search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[core] consolidate duplicated read-to-close code
[lighttpd.git] / src / mod_authn_gssapi.c
blobcc0d8f9953ad43d215f90056d5be6522f2a8710e
1 #include "first.h"
2
3 /* mod_authn_gssapi
4 *
5 * - provides http_auth_backend_t "gssapi" for HTTP auth Basic realm="Kerberos"
6 * - provides http_auth_scheme_t "Negotiate"
7 * - (does not provide http_auth_backend_t for HTTP auth Digest)
8 *
9 * Note: Credentials cache (KRB5CCNAME) is exported into CGI and SSI environment
10 * as well as passed to FastCGI and SCGI (useful if on same machine
11 * and running under same user account with access to KRB5CCNAME file).
12 * Credentials are clean up at the end of each request.
13 *
14 * LIMITATIONS:
15 * - no rate limiting of auth requests, so remote attacker can send many auth
16 * requests very quickly if attempting brute force password cracking attack
17 *
18 * FUTURE POTENTIAL PERFORMANCE ENHANCEMENTS:
19 * - Kerberos auth is synchronous and blocks waiting for response
20 * TODO: attempt async?
21 */
22
23 #include "plugin.h"
24
25 #include <krb5.h>
26 #include <gssapi.h>
27 #include <gssapi/gssapi_krb5.h>
28
29 #include "http_auth.h"
30 #include "base.h"
31 #include "log.h"
32 #include "md5.h"
33 #include "base64.h"
34 #include "response.h"
35
36 #include <errno.h>
37 #include <stdlib.h>
38 #include <string.h>
39
40 typedef struct {
41 buffer *auth_gssapi_keytab;
42 buffer *auth_gssapi_principal;
43 } plugin_config;
44
45 typedef struct {
46 PLUGIN_DATA;
47 plugin_config **config_storage;
48 plugin_config conf;
49 } plugin_data;
50
51 static handler_t mod_authn_gssapi_check(server *srv, connection *con, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend);
52 static handler_t mod_authn_gssapi_basic(server *srv, connection *con, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw);
53
54 INIT_FUNC(mod_authn_gssapi_init) {
55 static http_auth_scheme_t http_auth_scheme_gssapi =
56 { "gssapi", mod_authn_gssapi_check, NULL };
57 static http_auth_backend_t http_auth_backend_gssapi =
58 { "gssapi", mod_authn_gssapi_basic, NULL, NULL };
59 plugin_data *p = calloc(1, sizeof(*p));
60
61 /* register http_auth_scheme_gssapi and http_auth_backend_gssapi */
62 http_auth_scheme_gssapi.p_d = p;
63 http_auth_scheme_set(&http_auth_scheme_gssapi);
64 http_auth_backend_gssapi.p_d = p;
65 http_auth_backend_set(&http_auth_backend_gssapi);
66
67 return p;
68 }
69
70 FREE_FUNC(mod_authn_gssapi_free) {
71 plugin_data *p = p_d;
72
73 UNUSED(srv);
74
75 if (!p) return HANDLER_GO_ON;
76
77 if (p->config_storage) {
78 size_t i;
79 for (i = 0; i < srv->config_context->used; i++) {
80 plugin_config *s = p->config_storage[i];
81
82 if (NULL == s) continue;
83
84 buffer_free(s->auth_gssapi_keytab);
85 buffer_free(s->auth_gssapi_principal);
86
87 free(s);
88 }
89 free(p->config_storage);
90 }
91
92 free(p);
93
94 return HANDLER_GO_ON;
95 }
96
97 SETDEFAULTS_FUNC(mod_authn_gssapi_set_defaults) {
98 plugin_data *p = p_d;
99 size_t i;
100 config_values_t cv[] = {
101 { "auth.backend.gssapi.keytab", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
102 { "auth.backend.gssapi.principal", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
103 { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
104 };
105
106 p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *));
107
108 for (i = 0; i < srv->config_context->used; i++) {
109 data_config const* config = (data_config const*)srv->config_context->data[i];
110 plugin_config *s;
111
112 s = calloc(1, sizeof(plugin_config));
113
114 s->auth_gssapi_keytab = buffer_init();
115 s->auth_gssapi_principal = buffer_init();
116
117 cv[0].destination = s->auth_gssapi_keytab;
118 cv[1].destination = s->auth_gssapi_principal;
119
120 p->config_storage[i] = s;
121
122 if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
123 return HANDLER_ERROR;
124 }
125 }
126
127 return HANDLER_GO_ON;
128 }
129
130 #define PATCH(x) \
131 p->conf.x = s->x;
132 static int mod_authn_gssapi_patch_connection(server *srv, connection *con, plugin_data *p)
133 {
134 size_t i, j;
135 plugin_config *s = p->config_storage[0];
136
137 PATCH(auth_gssapi_keytab);
138 PATCH(auth_gssapi_principal);
139
140 /* skip the first, the global context */
141 for (i = 1; i < srv->config_context->used; i++) {
142 data_config *dc = (data_config *)srv->config_context->data[i];
143 s = p->config_storage[i];
144
145 /* condition didn't match */
146 if (!config_check_cond(srv, con, dc)) continue;
147
148 /* merge config */
149 for (j = 0; j < dc->value->used; j++) {
150 data_unset *du = dc->value->data[j];
151
152 if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.gssapi.keytab"))) {
153 PATCH(auth_gssapi_keytab);
154 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.gssapi.principal"))) {
155 PATCH(auth_gssapi_principal);
156 }
157 }
158 }
159
160 return 0;
161 }
162 #undef PATCH
163
164 static handler_t mod_authn_gssapi_send_400_bad_request (server *srv, connection *con)
165 {
166 UNUSED(srv);
167 con->http_status = 400;
168 con->mode = DIRECT;
169 return HANDLER_FINISHED;
170 }
171
172 static void mod_authn_gssapi_log_gss_error(server *srv, const char *file, unsigned int line, const char *func, const char *extra, OM_uint32 err_maj, OM_uint32 err_min)
173 {
174 buffer * const msg = buffer_init_string(func);
175 OM_uint32 maj_stat, min_stat;
176 OM_uint32 msg_ctx = 0;
177 gss_buffer_desc status_string;
178
179 buffer_append_string_len(msg, CONST_STR_LEN("("));
180 if (extra) buffer_append_string(msg, extra);
181 buffer_append_string_len(msg, CONST_STR_LEN("):"));
182
183 do {
184 maj_stat = gss_display_status(&min_stat, err_maj, GSS_C_GSS_CODE,
185 GSS_C_NO_OID, &msg_ctx, &status_string);
186 if (GSS_ERROR(maj_stat))
187 break;
188
189 buffer_append_string(msg, status_string.value);
190 gss_release_buffer(&min_stat, &status_string);
191
192 maj_stat = gss_display_status(&min_stat, err_min, GSS_C_MECH_CODE,
193 GSS_C_NULL_OID, &msg_ctx, &status_string);
194 if (!GSS_ERROR(maj_stat)) {
195 buffer_append_string(msg, " (");
196 buffer_append_string(msg, status_string.value);
197 buffer_append_string(msg, ")");
198 gss_release_buffer(&min_stat, &status_string);
199 }
200 } while (!GSS_ERROR(maj_stat) && msg_ctx != 0);
201
202 log_error_write(srv, file, line, "b", msg);
203 buffer_free(msg);
204 }
205
206 static void mod_authn_gssapi_log_krb5_error(server *srv, const char *file, unsigned int line, const char *func, const char *extra, krb5_context context, int code)
207 {
208 UNUSED(context);
209 /*(extra might be NULL)*/
210 log_error_write(srv, file, line, "sssss", func, "(", extra, "):",
211 error_message(code));
212 }
213
214 static int mod_authn_gssapi_create_krb5_ccache(server *srv, connection *con, plugin_data *p, krb5_context kcontext, krb5_principal princ, krb5_ccache *ccache)
215 {
216 buffer * const kccname = buffer_init_string("FILE:/tmp/krb5cc_gssapi_XXXXXX");
217 char * const ccname = kccname->ptr + sizeof("FILE:")-1;
218 const size_t ccnamelen = buffer_string_length(kccname)-(sizeof("FILE:")-1);
219 /*(future: might consider using server.upload-dirs instead of /tmp)*/
220 /* coverity[secure_temp : FALSE] */
221 int fd = mkstemp(ccname);
222 if (fd < 0) {
223 log_error_write(srv, __FILE__, __LINE__, "ss", "mkstemp():", strerror(errno));
224 buffer_free(kccname);
225 return -1;
226 }
227 close(fd);
228
229 do {
230 krb5_error_code problem;
231
232 problem = krb5_cc_resolve(kcontext, kccname->ptr, ccache);
233 if (problem) {
234 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_resolve", NULL, kcontext, problem);
235 break;
236 }
237
238 problem = krb5_cc_initialize(kcontext, *ccache, princ);
239 if (problem) {
240 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_initialize", kccname->ptr, kcontext, problem);
241 break;
242 }
243
244 con->plugin_ctx[p->id] = kccname;
245
246 array_set_key_value(con->environment, CONST_STR_LEN("KRB5CCNAME"), ccname, ccnamelen);
247 array_set_key_value(con->request.headers, CONST_STR_LEN("X-Forwarded-Keytab"), ccname, ccnamelen);
248
249 return 0;
250
251 } while (0);
252
253 if (*ccache) {
254 krb5_cc_destroy(kcontext, *ccache);
255 *ccache = NULL;
256 }
257 unlink(ccname);
258 buffer_free(kccname);
259
260 return -1;
261 }
262
263 /*
264 * HTTP auth Negotiate
265 */
266
267 static handler_t mod_authn_gssapi_send_401_unauthorized_negotiate (server *srv, connection *con)
268 {
269 con->http_status = 401;
270 con->mode = DIRECT;
271 response_header_insert(srv, con, CONST_STR_LEN("WWW-Authenticate"), CONST_STR_LEN("Negotiate"));
272 return HANDLER_FINISHED;
273 }
274
275 static int mod_authn_gssapi_store_gss_creds(server *srv, connection *con, plugin_data *p, char *princ_name, gss_cred_id_t delegated_cred)
276 {
277 OM_uint32 maj_stat, min_stat;
278 krb5_principal princ = NULL;
279 krb5_ccache ccache = NULL;
280 krb5_error_code problem;
281 krb5_context context;
282
283 problem = krb5_init_context(&context);
284 if (problem) {
285 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_init_context", NULL, context, problem);
286 return 0;
287 }
288
289 problem = krb5_parse_name(context, princ_name, &princ);
290 if (problem) {
291 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_parse_name", NULL, context, problem);
292 goto end;
293 }
294
295 if (mod_authn_gssapi_create_krb5_ccache(srv, con, p, context, princ, &ccache))
296 goto end;
297
298 maj_stat = gss_krb5_copy_ccache(&min_stat, delegated_cred, ccache);
299 if (GSS_ERROR(maj_stat)) {
300 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_krb5_copy_ccache", princ_name, maj_stat, min_stat);
301 goto end;
302 }
303
304 krb5_cc_close(context, ccache);
305 krb5_free_principal(context, princ);
306 krb5_free_context(context);
307 return 1;
308
309 end:
310 if (princ)
311 krb5_free_principal(context, princ);
312 if (ccache)
313 krb5_cc_destroy(context, ccache);
314 krb5_free_context(context);
315
316 return 0;
317 }
318
319 static handler_t mod_authn_gssapi_check_spnego(server *srv, connection *con, plugin_data *p, const http_auth_require_t *require, const char *realm_str)
320 {
321 OM_uint32 st_major, st_minor, acc_flags;
322 gss_buffer_desc token_s = GSS_C_EMPTY_BUFFER;
323 gss_buffer_desc token_in = GSS_C_EMPTY_BUFFER;
324 gss_buffer_desc token_out = GSS_C_EMPTY_BUFFER;
325 gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL;
326 gss_cred_id_t client_cred = GSS_C_NO_CREDENTIAL;
327 gss_ctx_id_t context = GSS_C_NO_CONTEXT;
328 gss_name_t server_name = GSS_C_NO_NAME;
329 gss_name_t client_name = GSS_C_NO_NAME;
330
331 buffer *sprinc;
332 int ret = 0;
333
334 buffer *t_in = buffer_init();
335 if (!buffer_append_base64_decode(t_in, realm_str, strlen(realm_str), BASE64_STANDARD)) {
336 log_error_write(srv, __FILE__, __LINE__, "ss", "decoding GSSAPI authentication header failed", realm_str);
337 buffer_free(t_in);
338 return mod_authn_gssapi_send_400_bad_request(srv, con);
339 }
340
341 mod_authn_gssapi_patch_connection(srv, con, p);
342
343 {
344 /* ??? Should code = krb5_kt_resolve(kcontext, p->conf.auth_gssapi_keytab->ptr, &keytab);
345 * be used, instead of putenv() of KRB5_KTNAME=...? See mod_authn_gssapi_basic() */
346 /* ??? Should KRB5_KTNAME go into con->environment instead ??? */
347 /* ??? Should KRB5_KTNAME be added to mod_authn_gssapi_basic(), too? */
348 buffer ktname;
349 memset(&ktname, 0, sizeof(ktname));
350 buffer_copy_string(&ktname, "KRB5_KTNAME=");
351 buffer_append_string_buffer(&ktname, p->conf.auth_gssapi_keytab);
352 putenv(ktname.ptr);
353 /* ktname.ptr becomes part of the environment, do not free */
354 }
355
356 sprinc = buffer_init_buffer(p->conf.auth_gssapi_principal);
357 if (strchr(sprinc->ptr, '/') == NULL) {
358 /*(copy HTTP Host, omitting port if port is present)*/
359 /* ??? Should con->server_name be used if http_host not present?
360 * ??? What if con->server_name is not set?
361 * ??? Will this work below if IPv6 provided in Host? probably not */
362 if (!buffer_is_empty(con->request.http_host)) {
363 buffer_append_string(sprinc, "/");
364 buffer_append_string_len(sprinc, con->request.http_host->ptr, strcspn(con->request.http_host->ptr, ":"));
365 }
366 }
367 if (strchr(sprinc->ptr, '@') == NULL) {
368 buffer_append_string(sprinc, "@");
369 buffer_append_string_buffer(sprinc, require->realm);
370 }
371 /*#define GSS_C_NT_USER_NAME gss_nt_user_name*/
372 /*#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name*/
373 #define GSS_KRB5_NT_PRINCIPAL_NAME gss_nt_krb5_name
374
375 token_s.value = sprinc->ptr;
376 token_s.length = buffer_string_length(sprinc);
377 st_major = gss_import_name(&st_minor, &token_s, (gss_OID) GSS_KRB5_NT_PRINCIPAL_NAME, &server_name);
378 if (GSS_ERROR(st_major)) {
379 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_import_name", NULL, st_major, st_minor);
380 goto end;
381 }
382
383 memset(&token_s, 0, sizeof(token_s));
384 st_major = gss_display_name(&st_minor, server_name, &token_s, NULL);
385 if (GSS_ERROR(st_major)) {
386 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_display_name", NULL, st_major, st_minor);
387 goto end;
388 }
389
390 /* acquire server's own credentials */
391 st_major = gss_acquire_cred(&st_minor, server_name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, GSS_C_ACCEPT, &server_cred, NULL, NULL);
392 if (GSS_ERROR(st_major)) {
393 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_acquire_cred", sprinc->ptr, st_major, st_minor);
394 goto end;
395 }
396
397 /* accept the user's context */
398 token_in.length = buffer_string_length(t_in);
399 token_in.value = t_in->ptr;
400 st_major = gss_accept_sec_context(&st_minor, &context, server_cred, &token_in, GSS_C_NO_CHANNEL_BINDINGS,
401 &client_name, NULL, &token_out, &acc_flags, NULL, &client_cred);
402 if (GSS_ERROR(st_major)) {
403 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_accept_sec_context", NULL, st_major, st_minor);
404 goto end;
405 }
406
407 /* fetch the username */
408 st_major = gss_display_name(&st_minor, client_name, &token_out, NULL);
409 if (GSS_ERROR(st_major)) {
410 mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_display_name", NULL, st_major, st_minor);
411 goto end;
412 }
413
414 if (!(acc_flags & GSS_C_CONF_FLAG)) {
415 log_error_write(srv, __FILE__, __LINE__, "ss", "No confidentiality for user:", token_out.value);
416 goto end;
417 }
418
419 if (!(acc_flags & GSS_C_DELEG_FLAG)) {
420 log_error_write(srv, __FILE__, __LINE__, "ss", "Unable to delegate credentials for user:", token_out.value);
421 goto end;
422 }
423
424 /* check the allow-rules */
425 if (!http_auth_match_rules(require, token_out.value, NULL, NULL)) {
426 goto end;
427 }
428
429 ret = mod_authn_gssapi_store_gss_creds(srv, con, p, token_out.value, client_cred);
430 if (ret)
431 http_auth_setenv(con->environment, token_out.value, token_out.length, CONST_STR_LEN("GSSAPI"));
432
433 end:
434 buffer_free(t_in);
435 buffer_free(sprinc);
436
437 if (context != GSS_C_NO_CONTEXT)
438 gss_delete_sec_context(&st_minor, &context, GSS_C_NO_BUFFER);
439
440 if (client_cred != GSS_C_NO_CREDENTIAL)
441 gss_release_cred(&st_minor, &client_cred);
442 if (server_cred != GSS_C_NO_CREDENTIAL)
443 gss_release_cred(&st_minor, &server_cred);
444
445 if (client_name != GSS_C_NO_NAME)
446 gss_release_name(&st_minor, &client_name);
447 if (server_name != GSS_C_NO_NAME)
448 gss_release_name(&st_minor, &server_name);
449
450 if (token_s.length)
451 gss_release_buffer(&st_minor, &token_s);
452 /* if (token_in.length)
453 * gss_release_buffer(&st_minor, &token_in); */
454 if (token_out.length)
455 gss_release_buffer(&st_minor, &token_out);
456
457 return ret ? HANDLER_GO_ON : mod_authn_gssapi_send_401_unauthorized_negotiate(srv, con);
458 }
459
460 static handler_t mod_authn_gssapi_check (server *srv, connection *con, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend)
461 {
462 data_string * const ds =
463 (data_string *)array_get_element(con->request.headers, "Authorization");
464
465 UNUSED(backend);
466 if (NULL == ds || buffer_is_empty(ds->value)) {
467 return mod_authn_gssapi_send_401_unauthorized_negotiate(srv, con);
468 }
469
470 if (0 != strncasecmp(ds->value->ptr, "Negotiate ", sizeof("Negotiate ")-1)) {
471 return mod_authn_gssapi_send_400_bad_request(srv, con);
472 }
473
474 return mod_authn_gssapi_check_spnego(srv, con, (plugin_data *)p_d, require, ds->value->ptr+sizeof("Negotiate ")-1);
475 }
476
477 /*
478 * HTTP auth Basic realm="kerberos"
479 */
480
481 static krb5_error_code mod_authn_gssapi_verify_krb5_init_creds(server *srv, krb5_context context, krb5_creds *creds, krb5_principal ap_req_server, krb5_keytab ap_req_keytab)
482 {
483 krb5_error_code ret;
484 krb5_data req;
485 krb5_ccache local_ccache = NULL;
486 krb5_creds *new_creds = NULL;
487 krb5_auth_context auth_context = NULL;
488 krb5_keytab keytab = NULL;
489 char *server_name;
490
491 memset(&req, 0, sizeof(req));
492
493 if (ap_req_keytab == NULL) {
494 ret = krb5_kt_default(context, &keytab);
495 if (ret)
496 return ret;
497 } else
498 keytab = ap_req_keytab;
499
500 ret = krb5_cc_resolve(context, "MEMORY:", &local_ccache);
501 if (ret) {
502 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_cc_resolve() failed when verifying KDC");
503 /* return ret; */
504 goto end;
505 }
506
507 ret = krb5_cc_initialize(context, local_ccache, creds->client);
508 if (ret) {
509 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_cc_initialize() failed when verifying KDC");
510 goto end;
511 }
512
513 ret = krb5_cc_store_cred(context, local_ccache, creds);
514 if (ret) {
515 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_cc_store_cred() failed when verifying KDC");
516 goto end;
517 }
518
519 ret = krb5_unparse_name(context, ap_req_server, &server_name);
520 if (ret) {
521 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_unparse_name() failed when verifying KDC");
522 goto end;
523 }
524 krb5_free_unparsed_name(context, server_name);
525
526 if (!krb5_principal_compare(context, ap_req_server, creds->server)) {
527 krb5_creds match_cred;
528
529 memset(&match_cred, 0, sizeof(match_cred));
530
531 match_cred.client = creds->client;
532 match_cred.server = ap_req_server;
533
534 ret = krb5_get_credentials(context, 0, local_ccache, &match_cred, &new_creds);
535 if (ret) {
536 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_get_credentials() failed when verifying KDC");
537 goto end;
538 }
539 creds = new_creds;
540 }
541
542 ret = krb5_mk_req_extended(context, &auth_context, 0, NULL, creds, &req);
543 if (ret) {
544 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_mk_req_extended() failed when verifying KDC");
545 goto end;
546 }
547
548 krb5_auth_con_free(context, auth_context);
549 auth_context = NULL;
550 ret = krb5_auth_con_init(context, &auth_context);
551 if (ret) {
552 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_auth_con_init() failed when verifying KDC");
553 goto end;
554 }
555
556 /* use KRB5_AUTH_CONTEXT_DO_SEQUENCE to skip replay cache checks */
557 krb5_auth_con_setflags(context, auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE);
558 ret = krb5_rd_req(context, &auth_context, &req, ap_req_server, keytab, 0, NULL);
559 if (ret) {
560 log_error_write(srv, __FILE__, __LINE__, "s", "krb5_rd_req() failed when verifying KDC");
561 goto end;
562 }
563
564 end:
565 krb5_free_data_contents(context, &req);
566 if (auth_context)
567 krb5_auth_con_free(context, auth_context);
568 if (new_creds)
569 krb5_free_creds(context, new_creds);
570 if (ap_req_keytab == NULL && keytab)
571 krb5_kt_close(context, keytab);
572 if (local_ccache)
573 krb5_cc_destroy(context, local_ccache);
574
575 return ret;
576 }
577
578 static int mod_authn_gssapi_store_krb5_creds(server *srv, connection *con, plugin_data *p,
579 krb5_context kcontext, krb5_ccache delegated_cred)
580 {
581 krb5_error_code problem;
582 krb5_principal princ = NULL;
583 krb5_ccache ccache = NULL;
584
585 problem = krb5_cc_get_principal(kcontext, delegated_cred, &princ);
586 if (problem) {
587 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_get_principal", NULL, kcontext, problem);
588 goto end;
589 }
590
591 if (mod_authn_gssapi_create_krb5_ccache(srv, con, p, kcontext, princ, &ccache)) {
592 goto end;
593 }
594
595 problem = krb5_cc_copy_creds(kcontext, delegated_cred, ccache);
596 if (problem) {
597 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_copy_creds", NULL, kcontext, problem);
598 goto end;
599 }
600
601 krb5_free_principal(kcontext, princ);
602 krb5_cc_close(kcontext, ccache);
603 return 0;
604
605 end:
606 if (princ)
607 krb5_free_principal(kcontext, princ);
608 if (ccache)
609 krb5_cc_destroy(kcontext, ccache);
610 return -1;
611 }
612
613 static handler_t mod_authn_gssapi_send_401_unauthorized_basic (server *srv, connection *con)
614 {
615 con->http_status = 401;
616 con->mode = DIRECT;
617 response_header_insert(srv, con, CONST_STR_LEN("WWW-Authenticate"), CONST_STR_LEN("Basic realm=\"Kerberos\""));
618 return HANDLER_FINISHED;
619 }
620
621 static handler_t mod_authn_gssapi_basic(server *srv, connection *con, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw)
622 {
623 krb5_context kcontext = NULL;
624 krb5_keytab keytab = NULL;
625 krb5_principal s_princ = NULL;
626 krb5_principal c_princ = NULL;
627 krb5_creds c_creds;
628 krb5_ccache c_ccache = NULL;
629 krb5_ccache ret_ccache = NULL;
630 krb5_error_code code;
631 int ret;
632 buffer *sprinc;
633 buffer *user_at_realm = NULL;
634 plugin_data * const p = (plugin_data *)p_d;
635
636 if (*pw == '\0') {
637 log_error_write(srv, __FILE__, __LINE__, "s", "Empty passwords are not accepted");
638 return mod_authn_gssapi_send_401_unauthorized_basic(srv, con);
639 }
640
641 mod_authn_gssapi_patch_connection(srv, con, p);
642
643 code = krb5_init_context(&kcontext);
644 if (code) {
645 log_error_write(srv, __FILE__, __LINE__, "sd", "krb5_init_context():", code);
646 return mod_authn_gssapi_send_401_unauthorized_basic(srv, con); /*(well, should be 500)*/
647 }
648
649 code = krb5_kt_resolve(kcontext, p->conf.auth_gssapi_keytab->ptr, &keytab);
650 if (code) {
651 log_error_write(srv, __FILE__, __LINE__, "sdb", "krb5_kt_resolve():", code, p->conf.auth_gssapi_keytab);
652 return mod_authn_gssapi_send_401_unauthorized_basic(srv, con); /*(well, should be 500)*/
653 }
654
655 sprinc = buffer_init_buffer(p->conf.auth_gssapi_principal);
656 if (strchr(sprinc->ptr, '/') == NULL) {
657 /*(copy HTTP Host, omitting port if port is present)*/
658 /* ??? Should con->server_name be used if http_host not present?
659 * ??? What if con->server_name is not set?
660 * ??? Will this work below if IPv6 provided in Host? probably not */
661 if (!buffer_is_empty(con->request.http_host)) {
662 buffer_append_string(sprinc, "/");
663 buffer_append_string_len(sprinc, con->request.http_host->ptr, strcspn(con->request.http_host->ptr, ":"));
664 }
665 }
666
667 /*(init c_creds before anything which might krb5_free_cred_contents())*/
668 memset(&c_creds, 0, sizeof(c_creds));
669
670 ret = krb5_parse_name(kcontext, sprinc->ptr, &s_princ);
671 if (ret) {
672 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_parse_name", sprinc->ptr, kcontext, ret);
673 ret = -1;
674 goto end;
675 }
676
677 if (strchr(username->ptr, '@') == NULL) {
678 user_at_realm = buffer_init_buffer(username);
679 BUFFER_APPEND_STRING_CONST(user_at_realm, "@");
680 buffer_append_string_buffer(user_at_realm, require->realm);
681 }
682
683 ret = krb5_parse_name(kcontext, (user_at_realm ? user_at_realm->ptr : username->ptr), &c_princ);
684 if (ret) {
685 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_parse_name", (user_at_realm ? user_at_realm->ptr : username->ptr), kcontext, ret);
686 if (user_at_realm) buffer_free(user_at_realm);
687 ret = -1;
688 goto end;
689 }
690 if (user_at_realm) buffer_free(user_at_realm);
691 /* XXX: if the qualified username with @realm should be in REMOTE_USER,
692 * then http_auth_backend_t basic interface needs to change to pass
693 * modifiable buffer *username, but note that const char *pw follows
694 * in the truncated buffer *username, so pw would need to be copied
695 * before modifying buffer *username */
696
697 /*
698 * char *name = NULL;
699 * ret = krb5_unparse_name(kcontext, c_princ, &name);
700 * if (ret == 0) {
701 * log_error_write(srv, __FILE__, __LINE__, "sbss", "Trying to get TGT for user:", username, "password:", pw);
702 * }
703 * krb5_free_unparsed_name(kcontext, name);
704 */
705
706 ret = krb5_get_init_creds_password(kcontext, &c_creds, c_princ, pw, NULL, NULL, 0, NULL, NULL);
707 if (ret) {
708 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_get_init_creds_password", NULL, kcontext, ret);
709 goto end;
710 }
711
712 ret = mod_authn_gssapi_verify_krb5_init_creds(srv, kcontext, &c_creds, s_princ, keytab);
713 if (ret) {
714 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "mod_authn_gssapi_verify_krb5_init_creds", NULL, kcontext, ret);
715 goto end;
716 }
717
718 ret = krb5_cc_resolve(kcontext, "MEMORY:", &ret_ccache);
719 if (ret) {
720 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_resolve", NULL, kcontext, ret);
721 goto end;
722 }
723
724 ret = krb5_cc_initialize(kcontext, ret_ccache, c_princ);
725 if (ret) {
726 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_initialize", NULL, kcontext, ret);
727 goto end;
728 }
729
730 ret = krb5_cc_store_cred(kcontext, ret_ccache, &c_creds);
731 if (ret) {
732 mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_store_cred", NULL, kcontext, ret);
733 goto end;
734 }
735
736 c_ccache = ret_ccache;
737 ret_ccache = NULL;
738
739 end:
740
741 krb5_free_cred_contents(kcontext, &c_creds);
742 if (ret_ccache)
743 krb5_cc_destroy(kcontext, ret_ccache);
744
745 if (!ret && c_ccache && (ret = mod_authn_gssapi_store_krb5_creds(srv, con, p, kcontext, c_ccache))) {
746 log_error_write(srv, __FILE__, __LINE__, "sb", "mod_authn_gssapi_store_krb5_creds failed for", username);
747 }
748
749 buffer_free(sprinc);
750 if (c_princ)
751 krb5_free_principal(kcontext, c_princ);
752 if (s_princ)
753 krb5_free_principal(kcontext, s_princ);
754 if (c_ccache)
755 krb5_cc_destroy(kcontext, c_ccache);
756 if (keytab)
757 krb5_kt_close(kcontext, keytab);
758
759 krb5_free_context(kcontext);
760
761 if (0 == ret && http_auth_match_rules(require,username->ptr,NULL,NULL)){
762 return HANDLER_GO_ON;
763 }
764 else {
765 /* ret == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN or no authz rules match */
766 log_error_write(srv, __FILE__, __LINE__, "sbsBsB", "password doesn't match for", con->uri.path, "username:", username, ", IP:", con->dst_addr_buf);
767 return mod_authn_gssapi_send_401_unauthorized_basic(srv, con);
768 }
769 }
770
771
772 CONNECTION_FUNC(mod_authn_gssapi_handle_reset) {
773 plugin_data *p = (plugin_data *)p_d;
774 buffer *kccname = (buffer *)con->plugin_ctx[p->id];
775 if (NULL != kccname) {
776 con->plugin_ctx[p->id] = NULL;
777 unlink(kccname->ptr+sizeof("FILE:")-1);
778 buffer_free(kccname);
779 }
780
781 UNUSED(srv);
782 return HANDLER_GO_ON;
783 }
784
785 int mod_authn_gssapi_plugin_init(plugin *p);
786 int mod_authn_gssapi_plugin_init(plugin *p) {
787 p->version = LIGHTTPD_VERSION_ID;
788 p->name = buffer_init_string("authn_gssapi");
789 p->init = mod_authn_gssapi_init;
790 p->set_defaults= mod_authn_gssapi_set_defaults;
791 p->cleanup = mod_authn_gssapi_free;
792 p->connection_reset = mod_authn_gssapi_handle_reset;
793
794 p->data = NULL;
795
796 return 0;
797 }
A fast webserver with minimal memory-footprint (lighttpd)