Begin fixes on apache2 API for initial ticket authentication.
[mod_auth_kerb.git] / apache2 / auth_user.c
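/*
 * Check-user-id handler: authenticate the request's HTTP Basic credentials
 * against Kerberos V5 and/or V4, depending on the configured AuthType.
 *
 * Returns:
 *   DECLINED                    AuthType is not a Kerberos type handled here
 *   HTTP_INTERNAL_SERVER_ERROR  no AuthName is configured for the resource
 *   HTTP_UNAUTHORIZED           credentials missing, not "Basic", or rejected
 *   OK                          the password validated for r->user
 *
 * Security notes:
 *   - The password reaches this function merely base64-encoded in the
 *     request header; anyone able to read the request can recover it.
 *     NOTE(review): presumably deployed only behind TLS -- confirm.
 *   - r->user is assigned from the client-supplied header before the
 *     password is validated and is not cleared on failure. It must only be
 *     trusted when this function returned OK.
 *   - Every HTTP_UNAUTHORIZED return carries a Basic challenge; rejected
 *     attempts are logged (user name and URI only, never the password).
 */
int kerb_authenticate_user(request_rec *r) {
        const char *name;               /* AuthName specified */
        const char *type;               /* AuthType specified */
        const char *scheme;             /* Scheme token sent by the client */
        const char *challenge;          /* Value of the challenge header */
        int KerberosV5 = 0;             /* Kerberos V5 check enabled */
        int KerberosV4 = 0;             /* Kerberos V4 check enabled */
        const char *sent_pw;            /* Password sent by browser */
        const char *t;                  /* Cursor into the decoded credentials */
        int res = DECLINED;             /* Response holder */

        /* Proxy requests carry credentials in the Proxy-* header pair. */
        const int is_proxy = (PROXYREQ_PROXY == r->proxyreq);
        const char *auth_line = apr_table_get(r->headers_in,
                                        is_proxy ? "Proxy-Authorization"
                                                 : "Authorization");
        /*
         * Challenge with the header that matches the one we read from.
         * NOTE(review): the status stays HTTP_UNAUTHORIZED for proxy
         * requests as before; confirm the server core maps it to 407.
         */
        const char *challenge_hdr = is_proxy ? "Proxy-Authenticate"
                                             : "WWW-Authenticate";

        type = ap_auth_type(r);

        if (type != NULL) {
                /*
                 * Only the first 10 characters are compared, so any AuthType
                 * that merely starts with "KerberosV5"/"KerberosV4" matches.
                 */
#ifdef KRB5
                if (strncasecmp(type, "KerberosV5", 10) == 0) {
                        KerberosV5 = 1;
                }
#endif /* KRB5 */

#ifdef KRB4
                if (strncasecmp(type, "KerberosV4", 10) == 0) {
                        KerberosV4 = 1;
                }
#endif /* KRB4 */
        }

        /* Not our AuthType: let another module handle the request. */
        if (!KerberosV4 && !KerberosV5) {
                return DECLINED;
        }

        name = ap_auth_name(r);
        if (!name) {
                ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR,
                        0, r, "need AuthName: %s", r->uri);
                return HTTP_INTERNAL_SERVER_ERROR;
        }

        challenge = (char *)ap_pstrcat(r->pool, "Basic realm=\"", name, "\"", NULL);

        /* No credentials supplied yet: ask the client for them. */
        if (!auth_line) {
                apr_table_set(r->err_headers_out, challenge_hdr, challenge);
                return HTTP_UNAUTHORIZED;
        }

        /*
         * Only the Basic scheme carries "user:password" in base64. Refuse
         * anything else instead of base64-decoding an unrelated credential
         * (e.g. a Negotiate or Digest header) and treating it as a password.
         */
        scheme = ap_getword_white(r->pool, &auth_line);
        if (strcasecmp(scheme, "Basic") != 0) {
                ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR,
                        0, r, "client used wrong authentication scheme: %s",
                        r->uri);
                apr_table_set(r->err_headers_out, challenge_hdr, challenge);
                return HTTP_UNAUTHORIZED;
        }

        t = ap_pbase64decode(r->pool, auth_line);
        r->user = ap_getword_nulls(r->pool, &t, ':');
        r->ap_auth_type = "Kerberos";
        /*
         * Everything after the first ':' is the password. Taking only the
         * first whitespace-delimited word would truncate passwords that
         * contain spaces and validate a different secret than the user typed.
         */
        sent_pw = t;

#ifdef KRB5
        if (res == DECLINED && KerberosV5) {
                r->ap_auth_type = "KerberosV5";
                res = kerb5_password_validate(r->user, sent_pw)
                        ? OK : HTTP_UNAUTHORIZED;
        }
#endif /* KRB5 */
#ifdef KRB4
        /* V4 is consulted only when V5 did not handle the request. */
        if (res == DECLINED && KerberosV4) {
                r->ap_auth_type = "KerberosV4";
                res = kerb4_password_validate(r->user, sent_pw)
                        ? OK : HTTP_UNAUTHORIZED;
        }
#endif /* KRB4 */

        if (res == HTTP_UNAUTHORIZED) {
                /*
                 * Leave an audit trail for failed logins and re-issue the
                 * challenge so the client can prompt again.
                 */
                ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR,
                        0, r, "Kerberos authentication failed for user %s: %s",
                        r->user, r->uri);
                apr_table_set(r->err_headers_out, challenge_hdr, challenge);
        }

        return res;
}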