search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[mod_accesslog] %{ratio}n logs compression ratio (fixes #2133)
[lighttpd.git] / src / mod_authn_gssapi.c
blob704c66c11489f90212ba09b26d959624803cc422
1 #include "first.h"
2
3 /* mod_authn_gssapi
4 *
5 * - provides http_auth_backend_t "gssapi" for HTTP auth Basic realm="Kerberos"
6 * - provides http_auth_scheme_t "Negotiate"
7 * - (does not provide http_auth_backend_t for HTTP auth Digest)
8 *
9 * Note: Credentials cache (KRB5CCNAME) is exported into CGI and SSI environment
10 * as well as passed to FastCGI and SCGI (useful if on same machine
11 * and running under same user account with access to KRB5CCNAME file).
12 * Credentials are clean up at the end of each request.
13 *
14 * LIMITATIONS:
15 * - no rate limiting of auth requests, so remote attacker can send many auth
16 * requests very quickly if attempting brute force password cracking attack
17 *
18 * FUTURE POTENTIAL PERFORMANCE ENHANCEMENTS:
19 * - Kerberos auth is synchronous and blocks waiting for response
20 * TODO: attempt async?
21 */
22
23 #include "plugin.h"
24
25 #include <krb5.h>
26 #include <gssapi.h>
27 #include <gssapi/gssapi_krb5.h>
28
29 #include "http_auth.h"
30 #include "base.h"
31 #include "log.h"
32 #include "md5.h"
33 #include "base64.h"
34 #include "response.h"
35
36 #include <errno.h>
37 #include <stdlib.h>
38 #include <string.h>
39
40 typedef struct {
41 buffer *auth_gssapi_keytab;
42 buffer *auth_gssapi_principal;
43 } plugin_config;
44
45 typedef struct {
46 PLUGIN_DATA;
47 plugin_config **config_storage;
48 plugin_config conf;
49 buffer *auth_cred;
50 } plugin_data;
51
52 static handler_t mod_authn_gssapi_check(server *srv, connection *con, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend);
53 static handler_t mod_authn_gssapi_basic(server *srv, connection *con, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw);
54
55 static plugin_data *plugin_data_singleton;
56
57 INIT_FUNC(mod_authn_gssapi_init) {
58 static http_auth_scheme_t http_auth_scheme_gssapi =
59 { "gssapi", mod_authn_gssapi_check, NULL };
60 static http_auth_backend_t http_auth_backend_gssapi =
61 { "gssapi", mod_authn_gssapi_basic, NULL, NULL };
62 plugin_data *p = calloc(1, sizeof(*p));
63
64 /* register http_auth_scheme_gssapi and http_auth_backend_gssapi */
65 http_auth_scheme_gssapi.p_d = p;
66 http_auth_scheme_set(&http_auth_scheme_gssapi);
67 http_auth_backend_gssapi.p_d = p;
68 http_auth_backend_set(&http_auth_backend_gssapi);
69
70 plugin_data_singleton = p;
71 return p;
72 }
73
74 FREE_FUNC(mod_authn_gssapi_free) {
75 plugin_data *p = p_d;
76
77 UNUSED(srv);
78
79 if (!p) return HANDLER_GO_ON;
80
81 if (p->config_storage) {
82 size_t i;
83 for (i = 0; i < srv->config_context->used; i++) {
84 plugin_config *s = p->config_storage[i];
85
86 if (NULL == s) continue;
87
88 buffer_free(s->auth_gssapi_keytab);
89 buffer_free(s->auth_gssapi_principal);
90
91 free(s);
92 }
93 free(p->config_storage);
94 }
95
96 free(p);
97
98 return HANDLER_GO_ON;
99 }
100
101 SETDEFAULTS_FUNC(mod_authn_gssapi_set_defaults) {
102 plugin_data *p = p_d;
103 size_t i;
104 config_values_t cv[] = {
105 { "auth.backend.gssapi.keytab", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
106 { "auth.backend.gssapi.principal", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
107 { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
108 };
109
110 p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *));
111
112 for (i = 0; i < srv->config_context->used; i++) {
113 data_config const* config = (data_config const*)srv->config_context->data[i];
114 plugin_config *s;
115
116 s = calloc(1, sizeof(plugin_config));
117
118 s->auth_gssapi_keytab = buffer_init();
119 s->auth_gssapi_principal = buffer_init();
120
121 cv[0].destination = s->auth_gssapi_keytab;
122 cv[1].destination = s->auth_gssapi_principal;
123
124 p->config_storage[i] = s;
125
126 if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
127 return HANDLER_ERROR;
128 }
129 }
130
131 return HANDLER_GO_ON;
132 }
133
134 #define PATCH(x) \
135 p->conf.x = s->x;
136 static int mod_authn_gssapi_patch_connection(server *srv, connection *con, plugin_data *p)
137 {
138 size_t i, j;
139 plugin_config *s = p->config_storage[0];
140
141 PATCH(auth_gssapi_keytab);
142 PATCH(auth_gssapi_principal);
143
144 /* skip the first, the global context */
145 for (i = 1; i < srv->config_context->used; i++) {
146 data_config *dc = (data_config *)srv->config_context->data[i];
147 s = p->config_storage[i];
148
149 /* condition didn't match */
150 if (!config_check_cond(srv, con, dc)) continue;
151
152 /* merge config */
153 for (j = 0; j < dc->value->used; j++) {
154 data_unset *du = dc->value->data[j];
155
156 if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.gssapi.keytab"))) {
157 PATCH(auth_gssapi_keytab);
158 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.gssapi.principal"))) {
159 PATCH(auth_gssapi_principal);
160 }
161 }
162 }
163
164 return 0;
165 }
166 #undef PATCH
167
168 static handler_t mod_authn_gssapi_send_400_bad_request (server *srv, connection *con)
169 {
170 UNUSED(srv);
171 con->http_status = 400;
172 con->mode = DIRECT;
173 return HANDLER_FINISHED;
174 }
175
176 static void mod_authn_gssapi_log_gss_error(server *srv, const char *file, unsigned int line, const char *func, const char *extra, OM_uint32 err_maj, OM_uint32 err_min)
177 {
178 buffer * const msg = buffer_init_string(func);
179 OM_uint32 maj_stat, min_stat;
180 OM_uint32 msg_ctx = 0;
181 gss_buffer_desc status_string;
182
183 buffer_append_string_len(msg, CONST_STR_LEN("("));
184 if (extra) buffer_append_string(msg, extra);
185 buffer_append_string_len(msg, CONST_STR_LEN("):"));
186
187 do {
188 maj_stat = gss_display_status(&min_stat, err_maj, GSS_C_GSS_CODE,
189 GSS_C_NO_OID, &msg_ctx, &status_string);
190 if (GSS_ERROR(maj_stat))
191 break;
192
193 buffer_append_string(msg, status_string.value);
194 gss_release_buffer(&min_stat, &status_string);
195
196 maj_stat = gss_display_status(&min_stat, err_min, GSS_C_MECH_CODE,
197 GSS_C_NULL_OID, &msg_ctx, &status_string);
198 if (!GSS_ERROR(maj_stat)) {
199 buffer_append_string(msg, " (");
200 buffer_append_string(msg, status_string.value);
201 buffer_append_string(msg, ")");
202 gss_release_buffer(&min_stat, &status_string);
203 }
204 } while (!GSS_ERROR(maj_stat) && msg_ctx != 0);
205
206 log_error_write(srv, file, line, "b", msg);
207 buffer_free(msg);
208 }
209
210 static void mod_authn_gssapi_log_krb5_error(server *srv, const char *file, unsigned int line, const char *func, const char *extra, krb5_context context, int code)
211 {
212 UNUSED(context);
213 /*(extra might be NULL)*/
214 log_error_write(srv, file, line, "sssss", func, "(", extra, "):",
215 error_message(code));
216 }
217
218 static int mod_authn_gssapi_create_krb5_ccache(server *srv, connection *con, plugin_data *p, krb5_context kcontext, krb5_principal princ, krb5_ccache *ccache)
219 {
220 buffer * const kccname = buffer_init_string("FILE:/tmp/krb5cc_gssapi_XXXXXX");
221 char * const ccname = kccname->ptr + sizeof("FILE:")-1;
222 const size_t ccnamelen = buffer_string_length(kccname)-(sizeof("FILE:")-1);
223 /*(future: might consider using server.upload-dirs instead of /tmp)*/
224 int fd = mkstemp(ccname);
225 if (fd < 0) {
226 log_error_write(srv, __FILE__, __LINE__, "ss", "mkstemp():", strerror(errno));
227 buffer_free(kccname);
228 return -1;
229 }
230 close(fd);
231
232 do {
233 krb5_error_code problem;
234
235 problem = krb5_cc_resolve(kcontext, kccname->ptr, ccache);
236 if (problem) {
237 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_resolve", NULL, kcontext, problem);
238 break;
239 }
240
241 problem = krb5_cc_initialize(kcontext, *ccache, princ);
242 if (problem) {
243 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_initialize", kccname->ptr, kcontext, problem);
244 break;
245 }
246
247 con->plugin_ctx[p->id] = kccname;
248
249 array_set_key_value(con->environment, CONST_STR_LEN("KRB5CCNAME"), ccname, ccnamelen);
250 array_set_key_value(con->request.headers, CONST_STR_LEN("X-Forwarded-Keytab"), ccname, ccnamelen);
251
252 return 0;
253
254 } while (0);
255
256 if (*ccache) {
257 krb5_cc_destroy(kcontext, *ccache);
258 *ccache = NULL;
259 }
260 unlink(ccname);
261 buffer_free(kccname);
262
263 return -1;
264 }
265
266 /*
267 * HTTP auth Negotiate
268 */
269
270 static handler_t mod_authn_gssapi_send_401_unauthorized_negotiate (server *srv, connection *con)
271 {
272 con->http_status = 401;
273 con->mode = DIRECT;
274 response_header_insert(srv, con, CONST_STR_LEN("WWW-Authenticate"), CONST_STR_LEN("Negotiate"));
275 return HANDLER_FINISHED;
276 }
277
278 static int mod_authn_gssapi_store_gss_creds(server *srv, connection *con, plugin_data *p, char *princ_name, gss_cred_id_t delegated_cred)
279 {
280 OM_uint32 maj_stat, min_stat;
281 krb5_principal princ = NULL;
282 krb5_ccache ccache = NULL;
283 krb5_error_code problem;
284 krb5_context context;
285
286 problem = krb5_init_context(&context);
287 if (problem) {
288 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_init_context", NULL, context, problem);
289 return 0;
290 }
291
292 problem = krb5_parse_name(context, princ_name, &princ);
293 if (problem) {
294 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_parse_name", NULL, context, problem);
295 goto end;
296 }
297
298 if (mod_authn_gssapi_create_krb5_ccache(srv, con, p, context, princ, &ccache))
299 goto end;
300
301 maj_stat = gss_krb5_copy_ccache(&min_stat, delegated_cred, ccache);
302 if (GSS_ERROR(maj_stat)) {
303 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_krb5_copy_ccache", princ_name, maj_stat, min_stat);
304 goto end;
305 }
306
307 krb5_cc_close(context, ccache);
308 krb5_free_principal(context, princ);
309 krb5_free_context(context);
310 return 1;
311
312 end:
313 if (princ)
314 krb5_free_principal(context, princ);
315 if (ccache)
316 krb5_cc_destroy(context, ccache);
317 krb5_free_context(context);
318
319 return 0;
320 }
321
322 static handler_t mod_authn_gssapi_check_spnego(server *srv, connection *con, plugin_data *p, const http_auth_require_t *require, const char *realm_str)
323 {
324 OM_uint32 st_major, st_minor, acc_flags;
325 gss_buffer_desc token_s = GSS_C_EMPTY_BUFFER;
326 gss_buffer_desc token_in = GSS_C_EMPTY_BUFFER;
327 gss_buffer_desc token_out = GSS_C_EMPTY_BUFFER;
328 gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL;
329 gss_cred_id_t client_cred = GSS_C_NO_CREDENTIAL;
330 gss_ctx_id_t context = GSS_C_NO_CONTEXT;
331 gss_name_t server_name = GSS_C_NO_NAME;
332 gss_name_t client_name = GSS_C_NO_NAME;
333
334 /*(future: might modify http_auth_scheme_t to store (void *)p_d
335 * and pass to checkfn, similar to http_auth_backend_t) */
336 buffer *ktname;
337 buffer *sprinc;
338 int ret = 0;
339
340 buffer *t_in = buffer_init();
341 if (!buffer_append_base64_decode(t_in, realm_str, strlen(realm_str), BASE64_STANDARD)) {
342 log_error_write(srv, __FILE__, __LINE__, "ss", "decoding GSSAPI authentication header failed", realm_str);
343 buffer_free(t_in);
344 return mod_authn_gssapi_send_400_bad_request(srv, con);
345 }
346
347 mod_authn_gssapi_patch_connection(srv, con, p);
348
349 /* ??? Should code = krb5_kt_resolve(kcontext, p->conf.auth_gssapi_keytab->ptr, &keytab);
350 * be used, instead of putenv() of KRB5_KTNAME=...? See mod_authn_gssapi_basic() */
351 /* ??? Should KRB5_KTNAME go into con->environment instead ??? */
352 /* ??? Should KRB5_KTNAME be added to mod_authn_gssapi_basic(), too? */
353 ktname = buffer_init_string("KRB5_KTNAME=");
354 buffer_append_string_buffer(ktname, p->conf.auth_gssapi_keytab);
355 putenv(ktname->ptr);
356 /* ktname becomes part of the environment, do not free */
357 /* buffer_free(ktname); */
358
359 sprinc = buffer_init_buffer(p->conf.auth_gssapi_principal);
360 if (strchr(sprinc->ptr, '/') == NULL) {
361 buffer_append_string(sprinc, "/");
362 /*(copy HTTP Host, omitting port if port is present)*/
363 buffer_append_string_len(sprinc, con->request.http_host->ptr, strcspn(con->request.http_host->ptr, ":"));
364 }
365 if (strchr(sprinc->ptr, '@') == NULL) {
366 buffer_append_string(sprinc, "@");
367 buffer_append_string_buffer(sprinc, require->realm);
368 }
369 /*#define GSS_C_NT_USER_NAME gss_nt_user_name*/
370 /*#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name*/
371 #define GSS_KRB5_NT_PRINCIPAL_NAME gss_nt_krb5_name
372
373 token_s.value = sprinc->ptr;
374 token_s.length = buffer_string_length(sprinc);
375 st_major = gss_import_name(&st_minor, &token_s, (gss_OID) GSS_KRB5_NT_PRINCIPAL_NAME, &server_name);
376 if (GSS_ERROR(st_major)) {
377 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_import_name", NULL, st_major, st_minor);
378 goto end;
379 }
380
381 memset(&token_s, 0, sizeof(token_s));
382 st_major = gss_display_name(&st_minor, server_name, &token_s, NULL);
383 if (GSS_ERROR(st_major)) {
384 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_display_name", NULL, st_major, st_minor);
385 goto end;
386 }
387
388 /* acquire server's own credentials */
389 st_major = gss_acquire_cred(&st_minor, server_name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, GSS_C_ACCEPT, &server_cred, NULL, NULL);
390 if (GSS_ERROR(st_major)) {
391 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_acquire_cred", sprinc->ptr, st_major, st_minor);
392 goto end;
393 }
394
395 /* accept the user's context */
396 token_in.length = buffer_string_length(t_in);
397 token_in.value = t_in->ptr;
398 st_major = gss_accept_sec_context(&st_minor, &context, server_cred, &token_in, GSS_C_NO_CHANNEL_BINDINGS,
399 &client_name, NULL, &token_out, &acc_flags, NULL, &client_cred);
400 if (GSS_ERROR(st_major)) {
401 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_accept_sec_context", NULL, st_major, st_minor);
402 goto end;
403 }
404
405 /* fetch the username */
406 st_major = gss_display_name(&st_minor, client_name, &token_out, NULL);
407 if (GSS_ERROR(st_major)) {
408 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_display_name", NULL, st_major, st_minor);
409 goto end;
410 }
411
412 /* check the allow-rules */
413 if (!http_auth_match_rules(require, token_out.value, NULL, NULL)) {
414 log_error_write(srv, __FILE__, __LINE__, "s", "rules didn't match");
415 goto end;
416 }
417
418 if (!(acc_flags & GSS_C_CONF_FLAG)) {
419 log_error_write(srv, __FILE__, __LINE__, "ss", "No confidentiality for user:", token_out.value);
420 goto end;
421 }
422
423 if (!(acc_flags & GSS_C_DELEG_FLAG)) {
424 log_error_write(srv, __FILE__, __LINE__, "ss", "Unable to delegate credentials for user:", token_out.value);
425 goto end;
426 }
427
428 ret = mod_authn_gssapi_store_gss_creds(srv, con, p, token_out.value, client_cred);
429 if (ret)
430 http_auth_setenv(con->environment, token_out.value, token_out.length, CONST_STR_LEN("GSSAPI"));
431
432 end:
433 buffer_free(t_in);
434 if (sprinc)
435 buffer_free(sprinc);
436
437 if (context != GSS_C_NO_CONTEXT)
438 gss_delete_sec_context(&st_minor, &context, GSS_C_NO_BUFFER);
439
440 if (client_cred != GSS_C_NO_CREDENTIAL)
441 gss_release_cred(&st_minor, &client_cred);
442 if (server_cred != GSS_C_NO_CREDENTIAL)
443 gss_release_cred(&st_minor, &server_cred);
444
445 if (client_name != GSS_C_NO_NAME)
446 gss_release_name(&st_minor, &client_name);
447 if (server_name != GSS_C_NO_NAME)
448 gss_release_name(&st_minor, &server_name);
449
450 if (token_s.length)
451 gss_release_buffer(&st_minor, &token_s);
452 /* if (token_in.length)
453 * gss_release_buffer(&st_minor, &token_in); */
454 if (token_out.length)
455 gss_release_buffer(&st_minor, &token_out);
456
457 return ret ? HANDLER_GO_ON : mod_authn_gssapi_send_401_unauthorized_negotiate(srv, con);
458 }
459
460 static handler_t mod_authn_gssapi_check (server *srv, connection *con, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend)
461 {
462 data_string * const ds =
463 (data_string *)array_get_element(con->request.headers, "Authorization");
464
465 UNUSED(backend);
466 if (NULL == ds || buffer_is_empty(ds->value)) {
467 return mod_authn_gssapi_send_401_unauthorized_negotiate(srv, con);
468 }
469
470 if (0 != strncasecmp(ds->value->ptr, "Negotiate ", sizeof("Negotiate ")-1)) {
471 return mod_authn_gssapi_send_400_bad_request(srv, con);
472 }
473
474 return mod_authn_gssapi_check_spnego(srv, con, (plugin_data *)p_d, require, ds->value->ptr+sizeof("Negotiate ")-1);
475 }
476
477 /*
478 * HTTP auth Basic realm="kerberos"
479 */
480
481 static krb5_error_code mod_authn_gssapi_verify_krb5_init_creds(server *srv, krb5_context context, krb5_creds *creds, krb5_principal ap_req_server, krb5_keytab ap_req_keytab)
482 {
483 krb5_error_code ret;
484 krb5_data req;
485 krb5_ccache local_ccache = NULL;
486 krb5_creds *new_creds = NULL;
487 krb5_auth_context auth_context = NULL;
488 krb5_keytab keytab = NULL;
489 char *server_name;
490
491 memset(&req, 0, sizeof(req));
492
493 if (ap_req_keytab == NULL) {
494 ret = krb5_kt_default(context, &keytab);
495 if (ret)
496 return ret;
497 } else
498 keytab = ap_req_keytab;
499
500 ret = krb5_cc_resolve(context, "MEMORY:", &local_ccache);
501 if (ret) {
502 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_cc_resolve() failed when verifying KDC");
503 /* return ret; */
504 goto end;
505 }
506
507 ret = krb5_cc_initialize(context, local_ccache, creds->client);
508 if (ret) {
509 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_cc_initialize() failed when verifying KDC");
510 goto end;
511 }
512
513 ret = krb5_cc_store_cred(context, local_ccache, creds);
514 if (ret) {
515 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_cc_store_cred() failed when verifying KDC");
516 goto end;
517 }
518
519 ret = krb5_unparse_name(context, ap_req_server, &server_name);
520 if (ret) {
521 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_unparse_name() failed when verifying KDC");
522 goto end;
523 }
524 /* log_error_write(srv, __FILE__, __LINE__, "ss", "Trying to verify authenticity of KDC using principal", server_name); */
525 free(server_name);
526
527 if (!krb5_principal_compare(context, ap_req_server, creds->server)) {
528 krb5_creds match_cred;
529
530 memset(&match_cred, 0, sizeof(match_cred));
531
532 match_cred.client = creds->client;
533 match_cred.server = ap_req_server;
534
535 ret = krb5_get_credentials(context, 0, local_ccache, &match_cred, &new_creds);
536 if (ret) {
537 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_get_credentials() failed when verifying KDC");
538 goto end;
539 }
540 creds = new_creds;
541 }
542
543 ret = krb5_mk_req_extended(context, &auth_context, 0, NULL, creds, &req);
544 if (ret) {
545 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_mk_req_extended() failed when verifying KDC");
546 goto end;
547 }
548
549 krb5_auth_con_free(context, auth_context);
550 auth_context = NULL;
551 ret = krb5_auth_con_init(context, &auth_context);
552 if (ret) {
553 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_auth_con_init() failed when verifying KDC");
554 goto end;
555 }
556
557 /* use KRB5_AUTH_CONTEXT_DO_SEQUENCE to skip replay cache checks */
558 krb5_auth_con_setflags(context, auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE);
559 ret = krb5_rd_req(context, &auth_context, &req, ap_req_server, keytab, 0, NULL);
560 if (ret) {
561 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_rd_req() failed when verifying KDC");
562 goto end;
563 }
564
565 end:
566 krb5_free_data_contents(context, &req);
567 if (auth_context)
568 krb5_auth_con_free(context, auth_context);
569 if (new_creds)
570 krb5_free_creds(context, new_creds);
571 if (ap_req_keytab == NULL && keytab)
572 krb5_kt_close(context, keytab);
573 if (local_ccache)
574 krb5_cc_destroy(context, local_ccache);
575
576 return ret;
577 }
578
579 static int mod_authn_gssapi_store_krb5_creds(server *srv, connection *con, plugin_data *p,
580 krb5_context kcontext, krb5_ccache delegated_cred)
581 {
582 krb5_error_code problem;
583 krb5_principal princ = NULL;
584 krb5_ccache ccache = NULL;
585
586 problem = krb5_cc_get_principal(kcontext, delegated_cred, &princ);
587 if (problem) {
588 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_get_principal", NULL, kcontext, problem);
589 goto end;
590 }
591
592 if (mod_authn_gssapi_create_krb5_ccache(srv, con, p, kcontext, princ, &ccache)) {
593 goto end;
594 }
595
596 problem = krb5_cc_copy_creds(kcontext, delegated_cred, ccache);
597 if (problem) {
598 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_copy_creds", NULL, kcontext, problem);
599 goto end;
600 }
601
602 krb5_free_principal(kcontext, princ);
603 krb5_cc_close(kcontext, ccache);
604 return 0;
605
606 end:
607 if (princ)
608 krb5_free_principal(kcontext, princ);
609 if (ccache)
610 krb5_cc_destroy(kcontext, ccache);
611 return -1;
612 }
613
614 static handler_t mod_authn_gssapi_send_401_unauthorized_basic (server *srv, connection *con)
615 {
616 con->http_status = 401;
617 con->mode = DIRECT;
618 response_header_insert(srv, con, CONST_STR_LEN("WWW-Authenticate"), CONST_STR_LEN("Basic realm=\"Kerberos\""));
619 return HANDLER_FINISHED;
620 }
621
622 static handler_t mod_authn_gssapi_basic(server *srv, connection *con, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw)
623 {
624 krb5_context kcontext = NULL;
625 krb5_keytab keytab = NULL;
626 krb5_principal s_princ = NULL;
627 krb5_principal c_princ = NULL;
628 krb5_creds c_creds;
629 krb5_ccache c_ccache = NULL;
630 krb5_ccache ret_ccache = NULL;
631 krb5_error_code code;
632 int ret;
633 buffer *sprinc;
634 buffer *user_at_realm = NULL;
635 plugin_data * const p = (plugin_data *)p_d;
636
637 if (*pw == '\0') {
638 log_error_write(srv, __FILE__, __LINE__, "s", "Empty passwords are not accepted");
639 mod_authn_gssapi_send_401_unauthorized_basic(srv, con);
640 }
641
642 mod_authn_gssapi_patch_connection(srv, con, p);
643
644 code = krb5_init_context(&kcontext);
645 if (code) {
646 log_error_write(srv, __FILE__, __LINE__, "sd", "krb5_init_context():", code);
647 mod_authn_gssapi_send_401_unauthorized_basic(srv, con); /*(well, should be 500)*/
648 }
649
650 code = krb5_kt_resolve(kcontext, p->conf.auth_gssapi_keytab->ptr, &keytab);
651 if (code) {
652 log_error_write(srv, __FILE__, __LINE__, "sdb", "krb5_kt_resolve():", code, p->conf.auth_gssapi_keytab);
653 mod_authn_gssapi_send_401_unauthorized_basic(srv, con); /*(well, should be 500)*/
654 }
655
656 sprinc = buffer_init_buffer(p->conf.auth_gssapi_principal);
657 if (strchr(sprinc->ptr, '/') == NULL) {
658 buffer_append_string(sprinc, "/");
659 /*(copy HTTP Host, omitting port if port is present)*/
660 buffer_append_string_len(sprinc, con->request.http_host->ptr, strcspn(con->request.http_host->ptr, ":"));
661 }
662
663 /*(init c_creds before anything which might krb5_free_cred_contents())*/
664 memset(&c_creds, 0, sizeof(c_creds));
665
666 ret = krb5_parse_name(kcontext, sprinc->ptr, &s_princ);
667 if (ret) {
668 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_parse_name", sprinc->ptr, kcontext, ret);
669 ret = -1;
670 goto end;
671 }
672
673 if (strchr(username->ptr, '@') == NULL) {
674 user_at_realm = buffer_init_buffer(username);
675 BUFFER_APPEND_STRING_CONST(user_at_realm, "@");
676 buffer_append_string_buffer(user_at_realm, require->realm);
677 }
678
679 ret = krb5_parse_name(kcontext, (user_at_realm ? user_at_realm->ptr : username->ptr), &c_princ);
680 if (ret) {
681 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_parse_name", (user_at_realm ? user_at_realm->ptr : username->ptr), kcontext, ret);
682 if (user_at_realm) buffer_free(user_at_realm);
683 ret = -1;
684 goto end;
685 }
686 if (user_at_realm) buffer_free(user_at_realm);
687 /* XXX: if the qualified username with @realm should be in REMOTE_USER,
688 * then http_auth_backend_t basic interface needs to change to pass
689 * modifiable buffer *username, but note that const char *pw follows
690 * in the truncated buffer *username, so pw would need to be copied
691 * before modifying buffer *username */
692
693 /*
694 * char *name = NULL;
695 * ret = krb5_unparse_name(kcontext, c_princ, &name);
696 * if (ret == 0) {
697 * log_error_write(srv, __FILE__, __LINE__, "sbss", "Trying to get TGT for user:", username, "password:", pw);
698 * free(name);
699 * }
700 */
701
702 ret = krb5_get_init_creds_password(kcontext, &c_creds, c_princ, pw, NULL, NULL, 0, NULL, NULL);
703 if (ret) {
704 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_get_init_creds_password", NULL, kcontext, ret);
705 goto end;
706 }
707
708 ret = mod_authn_gssapi_verify_krb5_init_creds(srv, kcontext, &c_creds, s_princ, keytab);
709 if (ret) {
710 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "mod_authn_gssapi_verify_krb5_init_creds", NULL, kcontext, ret);
711 goto end;
712 }
713
714 ret = krb5_cc_resolve(kcontext, "MEMORY:", &ret_ccache);
715 if (ret) {
716 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_resolve", NULL, kcontext, ret);
717 goto end;
718 }
719
720 ret = krb5_cc_initialize(kcontext, ret_ccache, c_princ);
721 if (ret) {
722 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_initialize", NULL, kcontext, ret);
723 goto end;
724 }
725
726 ret = krb5_cc_store_cred(kcontext, ret_ccache, &c_creds);
727 if (ret) {
728 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_store_cred", NULL, kcontext, ret);
729 goto end;
730 }
731
732 c_ccache = ret_ccache;
733 ret_ccache = NULL;
734
735 end:
736
737 krb5_free_cred_contents(kcontext, &c_creds);
738 if (ret_ccache)
739 krb5_cc_destroy(kcontext, ret_ccache);
740
741 if (!ret && c_ccache && (ret = mod_authn_gssapi_store_krb5_creds(srv, con, p, kcontext, c_ccache))) {
742 log_error_write(srv, __FILE__, __LINE__, "sb", "mod_authn_gssapi_store_krb5_creds failed for", username);
743 }
744
745 if (c_princ)
746 krb5_free_principal(kcontext, c_princ);
747 if (s_princ)
748 krb5_free_principal(kcontext, s_princ);
749 if (sprinc)
750 buffer_free(sprinc);
751 if (c_ccache)
752 krb5_cc_destroy(kcontext, c_ccache);
753 if (keytab)
754 krb5_kt_close(kcontext, keytab);
755
756 krb5_free_context(kcontext);
757
758 if (0 == ret && http_auth_match_rules(require,username->ptr,NULL,NULL)){
759 return HANDLER_GO_ON;
760 }
761 else {
762 /* ret == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN or no authz rules match */
763 log_error_write(srv, __FILE__, __LINE__, "sbsBsB", "password doesn't match for", con->uri.path, "username:", username, ", IP:", con->dst_addr_buf);
764 return mod_authn_gssapi_send_401_unauthorized_basic(srv, con);
765 }
766 }
767
768
769 REQUESTDONE_FUNC(mod_authn_gssapi_request_done) {
770 plugin_data *p = (plugin_data *)p_d;
771 buffer *kccname = (buffer *)con->plugin_ctx[p->id];
772 if (NULL != kccname) {
773 con->plugin_ctx[p->id] = NULL;
774 unlink(kccname->ptr+sizeof("FILE:")-1);
775 buffer_free(kccname);
776 }
777
778 UNUSED(srv);
779 return HANDLER_GO_ON;
780 }
781
782 int mod_authn_gssapi_plugin_init(plugin *p);
783 int mod_authn_gssapi_plugin_init(plugin *p) {
784 p->version = LIGHTTPD_VERSION_ID;
785 p->name = buffer_init_string("authn_gssapi");
786 p->init = mod_authn_gssapi_init;
787 p->set_defaults= mod_authn_gssapi_set_defaults;
788 p->cleanup = mod_authn_gssapi_free;
789 p->handle_request_done = mod_authn_gssapi_request_done;
790
791 p->data = NULL;
792
793 return 0;
794 }
A fast webserver with minimal memory-footprint (lighttpd)