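/* Copyright (C) 2014, 2016 mod_auth_gssapi contributors - See COPYING for (C) terms */

/*
 * Internal declarations shared by the mod_auth_gssapi sources: the
 * per-directory and per-server configuration records, the per-connection
 * authentication state carried between requests, and prototypes of helpers
 * that are declared here and defined in the module's other translation
 * units.  Field semantics below are stated only as far as the types and
 * names here establish them; the directive handlers and the authentication
 * code are the authoritative reference.
 */

#ifndef MOD_AUTH_GSSAPI_H
#define MOD_AUTH_GSSAPI_H

#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>

#define APR_WANT_STRFUNC
#include "apr_want.h"
#include <apr_strings.h>
#include <apr_base64.h>

#include <httpd.h>
#include <http_core.h>
#include <http_connection.h>
#include <http_log.h>
#include <http_request.h>
#include <mod_session.h>
#include <mod_ssl.h>

/* apache's httpd.h drags in empty PACKAGE_* variables.
 * undefine them to avoid annoying compile warnings as they
 * are re-defined in config.h */
#undef PACKAGE_BUGREPORT
#undef PACKAGE_NAME
#undef PACKAGE_STRING
#undef PACKAGE_TARNAME
#undef PACKAGE_VERSION
#include "config.h"

#include <gssapi/gssapi.h>
#include <gssapi/gssapi_ext.h>
#include <gssapi/gssapi_krb5.h>
#ifdef HAVE_GSSAPI_GSSAPI_NTLMSSP_H
# include <gssapi/gssapi_ntlmssp.h>
#endif

#include <ctype.h>
#include <pwd.h>
#include <grp.h>

#include "crypto.h"
#include "sessions.h"
#include "environ.h"

/* Lower bound, in seconds, for session validity. */
#define MIN_SESS_EXP_TIME 300 /* 5 minutes validity minimum */

/* Credential-store support needs both GSS-API extensions; either one
 * alone is not enough, so the feature is gated on the pair. */
#if defined(HAVE_GSS_ACQUIRE_CRED_FROM) && defined(HAVE_GSS_STORE_CRED_INTO)
# define HAVE_CRED_STORE 1
#endif

extern module AP_MODULE_DECLARE_DATA auth_gssapi_module;

/* Key string under which name-attribute data is stashed (presumably as
 * APR pool/request userdata - confirm against the users of this key). */
#define GSS_NAME_ATTR_USERDATA "GSS Name Attributes Userdata"

/* When the build did not detect ap_log_rdata(), every call to it expands
 * to nothing.  Its arguments are then never evaluated, so callers must not
 * rely on side effects inside the argument list. */
#ifndef HAVE_AP_LOG_RDATA
#define ap_log_rdata(...)
#endif

/* One mapping from a GSS name attribute to the environment variable
 * that receives its value. */
struct mag_na_map {
    char *env_name;
    char *attr_name;
};

/* Name-attribute export configuration; map[] holds map_count entries
 * (flexible array member, allocated together with the struct). */
struct mag_name_attributes {
    bool output_json;
    int map_count;
    struct mag_na_map map[];
};

/*
 * Per-directory configuration.  Most fields mirror configuration
 * directives of the same name; see the directive handlers for exact
 * meaning.  Only the type-level facts are noted here.
 */
struct mag_config {
    apr_pool_t *pool;
    bool ssl_only;
    bool map_to_local;
    bool gss_conn_ctx;
    bool send_persist;
    bool use_sessions;
#ifdef HAVE_CRED_STORE
    bool use_s4u2proxy;
    /* Delegated credential cache placement: directory, and the permission
     * bits / ownership applied to it (mode_t, uid_t, gid_t). */
    char *deleg_ccache_dir;
    mode_t deleg_ccache_mode;
    uid_t deleg_ccache_uid;
    gid_t deleg_ccache_gid;
    /* GSS-API credential store (key/value set) passed to the *_from / *_into
     * extensions gated by HAVE_CRED_STORE. */
    gss_key_value_set_desc *cred_store;
    bool deleg_ccache_unique;
    /* int rather than bool: presumably tri-state (unset/off/on) - confirm
     * in the directive handler. */
    int s4u2self;
    char *ccname_envvar;
#endif
    /* Sealing key for this directory; mag_server_config carries the
     * server-wide one (struct seal_key is declared in crypto.h). */
    struct seal_key *mag_skey;

    bool use_basic_auth;
    gss_OID_set_desc *allowed_mechs;
    gss_OID_set_desc *basic_mechs;
    bool negotiate_once;
    struct mag_name_attributes *name_attributes;
    const char *required_na_expr;
    int enverrs;
    int pubmech;
    gss_name_t acceptor_name;
    bool acceptor_name_from_req;
    uint32_t basic_timeout;
};

/* Per-server configuration. */
struct mag_server_config {
    gss_OID_set default_mechs;
    struct seal_key *mag_skey;
};

/* Effective configuration resolved for a single request: the request, its
 * directory config, and the values that can be overridden per request. */
struct mag_req_cfg {
    request_rec *req;
    struct mag_config *cfg;
    gss_OID_set desired_mechs;
    bool use_sessions;
    bool send_persist;
    const char *req_proto;
    const char *rep_proto;
    struct seal_key *mag_skey;
};

/* A single exported name attribute as a name/value pair. */
struct mag_attr {
    const char *name;
    const char *value;
};

/*
 * Authentication state for one connection (or one restored session).
 * Everything is pool-allocated from `pool`; `ctx` is the GSS-API security
 * context.  basic_hash is a databuf (crypto.h), presumably a digest of
 * Basic credentials used to avoid re-running the exchange - confirm in the
 * Basic-auth path before treating it as anything else.
 */
struct mag_conn {
    apr_pool_t *pool;
    gss_ctx_id_t ctx;
    bool established;
    const char *user_name;
    const char *gss_name;
    time_t expiration;
    int auth_type;
    bool delegated;
    struct databuf basic_hash;
    bool is_preserved;
    /* na_count presumably sizes the two required_* arrays and
     * name_attributes - confirm against the code that fills them. */
    int na_count;
    const char **required_name_attrs;
    const char **required_name_vals;
    struct mag_attr *name_attributes;
    const char *ccname;
    apr_table_t *env;
};

/* Strip const from a pointer by round-tripping it through uintptr_t.
 * Writing through the result is undefined behaviour if the pointed-to
 * object was itself defined const; use only to satisfy APIs that take a
 * non-const pointer but do not modify the data. */
#define discard_const(ptr) ((void *)((uintptr_t)(ptr)))

/* Allocate a zeroed/initialised connection context from pool (ownership
 * stays with the pool). */
struct mag_conn *mag_new_conn_ctx(apr_pool_t *pool);

/* Human-readable label for a mag_conn.auth_type value. */
const char *mag_str_auth_type(int auth_type);

/* Build a pool-allocated message combining msg with the GSS-API major and
 * minor status codes. */
char *mag_error(apr_pool_t *pool, const char *msg, uint32_t maj, uint32_t min);

/* Resolve a local user / group name to its id.  Both return an int status;
 * check the definitions for the exact success/failure convention before
 * testing the result. */
int mag_get_user_uid(const char *name, uid_t *uid);
int mag_get_group_gid(const char *name, gid_t *gid);

/* Compare a NUL-terminated string with a GSS buffer for equality.  Whether
 * the comparison is constant-time is not visible from this declaration;
 * check the implementation before relying on it for secret material. */
bool mag_strbuf_equal(const char *str, gss_buffer_t buf);

#endif /* MOD_AUTH_GSSAPI_H */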