mod_auth_gssapi.git - A GSSAPI based replacement for the aging mod_auth

	Commit message (Collapse)	Author	Age	Files	Lines
*	Add compatibility with OpenSSL 1.1.0	Simo Sorce	2016-07-06	1	-31/+76
\| \| \| \| \| \| \| \| \|	In their continued wisdom OpenSSL developers keep breaking APIs left and right with very poor documentation and forward/backward source compatibility. Signed-off-by: Simo Sorce <simo@redhat.com> Closes #96 Closes #97
*	Unify copyright convention	Robbie Harwood	2016-05-18	1	-1/+1
\| \| \| \| \|	Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
*	Fix incorrect free() usage	Simo Sorce	2015-08-30	1	-5/+1
\| \| \| \| \| \| \| \|	This code has been changed to use apr pools for memory allocation, so the error path is wrong as free() is not called on malloc()ed memory anymore. Remove the calls to free(), the mempool is clean up by callers. Signed-off-by: Simo Sorce <simo@redhat.com>
*	Optimize BASIC AUTH checks with sessions.	Simo Sorce	2015-06-13	1	-0/+9
\| \| \| \| \| \| \| \|	If sessions are enbled store a MAC of the password and use it to check if the password is the same on follow-up requests. If it is, avoid the whole gssapi dance and use the session data instead. Signed-off-by: Simo Sorce <simo@redhat.com>
*	Split HMAC_BUFFER out as a separate publi function	Simo Sorce	2015-06-13	1	-31/+38
\| \| \| \|	Signed-off-by: Simo Sorce <simo@redhat.com>
*	Revert "Use aes-256-gcm rather than aes-128-cbc"	Simo Sorce	2015-04-23	1	-64/+124
\| \| \| \| \| \| \| \| \| \| \|	This reverts commit e9c92795d87a316ea47f6bf37c9636e86eec57e7. AESGCM is a neat idea but it is not really appropriate to be used in mod_auth_gssapi because we cannot gurantee that the nonce will never be reused. It is not very probable, and it is also not easy to force the server to generate so many encyrpted sessions to have a good chance of a collision that I know of, but better to avoid the whole issue, than risk unforseen cases where it may happen.
*	Use aes-256-gcm rather than aes-128-cbc	Nathaniel McCallum	2015-03-10	1	-124/+64
\| \| \| \| \| \| \| \| \|	Also, remove all the manual HMAC code since it is no longer needed. The end result should be faster and stronger authenticated encryption. Closes #12 Reviewed-by: Simo Sorce <simo@redhat.com>
*	Fix random number generation	Simo Sorce	2015-03-10	1	-3/+3
\| \| \| \|	Untested code is broken code :(
*	Use apr function for random bytes	Simo Sorce	2015-03-10	1	-3/+3
\| \| \| \| \|	The apr function is thread safe while the OpenSSL one depdns on setting up custom locking, which is hard in a library.
*	Replace block size constants with actual block size	Nathaniel McCallum	2015-02-03	1	-6/+7
\|
*	Add permanent session keys support	Simo Sorce	2014-07-10	1	-24/+41
\| \| \| \| \| \| \| \| \|	Keys (encryption+MAC) can now be stored in apache configuration. The key must be a base64 encoded blob of original length of 32 bytes (16 bytes for encryption and 16 for the MAC key) The format is: key:<base64 blob>
*	Add mod_session support	Simo Sorce	2014-07-10	1	-0/+210
	By setting GssapiUseSessions we enable the module to store a bearer token with the user and gss names in the client, this way we can allow clients to perform authentication once but then remain authenticaed for the duration of the session or until the original credentials expire. The Secure cookie used to store the token is encrypted using a randomly generated AES key at process startup. This means multiple apache servers will not be able to use the same cookie, however the client will reauth transparently if the cookie cannot be read.