[mod_auth_kerb.git] / apache1 / auth_user.c
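/*
 * Authenticate the user of request r against Kerberos V5 and/or V4 using a
 * password delivered in an HTTP Basic credential.
 *
 * Returns:
 *   DECLINED                   - AuthType / configured type selects no
 *                                Kerberos version compiled into this build
 *   HTTP_INTERNAL_SERVER_ERROR - no AuthName is configured for the resource
 *   HTTP_UNAUTHORIZED          - no credential, or a non-Basic scheme, was
 *                                sent (a Basic challenge is attached)
 *   OK                         - a validator accepted user/password
 *   conf->krb_fail_status      - every enabled validator rejected them
 *
 * Security notes:
 *   - The password arrives base64-encoded, i.e. effectively in clear text;
 *     this handler does not check that the connection is encrypted.
 *   - r->connection->user is set from the client-supplied header before any
 *     validation and stays set on failure; treat it as authenticated only
 *     when this function returned OK.
 *   - NOTE(review): kerb5_password_validate()/kerb4_password_validate() are
 *     not visible here. Confirm that they verify the KDC reply (for example
 *     against a local service key) and reject empty names/passwords, since
 *     this function forwards both unchecked.
 */
int kerb_authenticate_user(request_rec *r) {
        const char *name;               /* AuthName specified */
        const char *type;               /* AuthType specified */
        const char *cfg_type;           /* Configured auth type, never NULL */
        const char *scheme;             /* Auth scheme token sent by client */
        const char *challenge_hdr;      /* Header carrying our challenge */
        const char *challenge;          /* Basic challenge value */
        int is_proxy = (r->proxyreq == STD_PROXY);
        int KerberosV5 = 0;             /* Kerberos V5 check enabled */
        int KerberosV4 = 0;             /* Kerberos V4 check enabled */
        int KerberosV4first = 0;        /* Kerberos V4 check first */
        const char *sent_pw;            /* Password sent by browser */
        int retcode;                    /* Return code holder */
        const char *t;                  /* Decoded auth_line */
        const char *auth_line = ap_table_get(r->headers_in,
                                        is_proxy ? "Proxy-Authorization"
                                                 : "Authorization");
        kerb_auth_config *conf =
                (kerb_auth_config *)ap_get_module_config(r->per_dir_config,
                                        &kerb_auth_module);

        type = ap_auth_type(r);

        if (type != NULL) {
                /*
                 * An unset configured type must not reach strncasecmp();
                 * an empty string matches none of the names below.
                 */
                cfg_type = conf->krb_auth_type ? conf->krb_auth_type : "";

#ifdef KRB5
                if ((strncasecmp(type, "KerberosV5", 10) == 0) ||
                    (strncasecmp(cfg_type, "KerberosV5", 10) == 0)) {
                        KerberosV5 = 1;
                }
#endif /* KRB5 */

#ifdef KRB4
                if ((strncasecmp(type, "KerberosV4", 10) == 0) ||
                    (strncasecmp(cfg_type, "KerberosV4", 10) == 0)) {
                        KerberosV4 = 1;
                }
#endif /* KRB4 */

#if defined(KRB5) && defined(KRB4)
                /* Dual modes: both versions enabled, order given by the name. */
                if ((strncasecmp(type, "KerberosDualV5V4", 15) == 0) ||
                    (strncasecmp(cfg_type, "KerberosDualV5V4", 15) == 0)) {
                        KerberosV5 = 1;
                        KerberosV4 = 1;
                }

                if ((strncasecmp(type, "KerberosDualV4V5", 15) == 0) ||
                    (strncasecmp(cfg_type, "KerberosDualV4V5", 15) == 0)) {
                        KerberosV5 = 1;
                        KerberosV4 = 1;
                        KerberosV4first = 1;
                }
#endif /* KRB5 && KRB4 */
        }

        /* Not a Kerberos-protected resource: let other modules handle it. */
        if (!KerberosV4 && !KerberosV5) {
                return DECLINED;
        }

        name = ap_auth_name(r);
        if (!name) {
                ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
                                "need AuthName: %s", r->uri);
                return HTTP_INTERNAL_SERVER_ERROR;
        }

        /*
         * The credential is read from Proxy-Authorization on proxy requests,
         * so the challenge has to go out in the matching Proxy-Authenticate
         * header. The status stays HTTP_UNAUTHORIZED as before.
         * NOTE(review): confirm the server core rewrites it to 407 for
         * proxy requests.
         */
        challenge_hdr = is_proxy ? "Proxy-Authenticate" : "WWW-Authenticate";
        challenge = ap_pstrcat(r->pool, "Basic realm=\"", name, "\"", NULL);

        if (!auth_line) {
                ap_table_set(r->err_headers_out, challenge_hdr, challenge);
                return HTTP_UNAUTHORIZED;
        }

        /*
         * Only a Basic credential has the base64 "user:password" layout
         * parsed below; any other scheme is answered with a fresh challenge
         * instead of being decoded as if it were Basic.
         */
        scheme = ap_getword_white(r->pool, &auth_line);
        if (strcasecmp(scheme, "Basic") != 0) {
                ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
                                "client used wrong authentication scheme: %s",
                                r->uri);
                ap_table_set(r->err_headers_out, challenge_hdr, challenge);
                return HTTP_UNAUTHORIZED;
        }

        t = ap_pbase64decode(r->pool, auth_line);
        r->connection->user = ap_getword_nulls(r->pool, &t, ':');
        r->connection->ap_auth_type = "Kerberos";
        sent_pw = ap_getword_white(r->pool, &t);

        retcode = DECLINED;

        /* V5 first, unless a V4-first dual mode was selected. */
#ifdef KRB5
        if (KerberosV5 && !KerberosV4first && retcode != OK) {
                if (kerb5_password_validate(r->connection->user, sent_pw)) {
                        retcode = OK;
                }
                else {
                        retcode = conf->krb_fail_status;
                }
        }
#endif /* KRB5 */

#ifdef KRB4
        if (KerberosV4 && retcode != OK) {
                if (kerb4_password_validate(r->connection->user, sent_pw)) {
                        retcode = OK;
                }
                else {
                        retcode = conf->krb_fail_status;
                }
        }
#endif /* KRB4 */

        /* V4-first dual mode: fall back to V5 when V4 did not succeed. */
#if defined(KRB5) && defined(KRB4)
        if (KerberosV5 && KerberosV4first && retcode != OK) {
                if (kerb5_password_validate(r->connection->user, sent_pw)) {
                        retcode = OK;
                }
                else {
                        retcode = conf->krb_fail_status;
                }
        }
#endif /* KRB5 && KRB4 */

        /*
         * A 401 without a challenge gives the client nothing to retry with,
         * so attach one whenever the configured failure status is 401.
         */
        if (retcode == HTTP_UNAUTHORIZED) {
                ap_table_set(r->err_headers_out, challenge_hdr, challenge);
        }

        return retcode;
}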