session_set(req, sess, MAG_BEARER_KEY, (char *)ctxbuf.value);
259 ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
260 "Failed to set session data!");
264 ASN_STRUCT_FREE_CONTENTS_ONLY(asn_DEF_GSSSessionData, &gsessdata);
267 static int mag_basic_hmac(struct seal_key *key, unsigned char *mac,
268 gss_buffer_desc user, gss_buffer_desc pwd)
270 struct databuf hmacbuf = { mac, 0 };
271 int data_size = user.length + pwd.length + 1;
272 unsigned char data[data_size];
273 struct databuf databuf = { data, data_size };
275 memcpy(data, user.value, user.length);
276 data[user.length] = '\0';
277 memcpy(&data[user.length + 1], pwd.value, pwd.length);
279 return HMAC_BUFFER(key, &databuf, &hmacbuf);
282 static int mag_get_mac_size(struct mag_config *cfg)
286 if (!cfg->mag_skey) {
287 ap_log_perror(APLOG_MARK, APLOG_INFO, 0, cfg->pool,
288 "Session key not available, generating new one.");
289 rc = SEAL_KEY_CREATE(cfg->pool, &cfg->mag_skey, NULL);
291 ap_log_perror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, cfg->pool,
292 "Failed to create sealing key!");
297 return get_mac_size(cfg->mag_skey);
300 bool mag_basic_check(struct mag_config *cfg, struct mag_conn *mc,
301 gss_buffer_desc user, gss_buffer_desc pwd)
303 int mac_size = mag_get_mac_size(cfg);
304 unsigned char mac[mac_size];
308 if (mac_size == 0) return false;
309 if (mc->basic_hash.value == NULL) return false;
311 ret = mag_basic_hmac(cfg->mag_skey, mac, user, pwd);
312 if (ret != 0) goto done;
314 for (i = 0, j = 0; i < mac_size; i++) {
315 if (mc->basic_hash.value[i] != mac[i]) j++;
317 if (j == 0) res = true;
321 mc->basic_hash.value = NULL;
322 mc->basic_hash.length = 0;
327 void mag_basic_cache(struct mag_config *cfg, struct mag_conn *mc,
328 gss_buffer_desc user, gss_buffer_desc pwd)
330 int mac_size = mag_get_mac_size(cfg);
331 unsigned char mac[mac_size];
334 ret = mag_basic_hmac(cfg->mag_skey, mac, user, pwd);
335 if (ret != 0) return;
337 mc->basic_hash.length = mac_size;
338 mc->basic_hash.value = apr_palloc(mc->parent, mac_size);
339 memcpy(mc->basic_hash.value, mac, mac_size);