X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_gssapi.git;a=blobdiff_plain;f=src%2Fmod_auth_gssapi.c;h=c33ea34a02a4966c215dd7ce74dbef61e0b5de5c;hp=e8c1966991eadd222e799c0738041d736938411c;hb=bb7c20bc7f487b52c79ec0279c3f83d13582f9c2;hpb=342cea568dc94ed0d35dca27a90fc704d0424da1 diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index e8c1966..c33ea34 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -24,6 +24,8 @@ #include "mod_auth_gssapi.h" +#define MOD_AUTH_GSSAPI_VERSION PACKAGE_NAME "/" PACKAGE_VERSION + module AP_MODULE_DECLARE_DATA auth_gssapi_module; APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *)); @@ -71,24 +73,17 @@ static char *mag_error(request_rec *req, const char *msg, static APR_OPTIONAL_FN_TYPE(ssl_is_https) *mag_is_https = NULL; -static int mag_post_config(apr_pool_t *cfg, apr_pool_t *log, +static int mag_post_config(apr_pool_t *cfgpool, apr_pool_t *log, apr_pool_t *temp, server_rec *s) { /* FIXME: create mutex to deal with connections and contexts ? */ mag_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https); + mag_post_config_session(); + ap_add_version_component(cfgpool, MOD_AUTH_GSSAPI_VERSION); return OK; } - -struct mag_conn { - apr_pool_t *parent; - gss_ctx_id_t ctx; - bool established; - char *user_name; - char *gss_name; -}; - static int mag_pre_connection(conn_rec *c, void *csd) { struct mag_conn *mc; @@ -122,6 +117,39 @@ static bool mag_conn_is_https(conn_rec *c) return false; } +static void mag_store_deleg_creds(request_rec *req, + char *dir, char *clientname, + gss_cred_id_t delegated_cred, + char **ccachefile) +{ + gss_key_value_element_desc element; + gss_key_value_set_desc store; + char *value; + uint32_t maj, min; + + value = apr_psprintf(req->pool, "FILE:%s/%s", dir, clientname); + if (!value) { + ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL, + "OOM storing delegated credentials"); + return; + } + + element.key = "ccache"; + element.value = value; + store.elements = &element; + store.count = 1; + + maj = gss_store_cred_into(&min, delegated_cred, GSS_C_INITIATE, + GSS_C_NULL_OID, 1, 1, &store, NULL, NULL); + if (GSS_ERROR(maj)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", + mag_error(req, "failed to store delegated creds", + maj, min)); + } + + *ccachefile = value; +} + static int mag_auth(request_rec *req) { const char *type; @@ -136,8 +164,11 @@ static int mag_auth(request_rec *req) gss_buffer_desc output = GSS_C_EMPTY_BUFFER; gss_buffer_desc name = GSS_C_EMPTY_BUFFER; gss_name_t client = GSS_C_NO_NAME; + gss_cred_id_t acquired_cred = GSS_C_NO_CREDENTIAL; gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL; + gss_cred_usage_t cred_usage = GSS_C_ACCEPT; uint32_t flags; + uint32_t vtime; uint32_t maj, min; char *reply; size_t replen; @@ -151,6 +182,11 @@ static int mag_auth(request_rec *req) return DECLINED; } + /* ignore auth for subrequests */ + if (!ap_is_initial_req(req)) { + return OK; + } + cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module); if (cfg->ssl_only) { @@ -166,11 +202,26 @@ static int mag_auth(request_rec *req) req->connection->conn_config, &auth_gssapi_module); if (!mc) { - return DECLINED; + ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req, + "Failed to retrieve connection context!"); + goto done; } + } + + /* if available, session always supersedes connection bound data */ + if (cfg->use_sessions) { + mag_check_session(req, cfg, &mc); + } + + if (mc) { + /* register the context in the memory pool, so it can be freed + * when the connection/request is terminated */ + apr_pool_userdata_set(mc, "mag_conn_ptr", + mag_conn_destroy, mc->parent); + if (mc->established) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req, - "Connection bound pre-authentication found."); + "Already established context found!"); apr_table_set(req->subprocess_env, "GSS_NAME", mc->gss_name); req->ap_auth_type = apr_pstrdup(req->pool, "Negotiate"); req->user = apr_pstrdup(req->pool, mc->user_name); @@ -197,49 +248,55 @@ static int mag_auth(request_rec *req) if (!input.value) goto done; input.length = apr_base64_decode(input.value, auth_header_value); - maj = gss_accept_sec_context(&min, pctx, GSS_C_NO_CREDENTIAL, +#ifdef HAVE_GSS_ACQUIRE_CRED_FROM + if (cfg->use_s4u2proxy) { + cred_usage = GSS_C_BOTH; + } + if (cfg->cred_store) { + maj = gss_acquire_cred_from(&min, GSS_C_NO_NAME, 0, + GSS_C_NO_OID_SET, cred_usage, + cfg->cred_store, &acquired_cred, + NULL, NULL); + if (GSS_ERROR(maj)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", + mag_error(req, "gss_acquire_cred_from() failed", + maj, min)); + goto done; + } + } +#endif + + maj = gss_accept_sec_context(&min, pctx, acquired_cred, &input, GSS_C_NO_CHANNEL_BINDINGS, - &client, &mech_type, &output, &flags, NULL, + &client, &mech_type, &output, &flags, &vtime, &delegated_cred); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", mag_error(req, "gss_accept_sec_context() failed", maj, min)); goto done; } - /* register the context in the connection pool, so it can be freed - * when the connection is terminated */ - apr_pool_userdata_set(mc, "mag_conn_ptr", mag_conn_destroy, mc->parent); - if (maj == GSS_S_CONTINUE_NEEDED) { - if (!cfg->gss_conn_ctx) { + if (!mc) { ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, - "Mechanism needs continuation but " - "GssapiConnectionBound is off."); + "Mechanism needs continuation but neither " + "GssapiConnectionBound nor " + "GssapiUseSessions are available"); gss_delete_sec_context(&min, pctx, GSS_C_NO_BUFFER); gss_release_buffer(&min, &output); output.length = 0; } + /* auth not complete send token and wait next packet */ goto done; } -#ifdef HAVE_GSS_STORE_CRED_INTO - if (cfg->cred_store.count != 0 && delegated_cred != GSS_C_NO_CREDENTIAL) { - gss_key_value_set_desc store = {0, NULL}; - /* FIXME: run substitutions */ - - maj = gss_store_cred_into(&min, delegated_cred, GSS_C_INITIATE, - GSS_C_NULL_OID, 1, 1, &store, NULL, NULL); - } -#endif - req->ap_auth_type = apr_pstrdup(req->pool, "Negotiate"); /* Always set the GSS name in an env var */ maj = gss_display_name(&min, client, &name, NULL); if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", mag_error(req, "gss_accept_sec_context() failed", maj, min)); goto done; @@ -247,10 +304,23 @@ static int mag_auth(request_rec *req) clientname = apr_pstrndup(req->pool, name.value, name.length); apr_table_set(req->subprocess_env, "GSS_NAME", clientname); +#ifdef HAVE_GSS_STORE_CRED_INTO + if (cfg->deleg_ccache_dir && delegated_cred != GSS_C_NO_CREDENTIAL) { + char *ccachefile = NULL; + + mag_store_deleg_creds(req, cfg->deleg_ccache_dir, clientname, + delegated_cred, &ccachefile); + + if (ccachefile) { + apr_table_set(req->subprocess_env, "KRB5CCNAME", ccachefile); + } + } +#endif + if (cfg->map_to_local) { maj = gss_localname(&min, client, mech_type, &lname); if (maj != GSS_S_COMPLETE) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s", mag_error(req, "gss_localname() failed", maj, min)); goto done; } @@ -263,6 +333,13 @@ static int mag_auth(request_rec *req) mc->user_name = apr_pstrdup(mc->parent, req->user); mc->gss_name = apr_pstrdup(mc->parent, clientname); mc->established = true; + if (vtime == GSS_C_INDEFINITE || vtime < MIN_SESS_EXP_TIME) { + vtime = MIN_SESS_EXP_TIME; + } + mc->expiration = time(NULL) + vtime; + if (cfg->use_sessions) { + mag_attempt_session(req, cfg, mc); + } } ret = OK; @@ -298,6 +375,7 @@ static void *mag_create_dir_config(apr_pool_t *p, char *dir) cfg = (struct mag_config *)apr_pcalloc(p, sizeof(struct mag_config)); if (!cfg) return NULL; + cfg->pool = p; return cfg; } @@ -323,6 +401,71 @@ static const char *mag_conn_ctx(cmd_parms *parms, void *mconfig, int on) return NULL; } +static const char *mag_use_sess(cmd_parms *parms, void *mconfig, int on) +{ + struct mag_config *cfg = (struct mag_config *)mconfig; + cfg->use_sessions = on ? true : false; + return NULL; +} + +static const char *mag_use_s4u2p(cmd_parms *parms, void *mconfig, int on) +{ + struct mag_config *cfg = (struct mag_config *)mconfig; + cfg->use_s4u2proxy = on ? true : false; + + if (cfg->deleg_ccache_dir == NULL) { + cfg->deleg_ccache_dir = apr_pstrdup(parms->pool, "/tmp"); + if (!cfg->deleg_ccache_dir) { + ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, + parms->server, "%s", "OOM setting deleg_ccache_dir."); + } + } + return NULL; +} + +static const char *mag_sess_key(cmd_parms *parms, void *mconfig, const char *w) +{ + struct mag_config *cfg = (struct mag_config *)mconfig; + struct databuf keys; + unsigned char *val; + apr_status_t rc; + const char *k; + int l; + + if (strncmp(w, "key:", 4) != 0) { + ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + "Invalid key format, expected prefix 'key:'"); + return NULL; + } + k = w + 4; + + l = apr_base64_decode_len(k); + val = apr_palloc(parms->temp_pool, l); + if (!val) { + ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + "Failed to get memory to decode key"); + return NULL; + } + + keys.length = (int)apr_base64_decode_binary(val, k); + keys.value = (unsigned char *)val; + + if (keys.length != 32) { + ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + "Invalid key lenght, expected 32 got %d", keys.length); + return NULL; + } + + rc = SEAL_KEY_CREATE(cfg->pool, &cfg->mag_skey, &keys); + if (rc != OK) { + ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + "Failed to import sealing key!"); + } + return NULL; +} + +#define MAX_CRED_OPTIONS 10 + static const char *mag_cred_store(cmd_parms *parms, void *mconfig, const char *w) { @@ -349,22 +492,49 @@ static const char *mag_cred_store(cmd_parms *parms, void *mconfig, return NULL; } - size = sizeof(gss_key_value_element_desc) * cfg->cred_store.count + 1; - elements = apr_palloc(parms->pool, size); - if (!elements) { + if (!cfg->cred_store) { + cfg->cred_store = apr_pcalloc(parms->pool, + sizeof(gss_key_value_set_desc)); + if (!cfg->cred_store) { + ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + "%s", "OOM handling GssapiCredStore option"); + return NULL; + } + size = sizeof(gss_key_value_element_desc) * MAX_CRED_OPTIONS; + cfg->cred_store->elements = apr_palloc(parms->pool, size); + if (!cfg->cred_store->elements) { + ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + "%s", "OOM handling GssapiCredStore option"); + } + } + + elements = cfg->cred_store->elements; + count = cfg->cred_store->count; + + if (count >= MAX_CRED_OPTIONS) { ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, - "%s", "OOM handling GssapiCredStore option"); + "Too many GssapiCredStore options (MAX: %d)", + MAX_CRED_OPTIONS); return NULL; } + cfg->cred_store->count++; - for (count = 0; count < cfg->cred_store.count; count++) { - elements[count] = cfg->cred_store.elements[count]; - } elements[count].key = key; elements[count].value = value; - cfg->cred_store.elements = elements; - cfg->cred_store.count = count; + return NULL; +} + +static const char *mag_deleg_ccache_dir(cmd_parms *parms, void *mconfig, + const char *value) +{ + struct mag_config *cfg = (struct mag_config *)mconfig; + + cfg->deleg_ccache_dir = apr_pstrdup(parms->pool, value); + if (!cfg->deleg_ccache_dir) { + ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, + "%s", "OOM handling GssapiDelegCcacheDir option"); + } return NULL; } @@ -373,11 +543,23 @@ static const command_rec mag_commands[] = { AP_INIT_FLAG("GssapiSSLonly", mag_ssl_only, NULL, OR_AUTHCFG, "Work only if connection is SSL Secured"), AP_INIT_FLAG("GssapiLocalName", mag_map_to_local, NULL, OR_AUTHCFG, - "Work only if connection is SSL Secured"), + "Translate principals to local names"), AP_INIT_FLAG("GssapiConnectionBound", mag_conn_ctx, NULL, OR_AUTHCFG, "Authentication is bound to the TCP connection"), + AP_INIT_FLAG("GssapiUseSessions", mag_use_sess, NULL, OR_AUTHCFG, + "Authentication uses mod_sessions to hold status"), + AP_INIT_RAW_ARGS("GssapiSessionKey", mag_sess_key, NULL, OR_AUTHCFG, + "Key Used to seal session data."), +#ifdef HAVE_GSS_ACQUIRE_CRED_FROM + AP_INIT_FLAG("GssapiUseS4U2Proxy", mag_use_s4u2p, NULL, OR_AUTHCFG, + "Initializes credentials for s4u2proxy usage"), +#endif +#ifdef HAVE_GSS_STORE_CRED_INTO AP_INIT_ITERATE("GssapiCredStore", mag_cred_store, NULL, OR_AUTHCFG, "Credential Store"), + AP_INIT_RAW_ARGS("GssapiDelegCcacheDir", mag_deleg_ccache_dir, NULL, + OR_AUTHCFG, "Directory to store delegated credentials"), +#endif { NULL } };