return false;
}
+static char *escape(apr_pool_t *pool, const char *name,
+ char find, const char *replace)
+{
+ char *escaped = NULL;
+ char *namecopy;
+ char *n;
+ char *p;
+
+ namecopy = apr_pstrdup(pool, name);
+ if (!namecopy) goto done;
+
+ p = strchr(namecopy, find);
+ if (!p) return namecopy;
+
+ /* first segment */
+ n = namecopy;
+ while (p) {
+ /* terminate previous segment */
+ *p = '\0';
+ if (escaped) {
+ escaped = apr_pstrcat(pool, escaped, n, replace, NULL);
+ } else {
+ escaped = apr_pstrcat(pool, n, replace, NULL);
+ }
+ if (!escaped) goto done;
+ /* move to next segment */
+ n = p + 1;
+ p = strchr(n, find);
+ }
+ /* append last segment if any */
+ if (*n) {
+ escaped = apr_pstrcat(pool, escaped, n, NULL);
+ }
+
+done:
+ if (!escaped) {
+ ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL,
+ "OOM escaping name");
+ }
+ return escaped;
+}
+
static void mag_store_deleg_creds(request_rec *req,
char *dir, char *clientname,
gss_cred_id_t delegated_cred,
gss_key_value_set_desc store;
char *value;
uint32_t maj, min;
-
- value = apr_psprintf(req->pool, "FILE:%s/%s", dir, clientname);
+ char *escaped;
+
+ /* We need to escape away '/', we can't have path separators in
+ * a ccache file name */
+ /* first double escape the esacping char (~) if any */
+ escaped = escape(req->pool, clientname, '~', "~~");
+ if (!escaped) return;
+ /* then escape away the separator (/) if any */
+ escaped = escape(req->pool, escaped, '/', "~");
+ if (!escaped) return;
+
+ value = apr_psprintf(req->pool, "FILE:%s/%s", dir, escaped);
if (!value) {
ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL,
"OOM storing delegated credentials");
return DECLINED;
}
- /* ignore auth for subrequests */
+ cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
+
+ /* implicit auth for subrequests if main auth already happened */
if (!ap_is_initial_req(req)) {
- return OK;
+ type = ap_auth_type(req->main);
+ if ((type != NULL) && (strcasecmp(type, "GSSAPI") == 0)) {
+ /* warn if the subrequest location and the main request
+ * location have different configs */
+ if (cfg != ap_get_module_config(req->main->per_dir_config,
+ &auth_gssapi_module)) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING||APLOG_NOERRNO, 0,
+ req, "Subrequest authentication bypass on "
+ "location with different configuration!");
+ }
+ if (req->main->user) {
+ req->user = apr_pstrdup(req->pool, req->main->user);
+ return OK;
+ } else {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
+ "The main request is tasked to establish the "
+ "security context, can't proceed!");
+ return HTTP_UNAUTHORIZED;
+ }
+ } else {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req,
+ "Subrequest GSSAPI auth with no auth on the main "
+ "request. This operation may fail if other "
+ "subrequests already established a context or the "
+ "mechanism requires multiple roundtrips.");
+ }
}
- cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
-
if (cfg->ssl_only) {
if (!mag_conn_is_https(req->connection)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
static const char *mag_sess_key(cmd_parms *parms, void *mconfig, const char *w)
{
struct mag_config *cfg = (struct mag_config *)mconfig;
- struct databuf keys;
+ struct databuf key;
unsigned char *val;
apr_status_t rc;
const char *k;
return NULL;
}
- keys.length = (int)apr_base64_decode_binary(val, k);
- keys.value = (unsigned char *)val;
+ key.length = (int)apr_base64_decode_binary(val, k);
+ key.value = (unsigned char *)val;
- if (keys.length != 32) {
+ if (key.length < 32) {
ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server,
- "Invalid key lenght, expected 32 got %d", keys.length);
+ "Invalid key length, expected >=32 got %d", key.length);
return NULL;
}
- rc = SEAL_KEY_CREATE(cfg->pool, &cfg->mag_skey, &keys);
+ rc = SEAL_KEY_CREATE(cfg->pool, &cfg->mag_skey, &key);
if (rc != OK) {
ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server,
"Failed to import sealing key!");
projects / mod_auth_gssapi.git / blobdiff