X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_gssapi.git;a=blobdiff_plain;f=src%2Fmod_auth_gssapi.c;h=97e365cb9ed6e0185b75b83244ff2d63f567a913;hp=d673912a5ddab16721ea50bcff1936b0a5bd2ec0;hb=5571d79a78a1360f2a56b22c6bf59640cf2c88e8;hpb=c27219caa2d75baf854b1535eb222d679fbe4fcd diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index d673912..97e365c 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -28,13 +28,21 @@ const gss_OID_desc gss_mech_spnego = { 6, "\x2b\x06\x01\x05\x05\x02" }; -const gss_OID_desc gss_mech_ntlmssp = { +#ifdef HAVE_GSSAPI_GSSAPI_NTLMSSP_H +const gss_OID_desc gss_mech_ntlmssp_desc = { GSS_NTLMSSP_OID_LENGTH, GSS_NTLMSSP_OID_STRING }; +gss_const_OID gss_mech_ntlmssp = &gss_mech_ntlmssp_desc; -const gss_OID_set_desc gss_mech_set_ntlmssp = { - 1, discard_const(&gss_mech_ntlmssp) +const gss_OID_set_desc gss_mech_set_ntlmssp_desc = { + 1, discard_const(&gss_mech_ntlmssp_desc) }; +gss_const_OID_set gss_mech_set_ntlmssp = &gss_mech_set_ntlmssp_desc; + +#else +gss_OID gss_mech_ntlmssp = GSS_C_NO_OID; +gss_OID_set gss_mech_set_ntlmssp = GSS_C_NO_OID_SET; +#endif #define MOD_AUTH_GSSAPI_VERSION PACKAGE_NAME "/" PACKAGE_VERSION @@ -72,8 +80,7 @@ static char *mag_status(request_rec *req, int type, uint32_t err) return msg_ret; } -static char *mag_error(request_rec *req, const char *msg, - uint32_t maj, uint32_t min) +char *mag_error(request_rec *req, const char *msg, uint32_t maj, uint32_t min) { char *msg_maj; char *msg_min; @@ -101,6 +108,7 @@ static int mag_pre_connection(conn_rec *c, void *csd) struct mag_conn *mc; mc = mag_new_conn_ctx(c->pool); + mc->is_preserved = true; ap_set_module_config(c->conn_config, &auth_gssapi_module, (void*)mc); return OK; } @@ -126,7 +134,6 @@ struct mag_conn *mag_new_conn_ctx(apr_pool_t *pool) * when the connection/request is terminated */ apr_pool_cleanup_register(mc->pool, (void *)mc, mag_conn_destroy, apr_pool_cleanup_null); - return mc; } @@ -217,8 +224,8 @@ static char *escape(apr_pool_t *pool, const char *name, return escaped; } -static char *mag_gss_name_to_ccache_name(request_rec *req, - char *dir, const char *gss_name) +char *mag_gss_name_to_ccache_name(request_rec *req, + char *dir, const char *gss_name) { char *escaped; @@ -232,27 +239,9 @@ static char *mag_gss_name_to_ccache_name(request_rec *req, return apr_psprintf(req->pool, "%s/%s", dir, escaped); } -static void mag_set_KRB5CCANME(request_rec *req, char *ccname) -{ - apr_status_t status; - apr_finfo_t finfo; - char *value; - - status = apr_stat(&finfo, ccname, APR_FINFO_MIN, req->pool); - if (status != APR_SUCCESS && status != APR_INCOMPLETE) { - /* set the file cache anyway, but warn */ - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, - "KRB5CCNAME file (%s) lookup failed!", ccname); - } - - value = apr_psprintf(req->pool, "FILE:%s", ccname); - apr_table_set(req->subprocess_env, "KRB5CCNAME", value); -} - static void mag_store_deleg_creds(request_rec *req, - char *dir, char *clientname, - gss_cred_id_t delegated_cred, - char **ccachefile) + char *dir, const char *gss_name, + gss_cred_id_t delegated_cred) { gss_key_value_element_desc element; gss_key_value_set_desc store; @@ -262,7 +251,7 @@ static void mag_store_deleg_creds(request_rec *req, store.elements = &element; store.count = 1; - ccname = mag_gss_name_to_ccache_name(req, dir, clientname); + ccname = mag_gss_name_to_ccache_name(req, dir, gss_name); element.value = apr_psprintf(req->pool, "FILE:%s", ccname); maj = gss_store_cred_into(&min, delegated_cred, GSS_C_INITIATE, @@ -272,8 +261,6 @@ static void mag_store_deleg_creds(request_rec *req, mag_error(req, "failed to store delegated creds", maj, min)); } - - *ccachefile = ccname; } #endif @@ -292,12 +279,18 @@ static bool parse_auth_header(apr_pool_t *pool, const char **auth_header, return true; } -static bool is_mech_allowed(struct mag_config *cfg, gss_const_OID mech) +static bool is_mech_allowed(gss_OID_set allowed_mechs, gss_const_OID mech, + bool multi_step_supported) { - if (cfg->allowed_mechs == GSS_C_NO_OID_SET) return true; + if (mech == GSS_C_NO_OID) return false; - for (int i = 0; i < cfg->allowed_mechs->count; i++) { - if (gss_oid_equal(&cfg->allowed_mechs->elements[i], mech)) { + if (!multi_step_supported && gss_oid_equal(gss_mech_ntlmssp, mech)) + return false; + + if (allowed_mechs == GSS_C_NO_OID_SET) return true; + + for (int i = 0; i < allowed_mechs->count; i++) { + if (gss_oid_equal(&allowed_mechs->elements[i], mech)) { return true; } } @@ -314,26 +307,9 @@ const char *auth_types[] = { NULL }; -static void mag_set_req_data(request_rec *req, - struct mag_config *cfg, - struct mag_conn *mc) +const char *mag_str_auth_type(int auth_type) { - apr_table_set(req->subprocess_env, "GSS_NAME", mc->gss_name); - apr_table_set(req->subprocess_env, "GSS_SESSION_EXPIRATION", - apr_psprintf(req->pool, - "%ld", (long)mc->expiration)); - req->ap_auth_type = apr_pstrdup(req->pool, - auth_types[mc->auth_type]); - req->user = apr_pstrdup(req->pool, mc->user_name); - if (cfg->deleg_ccache_dir && mc->delegated) { - char *ccname; - ccname = mag_gss_name_to_ccache_name(req, - cfg->deleg_ccache_dir, - mc->gss_name); - if (ccname) { - mag_set_KRB5CCANME(req, ccname); - } - } + return auth_types[auth_type]; } gss_OID_set mag_filter_unwanted_mechs(gss_OID_set src) @@ -386,7 +362,6 @@ static bool mag_auth_basic(request_rec *req, struct mag_config *cfg, gss_buffer_desc ba_user, gss_buffer_desc ba_pwd, - gss_cred_usage_t cred_usage, gss_name_t *client, gss_OID *mech_type, gss_cred_id_t *delegated_cred, @@ -404,10 +379,8 @@ static bool mag_auth_basic(request_rec *req, gss_name_t server = GSS_C_NO_NAME; gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL; gss_ctx_id_t server_ctx = GSS_C_NO_CONTEXT; - gss_cred_id_t acquired_cred = GSS_C_NO_CREDENTIAL; gss_buffer_desc input = GSS_C_EMPTY_BUFFER; gss_buffer_desc output = GSS_C_EMPTY_BUFFER; - gss_OID_set indicated_mechs = GSS_C_NO_OID_SET; gss_OID_set allowed_mechs; gss_OID_set filtered_mechs; gss_OID_set actual_mechs = GSS_C_NO_OID_SET; @@ -430,24 +403,19 @@ static bool mag_auth_basic(request_rec *req, } else if (cfg->allowed_mechs) { allowed_mechs = cfg->allowed_mechs; } else { + struct mag_server_config *scfg; /* Try to fetch the default set if not explicitly configured, * We need to do this because gss_acquire_cred_with_password() * is currently limited to acquire creds for a single "default" * mechanism if no desired mechanisms are passed in. This causes * authentication to fail for secondary mechanisms as no user * credentials are generated for those. */ - maj = gss_indicate_mechs(&min, &indicated_mechs); - if (maj != GSS_S_COMPLETE) { - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, req, "%s", - mag_error(req, "gss_indicate_mechs() failed", - maj, min)); - /* if indicated _mechs failed, set GSS_C_NO_OID_SET. This - * generally causes only the krb5 mechanism to be tried due - * to implementation constraints, but may change in future. */ - allowed_mechs = GSS_C_NO_OID_SET; - } else { - allowed_mechs = indicated_mechs; - } + scfg = ap_get_module_config(req->server->module_config, + &auth_gssapi_module); + /* In the worst case scenario default_mechs equals to GSS_C_NO_OID_SET. + * This generally causes only the krb5 mechanism to be tried due + * to implementation constraints, but may change in future. */ + allowed_mechs = scfg->default_mechs; } /* Remove Spnego if present, or we'd repeat failed authentiations @@ -461,19 +429,14 @@ static bool mag_auth_basic(request_rec *req, * multiple times uselessly. */ filtered_mechs = mag_filter_unwanted_mechs(allowed_mechs); - if ((allowed_mechs != GSS_C_NO_OID_SET) && - (filtered_mechs == GSS_C_NO_OID_SET)) { + if (filtered_mechs == allowed_mechs) { + /* in case filtered_mechs was not allocated here don't free it */ + filtered_mechs = GSS_C_NO_OID_SET; + } else if (filtered_mechs == GSS_C_NO_OID_SET) { ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, req, "Fatal " "failure while filtering mechs, aborting"); goto done; - } else if (filtered_mechs != allowed_mechs) { - /* if indicated_mechs where sourced then free them here before - * reusing the pointer */ - gss_release_oid_set(&min, &indicated_mechs); - - /* mark the list of mechs needs to be freed */ - indicated_mechs = filtered_mechs; - + } else { /* use the filtered list */ allowed_mechs = filtered_mechs; } @@ -529,20 +492,10 @@ static bool mag_auth_basic(request_rec *req, /* must acquire creds based on the actual mechs we want to try */ if (!mag_acquire_creds(req, cfg, actual_mechs, - cred_usage, &acquired_cred, NULL)) { + GSS_C_ACCEPT, &server_cred, NULL)) { goto done; } - if (cred_usage == GSS_C_BOTH) { - /* must acquire with GSS_C_ACCEPT to get the server name */ - if (!mag_acquire_creds(req, cfg, actual_mechs, - GSS_C_ACCEPT, &server_cred, NULL)) { - goto done; - } - } else { - server_cred = acquired_cred; - } - #ifdef HAVE_CRED_STORE if (cfg->deleg_ccache_dir) { /* delegate ourselves credentials so we store them as requested */ @@ -580,7 +533,7 @@ static bool mag_auth_basic(request_rec *req, break; } gss_release_buffer(&min, &output); - maj = gss_accept_sec_context(&min, &server_ctx, acquired_cred, + maj = gss_accept_sec_context(&min, &server_ctx, server_cred, &input, GSS_C_NO_CHANNEL_BINDINGS, client, mech_type, &output, NULL, vtime, delegated_cred); @@ -603,15 +556,13 @@ done: gss_release_buffer(&min, &output); gss_release_buffer(&min, &input); gss_release_name(&min, &server); - if (server_cred != acquired_cred) - gss_release_cred(&min, &server_cred); gss_delete_sec_context(&min, &server_ctx, GSS_C_NO_BUFFER); - gss_release_cred(&min, &acquired_cred); + gss_release_cred(&min, &server_cred); gss_release_name(&min, &user); gss_release_cred(&min, &user_cred); gss_delete_sec_context(&min, &user_ctx, GSS_C_NO_BUFFER); gss_release_oid_set(&min, &actual_mechs); - gss_release_oid_set(&min, &indicated_mechs); + gss_release_oid_set(&min, &filtered_mechs); #ifdef HAVE_GSS_KRB5_CCACHE_NAME if (user_ccache != NULL) { maj = gss_krb5_ccache_name(&min, orig_ccache, NULL); @@ -626,11 +577,65 @@ done: return ret; } +struct mag_req_cfg *mag_init_cfg(request_rec *req) +{ + struct mag_server_config *scfg; + struct mag_req_cfg *req_cfg = apr_pcalloc(req->pool, + sizeof(struct mag_req_cfg)); + req_cfg->req = req; + req_cfg->cfg = ap_get_module_config(req->per_dir_config, + &auth_gssapi_module); + + scfg = ap_get_module_config(req->server->module_config, + &auth_gssapi_module); + + if (req_cfg->cfg->allowed_mechs) { + req_cfg->desired_mechs = req_cfg->cfg->allowed_mechs; + } else { + /* Use the default set if not explicitly configured */ + req_cfg->desired_mechs = scfg->default_mechs; + } + + if (req_cfg->cfg->mag_skey) { + req_cfg->mag_skey = req_cfg->cfg->mag_skey; + } else { + /* Use server random key if not explicitly configured */ + req_cfg->mag_skey = scfg->mag_skey; + } + + if (req->proxyreq == PROXYREQ_PROXY) { + req_cfg->req_proto = "Proxy-Authorization"; + req_cfg->rep_proto = "Proxy-Authenticate"; + } else { + req_cfg->req_proto = "Authorization"; + req_cfg->rep_proto = "WWW-Authenticate"; + req_cfg->use_sessions = req_cfg->cfg->use_sessions; + req_cfg->send_persist = req_cfg->cfg->send_persist; + } + + return req_cfg; +} + +#ifdef HAVE_CRED_STORE +static bool use_s4u2proxy(struct mag_req_cfg *req_cfg) { + if (req_cfg->cfg->use_s4u2proxy) { + if (req_cfg->cfg->deleg_ccache_dir != NULL) { + return true; + } else { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req_cfg->req, + "S4U2 Proxy requested but GssapiDelegCcacheDir " + "is not set. Constrained delegation disabled!"); + } + } + return false; +} +#endif static int mag_auth(request_rec *req) { const char *type; int auth_type = -1; + struct mag_req_cfg *req_cfg; struct mag_config *cfg; const char *auth_header; char *auth_header_type; @@ -650,34 +655,23 @@ static int mag_auth(request_rec *req) uint32_t maj, min; char *reply; size_t replen; - char *clientname; gss_OID mech_type = GSS_C_NO_OID; gss_OID_set desired_mechs = GSS_C_NO_OID_SET; - gss_OID_set indicated_mechs = GSS_C_NO_OID_SET; gss_buffer_desc lname = GSS_C_EMPTY_BUFFER; struct mag_conn *mc = NULL; - time_t expiration; int i; + bool send_auth_header = true; type = ap_auth_type(req); if ((type == NULL) || (strcasecmp(type, "GSSAPI") != 0)) { return DECLINED; } - cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module); + req_cfg = mag_init_cfg(req); - if (cfg->allowed_mechs) { - desired_mechs = cfg->allowed_mechs; - } else { - /* Try to fetch the default set if not explicitly configured */ - maj = gss_indicate_mechs(&min, &indicated_mechs); - if (maj != GSS_S_COMPLETE) { - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, req, "%s", - mag_error(req, "gss_indicate_mechs() failed", - maj, min)); - } - desired_mechs = indicated_mechs; - } + cfg = req_cfg->cfg; + + desired_mechs = req_cfg->desired_mechs; /* implicit auth for subrequests if main auth already happened */ if (!ap_is_initial_req(req) && req->main != NULL) { @@ -729,11 +723,11 @@ static int mag_auth(request_rec *req) } /* if available, session always supersedes connection bound data */ - if (cfg->use_sessions) { - mag_check_session(req, cfg, &mc); + if (req_cfg->use_sessions) { + mag_check_session(req_cfg, &mc); } - auth_header = apr_table_get(req->headers_in, "Authorization"); + auth_header = apr_table_get(req->headers_in, req_cfg->req_proto); if (mc) { if (mc->established && @@ -747,6 +741,8 @@ static int mag_auth(request_rec *req) } pctx = &mc->ctx; } else { + /* no preserved mc, create one just for this request */ + mc = mag_new_conn_ctx(req->pool); pctx = &ctx; } @@ -756,6 +752,9 @@ static int mag_auth(request_rec *req) auth_header_type = ap_getword_white(req->pool, &auth_header); if (!auth_header_type) goto done; + /* We got auth header, sending auth header would mean re-auth */ + send_auth_header = !cfg->negotiate_once; + for (i = 0; auth_types[i] != NULL; i++) { if (strcasecmp(auth_header_type, auth_types[i]) == 0) { auth_type = i; @@ -779,6 +778,7 @@ static int mag_auth(request_rec *req) ba_user.value = ap_getword_nulls_nc(req->pool, (char **)&ba_pwd.value, ':'); if (!ba_user.value) goto done; + if (((char *)ba_user.value)[0] == '\0' || ((char *)ba_pwd.value)[0] == '\0') { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, @@ -788,8 +788,8 @@ static int mag_auth(request_rec *req) ba_user.length = strlen(ba_user.value); ba_pwd.length = strlen(ba_pwd.value); - if (mc && mc->established && - mag_basic_check(cfg, mc, ba_user, ba_pwd)) { + if (mc->is_preserved && mc->established && + mag_basic_check(req_cfg, mc, ba_user, ba_pwd)) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, "Already established BASIC AUTH context found!"); mag_set_req_data(req, cfg, mc); @@ -800,7 +800,8 @@ static int mag_auth(request_rec *req) break; case AUTH_TYPE_RAW_NTLM: - if (!is_mech_allowed(cfg, &gss_mech_ntlmssp)) { + if (!is_mech_allowed(desired_mechs, gss_mech_ntlmssp, + cfg->gss_conn_ctx)) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, "NTLM Authentication is not allowed!"); goto done; @@ -810,31 +811,31 @@ static int mag_auth(request_rec *req) goto done; } - desired_mechs = discard_const(&gss_mech_set_ntlmssp); + desired_mechs = discard_const(gss_mech_set_ntlmssp); break; default: goto done; } - if (mc && mc->established) { + if (mc->established) { /* if we are re-authenticating make sure the conn context * is cleaned up so we do not accidentally reuse an existing * established context */ mag_conn_clear(mc); } - req->ap_auth_type = apr_pstrdup(req->pool, auth_types[auth_type]); + mc->auth_type = auth_type; #ifdef HAVE_CRED_STORE - if (cfg->use_s4u2proxy) { + if (use_s4u2proxy(req_cfg)) { cred_usage = GSS_C_BOTH; } #endif if (auth_type == AUTH_TYPE_BASIC) { if (mag_auth_basic(req, cfg, ba_user, ba_pwd, - cred_usage, &client, &mech_type, + &client, &mech_type, &delegated_cred, &vtime)) { goto complete; } @@ -867,7 +868,7 @@ static int mag_auth(request_rec *req) maj, min)); goto done; } else if (maj == GSS_S_CONTINUE_NEEDED) { - if (!mc) { + if (!mc->is_preserved) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "Mechanism needs continuation but neither " "GssapiConnectionBound nor " @@ -880,7 +881,6 @@ static int mag_auth(request_rec *req) } complete: - /* Always set the GSS name in an env var */ maj = gss_display_name(&min, client, &name, NULL); if (GSS_ERROR(maj)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", @@ -888,26 +888,20 @@ complete: maj, min)); goto done; } - clientname = apr_pstrndup(req->pool, name.value, name.length); - apr_table_set(req->subprocess_env, "GSS_NAME", clientname); - expiration = time(NULL) + vtime; - apr_table_set(req->subprocess_env, "GSS_SESSION_EXPIRATION", - apr_psprintf(req->pool, "%ld", (long)expiration)); - -#ifdef HAVE_CRED_STORE - if (cfg->deleg_ccache_dir && delegated_cred != GSS_C_NO_CREDENTIAL) { - char *ccachefile = NULL; - mag_store_deleg_creds(req, cfg->deleg_ccache_dir, clientname, - delegated_cred, &ccachefile); + mc->gss_name = apr_pstrndup(req->pool, name.value, name.length); + if (vtime == GSS_C_INDEFINITE || vtime < MIN_SESS_EXP_TIME) { + vtime = MIN_SESS_EXP_TIME; + } + mc->expiration = time(NULL) + vtime; - if (ccachefile) { - mag_set_KRB5CCANME(req, ccachefile); - } + mag_get_name_attributes(req, cfg, client, mc); - if (mc) { - mc->delegated = true; - } +#ifdef HAVE_CRED_STORE + if (cfg->deleg_ccache_dir && delegated_cred != GSS_C_NO_CREDENTIAL) { + mag_store_deleg_creds(req, cfg->deleg_ccache_dir, mc->gss_name, + delegated_cred); + mc->delegated = true; } #endif @@ -918,59 +912,57 @@ complete: mag_error(req, "gss_localname() failed", maj, min)); goto done; } - req->user = apr_pstrndup(req->pool, lname.value, lname.length); + mc->user_name = apr_pstrndup(req->pool, lname.value, lname.length); } else { - req->user = clientname; + mc->user_name = apr_pstrdup(mc->pool, mc->gss_name); } - if (mc) { - mc->user_name = apr_pstrdup(mc->pool, req->user); - mc->gss_name = apr_pstrdup(mc->pool, clientname); - mc->established = true; - if (vtime == GSS_C_INDEFINITE || vtime < MIN_SESS_EXP_TIME) { - vtime = MIN_SESS_EXP_TIME; - } - mc->expiration = expiration; - mc->auth_type = auth_type; - if (auth_type == AUTH_TYPE_BASIC) { - mag_basic_cache(cfg, mc, ba_user, ba_pwd); - } - if (cfg->use_sessions) { - mag_attempt_session(req, cfg, mc); - } + mc->established = true; + if (auth_type == AUTH_TYPE_BASIC) { + mag_basic_cache(req_cfg, mc, ba_user, ba_pwd); } + if (req_cfg->use_sessions) { + mag_attempt_session(req_cfg, mc); + } + + /* Now set request data and env vars */ + mag_set_req_data(req, cfg, mc); - if (cfg->send_persist) + if (req_cfg->send_persist) apr_table_set(req->headers_out, "Persistent-Auth", cfg->gss_conn_ctx ? "true" : "false"); ret = OK; done: + if ((auth_type != AUTH_TYPE_BASIC) && (output.length != 0)) { - int prefixlen = strlen(auth_types[auth_type]) + 1; + int prefixlen = strlen(mag_str_auth_type(auth_type)) + 1; replen = apr_base64_encode_len(output.length) + 1; reply = apr_pcalloc(req->pool, prefixlen + replen); if (reply) { - memcpy(reply, auth_types[auth_type], prefixlen - 1); + memcpy(reply, mag_str_auth_type(auth_type), prefixlen - 1); reply[prefixlen - 1] = ' '; apr_base64_encode(&reply[prefixlen], output.value, output.length); - apr_table_add(req->err_headers_out, - "WWW-Authenticate", reply); + apr_table_add(req->err_headers_out, req_cfg->rep_proto, reply); } } else if (ret == HTTP_UNAUTHORIZED) { - apr_table_add(req->err_headers_out, "WWW-Authenticate", "Negotiate"); - if (is_mech_allowed(cfg, &gss_mech_ntlmssp)) { - apr_table_add(req->err_headers_out, "WWW-Authenticate", "NTLM"); + if (send_auth_header) { + apr_table_add(req->err_headers_out, + req_cfg->rep_proto, "Negotiate"); + if (is_mech_allowed(desired_mechs, gss_mech_ntlmssp, + cfg->gss_conn_ctx)) { + apr_table_add(req->err_headers_out, req_cfg->rep_proto, + "NTLM"); + } } if (cfg->use_basic_auth) { - apr_table_add(req->err_headers_out, - "WWW-Authenticate", + apr_table_add(req->err_headers_out, req_cfg->rep_proto, apr_psprintf(req->pool, "Basic realm=\"%s\"", ap_auth_name(req))); } } - gss_release_oid_set(&min, &indicated_mechs); + if (ctx != GSS_C_NO_CONTEXT) gss_delete_sec_context(&min, &ctx, GSS_C_NO_BUFFER); gss_release_cred(&min, &acquired_cred); @@ -1034,9 +1026,6 @@ static const char *mag_use_s4u2p(cmd_parms *parms, void *mconfig, int on) struct mag_config *cfg = (struct mag_config *)mconfig; cfg->use_s4u2proxy = on ? true : false; - if (cfg->deleg_ccache_dir == NULL) { - cfg->deleg_ccache_dir = apr_pstrdup(parms->pool, "/tmp"); - } return NULL; } #endif @@ -1198,7 +1187,7 @@ static bool mag_list_of_mechs(cmd_parms *parms, gss_OID_set *oidset, } else if (strcmp(w, "iakerb") == 0) { oid = discard_const(gss_mech_iakerb); } else if (strcmp(w, "ntlmssp") == 0) { - oid = discard_const(&gss_mech_ntlmssp); + oid = discard_const(gss_mech_ntlmssp); } else { buf.value = discard_const(w); buf.length = strlen(w); @@ -1233,6 +1222,76 @@ static const char *mag_allow_mech(cmd_parms *parms, void *mconfig, return NULL; } +static const char *mag_negotiate_once(cmd_parms *parms, void *mconfig, int on) +{ + struct mag_config *cfg = (struct mag_config *)mconfig; + + cfg->negotiate_once = on ? true : false; + return NULL; +} + +#define GSS_NAME_ATTR_USERDATA "GSS Name Attributes Userdata" + +static apr_status_t mag_name_attrs_cleanup(void *data) +{ + struct mag_config *cfg = (struct mag_config *)data; + free(cfg->name_attributes); + cfg->name_attributes = NULL; + return 0; +} + +static const char *mag_name_attrs(cmd_parms *parms, void *mconfig, + const char *w) +{ + struct mag_config *cfg = (struct mag_config *)mconfig; + void *tmp_na; + size_t size = 0; + char *p; + int c; + + if (!cfg->name_attributes) { + size = sizeof(struct mag_name_attributes) + + (sizeof(struct mag_na_map) * 16); + } else if (cfg->name_attributes->map_count % 16 == 0) { + size = sizeof(struct mag_name_attributes) + + (sizeof(struct mag_na_map) + * (cfg->name_attributes->map_count + 16)); + } + if (size) { + tmp_na = realloc(cfg->name_attributes, size); + if (!tmp_na) apr_pool_abort_get(cfg->pool)(ENOMEM); + + if (cfg->name_attributes) { + size_t empty = (sizeof(struct mag_na_map) * 16); + memset(tmp_na + size - empty, 0, empty); + } else { + memset(tmp_na, 0, size); + } + cfg->name_attributes = (struct mag_name_attributes *)tmp_na; + apr_pool_userdata_setn(cfg, GSS_NAME_ATTR_USERDATA, + mag_name_attrs_cleanup, cfg->pool); + } + + p = strchr(w, ' '); + if (p == NULL) { + if (strcmp(w, "json") == 0) { + cfg->name_attributes->output_json = true; + } else { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, + "Invalid Name Attributes value [%s].", w); + } + return NULL; + } + + c = cfg->name_attributes->map_count; + cfg->name_attributes->map[c].env_name = apr_pstrndup(cfg->pool, w, p-w); + p++; + cfg->name_attributes->map[c].attr_name = apr_pstrdup(cfg->pool, p); + cfg->name_attributes->map_count += 1; + + return NULL; +} + #ifdef HAVE_GSS_ACQUIRE_CRED_WITH_PASSWORD static const char *mag_basic_auth_mechs(cmd_parms *parms, void *mconfig, const char *w) @@ -1246,6 +1305,33 @@ static const char *mag_basic_auth_mechs(cmd_parms *parms, void *mconfig, } #endif +static void *mag_create_server_config(apr_pool_t *p, server_rec *s) +{ + struct mag_server_config *scfg; + uint32_t maj, min; + apr_status_t rc; + + scfg = apr_pcalloc(p, sizeof(struct mag_server_config)); + + maj = gss_indicate_mechs(&min, &scfg->default_mechs); + if (maj != GSS_S_COMPLETE) { + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, + "gss_indicate_mechs() failed"); + } else { + /* Register the set in pool */ + apr_pool_cleanup_register(p, (void *)scfg->default_mechs, + mag_oid_set_destroy, apr_pool_cleanup_null); + } + + rc = SEAL_KEY_CREATE(p, &scfg->mag_skey, NULL); + if (rc != OK) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "Failed to generate random sealing key!"); + } + + return scfg; +} + static const command_rec mag_commands[] = { AP_INIT_FLAG("GssapiSSLonly", mag_ssl_only, NULL, OR_AUTHCFG, "Work only if connection is SSL Secured"), @@ -1275,6 +1361,10 @@ static const command_rec mag_commands[] = { #endif AP_INIT_ITERATE("GssapiAllowedMech", mag_allow_mech, NULL, OR_AUTHCFG, "Allowed Mechanisms"), + AP_INIT_FLAG("GssapiNegotiateOnce", mag_negotiate_once, NULL, OR_AUTHCFG, + "Don't resend negotiate header on negotiate failure"), + AP_INIT_RAW_ARGS("GssapiNameAttributes", mag_name_attrs, NULL, OR_AUTHCFG, + "Name Attributes to be exported as environ variables"), { NULL } }; @@ -1291,7 +1381,7 @@ module AP_MODULE_DECLARE_DATA auth_gssapi_module = STANDARD20_MODULE_STUFF, mag_create_dir_config, NULL, - NULL, + mag_create_server_config, NULL, mag_commands, mag_register_hooks