+static bool mag_acquire_creds(request_rec *req,
+ struct mag_config *cfg,
+ gss_OID_set desired_mechs,
+ gss_cred_usage_t cred_usage,
+ gss_cred_id_t *creds,
+ gss_OID_set *actual_mechs)
+{
+ uint32_t maj, min;
+#ifdef HAVE_CRED_STORE
+ gss_const_key_value_set_t store = cfg->cred_store;
+
+ maj = gss_acquire_cred_from(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE,
+ desired_mechs, cred_usage, store, creds,
+ actual_mechs, NULL);
+#else
+ maj = gss_acquire_cred(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE,
+ desired_mechs, cred_usage, creds,
+ actual_mechs, NULL);
+#endif
+
+ if (GSS_ERROR(maj)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s",
+ mag_error(req, "gss_acquire_cred[_from]() "
+ "failed to get server creds",
+ maj, min));
+ return false;
+ }
+
+ return true;
+}
+
+#ifdef HAVE_CRED_STORE
+static char *escape(apr_pool_t *pool, const char *name,
+ char find, const char *replace)
+{
+ char *escaped = NULL;
+ char *namecopy;
+ char *n;
+ char *p;
+
+ namecopy = apr_pstrdup(pool, name);
+
+ p = strchr(namecopy, find);
+ if (!p) return namecopy;
+
+ /* first segment */
+ n = namecopy;
+ while (p) {
+ /* terminate previous segment */
+ *p = '\0';
+ if (escaped) {
+ escaped = apr_pstrcat(pool, escaped, n, replace, NULL);
+ } else {
+ escaped = apr_pstrcat(pool, n, replace, NULL);
+ }
+ /* move to next segment */
+ n = p + 1;
+ p = strchr(n, find);
+ }
+ /* append last segment if any */
+ if (*n) {
+ escaped = apr_pstrcat(pool, escaped, n, NULL);
+ }
+
+ return escaped;
+}
+
+static char *mag_gss_name_to_ccache_name(request_rec *req,
+ char *dir, const char *gss_name)
+{
+ char *escaped;
+
+ /* We need to escape away '/', we can't have path separators in
+ * a ccache file name */
+ /* first double escape the esacping char (~) if any */
+ escaped = escape(req->pool, gss_name, '~', "~~");
+ /* then escape away the separator (/) if any */
+ escaped = escape(req->pool, escaped, '/', "~");
+
+ return apr_psprintf(req->pool, "%s/%s", dir, escaped);
+}
+
+static void mag_set_KRB5CCANME(request_rec *req, char *ccname)
+{
+ apr_status_t status;
+ apr_finfo_t finfo;
+ char *value;
+
+ status = apr_stat(&finfo, ccname, APR_FINFO_MIN, req->pool);
+ if (status != APR_SUCCESS && status != APR_INCOMPLETE) {
+ /* set the file cache anyway, but warn */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
+ "KRB5CCNAME file (%s) lookup failed!", ccname);
+ }
+
+ value = apr_psprintf(req->pool, "FILE:%s", ccname);
+ apr_table_set(req->subprocess_env, "KRB5CCNAME", value);
+}
+
+static void mag_store_deleg_creds(request_rec *req,
+ char *dir, char *clientname,
+ gss_cred_id_t delegated_cred,
+ char **ccachefile)
+{
+ gss_key_value_element_desc element;
+ gss_key_value_set_desc store;
+ char *ccname;
+ uint32_t maj, min;
+ element.key = "ccache";
+ store.elements = &element;
+ store.count = 1;
+
+ ccname = mag_gss_name_to_ccache_name(req, dir, clientname);
+ element.value = apr_psprintf(req->pool, "FILE:%s", ccname);
+
+ maj = gss_store_cred_into(&min, delegated_cred, GSS_C_INITIATE,
+ GSS_C_NULL_OID, 1, 1, &store, NULL, NULL);
+ if (GSS_ERROR(maj)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s",
+ mag_error(req, "failed to store delegated creds",
+ maj, min));
+ }
+
+ *ccachefile = ccname;
+}
+#endif
+
+static bool parse_auth_header(apr_pool_t *pool, const char **auth_header,
+ gss_buffer_t value)
+{
+ char *auth_header_value;
+
+ auth_header_value = ap_getword_white(pool, auth_header);
+ if (!auth_header_value) return false;
+ value->length = apr_base64_decode_len(auth_header_value) + 1;
+ value->value = apr_pcalloc(pool, value->length);
+ if (!value->value) return false;
+ value->length = apr_base64_decode(value->value, auth_header_value);
+
+ return true;
+}
+
+static bool is_mech_allowed(struct mag_config *cfg, gss_const_OID mech)
+{
+ if (cfg->allowed_mechs == GSS_C_NO_OID_SET) return true;
+
+ for (int i = 0; i < cfg->allowed_mechs->count; i++) {
+ if (gss_oid_equal(&cfg->allowed_mechs->elements[i], mech)) {
+ return true;
+ }
+ }
+ return false;
+}
+
+#define AUTH_TYPE_NEGOTIATE 0
+#define AUTH_TYPE_BASIC 1
+#define AUTH_TYPE_RAW_NTLM 2
+const char *auth_types[] = {
+ "Negotiate",
+ "Basic",
+ "NTLM",
+ NULL
+};
+
+static void mag_set_req_data(request_rec *req,
+ struct mag_config *cfg,
+ struct mag_conn *mc)
+{
+ apr_table_set(req->subprocess_env, "GSS_NAME", mc->gss_name);
+ apr_table_set(req->subprocess_env, "GSS_SESSION_EXPIRATION",
+ apr_psprintf(req->pool,
+ "%ld", (long)mc->expiration));
+ req->ap_auth_type = apr_pstrdup(req->pool,
+ auth_types[mc->auth_type]);
+ req->user = apr_pstrdup(req->pool, mc->user_name);
+ if (cfg->deleg_ccache_dir && mc->delegated) {
+ char *ccname;
+ ccname = mag_gss_name_to_ccache_name(req,
+ cfg->deleg_ccache_dir,
+ mc->gss_name);
+ if (ccname) {
+ mag_set_KRB5CCANME(req, ccname);
+ }
+ }
+}
+