X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_gssapi.git;a=blobdiff_plain;f=src%2Fmod_auth_gssapi.c;h=48300e93467fd8bccfc1412e6d4fc156590b2022;hp=c7881bf9e149bb190ad73741250d94541abfd0e8;hb=fafb5384785c76c1f96cc689677574cfe459f3b6;hpb=286e3dac69c3d4b32db93de1f9937f434383588f
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index c7881bf..48300e9 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -239,19 +239,46 @@ static int mag_auth(request_rec *req) const char *user_ccache = NULL; const char *orig_ccache = NULL; #endif + uint32_t init_flags = 0; + time_t expiration; type = ap_auth_type(req); if ((type == NULL) || (strcasecmp(type, "GSSAPI") != 0)) { return DECLINED; } - /* ignore auth for subrequests */ + cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module); + + /* implicit auth for subrequests if main auth already happened */ if (!ap_is_initial_req(req)) { - return OK; + type = ap_auth_type(req->main); + if ((type != NULL) && (strcasecmp(type, "GSSAPI") == 0)) { + /* warn if the subrequest location and the main request + * location have different configs */ + if (cfg != ap_get_module_config(req->main->per_dir_config, + &auth_gssapi_module)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING||APLOG_NOERRNO, 0, + req, "Subrequest authentication bypass on " + "location with different configuration!"); + } + if (req->main->user) { + req->user = apr_pstrdup(req->pool, req->main->user); + return OK; + } else { + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + "The main request is tasked to establish the " + "security context, can't proceed!"); + return HTTP_UNAUTHORIZED; + } + } else { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req, + "Subrequest GSSAPI auth with no auth on the main " + "request. This operation may fail if other " + "subrequests already established a context or the " + "mechanism requires multiple roundtrips."); + } } - cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module); - if (cfg->ssl_only) { if (!mag_conn_is_https(req->connection)) { ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, 
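Review bot: `APLOG_WARNING||APLOG_NOERRNO` in the differing-config branch is a logical OR, so the level argument evaluates to 1 (APLOG_ALERT) instead of the intended warning level; it should read `APLOG_WARNING|APLOG_NOERRNO` like the other ap_log_rerror calls in this hunk. Separately, when the subrequest's per-directory config differs from the main request's, the code logs the bypass and still copies the main request's user onto the subrequest; if the subrequest location can carry stricter requirements, consider failing closed there with `return HTTP_UNAUTHORIZED;` rather than only warning. mag_auth's body continues outside the hunk.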
@@ -286,6 +313,9 @@ static int mag_auth(request_rec *req) ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req, "Already established context found!"); apr_table_set(req->subprocess_env, "GSS_NAME", mc->gss_name); + apr_table_set(req->subprocess_env, "GSS_SESSION_EXPIRATION", + apr_psprintf(req->pool, + "%ld", (long)mc->expiration)); req->ap_auth_type = apr_pstrdup(req->pool, mc->auth_type); req->user = apr_pstrdup(req->pool, mc->user_name); ret = OK;
@@ -420,9 +450,15 @@ static int mag_auth(request_rec *req) "failed", maj, min)); goto done; } + + if (cfg->deleg_ccache_dir) { + /* delegate ourselves credentials so we store them as requested */ + init_flags |= GSS_C_DELEG_FLAG; + } + /* output and input are inverted here, this is intentional */ maj = gss_init_sec_context(&min, user_cred, &user_ctx, server, - GSS_C_NO_OID, 0, 300, + GSS_C_NO_OID, init_flags, 300, GSS_C_NO_CHANNEL_BINDINGS, &output, NULL, &input, NULL, NULL); if (GSS_ERROR(maj)) {
@@ -448,7 +484,7 @@ static int mag_auth(request_rec *req) gss_release_buffer(&min, &input); /* output and input are inverted here, this is intentional */ maj = gss_init_sec_context(&min, user_cred, &user_ctx, server, - GSS_C_NO_OID, 0, 300, + GSS_C_NO_OID, init_flags, 300, GSS_C_NO_CHANNEL_BINDINGS, &output, NULL, &input, NULL, NULL); if (GSS_ERROR(maj)) {
@@ -493,6 +529,9 @@ static int mag_auth(request_rec *req) } clientname = apr_pstrndup(req->pool, name.value, name.length); apr_table_set(req->subprocess_env, "GSS_NAME", clientname); + expiration = time(NULL) + vtime; + apr_table_set(req->subprocess_env, "GSS_SESSION_EXPIRATION", + apr_psprintf(req->pool, "%ld", (long)expiration)); #ifdef HAVE_GSS_STORE_CRED_INTO if (cfg->deleg_ccache_dir && delegated_cred != GSS_C_NO_CREDENTIAL) {
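Review bot: GSS_C_DELEG_FLAG is requested whenever `cfg->deleg_ccache_dir` is set (hunk at -420, reused by the hunk at -448), but the hunk at -493 only stores the delegated credential under `#ifdef HAVE_GSS_STORE_CRED_INTO`; on a build without that symbol the basic-auth path would hand delegated credentials to the acceptor that are then never stored or used. Guard the request the same way, wrapping the `init_flags |= GSS_C_DELEG_FLAG;` block in `#ifdef HAVE_GSS_STORE_CRED_INTO`, or make the directive unavailable without it. Whether deleg_ccache_dir can be configured without HAVE_GSS_STORE_CRED_INTO is not visible in this diff.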
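Review bot: `expiration = time(NULL) + vtime;` in the hunk at -493 is computed before the clamp that the hunk at -526 keeps (`if (vtime == GSS_C_INDEFINITE || vtime < MIN_SESS_EXP_TIME) vtime = MIN_SESS_EXP_TIME;`), and that hunk then stores the unclamped value with `mc->expiration = expiration;`. Before this change mc->expiration was derived from the clamped vtime; now a GSS_C_INDEFINITE lifetime (all bits set) is added to time(NULL) directly, giving a far-future cached-context expiry that also overflows a 32-bit time_t, and the minimum-lifetime floor no longer applies to either mc->expiration or the GSS_SESSION_EXPIRATION variable. Either perform the clamp before this assignment or recompute after it, e.g. restore `mc->expiration = time(NULL) + vtime;` at -526 and derive the environment variable from that value.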
@@ -526,7 +565,7 @@ static int mag_auth(request_rec *req) if (vtime == GSS_C_INDEFINITE || vtime < MIN_SESS_EXP_TIME) { vtime = MIN_SESS_EXP_TIME; } - mc->expiration = time(NULL) + vtime; + mc->expiration = expiration; if (cfg->use_sessions) { mag_attempt_session(req, cfg, mc); }
@@ -536,25 +575,23 @@ static int mag_auth(request_rec *req) ret = OK; done: - if (ret == HTTP_UNAUTHORIZED) { - if (output.length != 0) { - replen = apr_base64_encode_len(output.length) + 1; - reply = apr_pcalloc(req->pool, 10 + replen); - if (reply) { - memcpy(reply, "Negotiate ", 10); - apr_base64_encode(&reply[10], output.value, output.length); - apr_table_add(req->err_headers_out, - "WWW-Authenticate", reply); - } - } else { + if ((!is_basic) && (output.length != 0)) { + replen = apr_base64_encode_len(output.length) + 1; + reply = apr_pcalloc(req->pool, 10 + replen); + if (reply) { + memcpy(reply, "Negotiate ", 10); + apr_base64_encode(&reply[10], output.value, output.length); apr_table_add(req->err_headers_out, - "WWW-Authenticate", "Negotiate"); - if (cfg->use_basic_auth) { - apr_table_add(req->err_headers_out, - "WWW-Authenticate", - apr_psprintf(req->pool, "Basic realm=\"%s\"", - ap_auth_name(req))); - } + "WWW-Authenticate", reply); + } + } else if (ret == HTTP_UNAUTHORIZED) { + apr_table_add(req->err_headers_out, + "WWW-Authenticate", "Negotiate"); + if (cfg->use_basic_auth) { + apr_table_add(req->err_headers_out, + "WWW-Authenticate", + apr_psprintf(req->pool, "Basic realm=\"%s\"", + ap_auth_name(req))); } } #ifdef HAVE_GSS_KRB5_CCACHE_NAME
@@ -638,7 +675,7 @@ static const char *mag_use_s4u2p(cmd_parms *parms, void *mconfig, int on) static const char *mag_sess_key(cmd_parms *parms, void *mconfig, const char *w) { struct mag_config *cfg = (struct mag_config *)mconfig; - struct databuf key; + struct databuf keys; unsigned char *val; apr_status_t rc; const char *k;
@@ -659,16 +696,16 @@ static const char *mag_sess_key(cmd_parms *parms, void *mconfig, const char *w) return NULL; } - key.length = (int)apr_base64_decode_binary(val, k); - key.value = (unsigned char *)val; + keys.length = (int)apr_base64_decode_binary(val, k); + keys.value = (unsigned char *)val; - if (key.length < 32) { + if (keys.length != 32) { ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, - "Invalid key length, expected >=32 got %d", key.length); + "Invalid key lenght, expected 32 got %d", keys.length); return NULL; } - rc = SEAL_KEY_CREATE(cfg->pool, &cfg->mag_skey, &key); + rc = SEAL_KEY_CREATE(cfg->pool, &cfg->mag_skey, &keys); if (rc != OK) { ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, "Failed to import sealing key!");
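Review bot: The new error message has a typo, `"Invalid key lenght, expected 32 got %d"` should read `"Invalid key length, expected 32 got %d"`. Tightening the check from `< 32` to `!= 32` is the right call if SEAL_KEY_CREATE consumes exactly 32 bytes, but a configuration whose key decoded to more than 32 bytes and previously loaded will now be rejected at startup, so the directive's documentation should state the exact expected size. After SEAL_KEY_CREATE returns, `val` still holds the decoded key bytes; if it is pool memory it lives until the pool is destroyed, so wiping it explicitly once the key has been imported is worth considering (its allocation is outside this hunk).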