X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_gssapi.git;a=blobdiff_plain;f=src%2Fmod_auth_gssapi.c;h=6057a44f4540fe63d663f882681822e0dc9e8467;hp=6cb8d3a532370212f8fc2e708b066511575fbd7e;hb=4d75af14e3f703ec0cfeeb4ffb998619449c859a;hpb=46c0a47fc6b8c97733dbd687b335784db758e8ea diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index 6cb8d3a..6057a44 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -28,13 +28,21 @@ const gss_OID_desc gss_mech_spnego = { 6, "\x2b\x06\x01\x05\x05\x02" }; -const gss_OID_desc gss_mech_ntlmssp = { +#ifdef HAVE_GSSAPI_GSSAPI_NTLMSSP_H +const gss_OID_desc gss_mech_ntlmssp_desc = { GSS_NTLMSSP_OID_LENGTH, GSS_NTLMSSP_OID_STRING }; +gss_const_OID gss_mech_ntlmssp = &gss_mech_ntlmssp_desc; -const gss_OID_set_desc gss_mech_set_ntlmssp = { - 1, discard_const(&gss_mech_ntlmssp) +const gss_OID_set_desc gss_mech_set_ntlmssp_desc = { + 1, discard_const(&gss_mech_ntlmssp_desc) }; +gss_const_OID_set gss_mech_set_ntlmssp = &gss_mech_set_ntlmssp_desc; + +#else +gss_OID gss_mech_ntlmssp = GSS_C_NO_OID; +gss_OID_set gss_mech_set_ntlmssp = GSS_C_NO_OID_SET; +#endif #define MOD_AUTH_GSSAPI_VERSION PACKAGE_NAME "/" PACKAGE_VERSION @@ -292,12 +300,18 @@ static bool parse_auth_header(apr_pool_t *pool, const char **auth_header, return true; } -static bool is_mech_allowed(struct mag_config *cfg, gss_const_OID mech) +static bool is_mech_allowed(gss_OID_set allowed_mechs, gss_const_OID mech, + bool multi_step_supported) { - if (cfg->allowed_mechs == GSS_C_NO_OID_SET) return true; + if (mech == GSS_C_NO_OID) return false; + + if (!multi_step_supported && gss_oid_equal(gss_mech_ntlmssp, mech)) + return false; + + if (allowed_mechs == GSS_C_NO_OID_SET) return true; - for (int i = 0; i < cfg->allowed_mechs->count; i++) { - if (gss_oid_equal(&cfg->allowed_mechs->elements[i], mech)) { + for (int i = 0; i < allowed_mechs->count; i++) { + if (gss_oid_equal(&allowed_mechs->elements[i], mech)) { return true; } } @@ -615,11 +629,63 @@ done: return ret; } +struct mag_req_cfg *mag_init_cfg(request_rec *req) +{ + struct mag_server_config *scfg; + struct mag_req_cfg *req_cfg = apr_pcalloc(req->pool, + sizeof(struct mag_req_cfg)); + req_cfg->req = req; + req_cfg->cfg = ap_get_module_config(req->per_dir_config, + &auth_gssapi_module); + + scfg = ap_get_module_config(req->server->module_config, + &auth_gssapi_module); + + if (req_cfg->cfg->allowed_mechs) { + req_cfg->desired_mechs = req_cfg->cfg->allowed_mechs; + } else { + /* Use the default set if not explicitly configured */ + req_cfg->desired_mechs = scfg->default_mechs; + } + + if (!req_cfg->cfg->mag_skey) { + req_cfg->mag_skey = req_cfg->cfg->mag_skey; + } else { + /* Use server random key if not explicitly configured */ + req_cfg->mag_skey = scfg->mag_skey; + } + + if (req->proxyreq == PROXYREQ_PROXY) { + req_cfg->req_proto = "Proxy-Authorization"; + req_cfg->rep_proto = "Proxy-Authenticate"; + } else { + req_cfg->req_proto = "Authorization"; + req_cfg->rep_proto = "WWW-Authenticate"; + req_cfg->use_sessions = req_cfg->cfg->use_sessions; + req_cfg->send_persist = req_cfg->cfg->send_persist; + } + + return req_cfg; +} + +static bool use_s4u2proxy(struct mag_req_cfg *req_cfg) { + if (req_cfg->cfg->use_s4u2proxy) { + if (req_cfg->cfg->deleg_ccache_dir != NULL) { + return true; + } else { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req_cfg->req, + "S4U2 Proxy requested but GssapiDelegCcacheDir " + "is not set. Constrained delegation disabled!"); + } + } + return false; +} static int mag_auth(request_rec *req) { const char *type; int auth_type = -1; + struct mag_req_cfg *req_cfg; struct mag_config *cfg; const char *auth_header; char *auth_header_type; @@ -652,17 +718,11 @@ static int mag_auth(request_rec *req) return DECLINED; } - cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module); + req_cfg = mag_init_cfg(req); - if (cfg->allowed_mechs) { - desired_mechs = cfg->allowed_mechs; - } else { - struct mag_server_config *scfg; - /* Try to fetch the default set if not explicitly configured */ - scfg = ap_get_module_config(req->server->module_config, - &auth_gssapi_module); - desired_mechs = scfg->default_mechs; - } + cfg = req_cfg->cfg; + + desired_mechs = req_cfg->desired_mechs; /* implicit auth for subrequests if main auth already happened */ if (!ap_is_initial_req(req) && req->main != NULL) { @@ -714,11 +774,11 @@ static int mag_auth(request_rec *req) } /* if available, session always supersedes connection bound data */ - if (cfg->use_sessions) { - mag_check_session(req, cfg, &mc); + if (req_cfg->use_sessions) { + mag_check_session(req_cfg, &mc); } - auth_header = apr_table_get(req->headers_in, "Authorization"); + auth_header = apr_table_get(req->headers_in, req_cfg->req_proto); if (mc) { if (mc->established && @@ -764,6 +824,7 @@ static int mag_auth(request_rec *req) ba_user.value = ap_getword_nulls_nc(req->pool, (char **)&ba_pwd.value, ':'); if (!ba_user.value) goto done; + if (((char *)ba_user.value)[0] == '\0' || ((char *)ba_pwd.value)[0] == '\0') { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, @@ -774,7 +835,7 @@ static int mag_auth(request_rec *req) ba_pwd.length = strlen(ba_pwd.value); if (mc && mc->established && - mag_basic_check(cfg, mc, ba_user, ba_pwd)) { + mag_basic_check(req_cfg, mc, ba_user, ba_pwd)) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, "Already established BASIC AUTH context found!"); mag_set_req_data(req, cfg, mc); @@ -785,7 +846,8 @@ static int mag_auth(request_rec *req) break; case AUTH_TYPE_RAW_NTLM: - if (!is_mech_allowed(cfg, &gss_mech_ntlmssp)) { + if (!is_mech_allowed(desired_mechs, gss_mech_ntlmssp, + cfg->gss_conn_ctx)) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, "NTLM Authentication is not allowed!"); goto done; @@ -795,7 +857,7 @@ static int mag_auth(request_rec *req) goto done; } - desired_mechs = discard_const(&gss_mech_set_ntlmssp); + desired_mechs = discard_const(gss_mech_set_ntlmssp); break; default: @@ -812,7 +874,7 @@ static int mag_auth(request_rec *req) req->ap_auth_type = apr_pstrdup(req->pool, auth_types[auth_type]); #ifdef HAVE_CRED_STORE - if (cfg->use_s4u2proxy) { + if (use_s4u2proxy(req_cfg)) { cred_usage = GSS_C_BOTH; } #endif @@ -918,20 +980,21 @@ complete: mc->expiration = expiration; mc->auth_type = auth_type; if (auth_type == AUTH_TYPE_BASIC) { - mag_basic_cache(cfg, mc, ba_user, ba_pwd); + mag_basic_cache(req_cfg, mc, ba_user, ba_pwd); } - if (cfg->use_sessions) { - mag_attempt_session(req, cfg, mc); + if (req_cfg->use_sessions) { + mag_attempt_session(req_cfg, mc); } } - if (cfg->send_persist) + if (req_cfg->send_persist) apr_table_set(req->headers_out, "Persistent-Auth", cfg->gss_conn_ctx ? "true" : "false"); ret = OK; done: + if ((auth_type != AUTH_TYPE_BASIC) && (output.length != 0)) { int prefixlen = strlen(auth_types[auth_type]) + 1; replen = apr_base64_encode_len(output.length) + 1; @@ -940,17 +1003,17 @@ done: memcpy(reply, auth_types[auth_type], prefixlen - 1); reply[prefixlen - 1] = ' '; apr_base64_encode(&reply[prefixlen], output.value, output.length); - apr_table_add(req->err_headers_out, - "WWW-Authenticate", reply); + apr_table_add(req->err_headers_out, req_cfg->rep_proto, reply); } } else if (ret == HTTP_UNAUTHORIZED) { - apr_table_add(req->err_headers_out, "WWW-Authenticate", "Negotiate"); - if (is_mech_allowed(cfg, &gss_mech_ntlmssp)) { - apr_table_add(req->err_headers_out, "WWW-Authenticate", "NTLM"); + apr_table_add(req->err_headers_out, req_cfg->rep_proto, "Negotiate"); + + if (is_mech_allowed(desired_mechs, gss_mech_ntlmssp, + cfg->gss_conn_ctx)) { + apr_table_add(req->err_headers_out, req_cfg->rep_proto, "NTLM"); } if (cfg->use_basic_auth) { - apr_table_add(req->err_headers_out, - "WWW-Authenticate", + apr_table_add(req->err_headers_out, req_cfg->rep_proto, apr_psprintf(req->pool, "Basic realm=\"%s\"", ap_auth_name(req))); } @@ -1019,9 +1082,6 @@ static const char *mag_use_s4u2p(cmd_parms *parms, void *mconfig, int on) struct mag_config *cfg = (struct mag_config *)mconfig; cfg->use_s4u2proxy = on ? true : false; - if (cfg->deleg_ccache_dir == NULL) { - cfg->deleg_ccache_dir = apr_pstrdup(parms->pool, "/tmp"); - } return NULL; } #endif @@ -1183,7 +1243,7 @@ static bool mag_list_of_mechs(cmd_parms *parms, gss_OID_set *oidset, } else if (strcmp(w, "iakerb") == 0) { oid = discard_const(gss_mech_iakerb); } else if (strcmp(w, "ntlmssp") == 0) { - oid = discard_const(&gss_mech_ntlmssp); + oid = discard_const(gss_mech_ntlmssp); } else { buf.value = discard_const(w); buf.length = strlen(w); @@ -1235,6 +1295,7 @@ static void *mag_create_server_config(apr_pool_t *p, server_rec *s) { struct mag_server_config *scfg; uint32_t maj, min; + apr_status_t rc; scfg = apr_pcalloc(p, sizeof(struct mag_server_config)); @@ -1248,6 +1309,12 @@ static void *mag_create_server_config(apr_pool_t *p, server_rec *s) mag_oid_set_destroy, apr_pool_cleanup_null); } + rc = SEAL_KEY_CREATE(p, &scfg->mag_skey, NULL); + if (rc != OK) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "Failed to generate random sealing key!"); + } + return scfg; }