summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* Declare mag_complete outside the ifdef blockSimo Sorce2016-10-111-4/+4
| | | | | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Isaac Boukris <iboukris@gmail.com> Reviewed-by: Robbie Harwood <rharwood@redhat.com> Fixes #106 Closes #107
* Fix behavior of NULL ccname for cookie creationRobbie Harwood2016-08-151-1/+6
| | | | | | | | | | | This resolves an issue where the session cookie would not be populated when sesions were used but unique ccaches were not. Based on a report from Bhagavan Das. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Closes #98
* Add compatibility with OpenSSL 1.1.0Simo Sorce2016-07-061-31/+76
| | | | | | | | | In their continued wisdom OpenSSL developers keep breaking APIs left and right with very poor documentation and forward/backward source compatibility. Signed-off-by: Simo Sorce <simo@redhat.com> Closes #96 Closes #97
* Insure the asn1 definitions are in the tarballSimo Sorce2016-06-151-0/+2
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Close #95
* Move context loops to a helper functionSimo Sorce2016-06-151-110/+72
| | | | | | | | This work simplifies the calling code and reduces duplication. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Reviewed-by: Isaac Boukris <iboukris@gmail.com> Close #94
* Postpone adding spnego mech to mech listSimo Sorce2016-06-091-23/+65
| | | | | | | | | | | Add the SPNEGO mech oid only if we are performing negotiate auth. This cacthes earlier, with a hard failure, the case where a mechanism defined on the command line is not available, by checking if there are any desired mechs. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Isaac Boukris <iboukris@gmail.com> Close #93
* Add support for GssapiImpersonate.Jan Pazdziora2016-06-092-1/+157
| | | | | | | | | | | | | | | | This is can be enabled on locations that are authenticated by another module to obtain a ticket for the user, so that the application gets access to krb5 credentials and all named attributes for the client. The service needs to be authorized by the KDC if there is the need to use credentials for further ticket acquisition by setting the ok_to_auth_as_delegate flag on the service principal. This will provide a forwardable ticket that can be used to obtain additional tickets via consrained delegation (also subkect to KDC access control). Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com> Signed-off-by: Simo Sorce <simo@redhat.com> Close #92
* Split the book keeping operations into a functionSimo Sorce2016-06-091-48/+66
| | | | | | | | | This will be used in a following patch that perform gssapi operations using a different path but need to perform the same bookj keeping as the main auth path. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jan Pazdziora <jpazdziora@redhat.com>
* Fix cred cache detectionSimo Sorce2016-06-091-3/+6
| | | | | | | | | The stat call was not using the full path name, therefore it was always failing. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jan Pazdziora <jpazdziora@redhat.com> Close #91
* Fix function name spellingSimo Sorce2016-06-091-2/+2
| | | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jan Pazdziora <jpazdziora@redhat.com> Close #90
* Do not use ap_hook_check_user_id on Apache 2.4Jan Pazdziora2016-06-021-0/+5
| | | | | | | | On Apache 2.4 this method is deprecated, use the recommended hook. Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Close #84
* Obey SessionMaxAge for session expirationMatt Rogers2016-05-251-0/+6
| | | | | | | | | Set the session and cookie expiration to the mod_session SessionMaxAge expiry time, if it is shorter than the credential lifetime. Signed-off-by: Matt Rogers <mrogers@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Closes #82
* Implement unique ccache namesRobbie Harwood2016-05-189-34/+90
| | | | | | | | | | | Unique ccache names may be requested using the GssapiDelegCcacheUnique configuration option. This option is off by default. If both unique ccache names and session use are enabled, then a mechanism for removing old ccaches must be supplied. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Also-authored-by: Petr Vobornik <pvoborni@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Unify copyright conventionRobbie Harwood2016-05-188-30/+8
| | | | | Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix APXS error "cannot determine bootstrap symbol name"Dennis Schridde2016-04-121-1/+1
| | | | | | | | | | | | | | | Maybe related to out-of-source builds? ``` test -d /target/usr/lib/apache2/modules || mkdir -p /target/usr/lib/apache2/modules /usr/bin/apxs2 -i -S LIBEXECDIR=/target/usr/lib/apache2/modules mod_auth_gssapi.la apxs:Error: Sorry, cannot determine bootstrap symbol name. apxs:Error: Please specify one with option `-n'. Makefile:725: recipe for target 'install-exec-local' failed ``` Reviewed-by: Simo Sorce <simo@redhat.com> Close #79
* Respect DESTDIR when installing Apache moduleDennis Schridde2016-04-121-2/+2
| | | | | Reviewed-by: Simo Sorce <simo@redhat.com> Close #78
* Cleanup s4u2proxy in mag_auth_basicIsaac Boukris2016-02-171-18/+4
| | | | | | | | | | | | | | It doesn't have any effect since we set GSS_C_DELEG_FLAG when we initiate client credentials so we always get delegated TGT regardless of constrained delegation. This commit is not intended to change the current behaviour. See #70 Reviewed-by: Simo Sorce <simo@redhat.com> Closes #70 Closes #72
* Add option to not send a Negotiate headersJames Groffen2016-02-172-5/+23
| | | | | | | | | | | | | | | | If negotiation was attempted but failed do not send a new Negotiate header. Useful when only one single sign on mechanism is allowed and to avoid misleading login prompts in some browsers. Added a test of the GssapiDontReauth option to the test suite. Also added SPNEGO no auth test. [SS: reworded and fixed commit subject/comment] [SS: fixed whitespace errors and 80 column wrappings] Reviewed-by: Simo Sorce <simo@redhat.com> Close #65
* Fix potential loop when requesting attribute data.Simo Sorce2016-01-141-1/+1
| | | | | | | | | | If this function fail we are better off abandoning the whole quest, continueing here may end us up in an infinite loop where the fucntion keeps failing w/o changing attr.more Thanks to Alejandro Perez for finding this flaw. Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix build when cred store is not available.Simo Sorce2016-01-132-0/+4
| | | | | | Older distributions have versions of Kerberos that miss this feature. Signed-off-by: Simo Sorce <simo@redhat.com>
* Prevent potential null pointer dereferenceJames Groffen2016-01-111-0/+4
| | | | | | | | | | | This commit adds checks to ensure cfg->name_attributes is not null before it is used in mag_get_name_attributes. (Reworded commit message) Reviewed-by: Simo Sorce <simo@redhat.com> Close #64
* Add code to set attribute names in the environmentname_attrsSimo Sorce2015-12-034-3/+335
| | | | | | | | | | | | This code allows to specify which attributes in a name are interesting to the application and set them as named environemnt variables. Optionally the whole set of attributes can be exported in a json formatted structure. Signed-off-by: Simo Sorce <simo@redhat.com> Close #62 Close #63
* Move setting request data to a separate fileSimo Sorce2015-12-026-90/+94
| | | | | | In preparation for the next commit. Signed-off-by: Simo Sorce <simo@redhat.com>
* Negate established flag if session is expired.davisd1232015-10-051-0/+1
| | | | | | | | If the session is expired, then set established to false to force re-authentication. Reviewed-by: Simo Sorce <simo@redhat.com> Close #57
* Fix include path to asn1c for out-of-source buildsDennis Schridde2015-09-031-1/+1
| | | | | Reviewed-by: Simo Sorce <simo@redhat.com> Closes #55
* Fix bug in handling Session KeysSimo Sorce2015-09-031-1/+1
| | | | | | | | A check inversion in 86661d07812b010b8cf664c2dab596be15ff1e31 caused the specified session key to be ignored and a crash when none was specified. Signed-off-by: Simo Sorce <simo@redhat.com>
* Allow building without NTLMSSP supportSimo Sorce2015-09-032-13/+27
| | | | | | | | | | | | | If gssapi/gssapi_ntlmssp.h is not available simply disable NTLMSSP. Coauthored Signed-off-by: Dennis Schridde <dennis.schridde@uni-heidelberg.de> Signed-off-by: Simo Sorce <simo@redhat.com> Closes #52 Closes #53 Closes #54
* Do not use /tmp as default for s4u2proxySimo Sorce2015-08-311-4/+14
| | | | | | | | | | The /tmp directory can lead to bugs and DoS of the apache process because any user on the system can block the creation of predictable file names. Simply error out if GssapiDelegCcacheDir is not explicitly set. Signed-off-by: Simo Sorce <simo@redhat.com>
* Allocate new keys at server startup.Simo Sorce2015-08-304-39/+44
| | | | | | | | This avoids a potential race condition if the first 2 request come in at the same time. It also avoids issues with forked apapche processes which may end up with different keys per fork. Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix incorrect free() usageSimo Sorce2015-08-301-5/+1
| | | | | | | | This code has been changed to use apr pools for memory allocation, so the error path is wrong as free() is not called on malloc()ed memory anymore. Remove the calls to free(), the mempool is clean up by callers. Signed-off-by: Simo Sorce <simo@redhat.com>
* Support forward proxy authenticationIsaac Boukris2015-08-062-20/+53
| | | | | | | | Proxy auth headers are a little different. Sessions cannot be used as we cannot set a cookie. Reviewed-by: Simo Sorce <simo@redhat.com>
* Avoid advertising NTLM if it isn't technically supportedIsaac Boukris2015-08-061-3/+9
| | | | | | | | | | This lets browsers to fall back to basic auth if supported (similar to 4e7967e797e5c8912a67c0de8f172bb95b5172ff). Add boolean param to is_mech_allowed which denotes whether the caller supports multiple step. Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix checks on allowed mechsSimo Sorce2015-07-071-6/+6
| | | | | | | | | | | | | | We need to check if a mech is allowed against the desired_mechs set. Otherwise in case the admin does not explicitly specify an allowed set then all mechs are allowed, including NTLM. This causes annoying issues with browsers like Firefox and Chrome/ium which end up popping up an authentication dialog if they see NTLM is supported and they have no Kerberos tickets around. Authentication will then simply fail because NTLM is not actually supported. By using desired_mechs we use a list of mechanism the machine actually has a chance to support in the default case. Signed-off-by: Simo Sorce <simo@redhat.com>
* Retrieve default mechs at server initIsaac Boukris2015-06-252-34/+43
| | | | | | | | | | This avoids the need to retrieve the list on every auth attempt, and then free it every time. Implemented by adding a server config struct and populating it at server init with gss_indicate_mechs(). Reviewed-by: Simo Sorce <simo@redhat.com>
* Properly check return error when filtering mechsSimo Sorce2015-06-241-1/+4
| | | | | | | We need to fail only if the input was an actual set and instead we get back GSS_C_NO_OID_SET. In all other cases we are fine. Signed-off-by: Simo Sorce <simo@redhat.com>
* Fail server startup on bad mechanismsIsaac Boukris2015-06-241-6/+10
| | | | | | | This helps to detect mis-configurations early. Configuration errors are considered fatal in apache anyway. Reviewed-by: Simo Sorce <simo@redhat.com>
* Skip spnego filtering since we already filter itIsaac Boukris2015-06-231-6/+0
| | | | Reviewed-by: Simo Sorce <simo@redhat.com>
* Acquire server creds with given cred_usage rather than bothIsaac Boukris2015-06-231-1/+1
| | | | Reviewed-by: Simo Sorce <simo@redhat.com>
* Support allowing arbitrary mechanismsSimo Sorce2015-06-221-21/+50
| | | | | | | | | Use gss_str_to_oid so OIDs can be used to set arbitrary mechanism in allow lists like GssapiAllowedMech or GssapiBasicAuthMech. Closes #46 Signed-off-by: Simo Sorce <simo@redhat.com>
* Acquire creds only once for basic_authSimo Sorce2015-06-221-25/+26
| | | | | | | | | | Instead of acquiring creds by looping at each round, use gss_inquire_cred_by_mech() to work around the union_name issue and get the correct per-mechanism server name. Closes #45 Signed-off-by: Simo Sorce <simo@redhat.com>
* Set krb5 ccache only if krb5 is usedSimo Sorce2015-06-211-19/+37
| | | | | | | Check if the krb5 mechanism is present and only then set the cache, this avoid wasteful operations if we are not even using krb5. Signed-off-by: Simo Sorce <simo@redhat.com>
* Add GssapiBasicAuthMech optionSimo Sorce2015-06-202-22/+144
| | | | | | | | | This option allows to set a different list of mechanisms to use with Basic Auth (Basic Auth must be explicitly enabled) than the list of mechs that are allowed with Negotiate or Raw GSSAPI Client authentication. Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix Basic Auth with non-krb5 mechanismsSimo Sorce2015-06-191-55/+85
| | | | | | | | | | | Try each allowed mechanism explicitly in a loop including sourcing the server name per mechanism to insure the proper name type is used in the accept. Otherwise secondary mechanims will fail to work. Fixes #43 Signed-off-by: Simo Sorce <simo@redhat.com>
* Better handling of desired_mechsSimo Sorce2015-06-191-7/+12
| | | | | | | | | | | | | | | If no explicit allowed mechanism is set in configuration just ask GSSAPI for a list of known mechanisms and use that. Do not try to artificially acquire credentials as ultimatily all that does is just call gss_inidicate_mechs() internally. Do not store the result of gss_inidicate_mechs() on cfg->allowed_mechs as that would lead to a leak given that cfg->allowed_mechs is allocated on a memory pool, while gss_inidate_mechs()s results are not. Closes #44 Signed-off-by: Simo Sorce <simo@redhat.com>
* Enforce GssapiAllowedMech over raw gssapi mechsIsaac Boukris2015-06-191-0/+9
| | | | | | Implemented by aqcuiring creds only for allowed_mechs and by explicity adding spnego to the allowed_mechs set (while still restricting spengo only to the allowed mechanism as before).
* Always require authentication with basic authSimo Sorce2015-06-161-1/+3
| | | | | | | | | | | | When connection bound authentication is used, we must deny access if basci auth is used and a request does not have the basic auth header. Basic auth authenticate each and every request, so if it is missing this means such request is no more authenticated and we should not allow access based on our cached metadata in this case. Closes #41 Signed-off-by: Simo Sorce <simo@redhat.com>
* Move most of basic_auth handling to a functionSimo Sorce2015-06-161-126/+160
| | | | | | | | | | | Consolidate and simplify AUTH BASIC Handling - Part 3. By moving all the special operation one for auth basic into its own segment we make the code simpler (less exceptions) and more readable. Closes #39 Signed-off-by: Simo Sorce <simo@redhat.com>
* Separate basic auth loop from the main accept.Simo Sorce2015-06-161-37/+27
| | | | | | | | | Consolidate and simplify AUTH BASIC Handling - Part 2. By moving all the special operation one for auth basic into its own segment we make the code simpler (less exceptions) and more readable. Signed-off-by: Simo Sorce <simo@redhat.com>
* Move the initial part of basic auth processingSimo Sorce2015-06-161-49/+47
| | | | | | | | | Consolidate and simplify AUTH BASIC Handling - Part 1. By moving all the special operation one for auth basic into its own segment we make the code simpler (less exceptions) and more readable. Signed-off-by: Simo Sorce <simo@redhat.com>
* Improve mag_conn memory handlingSimo Sorce2015-06-163-23/+38
| | | | | | | | | | | | Create a pool just for the mag_conn structure, so that we can clear up all the memory used when a reset is necessary. This also fixes a segfault introduced by a previous patch where we mistakenly zeroed the whole structure including the memory pool pointer, which needs to be preserved. Closes #40 Signed-off-by: Simo Sorce <simo@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-26 19:29:21 +0000