search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
minor: make packdist.sh more convenient for me
[lighttpd.git] / src / mod_authn_gssapi.c
blob42e9082304f2b4e9bbf66cb7361baa4637d42b2c
1 #include "first.h"
2
3 /* mod_authn_gssapi
4 *
5 * - provides http_auth_backend_t "gssapi" for HTTP auth Basic realm="Kerberos"
6 * - provides http_auth_scheme_t "Negotiate"
7 * - (does not provide http_auth_backend_t for HTTP auth Digest)
8 *
9 * Note: Credentials cache (KRB5CCNAME) is exported into CGI and SSI environment
10 * as well as passed to FastCGI and SCGI (useful if on same machine
11 * and running under same user account with access to KRB5CCNAME file).
12 * Credentials are clean up at the end of each request.
13 *
14 * LIMITATIONS:
15 * - no rate limiting of auth requests, so remote attacker can send many auth
16 * requests very quickly if attempting brute force password cracking attack
17 *
18 * FUTURE POTENTIAL PERFORMANCE ENHANCEMENTS:
19 * - Kerberos auth is synchronous and blocks waiting for response
20 * TODO: attempt async?
21 */
22
23 #include "plugin.h"
24
25 #ifdef HAVE_KRB5
26
27 #include <krb5.h>
28 #include <gssapi.h>
29 #include <gssapi/gssapi_krb5.h>
30
31 #include "http_auth.h"
32 #include "base.h"
33 #include "log.h"
34 #include "md5.h"
35 #include "base64.h"
36 #include "response.h"
37
38 #include <errno.h>
39 #include <stdlib.h>
40 #include <string.h>
41
42 typedef struct {
43 buffer *auth_gssapi_keytab;
44 buffer *auth_gssapi_principal;
45 } plugin_config;
46
47 typedef struct {
48 PLUGIN_DATA;
49 plugin_config **config_storage;
50 plugin_config conf;
51 buffer *auth_cred;
52 } plugin_data;
53
54 static handler_t mod_authn_gssapi_check(server *srv, connection *con, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend);
55 static handler_t mod_authn_gssapi_basic(server *srv, connection *con, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw);
56
57 static plugin_data *plugin_data_singleton;
58
59 INIT_FUNC(mod_authn_gssapi_init) {
60 static http_auth_scheme_t http_auth_scheme_gssapi =
61 { "gssapi", mod_authn_gssapi_check, NULL };
62 static http_auth_backend_t http_auth_backend_gssapi =
63 { "gssapi", mod_authn_gssapi_basic, NULL, NULL };
64 plugin_data *p = calloc(1, sizeof(*p));
65
66 /* register http_auth_scheme_gssapi and http_auth_backend_gssapi */
67 http_auth_scheme_gssapi.p_d = p;
68 http_auth_scheme_set(&http_auth_scheme_gssapi);
69 http_auth_backend_gssapi.p_d = p;
70 http_auth_backend_set(&http_auth_backend_gssapi);
71
72 plugin_data_singleton = p;
73 return p;
74 }
75
76 FREE_FUNC(mod_authn_gssapi_free) {
77 plugin_data *p = p_d;
78
79 UNUSED(srv);
80
81 if (!p) return HANDLER_GO_ON;
82
83 if (p->config_storage) {
84 size_t i;
85 for (i = 0; i < srv->config_context->used; i++) {
86 plugin_config *s = p->config_storage[i];
87
88 if (NULL == s) continue;
89
90 buffer_free(s->auth_gssapi_keytab);
91 buffer_free(s->auth_gssapi_principal);
92
93 free(s);
94 }
95 free(p->config_storage);
96 }
97
98 free(p);
99
100 return HANDLER_GO_ON;
101 }
102
103 SETDEFAULTS_FUNC(mod_authn_gssapi_set_defaults) {
104 plugin_data *p = p_d;
105 size_t i;
106 config_values_t cv[] = {
107 { "auth.backend.gssapi.keytab", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
108 { "auth.backend.gssapi.principal", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
109 { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
110 };
111
112 p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *));
113
114 for (i = 0; i < srv->config_context->used; i++) {
115 data_config const* config = (data_config const*)srv->config_context->data[i];
116 plugin_config *s;
117
118 s = calloc(1, sizeof(plugin_config));
119
120 s->auth_gssapi_keytab = buffer_init();
121 s->auth_gssapi_principal = buffer_init();
122
123 cv[0].destination = s->auth_gssapi_keytab;
124 cv[1].destination = s->auth_gssapi_principal;
125
126 p->config_storage[i] = s;
127
128 if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
129 return HANDLER_ERROR;
130 }
131 }
132
133 return HANDLER_GO_ON;
134 }
135
136 #define PATCH(x) \
137 p->conf.x = s->x;
138 static int mod_authn_gssapi_patch_connection(server *srv, connection *con, plugin_data *p)
139 {
140 size_t i, j;
141 plugin_config *s = p->config_storage[0];
142
143 PATCH(auth_gssapi_keytab);
144 PATCH(auth_gssapi_principal);
145
146 /* skip the first, the global context */
147 for (i = 1; i < srv->config_context->used; i++) {
148 data_config *dc = (data_config *)srv->config_context->data[i];
149 s = p->config_storage[i];
150
151 /* condition didn't match */
152 if (!config_check_cond(srv, con, dc)) continue;
153
154 /* merge config */
155 for (j = 0; j < dc->value->used; j++) {
156 data_unset *du = dc->value->data[j];
157
158 if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.gssapi.keytab"))) {
159 PATCH(auth_gssapi_keytab);
160 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.gssapi.principal"))) {
161 PATCH(auth_gssapi_principal);
162 }
163 }
164 }
165
166 return 0;
167 }
168 #undef PATCH
169
170 static handler_t mod_authn_gssapi_send_400_bad_request (server *srv, connection *con)
171 {
172 UNUSED(srv);
173 con->http_status = 400;
174 con->mode = DIRECT;
175 return HANDLER_FINISHED;
176 }
177
178 static void mod_authn_gssapi_log_gss_error(server *srv, const char *file, unsigned int line, const char *func, const char *extra, OM_uint32 err_maj, OM_uint32 err_min)
179 {
180 buffer * const msg = buffer_init_string(func);
181 OM_uint32 maj_stat, min_stat;
182 OM_uint32 msg_ctx = 0;
183 gss_buffer_desc status_string;
184
185 buffer_append_string_len(msg, CONST_STR_LEN("("));
186 if (extra) buffer_append_string(msg, extra);
187 buffer_append_string_len(msg, CONST_STR_LEN("):"));
188
189 do {
190 maj_stat = gss_display_status(&min_stat, err_maj, GSS_C_GSS_CODE,
191 GSS_C_NO_OID, &msg_ctx, &status_string);
192 if (GSS_ERROR(maj_stat))
193 break;
194
195 buffer_append_string(msg, status_string.value);
196 gss_release_buffer(&min_stat, &status_string);
197
198 maj_stat = gss_display_status(&min_stat, err_min, GSS_C_MECH_CODE,
199 GSS_C_NULL_OID, &msg_ctx, &status_string);
200 if (!GSS_ERROR(maj_stat)) {
201 buffer_append_string(msg, " (");
202 buffer_append_string(msg, status_string.value);
203 buffer_append_string(msg, ")");
204 gss_release_buffer(&min_stat, &status_string);
205 }
206 } while (!GSS_ERROR(maj_stat) && msg_ctx != 0);
207
208 log_error_write(srv, file, line, "b", msg);
209 buffer_free(msg);
210 }
211
212 static void mod_authn_gssapi_log_krb5_error(server *srv, const char *file, unsigned int line, const char *func, const char *extra, krb5_context context, int code)
213 {
214 UNUSED(context);
215 /*(extra might be NULL)*/
216 log_error_write(srv, file, line, "sssss", func, "(", extra, "):",
217 error_message(code));
218 }
219
220 static int mod_authn_gssapi_create_krb5_ccache(server *srv, connection *con, plugin_data *p, krb5_context kcontext, krb5_principal princ, krb5_ccache *ccache)
221 {
222 buffer * const kccname = buffer_init_string("FILE:/tmp/krb5cc_gssapi_XXXXXX");
223 char * const ccname = kccname->ptr + sizeof("FILE:")-1;
224 const size_t ccnamelen = buffer_string_length(kccname)-(sizeof("FILE:")-1);
225 /*(future: might consider using server.upload-dirs instead of /tmp)*/
226 int fd = mkstemp(ccname);
227 if (fd < 0) {
228 log_error_write(srv, __FILE__, __LINE__, "ss", "mkstemp():", strerror(errno));
229 buffer_free(kccname);
230 return -1;
231 }
232 close(fd);
233
234 do {
235 krb5_error_code problem;
236
237 problem = krb5_cc_resolve(kcontext, kccname->ptr, ccache);
238 if (problem) {
239 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_resolve", NULL, kcontext, problem);
240 break;
241 }
242
243 problem = krb5_cc_initialize(kcontext, *ccache, princ);
244 if (problem) {
245 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_initialize", kccname->ptr, kcontext, problem);
246 break;
247 }
248
249 con->plugin_ctx[p->id] = kccname;
250
251 array_set_key_value(con->environment, CONST_STR_LEN("KRB5CCNAME"), ccname, ccnamelen);
252 array_set_key_value(con->request.headers, CONST_STR_LEN("X-Forwarded-Keytab"), ccname, ccnamelen);
253
254 return 0;
255
256 } while (0);
257
258 if (*ccache) {
259 krb5_cc_destroy(kcontext, *ccache);
260 *ccache = NULL;
261 }
262 unlink(ccname);
263 buffer_free(kccname);
264
265 return -1;
266 }
267
268 /*
269 * HTTP auth Negotiate
270 */
271
272 static handler_t mod_authn_gssapi_send_401_unauthorized_negotiate (server *srv, connection *con)
273 {
274 con->http_status = 401;
275 con->mode = DIRECT;
276 response_header_insert(srv, con, CONST_STR_LEN("WWW-Authenticate"), CONST_STR_LEN("Negotiate"));
277 return HANDLER_FINISHED;
278 }
279
280 static int mod_authn_gssapi_store_gss_creds(server *srv, connection *con, plugin_data *p, char *princ_name, gss_cred_id_t delegated_cred)
281 {
282 OM_uint32 maj_stat, min_stat;
283 krb5_principal princ = NULL;
284 krb5_ccache ccache = NULL;
285 krb5_error_code problem;
286 krb5_context context;
287
288 problem = krb5_init_context(&context);
289 if (problem) {
290 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_init_context", NULL, context, problem);
291 return 0;
292 }
293
294 problem = krb5_parse_name(context, princ_name, &princ);
295 if (problem) {
296 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_parse_name", NULL, context, problem);
297 goto end;
298 }
299
300 if (mod_authn_gssapi_create_krb5_ccache(srv, con, p, context, princ, &ccache))
301 goto end;
302
303 maj_stat = gss_krb5_copy_ccache(&min_stat, delegated_cred, ccache);
304 if (GSS_ERROR(maj_stat)) {
305 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_krb5_copy_ccache", princ_name, maj_stat, min_stat);
306 goto end;
307 }
308
309 krb5_cc_close(context, ccache);
310 krb5_free_principal(context, princ);
311 krb5_free_context(context);
312 return 1;
313
314 end:
315 if (princ)
316 krb5_free_principal(context, princ);
317 if (ccache)
318 krb5_cc_destroy(context, ccache);
319 krb5_free_context(context);
320
321 return 0;
322 }
323
324 static handler_t mod_authn_gssapi_check_spnego(server *srv, connection *con, plugin_data *p, const http_auth_require_t *require, const char *realm_str)
325 {
326 OM_uint32 st_major, st_minor, acc_flags;
327 gss_buffer_desc token_s = GSS_C_EMPTY_BUFFER;
328 gss_buffer_desc token_in = GSS_C_EMPTY_BUFFER;
329 gss_buffer_desc token_out = GSS_C_EMPTY_BUFFER;
330 gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL;
331 gss_cred_id_t client_cred = GSS_C_NO_CREDENTIAL;
332 gss_ctx_id_t context = GSS_C_NO_CONTEXT;
333 gss_name_t server_name = GSS_C_NO_NAME;
334 gss_name_t client_name = GSS_C_NO_NAME;
335
336 /*(future: might modify http_auth_scheme_t to store (void *)p_d
337 * and pass to checkfn, similar to http_auth_backend_t) */
338 buffer *ktname;
339 buffer *sprinc;
340 int ret = 0;
341
342 buffer *t_in = buffer_init();
343 if (!buffer_append_base64_decode(t_in, realm_str, strlen(realm_str), BASE64_STANDARD)) {
344 log_error_write(srv, __FILE__, __LINE__, "ss", "decoding GSSAPI authentication header failed", realm_str);
345 buffer_free(t_in);
346 return mod_authn_gssapi_send_400_bad_request(srv, con);
347 }
348
349 mod_authn_gssapi_patch_connection(srv, con, p);
350
351 /* ??? Should code = krb5_kt_resolve(kcontext, p->conf.auth_gssapi_keytab->ptr, &keytab);
352 * be used, instead of putenv() of KRB5_KTNAME=...? See mod_authn_gssapi_basic() */
353 /* ??? Should KRB5_KTNAME go into con->environment instead ??? */
354 /* ??? Should KRB5_KTNAME be added to mod_authn_gssapi_basic(), too? */
355 ktname = buffer_init_string("KRB5_KTNAME=");
356 buffer_append_string_buffer(ktname, p->conf.auth_gssapi_keytab);
357 putenv(ktname->ptr);
358 /* ktname becomes part of the environment, do not free */
359 /* buffer_free(ktname); */
360
361 sprinc = buffer_init_buffer(p->conf.auth_gssapi_principal);
362 if (strchr(sprinc->ptr, '/') == NULL) {
363 buffer_append_string(sprinc, "/");
364 /*(copy HTTP Host, omitting port if port is present)*/
365 buffer_append_string_len(sprinc, con->request.http_host->ptr, strcspn(con->request.http_host->ptr, ":"));
366 }
367 if (strchr(sprinc->ptr, '@') == NULL) {
368 buffer_append_string(sprinc, "@");
369 buffer_append_string_buffer(sprinc, require->realm);
370 }
371 /*#define GSS_C_NT_USER_NAME gss_nt_user_name*/
372 /*#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name*/
373 #define GSS_KRB5_NT_PRINCIPAL_NAME gss_nt_krb5_name
374
375 token_s.value = sprinc->ptr;
376 token_s.length = buffer_string_length(sprinc);
377 st_major = gss_import_name(&st_minor, &token_s, (gss_OID) GSS_KRB5_NT_PRINCIPAL_NAME, &server_name);
378 if (GSS_ERROR(st_major)) {
379 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_import_name", NULL, st_major, st_minor);
380 goto end;
381 }
382
383 memset(&token_s, 0, sizeof(token_s));
384 st_major = gss_display_name(&st_minor, server_name, &token_s, NULL);
385 if (GSS_ERROR(st_major)) {
386 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_display_name", NULL, st_major, st_minor);
387 goto end;
388 }
389
390 /* acquire server's own credentials */
391 st_major = gss_acquire_cred(&st_minor, server_name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, GSS_C_ACCEPT, &server_cred, NULL, NULL);
392 if (GSS_ERROR(st_major)) {
393 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_acquire_cred", sprinc->ptr, st_major, st_minor);
394 goto end;
395 }
396
397 /* accept the user's context */
398 token_in.length = buffer_string_length(t_in);
399 token_in.value = t_in->ptr;
400 st_major = gss_accept_sec_context(&st_minor, &context, server_cred, &token_in, GSS_C_NO_CHANNEL_BINDINGS,
401 &client_name, NULL, &token_out, &acc_flags, NULL, &client_cred);
402 if (GSS_ERROR(st_major)) {
403 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_accept_sec_context", NULL, st_major, st_minor);
404 goto end;
405 }
406
407 /* fetch the username */
408 st_major = gss_display_name(&st_minor, client_name, &token_out, NULL);
409 if (GSS_ERROR(st_major)) {
410 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_display_name", NULL, st_major, st_minor);
411 goto end;
412 }
413
414 /* check the allow-rules */
415 if (!http_auth_match_rules(require, token_out.value, NULL, NULL)) {
416 log_error_write(srv, __FILE__, __LINE__, "s", "rules didn't match");
417 goto end;
418 }
419
420 if (!(acc_flags & GSS_C_CONF_FLAG)) {
421 log_error_write(srv, __FILE__, __LINE__, "ss", "No confidentiality for user:", token_out.value);
422 goto end;
423 }
424
425 if (!(acc_flags & GSS_C_DELEG_FLAG)) {
426 log_error_write(srv, __FILE__, __LINE__, "ss", "Unable to delegate credentials for user:", token_out.value);
427 goto end;
428 }
429
430 ret = mod_authn_gssapi_store_gss_creds(srv, con, p, token_out.value, client_cred);
431 if (ret)
432 http_auth_setenv(con->environment, token_out.value, token_out.length, CONST_STR_LEN("GSSAPI"));
433
434 end:
435 buffer_free(t_in);
436 if (sprinc)
437 buffer_free(sprinc);
438
439 if (context != GSS_C_NO_CONTEXT)
440 gss_delete_sec_context(&st_minor, &context, GSS_C_NO_BUFFER);
441
442 if (client_cred != GSS_C_NO_CREDENTIAL)
443 gss_release_cred(&st_minor, &client_cred);
444 if (server_cred != GSS_C_NO_CREDENTIAL)
445 gss_release_cred(&st_minor, &server_cred);
446
447 if (client_name != GSS_C_NO_NAME)
448 gss_release_name(&st_minor, &client_name);
449 if (server_name != GSS_C_NO_NAME)
450 gss_release_name(&st_minor, &server_name);
451
452 if (token_s.length)
453 gss_release_buffer(&st_minor, &token_s);
454 /* if (token_in.length)
455 * gss_release_buffer(&st_minor, &token_in); */
456 if (token_out.length)
457 gss_release_buffer(&st_minor, &token_out);
458
459 return ret ? HANDLER_GO_ON : mod_authn_gssapi_send_401_unauthorized_negotiate(srv, con);
460 }
461
462 static handler_t mod_authn_gssapi_check (server *srv, connection *con, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend)
463 {
464 data_string * const ds =
465 (data_string *)array_get_element(con->request.headers, "Authorization");
466
467 UNUSED(backend);
468 if (NULL == ds || buffer_is_empty(ds->value)) {
469 return mod_authn_gssapi_send_401_unauthorized_negotiate(srv, con);
470 }
471
472 if (0 != strncasecmp(ds->value->ptr, "Negotiate ", sizeof("Negotiate ")-1)) {
473 return mod_authn_gssapi_send_400_bad_request(srv, con);
474 }
475
476 return mod_authn_gssapi_check_spnego(srv, con, (plugin_data *)p_d, require, ds->value->ptr+sizeof("Negotiate ")-1);
477 }
478
479 /*
480 * HTTP auth Basic realm="kerberos"
481 */
482
483 static krb5_error_code mod_authn_gssapi_verify_krb5_init_creds(server *srv, krb5_context context, krb5_creds *creds, krb5_principal ap_req_server, krb5_keytab ap_req_keytab)
484 {
485 krb5_error_code ret;
486 krb5_data req;
487 krb5_ccache local_ccache = NULL;
488 krb5_creds *new_creds = NULL;
489 krb5_auth_context auth_context = NULL;
490 krb5_keytab keytab = NULL;
491 char *server_name;
492
493 memset(&req, 0, sizeof(req));
494
495 if (ap_req_keytab == NULL) {
496 ret = krb5_kt_default(context, &keytab);
497 if (ret)
498 return ret;
499 } else
500 keytab = ap_req_keytab;
501
502 ret = krb5_cc_resolve(context, "MEMORY:", &local_ccache);
503 if (ret) {
504 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_cc_resolve() failed when verifying KDC");
505 /* return ret; */
506 goto end;
507 }
508
509 ret = krb5_cc_initialize(context, local_ccache, creds->client);
510 if (ret) {
511 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_cc_initialize() failed when verifying KDC");
512 goto end;
513 }
514
515 ret = krb5_cc_store_cred(context, local_ccache, creds);
516 if (ret) {
517 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_cc_store_cred() failed when verifying KDC");
518 goto end;
519 }
520
521 ret = krb5_unparse_name(context, ap_req_server, &server_name);
522 if (ret) {
523 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_unparse_name() failed when verifying KDC");
524 goto end;
525 }
526 /* log_error_write(srv, __FILE__, __LINE__, "ss", "Trying to verify authenticity of KDC using principal", server_name); */
527 free(server_name);
528
529 if (!krb5_principal_compare(context, ap_req_server, creds->server)) {
530 krb5_creds match_cred;
531
532 memset(&match_cred, 0, sizeof(match_cred));
533
534 match_cred.client = creds->client;
535 match_cred.server = ap_req_server;
536
537 ret = krb5_get_credentials(context, 0, local_ccache, &match_cred, &new_creds);
538 if (ret) {
539 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_get_credentials() failed when verifying KDC");
540 goto end;
541 }
542 creds = new_creds;
543 }
544
545 ret = krb5_mk_req_extended(context, &auth_context, 0, NULL, creds, &req);
546 if (ret) {
547 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_mk_req_extended() failed when verifying KDC");
548 goto end;
549 }
550
551 krb5_auth_con_free(context, auth_context);
552 auth_context = NULL;
553 ret = krb5_auth_con_init(context, &auth_context);
554 if (ret) {
555 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_auth_con_init() failed when verifying KDC");
556 goto end;
557 }
558
559 /* use KRB5_AUTH_CONTEXT_DO_SEQUENCE to skip replay cache checks */
560 krb5_auth_con_setflags(context, auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE);
561 ret = krb5_rd_req(context, &auth_context, &req, ap_req_server, keytab, 0, NULL);
562 if (ret) {
563 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_rd_req() failed when verifying KDC");
564 goto end;
565 }
566
567 end:
568 krb5_free_data_contents(context, &req);
569 if (auth_context)
570 krb5_auth_con_free(context, auth_context);
571 if (new_creds)
572 krb5_free_creds(context, new_creds);
573 if (ap_req_keytab == NULL && keytab)
574 krb5_kt_close(context, keytab);
575 if (local_ccache)
576 krb5_cc_destroy(context, local_ccache);
577
578 return ret;
579 }
580
581 static int mod_authn_gssapi_store_krb5_creds(server *srv, connection *con, plugin_data *p,
582 krb5_context kcontext, krb5_ccache delegated_cred)
583 {
584 krb5_error_code problem;
585 krb5_principal princ = NULL;
586 krb5_ccache ccache = NULL;
587
588 problem = krb5_cc_get_principal(kcontext, delegated_cred, &princ);
589 if (problem) {
590 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_get_principal", NULL, kcontext, problem);
591 goto end;
592 }
593
594 if (mod_authn_gssapi_create_krb5_ccache(srv, con, p, kcontext, princ, &ccache)) {
595 goto end;
596 }
597
598 problem = krb5_cc_copy_creds(kcontext, delegated_cred, ccache);
599 if (problem) {
600 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_copy_creds", NULL, kcontext, problem);
601 goto end;
602 }
603
604 krb5_free_principal(kcontext, princ);
605 krb5_cc_close(kcontext, ccache);
606 return 0;
607
608 end:
609 if (princ)
610 krb5_free_principal(kcontext, princ);
611 if (ccache)
612 krb5_cc_destroy(kcontext, ccache);
613 return -1;
614 }
615
616 static handler_t mod_authn_gssapi_send_401_unauthorized_basic (server *srv, connection *con)
617 {
618 con->http_status = 401;
619 con->mode = DIRECT;
620 response_header_insert(srv, con, CONST_STR_LEN("WWW-Authenticate"), CONST_STR_LEN("Basic realm=\"Kerberos\""));
621 return HANDLER_FINISHED;
622 }
623
624 static handler_t mod_authn_gssapi_basic(server *srv, connection *con, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw)
625 {
626 krb5_context kcontext = NULL;
627 krb5_keytab keytab = NULL;
628 krb5_principal s_princ = NULL;
629 krb5_principal c_princ = NULL;
630 krb5_creds c_creds;
631 krb5_ccache c_ccache = NULL;
632 krb5_ccache ret_ccache = NULL;
633 krb5_error_code code;
634 int ret;
635 buffer *sprinc;
636 buffer *user_at_realm = NULL;
637 plugin_data * const p = (plugin_data *)p_d;
638
639 if (*pw == '\0') {
640 log_error_write(srv, __FILE__, __LINE__, "s", "Empty passwords are not accepted");
641 mod_authn_gssapi_send_401_unauthorized_basic(srv, con);
642 }
643
644 mod_authn_gssapi_patch_connection(srv, con, p);
645
646 code = krb5_init_context(&kcontext);
647 if (code) {
648 log_error_write(srv, __FILE__, __LINE__, "sd", "krb5_init_context():", code);
649 mod_authn_gssapi_send_401_unauthorized_basic(srv, con); /*(well, should be 500)*/
650 }
651
652 code = krb5_kt_resolve(kcontext, p->conf.auth_gssapi_keytab->ptr, &keytab);
653 if (code) {
654 log_error_write(srv, __FILE__, __LINE__, "sdb", "krb5_kt_resolve():", code, p->conf.auth_gssapi_keytab);
655 mod_authn_gssapi_send_401_unauthorized_basic(srv, con); /*(well, should be 500)*/
656 }
657
658 sprinc = buffer_init_buffer(p->conf.auth_gssapi_principal);
659 if (strchr(sprinc->ptr, '/') == NULL) {
660 buffer_append_string(sprinc, "/");
661 /*(copy HTTP Host, omitting port if port is present)*/
662 buffer_append_string_len(sprinc, con->request.http_host->ptr, strcspn(con->request.http_host->ptr, ":"));
663 }
664
665 /*(init c_creds before anything which might krb5_free_cred_contents())*/
666 memset(&c_creds, 0, sizeof(c_creds));
667
668 ret = krb5_parse_name(kcontext, sprinc->ptr, &s_princ);
669 if (ret) {
670 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_parse_name", sprinc->ptr, kcontext, ret);
671 ret = -1;
672 goto end;
673 }
674
675 if (strchr(username->ptr, '@') == NULL) {
676 user_at_realm = buffer_init_buffer(username);
677 BUFFER_APPEND_STRING_CONST(user_at_realm, "@");
678 buffer_append_string_buffer(user_at_realm, require->realm);
679 }
680
681 ret = krb5_parse_name(kcontext, (user_at_realm ? user_at_realm->ptr : username->ptr), &c_princ);
682 if (ret) {
683 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_parse_name", (user_at_realm ? user_at_realm->ptr : username->ptr), kcontext, ret);
684 if (user_at_realm) buffer_free(user_at_realm);
685 ret = -1;
686 goto end;
687 }
688 if (user_at_realm) buffer_free(user_at_realm);
689 /* XXX: if the qualified username with @realm should be in REMOTE_USER,
690 * then http_auth_backend_t basic interface needs to change to pass
691 * modifiable buffer *username, but note that const char *pw follows
692 * in the truncated buffer *username, so pw would need to be copied
693 * before modifying buffer *username */
694
695 /*
696 * char *name = NULL;
697 * ret = krb5_unparse_name(kcontext, c_princ, &name);
698 * if (ret == 0) {
699 * log_error_write(srv, __FILE__, __LINE__, "sbss", "Trying to get TGT for user:", username, "password:", pw);
700 * free(name);
701 * }
702 */
703
704 ret = krb5_get_init_creds_password(kcontext, &c_creds, c_princ, pw, NULL, NULL, 0, NULL, NULL);
705 if (ret) {
706 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_get_init_creds_password", NULL, kcontext, ret);
707 goto end;
708 }
709
710 ret = mod_authn_gssapi_verify_krb5_init_creds(srv, kcontext, &c_creds, s_princ, keytab);
711 if (ret) {
712 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "mod_authn_gssapi_verify_krb5_init_creds", NULL, kcontext, ret);
713 goto end;
714 }
715
716 ret = krb5_cc_resolve(kcontext, "MEMORY:", &ret_ccache);
717 if (ret) {
718 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_resolve", NULL, kcontext, ret);
719 goto end;
720 }
721
722 ret = krb5_cc_initialize(kcontext, ret_ccache, c_princ);
723 if (ret) {
724 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_initialize", NULL, kcontext, ret);
725 goto end;
726 }
727
728 ret = krb5_cc_store_cred(kcontext, ret_ccache, &c_creds);
729 if (ret) {
730 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_store_cred", NULL, kcontext, ret);
731 goto end;
732 }
733
734 c_ccache = ret_ccache;
735 ret_ccache = NULL;
736
737 end:
738
739 krb5_free_cred_contents(kcontext, &c_creds);
740 if (ret_ccache)
741 krb5_cc_destroy(kcontext, ret_ccache);
742
743 if (!ret && c_ccache && (ret = mod_authn_gssapi_store_krb5_creds(srv, con, p, kcontext, c_ccache))) {
744 log_error_write(srv, __FILE__, __LINE__, "sb", "mod_authn_gssapi_store_krb5_creds failed for", username);
745 }
746
747 if (c_princ)
748 krb5_free_principal(kcontext, c_princ);
749 if (s_princ)
750 krb5_free_principal(kcontext, s_princ);
751 if (sprinc)
752 buffer_free(sprinc);
753 if (c_ccache)
754 krb5_cc_destroy(kcontext, c_ccache);
755 if (keytab)
756 krb5_kt_close(kcontext, keytab);
757
758 krb5_free_context(kcontext);
759
760 if (0 == ret && http_auth_match_rules(require,username->ptr,NULL,NULL)){
761 return HANDLER_GO_ON;
762 }
763 else {
764 /* ret == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN or no authz rules match */
765 log_error_write(srv, __FILE__, __LINE__, "sbsBsB", "password doesn't match for", con->uri.path, "username:", username, ", IP:", con->dst_addr_buf);
766 return mod_authn_gssapi_send_401_unauthorized_basic(srv, con);
767 }
768 }
769
770
771 REQUESTDONE_FUNC(mod_authn_gssapi_request_done) {
772 plugin_data *p = (plugin_data *)p_d;
773 buffer *kccname = (buffer *)con->plugin_ctx[p->id];
774 if (NULL != kccname) {
775 con->plugin_ctx[p->id] = NULL;
776 unlink(kccname->ptr+sizeof("FILE:")-1);
777 buffer_free(kccname);
778 }
779
780 UNUSED(srv);
781 return HANDLER_GO_ON;
782 }
783
784 int mod_authn_gssapi_plugin_init(plugin *p);
785 int mod_authn_gssapi_plugin_init(plugin *p) {
786 p->version = LIGHTTPD_VERSION_ID;
787 p->name = buffer_init_string("authn_gssapi");
788 p->init = mod_authn_gssapi_init;
789 p->set_defaults= mod_authn_gssapi_set_defaults;
790 p->cleanup = mod_authn_gssapi_free;
791 p->handle_request_done = mod_authn_gssapi_request_done;
792
793 p->data = NULL;
794
795 return 0;
796 }
797
798 #else
799
800 int mod_authn_gssapi_plugin_init(plugin *p);
801 int mod_authn_gssapi_plugin_init(plugin *p) {
802 UNUSED(p);
803 return -1;
804 }
805
806 #endif
A fast webserver with minimal memory-footprint (lighttpd)