components/apache2/mod_auth_gss/mod_auth_gss.c
author Petr Sumbera <petr.sumbera@oracle.com>
Thu, 02 Jun 2011 00:54:08 -0700
changeset 278 77b380ba9d84
permissions -rw-r--r--
7045614 Move Apache Web server to userland 6844584 mod_perl packaging improvements
/*
 * Wyllys Ingersoll <[email protected]>
 *
 * Based on work by
 *   Daniel Kouril <[email protected]>
 *   James E. Robinson, III <[email protected]>
 *   Daniel Henninger <[email protected]>
 *   Ludek Sulak <[email protected]>
 */
/* ====================================================================
 * The Apache Software License, Version 1.1
 *
 * Copyright (c) 2000-2003 The Apache Software Foundation.  All rights
 * reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. The end-user documentation included with the redistribution,
 *    if any, must include the following acknowledgment:
 *       "This product includes software developed by the
 *        Apache Software Foundation (http://www.apache.org/)."
 *    Alternately, this acknowledgment may appear in the software itself,
 *    if and wherever such third-party acknowledgments normally appear.
 *
 * 4. The names "Apache" and "Apache Software Foundation" must
 *    not be used to endorse or promote products derived from this
 *    software without prior written permission. For written
 *    permission, please contact [email protected]
 *
 * 5. Products derived from this software may not be called "Apache",
 *    nor may "Apache" appear in their name, without prior written
 *    permission of the Apache Software Foundation.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * ====================================================================
 *
 * This software consists of voluntary contributions made by many
 * individuals on behalf of the Apache Software Foundation.  For more
 * information on the Apache Software Foundation, please see
 * <http://www.apache.org/>.
 *
 * Portions of this software are based upon public domain software
 * originally written at the National Center for Supercomputing Applications,
 * University of Illinois, Urbana-Champaign.
 */
/*
 * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
 */
#include <sys/types.h>
#include <limits.h>
#include <stdlib.h>
#include <strings.h>

#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_protocol.h"
#include "http_request.h"
#include "ap_config.h"
#include "apr_base64.h"
#include "apr_lib.h"
#include "apr_time.h"
#include "apr_errno.h"
#include "apr_global_mutex.h"
#include "apr_strings.h"
#include "ap_compat.h"

#include <gssapi/gssapi.h>
#include <gssapi/gssapi_ext.h>
/* Module descriptor; the full definition (AP_MODULE_DECLARE_DATA) is below. */
module auth_gss_module;

/* Per-directory config constructor, referenced from the module descriptor. */
static void *gss_create_dir_config(apr_pool_t *, char *);

/*
 * check_user_id hook installed by gss_register_hooks().  Prototype only;
 * the implementation is not part of this section of the file.
 */
int gss_authenticate(request_rec *);
/*
 * Per-directory configuration.  Created with defaults by
 * gss_create_dir_config() and overwritten by the AuthGSS* directive
 * handlers, which store the directive argument pointer as-is (no copy).
 */
typedef struct {
	char *gss_service_name;	/* AuthGSSServiceName; default "HTTP" */
	char *keytab_file;	/* AuthGSSKeytabFile; default /var/apache2/http.keytab */
	int gss_debug;		/* AuthGssDebug level; 0 = no debug logging */
} gss_auth_config;
/*
 * Handler for the AuthGSSServiceName directive: records the service
 * name in the per-directory configuration.  The argument pointer is
 * stored directly (not copied).  Always succeeds and returns NULL;
 * cmd is unused.
 */
static const char *set_service_name(cmd_parms *cmd, void *config,
	const char *name)
{
	gss_auth_config *conf = config;

	(void)cmd;
	conf->gss_service_name = (char *)name;

	return NULL;
}
/*
 * Handler for the AuthGSSKeytabFile directive: records the keytab path
 * in the per-directory configuration.  The argument pointer is stored
 * directly (not copied).  Always succeeds and returns NULL; cmd is unused.
 */
static const char *set_keytab_file(cmd_parms *cmd, void *config,
	const char *file)
{
	gss_auth_config *conf = config;

	(void)cmd;
	conf->keytab_file = (char *)file;

	return NULL;
}
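/*
 * Handler for the AuthGssDebug directive.  Parses the argument as a
 * decimal integer into gss_debug.  Unlike atoi(), a non-numeric,
 * partially numeric or out-of-int-range argument is reported back to
 * httpd as a configuration error rather than silently becoming 0
 * (which would leave debugging off after a typo).
 *
 * Returns NULL on success, or an error string for httpd to report.
 * cmd is unused.
 */
static const char *set_gss_debug(cmd_parms *cmd, void *config,
	const char *debugflag)
{
	gss_auth_config *conf = config;
	char *end = NULL;
	long value;

	(void)cmd;

	value = strtol(debugflag, &end, 10);
	/* Reject empty input, trailing garbage, and values that do not fit an int. */
	if (end == debugflag || *end != '\0' ||
	    value < INT_MIN || value > INT_MAX) {
		return "AuthGssDebug requires an integer argument";
	}

	conf->gss_debug = (int)value;

	return NULL;
}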
/*
 * Configuration directives understood by this module.  All three are
 * permitted in OR_AUTHCFG contexts and take exactly one argument, which
 * the setter stores into the gss_auth_config made by
 * gss_create_dir_config().
 */
static const command_rec gss_auth_cmds[] = {
	/* Service name used for authentication (default "HTTP"). */
	AP_INIT_TAKE1("AuthGSSServiceName", set_service_name, NULL,
		OR_AUTHCFG, "Service name used for authentication."),

	/* Keytab path (default /var/apache2/http.keytab). */
	AP_INIT_TAKE1("AuthGSSKeytabFile", set_keytab_file, NULL,
		OR_AUTHCFG,
		"Location of Kerberos V5 keytab file."),

	/* Integer debug level, parsed by set_gss_debug(). */
	AP_INIT_TAKE1("AuthGssDebug", set_gss_debug, NULL,
		OR_AUTHCFG,
		"Enable debug logging in error_log"),
	{ NULL }	/* terminator */
};
/*
 * Hook registration entry point named in the module descriptor.
 * Installs gss_authenticate() as a check_user_id hook at middle
 * priority with no predecessor/successor ordering constraints.
 * The pool argument is not needed.
 */
static void
gss_register_hooks(apr_pool_t *p)
{
	(void)p;

	ap_hook_check_user_id(gss_authenticate, NULL, NULL, APR_HOOK_MIDDLE);
}
/*
 * Module descriptor.  Only per-directory configuration is provided:
 * there is no server-level config and no merge function, so (per the
 * "override" default noted below) a nested scope's settings replace
 * its parent's instead of being merged.
 */
module AP_MODULE_DECLARE_DATA auth_gss_module = {
	STANDARD20_MODULE_STUFF,
	gss_create_dir_config,	/* dir config creator */
	NULL,			/* dir merger --- default is to override */
	NULL,			/* server config */
	NULL,			/* merge server config */
	gss_auth_cmds,		/* command apr_table_t */
	gss_register_hooks		/* register hooks */
};
/*
 * GSS state kept for a connection.  NOTE(review): the code that fills
 * and releases these handles is not in this section of the file —
 * confirm lifetime and release (gss_delete_sec_context/gss_release_cred)
 * against gss_authenticate().
 */
typedef struct {
	gss_ctx_id_t context;		/* security context handle */
	gss_cred_id_t server_creds;	/* presumably the acceptor's credentials */
} gss_connection_t;
/*
 * File-scope pointer to the current connection's GSS state, shared by
 * every request this process handles.  No synchronisation around it is
 * visible here; NOTE(review): verify it is safe under a threaded MPM.
 */
static gss_connection_t *gss_connection = NULL;
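/*
 * Allocate the per-directory configuration from pool p and fill in the
 * defaults: service name "HTTP", keytab /var/apache2/http.keytab,
 * debugging off.  The directory path d is unused.
 *
 * Returns the new record as void * for the module descriptor.  The
 * previous version cast the already-typed pointer on every field
 * assignment and cast the apr_pcalloc() result; both were redundant.
 */
static void *
gss_create_dir_config(apr_pool_t *p, char *d)
{
	gss_auth_config *rec = apr_pcalloc(p, sizeof(*rec));

	(void)d;

	rec->gss_service_name = "HTTP";
	rec->keytab_file = "/var/apache2/http.keytab";
	/* Already zero from apr_pcalloc(); kept explicit to document the default. */
	rec->gss_debug = 0;

	return rec;
}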
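/*
 * printf-style wrapper around ap_log_rerror() for this module.
 *
 * The caller's format and arguments are rendered into a fixed buffer
 * first and the result is logged through a constant "%s" format, so a
 * message that happens to contain '%' (e.g. text echoed from a GSS
 * status string) is never interpreted as a format by ap_log_rerror().
 * Messages longer than the buffer are silently truncated.
 *
 * file, line   origin of the message (normally APLOG_MARK)
 * level        APLOG_* level; APLOG_NOERRNO is OR-ed in for compatibility
 * status       apr_status_t to log with the message
 * r            request the message belongs to
 * fmt, ...     printf-style message
 */
void log_rerror(const char *file, int line, int level, int status,
                const request_rec *r, const char *fmt, ...)
{
	char errstr[1024];
	va_list ap;

	va_start(ap, fmt);
	vsnprintf(errstr, sizeof(errstr), fmt, ap);
	va_end(ap);

	/*
	 * Forward the caller's status.  The previous version passed NULL in
	 * this integer slot, so the status argument was always dropped.
	 */
	ap_log_rerror(file, line, level | APLOG_NOERRNO, status, r, "%s", errstr);
}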
/*********************************************************************
 * GSSAPI Authentication
 ********************************************************************/
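/*
 * Build a human-readable description of a failed GSS-API call.
 *
 * p      - pool the returned string is allocated from; the caller must not
 *          free it.
 * maj    - major status code returned by the failed call.
 * min    - mechanism-specific minor status code from the same call.
 * prefix - text placed in front of the status text, e.g.
 *          "gss_import_name() failed".
 *
 * Returns "<prefix>: <major text> (<minor text>)" allocated from p.
 *
 * The major and minor codes are expanded with separate gss_display_status()
 * message contexts: a context belongs to one status code, and the previous
 * version fed the context left over from the GSS_C_GSS_CODE lookup into the
 * GSS_C_MECH_CODE lookup (and used the mech-code context to end the loop).
 * Each returned buffer is copied by its length with apr_pstrmemdup(), so a
 * status buffer that is not NUL-terminated is not over-read.
 */
static const char *
gss_error_msg(apr_pool_t *p, OM_uint32 maj, OM_uint32 min, char *prefix)
{
	OM_uint32 maj_stat, min_stat;
	OM_uint32 msg_ctx;
	gss_buffer_desc msg;
	char *err_msg = apr_pstrdup(p, prefix);

	/* Major status: every GSS-level message for this code, ": " separated. */
	msg_ctx = 0;
	do {
		maj_stat = gss_display_status(&min_stat, maj, GSS_C_GSS_CODE,
		    GSS_C_NO_OID, &msg_ctx, &msg);
		if (GSS_ERROR(maj_stat))
			break;
		err_msg = apr_pstrcat(p, err_msg, ": ",
		    apr_pstrmemdup(p, msg.value, msg.length), NULL);
		(void) gss_release_buffer(&min_stat, &msg);
	} while (msg_ctx != 0);

	/* Minor status: mechanism detail, appended in parentheses. */
	msg_ctx = 0;
	do {
		maj_stat = gss_display_status(&min_stat, min, GSS_C_MECH_CODE,
		    GSS_C_NULL_OID, &msg_ctx, &msg);
		if (GSS_ERROR(maj_stat))
			break;
		err_msg = apr_pstrcat(p, err_msg, " (",
		    apr_pstrmemdup(p, msg.value, msg.length), ")", NULL);
		(void) gss_release_buffer(&min_stat, &msg);
	} while (msg_ctx != 0);

	return (err_msg);
}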
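/*
 * APR pool cleanup for the per-connection GSS state.
 *
 * data - the gss_connection_t that was passed to apr_pool_cleanup_register()
 *        (NULL is tolerated and does nothing).
 *
 * Releases the accepted security context and the acceptor credential held
 * in the connection state, then clears the file-scope gss_connection pointer.
 * The state is allocated from the connection pool, so once that pool is
 * destroyed the global would otherwise keep pointing at freed memory and the
 * next connection would reuse it. Always returns 0, as pool cleanups do.
 *
 * The unused "ret" local of the previous version has been dropped.
 */
static int
cleanup_gss_connection(void *data)
{
	OM_uint32 minor_status;
	gss_connection_t *gss_conn = data;

	if (gss_conn == NULL)
		return 0;

	/* Per RFC 2744 the call resets the handle to GSS_C_NO_CONTEXT. */
	if (gss_conn->context != GSS_C_NO_CONTEXT) {
		(void) gss_delete_sec_context(&minor_status,
		    &gss_conn->context, GSS_C_NO_BUFFER);
	}

	/* Per RFC 2744 the call resets the handle to GSS_C_NO_CREDENTIAL. */
	if (gss_conn->server_creds != GSS_C_NO_CREDENTIAL) {
		(void) gss_release_cred(&minor_status, &gss_conn->server_creds);
	}

	gss_connection = NULL;

	return 0;
}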
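/*
 * Acquire the acceptor (server) credential for this request.
 *
 * r            - current request; r->pool is used for error strings and
 *                r->hostname supplies the host part of the service name.
 * conf         - module configuration; conf->gss_service_name is the service
 *                part of the principal and conf->gss_debug enables debug
 *                logging.
 * mechset      - set of mechanisms the credential must support.
 * server_creds - out: receives the acquired credential on success.
 *
 * Returns 0 on success, or HTTP_INTERNAL_SERVER_ERROR after logging the
 * reason. The imported server name is released on every path that reaches
 * gss_acquire_cred().
 *
 * NOTE(review): r->hostname is derived from the client's request (Host
 * header or absolute-URI host), so the client influences which principal's
 * key is looked up. Deployments that want a fixed acceptor principal could
 * use ap_get_server_name(r) with UseCanonicalName On, or a configured name;
 * not changed here because it alters virtual-host behaviour.
 */
static int
acquire_server_creds(request_rec *r,
	gss_auth_config *conf,
	gss_OID_set mechset,
	gss_cred_id_t *server_creds)
{
	int ret = 0;
	int len;
	gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
	OM_uint32 major_status, minor_status, minor_status2;
	gss_name_t server_name = GSS_C_NO_NAME;
	char buf[1024];

	/* "%s" with a NULL argument is undefined behaviour; fail explicitly. */
	if (conf->gss_service_name == NULL || r->hostname == NULL) {
		log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
		    "acquire_server_creds: service name or request host missing");
		return (HTTP_INTERNAL_SERVER_ERROR);
	}

	/* Host-based service name, "service@host", for gss_import_name(). */
	len = snprintf(buf, sizeof(buf), "%s@%s",
	    conf->gss_service_name, r->hostname);
	if (len < 0 || (size_t)len >= sizeof(buf)) {
		/* A truncated name would silently name a different principal. */
		log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
		    "acquire_server_creds: service name too long");
		return (HTTP_INTERNAL_SERVER_ERROR);
	}

	if (conf->gss_debug)
		log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
		    "acquire_server_creds for %s", buf);

	/* Length includes the terminating NUL, as the original module did. */
	input_token.value = buf;
	input_token.length = strlen(buf) + 1;

	major_status = gss_import_name(&minor_status, &input_token,
	    GSS_C_NT_HOSTBASED_SERVICE, &server_name);
	if (GSS_ERROR(major_status)) {
		/* Nothing was imported, so there is no name to release. */
		log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
		    "%s", gss_error_msg(r->pool, major_status, minor_status,
		    "gss_import_name() failed"));
		return (HTTP_INTERNAL_SERVER_ERROR);
	}

	major_status = gss_acquire_cred(&minor_status, server_name,
	    GSS_C_INDEFINITE, mechset, GSS_C_ACCEPT,
	    server_creds, NULL, NULL);
	if (GSS_ERROR(major_status)) {
		log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
		    "%s", gss_error_msg(r->pool, major_status, minor_status,
		    "gss_acquire_cred() failed"));
		ret = HTTP_INTERNAL_SERVER_ERROR;
	}

	/* Separate minor status so the acquire failure's code is not clobbered. */
	(void) gss_release_name(&minor_status2, &server_name);

	return (ret);
}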
static int
authenticate_user_gss(request_rec *r, gss_auth_config *conf,
	const char *auth_line, char **negotiate_ret_value)
{
	int ret = 0;
	OM_uint32 major_status, minor_status, minor_status2;
	gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
	gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
	const char *auth_param = NULL;
	gss_name_t client_name = GSS_C_NO_NAME;
	gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;
	if (conf->gss_debug)
		log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
		"authenticate_user_gss called");
	*negotiate_ret_value = (char *)"";
	if (gss_connection == NULL) {
		gss_connection = apr_pcalloc(r->connection->pool, sizeof(*gss_connection));
		if (gss_connection == NULL) {
			log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
		           "apr_pcalloc() failed (not enough memory)");
			ret = HTTP_INTERNAL_SERVER_ERROR;
			goto end;
		}
		(void) memset(gss_connection, 0, sizeof(*gss_connection));
		apr_pool_cleanup_register(r->connection->pool, gss_connection,
			cleanup_gss_connection, apr_pool_cleanup_null);
	}
	if (conf->keytab_file) {
		char *ktname;
		/*
		 * We don't use the ap_* calls here, since the string 
		 * passed to putenv() will become part of the enviroment 
		 * and shouldn't be free()ed by apache.
		 */
		ktname = malloc(strlen("KRB5_KTNAME=") + strlen(conf->keytab_file) + 1);
		if (ktname == NULL) {
			log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 
				"malloc() failed: not enough memory");
			ret = HTTP_INTERNAL_SERVER_ERROR;
			goto end;
		}
		/*
		 * Put the keytab name in the environment so that Kerberos
		 * knows where to look later.
		 */
		sprintf(ktname, "KRB5_KTNAME=%s", conf->keytab_file);
		putenv(ktname);
		if (conf->gss_debug)
			log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Using keytab: %s", ktname);
	}
	/* ap_getword() shifts parameter */
	auth_param = ap_getword_white(r->pool, &auth_line);
	if (auth_param == NULL) {
		log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
			"No Authorization parameter in request from client");
		ret = HTTP_UNAUTHORIZED;
		goto end;
	}
	input_token.length = apr_base64_decode_len(auth_param) + 1;
	input_token.value = apr_pcalloc(r->connection->pool, input_token.length);
	if (input_token.value == NULL) {
		log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
	   	"apr_pcalloc() failed (not enough memory)");
		ret = HTTP_INTERNAL_SERVER_ERROR;
		goto end;
	}
	input_token.length = apr_base64_decode(input_token.value, auth_param);
	if (gss_connection->server_creds == GSS_C_NO_CREDENTIAL) {
		gss_OID_set_desc desiredMechs;
		gss_OID_desc client_mech_desc;
		gss_OID client_mechoid = &client_mech_desc;
		char *mechstr = NULL;
		if (!__gss_get_mech_type(client_mechoid, &input_token)) {
			mechstr = (char *)__gss_oid_to_mech(client_mechoid);
		}
		if (mechstr == NULL) {
			client_mechoid = GSS_C_NULL_OID;
			mechstr = "<unknown>";
		}
		if (conf->gss_debug)   
			log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
				"Client wants GSS mech: %s", mechstr);
		desiredMechs.count = 1;
		desiredMechs.elements = client_mechoid;
		/* Get creds using the mechanism that the client requested */
		ret = acquire_server_creds(r, conf, &desiredMechs,
			&gss_connection->server_creds);
		if (ret)
			goto end;
	} 
	/*
	 * Try to display the server creds information.
	 */
	if (conf->gss_debug) {
		gss_name_t sname;
		gss_buffer_desc dname;
		major_status = gss_inquire_cred(&minor_status,
			gss_connection->server_creds,
			&sname, NULL, NULL, NULL);
		if (major_status == GSS_S_COMPLETE) {
			major_status = gss_display_name(&minor_status,
				sname, &dname, NULL);
		}
		if (major_status == GSS_S_COMPLETE) {
			log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
				"got server creds for: %.*s",
				(int)dname.length,
				(char *)dname.value);
			(void) gss_release_name(&minor_status, &sname);
			(void) gss_release_buffer(&minor_status, &dname);
		}
	}
	major_status = gss_accept_sec_context(&minor_status,
			  &gss_connection->context,
			  gss_connection->server_creds,
			  &input_token,
			  GSS_C_NO_CHANNEL_BINDINGS,
			  &client_name,
			  NULL,
			  &output_token,
			  NULL,
			  NULL,
			  &delegated_cred);
	if (output_token.length) {
		char *token = NULL;
		size_t len;
		len = apr_base64_encode_len(output_token.length) + 1;
		token = apr_pcalloc(r->connection->pool, len + 1);
		if (token == NULL) {
			log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
			"apr_pcalloc() failed (not enough memory)");
			ret = HTTP_INTERNAL_SERVER_ERROR;
			gss_release_buffer(&minor_status2, &output_token);
			goto end;
		}
		apr_base64_encode(token, output_token.value, output_token.length);
		token[len] = '\0';
		*negotiate_ret_value = token;
	}
	if (GSS_ERROR(major_status)) {
		log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
			"%s", gss_error_msg(r->pool, major_status, minor_status,
			"gss_accept_sec_context() failed"));
		/* Don't offer the Negotiate method again if call to GSS layer failed */
		*negotiate_ret_value = NULL;
		ret = HTTP_UNAUTHORIZED;
		goto end;
	}
	if (major_status == GSS_S_CONTINUE_NEEDED) {
		/*
		 * Some GSSAPI mechanisms may require multiple iterations to
		 * establish authentication.  Most notably, when MUTUAL_AUTHENTICATION
		 * flag is used, multiple round trips are needed.
		 */
		ret = HTTP_UNAUTHORIZED;
		goto end;
	}
	if (client_name != GSS_C_NO_NAME) {
		gss_buffer_desc name_token = GSS_C_EMPTY_BUFFER;
		major_status = gss_display_name(&minor_status, client_name,
			&name_token, NULL);
		if (GSS_ERROR(major_status)) {
			log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
				"%s", gss_error_msg(r->pool, major_status,
				minor_status,
				"gss_export_name() failed"));
			ret = HTTP_INTERNAL_SERVER_ERROR;
			goto end;
		}
		if (name_token.length)  {
			r->user = apr_pstrdup(r->pool, name_token.value);
			gss_release_buffer(&minor_status, &name_token);
		}
		if (conf->gss_debug)
			log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
				"Authenticated user: %s",
			r->user ?  r->user : "<unknown>");
	} 
	r->ap_auth_type = "Negotiate";
	ret = OK;
end:
	if (delegated_cred)
		gss_release_cred(&minor_status, &delegated_cred);
	if (output_token.length) 
		gss_release_buffer(&minor_status, &output_token);
	if (client_name != GSS_C_NO_NAME)
		gss_release_name(&minor_status, &client_name);
	cleanup_gss_connection(gss_connection);
	return ret;
}
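/*
 * Report whether this request chain has already been authenticated, so a
 * subrequest or internal redirect is not put through the GSS exchange again.
 *
 * Returns 0 for an initial request, or when no auth type has been recorded
 * on r.  Otherwise returns 1 when the recorded type is anything other than
 * "Negotiate", and for "Negotiate" only when r->user holds a realm-qualified
 * name (contains '@').  That test is kept exactly as it was; the old
 * strcmp() against "Basic" inside the Negotiate branch was always true there
 * and is dropped.
 *
 * r->user can be NULL even when ap_auth_type is "Negotiate": the success
 * path of authenticate_user_gss() sets ap_auth_type unconditionally but
 * r->user only when the displayed client name is non-empty.  The NULL check
 * keeps strchr() from dereferencing it on such a subrequest.
 */
static int
already_succeeded(request_rec *r)
{
	if (ap_is_initial_req(r) || r->ap_auth_type == NULL)
		return 0;

	if (strcmp(r->ap_auth_type, "Negotiate") != 0)
		return 1;

	return (r->user != NULL && strchr(r->user, '@') != NULL);
}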
/*
 * Queue the WWW-Authenticate challenge that accompanies a 401 from this
 * module.
 *
 * negotiate_ret_value selects the challenge:
 *   NULL          - no challenge at all (the caller has decided not to offer
 *                   Negotiate again);
 *   ""            - a bare "Negotiate";
 *   anything else - "Negotiate <value>", i.e. a continuation token for a
 *                   multi-step exchange.
 *
 * The AuthName realm is looked up only for the debug log line.
 */
static void
note_gss_auth_failure(request_rec *r, const gss_auth_config *conf,
	char *negotiate_ret_value)
{
	const char *realm = ap_auth_name(r);
	const char *challenge;

	if (conf->gss_debug) {
		log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
			"note_gss_auth_failure: auth_name = %s",
			realm ? realm : "<undefined>");
	}

	if (negotiate_ret_value == NULL)
		return;

	if (*negotiate_ret_value == '\0')
		challenge = "Negotiate";
	else
		challenge = apr_pstrcat(r->pool, "Negotiate ", negotiate_ret_value, NULL);

	apr_table_add(r->err_headers_out, "WWW-Authenticate", challenge);
}
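/*
 * Authentication entry point for locations configured with AuthType GSSAPI.
 *
 * Returns DECLINED when the location is not configured for GSSAPI,
 * HTTP_UNAUTHORIZED (with a WWW-Authenticate challenge queued through
 * note_gss_auth_failure()) when the client still has to authenticate, OK
 * when authentication is complete, or whatever other status
 * authenticate_user_gss() reports.
 *
 * Two things differ from the earlier shape of this function:
 *  - negotiate_ret_value starts out as an empty string.  Previously it was
 *    left uninitialised, and a request carrying a non-Negotiate
 *    Authorization scheme went straight to note_gss_auth_failure() with that
 *    garbage pointer.  Such a request now receives the bare "Negotiate"
 *    challenge, exactly like a request with no Authorization header.
 *  - The function-static "last_return" is gone.  It was one variable per
 *    process, written on every call and read back for any later non-initial
 *    request, with no synchronisation; under a threaded MPM a subrequest
 *    could be answered with the verdict of an unrelated request.  A
 *    non-initial request that already carries an auth type is now simply
 *    accepted; see the comment at the already_succeeded() call.
 */
int
gss_authenticate(request_rec *r)
{
	int ret;
	gss_auth_config *conf =
		(gss_auth_config *) ap_get_module_config(r->per_dir_config,
			&auth_gss_module);
	const char *auth_type = NULL;
	const char *auth_line = NULL;
	const char *type = NULL;
	/*
	 * Empty string: on failure, offer a bare "Negotiate" challenge.  The
	 * non-Negotiate branch below never assigns this before it is passed to
	 * note_gss_auth_failure(), so it must not be left indeterminate.
	 */
	char *negotiate_ret_value = "\0";

	/* AuthType from the directory / .htaccess configuration. */
	type = ap_auth_type(r);

	if (conf->gss_debug)
		log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
			"gss_authenticate: type = %s", type ? type : "<undefined>");

	/* Not ours: let another auth module handle this location. */
	if (type == NULL || strcasecmp(type, "GSSAPI") != 0)
		return DECLINED;

	/* What the client sent, if anything. */
	auth_line = apr_table_get(r->headers_in, "Authorization");
	if (auth_line == NULL) {
		if (conf->gss_debug)
			log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
				"No authentication data found");
		note_gss_auth_failure(r, conf, "\0");
		return HTTP_UNAUTHORIZED;
	}

	/* First word is the scheme; auth_line is advanced past it to the token. */
	auth_type = ap_getword_white(r->pool, &auth_line);

	/*
	 * ap_auth_type is recorded on the success path of
	 * authenticate_user_gss() (right before it returns OK), so a subrequest
	 * or internal redirect that already carries an auth type was, as far as
	 * this module can tell, authenticated earlier in this request chain.
	 * Accept it without repeating the exchange rather than replaying a
	 * return value remembered from some other request.
	 */
	if (already_succeeded(r))
		return OK;

	if (strcasecmp(auth_type, "Negotiate") == 0)
		ret = authenticate_user_gss(r, conf, auth_line, &negotiate_ret_value);
	else
		ret = HTTP_UNAUTHORIZED;	/* unsupported scheme, e.g. Basic */

	if (ret == HTTP_UNAUTHORIZED) {
		if (conf->gss_debug)
			log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
				"Authentication failed.");
		note_gss_auth_failure(r, conf, negotiate_ret_value);
	}

	return ret;
}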