Merge from the 5.3 branch (security fix). Tagged as merge_53_src, merge_53_dst, merge...

[mod_auth_kerb.git] / src / mod_auth_kerb.c

diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c
index b161c6a..e99f366 100644 (file)
--- a/src/mod_auth_kerb.c
+++ b/src/mod_auth_kerb.c
@@ -50,7 +50,7 @@
 #include <stdio.h>
 #include <stdarg.h>
 
-#define MODAUTHKERB_VERSION "5.0-rc6"
+#define MODAUTHKERB_VERSION "5.3"
 
 #define MECH_NEGOTIATE "Negotiate"
 #define SERVICE_NAME "HTTP"
@@ -65,24 +65,19 @@
 #ifdef STANDARD20_MODULE_STUFF
 #include <apr_strings.h>
 #include <apr_base64.h>
-
-#define ap_null_cleanup NULL
-#define ap_register_cleanup apr_pool_cleanup_register
-
-#define ap_pstrdup apr_pstrdup
-#define ap_pstrcat apr_pstrcat
-#define ap_pcalloc apr_pcalloc
-#define ap_psprintf apr_psprintf
-
-#define ap_base64decode_len apr_base64_decode_len
-#define ap_base64decode apr_base64_decode
-#define ap_base64encode_len apr_base64_encode_len
-#define ap_base64encode apr_base64_encode
-
-#define ap_table_setn apr_table_setn
-#define ap_table_add apr_table_add
 #else
-#define ap_pstrchr_c strchr
+#define apr_pstrdup            ap_pstrdup
+#define apr_psprintf           ap_psprintf
+#define apr_pstrcat            ap_pstrcat
+#define apr_pcalloc            ap_pcalloc
+#define apr_table_setn         ap_table_setn
+#define apr_table_add          ap_table_add
+#define apr_base64_decode_len  ap_base64decode_len
+#define apr_base64_decode      ap_base64decode
+#define apr_base64_encode_len  ap_base64encode_len
+#define apr_base64_encode      ap_base64encode
+#define apr_pool_cleanup_null  ap_null_cleanup
+#define apr_pool_cleanup_register      ap_register_cleanup
 #endif /* STANDARD20_MODULE_STUFF */
 
 #ifdef _WIN32
@@ -100,6 +95,7 @@
 #  include <gssapi/gssapi_krb5.h>
 #  define GSS_C_NT_USER_NAME gss_nt_user_name
 #  define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
+#  define GSS_KRB5_NT_PRINCIPAL_NAME gss_nt_krb5_name
 #  define krb5_get_err_text(context,code) error_message(code)
 #endif
 #ifndef GSSAPI_SUPPORTS_SPNEGO
@@ -122,6 +118,14 @@
 #include <unistd.h>
 #endif
 
+#ifndef KRB5_LIB_FUNCTION
+#  if defined(_WIN32)
+#    define KRB5_LIB_FUNCTION _stdcall
+#  else
+#    define KRB5_LIB_FUNCTION
+#  endif
+#endif
+
 #ifdef STANDARD20_MODULE_STUFF
 module AP_MODULE_DECLARE_DATA auth_kerb_module;
 #else
@@ -307,7 +311,7 @@ static void *kerb_dir_create_config(MK_POOL *p, char *d)
 {
        kerb_auth_config *rec;
 
-       rec = (kerb_auth_config *) ap_pcalloc(p, sizeof(kerb_auth_config));
+       rec = (kerb_auth_config *) apr_pcalloc(p, sizeof(kerb_auth_config));
         ((kerb_auth_config *)rec)->krb_verify_kdc = 1;
        ((kerb_auth_config *)rec)->krb_service_name = NULL;
        ((kerb_auth_config *)rec)->krb_authoritative = 1;
@@ -329,7 +333,7 @@ static const char*
 krb5_save_realms(cmd_parms *cmd, void *vsec, const char *arg)
 {
    kerb_auth_config *sec = (kerb_auth_config *) vsec;
-   sec->krb_auth_realms= ap_pstrdup(cmd->pool, arg);
+   sec->krb_auth_realms= apr_pstrdup(cmd->pool, arg);
    return NULL;
 }
 
@@ -357,8 +361,8 @@ log_rerror(const char *file, int line, int level, int status,
  Username/Password Validation for Krb4
  ***************************************************************************/
 static int
-verify_krb4_user(request_rec *r, char *name, char *instance, char *realm,
-                char *password, char *linstance, char *srvtab, int krb_verify_kdc)
+verify_krb4_user(request_rec *r, const char *name, const char *instance,
+                 const char *realm, const char *password, const char *linstance, const char *srvtab, int krb_verify_kdc)
 {
    int ret;
    char *phost;
@@ -406,7 +410,7 @@ verify_krb4_user(request_rec *r, char *name, char *instance, char *realm,
       return ret;
    }
 
-   ret = krb_rd_req(&ticket, linstance, phost, addr, &authdata, srvtab);
+   ret = krb_rd_req(&ticket, (char *)linstance, phost, addr, &authdata, (char *)srvtab);
    if (ret) {
       log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                 "Cannot verify krb4 ticket: krb_rd_req() failed: %s",
@@ -448,13 +452,6 @@ authenticate_user_krb4pwd(request_rec *r,
    sent_pw = ap_pbase64decode(r->pool, auth_line);
    sent_name = ap_getword (r->pool, &sent_pw, ':');
 
-   /* do not allow user to override realm setting of server */
-   if (ap_strchr_c(sent_name, '@')) {
-      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-                "specifying realm in user name is prohibited");
-      return HTTP_UNAUTHORIZED;
-   }
-
    sent_instance = strchr(sent_name, '.');
    if (sent_instance)
       *sent_instance++ = '\0'; 
@@ -468,10 +465,10 @@ authenticate_user_krb4pwd(request_rec *r,
       return HTTP_INTERNAL_SERVER_ERROR;
    }
 
-   tkt_file_p = ap_pstrdup(r->pool, tkt_file);
-   ap_register_cleanup(r->pool, tkt_file_p,
-                      krb4_cache_cleanup, ap_null_cleanup);
-
+   tkt_file_p = apr_pstrdup(r->pool, tkt_file);
+   apr_pool_cleanup_register(r->pool, tkt_file_p, krb4_cache_cleanup,
+                            apr_pool_cleanup_null);
+   
    krb_set_tkt_string(tkt_file);
 
    all_principals_unkown = 1;
@@ -514,14 +511,14 @@ authenticate_user_krb4pwd(request_rec *r,
       goto end;
    }
 
-   user = ap_pstrdup(r->pool, sent_name);
+   user = apr_pstrdup(r->pool, sent_name);
    if (sent_instance)
-      user = ap_pstrcat(r->pool, user, ".", sent_instance, NULL);
-   user = ap_pstrcat(r->pool, user, "@", realm, NULL);
+      user = apr_pstrcat(r->pool, user, ".", sent_instance, NULL);
+   user = apr_pstrcat(r->pool, user, "@", realm, NULL);
 
    MK_USER = user;
    MK_AUTH_TYPE = "Basic";
-   ap_table_setn(r->subprocess_env, "KRBTKFILE", tkt_file_p);
+   apr_table_setn(r->subprocess_env, "KRBTKFILE", tkt_file_p);
 
    if (!conf->krb_save_credentials)
       krb4_cache_cleanup(tkt_file);
@@ -788,7 +785,7 @@ create_krb5_ccache(krb5_context kcontext,
    int ret;
    krb5_ccache tmp_ccache = NULL;
 
-   ccname = ap_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir);
+   ccname = apr_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir);
    fd = mkstemp(ccname + strlen("FILE:"));
    if (fd < 0) {
       log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
@@ -817,9 +814,9 @@ create_krb5_ccache(krb5_context kcontext,
       goto end;
    }
 
-   ap_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
-   ap_register_cleanup(r->pool, ccname,
-                      krb5_cache_cleanup, ap_null_cleanup);
+   apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
+   apr_pool_cleanup_register(r->pool, ccname, krb5_cache_cleanup,
+                            apr_pool_cleanup_null);
 
    *ccache = tmp_ccache;
    tmp_ccache = NULL;
@@ -960,7 +957,7 @@ authenticate_user_krb5pwd(request_rec *r,
    do {
       name = (char *) sent_name;
       if (realms && (realm = ap_getword_white(r->pool, &realms)))
-        name = ap_psprintf(r->pool, "%s@%s", sent_name, realm);
+        name = apr_psprintf(r->pool, "%s@%s", sent_name, realm);
 
       if (client) {
         krb5_free_principal(kcontext, client);
@@ -1009,7 +1006,7 @@ authenticate_user_krb5pwd(request_rec *r,
       ret = HTTP_UNAUTHORIZED;
       goto end;
    }
-   MK_USER = ap_pstrdup (r->pool, name);
+   MK_USER = apr_pstrdup (r->pool, name);
    MK_AUTH_TYPE = "Basic";
    free(name);
 
@@ -1040,14 +1037,18 @@ end:
  ********************************************************************/
 
 static const char *
-get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix)
+get_gss_error(request_rec *r, OM_uint32 err_maj, OM_uint32 err_min, char *prefix)
 {
    OM_uint32 maj_stat, min_stat; 
    OM_uint32 msg_ctx = 0;
    gss_buffer_desc status_string;
    char *err_msg;
 
-   err_msg = ap_pstrdup(p, prefix);
+   log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+             "GSS-API major_status:%8.8x, minor_status:%8.8x",
+             err_maj, err_min);
+
+   err_msg = apr_pstrdup(r->pool, prefix);
    do {
       maj_stat = gss_display_status (&min_stat,
                                     err_maj,
@@ -1055,11 +1056,16 @@ get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix)
                                     GSS_C_NO_OID,
                                     &msg_ctx,
                                     &status_string);
-      if (GSS_ERROR(maj_stat))
-        break;
-      err_msg = ap_pstrcat(p, err_msg, ": ", (char*) status_string.value, NULL);
-      gss_release_buffer(&min_stat, &status_string);
-      
+      if (!GSS_ERROR(maj_stat)) {
+         err_msg = apr_pstrcat(r->pool, err_msg, ": ",
+                              (char*) status_string.value, NULL);
+        gss_release_buffer(&min_stat, &status_string);
+      }
+   } while (!GSS_ERROR(maj_stat) && msg_ctx != 0);
+
+   msg_ctx = 0;
+   err_msg = apr_pstrcat(r->pool, err_msg, " (", NULL);
+   do {
       maj_stat = gss_display_status (&min_stat,
                                     err_min,
                                     GSS_C_MECH_CODE,
@@ -1067,11 +1073,12 @@ get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix)
                                     &msg_ctx,
                                     &status_string);
       if (!GSS_ERROR(maj_stat)) {
-        err_msg = ap_pstrcat(p, err_msg,
-                             " (", (char*) status_string.value, ")", NULL);
+        err_msg = apr_pstrcat(r->pool, err_msg, ", ",
+                              (char *) status_string.value, NULL);
         gss_release_buffer(&min_stat, &status_string);
       }
    } while (!GSS_ERROR(maj_stat) && msg_ctx != 0);
+   err_msg = apr_pstrcat(r->pool, err_msg, ")", NULL);
 
    return err_msg;
 }
@@ -1111,7 +1118,7 @@ store_gss_creds(request_rec *r, kerb_auth_config *conf, char *princ_name,
    if (GSS_ERROR(maj_stat)) {
       log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
         "Cannot store delegated credential (%s)", 
-        get_gss_error(r->pool, maj_stat, min_stat, "gss_krb5_copy_ccache"));
+        get_gss_error(r, maj_stat, min_stat, "gss_krb5_copy_ccache"));
       goto end;
    }
 
@@ -1139,6 +1146,7 @@ get_gss_creds(request_rec *r,
    char buf[1024];
    int have_server_princ;
 
+
    have_server_princ = conf->krb_service_name && strchr(conf->krb_service_name, '/') != NULL;
    if (have_server_princ)
       strncpy(buf, conf->krb_service_name, sizeof(buf));
@@ -1156,7 +1164,7 @@ get_gss_creds(request_rec *r,
    memset(&token, 0, sizeof(token));
    if (GSS_ERROR(major_status)) {
       log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-                "%s", get_gss_error(r->pool, major_status, minor_status,
+                "%s", get_gss_error(r, major_status, minor_status,
                 "gss_import_name() failed"));
       return HTTP_INTERNAL_SERVER_ERROR;
    }
@@ -1166,7 +1174,7 @@ get_gss_creds(request_rec *r,
       /* Perhaps we could just ignore this error but it's safer to give up now,
          I think */
       log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-                "%s", get_gss_error(r->pool, major_status, minor_status,
+                "%s", get_gss_error(r, major_status, minor_status,
                                     "gss_display_name() failed"));
       return HTTP_INTERNAL_SERVER_ERROR;
    }
@@ -1181,7 +1189,7 @@ get_gss_creds(request_rec *r,
    gss_release_name(&minor_status2, &server_name);
    if (GSS_ERROR(major_status)) {
       log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-                "%s", get_gss_error(r->pool, major_status, minor_status,
+                "%s", get_gss_error(r, major_status, minor_status,
                                     "gss_acquire_cred() failed"));
       return HTTP_INTERNAL_SERVER_ERROR;
    }
@@ -1199,11 +1207,15 @@ get_gss_creds(request_rec *r,
    {
       krb5_gss_cred_id_t gss_creds = (krb5_gss_cred_id_t) *server_creds;
 
-      if (gss_creds && gss_creds->rcache && gss_creds->rcache->ops &&
-         gss_creds->rcache->ops->type &&  
-         memcmp(gss_creds->rcache->ops->type, "dfl", 3) == 0)
+      /* First we try to verify we are linked with 1.3.x to prevent from
+         crashing when linked with 1.4.x */
+      if (gss_creds && (gss_creds->usage == GSS_C_ACCEPT)) {
+        if (gss_creds->rcache && gss_creds->rcache->ops &&
+            gss_creds->rcache->ops->type &&  
+            memcmp(gss_creds->rcache->ops->type, "dfl", 3) == 0)
           /* Override the rcache operations */
         gss_creds->rcache->ops = &mod_auth_kerb_rc_ops;
+      }
    }
 #endif
    
@@ -1256,6 +1268,7 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
   gss_OID_desc spnego_oid;
   gss_ctx_id_t context = GSS_C_NO_CONTEXT;
   gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL;
+  OM_uint32 ret_flags = 0;
 
   *negotiate_ret_value = "\0";
 
@@ -1294,15 +1307,15 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
      goto end;
   }
 
-  input_token.length = ap_base64decode_len(auth_param) + 1;
-  input_token.value = ap_pcalloc(r->connection->pool, input_token.length);
+  input_token.length = apr_base64_decode_len(auth_param) + 1;
+  input_token.value = apr_pcalloc(r->connection->pool, input_token.length);
   if (input_token.value == NULL) {
      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                "ap_pcalloc() failed (not enough memory)");
      ret = HTTP_INTERNAL_SERVER_ERROR;
      goto end;
   }
-  input_token.length = ap_base64decode(input_token.value, auth_param);
+  input_token.length = apr_base64_decode(input_token.value, auth_param);
 
 #ifdef GSSAPI_SUPPORTS_SPNEGO
   accept_sec_token = gss_accept_sec_context;
@@ -1324,17 +1337,18 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
                                  &client_name,
                                  NULL,
                                  &output_token,
-                                 NULL,
+                                 &ret_flags,
                                  NULL,
                                  &delegated_cred);
   log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-            "Verification returned code %d", major_status);
+            "Client %s us their credential",
+            (ret_flags & GSS_C_DELEG_FLAG) ? "sent" : "didn't send");
   if (output_token.length) {
      char *token = NULL;
      size_t len;
      
-     len = ap_base64encode_len(output_token.length) + 1;
-     token = ap_pcalloc(r->connection->pool, len + 1);
+     len = apr_base64_encode_len(output_token.length) + 1;
+     token = apr_pcalloc(r->connection->pool, len + 1);
      if (token == NULL) {
        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                   "ap_pcalloc() failed (not enough memory)");
@@ -1342,7 +1356,7 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
        gss_release_buffer(&minor_status2, &output_token);
        goto end;
      }
-     ap_base64encode(token, output_token.value, output_token.length);
+     apr_base64_encode(token, output_token.value, output_token.length);
      token[len] = '\0';
      *negotiate_ret_value = token;
      log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
@@ -1358,7 +1372,7 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
                  "Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.");
 
      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-               "%s", get_gss_error(r->pool, major_status, minor_status,
+               "%s", get_gss_error(r, major_status, minor_status,
                                    "gss_accept_sec_context() failed"));
      /* Don't offer the Negotiate method again if call to GSS layer failed */
      *negotiate_ret_value = NULL;
@@ -1380,14 +1394,14 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
   gss_release_name(&minor_status, &client_name); 
   if (GSS_ERROR(major_status)) {
     log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-              "%s", get_gss_error(r->pool, major_status, minor_status,
-                                  "gss_export_name() failed"));
+              "%s", get_gss_error(r, major_status, minor_status,
+                                  "gss_display_name() failed"));
     ret = HTTP_INTERNAL_SERVER_ERROR;
     goto end;
   }
 
   MK_AUTH_TYPE = MECH_NEGOTIATE;
-  MK_USER = ap_pstrdup(r->pool, output_token.value);
+  MK_USER = apr_pstrdup(r->pool, output_token.value);
 
   if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
      store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
@@ -1445,12 +1459,12 @@ set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf,
 #ifdef KRB5
    if (negotiate_ret_value != NULL && conf->krb_method_gssapi) {
       negoauth_param = (*negotiate_ret_value == '\0') ? MECH_NEGOTIATE :
-                 ap_pstrcat(r->pool, MECH_NEGOTIATE " ", negotiate_ret_value, NULL);
-      ap_table_add(r->err_headers_out, header_name, negoauth_param);
+                 apr_pstrcat(r->pool, MECH_NEGOTIATE " ", negotiate_ret_value, NULL);
+      apr_table_add(r->err_headers_out, header_name, negoauth_param);
    }
    if ((use_krb5pwd && conf->krb_method_k5pass) || conf->krb_delegate_basic) {
-      ap_table_add(r->err_headers_out, header_name,
-                  ap_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL));
+      apr_table_add(r->err_headers_out, header_name,
+                  apr_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL));
       set_basic = 1;
    }
 #endif
@@ -1458,8 +1472,8 @@ set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf,
 #ifdef KRB4
    if (!set_basic && 
        ((use_krb4 && conf->krb_method_k4pass) || conf->krb_delegate_basic))
-      ap_table_add(r->err_headers_out, header_name,
-                 ap_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL));
+      apr_table_add(r->err_headers_out, header_name,
+                 apr_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL));
 #endif
 }
 
@@ -1555,14 +1569,46 @@ kerb_authenticate_user(request_rec *r)
    return ret;
 }
 
+int
+have_rcache_type(const char *type)
+{
+   krb5_error_code ret;
+   krb5_context context;
+   krb5_rcache id = NULL;
+   int found;
+
+   ret = krb5_init_context(&context);
+   if (ret)
+      return 0;
+
+   ret = krb5_rc_resolve_full(context, &id, "none:");
+   found = (ret == 0);
+
+   if (ret == 0)
+      krb5_rc_destroy(context, id);
+   krb5_free_context(context);
+
+   return found;
+}
 
 /*************************************************************************** 
  Module Setup/Configuration
  ***************************************************************************/
 #ifndef STANDARD20_MODULE_STUFF
+static void
+kerb_module_init(server_rec *dummy, pool *p)
+{
+#ifndef HEIMDAL
+   /* Suppress the MIT replay cache.  Requires MIT Kerberos 1.4.0 or later.
+      1.3.x are covered by the hack overiding the replay calls */
+   if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
+      putenv(strdup("KRB5RCACHETYPE=none"));
+#endif
+}
+
 module MODULE_VAR_EXPORT auth_kerb_module = {
        STANDARD_MODULE_STUFF,
-       NULL,                           /*      module initializer            */
+       kerb_module_init,               /*      module initializer            */
        kerb_dir_create_config,         /*      per-directory config creator  */
        NULL,                           /*      per-directory config merger   */
        NULL,                           /*      per-server    config creator  */
@@ -1593,6 +1639,13 @@ kerb_init_handler(apr_pool_t *p, apr_pool_t *plog,
                  apr_pool_t *ptemp, server_rec *s)
 {
    ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION);
+#ifndef HEIMDAL
+   /* Suppress the MIT replay cache.  Requires MIT Kerberos 1.4.0 or later.
+      1.3.x are covered by the hack overiding the replay calls */
+   if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
+      putenv(strdup("KRB5RCACHETYPE=none"));
+#endif
+   
    return OK;
 }