mod_auth_gssapi.git - A GSSAPI based replacement for the aging mod_auth

	Commit message (Collapse)	Author	Age	Files	Lines
*	Improve mag_conn memory handling	Simo Sorce	2015-06-16	1	-9/+5
\| \| \| \| \| \| \| \| \| \| \| \|	Create a pool just for the mag_conn structure, so that we can clear up all the memory used when a reset is necessary. This also fixes a segfault introduced by a previous patch where we mistakenly zeroed the whole structure including the memory pool pointer, which needs to be preserved. Closes #40 Signed-off-by: Simo Sorce <simo@redhat.com>
*	Avoid segfault when skey is not set in config	Simo Sorce	2015-06-13	1	-2/+20
\| \| \| \| \| \| \| \|	When the skey is generated on the fly, we will get an empty key on the very first auth attempt. If that uses basic auth then we'll segfault when trying to compute the hmac as we pass in a NULL key and immediately dereference it. Signed-off-by: Simo Sorce <simo@redhat.com>
*	Actually store basic_hash in the session data	Simo Sorce	2015-06-13	1	-0/+10
\| \| \| \| \| \|	Also fixes a segfault when mc->basic_hash.value is NULL Signed-off-by: Simo Sorce <simo@redhat.com>
*	Optimize BASIC AUTH checks with sessions.	Simo Sorce	2015-06-13	1	-0/+55
\| \| \| \| \| \| \| \|	If sessions are enbled store a MAC of the password and use it to check if the password is the same on follow-up requests. If it is, avoid the whole gssapi dance and use the session data instead. Signed-off-by: Simo Sorce <simo@redhat.com>
*	Set KRB5CCNAME on follow up requests with session	Simo Sorce	2015-06-09	1	-0/+6
\| \| \| \| \| \| \| \| \| \|	If the original context establishment delegated credentials, set the KRB5CCNAME variable to the proper file name for follow up connections that uses the session to validate access. Closes #18 Signed-off-by: Simo Sorce <simo@redhat.com>
*	Use a compiler to marshall/unmarshall the sessions	Simo Sorce	2015-06-09	1	-23/+85
\| \| \| \| \| \|	This way changes are easier, all is needed is to change the session.asn1 file to add or remove elements, and different session types can also be supported at the same time.
*	Properly initialize logging	Simo Sorce	2014-10-13	1	-0/+2
\| \| \| \| \| \| \|	We need to call APLOG_USE_MODULE() so that the module name is reported properly in log lines, and per module logging level can be set. Fixes #6
*	Add permanent session keys support	Simo Sorce	2014-07-10	1	-1/+1
\| \| \| \| \| \| \| \| \|	Keys (encryption+MAC) can now be stored in apache configuration. The key must be a base64 encoded blob of original length of 32 bytes (16 bytes for encryption and 16 for the MAC key) The format is: key:<base64 blob>
*	Add mod_session support	Simo Sorce	2014-07-10	1	-0/+187
	By setting GssapiUseSessions we enable the module to store a bearer token with the user and gss names in the client, this way we can allow clients to perform authentication once but then remain authenticaed for the duration of the session or until the original credentials expire. The Secure cookie used to store the token is encrypted using a randomly generated AES key at process startup. This means multiple apache servers will not be able to use the same cookie, however the client will reauth transparently if the cookie cannot be read.