X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_gssapi.git;a=blobdiff_plain;f=src%2Fmod_auth_gssapi.c;h=97e365cb9ed6e0185b75b83244ff2d63f567a913;hp=42284f94b6c57bb49929cfb9a2bdba75d255309c;hb=5571d79a78a1360f2a56b22c6bf59640cf2c88e8;hpb=472d605d916f7ad63cd8bbffa100997eca700da4 diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index 42284f9..97e365c 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -80,8 +80,7 @@ static char *mag_status(request_rec *req, int type, uint32_t err) return msg_ret; } -static char *mag_error(request_rec *req, const char *msg, - uint32_t maj, uint32_t min) +char *mag_error(request_rec *req, const char *msg, uint32_t maj, uint32_t min) { char *msg_maj; char *msg_min; @@ -363,7 +362,6 @@ static bool mag_auth_basic(request_rec *req, struct mag_config *cfg, gss_buffer_desc ba_user, gss_buffer_desc ba_pwd, - gss_cred_usage_t cred_usage, gss_name_t *client, gss_OID *mech_type, gss_cred_id_t *delegated_cred, @@ -381,7 +379,6 @@ static bool mag_auth_basic(request_rec *req, gss_name_t server = GSS_C_NO_NAME; gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL; gss_ctx_id_t server_ctx = GSS_C_NO_CONTEXT; - gss_cred_id_t acquired_cred = GSS_C_NO_CREDENTIAL; gss_buffer_desc input = GSS_C_EMPTY_BUFFER; gss_buffer_desc output = GSS_C_EMPTY_BUFFER; gss_OID_set allowed_mechs; @@ -495,20 +492,10 @@ static bool mag_auth_basic(request_rec *req, /* must acquire creds based on the actual mechs we want to try */ if (!mag_acquire_creds(req, cfg, actual_mechs, - cred_usage, &acquired_cred, NULL)) { + GSS_C_ACCEPT, &server_cred, NULL)) { goto done; } - if (cred_usage == GSS_C_BOTH) { - /* must acquire with GSS_C_ACCEPT to get the server name */ - if (!mag_acquire_creds(req, cfg, actual_mechs, - GSS_C_ACCEPT, &server_cred, NULL)) { - goto done; - } - } else { - server_cred = acquired_cred; - } - #ifdef HAVE_CRED_STORE if (cfg->deleg_ccache_dir) { /* delegate ourselves credentials so we store them as requested */ @@ -546,7 +533,7 @@ static bool mag_auth_basic(request_rec *req, break; } gss_release_buffer(&min, &output); - maj = gss_accept_sec_context(&min, &server_ctx, acquired_cred, + maj = gss_accept_sec_context(&min, &server_ctx, server_cred, &input, GSS_C_NO_CHANNEL_BINDINGS, client, mech_type, &output, NULL, vtime, delegated_cred); @@ -569,10 +556,8 @@ done: gss_release_buffer(&min, &output); gss_release_buffer(&min, &input); gss_release_name(&min, &server); - if (server_cred != acquired_cred) - gss_release_cred(&min, &server_cred); gss_delete_sec_context(&min, &server_ctx, GSS_C_NO_BUFFER); - gss_release_cred(&min, &acquired_cred); + gss_release_cred(&min, &server_cred); gss_release_name(&min, &user); gss_release_cred(&min, &user_cred); gss_delete_sec_context(&min, &user_ctx, GSS_C_NO_BUFFER); @@ -631,6 +616,7 @@ struct mag_req_cfg *mag_init_cfg(request_rec *req) return req_cfg; } +#ifdef HAVE_CRED_STORE static bool use_s4u2proxy(struct mag_req_cfg *req_cfg) { if (req_cfg->cfg->use_s4u2proxy) { if (req_cfg->cfg->deleg_ccache_dir != NULL) { @@ -643,6 +629,7 @@ static bool use_s4u2proxy(struct mag_req_cfg *req_cfg) { } return false; } +#endif static int mag_auth(request_rec *req) { @@ -673,6 +660,7 @@ static int mag_auth(request_rec *req) gss_buffer_desc lname = GSS_C_EMPTY_BUFFER; struct mag_conn *mc = NULL; int i; + bool send_auth_header = true; type = ap_auth_type(req); if ((type == NULL) || (strcasecmp(type, "GSSAPI") != 0)) { @@ -764,6 +752,9 @@ static int mag_auth(request_rec *req) auth_header_type = ap_getword_white(req->pool, &auth_header); if (!auth_header_type) goto done; + /* We got auth header, sending auth header would mean re-auth */ + send_auth_header = !cfg->negotiate_once; + for (i = 0; auth_types[i] != NULL; i++) { if (strcasecmp(auth_header_type, auth_types[i]) == 0) { auth_type = i; @@ -844,7 +835,7 @@ static int mag_auth(request_rec *req) if (auth_type == AUTH_TYPE_BASIC) { if (mag_auth_basic(req, cfg, ba_user, ba_pwd, - cred_usage, &client, &mech_type, + &client, &mech_type, &delegated_cred, &vtime)) { goto complete; } @@ -897,12 +888,15 @@ complete: maj, min)); goto done; } + mc->gss_name = apr_pstrndup(req->pool, name.value, name.length); if (vtime == GSS_C_INDEFINITE || vtime < MIN_SESS_EXP_TIME) { vtime = MIN_SESS_EXP_TIME; } mc->expiration = time(NULL) + vtime; + mag_get_name_attributes(req, cfg, client, mc); + #ifdef HAVE_CRED_STORE if (cfg->deleg_ccache_dir && delegated_cred != GSS_C_NO_CREDENTIAL) { mag_store_deleg_creds(req, cfg->deleg_ccache_dir, mc->gss_name, @@ -953,11 +947,14 @@ done: apr_table_add(req->err_headers_out, req_cfg->rep_proto, reply); } } else if (ret == HTTP_UNAUTHORIZED) { - apr_table_add(req->err_headers_out, req_cfg->rep_proto, "Negotiate"); - - if (is_mech_allowed(desired_mechs, gss_mech_ntlmssp, - cfg->gss_conn_ctx)) { - apr_table_add(req->err_headers_out, req_cfg->rep_proto, "NTLM"); + if (send_auth_header) { + apr_table_add(req->err_headers_out, + req_cfg->rep_proto, "Negotiate"); + if (is_mech_allowed(desired_mechs, gss_mech_ntlmssp, + cfg->gss_conn_ctx)) { + apr_table_add(req->err_headers_out, req_cfg->rep_proto, + "NTLM"); + } } if (cfg->use_basic_auth) { apr_table_add(req->err_headers_out, req_cfg->rep_proto, @@ -1225,6 +1222,76 @@ static const char *mag_allow_mech(cmd_parms *parms, void *mconfig, return NULL; } +static const char *mag_negotiate_once(cmd_parms *parms, void *mconfig, int on) +{ + struct mag_config *cfg = (struct mag_config *)mconfig; + + cfg->negotiate_once = on ? true : false; + return NULL; +} + +#define GSS_NAME_ATTR_USERDATA "GSS Name Attributes Userdata" + +static apr_status_t mag_name_attrs_cleanup(void *data) +{ + struct mag_config *cfg = (struct mag_config *)data; + free(cfg->name_attributes); + cfg->name_attributes = NULL; + return 0; +} + +static const char *mag_name_attrs(cmd_parms *parms, void *mconfig, + const char *w) +{ + struct mag_config *cfg = (struct mag_config *)mconfig; + void *tmp_na; + size_t size = 0; + char *p; + int c; + + if (!cfg->name_attributes) { + size = sizeof(struct mag_name_attributes) + + (sizeof(struct mag_na_map) * 16); + } else if (cfg->name_attributes->map_count % 16 == 0) { + size = sizeof(struct mag_name_attributes) + + (sizeof(struct mag_na_map) + * (cfg->name_attributes->map_count + 16)); + } + if (size) { + tmp_na = realloc(cfg->name_attributes, size); + if (!tmp_na) apr_pool_abort_get(cfg->pool)(ENOMEM); + + if (cfg->name_attributes) { + size_t empty = (sizeof(struct mag_na_map) * 16); + memset(tmp_na + size - empty, 0, empty); + } else { + memset(tmp_na, 0, size); + } + cfg->name_attributes = (struct mag_name_attributes *)tmp_na; + apr_pool_userdata_setn(cfg, GSS_NAME_ATTR_USERDATA, + mag_name_attrs_cleanup, cfg->pool); + } + + p = strchr(w, ' '); + if (p == NULL) { + if (strcmp(w, "json") == 0) { + cfg->name_attributes->output_json = true; + } else { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, + "Invalid Name Attributes value [%s].", w); + } + return NULL; + } + + c = cfg->name_attributes->map_count; + cfg->name_attributes->map[c].env_name = apr_pstrndup(cfg->pool, w, p-w); + p++; + cfg->name_attributes->map[c].attr_name = apr_pstrdup(cfg->pool, p); + cfg->name_attributes->map_count += 1; + + return NULL; +} + #ifdef HAVE_GSS_ACQUIRE_CRED_WITH_PASSWORD static const char *mag_basic_auth_mechs(cmd_parms *parms, void *mconfig, const char *w) @@ -1294,6 +1361,10 @@ static const command_rec mag_commands[] = { #endif AP_INIT_ITERATE("GssapiAllowedMech", mag_allow_mech, NULL, OR_AUTHCFG, "Allowed Mechanisms"), + AP_INIT_FLAG("GssapiNegotiateOnce", mag_negotiate_once, NULL, OR_AUTHCFG, + "Don't resend negotiate header on negotiate failure"), + AP_INIT_RAW_ARGS("GssapiNameAttributes", mag_name_attrs, NULL, OR_AUTHCFG, + "Name Attributes to be exported as environ variables"), { NULL } };