search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
minor: coverity comments
[lighttpd.git] / src / mod_authn_gssapi.c
bloba2afffc094a0f217bf1fd25b026dccd9f11c1942
1 #include "first.h"
2
3 /* mod_authn_gssapi
4 *
5 * - provides http_auth_backend_t "gssapi" for HTTP auth Basic realm="Kerberos"
6 * - provides http_auth_scheme_t "Negotiate"
7 * - (does not provide http_auth_backend_t for HTTP auth Digest)
8 *
9 * Note: Credentials cache (KRB5CCNAME) is exported into CGI and SSI environment
10 * as well as passed to FastCGI and SCGI (useful if on same machine
11 * and running under same user account with access to KRB5CCNAME file).
12 * Credentials are clean up at the end of each request.
13 *
14 * LIMITATIONS:
15 * - no rate limiting of auth requests, so remote attacker can send many auth
16 * requests very quickly if attempting brute force password cracking attack
17 *
18 * FUTURE POTENTIAL PERFORMANCE ENHANCEMENTS:
19 * - Kerberos auth is synchronous and blocks waiting for response
20 * TODO: attempt async?
21 */
22
23 #include "plugin.h"
24
25 #include <krb5.h>
26 #include <gssapi.h>
27 #include <gssapi/gssapi_krb5.h>
28
29 #include "http_auth.h"
30 #include "base.h"
31 #include "log.h"
32 #include "md5.h"
33 #include "base64.h"
34 #include "response.h"
35
36 #include <errno.h>
37 #include <stdlib.h>
38 #include <string.h>
39
40 typedef struct {
41 buffer *auth_gssapi_keytab;
42 buffer *auth_gssapi_principal;
43 } plugin_config;
44
45 typedef struct {
46 PLUGIN_DATA;
47 plugin_config **config_storage;
48 plugin_config conf;
49 buffer *auth_cred;
50 } plugin_data;
51
52 static handler_t mod_authn_gssapi_check(server *srv, connection *con, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend);
53 static handler_t mod_authn_gssapi_basic(server *srv, connection *con, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw);
54
55 static plugin_data *plugin_data_singleton;
56
57 INIT_FUNC(mod_authn_gssapi_init) {
58 static http_auth_scheme_t http_auth_scheme_gssapi =
59 { "gssapi", mod_authn_gssapi_check, NULL };
60 static http_auth_backend_t http_auth_backend_gssapi =
61 { "gssapi", mod_authn_gssapi_basic, NULL, NULL };
62 plugin_data *p = calloc(1, sizeof(*p));
63
64 /* register http_auth_scheme_gssapi and http_auth_backend_gssapi */
65 http_auth_scheme_gssapi.p_d = p;
66 http_auth_scheme_set(&http_auth_scheme_gssapi);
67 http_auth_backend_gssapi.p_d = p;
68 http_auth_backend_set(&http_auth_backend_gssapi);
69
70 plugin_data_singleton = p;
71 return p;
72 }
73
74 FREE_FUNC(mod_authn_gssapi_free) {
75 plugin_data *p = p_d;
76
77 UNUSED(srv);
78
79 if (!p) return HANDLER_GO_ON;
80
81 if (p->config_storage) {
82 size_t i;
83 for (i = 0; i < srv->config_context->used; i++) {
84 plugin_config *s = p->config_storage[i];
85
86 if (NULL == s) continue;
87
88 buffer_free(s->auth_gssapi_keytab);
89 buffer_free(s->auth_gssapi_principal);
90
91 free(s);
92 }
93 free(p->config_storage);
94 }
95
96 free(p);
97
98 return HANDLER_GO_ON;
99 }
100
101 SETDEFAULTS_FUNC(mod_authn_gssapi_set_defaults) {
102 plugin_data *p = p_d;
103 size_t i;
104 config_values_t cv[] = {
105 { "auth.backend.gssapi.keytab", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
106 { "auth.backend.gssapi.principal", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
107 { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
108 };
109
110 p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *));
111
112 for (i = 0; i < srv->config_context->used; i++) {
113 data_config const* config = (data_config const*)srv->config_context->data[i];
114 plugin_config *s;
115
116 s = calloc(1, sizeof(plugin_config));
117
118 s->auth_gssapi_keytab = buffer_init();
119 s->auth_gssapi_principal = buffer_init();
120
121 cv[0].destination = s->auth_gssapi_keytab;
122 cv[1].destination = s->auth_gssapi_principal;
123
124 p->config_storage[i] = s;
125
126 if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
127 return HANDLER_ERROR;
128 }
129 }
130
131 return HANDLER_GO_ON;
132 }
133
134 #define PATCH(x) \
135 p->conf.x = s->x;
136 static int mod_authn_gssapi_patch_connection(server *srv, connection *con, plugin_data *p)
137 {
138 size_t i, j;
139 plugin_config *s = p->config_storage[0];
140
141 PATCH(auth_gssapi_keytab);
142 PATCH(auth_gssapi_principal);
143
144 /* skip the first, the global context */
145 for (i = 1; i < srv->config_context->used; i++) {
146 data_config *dc = (data_config *)srv->config_context->data[i];
147 s = p->config_storage[i];
148
149 /* condition didn't match */
150 if (!config_check_cond(srv, con, dc)) continue;
151
152 /* merge config */
153 for (j = 0; j < dc->value->used; j++) {
154 data_unset *du = dc->value->data[j];
155
156 if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.gssapi.keytab"))) {
157 PATCH(auth_gssapi_keytab);
158 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.gssapi.principal"))) {
159 PATCH(auth_gssapi_principal);
160 }
161 }
162 }
163
164 return 0;
165 }
166 #undef PATCH
167
168 static handler_t mod_authn_gssapi_send_400_bad_request (server *srv, connection *con)
169 {
170 UNUSED(srv);
171 con->http_status = 400;
172 con->mode = DIRECT;
173 return HANDLER_FINISHED;
174 }
175
176 static void mod_authn_gssapi_log_gss_error(server *srv, const char *file, unsigned int line, const char *func, const char *extra, OM_uint32 err_maj, OM_uint32 err_min)
177 {
178 buffer * const msg = buffer_init_string(func);
179 OM_uint32 maj_stat, min_stat;
180 OM_uint32 msg_ctx = 0;
181 gss_buffer_desc status_string;
182
183 buffer_append_string_len(msg, CONST_STR_LEN("("));
184 if (extra) buffer_append_string(msg, extra);
185 buffer_append_string_len(msg, CONST_STR_LEN("):"));
186
187 do {
188 maj_stat = gss_display_status(&min_stat, err_maj, GSS_C_GSS_CODE,
189 GSS_C_NO_OID, &msg_ctx, &status_string);
190 if (GSS_ERROR(maj_stat))
191 break;
192
193 buffer_append_string(msg, status_string.value);
194 gss_release_buffer(&min_stat, &status_string);
195
196 maj_stat = gss_display_status(&min_stat, err_min, GSS_C_MECH_CODE,
197 GSS_C_NULL_OID, &msg_ctx, &status_string);
198 if (!GSS_ERROR(maj_stat)) {
199 buffer_append_string(msg, " (");
200 buffer_append_string(msg, status_string.value);
201 buffer_append_string(msg, ")");
202 gss_release_buffer(&min_stat, &status_string);
203 }
204 } while (!GSS_ERROR(maj_stat) && msg_ctx != 0);
205
206 log_error_write(srv, file, line, "b", msg);
207 buffer_free(msg);
208 }
209
210 static void mod_authn_gssapi_log_krb5_error(server *srv, const char *file, unsigned int line, const char *func, const char *extra, krb5_context context, int code)
211 {
212 UNUSED(context);
213 /*(extra might be NULL)*/
214 log_error_write(srv, file, line, "sssss", func, "(", extra, "):",
215 error_message(code));
216 }
217
218 static int mod_authn_gssapi_create_krb5_ccache(server *srv, connection *con, plugin_data *p, krb5_context kcontext, krb5_principal princ, krb5_ccache *ccache)
219 {
220 buffer * const kccname = buffer_init_string("FILE:/tmp/krb5cc_gssapi_XXXXXX");
221 char * const ccname = kccname->ptr + sizeof("FILE:")-1;
222 const size_t ccnamelen = buffer_string_length(kccname)-(sizeof("FILE:")-1);
223 /*(future: might consider using server.upload-dirs instead of /tmp)*/
224 /* coverity[secure_temp : FALSE] */
225 int fd = mkstemp(ccname);
226 if (fd < 0) {
227 log_error_write(srv, __FILE__, __LINE__, "ss", "mkstemp():", strerror(errno));
228 buffer_free(kccname);
229 return -1;
230 }
231 close(fd);
232
233 do {
234 krb5_error_code problem;
235
236 problem = krb5_cc_resolve(kcontext, kccname->ptr, ccache);
237 if (problem) {
238 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_resolve", NULL, kcontext, problem);
239 break;
240 }
241
242 problem = krb5_cc_initialize(kcontext, *ccache, princ);
243 if (problem) {
244 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_initialize", kccname->ptr, kcontext, problem);
245 break;
246 }
247
248 con->plugin_ctx[p->id] = kccname;
249
250 array_set_key_value(con->environment, CONST_STR_LEN("KRB5CCNAME"), ccname, ccnamelen);
251 array_set_key_value(con->request.headers, CONST_STR_LEN("X-Forwarded-Keytab"), ccname, ccnamelen);
252
253 return 0;
254
255 } while (0);
256
257 if (*ccache) {
258 krb5_cc_destroy(kcontext, *ccache);
259 *ccache = NULL;
260 }
261 unlink(ccname);
262 buffer_free(kccname);
263
264 return -1;
265 }
266
267 /*
268 * HTTP auth Negotiate
269 */
270
271 static handler_t mod_authn_gssapi_send_401_unauthorized_negotiate (server *srv, connection *con)
272 {
273 con->http_status = 401;
274 con->mode = DIRECT;
275 response_header_insert(srv, con, CONST_STR_LEN("WWW-Authenticate"), CONST_STR_LEN("Negotiate"));
276 return HANDLER_FINISHED;
277 }
278
279 static int mod_authn_gssapi_store_gss_creds(server *srv, connection *con, plugin_data *p, char *princ_name, gss_cred_id_t delegated_cred)
280 {
281 OM_uint32 maj_stat, min_stat;
282 krb5_principal princ = NULL;
283 krb5_ccache ccache = NULL;
284 krb5_error_code problem;
285 krb5_context context;
286
287 problem = krb5_init_context(&context);
288 if (problem) {
289 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_init_context", NULL, context, problem);
290 return 0;
291 }
292
293 problem = krb5_parse_name(context, princ_name, &princ);
294 if (problem) {
295 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_parse_name", NULL, context, problem);
296 goto end;
297 }
298
299 if (mod_authn_gssapi_create_krb5_ccache(srv, con, p, context, princ, &ccache))
300 goto end;
301
302 maj_stat = gss_krb5_copy_ccache(&min_stat, delegated_cred, ccache);
303 if (GSS_ERROR(maj_stat)) {
304 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_krb5_copy_ccache", princ_name, maj_stat, min_stat);
305 goto end;
306 }
307
308 krb5_cc_close(context, ccache);
309 krb5_free_principal(context, princ);
310 krb5_free_context(context);
311 return 1;
312
313 end:
314 if (princ)
315 krb5_free_principal(context, princ);
316 if (ccache)
317 krb5_cc_destroy(context, ccache);
318 krb5_free_context(context);
319
320 return 0;
321 }
322
323 static handler_t mod_authn_gssapi_check_spnego(server *srv, connection *con, plugin_data *p, const http_auth_require_t *require, const char *realm_str)
324 {
325 OM_uint32 st_major, st_minor, acc_flags;
326 gss_buffer_desc token_s = GSS_C_EMPTY_BUFFER;
327 gss_buffer_desc token_in = GSS_C_EMPTY_BUFFER;
328 gss_buffer_desc token_out = GSS_C_EMPTY_BUFFER;
329 gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL;
330 gss_cred_id_t client_cred = GSS_C_NO_CREDENTIAL;
331 gss_ctx_id_t context = GSS_C_NO_CONTEXT;
332 gss_name_t server_name = GSS_C_NO_NAME;
333 gss_name_t client_name = GSS_C_NO_NAME;
334
335 /*(future: might modify http_auth_scheme_t to store (void *)p_d
336 * and pass to checkfn, similar to http_auth_backend_t) */
337 buffer *ktname;
338 buffer *sprinc;
339 int ret = 0;
340
341 buffer *t_in = buffer_init();
342 if (!buffer_append_base64_decode(t_in, realm_str, strlen(realm_str), BASE64_STANDARD)) {
343 log_error_write(srv, __FILE__, __LINE__, "ss", "decoding GSSAPI authentication header failed", realm_str);
344 buffer_free(t_in);
345 return mod_authn_gssapi_send_400_bad_request(srv, con);
346 }
347
348 mod_authn_gssapi_patch_connection(srv, con, p);
349
350 /* ??? Should code = krb5_kt_resolve(kcontext, p->conf.auth_gssapi_keytab->ptr, &keytab);
351 * be used, instead of putenv() of KRB5_KTNAME=...? See mod_authn_gssapi_basic() */
352 /* ??? Should KRB5_KTNAME go into con->environment instead ??? */
353 /* ??? Should KRB5_KTNAME be added to mod_authn_gssapi_basic(), too? */
354 ktname = buffer_init_string("KRB5_KTNAME=");
355 buffer_append_string_buffer(ktname, p->conf.auth_gssapi_keytab);
356 putenv(ktname->ptr);
357 /* ktname becomes part of the environment, do not free */
358 /* buffer_free(ktname); */
359
360 sprinc = buffer_init_buffer(p->conf.auth_gssapi_principal);
361 if (strchr(sprinc->ptr, '/') == NULL) {
362 buffer_append_string(sprinc, "/");
363 /*(copy HTTP Host, omitting port if port is present)*/
364 buffer_append_string_len(sprinc, con->request.http_host->ptr, strcspn(con->request.http_host->ptr, ":"));
365 }
366 if (strchr(sprinc->ptr, '@') == NULL) {
367 buffer_append_string(sprinc, "@");
368 buffer_append_string_buffer(sprinc, require->realm);
369 }
370 /*#define GSS_C_NT_USER_NAME gss_nt_user_name*/
371 /*#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name*/
372 #define GSS_KRB5_NT_PRINCIPAL_NAME gss_nt_krb5_name
373
374 token_s.value = sprinc->ptr;
375 token_s.length = buffer_string_length(sprinc);
376 st_major = gss_import_name(&st_minor, &token_s, (gss_OID) GSS_KRB5_NT_PRINCIPAL_NAME, &server_name);
377 if (GSS_ERROR(st_major)) {
378 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_import_name", NULL, st_major, st_minor);
379 goto end;
380 }
381
382 memset(&token_s, 0, sizeof(token_s));
383 st_major = gss_display_name(&st_minor, server_name, &token_s, NULL);
384 if (GSS_ERROR(st_major)) {
385 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_display_name", NULL, st_major, st_minor);
386 goto end;
387 }
388
389 /* acquire server's own credentials */
390 st_major = gss_acquire_cred(&st_minor, server_name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, GSS_C_ACCEPT, &server_cred, NULL, NULL);
391 if (GSS_ERROR(st_major)) {
392 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_acquire_cred", sprinc->ptr, st_major, st_minor);
393 goto end;
394 }
395
396 /* accept the user's context */
397 token_in.length = buffer_string_length(t_in);
398 token_in.value = t_in->ptr;
399 st_major = gss_accept_sec_context(&st_minor, &context, server_cred, &token_in, GSS_C_NO_CHANNEL_BINDINGS,
400 &client_name, NULL, &token_out, &acc_flags, NULL, &client_cred);
401 if (GSS_ERROR(st_major)) {
402 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_accept_sec_context", NULL, st_major, st_minor);
403 goto end;
404 }
405
406 /* fetch the username */
407 st_major = gss_display_name(&st_minor, client_name, &token_out, NULL);
408 if (GSS_ERROR(st_major)) {
409 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_display_name", NULL, st_major, st_minor);
410 goto end;
411 }
412
413 /* check the allow-rules */
414 if (!http_auth_match_rules(require, token_out.value, NULL, NULL)) {
415 log_error_write(srv, __FILE__, __LINE__, "s", "rules didn't match");
416 goto end;
417 }
418
419 if (!(acc_flags & GSS_C_CONF_FLAG)) {
420 log_error_write(srv, __FILE__, __LINE__, "ss", "No confidentiality for user:", token_out.value);
421 goto end;
422 }
423
424 if (!(acc_flags & GSS_C_DELEG_FLAG)) {
425 log_error_write(srv, __FILE__, __LINE__, "ss", "Unable to delegate credentials for user:", token_out.value);
426 goto end;
427 }
428
429 ret = mod_authn_gssapi_store_gss_creds(srv, con, p, token_out.value, client_cred);
430 if (ret)
431 http_auth_setenv(con->environment, token_out.value, token_out.length, CONST_STR_LEN("GSSAPI"));
432
433 end:
434 buffer_free(t_in);
435 if (sprinc)
436 buffer_free(sprinc);
437
438 if (context != GSS_C_NO_CONTEXT)
439 gss_delete_sec_context(&st_minor, &context, GSS_C_NO_BUFFER);
440
441 if (client_cred != GSS_C_NO_CREDENTIAL)
442 gss_release_cred(&st_minor, &client_cred);
443 if (server_cred != GSS_C_NO_CREDENTIAL)
444 gss_release_cred(&st_minor, &server_cred);
445
446 if (client_name != GSS_C_NO_NAME)
447 gss_release_name(&st_minor, &client_name);
448 if (server_name != GSS_C_NO_NAME)
449 gss_release_name(&st_minor, &server_name);
450
451 if (token_s.length)
452 gss_release_buffer(&st_minor, &token_s);
453 /* if (token_in.length)
454 * gss_release_buffer(&st_minor, &token_in); */
455 if (token_out.length)
456 gss_release_buffer(&st_minor, &token_out);
457
458 return ret ? HANDLER_GO_ON : mod_authn_gssapi_send_401_unauthorized_negotiate(srv, con);
459 }
460
461 static handler_t mod_authn_gssapi_check (server *srv, connection *con, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend)
462 {
463 data_string * const ds =
464 (data_string *)array_get_element(con->request.headers, "Authorization");
465
466 UNUSED(backend);
467 if (NULL == ds || buffer_is_empty(ds->value)) {
468 return mod_authn_gssapi_send_401_unauthorized_negotiate(srv, con);
469 }
470
471 if (0 != strncasecmp(ds->value->ptr, "Negotiate ", sizeof("Negotiate ")-1)) {
472 return mod_authn_gssapi_send_400_bad_request(srv, con);
473 }
474
475 return mod_authn_gssapi_check_spnego(srv, con, (plugin_data *)p_d, require, ds->value->ptr+sizeof("Negotiate ")-1);
476 }
477
478 /*
479 * HTTP auth Basic realm="kerberos"
480 */
481
482 static krb5_error_code mod_authn_gssapi_verify_krb5_init_creds(server *srv, krb5_context context, krb5_creds *creds, krb5_principal ap_req_server, krb5_keytab ap_req_keytab)
483 {
484 krb5_error_code ret;
485 krb5_data req;
486 krb5_ccache local_ccache = NULL;
487 krb5_creds *new_creds = NULL;
488 krb5_auth_context auth_context = NULL;
489 krb5_keytab keytab = NULL;
490 char *server_name;
491
492 memset(&req, 0, sizeof(req));
493
494 if (ap_req_keytab == NULL) {
495 ret = krb5_kt_default(context, &keytab);
496 if (ret)
497 return ret;
498 } else
499 keytab = ap_req_keytab;
500
501 ret = krb5_cc_resolve(context, "MEMORY:", &local_ccache);
502 if (ret) {
503 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_cc_resolve() failed when verifying KDC");
504 /* return ret; */
505 goto end;
506 }
507
508 ret = krb5_cc_initialize(context, local_ccache, creds->client);
509 if (ret) {
510 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_cc_initialize() failed when verifying KDC");
511 goto end;
512 }
513
514 ret = krb5_cc_store_cred(context, local_ccache, creds);
515 if (ret) {
516 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_cc_store_cred() failed when verifying KDC");
517 goto end;
518 }
519
520 ret = krb5_unparse_name(context, ap_req_server, &server_name);
521 if (ret) {
522 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_unparse_name() failed when verifying KDC");
523 goto end;
524 }
525 /* log_error_write(srv, __FILE__, __LINE__, "ss", "Trying to verify authenticity of KDC using principal", server_name); */
526 free(server_name);
527
528 if (!krb5_principal_compare(context, ap_req_server, creds->server)) {
529 krb5_creds match_cred;
530
531 memset(&match_cred, 0, sizeof(match_cred));
532
533 match_cred.client = creds->client;
534 match_cred.server = ap_req_server;
535
536 ret = krb5_get_credentials(context, 0, local_ccache, &match_cred, &new_creds);
537 if (ret) {
538 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_get_credentials() failed when verifying KDC");
539 goto end;
540 }
541 creds = new_creds;
542 }
543
544 ret = krb5_mk_req_extended(context, &auth_context, 0, NULL, creds, &req);
545 if (ret) {
546 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_mk_req_extended() failed when verifying KDC");
547 goto end;
548 }
549
550 krb5_auth_con_free(context, auth_context);
551 auth_context = NULL;
552 ret = krb5_auth_con_init(context, &auth_context);
553 if (ret) {
554 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_auth_con_init() failed when verifying KDC");
555 goto end;
556 }
557
558 /* use KRB5_AUTH_CONTEXT_DO_SEQUENCE to skip replay cache checks */
559 krb5_auth_con_setflags(context, auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE);
560 ret = krb5_rd_req(context, &auth_context, &req, ap_req_server, keytab, 0, NULL);
561 if (ret) {
562 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_rd_req() failed when verifying KDC");
563 goto end;
564 }
565
566 end:
567 krb5_free_data_contents(context, &req);
568 if (auth_context)
569 krb5_auth_con_free(context, auth_context);
570 if (new_creds)
571 krb5_free_creds(context, new_creds);
572 if (ap_req_keytab == NULL && keytab)
573 krb5_kt_close(context, keytab);
574 if (local_ccache)
575 krb5_cc_destroy(context, local_ccache);
576
577 return ret;
578 }
579
580 static int mod_authn_gssapi_store_krb5_creds(server *srv, connection *con, plugin_data *p,
581 krb5_context kcontext, krb5_ccache delegated_cred)
582 {
583 krb5_error_code problem;
584 krb5_principal princ = NULL;
585 krb5_ccache ccache = NULL;
586
587 problem = krb5_cc_get_principal(kcontext, delegated_cred, &princ);
588 if (problem) {
589 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_get_principal", NULL, kcontext, problem);
590 goto end;
591 }
592
593 if (mod_authn_gssapi_create_krb5_ccache(srv, con, p, kcontext, princ, &ccache)) {
594 goto end;
595 }
596
597 problem = krb5_cc_copy_creds(kcontext, delegated_cred, ccache);
598 if (problem) {
599 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_copy_creds", NULL, kcontext, problem);
600 goto end;
601 }
602
603 krb5_free_principal(kcontext, princ);
604 krb5_cc_close(kcontext, ccache);
605 return 0;
606
607 end:
608 if (princ)
609 krb5_free_principal(kcontext, princ);
610 if (ccache)
611 krb5_cc_destroy(kcontext, ccache);
612 return -1;
613 }
614
615 static handler_t mod_authn_gssapi_send_401_unauthorized_basic (server *srv, connection *con)
616 {
617 con->http_status = 401;
618 con->mode = DIRECT;
619 response_header_insert(srv, con, CONST_STR_LEN("WWW-Authenticate"), CONST_STR_LEN("Basic realm=\"Kerberos\""));
620 return HANDLER_FINISHED;
621 }
622
623 static handler_t mod_authn_gssapi_basic(server *srv, connection *con, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw)
624 {
625 krb5_context kcontext = NULL;
626 krb5_keytab keytab = NULL;
627 krb5_principal s_princ = NULL;
628 krb5_principal c_princ = NULL;
629 krb5_creds c_creds;
630 krb5_ccache c_ccache = NULL;
631 krb5_ccache ret_ccache = NULL;
632 krb5_error_code code;
633 int ret;
634 buffer *sprinc;
635 buffer *user_at_realm = NULL;
636 plugin_data * const p = (plugin_data *)p_d;
637
638 if (*pw == '\0') {
639 log_error_write(srv, __FILE__, __LINE__, "s", "Empty passwords are not accepted");
640 mod_authn_gssapi_send_401_unauthorized_basic(srv, con);
641 }
642
643 mod_authn_gssapi_patch_connection(srv, con, p);
644
645 code = krb5_init_context(&kcontext);
646 if (code) {
647 log_error_write(srv, __FILE__, __LINE__, "sd", "krb5_init_context():", code);
648 mod_authn_gssapi_send_401_unauthorized_basic(srv, con); /*(well, should be 500)*/
649 }
650
651 code = krb5_kt_resolve(kcontext, p->conf.auth_gssapi_keytab->ptr, &keytab);
652 if (code) {
653 log_error_write(srv, __FILE__, __LINE__, "sdb", "krb5_kt_resolve():", code, p->conf.auth_gssapi_keytab);
654 mod_authn_gssapi_send_401_unauthorized_basic(srv, con); /*(well, should be 500)*/
655 }
656
657 sprinc = buffer_init_buffer(p->conf.auth_gssapi_principal);
658 if (strchr(sprinc->ptr, '/') == NULL) {
659 buffer_append_string(sprinc, "/");
660 /*(copy HTTP Host, omitting port if port is present)*/
661 buffer_append_string_len(sprinc, con->request.http_host->ptr, strcspn(con->request.http_host->ptr, ":"));
662 }
663
664 /*(init c_creds before anything which might krb5_free_cred_contents())*/
665 memset(&c_creds, 0, sizeof(c_creds));
666
667 ret = krb5_parse_name(kcontext, sprinc->ptr, &s_princ);
668 if (ret) {
669 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_parse_name", sprinc->ptr, kcontext, ret);
670 ret = -1;
671 goto end;
672 }
673
674 if (strchr(username->ptr, '@') == NULL) {
675 user_at_realm = buffer_init_buffer(username);
676 BUFFER_APPEND_STRING_CONST(user_at_realm, "@");
677 buffer_append_string_buffer(user_at_realm, require->realm);
678 }
679
680 ret = krb5_parse_name(kcontext, (user_at_realm ? user_at_realm->ptr : username->ptr), &c_princ);
681 if (ret) {
682 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_parse_name", (user_at_realm ? user_at_realm->ptr : username->ptr), kcontext, ret);
683 if (user_at_realm) buffer_free(user_at_realm);
684 ret = -1;
685 goto end;
686 }
687 if (user_at_realm) buffer_free(user_at_realm);
688 /* XXX: if the qualified username with @realm should be in REMOTE_USER,
689 * then http_auth_backend_t basic interface needs to change to pass
690 * modifiable buffer *username, but note that const char *pw follows
691 * in the truncated buffer *username, so pw would need to be copied
692 * before modifying buffer *username */
693
694 /*
695 * char *name = NULL;
696 * ret = krb5_unparse_name(kcontext, c_princ, &name);
697 * if (ret == 0) {
698 * log_error_write(srv, __FILE__, __LINE__, "sbss", "Trying to get TGT for user:", username, "password:", pw);
699 * free(name);
700 * }
701 */
702
703 ret = krb5_get_init_creds_password(kcontext, &c_creds, c_princ, pw, NULL, NULL, 0, NULL, NULL);
704 if (ret) {
705 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_get_init_creds_password", NULL, kcontext, ret);
706 goto end;
707 }
708
709 ret = mod_authn_gssapi_verify_krb5_init_creds(srv, kcontext, &c_creds, s_princ, keytab);
710 if (ret) {
711 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "mod_authn_gssapi_verify_krb5_init_creds", NULL, kcontext, ret);
712 goto end;
713 }
714
715 ret = krb5_cc_resolve(kcontext, "MEMORY:", &ret_ccache);
716 if (ret) {
717 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_resolve", NULL, kcontext, ret);
718 goto end;
719 }
720
721 ret = krb5_cc_initialize(kcontext, ret_ccache, c_princ);
722 if (ret) {
723 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_initialize", NULL, kcontext, ret);
724 goto end;
725 }
726
727 ret = krb5_cc_store_cred(kcontext, ret_ccache, &c_creds);
728 if (ret) {
729 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_store_cred", NULL, kcontext, ret);
730 goto end;
731 }
732
733 c_ccache = ret_ccache;
734 ret_ccache = NULL;
735
736 end:
737
738 krb5_free_cred_contents(kcontext, &c_creds);
739 if (ret_ccache)
740 krb5_cc_destroy(kcontext, ret_ccache);
741
742 if (!ret && c_ccache && (ret = mod_authn_gssapi_store_krb5_creds(srv, con, p, kcontext, c_ccache))) {
743 log_error_write(srv, __FILE__, __LINE__, "sb", "mod_authn_gssapi_store_krb5_creds failed for", username);
744 }
745
746 if (c_princ)
747 krb5_free_principal(kcontext, c_princ);
748 if (s_princ)
749 krb5_free_principal(kcontext, s_princ);
750 if (sprinc)
751 buffer_free(sprinc);
752 if (c_ccache)
753 krb5_cc_destroy(kcontext, c_ccache);
754 if (keytab)
755 krb5_kt_close(kcontext, keytab);
756
757 krb5_free_context(kcontext);
758
759 if (0 == ret && http_auth_match_rules(require,username->ptr,NULL,NULL)){
760 return HANDLER_GO_ON;
761 }
762 else {
763 /* ret == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN or no authz rules match */
764 log_error_write(srv, __FILE__, __LINE__, "sbsBsB", "password doesn't match for", con->uri.path, "username:", username, ", IP:", con->dst_addr_buf);
765 return mod_authn_gssapi_send_401_unauthorized_basic(srv, con);
766 }
767 }
768
769
770 REQUESTDONE_FUNC(mod_authn_gssapi_request_done) {
771 plugin_data *p = (plugin_data *)p_d;
772 buffer *kccname = (buffer *)con->plugin_ctx[p->id];
773 if (NULL != kccname) {
774 con->plugin_ctx[p->id] = NULL;
775 unlink(kccname->ptr+sizeof("FILE:")-1);
776 buffer_free(kccname);
777 }
778
779 UNUSED(srv);
780 return HANDLER_GO_ON;
781 }
782
783 int mod_authn_gssapi_plugin_init(plugin *p);
784 int mod_authn_gssapi_plugin_init(plugin *p) {
785 p->version = LIGHTTPD_VERSION_ID;
786 p->name = buffer_init_string("authn_gssapi");
787 p->init = mod_authn_gssapi_init;
788 p->set_defaults= mod_authn_gssapi_set_defaults;
789 p->cleanup = mod_authn_gssapi_free;
790 p->handle_request_done = mod_authn_gssapi_request_done;
791
792 p->data = NULL;
793
794 return 0;
795 }
A fast webserver with minimal memory-footprint (lighttpd)