path: root/src
Commit message | Author | Age | Files | Lines
...
* Fix Basic Auth with non-krb5 mechanisms | Simo Sorce | 2015-06-19 | 1 | -55/+85
  Try each allowed mechanism explicitly in a loop including sourcing the server name per mechanism to ensure the proper name type is used in the accept. Otherwise secondary mechanisms will fail to work.
  Fixes #43
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Better handling of desired_mechs | Simo Sorce | 2015-06-19 | 1 | -7/+12
  If no explicit allowed mechanism is set in configuration just ask GSSAPI for a list of known mechanisms and use that. Do not try to artificially acquire credentials as ultimately all that does is just call gss_indicate_mechs() internally. Do not store the result of gss_indicate_mechs() on cfg->allowed_mechs as that would lead to a leak given that cfg->allowed_mechs is allocated on a memory pool, while gss_indicate_mechs()'s results are not.
  Closes #44
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Enforce GssapiAllowedMech over raw gssapi mechs | Isaac Boukris | 2015-06-19 | 1 | -0/+9
  Implemented by acquiring creds only for allowed_mechs and by explicitly adding spnego to the allowed_mechs set (while still restricting spnego only to the allowed mechanism as before).
* Always require authentication with basic auth | Simo Sorce | 2015-06-16 | 1 | -1/+3
  When connection bound authentication is used, we must deny access if basic auth is used and a request does not have the basic auth header. Basic auth authenticates each and every request, so if it is missing this means such request is no more authenticated and we should not allow access based on our cached metadata in this case.
  Closes #41
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Move most of basic_auth handling to a function | Simo Sorce | 2015-06-16 | 1 | -126/+160
  Consolidate and simplify AUTH BASIC Handling - Part 3. By moving all the special operation one for auth basic into its own segment we make the code simpler (less exceptions) and more readable.
  Closes #39
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Separate basic auth loop from the main accept. | Simo Sorce | 2015-06-16 | 1 | -37/+27
  Consolidate and simplify AUTH BASIC Handling - Part 2. By moving all the special operation one for auth basic into its own segment we make the code simpler (less exceptions) and more readable.
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Move the initial part of basic auth processing | Simo Sorce | 2015-06-16 | 1 | -49/+47
  Consolidate and simplify AUTH BASIC Handling - Part 1. By moving all the special operation one for auth basic into its own segment we make the code simpler (less exceptions) and more readable.
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Improve mag_conn memory handling | Simo Sorce | 2015-06-16 | 3 | -23/+38
  Create a pool just for the mag_conn structure, so that we can clear up all the memory used when a reset is necessary. This also fixes a segfault introduced by a previous patch where we mistakenly zeroed the whole structure including the memory pool pointer, which needs to be preserved.
  Closes #40
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix re-authentication when connection bound is on | Simo Sorce | 2015-06-14 | 1 | -8/+18
  When re-using a context on a connection, a re-authentication request may end up trying to use an established context handler to establish a new context. This will fail with an error in GSSAPI. Make sure to completely clean up the connection data when a brand new authentication needs to happen so that no data is mistakenly carried over. Note this may leak a small amount of data, but only if authentication is successful, so it is probably fine as is.
  Closes #38
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix connection/session bound auth | Isaac Boukris | 2015-06-14 | 1 | -0/+2
  A previous commit mistakenly removed the jump to the end with a successful error. Example scenario that is fixed with this patch:
  $ curl -v -u usera:passa http://myhost/ http://myhost/ --ntlm
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Use apr_pool_cleanup_register() to cleanup mc | Isaac Boukris | 2015-06-14 | 1 | -2/+2
  Instead of using apr_pool_userdata_set() since we don't use apr_pool_userdata_get() with the mag_conn_ptr, apr_pool_cleanup_register() seems cleaner.
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Make sure to release the ctx when no 'mc' available | Isaac Boukris | 2015-06-13 | 1 | -2/+3
  And some other cleanup adjustments.
* When an authorization header is sent, recheck auth | Simo Sorce | 2015-06-13 | 1 | -25/+32
  Except for BASIC AUTH, if a client sends an authorization header it means it wants to re-check authentication. So, if an authorization header is sent, go through the regular path and do not set request variables based on the session data. In case of Basic Auth we still use session data if user/pwd match the stored hash.
  Closes #22
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Store data in session as the last thing | Simo Sorce | 2015-06-13 | 1 | -3/+3
  mag_attempt_session() was being called too early.
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Avoid segfault when skey is not set in config | Simo Sorce | 2015-06-13 | 1 | -2/+20
  When the skey is generated on the fly, we will get an empty key on the very first auth attempt. If that uses basic auth then we'll segfault when trying to compute the hmac as we pass in a NULL key and immediately dereference it.
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Actually store basic_hash in the session data | Simo Sorce | 2015-06-13 | 4 | -4/+26
  Also fixes a segfault when mc->basic_hash.value is NULL
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Optimize BASIC AUTH checks with sessions. | Simo Sorce | 2015-06-13 | 6 | -6/+85
  If sessions are enabled store a MAC of the password and use it to check if the password is the same on follow-up requests. If it is, avoid the whole gssapi dance and use the session data instead.
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Split HMAC_BUFFER out as a separate public function | Simo Sorce | 2015-06-13 | 2 | -31/+40
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Set KRB5CCNAME on follow up requests with session | Simo Sorce | 2015-06-09 | 9 | -26/+412
  If the original context establishment delegated credentials, set the KRB5CCNAME variable to the proper file name for follow up connections that use the session to validate access.
  Closes #18
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Use a compiler to marshall/unmarshall the sessions | Simo Sorce | 2015-06-09 | 52 | -23/+10260
  This way changes are easier, all that is needed is to change the session.asn1 file to add or remove elements, and different session types can also be supported at the same time.
* Disable connection-bound for basic-auth | Isaac Boukris | 2015-06-08 | 1 | -0/+4
  Clients don't expect this and therefore might inappropriately reuse the connection for another user identity (with or without creds). This is currently more of an issue due to issue 22, example:
  curl -v http://myhost/ -u usera:passa --next http://myhost/ -u userb:passb
  Closes #36
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix segfault if req->main is NULL | Simo Sorce | 2015-06-06 | 1 | -1/+1
  Seen in the wild.
  Closes #35
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Allow raw NTLM authentication | Simo Sorce | 2015-06-03 | 2 | -38/+115
  Some clients may decide to use raw NTLM authentication instead of wrapping it into a Negotiate (SPNEGO) authentication request. If the NTLMSSP mechanism is allowed/supported then allow this request to be processed.
  Closes #23
* Add GssapiAllowedMech option | Simo Sorce | 2015-06-03 | 2 | -1/+59
  This option allows the admin to list the mechanisms that can be used for authentication. An empty list allows any locally supported mechanisms.
* Move acquire_cred functions into a helper | Simo Sorce | 2015-06-01 | 1 | -44/+35
  This makes the code more readable and easier to deal with. Side effect: now we always acquire credentials
  Signed-off-by: Simo Sorce <simo@redhat.com>
* More work on keeping cred_store functions optional | Simo Sorce | 2015-06-01 | 2 | -6/+21
  Some more definitions that depend on cred_store functions were not properly ifdef-ed
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix conditional support for gss_acquire_cred_from | Simo Sorce | 2015-06-01 | 1 | -1/+5
  This function is supported only on some GSSAPI versions. Keep it optional.
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Find the right server name when using basic auth | Simo Sorce | 2015-05-26 | 1 | -1/+31
  When S4U2Proxy is used in combination with Basic Auth, the gss_inquire_cred() call will return the client name instead of the server name we need. Detect this case and acquire a separate set of credentials in that case.
  Fixes #28
* Export only the symbol named auth_gssapi_module | Joe Orton | 2015-05-24 | 1 | -1/+2
  The only entry point into the module DSO is the module structure itself; use libtool's export-symbols linker trick to hide all the other global symbols, which otherwise are potentially visible outside the module itself (SEAL_* etc).
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Remove all uses of APLOG_NOERRNO | Joe Orton | 2015-05-24 | 1 | -28/+28
  This directive is deprecated and has no effect in all httpd 2.x releases.
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix typo. | Joe Orton | 2015-05-24 | 1 | -1/+1
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Drop OOM handling. | Joe Orton | 2015-05-24 | 1 | -41/+0
  In httpd/APR it is best practice to assume that memory allocation always succeeds, which simplifies module code. APR internally calls abort() if memory allocation ever actually fails, so in practice you cannot trigger these code paths anyway.
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Use the "ssl_is_https" definition from mod_ssl.h. | Joe Orton | 2015-05-24 | 2 | -2/+1
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Add GssapiSignalPersistentAuth directive | Isaac Boukris | 2015-05-24 | 2 | -0/+14
  Controls whether to send the Persistent-Auth header, and sets it only when necessary/appropriate
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Export variable with session expiration time | Simo Sorce | 2015-05-05 | 1 | -1/+8
  Closes #16
* Revert "Use aes-256-gcm rather than aes-128-cbc" | Simo Sorce | 2015-04-23 | 2 | -70/+130
  This reverts commit e9c92795d87a316ea47f6bf37c9636e86eec57e7.
  AESGCM is a neat idea but it is not really appropriate to be used in mod_auth_gssapi because we cannot guarantee that the nonce will never be reused. It is not very probable, and it is also not easy to force the server to generate so many encrypted sessions to have a good chance of a collision that I know of, but better to avoid the whole issue, than risk unforeseen cases where it may happen.
* Properly complete context establishment | Simo Sorce | 2015-04-19 | 1 | -18/+16
  On success do not forget to send the last negotiate packet (if any) to the client within the 200 Reply.
  Fixes #21
* Add support for delegate creds on basic auth | Simo Sorce | 2015-04-14 | 1 | -2/+9
  When doing fallback basic auth, we may also want to honor the configured directive about storing delegated credentials. Detect if we are configured to store them and set the appropriate init_sec_context flag that will cause the accept_sec_context call to get valid delegated credentials for later storage.
* Handle authentication on subrequests | Simo Sorce | 2015-03-31 | 1 | -4/+29
  In some cases (like during directory listing) Apache will re-run the authentication code. Many GSSAPI mechanisms have replay detection so we cannot simply rerun the accept_sec_context phase. Others require multiple steps. When authentication has already been established just implicitly consider the authentication successfully performed and copy the user name. Otherwise fail. If a subrequest hits a location with a different mod_auth_gssapi configuration warn but do not error off right away.
  Fixes #15
* Escape principal name to remove the path separator | Simo Sorce | 2015-03-26 | 1 | -2/+54
  The principal name is used as a file name, any embedded path separators are going to cause trouble if used in the file name, so we need to escape them away. Use ~ as the escape character (~~ to escape ~ itself)
  Fixes #14
* Use aes-256-gcm rather than aes-128-cbc | Nathaniel McCallum | 2015-03-10 | 2 | -130/+70
  Also, remove all the manual HMAC code since it is no longer needed. The end result should be faster and stronger authenticated encryption.
  Closes #12
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Do not free orig_ccache | Simo Sorce | 2015-03-10 | 1 | -5/+2
  It really is const memory referenced internally by MIT's gssapi. Freeing it will cause a segfault on the next invocation. This memory is kept in thread local storage and freed by gssapi itself as needed.
  Fixes #11
* Improve Basic Auth based logins | Simo Sorce | 2015-03-10 | 2 | -0/+41
  Set a per-thread Credentials Cache Name that will be thrown away once authentication is done. This handles both an issue with stomping on ccaches if two authentications happen in concurrent threads, as well as issues with gss_acquire_cred_with_password() reusing the ccache without actually performing an AS request.
  Fixes #11
* Fix random number generation | Simo Sorce | 2015-03-10 | 1 | -3/+3
  Untested code is broken code :(
* Use apr function for random bytes | Simo Sorce | 2015-03-10 | 1 | -3/+3
  The apr function is thread safe while the OpenSSL one depends on setting up custom locking, which is hard in a library.
* Remove forward basic auth and fix docs | Simo Sorce | 2015-03-06 | 2 | -31/+7
  Fixes #8
* Add support for handling Basic Auth | Simo Sorce | 2015-03-05 | 2 | -13/+171
  Support either passing Basic Auth Through to another module, or handling it directly through gss_acquire_cred_with_password()
  Fixes #8
* Do not leak acquired_cred | Simo Sorce | 2015-03-05 | 1 | -0/+1
* Replace block size constants with actual block size | Nathaniel McCallum | 2015-02-03 | 1 | -6/+7
* Fix error message copy&paste error [wip] | Simo Sorce | 2014-10-21 | 1 | -1/+1