increased version number before creating a new release

[mod_auth_kerb.git] / src / mod_auth_kerb.c
diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c

index 855ab3f..97b4761 100644 (file)
--- a/src/mod_auth_kerb.c
+++ b/src/mod_auth_kerb.c
@@ -70,6 +70,10 @@
  
  #ident "$Id$"
  
+#include "config.h"
+
+#define MODAUTHKERB_VERSION "5.0-rc3"
+
  #ifndef APXS1
  #include "ap_compat.h"
  #include "apr_strings.h"
@@ -83,13 +87,16 @@
  
  #ifdef KRB5
  #include <krb5.h>
-#include <gssapi.h>
-#ifndef HEIMDAL
-#  include <gssapi_generic.h>
+#ifdef HEIMDAL
+#  include <gssapi.h>
+#else
+#  include <gssapi/gssapi.h>
+#  include <gssapi/gssapi_generic.h>
  #  define GSS_C_NT_USER_NAME gss_nt_user_name
  #  define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
  #  define krb5_get_err_text(context,code) error_message(code)
  #endif
+#include "spnegokrb5.h"
  #endif /* KRB5 */
  
  #ifdef KRB4
@@ -99,6 +106,7 @@
  #  undef closesocket
  #endif
  #include <krb.h>
+#include <netdb.h> /* gethostbyname() */
  #endif /* KRB4 */
  
  #ifdef APXS1
@@ -113,21 +121,13 @@ module AP_MODULE_DECLARE_DATA auth_kerb_module;
  #ifdef APXS1
  #define MK_POOL pool
  #define MK_TABLE_GET ap_table_get
-#define MK_TABLE_SET ap_table_set
-#define MK_TABLE_TYPE table
-#define MK_PSTRDUP ap_pstrdup
  #define MK_USER r->connection->user
  #define MK_AUTH_TYPE r->connection->ap_auth_type
-#define MK_ARRAY_HEADER array_header
  #else
  #define MK_POOL apr_pool_t
  #define MK_TABLE_GET apr_table_get
-#define MK_TABLE_SET apr_table_set
-#define MK_TABLE_TYPE apr_table_t
-#define MK_PSTRDUP apr_pstrdup
  #define MK_USER r->user
  #define MK_AUTH_TYPE r->ap_auth_type
-#define MK_ARRAY_HEADER apr_array_header_t
  #endif /* APXS1 */
  
  
@@ -137,6 +137,9 @@ module AP_MODULE_DECLARE_DATA auth_kerb_module;
  typedef struct {
         char *krb_auth_realms;
         int krb_save_credentials;
+       int krb_verify_kdc;
+       char *krb_service_name;
+       int krb_authoritative;
  #ifdef KRB5
         char *krb_5_keytab;
         int krb_method_gssapi;
@@ -173,6 +176,15 @@ static const command_rec kerb_auth_cmds[] = {
     command("KrbSaveCredentials", ap_set_flag_slot, krb_save_credentials,
       FLAG, "Save and store credentials/tickets retrieved during auth."),
  
+   command("KrbVerifyKDC", ap_set_flag_slot, krb_verify_kdc,
+     FLAG, "Verify tickets against keytab to prevent KDC spoofing attacks."),
+
+   command("KrbServiceName", ap_set_string_slot, krb_service_name,
+     TAKE1, "Service name to be used by Apache for authentication."),
+
+   command("KrbAuthoritative", ap_set_flag_slot, krb_authoritative,
+     FLAG, "Set to 'off' to allow access control to be passed along to lower modules if the UserID is not known to this module."),
+
  #ifdef KRB5
     command("Krb5Keytab", ap_set_file_slot, krb_5_keytab,
       TAKE1, "Location of Kerberos V5 keytab file."),
@@ -213,6 +225,9 @@ static void *kerb_dir_create_config(MK_POOL *p, char *d)
         kerb_auth_config *rec;
  
         rec = (kerb_auth_config *) ap_pcalloc(p, sizeof(kerb_auth_config));
+        ((kerb_auth_config *)rec)->krb_verify_kdc = 1;
+       ((kerb_auth_config *)rec)->krb_service_name = "khttp";
+       ((kerb_auth_config *)rec)->krb_authoritative = 1;
  #ifdef KRB5
         ((kerb_auth_config *)rec)->krb_method_k5pass = 1;
         ((kerb_auth_config *)rec)->krb_method_gssapi = 1;
@@ -234,16 +249,23 @@ void log_rerror(const char *file, int line, int level, int status,
                  const request_rec *r, const char *fmt, ...)
  {
     char errstr[1024];
+   char errnostr[1024];
     va_list ap;
  
     va_start(ap, fmt);
     vsnprintf(errstr, sizeof(errstr), fmt, ap);
     va_end(ap);
  
+   errnostr[0] = '\0';
+   if (errno)
+      snprintf(errnostr, sizeof(errnostr), "%s: (%s)", errstr, strerror(errno));
+   else
+      snprintf(errnostr, sizeof(errnostr), "%s", errstr);
+   
  #ifdef APXS1
-   ap_log_rerror(file, line, level, r, "%s", errstr);
+   ap_log_rerror(file, line, level | APLOG_NOERRNO, r, "%s", errnostr);
  #else
-   ap_log_rerror(file, line, level, status, r, "%s", errstr);
+   ap_log_rerror(file, line, level | APLOG_NOERRNO, status, r, "%s", errnostr);
  #endif
  }
  
@@ -253,7 +275,7 @@ void log_rerror(const char *file, int line, int level, int status,
   ***************************************************************************/
  static int
  verify_krb4_user(request_rec *r, char *name, char *instance, char *realm,
-                char *password, char *linstance, char *srvtab)
+                char *password, char *linstance, char *srvtab, int krb_verify_kdc)
  {
     int ret;
     char *phost;
@@ -266,8 +288,14 @@ verify_krb4_user(request_rec *r, char *name, char *instance, char *realm,
  
     ret = krb_get_pw_in_tkt(name, instance, realm, "krbtgt", realm, 
                            DEFAULT_TKT_LIFE, password);
-   if (ret)
-      /* log(krb_err_txt[ret]) */
+   if (ret) {
+      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                "Cannot get krb4 ticket: krb_get_pw_in_tkt() failed: %s",
+                krb_get_err_text(ret));
+      return ret;
+   }
+
+   if (!krb_verify_kdc)
        return ret;
  
     hostname = ap_get_server_name(r);
@@ -275,6 +303,9 @@ verify_krb4_user(request_rec *r, char *name, char *instance, char *realm,
     hp = gethostbyname(hostname);
     if (hp == NULL) {
        dest_tkt();
+      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                "Cannot verify krb4 ticket: gethostbyname() failed: %s",
+                hstrerror(h_errno));
        return h_errno;
     }
     memcpy(&addr, hp->h_addr, sizeof(addr));
@@ -285,13 +316,20 @@ verify_krb4_user(request_rec *r, char *name, char *instance, char *realm,
  
     ret = krb_mk_req(&ticket, linstance, phost, lrealm, 0);
     if (ret) {
+      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                "Cannot verify krb4 ticket: krb_mk_req() failed: %s",
+                krb_get_err_text(ret));
        dest_tkt();
        return ret;
     }
  
     ret = krb_rd_req(&ticket, linstance, phost, addr, &authdata, srvtab);
-   if (ret)
+   if (ret) {
+      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                "Cannot verify krb4 ticket: krb_rd_req() failed: %s",
+                krb_get_err_text(ret));
        dest_tkt();
+   }
  
     return ret;
  }
@@ -322,6 +360,7 @@ authenticate_user_krb4pwd(request_rec *r,
     const char *realm;
     char *user;
     char lrealm[REALM_SZ];
+   int all_principals_unkown;
  
     sent_pw = ap_pbase64decode(r->pool, auth_line);
     sent_name = ap_getword (r->pool, &sent_pw, ':');
@@ -352,6 +391,7 @@ authenticate_user_krb4pwd(request_rec *r,
  
     krb_set_tkt_string(tkt_file);
  
+   all_principals_unkown = 1;
     realms = conf->krb_auth_realms;
     do {
        memset(lrealm, 0, sizeof(lrealm));
@@ -368,16 +408,25 @@ authenticate_user_krb4pwd(request_rec *r,
  
        ret = verify_krb4_user(r, (char *)sent_name, 
                              (sent_instance) ? sent_instance : "",
-                            (char *)realm, (char *)sent_pw, "khttp",
-                            conf->krb_4_srvtab);
+                            (char *)realm, (char *)sent_pw,
+                            conf->krb_service_name,
+                            conf->krb_4_srvtab, conf->krb_verify_kdc);
+      if (!conf->krb_authoritative && ret) {
+        /* if we're not authoritative, we allow authentication to pass on
+         * to another modules if (and only if) the user is not known to us */
+        if (all_principals_unkown && ret != KDC_PR_UNKNOWN)
+           all_principals_unkown = 0;
+      }
+
        if (ret == 0)
          break;
     } while (realms && *realms);
  
     if (ret) {
-      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-                "Verifying krb4 password failed (%d)", ret);
-      ret = HTTP_UNAUTHORIZED;
+      /* XXX log only in the verify_krb4_user() call */
+      log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Verifying krb4 password failed");
+      ret = (!conf->krb_authoritative && all_principals_unkown == 1 && ret == KDC_PR_UNKNOWN) ?
+                DECLINED : HTTP_UNAUTHORIZED;
        goto end;
     }
  
@@ -411,7 +460,7 @@ end:
  static krb5_error_code
  verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
                  krb5_ccache ccache, const char *password, const char *service,
-                krb5_keytab keytab)
+                krb5_keytab keytab, int krb_verify_kdc)
  {
     krb5_creds creds;
     krb5_principal server = NULL;
@@ -432,7 +481,7 @@ verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
        goto end;
  
     krb5_verify_init_creds_opt_init(&opt);
-   krb5_verify_init_creds_opt_set_ap_req_nofail(&opt, 1);
+   krb5_verify_init_creds_opt_set_ap_req_nofail(&opt, krb_verify_kdc);
  
     ret = krb5_verify_init_creds(context, &creds, server, keytab, NULL, &opt);
     if (ret)
@@ -490,9 +539,11 @@ create_krb5_ccache(krb5_context kcontext,
     int ret;
     krb5_ccache tmp_ccache = NULL;
  
-#ifdef HEIMDAL
+#ifdef HAVE_KRB5_CC_GEN_NEW
     problem = krb5_cc_gen_new(kcontext, &krb5_fcc_ops, &tmp_ccache);
  #else
+   /* only older MIT seem to not have the krb5_cc_gen_new() call, so we use
+    * MIT specific call here */
     problem = krb5_fcc_generate_new(kcontext, &tmp_ccache);
     /* krb5_fcc_generate_new() doesn't set KRB5_TC_OPENCLOSE, which makes 
        krb5_cc_initialize() fail */
@@ -589,7 +640,8 @@ int authenticate_user_krb5pwd(request_rec *r,
     krb5_ccache     ccache = NULL;
     krb5_keytab     keytab = NULL;
     int             ret;
-   char *name = NULL;
+   char            *name = NULL;
+   int             all_principals_unkown;
  
     code = krb5_init_context(&kcontext);
     if (code) {
@@ -608,9 +660,11 @@ int authenticate_user_krb5pwd(request_rec *r,
        goto end;
     } 
  
-#ifdef HEIMDAL
+#ifdef HAVE_KRB5_CC_GEN_NEW
     code = krb5_cc_gen_new(kcontext, &krb5_mcc_ops, &ccache);
  #else
+   /* only older MIT seem to not have the krb5_cc_gen_new() call, so we use
+    * MIT specific call here */
     code = krb5_mcc_generate_new(kcontext, &ccache);
  #endif
     if (code) {
@@ -623,8 +677,8 @@ int authenticate_user_krb5pwd(request_rec *r,
  
     if (conf->krb_5_keytab)
        krb5_kt_resolve(kcontext, conf->krb_5_keytab, &keytab);
-      /* setenv("KRB5_KTNAME", conf->krb_5_keytab, 1); */
  
+   all_principals_unkown = 1;
     realms = conf->krb_auth_realms;
     do {
        if (realms && (code = krb5_set_default_realm(kcontext,
@@ -639,8 +693,16 @@ int authenticate_user_krb5pwd(request_rec *r,
        if (code)
          continue;
  
-      code = verify_krb5_user(r, kcontext, client, ccache, sent_pw, "khttp",
-                             keytab);
+      code = verify_krb5_user(r, kcontext, client, ccache, sent_pw, 
+                             conf->krb_service_name, 
+                             keytab, conf->krb_verify_kdc);
+      if (!conf->krb_authoritative && code) {
+        /* if we're not authoritative, we allow authentication to pass on
+         * to another modules if (and only if) the user is not known to us */
+        if (all_principals_unkown && code != KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN)
+           all_principals_unkown = 0;
+      }
+
        if (code == 0)
          break;
  
@@ -651,10 +713,15 @@ int authenticate_user_krb5pwd(request_rec *r,
     memset((char *)sent_pw, 0, strlen(sent_pw));
  
     if (code) {
+      /* XXX log only in the verify_krb5_user() call */
        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                  "Verifying krb5 password failed: %s",
                  krb5_get_err_text(kcontext, code));
-      ret = HTTP_UNAUTHORIZED;
+      if (!conf->krb_authoritative && all_principals_unkown == 1 && code == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN)
+        ret = DECLINED;
+      else
+        ret = HTTP_UNAUTHORIZED;
+
        goto end;
     }
  
@@ -799,7 +866,7 @@ get_gss_creds(request_rec *r,
     gss_name_t server_name = GSS_C_NO_NAME;
     char buf[1024];
  
-   snprintf(buf, sizeof(buf), "%s/%s", "khttp", ap_get_server_name(r));
+   snprintf(buf, sizeof(buf), "%s/%s", conf->krb_service_name, ap_get_server_name(r));
  
     input_token.value = buf;
     input_token.length = strlen(buf) + 1;
@@ -829,6 +896,33 @@ get_gss_creds(request_rec *r,
  }
  
  static int
+cmp_gss_type(gss_buffer_t token, gss_OID oid)
+{
+   unsigned char *p;
+   size_t len;
+
+   if (token->length == 0)
+      return GSS_S_DEFECTIVE_TOKEN;
+
+   p = token->value;
+   if (*p++ != 0x60)
+      return GSS_S_DEFECTIVE_TOKEN;
+   len = *p++;
+   if (len & 0x80) {
+      if ((len & 0x7f) > 4)
+        return GSS_S_DEFECTIVE_TOKEN;
+      p += len & 0x7f;
+   }
+   if (*p++ != 0x06)
+      return GSS_S_DEFECTIVE_TOKEN;
+
+   if (((OM_uint32) *p++) != oid->length)
+      return GSS_S_DEFECTIVE_TOKEN;
+
+   return memcmp(p, oid->elements, oid->length);
+}
+
+static int
  authenticate_user_gss(request_rec *r,
                       kerb_auth_config *conf,
                       const char *auth_line)
@@ -840,12 +934,11 @@ authenticate_user_gss(request_rec *r,
    int ret;
    gss_name_t client_name = GSS_C_NO_NAME;
    gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;
-  static int initial_return = HTTP_UNAUTHORIZED;
+  OM_uint32 (*accept_sec_token)();
+  gss_OID_desc spnego_oid;
  
-  /* needed to work around replay caches */
-  if (!ap_is_initial_req(r))
-     return initial_return;
-  initial_return = HTTP_UNAUTHORIZED;
+  spnego_oid.length = 6;
+  spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
  
    if (gss_connection == NULL) {
       gss_connection = ap_pcalloc(r->connection->pool, sizeof(*gss_connection));
@@ -859,8 +952,20 @@ authenticate_user_gss(request_rec *r,
       ap_register_cleanup(r->connection->pool, gss_connection, cleanup_gss_connection, ap_null_cleanup);
    }
  
-  if (conf->krb_5_keytab)
-     setenv("KRB5_KTNAME", conf->krb_5_keytab, 1);
+  if (conf->krb_5_keytab) {
+     char *ktname;
+     /* we don't use the ap_* calls here, since the string passed to putenv()
+      * will become part of the enviroment and shouldn't be free()ed by apache
+      */
+     ktname = malloc(strlen("KRB5_KTNAME=") + strlen(conf->krb_5_keytab) + 1);
+     if (ktname == NULL) {
+       log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "malloc() failed: not enough memory");
+       ret = HTTP_INTERNAL_SERVER_ERROR;
+       goto end;
+     }
+     sprintf(ktname, "KRB5_KTNAME=%s", conf->krb_5_keytab);
+     putenv(ktname);
+  }
  
    if (gss_connection->server_creds == GSS_C_NO_CREDENTIAL) {
       ret = get_gss_creds(r, conf, &gss_connection->server_creds);
@@ -887,22 +992,20 @@ authenticate_user_gss(request_rec *r,
    }
    input_token.length = ap_base64decode(input_token.value, auth_param);
  
-#if 0 
-  major_status = gss_accept_sec_context(
-#else
-  major_status = gss_accept_sec_context_spnego(
-#endif
-                                       &minor_status,
-                                       &gss_connection->context,
-                                       gss_connection->server_creds,
-                                       &input_token,
-                                       GSS_C_NO_CHANNEL_BINDINGS,
-                                       &client_name,
-                                       NULL,
-                                       &output_token,
-                                       NULL,
-                                       NULL,
-                                       &delegated_cred);
+  accept_sec_token = (cmp_gss_type(&input_token, &spnego_oid) == 0) ?
+                       gss_accept_sec_context_spnego : gss_accept_sec_context;
+
+  major_status = accept_sec_token(&minor_status,
+                                 &gss_connection->context,
+                                 gss_connection->server_creds,
+                                 &input_token,
+                                 GSS_C_NO_CHANNEL_BINDINGS,
+                                 &client_name,
+                                 NULL,
+                                 &output_token,
+                                 NULL,
+                                 NULL,
+                                 &delegated_cred);
    if (output_token.length) {
       char *token = NULL;
       size_t len;
@@ -919,7 +1022,7 @@ authenticate_user_gss(request_rec *r,
       ap_base64encode(token, output_token.value, output_token.length);
       token[len] = '\0';
       ap_table_set(r->err_headers_out, "WWW-Authenticate",
-                 ap_pstrcat(r->pool, "GSS-Negotiate ", token, NULL));
+                 ap_pstrcat(r->pool, "Negotiate ", token, NULL));
       gss_release_buffer(&minor_status2, &output_token);
    }
  
@@ -970,11 +1073,20 @@ end:
  
    cleanup_gss_connection(gss_connection);
  
-  initial_return = ret;
    return ret;
  }
  #endif /* KRB5 */
  
+static int
+already_succeeded(request_rec *r)
+{
+   if (ap_is_initial_req(r) || MK_AUTH_TYPE == NULL)
+      return 0;
+   if (strcmp(MK_AUTH_TYPE, "Negotiate") ||
+       (strcmp(MK_AUTH_TYPE, "Basic") && strchr(MK_USER, '@')))
+      return 1;
+   return 0;
+}
  
  static void
  note_kerb_auth_failure(request_rec *r, const kerb_auth_config *conf,
@@ -989,7 +1101,7 @@ note_kerb_auth_failure(request_rec *r, const kerb_auth_config *conf,
     /* XXX should the WWW-Authenticate header be cleared first? */
  #ifdef KRB5
     if (use_krb5 && conf->krb_method_gssapi)
-      ap_table_add(r->err_headers_out, "WWW-Authenticate", "GSS-Negotiate ");
+      ap_table_add(r->err_headers_out, "WWW-Authenticate", "Negotiate");
     if (use_krb5 && conf->krb_method_k5pass) {
        ap_table_add(r->err_headers_out, "WWW-Authenticate",
                     ap_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL));
@@ -1014,6 +1126,7 @@ int kerb_authenticate_user(request_rec *r)
     const char *type = NULL;
     int use_krb5 = 0, use_krb4 = 0;
     int ret;
+   static int last_return = HTTP_UNAUTHORIZED;
  
     /* get the type specified in .htaccess */
     type = ap_auth_type(r);
@@ -1035,11 +1148,14 @@ int kerb_authenticate_user(request_rec *r)
     }
     auth_type = ap_getword_white(r->pool, &auth_line);
  
+   if (already_succeeded(r))
+      return last_return;
+
     ret = HTTP_UNAUTHORIZED;
  
  #ifdef KRB5
     if (use_krb5 && conf->krb_method_gssapi &&
-       strcasecmp(auth_type, "GSS-Negotiate") == 0) {
+       strcasecmp(auth_type, "Negotiate") == 0) {
        ret = authenticate_user_gss(r, conf, auth_line);
     } else if (use_krb5 && conf->krb_method_k5pass &&
               strcasecmp(auth_type, "Basic") == 0) {
@@ -1056,6 +1172,7 @@ int kerb_authenticate_user(request_rec *r)
     if (ret == HTTP_UNAUTHORIZED)
        note_kerb_auth_failure(r, conf, use_krb4, use_krb5);
  
+   last_return = ret;
     return ret;
  }
  
@@ -1086,8 +1203,17 @@ module MODULE_VAR_EXPORT auth_kerb_module = {
         NULL                            /* [ 1] post read_request handling    */
  };
  #else
+static int
+kerb_init_handler(apr_pool_t *p, apr_pool_t *plog,
+                 apr_pool_t *ptemp, server_rec *s)
+{
+   ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION);
+   return OK;
+}
+
  void kerb_register_hooks(apr_pool_t *p)
  {
+   ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE);
     ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE);
  }