return msg_ret;
}
-static char *mag_error(request_rec *req, const char *msg,
- uint32_t maj, uint32_t min)
+char *mag_error(request_rec *req, const char *msg, uint32_t maj, uint32_t min)
{
char *msg_maj;
char *msg_min;
struct mag_config *cfg,
gss_buffer_desc ba_user,
gss_buffer_desc ba_pwd,
- gss_cred_usage_t cred_usage,
gss_name_t *client,
gss_OID *mech_type,
gss_cred_id_t *delegated_cred,
gss_name_t server = GSS_C_NO_NAME;
gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL;
gss_ctx_id_t server_ctx = GSS_C_NO_CONTEXT;
- gss_cred_id_t acquired_cred = GSS_C_NO_CREDENTIAL;
gss_buffer_desc input = GSS_C_EMPTY_BUFFER;
gss_buffer_desc output = GSS_C_EMPTY_BUFFER;
gss_OID_set allowed_mechs;
/* must acquire creds based on the actual mechs we want to try */
if (!mag_acquire_creds(req, cfg, actual_mechs,
- cred_usage, &acquired_cred, NULL)) {
+ GSS_C_ACCEPT, &server_cred, NULL)) {
goto done;
}
- if (cred_usage == GSS_C_BOTH) {
- /* must acquire with GSS_C_ACCEPT to get the server name */
- if (!mag_acquire_creds(req, cfg, actual_mechs,
- GSS_C_ACCEPT, &server_cred, NULL)) {
- goto done;
- }
- } else {
- server_cred = acquired_cred;
- }
-
#ifdef HAVE_CRED_STORE
if (cfg->deleg_ccache_dir) {
/* delegate ourselves credentials so we store them as requested */
break;
}
gss_release_buffer(&min, &output);
- maj = gss_accept_sec_context(&min, &server_ctx, acquired_cred,
+ maj = gss_accept_sec_context(&min, &server_ctx, server_cred,
&input, GSS_C_NO_CHANNEL_BINDINGS,
client, mech_type, &output, NULL,
vtime, delegated_cred);
gss_release_buffer(&min, &output);
gss_release_buffer(&min, &input);
gss_release_name(&min, &server);
- if (server_cred != acquired_cred)
- gss_release_cred(&min, &server_cred);
gss_delete_sec_context(&min, &server_ctx, GSS_C_NO_BUFFER);
- gss_release_cred(&min, &acquired_cred);
+ gss_release_cred(&min, &server_cred);
gss_release_name(&min, &user);
gss_release_cred(&min, &user_cred);
gss_delete_sec_context(&min, &user_ctx, GSS_C_NO_BUFFER);
return req_cfg;
}
+#ifdef HAVE_CRED_STORE
static bool use_s4u2proxy(struct mag_req_cfg *req_cfg) {
if (req_cfg->cfg->use_s4u2proxy) {
if (req_cfg->cfg->deleg_ccache_dir != NULL) {
}
return false;
}
+#endif
static int mag_auth(request_rec *req)
{
gss_buffer_desc lname = GSS_C_EMPTY_BUFFER;
struct mag_conn *mc = NULL;
int i;
+ bool send_auth_header = true;
type = ap_auth_type(req);
if ((type == NULL) || (strcasecmp(type, "GSSAPI") != 0)) {
auth_header_type = ap_getword_white(req->pool, &auth_header);
if (!auth_header_type) goto done;
+ /* We got auth header, sending auth header would mean re-auth */
+ send_auth_header = !cfg->negotiate_once;
+
for (i = 0; auth_types[i] != NULL; i++) {
if (strcasecmp(auth_header_type, auth_types[i]) == 0) {
auth_type = i;
if (auth_type == AUTH_TYPE_BASIC) {
if (mag_auth_basic(req, cfg, ba_user, ba_pwd,
- cred_usage, &client, &mech_type,
+ &client, &mech_type,
&delegated_cred, &vtime)) {
goto complete;
}
maj, min));
goto done;
}
+
mc->gss_name = apr_pstrndup(req->pool, name.value, name.length);
if (vtime == GSS_C_INDEFINITE || vtime < MIN_SESS_EXP_TIME) {
vtime = MIN_SESS_EXP_TIME;
}
mc->expiration = time(NULL) + vtime;
+ mag_get_name_attributes(req, cfg, client, mc);
+
#ifdef HAVE_CRED_STORE
if (cfg->deleg_ccache_dir && delegated_cred != GSS_C_NO_CREDENTIAL) {
mag_store_deleg_creds(req, cfg->deleg_ccache_dir, mc->gss_name,
apr_table_add(req->err_headers_out, req_cfg->rep_proto, reply);
}
} else if (ret == HTTP_UNAUTHORIZED) {
- apr_table_add(req->err_headers_out, req_cfg->rep_proto, "Negotiate");
-
- if (is_mech_allowed(desired_mechs, gss_mech_ntlmssp,
- cfg->gss_conn_ctx)) {
- apr_table_add(req->err_headers_out, req_cfg->rep_proto, "NTLM");
+ if (send_auth_header) {
+ apr_table_add(req->err_headers_out,
+ req_cfg->rep_proto, "Negotiate");
+ if (is_mech_allowed(desired_mechs, gss_mech_ntlmssp,
+ cfg->gss_conn_ctx)) {
+ apr_table_add(req->err_headers_out, req_cfg->rep_proto,
+ "NTLM");
+ }
}
if (cfg->use_basic_auth) {
apr_table_add(req->err_headers_out, req_cfg->rep_proto,
return NULL;
}
+static const char *mag_negotiate_once(cmd_parms *parms, void *mconfig, int on)
+{
+ struct mag_config *cfg = (struct mag_config *)mconfig;
+
+ cfg->negotiate_once = on ? true : false;
+ return NULL;
+}
+
+#define GSS_NAME_ATTR_USERDATA "GSS Name Attributes Userdata"
+
+static apr_status_t mag_name_attrs_cleanup(void *data)
+{
+ struct mag_config *cfg = (struct mag_config *)data;
+ free(cfg->name_attributes);
+ cfg->name_attributes = NULL;
+ return 0;
+}
+
+static const char *mag_name_attrs(cmd_parms *parms, void *mconfig,
+ const char *w)
+{
+ struct mag_config *cfg = (struct mag_config *)mconfig;
+ void *tmp_na;
+ size_t size = 0;
+ char *p;
+ int c;
+
+ if (!cfg->name_attributes) {
+ size = sizeof(struct mag_name_attributes)
+ + (sizeof(struct mag_na_map) * 16);
+ } else if (cfg->name_attributes->map_count % 16 == 0) {
+ size = sizeof(struct mag_name_attributes)
+ + (sizeof(struct mag_na_map)
+ * (cfg->name_attributes->map_count + 16));
+ }
+ if (size) {
+ tmp_na = realloc(cfg->name_attributes, size);
+ if (!tmp_na) apr_pool_abort_get(cfg->pool)(ENOMEM);
+
+ if (cfg->name_attributes) {
+ size_t empty = (sizeof(struct mag_na_map) * 16);
+ memset(tmp_na + size - empty, 0, empty);
+ } else {
+ memset(tmp_na, 0, size);
+ }
+ cfg->name_attributes = (struct mag_name_attributes *)tmp_na;
+ apr_pool_userdata_setn(cfg, GSS_NAME_ATTR_USERDATA,
+ mag_name_attrs_cleanup, cfg->pool);
+ }
+
+ p = strchr(w, ' ');
+ if (p == NULL) {
+ if (strcmp(w, "json") == 0) {
+ cfg->name_attributes->output_json = true;
+ } else {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
+ "Invalid Name Attributes value [%s].", w);
+ }
+ return NULL;
+ }
+
+ c = cfg->name_attributes->map_count;
+ cfg->name_attributes->map[c].env_name = apr_pstrndup(cfg->pool, w, p-w);
+ p++;
+ cfg->name_attributes->map[c].attr_name = apr_pstrdup(cfg->pool, p);
+ cfg->name_attributes->map_count += 1;
+
+ return NULL;
+}
+
#ifdef HAVE_GSS_ACQUIRE_CRED_WITH_PASSWORD
static const char *mag_basic_auth_mechs(cmd_parms *parms, void *mconfig,
const char *w)
#endif
AP_INIT_ITERATE("GssapiAllowedMech", mag_allow_mech, NULL, OR_AUTHCFG,
"Allowed Mechanisms"),
+ AP_INIT_FLAG("GssapiNegotiateOnce", mag_negotiate_once, NULL, OR_AUTHCFG,
+ "Don't resend negotiate header on negotiate failure"),
+ AP_INIT_RAW_ARGS("GssapiNameAttributes", mag_name_attrs, NULL, OR_AUTHCFG,
+ "Name Attributes to be exported as environ variables"),
{ NULL }
};
projects / mod_auth_gssapi.git / blobdiff