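/**
 * Authenticate a request whose AuthType is KerberosV5 or KerberosV4 by
 * validating HTTP Basic credentials against Kerberos.
 *
 * The user name and password are read from the Authorization header
 * (Proxy-Authorization for proxy requests), base64-decoded, split at the
 * first ':' and passed to kerb5_password_validate() or
 * kerb4_password_validate().
 *
 * Fixes relative to the listing this replaces:
 *  - the pasted "AuthType must be Basic" test returned DECLINED for every
 *    request that had just passed the Kerberos AuthType test, so nothing
 *    after it could run;
 *  - the password was stored through an undeclared `pw` and `sent_pw` was
 *    read without ever being assigned;
 *  - a stray `return OK; }` ended the function before the password was
 *    validated, leaving the Kerberos checks outside any function. Had that
 *    compiled, a well-formed Basic header would have been accepted without
 *    any password check.
 *
 * Basic credentials are only base64-encoded, so the password is readable
 * on the wire unless the connection is protected by TLS. Do not log
 * sent_pw.
 *
 * @param r  request being authenticated
 * @return DECLINED if AuthType is not a Kerberos type compiled into this
 *         build; HTTP_INTERNAL_SERVER_ERROR if no AuthName is configured;
 *         HTTP_UNAUTHORIZED if credentials are missing, use another scheme,
 *         are empty, or fail validation; OK if the password validated.
 */
int kerb_authenticate_user(request_rec *r) {
        const char *type;               /* AuthType specified */
        int KerberosV5 = 0;             /* Kerberos V5 check enabled */
        int KerberosV4 = 0;             /* Kerberos V4 check enabled */
        const char *sent_pw;            /* Password sent by browser */
        const char *t;                  /* Cursor over decoded "user:password" */
        const char *auth_line = apr_table_get(r->headers_in,
                                        (PROXYREQ_PROXY == r->proxyreq)
                                                ? "Proxy-Authorization"
                                                : "Authorization");

        type = ap_auth_type(r);

        if (type != NULL) {
                /* Only the first 10 characters are compared, so any AuthType
                 * that merely starts with "KerberosV5"/"KerberosV4" matches. */
#ifdef KRB5
                if (strncasecmp(type, "KerberosV5", 10) == 0) {
                        KerberosV5 = 1;
                }
#endif /* KRB5 */

#ifdef KRB4
                if (strncasecmp(type, "KerberosV4", 10) == 0) {
                        KerberosV4 = 1;
                }
#endif /* KRB4 */
        }

        /* Not our AuthType: let another module handle the request. */
        if (!KerberosV4 && !KerberosV5) {
                return DECLINED;
        }

        if (!ap_auth_name(r)) {
                ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR,
                        0, r, "need AuthName: %s", r->uri);
                return HTTP_INTERNAL_SERVER_ERROR;
        }

        /* No credentials supplied: challenge the client. */
        if (!auth_line) {
                ap_note_basic_auth_failure(r);
                return HTTP_UNAUTHORIZED;
        }

        /* The password travels in a Basic header even though AuthType is
         * Kerberos, so the scheme token on the wire must be "Basic". */
        if (strcasecmp(ap_getword(r->pool, &auth_line, ' '), "Basic")) {
                /* Client tried to authenticate using wrong auth scheme */
                ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
                              "client used wrong authentication scheme: %s", r->uri);
                ap_note_basic_auth_failure(r);
                return HTTP_UNAUTHORIZED;
        }

        /* Skip whitespace between the scheme and the base64 payload. */
        while (*auth_line == ' ' || *auth_line == '\t') {
                auth_line++;
        }

        t = ap_pbase64decode(r->pool, auth_line);

        /* Everything before the first ':' is the user name; ap_getword_nulls
         * advances t past it, leaving t on the password. Both strings are
         * allocated from r->pool.
         * NOTE(review): the listing's comment said this allocation must come
         * from r->connection->pool, but the code used r->pool -- confirm the
         * lifetime the rest of the module expects. */
        r->user = ap_getword_nulls (r->pool, &t, ':');
        r->ap_auth_type = "Basic";
        sent_pw = t;

        /* Reject empty credentials here rather than handing them to the
         * Kerberos library. */
        if (*r->user == '\0' || *sent_pw == '\0') {
                ap_note_basic_auth_failure(r);
                return HTTP_UNAUTHORIZED;
        }

        /* NOTE(review): the listing validated r->connection->user although
         * the name had been parsed into r->user. Both now use r->user, in
         * line with the other calls in this function. The file lives under
         * apache1/, so confirm which request/connection layout this build
         * targets. */
#ifdef KRB5
        if (KerberosV5) {
                if (kerb5_password_validate(r->user, sent_pw)) {
                        return OK;
                }
                else {
                        return HTTP_UNAUTHORIZED;
                }
        }
#endif /* KRB5 */
#ifdef KRB4
        if (KerberosV4) {
                if (kerb4_password_validate(r->user, sent_pw)) {
                        return OK;
                }
                else {
                        return HTTP_UNAUTHORIZED;
                }
        }
#endif /* KRB4 */

        return DECLINED;
}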