#include "mod_auth_gssapi.h"
+const gss_OID_desc gss_mech_ntlmssp = {
+ GSS_NTLMSSP_OID_LENGTH, GSS_NTLMSSP_OID_STRING
+};
+
#define MOD_AUTH_GSSAPI_VERSION PACKAGE_NAME "/" PACKAGE_VERSION
module AP_MODULE_DECLARE_DATA auth_gssapi_module;
return false;
}
+static bool mag_acquire_creds(request_rec *req,
+ struct mag_config *cfg,
+ gss_OID_set desired_mechs,
+ gss_cred_usage_t cred_usage,
+ gss_cred_id_t *creds)
+{
+ uint32_t maj, min;
+#ifdef HAVE_CRED_STORE
+ gss_const_key_value_set_t store = cfg->cred_store;
+
+ maj = gss_acquire_cred_from(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE,
+ desired_mechs, cred_usage, store, creds,
+ NULL, NULL);
+#else
+ maj = gss_acquire_cred(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE,
+ desired_mechs, cred_usage, creds, NULL, NULL);
+#endif
+
+ if (GSS_ERROR(maj)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s",
+ mag_error(req, "gss_acquire_cred[_from]() "
+ "failed to get server creds",
+ maj, min));
+ return false;
+ }
+
+ return true;
+}
+
#ifdef HAVE_CRED_STORE
static char *escape(apr_pool_t *pool, const char *name,
char find, const char *replace)
#endif
maj = gss_acquire_cred_with_password(&min, client, &ba_pwd,
GSS_C_INDEFINITE,
- GSS_C_NO_OID_SET,
+ cfg->allowed_mechs,
GSS_C_INITIATE,
&user_cred, NULL, NULL);
if (GSS_ERROR(maj)) {
if (cfg->use_s4u2proxy) {
cred_usage = GSS_C_BOTH;
}
- if (cfg->cred_store) {
- maj = gss_acquire_cred_from(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE,
- GSS_C_NO_OID_SET, cred_usage,
- cfg->cred_store, &acquired_cred,
- NULL, NULL);
- if (GSS_ERROR(maj)) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s",
- mag_error(req, "gss_acquire_cred_from() failed",
- maj, min));
- goto done;
- }
- }
#endif
+ if (!mag_acquire_creds(req, cfg, GSS_C_NO_OID_SET,
+ cred_usage, &acquired_cred)) {
+ goto done;
+ }
if (is_basic) {
- if (!acquired_cred) {
- /* Try to acquire default creds */
- maj = gss_acquire_cred(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE,
- GSS_C_NO_OID_SET, cred_usage,
- &acquired_cred, NULL, NULL);
- if (GSS_ERROR(maj)) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req,
- "%s", mag_error(req, "gss_acquire_cred()"
- " failed", maj, min));
- goto done;
- }
- }
if (cred_usage == GSS_C_BOTH) {
/* If GSS_C_BOTH is used then inquire_cred will return the client
* name instead of the SPN of the server credentials. Therefore we
* need to acquire a different set of credential setting
* GSS_C_ACCEPT explicitly */
-#ifdef HAVE_CRED_STORE
- if (cfg->cred_store) {
- maj = gss_acquire_cred_from(&min, GSS_C_NO_NAME,
- GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
- GSS_C_ACCEPT, cfg->cred_store,
- &server_cred, NULL, NULL);
- } else {
-#else
- {
-#endif
- /* Try to acquire default creds */
- maj = gss_acquire_cred(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE,
- GSS_C_NO_OID_SET, GSS_C_ACCEPT,
- &server_cred, NULL, NULL);
- }
- if (GSS_ERROR(maj)) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s",
- mag_error(req, "gss_acquire_cred[_from]() "
- "failed to get server creds",
- maj, min));
+ if (!mag_acquire_creds(req, cfg, GSS_C_NO_OID_SET,
+ GSS_C_ACCEPT, &server_cred)) {
goto done;
}
} else {
}
}
+ if (!is_basic && cfg->allowed_mechs != GSS_C_NO_OID_SET) {
+ maj = gss_set_neg_mechs(&min, acquired_cred, cfg->allowed_mechs);
+ if (GSS_ERROR(maj)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s",
+ mag_error(req, "gss_set_neg_mechs() failed",
+ maj, min));
+ goto done;
+ }
+ }
+
maj = gss_accept_sec_context(&min, pctx, acquired_cred,
&input, GSS_C_NO_CHANNEL_BINDINGS,
&client, &mech_type, &output, &flags, &vtime,
return NULL;
}
+#define MAX_ALLOWED_MECHS 10
+
+static const char *mag_allow_mech(cmd_parms *parms, void *mconfig,
+ const char *w)
+{
+ struct mag_config *cfg = (struct mag_config *)mconfig;
+ gss_const_OID oid;
+ size_t size;
+
+ if (!cfg->allowed_mechs) {
+ cfg->allowed_mechs = apr_pcalloc(parms->pool,
+ sizeof(gss_OID_set_desc));
+ size = sizeof(gss_OID) * MAX_ALLOWED_MECHS;
+ cfg->allowed_mechs->elements = apr_palloc(parms->pool, size);
+ }
+
+ if (strcmp(w, "krb5") == 0) {
+ oid = gss_mech_krb5;
+ } else if (strcmp(w, "iakerb") == 0) {
+ oid = gss_mech_iakerb;
+ } else if (strcmp(w, "ntlmssp") == 0) {
+ oid = &gss_mech_ntlmssp;
+ } else {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
+ "Unrecognized GSSAPI Mechanism: %s", w);
+ return NULL;
+ }
+
+ if (cfg->allowed_mechs->count >= MAX_ALLOWED_MECHS) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
+ "Too many GssapiAllowedMech options (MAX: %d)",
+ MAX_ALLOWED_MECHS);
+ return NULL;
+ }
+ cfg->allowed_mechs->elements[cfg->allowed_mechs->count] = *oid;
+ cfg->allowed_mechs->count++;
+
+ return NULL;
+}
+
static const command_rec mag_commands[] = {
AP_INIT_FLAG("GssapiSSLonly", mag_ssl_only, NULL, OR_AUTHCFG,
"Work only if connection is SSL Secured"),
AP_INIT_FLAG("GssapiBasicAuth", mag_use_basic_auth, NULL, OR_AUTHCFG,
"Allows use of Basic Auth for authentication"),
#endif
+ AP_INIT_ITERATE("GssapiAllowedMech", mag_allow_mech, NULL, OR_AUTHCFG,
+ "Allowed Mechanisms"),
{ NULL }
};