X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_gssapi.git;a=blobdiff_plain;f=src%2Fmod_auth_gssapi.c;h=b1b16e54c859cf9d5db100a36601c2bd14921c47;hp=911ac92bf75da2ed103fd8021c3f9879cfecdcd7;hb=7aed3f2080561c603bc2dc6e44dcce3f6f09a09e;hpb=db750842dd9e7bf2dd76bc9be91bbd4d045d3179 diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index 911ac92..b1b16e5 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -24,6 +24,10 @@ #include "mod_auth_gssapi.h" +const gss_OID_desc gss_mech_spnego = { + 6, "\x2b\x06\x01\x05\x05\x02" +}; + const gss_OID_desc gss_mech_ntlmssp = { GSS_NTLMSSP_OID_LENGTH, GSS_NTLMSSP_OID_STRING }; @@ -96,9 +100,7 @@ static int mag_pre_connection(conn_rec *c, void *csd) { struct mag_conn *mc; - mc = apr_pcalloc(c->pool, sizeof(struct mag_conn)); - - mc->parent = c->pool; + mc = mag_new_conn_ctx(c->pool); ap_set_module_config(c->conn_config, &auth_gssapi_module, (void*)mc); return OK; } @@ -111,10 +113,34 @@ static apr_status_t mag_conn_destroy(void *ptr) if (mc->ctx) { (void)gss_delete_sec_context(&min, &mc->ctx, GSS_C_NO_BUFFER); } - memset(mc, 0, sizeof(struct mag_conn)); return APR_SUCCESS; } +struct mag_conn *mag_new_conn_ctx(apr_pool_t *pool) +{ + struct mag_conn *mc; + + mc = apr_pcalloc(pool, sizeof(struct mag_conn)); + apr_pool_create(&mc->pool, pool); + /* register the context in the memory pool, so it can be freed + * when the connection/request is terminated */ + apr_pool_cleanup_register(mc->pool, (void *)mc, + mag_conn_destroy, apr_pool_cleanup_null); + + return mc; +} + +static void mag_conn_clear(struct mag_conn *mc) +{ + (void)mag_conn_destroy(mc); + apr_pool_t *temp; + + apr_pool_clear(mc->pool); + temp = mc->pool; + memset(mc, 0, sizeof(struct mag_conn)); + mc->pool = temp; +} + static bool mag_conn_is_https(conn_rec *c) { if (mag_is_https) { @@ -266,12 +292,16 @@ static bool parse_auth_header(apr_pool_t *pool, const char **auth_header, return true; } -static bool is_mech_allowed(struct mag_config *cfg, gss_const_OID mech) +static bool is_mech_allowed(gss_OID_set allowed_mechs, gss_const_OID mech, + bool multi_step_supported) { - if (cfg->allowed_mechs == GSS_C_NO_OID_SET) return true; + if (!multi_step_supported && gss_oid_equal(&gss_mech_ntlmssp, mech)) + return false; + + if (allowed_mechs == GSS_C_NO_OID_SET) return true; - for (int i = 0; i < cfg->allowed_mechs->count; i++) { - if (gss_oid_equal(&cfg->allowed_mechs->elements[i], mech)) { + for (int i = 0; i < allowed_mechs->count; i++) { + if (gss_oid_equal(&allowed_mechs->elements[i], mech)) { return true; } } @@ -310,10 +340,342 @@ static void mag_set_req_data(request_rec *req, } } +gss_OID_set mag_filter_unwanted_mechs(gss_OID_set src) +{ + gss_const_OID unwanted_mechs[] = { + &gss_mech_spnego, + gss_mech_krb5_old, + gss_mech_krb5_wrong, + gss_mech_iakerb, + GSS_C_NO_OID + }; + gss_OID_set dst; + uint32_t maj, min; + int present = 0; + + if (src == GSS_C_NO_OID_SET) return GSS_C_NO_OID_SET; + + for (int i = 0; unwanted_mechs[i] != GSS_C_NO_OID; i++) { + maj = gss_test_oid_set_member(&min, + discard_const(unwanted_mechs[i]), + src, &present); + if (present) break; + } + if (present) { + maj = gss_create_empty_oid_set(&min, &dst); + if (maj != GSS_S_COMPLETE) { + return GSS_C_NO_OID_SET; + } + for (int i = 0; i < src->count; i++) { + present = 0; + for (int j = 0; unwanted_mechs[j] != GSS_C_NO_OID; j++) { + if (gss_oid_equal(&src->elements[i], unwanted_mechs[j])) { + present = 1; + break; + } + } + if (present) continue; + maj = gss_add_oid_set_member(&min, &src->elements[i], &dst); + if (maj != GSS_S_COMPLETE) { + gss_release_oid_set(&min, &dst); + return GSS_C_NO_OID_SET; + } + } + return dst; + } + return src; +} + +static bool mag_auth_basic(request_rec *req, + struct mag_config *cfg, + gss_buffer_desc ba_user, + gss_buffer_desc ba_pwd, + gss_cred_usage_t cred_usage, + gss_name_t *client, + gss_OID *mech_type, + gss_cred_id_t *delegated_cred, + uint32_t *vtime) +{ +#ifdef HAVE_GSS_KRB5_CCACHE_NAME + const char *user_ccache = NULL; + const char *orig_ccache = NULL; + long long unsigned int rndname; + apr_status_t rs; +#endif + gss_name_t user = GSS_C_NO_NAME; + gss_cred_id_t user_cred = GSS_C_NO_CREDENTIAL; + gss_ctx_id_t user_ctx = GSS_C_NO_CONTEXT; + gss_name_t server = GSS_C_NO_NAME; + gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL; + gss_ctx_id_t server_ctx = GSS_C_NO_CONTEXT; + gss_cred_id_t acquired_cred = GSS_C_NO_CREDENTIAL; + gss_buffer_desc input = GSS_C_EMPTY_BUFFER; + gss_buffer_desc output = GSS_C_EMPTY_BUFFER; + gss_OID_set allowed_mechs; + gss_OID_set filtered_mechs; + gss_OID_set actual_mechs = GSS_C_NO_OID_SET; + uint32_t init_flags = 0; + uint32_t maj, min; + int present = 0; + bool ret = false; + + maj = gss_import_name(&min, &ba_user, GSS_C_NT_USER_NAME, &user); + if (GSS_ERROR(maj)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, + "In Basic Auth, %s", + mag_error(req, "gss_import_name() failed", + maj, min)); + goto done; + } + + if (cfg->basic_mechs) { + allowed_mechs = cfg->basic_mechs; + } else if (cfg->allowed_mechs) { + allowed_mechs = cfg->allowed_mechs; + } else { + struct mag_server_config *scfg; + /* Try to fetch the default set if not explicitly configured, + * We need to do this because gss_acquire_cred_with_password() + * is currently limited to acquire creds for a single "default" + * mechanism if no desired mechanisms are passed in. This causes + * authentication to fail for secondary mechanisms as no user + * credentials are generated for those. */ + scfg = ap_get_module_config(req->server->module_config, + &auth_gssapi_module); + /* In the worst case scenario default_mechs equals to GSS_C_NO_OID_SET. + * This generally causes only the krb5 mechanism to be tried due + * to implementation constraints, but may change in future. */ + allowed_mechs = scfg->default_mechs; + } + + /* Remove Spnego if present, or we'd repeat failed authentiations + * multiple times, one within Spnego and then again with an explicit + * mechanism. We would normally just force Spnego and use + * gss_set_neg_mechs, but due to the way we source the server name + * and the fact MIT up to 1.14 at least does no handle union names, + * we can't provide spnego with a server name that can be used by + * multiple mechanisms, causing any but the first mechanism to fail. + * Also remove unwanted krb mechs, or AS requests will be repeated + * multiple times uselessly. + */ + filtered_mechs = mag_filter_unwanted_mechs(allowed_mechs); + if (filtered_mechs == allowed_mechs) { + /* in case filtered_mechs was not allocated here don't free it */ + filtered_mechs = GSS_C_NO_OID_SET; + } else if (filtered_mechs == GSS_C_NO_OID_SET) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, req, "Fatal " + "failure while filtering mechs, aborting"); + goto done; + } else { + /* use the filtered list */ + allowed_mechs = filtered_mechs; + } + +#ifdef HAVE_GSS_KRB5_CCACHE_NAME + /* If we are using the krb5 mechanism make sure to set a per thread + * memory ccache so that there can't be interferences between threads. + * Also make sure we have new cache so no cached results end up being + * used. Some implementations of gss_acquire_cred_with_password() do + * not reacquire creds if cached ones are around, failing to check + * again for the password. */ + maj = gss_test_oid_set_member(&min, discard_const(gss_mech_krb5), + allowed_mechs, &present); + if (GSS_ERROR(maj)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, + "In Basic Auth, %s", + mag_error(req, "gss_test_oid_set_member() failed", + maj, min)); + goto done; + } + if (present) { + rs = apr_generate_random_bytes((unsigned char *)(&rndname), + sizeof(long long unsigned int)); + if (rs != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, + "Failed to generate random ccache name"); + goto done; + } + user_ccache = apr_psprintf(req->pool, "MEMORY:user_%qu", rndname); + maj = gss_krb5_ccache_name(&min, user_ccache, &orig_ccache); + if (GSS_ERROR(maj)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, + "In Basic Auth, %s", + mag_error(req, "gss_krb5_ccache_name() " + "failed", maj, min)); + goto done; + } + } +#endif + + maj = gss_acquire_cred_with_password(&min, user, &ba_pwd, + GSS_C_INDEFINITE, + allowed_mechs, + GSS_C_INITIATE, + &user_cred, &actual_mechs, NULL); + if (GSS_ERROR(maj)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, + "In Basic Auth, %s", + mag_error(req, "gss_acquire_cred_with_password() " + "failed", maj, min)); + goto done; + } + + /* must acquire creds based on the actual mechs we want to try */ + if (!mag_acquire_creds(req, cfg, actual_mechs, + cred_usage, &acquired_cred, NULL)) { + goto done; + } + + if (cred_usage == GSS_C_BOTH) { + /* must acquire with GSS_C_ACCEPT to get the server name */ + if (!mag_acquire_creds(req, cfg, actual_mechs, + GSS_C_ACCEPT, &server_cred, NULL)) { + goto done; + } + } else { + server_cred = acquired_cred; + } + +#ifdef HAVE_CRED_STORE + if (cfg->deleg_ccache_dir) { + /* delegate ourselves credentials so we store them as requested */ + init_flags |= GSS_C_DELEG_FLAG; + } +#endif + + for (int i = 0; i < actual_mechs->count; i++) { + + /* free these if looping */ + gss_release_buffer(&min, &output); + gss_release_buffer(&min, &input); + gss_release_name(&min, &server); + + maj = gss_inquire_cred_by_mech(&min, server_cred, + &actual_mechs->elements[i], + &server, NULL, NULL, NULL); + if (GSS_ERROR(maj)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, + "%s", mag_error(req, "gss_inquired_cred_by_mech() " + "failed", maj, min)); + continue; + } + + do { + /* output and input are inverted here, this is intentional */ + maj = gss_init_sec_context(&min, user_cred, &user_ctx, server, + &actual_mechs->elements[i], init_flags, + 300, GSS_C_NO_CHANNEL_BINDINGS, &output, + NULL, &input, NULL, NULL); + if (GSS_ERROR(maj)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, + "%s", mag_error(req, "gss_init_sec_context() " + "failed", maj, min)); + break; + } + gss_release_buffer(&min, &output); + maj = gss_accept_sec_context(&min, &server_ctx, acquired_cred, + &input, GSS_C_NO_CHANNEL_BINDINGS, + client, mech_type, &output, NULL, + vtime, delegated_cred); + if (GSS_ERROR(maj)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, + "%s", mag_error(req, "gss_accept_sec_context()" + " failed", maj, min)); + break; + } + gss_release_buffer(&min, &input); + } while (maj == GSS_S_CONTINUE_NEEDED); + + if (maj == GSS_S_COMPLETE) { + ret = true; + break; + } + } + +done: + gss_release_buffer(&min, &output); + gss_release_buffer(&min, &input); + gss_release_name(&min, &server); + if (server_cred != acquired_cred) + gss_release_cred(&min, &server_cred); + gss_delete_sec_context(&min, &server_ctx, GSS_C_NO_BUFFER); + gss_release_cred(&min, &acquired_cred); + gss_release_name(&min, &user); + gss_release_cred(&min, &user_cred); + gss_delete_sec_context(&min, &user_ctx, GSS_C_NO_BUFFER); + gss_release_oid_set(&min, &actual_mechs); + gss_release_oid_set(&min, &filtered_mechs); +#ifdef HAVE_GSS_KRB5_CCACHE_NAME + if (user_ccache != NULL) { + maj = gss_krb5_ccache_name(&min, orig_ccache, NULL); + if (maj != GSS_S_COMPLETE) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, + "Failed to restore per-thread ccache, %s", + mag_error(req, "gss_krb5_ccache_name() " + "failed", maj, min)); + } + } +#endif + return ret; +} + +struct mag_req_cfg *mag_init_cfg(request_rec *req) +{ + struct mag_server_config *scfg; + struct mag_req_cfg *req_cfg = apr_pcalloc(req->pool, + sizeof(struct mag_req_cfg)); + req_cfg->req = req; + req_cfg->cfg = ap_get_module_config(req->per_dir_config, + &auth_gssapi_module); + + scfg = ap_get_module_config(req->server->module_config, + &auth_gssapi_module); + + if (req_cfg->cfg->allowed_mechs) { + req_cfg->desired_mechs = req_cfg->cfg->allowed_mechs; + } else { + /* Use the default set if not explicitly configured */ + req_cfg->desired_mechs = scfg->default_mechs; + } + + if (!req_cfg->cfg->mag_skey) { + req_cfg->mag_skey = req_cfg->cfg->mag_skey; + } else { + /* Use server random key if not explicitly configured */ + req_cfg->mag_skey = scfg->mag_skey; + } + + if (req->proxyreq == PROXYREQ_PROXY) { + req_cfg->req_proto = "Proxy-Authorization"; + req_cfg->rep_proto = "Proxy-Authenticate"; + } else { + req_cfg->req_proto = "Authorization"; + req_cfg->rep_proto = "WWW-Authenticate"; + req_cfg->use_sessions = req_cfg->cfg->use_sessions; + req_cfg->send_persist = req_cfg->cfg->send_persist; + } + + return req_cfg; +} + +static bool use_s4u2proxy(struct mag_req_cfg *req_cfg) { + if (req_cfg->cfg->use_s4u2proxy) { + if (req_cfg->cfg->deleg_ccache_dir != NULL) { + return true; + } else { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req_cfg->req, + "S4U2 Proxy requested but GssapiDelegCcacheDir " + "is not set. Constrained delegation disabled!"); + } + } + return false; +} + static int mag_auth(request_rec *req) { const char *type; int auth_type = -1; + struct mag_req_cfg *req_cfg; struct mag_config *cfg; const char *auth_header; char *auth_header_type; @@ -326,12 +688,9 @@ static int mag_auth(request_rec *req) gss_buffer_desc ba_user; gss_buffer_desc ba_pwd; gss_name_t client = GSS_C_NO_NAME; - gss_cred_id_t user_cred = GSS_C_NO_CREDENTIAL; gss_cred_id_t acquired_cred = GSS_C_NO_CREDENTIAL; - gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL; gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL; gss_cred_usage_t cred_usage = GSS_C_ACCEPT; - uint32_t flags; uint32_t vtime; uint32_t maj, min; char *reply; @@ -341,13 +700,6 @@ static int mag_auth(request_rec *req) gss_OID_set desired_mechs = GSS_C_NO_OID_SET; gss_buffer_desc lname = GSS_C_EMPTY_BUFFER; struct mag_conn *mc = NULL; - gss_ctx_id_t user_ctx = GSS_C_NO_CONTEXT; - gss_name_t server = GSS_C_NO_NAME; -#ifdef HAVE_GSS_KRB5_CCACHE_NAME - const char *user_ccache = NULL; - const char *orig_ccache = NULL; -#endif - uint32_t init_flags = 0; time_t expiration; int i; @@ -356,14 +708,11 @@ static int mag_auth(request_rec *req) return DECLINED; } - cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module); + req_cfg = mag_init_cfg(req); - if (!cfg->allowed_mechs) { - /* Try to fetch the default set if not explicitly configured */ - (void)mag_acquire_creds(req, cfg, GSS_C_NO_OID_SET, GSS_C_ACCEPT, - &server_cred, &cfg->allowed_mechs); - (void)gss_release_cred(&min, &server_cred); - } + cfg = req_cfg->cfg; + + desired_mechs = req_cfg->desired_mechs; /* implicit auth for subrequests if main auth already happened */ if (!ap_is_initial_req(req) && req->main != NULL) { @@ -415,19 +764,16 @@ static int mag_auth(request_rec *req) } /* if available, session always supersedes connection bound data */ - if (cfg->use_sessions) { - mag_check_session(req, cfg, &mc); + if (req_cfg->use_sessions) { + mag_check_session(req_cfg, &mc); } - auth_header = apr_table_get(req->headers_in, "Authorization"); + auth_header = apr_table_get(req->headers_in, req_cfg->req_proto); if (mc) { - /* register the context in the memory pool, so it can be freed - * when the connection/request is terminated */ - apr_pool_cleanup_register(mc->parent, (void *) mc, - mag_conn_destroy, apr_pool_cleanup_null); - - if (mc->established && !auth_header) { + if (mc->established && + (auth_header == NULL) && + (mc->auth_type != AUTH_TYPE_BASIC)) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, "Already established context found!"); mag_set_req_data(req, cfg, mc); @@ -452,13 +798,6 @@ static int mag_auth(request_rec *req) } } - if (mc && mc->established && auth_type != AUTH_TYPE_BASIC) { - /* if we are re-authenticating make sure the conn context - * is cleaned up so we do not accidentally reuse an existing - * established context */ - mag_conn_destroy(mc); - } - switch (auth_type) { case AUTH_TYPE_NEGOTIATE: if (!parse_auth_header(req->pool, &auth_header, &input)) { @@ -484,65 +823,20 @@ static int mag_auth(request_rec *req) ba_user.length = strlen(ba_user.value); ba_pwd.length = strlen(ba_pwd.value); - if (mc && mc->established) { - if (mag_basic_check(cfg, mc, ba_user, ba_pwd)) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, - "Already established BASIC AUTH context found!"); - mag_set_req_data(req, cfg, mc); - ret = OK; - goto done; - } else { - mag_conn_destroy(mc); - } - } - - maj = gss_import_name(&min, &ba_user, GSS_C_NT_USER_NAME, &client); - if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, - "In Basic Auth, %s", - mag_error(req, "gss_import_name() failed", - maj, min)); - goto done; - } -#ifdef HAVE_GSS_KRB5_CCACHE_NAME - /* Set a per-thread ccache in case we are using kerberos, - * it is not elegant but avoids interference between threads */ - long long unsigned int rndname; - apr_status_t rs; - rs = apr_generate_random_bytes((unsigned char *)(&rndname), - sizeof(long long unsigned int)); - if (rs != APR_SUCCESS) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, - "Failed to generate random ccache name"); - goto done; - } - user_ccache = apr_psprintf(req->pool, "MEMORY:user_%qu", rndname); - maj = gss_krb5_ccache_name(&min, user_ccache, &orig_ccache); - if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, - "In Basic Auth, %s", - mag_error(req, "gss_krb5_ccache_name() " - "failed", maj, min)); - goto done; - } -#endif - maj = gss_acquire_cred_with_password(&min, client, &ba_pwd, - GSS_C_INDEFINITE, - cfg->allowed_mechs, - GSS_C_INITIATE, - &user_cred, NULL, NULL); - if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, - "In Basic Auth, %s", - mag_error(req, "gss_acquire_cred_with_password() " - "failed", maj, min)); + if (mc && mc->established && + mag_basic_check(req_cfg, mc, ba_user, ba_pwd)) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, + "Already established BASIC AUTH context found!"); + mag_set_req_data(req, cfg, mc); + ret = OK; goto done; } - gss_release_name(&min, &client); + break; case AUTH_TYPE_RAW_NTLM: - if (!is_mech_allowed(cfg, &gss_mech_ntlmssp)) { + if (!is_mech_allowed(desired_mechs, &gss_mech_ntlmssp, + cfg->gss_conn_ctx)) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, "NTLM Authentication is not allowed!"); goto done; @@ -559,61 +853,33 @@ static int mag_auth(request_rec *req) goto done; } + if (mc && mc->established) { + /* if we are re-authenticating make sure the conn context + * is cleaned up so we do not accidentally reuse an existing + * established context */ + mag_conn_clear(mc); + } + req->ap_auth_type = apr_pstrdup(req->pool, auth_types[auth_type]); #ifdef HAVE_CRED_STORE - if (cfg->use_s4u2proxy) { + if (use_s4u2proxy(req_cfg)) { cred_usage = GSS_C_BOTH; } #endif - if (!mag_acquire_creds(req, cfg, desired_mechs, - cred_usage, &acquired_cred, NULL)) { - goto done; - } if (auth_type == AUTH_TYPE_BASIC) { - if (cred_usage == GSS_C_BOTH) { - /* If GSS_C_BOTH is used then inquire_cred will return the client - * name instead of the SPN of the server credentials. Therefore we - * need to acquire a different set of credential setting - * GSS_C_ACCEPT explicitly */ - if (!mag_acquire_creds(req, cfg, cfg->allowed_mechs, - GSS_C_ACCEPT, &server_cred, NULL)) { - goto done; - } - } else { - server_cred = acquired_cred; - } - maj = gss_inquire_cred(&min, server_cred, &server, - NULL, NULL, NULL); - if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, - "%s", mag_error(req, "gss_inquired_cred_() " - "failed", maj, min)); - goto done; - } - if (server_cred != acquired_cred) { - gss_release_cred(&min, &server_cred); + if (mag_auth_basic(req, cfg, ba_user, ba_pwd, + cred_usage, &client, &mech_type, + &delegated_cred, &vtime)) { + goto complete; } + goto done; + } -#ifdef HAVE_CRED_STORE - if (cfg->deleg_ccache_dir) { - /* delegate ourselves credentials so we store them as requested */ - init_flags |= GSS_C_DELEG_FLAG; - } -#endif - - /* output and input are inverted here, this is intentional */ - maj = gss_init_sec_context(&min, user_cred, &user_ctx, server, - GSS_C_NO_OID, init_flags, 300, - GSS_C_NO_CHANNEL_BINDINGS, &output, - NULL, &input, NULL, NULL); - if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, - "%s", mag_error(req, "gss_init_sec_context() " - "failed", maj, min)); - goto done; - } + if (!mag_acquire_creds(req, cfg, desired_mechs, + cred_usage, &acquired_cred, NULL)) { + goto done; } if (auth_type == AUTH_TYPE_NEGOTIATE && @@ -629,40 +895,13 @@ static int mag_auth(request_rec *req) maj = gss_accept_sec_context(&min, pctx, acquired_cred, &input, GSS_C_NO_CHANNEL_BINDINGS, - &client, &mech_type, &output, &flags, &vtime, + &client, &mech_type, &output, NULL, &vtime, &delegated_cred); if (GSS_ERROR(maj)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_accept_sec_context() failed", maj, min)); goto done; - } - if (auth_type == AUTH_TYPE_BASIC) { - while (maj == GSS_S_CONTINUE_NEEDED) { - gss_release_buffer(&min, &input); - /* output and input are inverted here, this is intentional */ - maj = gss_init_sec_context(&min, user_cred, &user_ctx, server, - GSS_C_NO_OID, init_flags, 300, - GSS_C_NO_CHANNEL_BINDINGS, &output, - NULL, &input, NULL, NULL); - if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, - "%s", mag_error(req, "gss_init_sec_context() " - "failed", maj, min)); - goto done; - } - gss_release_buffer(&min, &output); - maj = gss_accept_sec_context(&min, pctx, acquired_cred, - &input, GSS_C_NO_CHANNEL_BINDINGS, - &client, &mech_type, &output, &flags, - &vtime, &delegated_cred); - if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, - "%s", mag_error(req, "gss_accept_sec_context()" - " failed", maj, min)); - goto done; - } - } } else if (maj == GSS_S_CONTINUE_NEEDED) { if (!mc) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, @@ -676,6 +915,7 @@ static int mag_auth(request_rec *req) goto done; } +complete: /* Always set the GSS name in an env var */ maj = gss_display_name(&min, client, &name, NULL); if (GSS_ERROR(maj)) { @@ -720,8 +960,8 @@ static int mag_auth(request_rec *req) } if (mc) { - mc->user_name = apr_pstrdup(mc->parent, req->user); - mc->gss_name = apr_pstrdup(mc->parent, clientname); + mc->user_name = apr_pstrdup(mc->pool, req->user); + mc->gss_name = apr_pstrdup(mc->pool, clientname); mc->established = true; if (vtime == GSS_C_INDEFINITE || vtime < MIN_SESS_EXP_TIME) { vtime = MIN_SESS_EXP_TIME; @@ -729,20 +969,21 @@ static int mag_auth(request_rec *req) mc->expiration = expiration; mc->auth_type = auth_type; if (auth_type == AUTH_TYPE_BASIC) { - mag_basic_cache(cfg, mc, ba_user, ba_pwd); + mag_basic_cache(req_cfg, mc, ba_user, ba_pwd); } - if (cfg->use_sessions) { - mag_attempt_session(req, cfg, mc); + if (req_cfg->use_sessions) { + mag_attempt_session(req_cfg, mc); } } - if (cfg->send_persist) + if (req_cfg->send_persist) apr_table_set(req->headers_out, "Persistent-Auth", cfg->gss_conn_ctx ? "true" : "false"); ret = OK; done: + if ((auth_type != AUTH_TYPE_BASIC) && (output.length != 0)) { int prefixlen = strlen(auth_types[auth_type]) + 1; replen = apr_base64_encode_len(output.length) + 1; @@ -751,41 +992,28 @@ done: memcpy(reply, auth_types[auth_type], prefixlen - 1); reply[prefixlen - 1] = ' '; apr_base64_encode(&reply[prefixlen], output.value, output.length); - apr_table_add(req->err_headers_out, - "WWW-Authenticate", reply); + apr_table_add(req->err_headers_out, req_cfg->rep_proto, reply); } } else if (ret == HTTP_UNAUTHORIZED) { - apr_table_add(req->err_headers_out, "WWW-Authenticate", "Negotiate"); - if (is_mech_allowed(cfg, &gss_mech_ntlmssp)) { - apr_table_add(req->err_headers_out, "WWW-Authenticate", "NTLM"); + apr_table_add(req->err_headers_out, req_cfg->rep_proto, "Negotiate"); + + if (is_mech_allowed(desired_mechs, &gss_mech_ntlmssp, + cfg->gss_conn_ctx)) { + apr_table_add(req->err_headers_out, req_cfg->rep_proto, "NTLM"); } if (cfg->use_basic_auth) { - apr_table_add(req->err_headers_out, - "WWW-Authenticate", + apr_table_add(req->err_headers_out, req_cfg->rep_proto, apr_psprintf(req->pool, "Basic realm=\"%s\"", ap_auth_name(req))); } } -#ifdef HAVE_GSS_KRB5_CCACHE_NAME - if (user_ccache != NULL) { - maj = gss_krb5_ccache_name(&min, orig_ccache, NULL); - if (maj != GSS_S_COMPLETE) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, - "Failed to restore per-thread ccache, %s", - mag_error(req, "gss_krb5_ccache_name() " - "failed", maj, min)); - } - } -#endif + if (ctx != GSS_C_NO_CONTEXT) gss_delete_sec_context(&min, &ctx, GSS_C_NO_BUFFER); - gss_delete_sec_context(&min, &user_ctx, GSS_C_NO_BUFFER); - gss_release_cred(&min, &user_cred); gss_release_cred(&min, &acquired_cred); gss_release_cred(&min, &delegated_cred); gss_release_buffer(&min, &output); gss_release_name(&min, &client); - gss_release_name(&min, &server); gss_release_buffer(&min, &name); gss_release_buffer(&min, &lname); return ret; @@ -843,9 +1071,6 @@ static const char *mag_use_s4u2p(cmd_parms *parms, void *mconfig, int on) struct mag_config *cfg = (struct mag_config *)mconfig; cfg->use_s4u2proxy = on ? true : false; - if (cfg->deleg_ccache_dir == NULL) { - cfg->deleg_ccache_dir = apr_pstrdup(parms->pool, "/tmp"); - } return NULL; } #endif @@ -946,6 +1171,7 @@ static const char *mag_deleg_ccache_dir(cmd_parms *parms, void *mconfig, } #endif +#ifdef HAVE_GSS_ACQUIRE_CRED_WITH_PASSWORD static const char *mag_use_basic_auth(cmd_parms *parms, void *mconfig, int on) { struct mag_config *cfg = (struct mag_config *)mconfig; @@ -953,46 +1179,133 @@ static const char *mag_use_basic_auth(cmd_parms *parms, void *mconfig, int on) cfg->use_basic_auth = on ? true : false; return NULL; } +#endif -#define MAX_ALLOWED_MECHS 10 +static apr_status_t mag_oid_set_destroy(void *ptr) +{ + uint32_t min; + gss_OID_set set = (gss_OID_set)ptr; + (void)gss_release_oid_set(&min, &set); + return APR_SUCCESS; +} -static const char *mag_allow_mech(cmd_parms *parms, void *mconfig, - const char *w) +static bool mag_list_of_mechs(cmd_parms *parms, gss_OID_set *oidset, + bool add_spnego, const char *w) { - struct mag_config *cfg = (struct mag_config *)mconfig; - gss_const_OID oid; - size_t size; + gss_buffer_desc buf = { 0 }; + uint32_t maj, min; + gss_OID_set set; + gss_OID oid; + bool release_oid = false; - if (!cfg->allowed_mechs) { - cfg->allowed_mechs = apr_pcalloc(parms->pool, - sizeof(gss_OID_set_desc)); - size = sizeof(gss_OID) * MAX_ALLOWED_MECHS; - cfg->allowed_mechs->elements = apr_palloc(parms->pool, size); + if (NULL == *oidset) { + maj = gss_create_empty_oid_set(&min, &set); + if (maj != GSS_S_COMPLETE) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, + "gss_create_empty_oid_set() failed."); + *oidset = GSS_C_NO_OID_SET; + return false; + } + if (add_spnego) { + oid = discard_const(&gss_mech_spnego); + maj = gss_add_oid_set_member(&min, oid, &set); + if (maj != GSS_S_COMPLETE) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, + "gss_add_oid_set_member() failed."); + (void)gss_release_oid_set(&min, &set); + *oidset = GSS_C_NO_OID_SET; + return false; + } + } + /* register in the pool so it can be released once the server + * winds down */ + apr_pool_cleanup_register(parms->pool, (void *)set, + mag_oid_set_destroy, + apr_pool_cleanup_null); + *oidset = set; + } else { + set = *oidset; } if (strcmp(w, "krb5") == 0) { - oid = gss_mech_krb5; + oid = discard_const(gss_mech_krb5); } else if (strcmp(w, "iakerb") == 0) { - oid = gss_mech_iakerb; + oid = discard_const(gss_mech_iakerb); } else if (strcmp(w, "ntlmssp") == 0) { - oid = &gss_mech_ntlmssp; + oid = discard_const(&gss_mech_ntlmssp); } else { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, - "Unrecognized GSSAPI Mechanism: %s", w); - return NULL; + buf.value = discard_const(w); + buf.length = strlen(w); + maj = gss_str_to_oid(&min, &buf, &oid); + if (maj != GSS_S_COMPLETE) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, + "Unrecognized GSSAPI Mechanism: [%s]", w); + return false; + } + release_oid = true; } - - if (cfg->allowed_mechs->count >= MAX_ALLOWED_MECHS) { + maj = gss_add_oid_set_member(&min, oid, &set); + if (maj != GSS_S_COMPLETE) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, - "Too many GssapiAllowedMech options (MAX: %d)", - MAX_ALLOWED_MECHS); - return NULL; + "gss_add_oid_set_member() failed for [%s].", w); } - cfg->allowed_mechs->elements[cfg->allowed_mechs->count] = *oid; - cfg->allowed_mechs->count++; + if (release_oid) { + (void)gss_release_oid(&min, &oid); + } + + return true; +} + +static const char *mag_allow_mech(cmd_parms *parms, void *mconfig, + const char *w) +{ + struct mag_config *cfg = (struct mag_config *)mconfig; + + if (!mag_list_of_mechs(parms, &cfg->allowed_mechs, true, w)) + return "Failed to apply GssapiAllowedMech directive"; + + return NULL; +} + +#ifdef HAVE_GSS_ACQUIRE_CRED_WITH_PASSWORD +static const char *mag_basic_auth_mechs(cmd_parms *parms, void *mconfig, + const char *w) +{ + struct mag_config *cfg = (struct mag_config *)mconfig; + + if (!mag_list_of_mechs(parms, &cfg->basic_mechs, false, w)) + return "Failed to apply GssapiBasicAuthMech directive"; return NULL; } +#endif + +static void *mag_create_server_config(apr_pool_t *p, server_rec *s) +{ + struct mag_server_config *scfg; + uint32_t maj, min; + apr_status_t rc; + + scfg = apr_pcalloc(p, sizeof(struct mag_server_config)); + + maj = gss_indicate_mechs(&min, &scfg->default_mechs); + if (maj != GSS_S_COMPLETE) { + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, + "gss_indicate_mechs() failed"); + } else { + /* Register the set in pool */ + apr_pool_cleanup_register(p, (void *)scfg->default_mechs, + mag_oid_set_destroy, apr_pool_cleanup_null); + } + + rc = SEAL_KEY_CREATE(p, &scfg->mag_skey, NULL); + if (rc != OK) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "Failed to generate random sealing key!"); + } + + return scfg; +} static const command_rec mag_commands[] = { AP_INIT_FLAG("GssapiSSLonly", mag_ssl_only, NULL, OR_AUTHCFG, @@ -1018,6 +1331,8 @@ static const command_rec mag_commands[] = { #ifdef HAVE_GSS_ACQUIRE_CRED_WITH_PASSWORD AP_INIT_FLAG("GssapiBasicAuth", mag_use_basic_auth, NULL, OR_AUTHCFG, "Allows use of Basic Auth for authentication"), + AP_INIT_ITERATE("GssapiBasicAuthMech", mag_basic_auth_mechs, NULL, + OR_AUTHCFG, "Mechanisms to use for basic auth"), #endif AP_INIT_ITERATE("GssapiAllowedMech", mag_allow_mech, NULL, OR_AUTHCFG, "Allowed Mechanisms"), @@ -1037,7 +1352,7 @@ module AP_MODULE_DECLARE_DATA auth_gssapi_module = STANDARD20_MODULE_STUFF, mag_create_dir_config, NULL, - NULL, + mag_create_server_config, NULL, mag_commands, mag_register_hooks