X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_gssapi.git;a=blobdiff_plain;f=src%2Fmod_auth_gssapi.c;h=e2331107b89734bd5da3a742a884c6a92489d5a8;hp=b5e6a2e807fb379e936a18f82899dbc7acf2f0c6;hb=e5db7c1f5738c7874e73869a2f4511193f956b81;hpb=1fc49992c107bd3830921a8198929a936e8b7fb2

diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index b5e6a2e..e233110 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -119,6 +119,48 @@ static bool mag_conn_is_https(conn_rec *c)
     return false;
 }
 
+static char *escape(apr_pool_t *pool, const char *name,
+                    char find, const char *replace)
+{
+    char *escaped = NULL;
+    char *namecopy;
+    char *n;
+    char *p;
+
+    namecopy = apr_pstrdup(pool, name);
+    if (!namecopy) goto done;
+
+    p = strchr(namecopy, find);
+    if (!p) return namecopy;
+
+    /* first segment */
+    n = namecopy;
+    while (p) {
+        /* terminate previous segment */
+        *p = '\0';
+        if (escaped) {
+            escaped = apr_pstrcat(pool, escaped, n, replace, NULL);
+        } else {
+            escaped = apr_pstrcat(pool, n, replace, NULL);
+        }
+        if (!escaped) goto done;
+        /* move to next segment */
+        n = p + 1;
+        p = strchr(n, find);
+    }
+    /* append last segment if any */
+    if (*n) {
+        escaped = apr_pstrcat(pool, escaped, n, NULL);
+    }
+
+done:
+    if (!escaped) {
+        ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL,
+                     "OOM escaping name");
+    }
+    return escaped;
+}
+
 static void mag_store_deleg_creds(request_rec *req,
                                   char *dir, char *clientname,
                                   gss_cred_id_t delegated_cred,
@@ -128,8 +170,18 @@ static void mag_store_deleg_creds(request_rec *req,
     gss_key_value_set_desc store;
     char *value;
     uint32_t maj, min;
-
-    value = apr_psprintf(req->pool, "FILE:%s/%s", dir, clientname);
+    char *escaped;
+
+    /* We need to escape away '/', we can't have path separators in
+     * a ccache file name */
+    /* first double escape the esacping char (~) if any */
+    escaped = escape(req->pool, clientname, '~', "~~");
+    if (!escaped) return;
+    /* then escape away the separator (/) if any */
+    escaped = escape(req->pool, escaped, '/', "~");
+    if (!escaped) return;
+
+    value = apr_psprintf(req->pool, "FILE:%s/%s", dir, escaped);
     if (!value) {
         ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL,
                      "OOM storing delegated credentials");
@@ -193,13 +245,38 @@ static int mag_auth(request_rec *req)
         return DECLINED;
     }
 
-    /* ignore auth for subrequests */
+    cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
+
+    /* implicit auth for subrequests if main auth already happened */
     if (!ap_is_initial_req(req)) {
-        return OK;
+        type = ap_auth_type(req->main);
+        if ((type != NULL) && (strcasecmp(type, "GSSAPI") == 0)) {
+            /* warn if the subrequest location and the main request
+             * location have different configs */
+            if (cfg != ap_get_module_config(req->main->per_dir_config,
+                                            &auth_gssapi_module)) {
+                ap_log_rerror(APLOG_MARK, APLOG_WARNING||APLOG_NOERRNO, 0,
+                              req, "Subrequest authentication bypass on "
+                                   "location with different configuration!");
+            }
+            if (req->main->user) {
+                req->user = apr_pstrdup(req->pool, req->main->user);
+                return OK;
+            } else {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
+                              "The main request is tasked to establish the "
+                              "security context, can't proceed!");
+                return HTTP_UNAUTHORIZED;
+            }
+        } else {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req,
+                          "Subrequest GSSAPI auth with no auth on the main "
+                          "request. This operation may fail if other "
+                          "subrequests already established a context or the "
+                          "mechanism requires multiple roundtrips.");
+        }
     }
 
-    cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
-
     if (cfg->ssl_only) {
         if (!mag_conn_is_https(req->connection)) {
             ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
@@ -586,7 +663,7 @@ static const char *mag_use_s4u2p(cmd_parms *parms, void *mconfig, int on)
 static const char *mag_sess_key(cmd_parms *parms, void *mconfig, const char *w)
 {
     struct mag_config *cfg = (struct mag_config *)mconfig;
-    struct databuf keys;
+    struct databuf key;
     unsigned char *val;
     apr_status_t rc;
     const char *k;
@@ -607,16 +684,16 @@ static const char *mag_sess_key(cmd_parms *parms, void *mconfig, const char *w)
         return NULL;
     }
 
-    keys.length = (int)apr_base64_decode_binary(val, k);
-    keys.value = (unsigned char *)val;
+    key.length = (int)apr_base64_decode_binary(val, k);
+    key.value = (unsigned char *)val;
 
-    if (keys.length != 32) {
+    if (key.length < 32) {
         ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server,
-                     "Invalid key lenght, expected 32 got %d", keys.length);
+                     "Invalid key length, expected >=32 got %d", key.length);
         return NULL;
     }
 
-    rc = SEAL_KEY_CREATE(cfg->pool, &cfg->mag_skey, &keys);
+    rc = SEAL_KEY_CREATE(cfg->pool, &cfg->mag_skey, &key);
     if (rc != OK) {
         ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server,
                      "Failed to import sealing key!");