X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_gssapi.git;a=blobdiff_plain;f=src%2Fmod_auth_gssapi.c;h=8a8774592a45b9a83227dd4b5391c2e617a42117;hp=3c578de7c89f2f1b3bd58fec65b99784f20eb17a;hb=a0cfc1b357998166773d3da36c1fe98ad0ea7d94;hpb=79cb8bb8418cca0c408db3c79d78fa23d5e18564 diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index 3c578de..8a87745 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -336,6 +336,50 @@ static void mag_set_req_data(request_rec *req, } } +gss_OID_set mag_filter_unwanted_mechs(gss_OID_set src) +{ + gss_const_OID unwanted_mechs[] = { + &gss_mech_spnego, + gss_mech_krb5_old, + gss_mech_krb5_wrong, + gss_mech_iakerb, + GSS_C_NO_OID + }; + gss_OID_set dst; + uint32_t maj, min; + int present = 0; + + for (int i = 0; unwanted_mechs[i] != GSS_C_NO_OID; i++) { + maj = gss_test_oid_set_member(&min, + discard_const(unwanted_mechs[i]), + src, &present); + if (present) break; + } + if (present) { + maj = gss_create_empty_oid_set(&min, &dst); + if (maj != GSS_S_COMPLETE) { + return GSS_C_NO_OID_SET; + } + for (int i = 0; i < src->count; i++) { + present = 0; + for (int j = 0; unwanted_mechs[j] != GSS_C_NO_OID; j++) { + if (gss_oid_equal(&src->elements[i], unwanted_mechs[j])) { + present = 1; + break; + } + } + if (present) continue; + maj = gss_add_oid_set_member(&min, &src->elements[i], &dst); + if (maj != GSS_S_COMPLETE) { + gss_release_oid_set(&min, &dst); + return GSS_C_NO_OID_SET; + } + } + return dst; + } + return src; +} + static bool mag_auth_basic(request_rec *req, struct mag_config *cfg, gss_buffer_desc ba_user, @@ -358,48 +402,114 @@ static bool mag_auth_basic(request_rec *req, gss_name_t server = GSS_C_NO_NAME; gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL; gss_ctx_id_t server_ctx = GSS_C_NO_CONTEXT; + gss_cred_id_t acquired_cred = GSS_C_NO_CREDENTIAL; gss_buffer_desc input = GSS_C_EMPTY_BUFFER; gss_buffer_desc output = GSS_C_EMPTY_BUFFER; - gss_OID_set allowed_mechs = GSS_C_NO_OID_SET; - gss_OID_set_desc all_mechs_desc; + gss_OID_set indicated_mechs = GSS_C_NO_OID_SET; + gss_OID_set allowed_mechs; + gss_OID_set filtered_mechs; gss_OID_set actual_mechs = GSS_C_NO_OID_SET; uint32_t init_flags = 0; uint32_t maj, min; + int present = 0; bool ret = false; -#ifdef HAVE_GSS_KRB5_CCACHE_NAME - rs = apr_generate_random_bytes((unsigned char *)(&rndname), - sizeof(long long unsigned int)); - if (rs != APR_SUCCESS) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, - "Failed to generate random ccache name"); - goto done; - } - user_ccache = apr_psprintf(req->pool, "MEMORY:user_%qu", rndname); - maj = gss_krb5_ccache_name(&min, user_ccache, &orig_ccache); + maj = gss_import_name(&min, &ba_user, GSS_C_NT_USER_NAME, &user); if (GSS_ERROR(maj)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "In Basic Auth, %s", - mag_error(req, "gss_krb5_ccache_name() " - "failed", maj, min)); + mag_error(req, "gss_import_name() failed", + maj, min)); goto done; } -#endif - maj = gss_import_name(&min, &ba_user, GSS_C_NT_USER_NAME, &user); + if (cfg->basic_mechs) { + allowed_mechs = cfg->basic_mechs; + } else if (cfg->allowed_mechs) { + allowed_mechs = cfg->allowed_mechs; + } else { + /* Try to fetch the default set if not explicitly configured, + * We need to do this because gss_acquire_cred_with_password() + * is currently limited to acquire creds for a single "default" + * mechanism if no desired mechanisms are passed in. This causes + * authentication to fail for secondary mechanisms as no user + * credentials are generated for those. */ + maj = gss_indicate_mechs(&min, &indicated_mechs); + if (maj != GSS_S_COMPLETE) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, req, "%s", + mag_error(req, "gss_indicate_mechs() failed", + maj, min)); + /* if indicated _mechs failed, set GSS_C_NO_OID_SET. This + * generally causes only the krb5 mechanism to be tried due + * to implementation constraints, but may change in future. */ + allowed_mechs = GSS_C_NO_OID_SET; + } else { + allowed_mechs = indicated_mechs; + } + } + + /* Remove Spnego if present, or we'd repeat failed authentiations + * multiple times, one within Spnego and then again with an explicit + * mechanism. We would normally just force Spnego and use + * gss_set_neg_mechs, but due to the way we source the server name + * and the fact MIT up to 1.14 at least does no handle union names, + * we can't provide spnego with a server name that can be used by + * multiple mechanisms, causing any but the first mechanism to fail. + * Also remove unwanted krb mechs, or AS requests will be repeated + * multiple times uselessly. + */ + filtered_mechs = mag_filter_unwanted_mechs(allowed_mechs); + if (filtered_mechs == GSS_C_NO_OID_SET) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, req, "Fatal " + "failure while filtering mechs, aborting"); + goto done; + } else if (filtered_mechs != allowed_mechs) { + /* if indicated_mechs where sourced then free them here before + * reusing the pointer */ + gss_release_oid_set(&min, &indicated_mechs); + + /* mark the list of mechs needs to be freed */ + indicated_mechs = filtered_mechs; + + /* use the filtered list */ + allowed_mechs = filtered_mechs; + } + +#ifdef HAVE_GSS_KRB5_CCACHE_NAME + /* If we are using the krb5 mechanism make sure to set a per thread + * memory ccache so that there can't be interferences between threads. + * Also make sure we have new cache so no cached results end up being + * used. Some implementations of gss_acquire_cred_with_password() do + * not reacquire creds if cached ones are around, failing to check + * again for the password. */ + maj = gss_test_oid_set_member(&min, discard_const(gss_mech_krb5), + allowed_mechs, &present); if (GSS_ERROR(maj)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "In Basic Auth, %s", - mag_error(req, "gss_import_name() failed", + mag_error(req, "gss_test_oid_set_member() failed", maj, min)); goto done; } - - if (cfg->allowed_mechs && cfg->allowed_mechs->count > 1) { - all_mechs_desc.count = cfg->allowed_mechs->count - 1; - all_mechs_desc.elements = &cfg->allowed_mechs->elements[1]; - allowed_mechs = &all_mechs_desc; + if (present) { + rs = apr_generate_random_bytes((unsigned char *)(&rndname), + sizeof(long long unsigned int)); + if (rs != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, + "Failed to generate random ccache name"); + goto done; + } + user_ccache = apr_psprintf(req->pool, "MEMORY:user_%qu", rndname); + maj = gss_krb5_ccache_name(&min, user_ccache, &orig_ccache); + if (GSS_ERROR(maj)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, + "In Basic Auth, %s", + mag_error(req, "gss_krb5_ccache_name() " + "failed", maj, min)); + goto done; + } } +#endif maj = gss_acquire_cred_with_password(&min, user, &ba_pwd, GSS_C_INDEFINITE, @@ -414,6 +524,22 @@ static bool mag_auth_basic(request_rec *req, goto done; } + /* must acquire creds based on the actual mechs we want to try */ + if (!mag_acquire_creds(req, cfg, actual_mechs, + GSS_C_BOTH, &acquired_cred, NULL)) { + goto done; + } + + if (cred_usage == GSS_C_BOTH) { + /* must acquire with GSS_C_ACCEPT to get the server name */ + if (!mag_acquire_creds(req, cfg, actual_mechs, + GSS_C_ACCEPT, &server_cred, NULL)) { + goto done; + } + } else { + server_cred = acquired_cred; + } + #ifdef HAVE_CRED_STORE if (cfg->deleg_ccache_dir) { /* delegate ourselves credentials so we store them as requested */ @@ -423,8 +549,7 @@ static bool mag_auth_basic(request_rec *req, for (int i = 0; i < actual_mechs->count; i++) { - /* skip spnego if present (it is usually present when - * cfg->allowed_mechs is not set) */ + /* skip spnego if present */ if (gss_oid_equal(&actual_mechs->elements[i], &gss_mech_spnego)) { continue; @@ -434,34 +559,17 @@ static bool mag_auth_basic(request_rec *req, gss_release_buffer(&min, &output); gss_release_buffer(&min, &input); gss_release_name(&min, &server); - gss_release_cred(&min, &server_cred); - - all_mechs_desc.count = 1; - all_mechs_desc.elements = &actual_mechs->elements[i]; - /* must acquire with GSS_C_ACCEPT to get the server name */ - if (!mag_acquire_creds(req, cfg, allowed_mechs, - GSS_C_ACCEPT, &server_cred, NULL)) { - continue; - } - maj = gss_inquire_cred(&min, server_cred, &server, - NULL, NULL, NULL); + maj = gss_inquire_cred_by_mech(&min, server_cred, + &actual_mechs->elements[i], + &server, NULL, NULL, NULL); if (GSS_ERROR(maj)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, - "%s", mag_error(req, "gss_inquired_cred_() " + "%s", mag_error(req, "gss_inquired_cred_by_mech() " "failed", maj, min)); continue; } - if (cred_usage == GSS_C_BOTH) { - /* reacquire server creds in order to allow delegation */ - gss_release_cred(&min, &server_cred); - if (!mag_acquire_creds(req, cfg, allowed_mechs, - GSS_C_BOTH, &server_cred, NULL)) { - continue; - } - } - do { /* output and input are inverted here, this is intentional */ maj = gss_init_sec_context(&min, user_cred, &user_ctx, server, @@ -475,7 +583,7 @@ static bool mag_auth_basic(request_rec *req, break; } gss_release_buffer(&min, &output); - maj = gss_accept_sec_context(&min, &server_ctx, server_cred, + maj = gss_accept_sec_context(&min, &server_ctx, acquired_cred, &input, GSS_C_NO_CHANNEL_BINDINGS, client, mech_type, &output, NULL, vtime, delegated_cred); @@ -498,12 +606,15 @@ done: gss_release_buffer(&min, &output); gss_release_buffer(&min, &input); gss_release_name(&min, &server); - gss_release_cred(&min, &server_cred); + if (server_cred != acquired_cred) + gss_release_cred(&min, &server_cred); gss_delete_sec_context(&min, &server_ctx, GSS_C_NO_BUFFER); + gss_release_cred(&min, &acquired_cred); gss_release_name(&min, &user); gss_release_cred(&min, &user_cred); gss_delete_sec_context(&min, &user_ctx, GSS_C_NO_BUFFER); gss_release_oid_set(&min, &actual_mechs); + gss_release_oid_set(&min, &indicated_mechs); #ifdef HAVE_GSS_KRB5_CCACHE_NAME if (user_ccache != NULL) { maj = gss_krb5_ccache_name(&min, orig_ccache, NULL); @@ -723,6 +834,7 @@ static int mag_auth(request_rec *req) cred_usage = GSS_C_BOTH; } #endif + if (auth_type == AUTH_TYPE_BASIC) { if (mag_auth_basic(req, cfg, ba_user, ba_pwd, cred_usage, &client, &mech_type, @@ -1028,6 +1140,7 @@ static const char *mag_deleg_ccache_dir(cmd_parms *parms, void *mconfig, } #endif +#ifdef HAVE_GSS_ACQUIRE_CRED_WITH_PASSWORD static const char *mag_use_basic_auth(cmd_parms *parms, void *mconfig, int on) { struct mag_config *cfg = (struct mag_config *)mconfig; @@ -1035,49 +1148,102 @@ static const char *mag_use_basic_auth(cmd_parms *parms, void *mconfig, int on) cfg->use_basic_auth = on ? true : false; return NULL; } +#endif -#define MAX_ALLOWED_MECHS 10 - -static const char *mag_allow_mech(cmd_parms *parms, void *mconfig, - const char *w) +static apr_status_t mag_oid_set_destroy(void *ptr) { - struct mag_config *cfg = (struct mag_config *)mconfig; - gss_const_OID oid; - size_t size; + uint32_t min; + gss_OID_set set = (gss_OID_set)ptr; + (void)gss_release_oid_set(&min, &set); + return APR_SUCCESS; +} - if (!cfg->allowed_mechs) { - cfg->allowed_mechs = apr_pcalloc(parms->pool, - sizeof(gss_OID_set_desc)); - size = sizeof(gss_OID) * MAX_ALLOWED_MECHS; - cfg->allowed_mechs->elements = apr_palloc(parms->pool, size); +static void mag_list_of_mechs(cmd_parms *parms, gss_OID_set *oidset, + bool add_spnego, const char *w) +{ + gss_buffer_desc buf = { 0 }; + uint32_t maj, min; + gss_OID_set set; + gss_OID oid; + bool release_oid = false; - cfg->allowed_mechs->elements[0] = gss_mech_spnego; - cfg->allowed_mechs->count++; + if (NULL == *oidset) { + maj = gss_create_empty_oid_set(&min, &set); + if (maj != GSS_S_COMPLETE) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, + "gss_create_empty_oid_set() failed."); + *oidset = GSS_C_NO_OID_SET; + return; + } + if (add_spnego) { + oid = discard_const(&gss_mech_spnego); + maj = gss_add_oid_set_member(&min, oid, &set); + if (maj != GSS_S_COMPLETE) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, + "gss_add_oid_set_member() failed."); + (void)gss_release_oid_set(&min, &set); + *oidset = GSS_C_NO_OID_SET; + return; + } + } + /* register in the pool so it can be released once the server + * winds down */ + apr_pool_cleanup_register(parms->pool, (void *)set, + mag_oid_set_destroy, + apr_pool_cleanup_null); + *oidset = set; + } else { + set = *oidset; } if (strcmp(w, "krb5") == 0) { - oid = gss_mech_krb5; + oid = discard_const(gss_mech_krb5); } else if (strcmp(w, "iakerb") == 0) { - oid = gss_mech_iakerb; + oid = discard_const(gss_mech_iakerb); } else if (strcmp(w, "ntlmssp") == 0) { - oid = &gss_mech_ntlmssp; + oid = discard_const(&gss_mech_ntlmssp); } else { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, - "Unrecognized GSSAPI Mechanism: %s", w); - return NULL; + buf.value = discard_const(w); + buf.length = strlen(w); + maj = gss_str_to_oid(&min, &buf, &oid); + if (maj != GSS_S_COMPLETE) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, + "Unrecognized GSSAPI Mechanism: [%s]", w); + return; + } + release_oid = true; } - - if (cfg->allowed_mechs->count >= MAX_ALLOWED_MECHS) { + maj = gss_add_oid_set_member(&min, oid, &set); + if (maj != GSS_S_COMPLETE) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, - "Too many GssapiAllowedMech options (MAX: %d)", - MAX_ALLOWED_MECHS); - return NULL; + "gss_add_oid_set_member() failed for [%s].", w); } - cfg->allowed_mechs->elements[cfg->allowed_mechs->count] = *oid; - cfg->allowed_mechs->count++; + if (release_oid) { + (void)gss_release_oid(&min, &oid); + } +} + +static const char *mag_allow_mech(cmd_parms *parms, void *mconfig, + const char *w) +{ + struct mag_config *cfg = (struct mag_config *)mconfig; + + mag_list_of_mechs(parms, &cfg->allowed_mechs, true, w); + + return NULL; +} + +#ifdef HAVE_GSS_ACQUIRE_CRED_WITH_PASSWORD +static const char *mag_basic_auth_mechs(cmd_parms *parms, void *mconfig, + const char *w) +{ + struct mag_config *cfg = (struct mag_config *)mconfig; + + mag_list_of_mechs(parms, &cfg->basic_mechs, false, w); return NULL; } +#endif static const command_rec mag_commands[] = { AP_INIT_FLAG("GssapiSSLonly", mag_ssl_only, NULL, OR_AUTHCFG, @@ -1103,6 +1269,8 @@ static const command_rec mag_commands[] = { #ifdef HAVE_GSS_ACQUIRE_CRED_WITH_PASSWORD AP_INIT_FLAG("GssapiBasicAuth", mag_use_basic_auth, NULL, OR_AUTHCFG, "Allows use of Basic Auth for authentication"), + AP_INIT_ITERATE("GssapiBasicAuthMech", mag_basic_auth_mechs, NULL, + OR_AUTHCFG, "Mechanisms to use for basic auth"), #endif AP_INIT_ITERATE("GssapiAllowedMech", mag_allow_mech, NULL, OR_AUTHCFG, "Allowed Mechanisms"),