X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_gssapi.git;a=blobdiff_plain;f=src%2Fmod_auth_gssapi.c;h=a88b653870980b71163e9da9125343491a9c6c7f;hp=a22a4b2d43e2df04346ad23cd89677c84c202bc6;hb=9cfa62da9119d2cd62314e5328215f8ea45c64b1;hpb=3ea39a3be4c36954a2c13fb1059d8f72c8faaf89 diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index a22a4b2..a88b653 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -24,6 +24,14 @@ #include "mod_auth_gssapi.h" +const gss_OID_desc gss_mech_ntlmssp = { + GSS_NTLMSSP_OID_LENGTH, GSS_NTLMSSP_OID_STRING +}; + +const gss_OID_set_desc gss_mech_set_ntlmssp = { + 1, discard_const(&gss_mech_ntlmssp) +}; + #define MOD_AUTH_GSSAPI_VERSION PACKAGE_NAME "/" PACKAGE_VERSION module AP_MODULE_DECLARE_DATA auth_gssapi_module; @@ -89,7 +97,6 @@ static int mag_pre_connection(conn_rec *c, void *csd) struct mag_conn *mc; mc = apr_pcalloc(c->pool, sizeof(struct mag_conn)); - if (!mc) return DECLINED; mc->parent = c->pool; ap_set_module_config(c->conn_config, &auth_gssapi_module, (void*)mc); @@ -117,6 +124,38 @@ static bool mag_conn_is_https(conn_rec *c) return false; } +static bool mag_acquire_creds(request_rec *req, + struct mag_config *cfg, + gss_OID_set desired_mechs, + gss_cred_usage_t cred_usage, + gss_cred_id_t *creds, + gss_OID_set *actual_mechs) +{ + uint32_t maj, min; +#ifdef HAVE_CRED_STORE + gss_const_key_value_set_t store = cfg->cred_store; + + maj = gss_acquire_cred_from(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE, + desired_mechs, cred_usage, store, creds, + actual_mechs, NULL); +#else + maj = gss_acquire_cred(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE, + desired_mechs, cred_usage, creds, + actual_mechs, NULL); +#endif + + if (GSS_ERROR(maj)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", + mag_error(req, "gss_acquire_cred[_from]() " + "failed to get server creds", + maj, min)); + return false; + } + + return true; +} + +#ifdef HAVE_CRED_STORE static char *escape(apr_pool_t *pool, const char *name, char find, const char *replace) { @@ -126,7 +165,6 @@ static char *escape(apr_pool_t *pool, const char *name, char *p; namecopy = apr_pstrdup(pool, name); - if (!namecopy) goto done; p = strchr(namecopy, find); if (!p) return namecopy; @@ -141,7 +179,6 @@ static char *escape(apr_pool_t *pool, const char *name, } else { escaped = apr_pstrcat(pool, n, replace, NULL); } - if (!escaped) goto done; /* move to next segment */ n = p + 1; p = strchr(n, find); @@ -151,11 +188,6 @@ static char *escape(apr_pool_t *pool, const char *name, escaped = apr_pstrcat(pool, escaped, n, NULL); } -done: - if (!escaped) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL, - "OOM escaping name"); - } return escaped; } @@ -180,11 +212,6 @@ static void mag_store_deleg_creds(request_rec *req, if (!escaped) return; value = apr_psprintf(req->pool, "FILE:%s/%s", dir, escaped); - if (!value) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL, - "OOM storing delegated credentials"); - return; - } element.key = "ccache"; element.value = value; @@ -194,31 +221,71 @@ static void mag_store_deleg_creds(request_rec *req, maj = gss_store_cred_into(&min, delegated_cred, GSS_C_INITIATE, GSS_C_NULL_OID, 1, 1, &store, NULL, NULL); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "failed to store delegated creds", maj, min)); } *ccachefile = value; } +#endif + +static bool parse_auth_header(apr_pool_t *pool, const char **auth_header, + gss_buffer_t value) +{ + char *auth_header_value; + + auth_header_value = ap_getword_white(pool, auth_header); + if (!auth_header_value) return false; + value->length = apr_base64_decode_len(auth_header_value) + 1; + value->value = apr_pcalloc(pool, value->length); + if (!value->value) return false; + value->length = apr_base64_decode(value->value, auth_header_value); + + return true; +} + +static bool is_mech_allowed(struct mag_config *cfg, gss_const_OID mech) +{ + if (cfg->allowed_mechs == GSS_C_NO_OID_SET) return true; + + for (int i = 0; i < cfg->allowed_mechs->count; i++) { + if (gss_oid_equal(&cfg->allowed_mechs->elements[i], mech)) { + return true; + } + } + return false; +} + +#define AUTH_TYPE_NEGOTIATE 0 +#define AUTH_TYPE_BASIC 1 +#define AUTH_TYPE_RAW_NTLM 2 +const char *auth_types[] = { + "Negotiate", + "Basic", + "NTLM", + NULL +}; static int mag_auth(request_rec *req) { const char *type; - const char *auth_type; + int auth_type = -1; struct mag_config *cfg; const char *auth_header; char *auth_header_type; - char *auth_header_value; int ret = HTTP_UNAUTHORIZED; gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; gss_ctx_id_t *pctx; gss_buffer_desc input = GSS_C_EMPTY_BUFFER; gss_buffer_desc output = GSS_C_EMPTY_BUFFER; gss_buffer_desc name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc ba_user; + gss_buffer_desc ba_pwd; gss_name_t client = GSS_C_NO_NAME; gss_cred_id_t user_cred = GSS_C_NO_CREDENTIAL; gss_cred_id_t acquired_cred = GSS_C_NO_CREDENTIAL; + gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL; gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL; gss_cred_usage_t cred_usage = GSS_C_ACCEPT; uint32_t flags; @@ -228,9 +295,9 @@ static int mag_auth(request_rec *req) size_t replen; char *clientname; gss_OID mech_type = GSS_C_NO_OID; + gss_OID_set desired_mechs = GSS_C_NO_OID_SET; gss_buffer_desc lname = GSS_C_EMPTY_BUFFER; struct mag_conn *mc = NULL; - bool is_basic = false; gss_ctx_id_t user_ctx = GSS_C_NO_CONTEXT; gss_name_t server = GSS_C_NO_NAME; #ifdef HAVE_GSS_KRB5_CCACHE_NAME @@ -239,6 +306,7 @@ static int mag_auth(request_rec *req) #endif uint32_t init_flags = 0; time_t expiration; + int i; type = ap_auth_type(req); if ((type == NULL) || (strcasecmp(type, "GSSAPI") != 0)) { @@ -247,15 +315,22 @@ static int mag_auth(request_rec *req) cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module); + if (!cfg->allowed_mechs) { + /* Try to fetch the default set if not explicitly configured */ + (void)mag_acquire_creds(req, cfg, GSS_C_NO_OID_SET, GSS_C_ACCEPT, + &server_cred, &cfg->allowed_mechs); + (void)gss_release_cred(&min, &server_cred); + } + /* implicit auth for subrequests if main auth already happened */ - if (!ap_is_initial_req(req)) { + if (!ap_is_initial_req(req) && req->main != NULL) { type = ap_auth_type(req->main); if ((type != NULL) && (strcasecmp(type, "GSSAPI") == 0)) { /* warn if the subrequest location and the main request * location have different configs */ if (cfg != ap_get_module_config(req->main->per_dir_config, &auth_gssapi_module)) { - ap_log_rerror(APLOG_MARK, APLOG_WARNING||APLOG_NOERRNO, 0, + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, req, "Subrequest authentication bypass on " "location with different configuration!"); } @@ -263,13 +338,13 @@ static int mag_auth(request_rec *req) req->user = apr_pstrdup(req->pool, req->main->user); return OK; } else { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "The main request is tasked to establish the " "security context, can't proceed!"); return HTTP_UNAUTHORIZED; } } else { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, "Subrequest GSSAPI auth with no auth on the main " "request. This operation may fail if other " "subrequests already established a context or the " @@ -279,7 +354,7 @@ static int mag_auth(request_rec *req) if (cfg->ssl_only) { if (!mag_conn_is_https(req->connection)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "Not a TLS connection, refusing to authenticate!"); goto done; } @@ -290,7 +365,7 @@ static int mag_auth(request_rec *req) req->connection->conn_config, &auth_gssapi_module); if (!mc) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, "Failed to retrieve connection context!"); goto done; } @@ -308,13 +383,14 @@ static int mag_auth(request_rec *req) mag_conn_destroy, mc->parent); if (mc->established) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, "Already established context found!"); apr_table_set(req->subprocess_env, "GSS_NAME", mc->gss_name); apr_table_set(req->subprocess_env, "GSS_SESSION_EXPIRATION", apr_psprintf(req->pool, "%ld", (long)mc->expiration)); - req->ap_auth_type = apr_pstrdup(req->pool, mc->auth_type); + req->ap_auth_type = apr_pstrdup(req->pool, + auth_types[mc->auth_type]); req->user = apr_pstrdup(req->pool, mc->user_name); ret = OK; goto done; @@ -330,22 +406,23 @@ static int mag_auth(request_rec *req) auth_header_type = ap_getword_white(req->pool, &auth_header); if (!auth_header_type) goto done; - if (strcasecmp(auth_header_type, "Negotiate") == 0) { - auth_type = "Negotiate"; - - auth_header_value = ap_getword_white(req->pool, &auth_header); - if (!auth_header_value) goto done; - input.length = apr_base64_decode_len(auth_header_value) + 1; - input.value = apr_pcalloc(req->pool, input.length); - if (!input.value) goto done; - input.length = apr_base64_decode(input.value, auth_header_value); - } else if ((strcasecmp(auth_header_type, "Basic") == 0) && - (cfg->use_basic_auth == true)) { - auth_type = "Basic"; - is_basic = true; + for (i = 0; auth_types[i] != NULL; i++) { + if (strcasecmp(auth_header_type, auth_types[i]) == 0) { + auth_type = i; + break; + } + } - gss_buffer_desc ba_user; - gss_buffer_desc ba_pwd; + switch (auth_type) { + case AUTH_TYPE_NEGOTIATE: + if (!parse_auth_header(req->pool, &auth_header, &input)) { + goto done; + } + break; + case AUTH_TYPE_BASIC: + if (!cfg->use_basic_auth) { + goto done; + } ba_pwd.value = ap_pbase64decode(req->pool, auth_header); if (!ba_pwd.value) goto done; @@ -354,7 +431,7 @@ static int mag_auth(request_rec *req) if (!ba_user.value) goto done; if (((char *)ba_user.value)[0] == '\0' || ((char *)ba_pwd.value)[0] == '\0') { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "Invalid empty user or password for Basic Auth"); goto done; } @@ -362,7 +439,7 @@ static int mag_auth(request_rec *req) ba_pwd.length = strlen(ba_pwd.value); maj = gss_import_name(&min, &ba_user, GSS_C_NT_USER_NAME, &client); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "In Basic Auth, %s", mag_error(req, "gss_import_name() failed", maj, min)); @@ -376,14 +453,14 @@ static int mag_auth(request_rec *req) rs = apr_generate_random_bytes((unsigned char *)(&rndname), sizeof(long long unsigned int)); if (rs != APR_SUCCESS) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "Failed to generate random ccache name"); goto done; } user_ccache = apr_psprintf(req->pool, "MEMORY:user_%qu", rndname); maj = gss_krb5_ccache_name(&min, user_ccache, &orig_ccache); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "In Basic Auth, %s", mag_error(req, "gss_krb5_ccache_name() " "failed", maj, min)); @@ -392,67 +469,80 @@ static int mag_auth(request_rec *req) #endif maj = gss_acquire_cred_with_password(&min, client, &ba_pwd, GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, + cfg->allowed_mechs, GSS_C_INITIATE, &user_cred, NULL, NULL); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "In Basic Auth, %s", mag_error(req, "gss_acquire_cred_with_password() " "failed", maj, min)); goto done; } gss_release_name(&min, &client); - } else { + break; + + case AUTH_TYPE_RAW_NTLM: + if (!is_mech_allowed(cfg, &gss_mech_ntlmssp)) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, + "NTLM Authentication is not allowed!"); + goto done; + } + + if (!parse_auth_header(req->pool, &auth_header, &input)) { + goto done; + } + + desired_mechs = discard_const(&gss_mech_set_ntlmssp); + break; + + default: goto done; } - req->ap_auth_type = apr_pstrdup(req->pool, auth_type); + req->ap_auth_type = apr_pstrdup(req->pool, auth_types[auth_type]); -#ifdef HAVE_GSS_ACQUIRE_CRED_FROM +#ifdef HAVE_CRED_STORE if (cfg->use_s4u2proxy) { cred_usage = GSS_C_BOTH; } - if (cfg->cred_store) { - maj = gss_acquire_cred_from(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, cred_usage, - cfg->cred_store, &acquired_cred, - NULL, NULL); - if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", - mag_error(req, "gss_acquire_cred_from() failed", - maj, min)); - goto done; - } - } #endif + if (!mag_acquire_creds(req, cfg, desired_mechs, + cred_usage, &acquired_cred, NULL)) { + goto done; + } - if (is_basic) { - if (!acquired_cred) { - /* Try to acquire default creds */ - maj = gss_acquire_cred(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, cred_usage, - &acquired_cred, NULL, NULL); - if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, - "%s", mag_error(req, "gss_acquire_cred_from()" - " failed", maj, min)); + if (auth_type == AUTH_TYPE_BASIC) { + if (cred_usage == GSS_C_BOTH) { + /* If GSS_C_BOTH is used then inquire_cred will return the client + * name instead of the SPN of the server credentials. Therefore we + * need to acquire a different set of credential setting + * GSS_C_ACCEPT explicitly */ + if (!mag_acquire_creds(req, cfg, cfg->allowed_mechs, + GSS_C_ACCEPT, &server_cred, NULL)) { goto done; } + } else { + server_cred = acquired_cred; } - maj = gss_inquire_cred(&min, acquired_cred, &server, + maj = gss_inquire_cred(&min, server_cred, &server, NULL, NULL, NULL); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_inquired_cred_() " "failed", maj, min)); goto done; } + if (server_cred != acquired_cred) { + gss_release_cred(&min, &server_cred); + } +#ifdef HAVE_CRED_STORE if (cfg->deleg_ccache_dir) { /* delegate ourselves credentials so we store them as requested */ init_flags |= GSS_C_DELEG_FLAG; } +#endif /* output and input are inverted here, this is intentional */ maj = gss_init_sec_context(&min, user_cred, &user_ctx, server, @@ -460,24 +550,39 @@ static int mag_auth(request_rec *req) GSS_C_NO_CHANNEL_BINDINGS, &output, NULL, &input, NULL, NULL); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_init_sec_context() " "failed", maj, min)); goto done; } } + if (auth_type == AUTH_TYPE_NEGOTIATE && + cfg->allowed_mechs != GSS_C_NO_OID_SET) { + maj = gss_set_neg_mechs(&min, acquired_cred, cfg->allowed_mechs); + if (GSS_ERROR(maj)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", + mag_error(req, "gss_set_neg_mechs() failed", + maj, min)); + goto done; + } + } + maj = gss_accept_sec_context(&min, pctx, acquired_cred, &input, GSS_C_NO_CHANNEL_BINDINGS, &client, &mech_type, &output, &flags, &vtime, &delegated_cred); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_accept_sec_context() failed", maj, min)); goto done; } - if (is_basic) { + if (auth_type == AUTH_TYPE_BASIC) { + if (mc) { + apr_pool_cleanup_run(mc->parent, mc, mag_conn_destroy); + mc = NULL; + } while (maj == GSS_S_CONTINUE_NEEDED) { gss_release_buffer(&min, &input); /* output and input are inverted here, this is intentional */ @@ -486,7 +591,7 @@ static int mag_auth(request_rec *req) GSS_C_NO_CHANNEL_BINDINGS, &output, NULL, &input, NULL, NULL); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_init_sec_context() " "failed", maj, min)); goto done; @@ -497,7 +602,7 @@ static int mag_auth(request_rec *req) &client, &mech_type, &output, &flags, &vtime, &delegated_cred); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_accept_sec_context()" " failed", maj, min)); goto done; @@ -505,7 +610,7 @@ static int mag_auth(request_rec *req) } } else if (maj == GSS_S_CONTINUE_NEEDED) { if (!mc) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "Mechanism needs continuation but neither " "GssapiConnectionBound nor " "GssapiUseSessions are available"); @@ -520,7 +625,7 @@ static int mag_auth(request_rec *req) /* Always set the GSS name in an env var */ maj = gss_display_name(&min, client, &name, NULL); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_display_name() failed", maj, min)); goto done; @@ -531,7 +636,7 @@ static int mag_auth(request_rec *req) apr_table_set(req->subprocess_env, "GSS_SESSION_EXPIRATION", apr_psprintf(req->pool, "%ld", (long)expiration)); -#ifdef HAVE_GSS_STORE_CRED_INTO +#ifdef HAVE_CRED_STORE if (cfg->deleg_ccache_dir && delegated_cred != GSS_C_NO_CREDENTIAL) { char *ccachefile = NULL; @@ -547,7 +652,7 @@ static int mag_auth(request_rec *req) if (cfg->map_to_local) { maj = gss_localname(&min, client, mech_type, &lname); if (maj != GSS_S_COMPLETE) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_localname() failed", maj, min)); goto done; } @@ -577,18 +682,22 @@ static int mag_auth(request_rec *req) ret = OK; done: - if ((!is_basic) && (output.length != 0)) { + if ((auth_type != AUTH_TYPE_BASIC) && (output.length != 0)) { + int prefixlen = strlen(auth_types[auth_type]) + 1; replen = apr_base64_encode_len(output.length) + 1; - reply = apr_pcalloc(req->pool, 10 + replen); + reply = apr_pcalloc(req->pool, prefixlen + replen); if (reply) { - memcpy(reply, "Negotiate ", 10); - apr_base64_encode(&reply[10], output.value, output.length); + memcpy(reply, auth_types[auth_type], prefixlen - 1); + reply[prefixlen - 1] = ' '; + apr_base64_encode(&reply[prefixlen], output.value, output.length); apr_table_add(req->err_headers_out, "WWW-Authenticate", reply); } } else if (ret == HTTP_UNAUTHORIZED) { - apr_table_add(req->err_headers_out, - "WWW-Authenticate", "Negotiate"); + apr_table_add(req->err_headers_out, "WWW-Authenticate", "Negotiate"); + if (is_mech_allowed(cfg, &gss_mech_ntlmssp)) { + apr_table_add(req->err_headers_out, "WWW-Authenticate", "NTLM"); + } if (cfg->use_basic_auth) { apr_table_add(req->err_headers_out, "WWW-Authenticate", @@ -600,7 +709,7 @@ done: if (user_ccache != NULL) { maj = gss_krb5_ccache_name(&min, orig_ccache, NULL); if (maj != GSS_S_COMPLETE) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "Failed to restore per-thread ccache, %s", mag_error(req, "gss_krb5_ccache_name() " "failed", maj, min)); @@ -625,7 +734,6 @@ static void *mag_create_dir_config(apr_pool_t *p, char *dir) struct mag_config *cfg; cfg = (struct mag_config *)apr_pcalloc(p, sizeof(struct mag_config)); - if (!cfg) return NULL; cfg->pool = p; return cfg; @@ -666,6 +774,7 @@ static const char *mag_use_sess(cmd_parms *parms, void *mconfig, int on) return NULL; } +#ifdef HAVE_CRED_STORE static const char *mag_use_s4u2p(cmd_parms *parms, void *mconfig, int on) { struct mag_config *cfg = (struct mag_config *)mconfig; @@ -673,13 +782,10 @@ static const char *mag_use_s4u2p(cmd_parms *parms, void *mconfig, int on) if (cfg->deleg_ccache_dir == NULL) { cfg->deleg_ccache_dir = apr_pstrdup(parms->pool, "/tmp"); - if (!cfg->deleg_ccache_dir) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, - parms->server, "%s", "OOM setting deleg_ccache_dir."); - } } return NULL; } +#endif static const char *mag_sess_key(cmd_parms *parms, void *mconfig, const char *w) { @@ -691,7 +797,7 @@ static const char *mag_sess_key(cmd_parms *parms, void *mconfig, const char *w) int l; if (strncmp(w, "key:", 4) != 0) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, "Invalid key format, expected prefix 'key:'"); return NULL; } @@ -699,29 +805,26 @@ static const char *mag_sess_key(cmd_parms *parms, void *mconfig, const char *w) l = apr_base64_decode_len(k); val = apr_palloc(parms->temp_pool, l); - if (!val) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, - "Failed to get memory to decode key"); - return NULL; - } keys.length = (int)apr_base64_decode_binary(val, k); keys.value = (unsigned char *)val; if (keys.length != 32) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, - "Invalid key lenght, expected 32 got %d", keys.length); + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, + "Invalid key length, expected 32 got %d", keys.length); return NULL; } rc = SEAL_KEY_CREATE(cfg->pool, &cfg->mag_skey, &keys); if (rc != OK) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, "Failed to import sealing key!"); } return NULL; } +#ifdef HAVE_CRED_STORE + #define MAX_CRED_OPTIONS 10 static const char *mag_cred_store(cmd_parms *parms, void *mconfig, @@ -737,40 +840,26 @@ static const char *mag_cred_store(cmd_parms *parms, void *mconfig, p = strchr(w, ':'); if (!p) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, "%s [%s]", "Invalid syntax for GssapiCredStore option", w); return NULL; } key = apr_pstrndup(parms->pool, w, (p-w)); value = apr_pstrdup(parms->pool, p + 1); - if (!key || !value) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, - "%s", "OOM handling GssapiCredStore option"); - return NULL; - } if (!cfg->cred_store) { cfg->cred_store = apr_pcalloc(parms->pool, sizeof(gss_key_value_set_desc)); - if (!cfg->cred_store) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, - "%s", "OOM handling GssapiCredStore option"); - return NULL; - } size = sizeof(gss_key_value_element_desc) * MAX_CRED_OPTIONS; cfg->cred_store->elements = apr_palloc(parms->pool, size); - if (!cfg->cred_store->elements) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, - "%s", "OOM handling GssapiCredStore option"); - } } elements = cfg->cred_store->elements; count = cfg->cred_store->count; if (count >= MAX_CRED_OPTIONS) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, "Too many GssapiCredStore options (MAX: %d)", MAX_CRED_OPTIONS); return NULL; @@ -789,13 +878,10 @@ static const char *mag_deleg_ccache_dir(cmd_parms *parms, void *mconfig, struct mag_config *cfg = (struct mag_config *)mconfig; cfg->deleg_ccache_dir = apr_pstrdup(parms->pool, value); - if (!cfg->deleg_ccache_dir) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, - "%s", "OOM handling GssapiDelegCcacheDir option"); - } return NULL; } +#endif static const char *mag_use_basic_auth(cmd_parms *parms, void *mconfig, int on) { @@ -805,6 +891,46 @@ static const char *mag_use_basic_auth(cmd_parms *parms, void *mconfig, int on) return NULL; } +#define MAX_ALLOWED_MECHS 10 + +static const char *mag_allow_mech(cmd_parms *parms, void *mconfig, + const char *w) +{ + struct mag_config *cfg = (struct mag_config *)mconfig; + gss_const_OID oid; + size_t size; + + if (!cfg->allowed_mechs) { + cfg->allowed_mechs = apr_pcalloc(parms->pool, + sizeof(gss_OID_set_desc)); + size = sizeof(gss_OID) * MAX_ALLOWED_MECHS; + cfg->allowed_mechs->elements = apr_palloc(parms->pool, size); + } + + if (strcmp(w, "krb5") == 0) { + oid = gss_mech_krb5; + } else if (strcmp(w, "iakerb") == 0) { + oid = gss_mech_iakerb; + } else if (strcmp(w, "ntlmssp") == 0) { + oid = &gss_mech_ntlmssp; + } else { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, + "Unrecognized GSSAPI Mechanism: %s", w); + return NULL; + } + + if (cfg->allowed_mechs->count >= MAX_ALLOWED_MECHS) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, + "Too many GssapiAllowedMech options (MAX: %d)", + MAX_ALLOWED_MECHS); + return NULL; + } + cfg->allowed_mechs->elements[cfg->allowed_mechs->count] = *oid; + cfg->allowed_mechs->count++; + + return NULL; +} + static const command_rec mag_commands[] = { AP_INIT_FLAG("GssapiSSLonly", mag_ssl_only, NULL, OR_AUTHCFG, "Work only if connection is SSL Secured"), @@ -818,11 +944,9 @@ static const command_rec mag_commands[] = { "Authentication uses mod_sessions to hold status"), AP_INIT_RAW_ARGS("GssapiSessionKey", mag_sess_key, NULL, OR_AUTHCFG, "Key Used to seal session data."), -#ifdef HAVE_GSS_ACQUIRE_CRED_FROM +#ifdef HAVE_CRED_STORE AP_INIT_FLAG("GssapiUseS4U2Proxy", mag_use_s4u2p, NULL, OR_AUTHCFG, "Initializes credentials for s4u2proxy usage"), -#endif -#ifdef HAVE_GSS_STORE_CRED_INTO AP_INIT_ITERATE("GssapiCredStore", mag_cred_store, NULL, OR_AUTHCFG, "Credential Store"), AP_INIT_RAW_ARGS("GssapiDelegCcacheDir", mag_deleg_ccache_dir, NULL, @@ -832,6 +956,8 @@ static const command_rec mag_commands[] = { AP_INIT_FLAG("GssapiBasicAuth", mag_use_basic_auth, NULL, OR_AUTHCFG, "Allows use of Basic Auth for authentication"), #endif + AP_INIT_ITERATE("GssapiAllowedMech", mag_allow_mech, NULL, OR_AUTHCFG, + "Allowed Mechanisms"), { NULL } };