/* Copyright (C) 2014, 2016, 2020 mod_auth_gssapi contributors

 * See COPYING for (C) terms */

#include "mod_auth_gssapi.h"

#include "mag_parse.h"

const gss_OID_desc gss_mech_spnego = {

    6, "\x2b\x06\x01\x05\x05\x02"

};

#ifdef HAVE_GSSAPI_GSSAPI_NTLMSSP_H

const gss_OID_desc gss_mech_ntlmssp_desc = {

    GSS_NTLMSSP_OID_LENGTH, GSS_NTLMSSP_OID_STRING

};

gss_const_OID gss_mech_ntlmssp = &gss_mech_ntlmssp_desc;

const gss_OID_set_desc gss_mech_set_ntlmssp_desc = {

    1, discard_const(&gss_mech_ntlmssp_desc)

};

gss_const_OID_set gss_mech_set_ntlmssp = &gss_mech_set_ntlmssp_desc;

#else

gss_OID gss_mech_ntlmssp = GSS_C_NO_OID;

gss_OID_set gss_mech_set_ntlmssp = GSS_C_NO_OID_SET;

#endif

#define MOD_AUTH_GSSAPI_VERSION PACKAGE_NAME "/" PACKAGE_VERSION

module AP_MODULE_DECLARE_DATA auth_gssapi_module;

APLOG_USE_MODULE(auth_gssapi);

static char *mag_status(apr_pool_t *pool, int type, uint32_t err)

{

    uint32_t maj_ret, min_ret;

    gss_buffer_desc text;

    uint32_t msg_ctx;

    char *msg_ret;

    int len;

    msg_ret = NULL;

    msg_ctx = 0;

    do {

        maj_ret = gss_display_status(&min_ret, err, type,

                                     GSS_C_NO_OID, &msg_ctx, &text);

        if (maj_ret != GSS_S_COMPLETE) {

            return msg_ret;

        }

        len = text.length;

        if (msg_ret) {

            msg_ret = apr_psprintf(pool, "%s, %*s",

                                   msg_ret, len, (char *)text.value);

        } else {

            msg_ret = apr_psprintf(pool, "%*s", len, (char *)text.value);

        }

        gss_release_buffer(&min_ret, &text);

    } while (msg_ctx != 0);

    return msg_ret;

}

char *mag_error(apr_pool_t *pool, const char *msg, uint32_t maj, uint32_t min)

{

    char *msg_maj;

    char *msg_min;

    msg_maj = mag_status(pool, GSS_C_GSS_CODE, maj);

    msg_min = mag_status(pool, GSS_C_MECH_CODE, min);

    return apr_psprintf(pool, "%s: [%s (%s)]", msg, msg_maj, msg_min);

}

enum mag_err_code {

    MAG_NO_AUTH = 1,

    MAG_GSS_ERR,

    MAG_INTERNAL,

    MAG_AUTH_NOT_ALLOWED

};

static const char *mag_err_text(enum mag_err_code err)

{

    switch (err) {

    case MAG_NO_AUTH:

        return "NO AUTH DATA";

    case MAG_GSS_ERR:

        return "GSS ERROR";

    case MAG_INTERNAL:

        return "INTERNAL ERROR";

    case MAG_AUTH_NOT_ALLOWED:

        return "AUTH NOT ALLOWED";

    default:

        return "INVALID ERROR CODE";

    }

}

static void mag_post_info(request_rec *req, struct mag_config *cfg,

                          enum mag_err_code err, const char *msg)

{

    const char *text = NULL;

    if (cfg->enverrs) {

        mag_publish_error(req, 0, 0, text ? text : msg, mag_err_text(err));

    }

    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req, "%s %s", mag_err_text(err),

                  text ? text : msg);

}

static void mag_post_error(request_rec *req, struct mag_config *cfg,

                           enum mag_err_code err, uint32_t maj, uint32_t min,

                           const char *msg)

{

    const char *text = NULL;

    if (maj)

        text = mag_error(req->pool, msg, maj, min);

    if (cfg->enverrs)

        mag_publish_error(req, maj, min, text ? text : msg, mag_err_text(err));

    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s %s", mag_err_text(err),

                  text ? text : msg);

}

static APR_OPTIONAL_FN_TYPE(ssl_is_https) *mag_is_https = NULL;

static int mag_post_config(apr_pool_t *cfgpool, apr_pool_t *log,

                           apr_pool_t *temp, server_rec *s)

{

    /* FIXME: create mutex to deal with connections and contexts ? */

    mag_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);

    mag_post_config_session();

    ap_add_version_component(cfgpool, MOD_AUTH_GSSAPI_VERSION);

    return OK;

}

static int mag_pre_connection(conn_rec *c, void *csd)

{

    struct mag_conn *mc;

    mc = mag_new_conn_ctx(c->pool);

    mc->is_preserved = true;

    ap_set_module_config(c->conn_config, &auth_gssapi_module, (void*)mc);

    return OK;

}

static apr_status_t mag_conn_destroy(void *ptr)

{

    struct mag_conn *mc = (struct mag_conn *)ptr;

    uint32_t min;

    if (mc->ctx) {

        (void)gss_delete_sec_context(&min, &mc->ctx, GSS_C_NO_BUFFER);

    }

    return APR_SUCCESS;

}

struct mag_conn *mag_new_conn_ctx(apr_pool_t *pool)

{

    struct mag_conn *mc;

    mc = apr_pcalloc(pool, sizeof(struct mag_conn));

    apr_pool_create(&mc->pool, pool);

    mc->env = apr_table_make(mc->pool, 1);

    /* register the context in the memory pool, so it can be freed

     * when the connection/request is terminated */

    apr_pool_cleanup_register(mc->pool, (void *)mc,

                              mag_conn_destroy, apr_pool_cleanup_null);

    return mc;

}

static void mag_conn_clear(struct mag_conn *mc)

{

    (void)mag_conn_destroy(mc);

    apr_pool_t *temp;

    apr_pool_clear(mc->pool);

    temp = mc->pool;

    memset(mc, 0, sizeof(struct mag_conn));

    mc->pool = temp;

    mc->env = apr_table_make(mc->pool, 1);

}

static bool mag_conn_is_https(conn_rec *c)

{

    if (mag_is_https) {

        if (mag_is_https(c)) return true;

    }

    return false;

}

static bool mag_acquire_creds(request_rec *req,

                              struct mag_config *cfg,

                              gss_OID_set desired_mechs,

                              gss_cred_usage_t cred_usage,

                              gss_cred_id_t *creds,

                              gss_OID_set *actual_mechs)

{

    gss_name_t acceptor_name = GSS_C_NO_NAME;

    uint32_t maj, min;

    bool ret;

    if (cfg->acceptor_name_from_req) {

        gss_buffer_desc bufnam;

        bufnam.value = apr_psprintf(req->pool, "HTTP@%s", req->hostname);

        bufnam.length = strlen(bufnam.value);

        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, "GSS Server Name: %s",

                      (char *)bufnam.value);

        maj = gss_import_name(&min, &bufnam, GSS_C_NT_HOSTBASED_SERVICE,

                              &acceptor_name);

        if (GSS_ERROR(maj)) {

            mag_post_error(req, cfg, MAG_GSS_ERR, maj, min,

                           "gss_import_name() failed to import hostnname");

            return false;

        }

    } else {

        acceptor_name = cfg->acceptor_name;

    }

#ifdef HAVE_CRED_STORE

    gss_const_key_value_set_t store = cfg->cred_store;

    maj = gss_acquire_cred_from(&min, acceptor_name, GSS_C_INDEFINITE,

                                desired_mechs, cred_usage, store, creds,

                                actual_mechs, NULL);

#else

    maj = gss_acquire_cred(&min, acceptor_name, GSS_C_INDEFINITE,

                           desired_mechs, cred_usage, creds,

                           actual_mechs, NULL);

#endif

    if (GSS_ERROR(maj)) {

        mag_post_error(req, cfg, MAG_GSS_ERR, maj, min,

                       "gss_acquire_cred[_from]() failed to get server creds");

        ret = false;

    } else {

        ret = true;

    }

    if (cfg->acceptor_name_from_req) {

        gss_release_name(&min, &acceptor_name);

    }

    return ret;

}

#ifdef HAVE_CRED_STORE

static char *escape(apr_pool_t *pool, const char *name,

                    char find, const char *replace)

{

    char *escaped = NULL;

    char *namecopy;

    char *n;

    char *p;

    namecopy = apr_pstrdup(pool, name);

    p = strchr(namecopy, find);

    if (!p) return namecopy;

    /* first segment */

    n = namecopy;

    while (p) {

        /* terminate previous segment */

        *p = '\0';

        if (escaped) {

            escaped = apr_pstrcat(pool, escaped, n, replace, NULL);

        } else {

            escaped = apr_pstrcat(pool, n, replace, NULL);

        }

        /* move to next segment */

        n = p + 1;

        p = strchr(n, find);

    }

    /* append last segment if any */

    if (*n) {

        escaped = apr_pstrcat(pool, escaped, n, NULL);

    }

    return escaped;

}

static char *get_ccache_name(request_rec *req, char *dir, const char *gss_name,

                             bool use_unique, struct mag_conn *mc)

{

    char *ccname, *escaped;

    int ccachefd;

    /* We need to escape away '/', we can't have path separators in

     * a ccache file name */

    /* first double escape the esacping char (~) if any */

    escaped = escape(req->pool, gss_name, '~', "~~");

    /* then escape away the separator (/) if any */

    escaped = escape(req->pool, escaped, '/', "~");

    if (use_unique == false) {

        return apr_psprintf(mc->pool, "%s/%s", dir, escaped);

    }

    ccname = apr_psprintf(mc->pool, "%s/%s-XXXXXX", dir, escaped);

    ccachefd = mkstemp(ccname);

    if (ccachefd == -1) {

        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req,

                      "creating unique ccache file %s failed", ccname);

        return NULL;

    }

    close(ccachefd);

    return ccname;

}

static void mag_store_deleg_creds(request_rec *req, const char *ccname,

                                  gss_cred_id_t delegated_cred)

{

    gss_key_value_element_desc element;

    gss_key_value_set_desc store;

    uint32_t maj, min;

    element.key = "ccache";

    store.elements = &element;

    store.count = 1;

    element.value = apr_psprintf(req->pool, "FILE:%s", ccname);

    maj = gss_store_cred_into(&min, delegated_cred, GSS_C_INITIATE,

                              GSS_C_NULL_OID, 1, 1, &store, NULL, NULL);

    if (GSS_ERROR(maj)) {

        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s",

                      mag_error(req->pool, "failed to store delegated creds",

                                maj, min));

    }

}

#endif

static bool parse_auth_header(apr_pool_t *pool, const char **auth_header,

                              gss_buffer_t value)

{

    char *auth_header_value;

    auth_header_value = ap_getword_white(pool, auth_header);

    if (!auth_header_value) return false;

    value->length = apr_base64_decode_len(auth_header_value) + 1;

    value->value = apr_pcalloc(pool, value->length);

    if (!value->value) return false;

    value->length = apr_base64_decode(value->value, auth_header_value);

    return true;

}

static bool is_mech_allowed(gss_OID_set allowed_mechs, gss_const_OID mech,

                            bool multi_step_supported)

{

    if (mech == GSS_C_NO_OID) return false;

    if (!multi_step_supported && gss_oid_equal(gss_mech_ntlmssp, mech))

        return false;

    if (allowed_mechs == GSS_C_NO_OID_SET) return true;

    for (int i = 0; i < allowed_mechs->count; i++) {

        if (gss_oid_equal(&allowed_mechs->elements[i], mech)) {

            return true;

        }

    }

    return false;

}

#define AUTH_TYPE_NEGOTIATE 0

#define AUTH_TYPE_BASIC 1

#define AUTH_TYPE_RAW_NTLM 2

#define AUTH_TYPE_IMPERSONATE 3

const char *auth_types[] = {

    "Negotiate",

    "Basic",

    "NTLM",

    "Impersonate",

    NULL

};

const char *mag_str_auth_type(int auth_type)

{

    return auth_types[auth_type];

}

gss_OID_set mag_filter_unwanted_mechs(gss_OID_set src)

{

    gss_const_OID unwanted_mechs[] = {

        &gss_mech_spnego,

        gss_mech_krb5_old,

        gss_mech_krb5_wrong,

        gss_mech_iakerb,

        GSS_C_NO_OID

    };

    gss_OID_set dst;

    uint32_t maj, min;

    int present = 0;

    if (src == GSS_C_NO_OID_SET) return GSS_C_NO_OID_SET;

    for (int i = 0; unwanted_mechs[i] != GSS_C_NO_OID; i++) {

        maj = gss_test_oid_set_member(&min,

                                      discard_const(unwanted_mechs[i]),

                                      src, &present);

        if (present) break;

    }

    if (present) {

        maj = gss_create_empty_oid_set(&min, &dst);

        if (maj != GSS_S_COMPLETE) {

            return GSS_C_NO_OID_SET;

        }

        for (int i = 0; i < src->count; i++) {

            present = 0;

            for (int j = 0; unwanted_mechs[j] != GSS_C_NO_OID; j++) {

                if (gss_oid_equal(&src->elements[i], unwanted_mechs[j])) {

                    present = 1;

                    break;

                }

            }

            if (present) continue;

            maj = gss_add_oid_set_member(&min, &src->elements[i], &dst);

            if (maj != GSS_S_COMPLETE) {

                gss_release_oid_set(&min, &dst);

                return GSS_C_NO_OID_SET;

            }

        }

        return dst;

    }

    return src;

}

static uint32_t mag_context_loop(uint32_t *min,

                                 request_rec *req,

                                 struct mag_config *cfg,

                                 gss_cred_id_t init_cred,

                                 gss_cred_id_t accept_cred,

                                 gss_OID mech_type,

                                 uint32_t req_lifetime,

                                 gss_name_t *client,

                                 uint32_t *lifetime,

                                 gss_cred_id_t *delegated_cred)

{

    gss_ctx_id_t init_ctx = GSS_C_NO_CONTEXT;

    gss_ctx_id_t accept_ctx = GSS_C_NO_CONTEXT;

    gss_buffer_desc init_token = GSS_C_EMPTY_BUFFER;

    gss_buffer_desc accept_token = GSS_C_EMPTY_BUFFER;

    gss_name_t accept_name = GSS_C_NO_NAME;

    uint32_t maj, tmin;

    maj = gss_inquire_cred_by_mech(min, accept_cred, mech_type, &accept_name,

                                   NULL, NULL, NULL);

    if (GSS_ERROR(maj)) {

        mag_post_error(req, cfg, MAG_GSS_ERR, maj, *min,

                       "gss_inquired_cred_by_mech() failed");

        return maj;

    }

    do {

        /* output and input are inverted here, this is intentional */

        maj = gss_init_sec_context(min, init_cred, &init_ctx,

                                   accept_name, mech_type, GSS_C_DELEG_FLAG,

                                   req_lifetime, GSS_C_NO_CHANNEL_BINDINGS,

                                   &accept_token, NULL, &init_token, NULL,

                                   NULL);

        if (GSS_ERROR(maj)) {

            mag_post_error(req, cfg, MAG_GSS_ERR, maj, *min,

                           "gss_init_sec_context()");

            goto done;

        }

        gss_release_buffer(&tmin, &accept_token);

        maj = gss_accept_sec_context(min, &accept_ctx, accept_cred,

                                     &init_token, GSS_C_NO_CHANNEL_BINDINGS,

                                     client, NULL, &accept_token, NULL,

                                     lifetime, delegated_cred);

        if (GSS_ERROR(maj)) {

            mag_post_error(req, cfg, MAG_GSS_ERR, maj, *min,

                           "gss_accept_sec_context()");

            goto done;

        }

        gss_release_buffer(&tmin, &init_token);

    } while (maj == GSS_S_CONTINUE_NEEDED);

done:

    gss_release_name(&tmin, &accept_name);

    gss_release_buffer(&tmin, &init_token);

    gss_release_buffer(&tmin, &accept_token);

    gss_delete_sec_context(&tmin, &init_ctx, GSS_C_NO_BUFFER);

    gss_delete_sec_context(&tmin, &accept_ctx, GSS_C_NO_BUFFER);

    return maj;

}

static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc,

                        gss_name_t client, gss_OID mech_type,

                        uint32_t vtime, gss_cred_id_t delegated_cred);

static int mag_auth_basic(struct mag_req_cfg *req_cfg, struct mag_conn *mc,

                          gss_buffer_desc ba_user, gss_buffer_desc ba_pwd)

{

    struct mag_config *cfg = req_cfg->cfg;

    request_rec *req = req_cfg->req;

    const char *user_ccache = NULL;

    const char *orig_ccache = NULL;

    long long unsigned int rndname;

    apr_status_t rs;

    gss_name_t user = GSS_C_NO_NAME;

    gss_cred_id_t user_cred = GSS_C_NO_CREDENTIAL;

    gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL;

    gss_OID_set allowed_mechs;

    gss_OID_set filtered_mechs;

    gss_OID_set actual_mechs = GSS_C_NO_OID_SET;

    gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;

    gss_name_t client = GSS_C_NO_NAME;

    uint32_t vtime;

    uint32_t maj, min;

    int present = 0;

    int ret = HTTP_UNAUTHORIZED;

    maj = gss_import_name(&min, &ba_user, GSS_C_NT_USER_NAME, &user);

    if (GSS_ERROR(maj)) {

        mag_post_error(req, cfg, MAG_GSS_ERR, maj, min,

                       "In Basic Auth: gss_import_name() failed");

        goto done;

    }

    if (cfg->basic_mechs) {

        allowed_mechs = cfg->basic_mechs;

    } else if (cfg->allowed_mechs) {

        allowed_mechs = cfg->allowed_mechs;

    } else {

        struct mag_server_config *scfg;

        /* Try to fetch the default set if not explicitly configured,

         * We need to do this because gss_acquire_cred_with_password()

         * is currently limited to acquire creds for a single "default"

         * mechanism if no desired mechanisms are passed in. This causes

         * authentication to fail for secondary mechanisms as no user

         * credentials are generated for those. */

        scfg = ap_get_module_config(req->server->module_config,

                                    &auth_gssapi_module);

        /* In the worst case scenario default_mechs equals to GSS_C_NO_OID_SET.

         * This generally causes only the krb5 mechanism to be tried due

         * to implementation constraints, but may change in future. */

        allowed_mechs = scfg->default_mechs;

    }

    /* Remove Spnego if present, or we'd repeat failed authentiations

     * multiple times, one within Spnego and then again with an explicit

     * mechanism. We would normally just force Spnego and use

     * gss_set_neg_mechs, but due to the way we source the server name

     * and the fact MIT up to 1.14 at least does no handle union names,

     * we can't provide spnego with a server name that can be used by

     * multiple mechanisms, causing any but the first mechanism to fail.

     * Also remove unwanted krb mechs, or AS requests will be repeated

     * multiple times uselessly.

     */

    filtered_mechs = mag_filter_unwanted_mechs(allowed_mechs);

    if (filtered_mechs == allowed_mechs) {

        /* in case filtered_mechs was not allocated here don't free it */

        filtered_mechs = GSS_C_NO_OID_SET;

    } else if (filtered_mechs == GSS_C_NO_OID_SET) {

        mag_post_error(req, cfg, MAG_INTERNAL, 0, 0,

                       "Fatal failure while filtering mechs, aborting");

        goto done;

    } else {

        /* use the filtered list */

        allowed_mechs = filtered_mechs;

    }

    /* If we are using the krb5 mechanism make sure to set a per thread

     * memory ccache so that there can't be interferences between threads.

     * Also make sure we have  new cache so no cached results end up being

     * used. Some implementations of gss_acquire_cred_with_password() do

     * not reacquire creds if cached ones are around, failing to check

     * again for the password. */

    maj = gss_test_oid_set_member(&min, discard_const(gss_mech_krb5),

                                  allowed_mechs, &present);

    if (GSS_ERROR(maj)) {

        mag_post_error(req, cfg, MAG_GSS_ERR, maj, min,

                       "In Basic Auth: gss_test_oid_set_member() failed");

        goto done;

    }

    if (present) {

        rs = apr_generate_random_bytes((unsigned char *)(&rndname),

                                       sizeof(long long unsigned int));

        if (rs != APR_SUCCESS) {

            mag_post_error(req, cfg, MAG_INTERNAL, 0, 0,

                           "Failed to generate random ccache name");

            goto done;

        }

        user_ccache = apr_psprintf(req->pool, "MEMORY:user_%qu", rndname);

        maj = gss_krb5_ccache_name(&min, user_ccache, &orig_ccache);

        if (GSS_ERROR(maj)) {

            mag_post_error(req, cfg, MAG_GSS_ERR, maj, min,

                          "In Basic Auth: gss_krb5_ccache_name() failed");

            goto done;

        }

    }

    maj = gss_acquire_cred_with_password(&min, user, &ba_pwd,

                                         cfg->basic_timeout,

                                         allowed_mechs,

                                         GSS_C_INITIATE,

                                         &user_cred, &actual_mechs, NULL);

    if (GSS_ERROR(maj)) {

            mag_post_error(req, cfg, MAG_GSS_ERR, maj, min,

                           "In Basic Auth: gss_acquire_cred_with_password() "

                           "failed");

        goto done;

    }

    /* must acquire creds based on the actual mechs we want to try */

    if (!mag_acquire_creds(req, cfg, actual_mechs,

                           GSS_C_ACCEPT, &server_cred, NULL)) {

        goto done;

    }

    for (int i = 0; i < actual_mechs->count; i++) {

        maj = mag_context_loop(&min, req, cfg, user_cred, server_cred,

                               &actual_mechs->elements[i], cfg->basic_timeout,

                               &client, &vtime, &delegated_cred);

        if (maj == GSS_S_COMPLETE) {

            ret = mag_complete(req_cfg, mc, client, &actual_mechs->elements[i],

                               vtime, delegated_cred);

            if (ret == OK) {

                mag_basic_cache(req_cfg, mc, ba_user, ba_pwd);

            }

            break;

        }

    }

done:

    gss_release_cred(&min, &delegated_cred);

    gss_release_name(&min, &client);

    gss_release_cred(&min, &server_cred);

    gss_release_name(&min, &user);

    gss_release_cred(&min, &user_cred);

    gss_release_oid_set(&min, &actual_mechs);

    gss_release_oid_set(&min, &filtered_mechs);

    if (user_ccache != NULL) {

        maj = gss_krb5_ccache_name(&min, orig_ccache, NULL);

        if (maj != GSS_S_COMPLETE) {

            ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, req,

                          "Failed to restore per-thread ccache, %s",

                          mag_error(req->pool, "gss_krb5_ccache_name() "

                                    "failed", maj, min));

        }

    }

    return ret;

}

struct mag_req_cfg *mag_init_cfg(request_rec *req)

{

    struct mag_server_config *scfg;

    struct mag_req_cfg *req_cfg = apr_pcalloc(req->pool,

                                              sizeof(struct mag_req_cfg));

    req_cfg->req = req;

    req_cfg->cfg = ap_get_module_config(req->per_dir_config,

                                        &auth_gssapi_module);

    scfg = ap_get_module_config(req->server->module_config,

                                &auth_gssapi_module);

    if (req_cfg->cfg->allowed_mechs) {

        req_cfg->desired_mechs = req_cfg->cfg->allowed_mechs;

    } else {

        /* Use the default set if not explicitly configured */

        req_cfg->desired_mechs = scfg->default_mechs;

    }

    if (req_cfg->cfg->mag_skey) {

        req_cfg->mag_skey = req_cfg->cfg->mag_skey;

    } else {

        /* Use server random key if not explicitly configured */

        req_cfg->mag_skey = scfg->mag_skey;

    }

    if (req->proxyreq == PROXYREQ_PROXY) {

        req_cfg->req_proto = "Proxy-Authorization";

        req_cfg->rep_proto = "Proxy-Authenticate";

    } else {

        req_cfg->req_proto = "Authorization";

        req_cfg->rep_proto = "WWW-Authenticate";

        req_cfg->use_sessions = req_cfg->cfg->use_sessions;

        req_cfg->send_persist = req_cfg->cfg->send_persist;

    }

    return req_cfg;

}

#ifdef HAVE_CRED_STORE

static bool use_s4u2proxy(struct mag_req_cfg *req_cfg) {

    if (req_cfg->cfg->use_s4u2proxy) {

        if (req_cfg->cfg->deleg_ccache_dir != NULL) {

            return true;

        } else {

            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req_cfg->req,

                          "S4U2 Proxy requested but GssapiDelegCcacheDir "

                          "is not set. Constrained delegation disabled!");

        }

    }

    return false;

}

static apr_status_t mag_s4u2self(request_rec *req)

{

    apr_status_t ret = DECLINED;

    const char *type;

    struct mag_config *cfg;

    struct mag_req_cfg *req_cfg;

    gss_OID mech_type = discard_const(gss_mech_krb5);

    gss_OID_set_desc gss_mech_krb5_set = { 1, mech_type };

    gss_buffer_desc user_name = GSS_C_EMPTY_BUFFER;

    gss_cred_id_t user_cred = GSS_C_NO_CREDENTIAL;

    gss_name_t user = GSS_C_NO_NAME;

    gss_name_t client = GSS_C_NO_NAME;

    gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL;

    gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;

    struct mag_conn *mc = NULL;

    uint32_t vtime;

    uint32_t maj, min;

    req_cfg = mag_init_cfg(req);

    cfg = req_cfg->cfg;

    if (!cfg->s4u2self) {

        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req,

                      "GSSapiImpersonate not On, skipping impersonation.");

        return DECLINED;

    }

    type = ap_auth_type(req);

    if (type && (strcasecmp(type, "GSSAPI") == 0)) {

        /* do not try to impersonate if GSSAPI is handling real auth */

        return DECLINED;

    }

    if (!req->user) {

        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req,

                      "Authentication user not found, "

                      "skipping impersonation.");

        return DECLINED;

    }

    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req,

                  "Using user %s for impersonation.", req->user);

    if (!mag_acquire_creds(req, cfg, &gss_mech_krb5_set,

                           GSS_C_BOTH, &server_cred, NULL)) {

        goto done;

    }

    user_name.value = req->user;

    user_name.length = strlen(user_name.value);

    maj = gss_import_name(&min, &user_name, GSS_C_NT_USER_NAME, &user);

    if (GSS_ERROR(maj)) {

        mag_post_error(req, cfg, MAG_GSS_ERR, maj, min,

                       "In S4U2Self: gss_import_name()");

        goto done;

    }

    maj = gss_acquire_cred_impersonate_name(&min, server_cred, user,

                                            GSS_C_INDEFINITE,

                                            &gss_mech_krb5_set,

                                            GSS_C_INITIATE, &user_cred,

                                            NULL, NULL);

    if (GSS_ERROR(maj)) {

        mag_post_error(req, cfg, MAG_GSS_ERR, maj, min,

                       "In S4U2Self: gss_acquire_cred_impersonate_name()");

        goto done;

    }

    /* the following exchange is needed to decrypt the ticket and get named

     * attributes as well as check if the ticket is forwardable when

     * delegated credentials are requested */

    maj = mag_context_loop(&min, req, cfg, user_cred, server_cred,

                           discard_const(gss_mech_krb5), GSS_C_INDEFINITE,

                           &client, &vtime, &delegated_cred);

    if (GSS_ERROR(maj))

        goto done;

    if (cfg->deleg_ccache_dir && delegated_cred == GSS_C_NO_CREDENTIAL) {

        mag_post_error(req, cfg, MAG_INTERNAL, 0, 0,

                       "Failed to obtain delegated credentials, "

                       "does service have +ok_to_auth_as_delegate?");

        goto done;

    }

    mc = mag_new_conn_ctx(req->pool);

    mc->auth_type = AUTH_TYPE_IMPERSONATE;

    ret = mag_complete(req_cfg, mc, client, mech_type, vtime, delegated_cred);

    if (ret != OK) ret = DECLINED;

done:

    gss_release_cred(&min, &user_cred);

    gss_release_name(&min, &user);

    gss_release_name(&min, &client);

    gss_release_cred(&min, &server_cred);

    gss_release_cred(&min, &delegated_cred);

    return ret;

}

#endif

static apr_status_t mag_oid_set_destroy(void *ptr)

{

    uint32_t min;

    gss_OID_set set = (gss_OID_set)ptr;

    (void)gss_release_oid_set(&min, &set);

    return APR_SUCCESS;

}

static gss_OID_set mag_get_negotiate_mechs(apr_pool_t *p, gss_OID_set desired)

{

    gss_OID spnego_oid = discard_const(&gss_mech_spnego);

    uint32_t maj, min;

    int present = 0;

    maj = gss_test_oid_set_member(&min, spnego_oid, desired, &present);

    if (maj != GSS_S_COMPLETE) {

        return GSS_C_NO_OID_SET;

    }

    if (present) {

        return desired;

    } else {

        gss_OID_set set;

        maj = gss_create_empty_oid_set(&min, &set);

        if (maj != GSS_S_COMPLETE) {

            return GSS_C_NO_OID_SET;

        }

        apr_pool_cleanup_register(p, (void *)set,

                                  mag_oid_set_destroy,

                                  apr_pool_cleanup_null);

        maj = gss_add_oid_set_member(&min, spnego_oid, &set);

        if (maj != GSS_S_COMPLETE) {

            return GSS_C_NO_OID_SET;

        }

        for (int i = 0; i < desired->count; i++) {

             maj = gss_add_oid_set_member(&min, &desired->elements[i], &set);

            if (maj != GSS_S_COMPLETE) {

                return GSS_C_NO_OID_SET;

            }

        }

        return set;

    }

}

static int mag_auth(request_rec *req)

{

    const char *type;

    int auth_type = -1;

    struct mag_req_cfg *req_cfg;

    struct mag_config *cfg;

    const char *auth_header;

    char *auth_header_type;

    int ret = HTTP_UNAUTHORIZED;

    gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;

    gss_ctx_id_t *pctx;

    gss_buffer_desc input = GSS_C_EMPTY_BUFFER;

    gss_buffer_desc output = GSS_C_EMPTY_BUFFER;

    gss_buffer_desc ba_user;

    gss_buffer_desc ba_pwd;

    gss_name_t client = GSS_C_NO_NAME;

    gss_cred_id_t acquired_cred = GSS_C_NO_CREDENTIAL;

    gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;

    gss_cred_usage_t cred_usage = GSS_C_ACCEPT;

    uint32_t vtime;

    uint32_t maj, min;

    char *reply;

    size_t replen;

    gss_OID mech_type = GSS_C_NO_OID;

    gss_OID_set desired_mechs = GSS_C_NO_OID_SET;

    struct mag_conn *mc = NULL;

    int i;

    bool send_nego_header = true;