EVP_CIPHER_CTX_cleanup(&ctx);
return err;
}
+
+int get_mac_size(struct seal_key *skey)
+{
+ if (skey) {
+ return skey->md->md_size;
+ } else {
+ return 0;
+ }
+}
struct databuf *plain, struct databuf *cipher);
apr_status_t UNSEAL_BUFFER(apr_pool_t *p, struct seal_key *skey,
struct databuf *cipher, struct databuf *plain);
+int get_mac_size(struct seal_key *skey);
mag_set_KRB5CCANME(req, ccname);
}
}
- ret = OK;
- goto done;
+ if (mc->auth_type != AUTH_TYPE_BASIC) {
+ /* In case we have basic auth, we need to check if the session
+ * matches the credentials that have been sent */
+ ret = OK;
+ goto done;
+ }
}
pctx = &mc->ctx;
} else {
}
ba_user.length = strlen(ba_user.value);
ba_pwd.length = strlen(ba_pwd.value);
+
+ if (mc && mag_basic_check(cfg, mc, ba_user, ba_pwd)) {
+ ret = OK;
+ goto done;
+ }
+
maj = gss_import_name(&min, &ba_user, GSS_C_NT_USER_NAME, &client);
if (GSS_ERROR(maj)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req,
goto done;
}
if (auth_type == AUTH_TYPE_BASIC) {
- if (mc) {
- apr_pool_cleanup_run(mc->parent, mc, mag_conn_destroy);
- mc = NULL;
- }
while (maj == GSS_S_CONTINUE_NEEDED) {
gss_release_buffer(&min, &input);
/* output and input are inverted here, this is intentional */
mag_attempt_session(req, cfg, mc);
}
mc->auth_type = auth_type;
+ if (auth_type == AUTH_TYPE_BASIC) {
+ mag_basic_cache(cfg, mc, ba_user, ba_pwd);
+ }
}
if (cfg->send_persist)
time_t expiration;
int auth_type;
bool delegated;
+ struct databuf basic_hash;
};
#define discard_const(ptr) ((void *)((uintptr_t)(ptr)))
ASN_STRUCT_FREE_CONTENTS_ONLY(asn_DEF_GSSSessionData, &gsessdata);
}
+static int mag_basic_hmac(struct seal_key *key, unsigned char *mac,
+ gss_buffer_desc user, gss_buffer_desc pwd)
+{
+ struct databuf hmacbuf = { mac, 0 };
+ int data_size = user.length + pwd.length + 1;
+ unsigned char data[data_size];
+ struct databuf databuf = { data, data_size };
+
+ memcpy(data, user.value, user.length);
+ data[user.length] = '\0';
+ memcpy(&data[user.length + 1], pwd.value, pwd.length);
+
+ return HMAC_BUFFER(key, &databuf, &hmacbuf);
+}
+
+bool mag_basic_check(struct mag_config *cfg, struct mag_conn *mc,
+ gss_buffer_desc user, gss_buffer_desc pwd)
+{
+ int mac_size = get_mac_size(cfg->mag_skey);
+ unsigned char mac[mac_size];
+ int ret, i, j;
+ bool res = false;
+
+ if (mac_size == 0) return false;
+
+ ret = mag_basic_hmac(cfg->mag_skey, mac, user, pwd);
+ if (ret != 0) goto done;
+
+ for (i = 0, j = 0; i < mac_size; i++) {
+ if (mc->basic_hash.value[i] != mac[i]) j++;
+ }
+ if (j == 0) res = true;
+
+done:
+ if (res == false) {
+ mc->basic_hash.value = NULL;
+ mc->basic_hash.length = 0;
+ }
+ return res;
+}
+
+void mag_basic_cache(struct mag_config *cfg, struct mag_conn *mc,
+ gss_buffer_desc user, gss_buffer_desc pwd)
+{
+ int mac_size = get_mac_size(cfg->mag_skey);
+ unsigned char mac[mac_size];
+ int ret;
+
+ ret = mag_basic_hmac(cfg->mag_skey, mac, user, pwd);
+ if (ret != 0) return;
+
+ mc->basic_hash.length = mac_size;
+ mc->basic_hash.value = apr_palloc(mc->parent, mac_size);
+ memcpy(mc->basic_hash.value, mac, mac_size);
+}
struct mag_config *cfg, struct mag_conn **conn);
void mag_attempt_session(request_rec *req,
struct mag_config *cfg, struct mag_conn *mc);
+bool mag_basic_check(struct mag_config *cfg, struct mag_conn *mc,
+ gss_buffer_desc user, gss_buffer_desc pwd);
+void mag_basic_cache(struct mag_config *cfg, struct mag_conn *mc,
+ gss_buffer_desc user, gss_buffer_desc pwd);