|
Packit |
728676 |
/* Copyright (C) 2014, 2016 mod_auth_gssapi contributors - See COPYING for (C) terms */
|
|
Packit |
728676 |
|
|
Packit |
728676 |
#include "mod_auth_gssapi.h"
|
|
Packit |
728676 |
#include "asn1c/GSSSessionData.h"
|
|
Packit |
728676 |
|
|
Packit |
728676 |
APLOG_USE_MODULE(auth_gssapi);
|
|
Packit |
728676 |
|
|
Packit |
728676 |
static APR_OPTIONAL_FN_TYPE(ap_session_load) *mag_sess_load_fn = NULL;
|
|
Packit |
728676 |
static APR_OPTIONAL_FN_TYPE(ap_session_get) *mag_sess_get_fn = NULL;
|
|
Packit |
728676 |
static APR_OPTIONAL_FN_TYPE(ap_session_set) *mag_sess_set_fn = NULL;
|
|
Packit |
728676 |
|
|
Packit |
728676 |
void mag_post_config_session(void)
|
|
Packit |
728676 |
{
|
|
Packit |
728676 |
mag_sess_load_fn = APR_RETRIEVE_OPTIONAL_FN(ap_session_load);
|
|
Packit |
728676 |
mag_sess_get_fn = APR_RETRIEVE_OPTIONAL_FN(ap_session_get);
|
|
Packit |
728676 |
mag_sess_set_fn = APR_RETRIEVE_OPTIONAL_FN(ap_session_set);
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
static apr_status_t mag_session_load(request_rec *req, session_rec **sess)
|
|
Packit |
728676 |
{
|
|
Packit |
728676 |
if (mag_sess_load_fn) {
|
|
Packit |
728676 |
return mag_sess_load_fn(req, sess);
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
return DECLINED;
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
static apr_status_t mag_session_get(request_rec *req, session_rec *sess,
|
|
Packit |
728676 |
const char *key, const char **value)
|
|
Packit |
728676 |
{
|
|
Packit |
728676 |
if (mag_sess_get_fn) {
|
|
Packit |
728676 |
return mag_sess_get_fn(req, sess, key, value);
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
return DECLINED;
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
static apr_status_t mag_session_set(request_rec *req, session_rec *sess,
|
|
Packit |
728676 |
const char *key, const char *value)
|
|
Packit |
728676 |
{
|
|
Packit |
728676 |
if (mag_sess_set_fn) {
|
|
Packit |
728676 |
return mag_sess_set_fn(req, sess, key, value);
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
return DECLINED;
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
static bool encode_GSSSessionData(apr_pool_t *mempool,
|
|
Packit |
728676 |
GSSSessionData_t *gsessdata,
|
|
Packit |
728676 |
unsigned char **buf, int *len)
|
|
Packit |
728676 |
{
|
|
Packit |
728676 |
asn_enc_rval_t rval;
|
|
Packit |
728676 |
unsigned char *buffer = NULL;
|
|
Packit |
728676 |
size_t buflen;
|
|
Packit |
728676 |
bool ret = false;
|
|
Packit |
728676 |
|
|
Packit |
728676 |
/* dry run to compute the size */
|
|
Packit |
728676 |
rval = der_encode(&asn_DEF_GSSSessionData, gsessdata, NULL, NULL);
|
|
Packit |
728676 |
if (rval.encoded == -1) goto done;
|
|
Packit |
728676 |
|
|
Packit |
728676 |
buflen = rval.encoded;
|
|
Packit |
728676 |
buffer = apr_pcalloc(mempool, buflen);
|
|
Packit |
728676 |
|
|
Packit |
728676 |
/* now for real */
|
|
Packit |
728676 |
rval = der_encode_to_buffer(&asn_DEF_GSSSessionData,
|
|
Packit |
728676 |
gsessdata, buffer, buflen);
|
|
Packit |
728676 |
if (rval.encoded == -1) goto done;
|
|
Packit |
728676 |
|
|
Packit |
728676 |
*buf = buffer;
|
|
Packit |
728676 |
*len = buflen;
|
|
Packit |
728676 |
ret = true;
|
|
Packit |
728676 |
|
|
Packit |
728676 |
done:
|
|
Packit |
728676 |
return ret;
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
static GSSSessionData_t *decode_GSSSessionData(void *buf, size_t len)
|
|
Packit |
728676 |
{
|
|
Packit |
728676 |
GSSSessionData_t *gsessdata = NULL;
|
|
Packit |
728676 |
asn_dec_rval_t rval;
|
|
Packit |
728676 |
|
|
Packit |
728676 |
rval = ber_decode(NULL, &asn_DEF_GSSSessionData,
|
|
Packit |
728676 |
(void **)&gsessdata, buf, len);
|
|
Packit |
728676 |
if (rval.code == RC_OK) {
|
|
Packit |
728676 |
return gsessdata;
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
return NULL;
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
#define MAG_BEARER_KEY "MagBearerToken"
|
|
Packit |
728676 |
|
|
Packit |
728676 |
void mag_check_session(struct mag_req_cfg *cfg, struct mag_conn **conn)
|
|
Packit |
728676 |
{
|
|
Packit |
728676 |
request_rec *req = cfg->req;
|
|
Packit |
728676 |
struct mag_conn *mc;
|
|
Packit |
728676 |
apr_status_t rc;
|
|
Packit |
728676 |
session_rec *sess = NULL;
|
|
Packit |
728676 |
const char *sessval = NULL;
|
|
Packit |
728676 |
int declen;
|
|
Packit |
728676 |
struct databuf ctxbuf = { 0 };
|
|
Packit |
728676 |
struct databuf cipherbuf = { 0 };
|
|
Packit |
728676 |
GSSSessionData_t *gsessdata;
|
|
Packit |
728676 |
time_t expiration;
|
|
Packit |
728676 |
|
|
Packit |
728676 |
rc = mag_session_load(req, &sess;;
|
|
Packit |
728676 |
if (rc != OK || sess == NULL) {
|
|
Packit |
728676 |
ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, req,
|
|
Packit |
728676 |
"Sessions not available, no cookies!");
|
|
Packit |
728676 |
return;
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
mc = *conn;
|
|
Packit |
728676 |
if (!mc) {
|
|
Packit |
728676 |
*conn = mc = mag_new_conn_ctx(req->pool);
|
|
Packit |
728676 |
mc->is_preserved = true;
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
rc = mag_session_get(req, sess, MAG_BEARER_KEY, &sessval);
|
|
Packit |
728676 |
if (rc != OK) {
|
|
Packit |
728676 |
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
|
|
Packit |
728676 |
"Failed to get session data!");
|
|
Packit |
728676 |
return;
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
if (!sessval) {
|
|
Packit |
728676 |
/* no session established, just return */
|
|
Packit |
728676 |
return;
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
if (!cfg->mag_skey) {
|
|
Packit |
728676 |
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req,
|
|
Packit |
728676 |
"Session key not available, no cookies!");
|
|
Packit |
728676 |
/* we do not have a key, just return */
|
|
Packit |
728676 |
return;
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
/* decode it */
|
|
Packit |
728676 |
declen = apr_base64_decode_len(sessval);
|
|
Packit |
728676 |
cipherbuf.value = apr_palloc(req->pool, declen);
|
|
Packit |
728676 |
if (!cipherbuf.value) return;
|
|
Packit |
728676 |
cipherbuf.length = (int)apr_base64_decode((char *)cipherbuf.value, sessval);
|
|
Packit |
728676 |
|
|
Packit |
728676 |
rc = UNSEAL_BUFFER(req->pool, cfg->mag_skey, &cipherbuf, &ctxbuf);
|
|
Packit |
728676 |
if (rc != OK) {
|
|
Packit |
728676 |
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
|
|
Packit |
728676 |
"Failed to unseal session data!");
|
|
Packit |
728676 |
return;
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
gsessdata = decode_GSSSessionData(ctxbuf.value, ctxbuf.length);
|
|
Packit |
728676 |
if (!gsessdata) {
|
|
Packit |
728676 |
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
|
|
Packit |
728676 |
"Failed to unpack session data!");
|
|
Packit |
728676 |
return;
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
/* booleans */
|
|
Packit |
728676 |
if (gsessdata->established != 0) mc->established = true;
|
|
Packit |
728676 |
if (gsessdata->delegated != 0) mc->delegated = true;
|
|
Packit |
728676 |
|
|
Packit |
728676 |
/* get time */
|
|
Packit |
728676 |
expiration = gsessdata->expiration;
|
|
Packit |
728676 |
if (expiration < time(NULL)) {
|
|
Packit |
728676 |
/* credentials fully expired, return nothing */
|
|
Packit |
728676 |
mc->established = false;
|
|
Packit |
728676 |
goto done;
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
/* user name */
|
|
Packit |
728676 |
mc->user_name = apr_pstrndup(mc->pool,
|
|
Packit |
728676 |
(char *)gsessdata->username.buf,
|
|
Packit |
728676 |
gsessdata->username.size);
|
|
Packit |
728676 |
if (!mc->user_name) goto done;
|
|
Packit |
728676 |
|
|
Packit |
728676 |
/* gssapi name */
|
|
Packit |
728676 |
mc->gss_name = apr_pstrndup(mc->pool,
|
|
Packit |
728676 |
(char *)gsessdata->gssname.buf,
|
|
Packit |
728676 |
gsessdata->gssname.size);
|
|
Packit |
728676 |
if (!mc->gss_name) goto done;
|
|
Packit |
728676 |
|
|
Packit |
728676 |
mc->basic_hash.length = gsessdata->basichash.size;
|
|
Packit |
728676 |
mc->basic_hash.value = apr_palloc(mc->pool, mc->basic_hash.length);
|
|
Packit |
728676 |
memcpy(mc->basic_hash.value,
|
|
Packit |
728676 |
gsessdata->basichash.buf, gsessdata->basichash.size);
|
|
Packit |
728676 |
|
|
Packit |
728676 |
/* ccname */
|
|
Packit |
728676 |
mc->ccname = apr_pstrndup(mc->pool,
|
|
Packit |
728676 |
(char *)gsessdata->ccname.buf,
|
|
Packit |
728676 |
gsessdata->ccname.size);
|
|
Packit |
728676 |
if (!mc->ccname) goto done;
|
|
Packit |
728676 |
|
|
Packit |
728676 |
/* OK we have a valid token */
|
|
Packit |
728676 |
mc->established = true;
|
|
Packit |
728676 |
|
|
Packit |
728676 |
done:
|
|
Packit |
728676 |
ASN_STRUCT_FREE(asn_DEF_GSSSessionData, gsessdata);
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
void mag_attempt_session(struct mag_req_cfg *cfg, struct mag_conn *mc)
|
|
Packit |
728676 |
{
|
|
Packit |
728676 |
request_rec *req = cfg->req;
|
|
Packit |
728676 |
session_rec *sess = NULL;
|
|
Packit |
728676 |
struct databuf plainbuf = { 0 };
|
|
Packit |
728676 |
struct databuf cipherbuf = { 0 };
|
|
Packit |
728676 |
struct databuf ctxbuf = { 0 };
|
|
Packit |
728676 |
GSSSessionData_t gsessdata = { 0 };
|
|
Packit |
728676 |
apr_status_t rc;
|
|
Packit |
728676 |
bool ret;
|
|
Packit |
728676 |
|
|
Packit |
728676 |
/* we save the session only if the authentication is established */
|
|
Packit |
728676 |
|
|
Packit |
728676 |
if (!mc->established) return;
|
|
Packit |
728676 |
rc = mag_session_load(req, &sess;;
|
|
Packit |
728676 |
if (rc != OK || sess == NULL) {
|
|
Packit |
728676 |
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req,
|
|
Packit |
728676 |
"Sessions not available, can't send cookies!");
|
|
Packit |
728676 |
return;
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
if (!cfg->mag_skey) {
|
|
Packit |
728676 |
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, req,
|
|
Packit |
728676 |
"Session key not available, aborting.");
|
|
Packit |
728676 |
return;
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
gsessdata.established = mc->established?1:0;
|
|
Packit |
728676 |
gsessdata.delegated = mc->delegated?1:0;
|
|
Packit |
728676 |
|
|
Packit |
728676 |
if (sess->expiry != 0) {
|
|
Packit |
728676 |
mc->expiration = mc->expiration < apr_time_sec(sess->expiry) ?
|
|
Packit |
728676 |
mc->expiration : apr_time_sec(sess->expiry);
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
gsessdata.expiration = mc->expiration;
|
|
Packit |
728676 |
|
|
Packit |
728676 |
if (OCTET_STRING_fromString(&gsessdata.username, mc->user_name) != 0)
|
|
Packit |
728676 |
goto done;
|
|
Packit |
728676 |
if (OCTET_STRING_fromString(&gsessdata.gssname, mc->gss_name) != 0)
|
|
Packit |
728676 |
goto done;
|
|
Packit |
728676 |
if (OCTET_STRING_fromBuf(&gsessdata.basichash,
|
|
Packit |
728676 |
(const char *)mc->basic_hash.value,
|
|
Packit |
728676 |
mc->basic_hash.length) != 0)
|
|
Packit |
728676 |
goto done;
|
|
Packit |
728676 |
|
|
Packit |
728676 |
/* NULL ccname here just means default ccache */
|
|
Packit |
728676 |
if (mc->ccname &&
|
|
Packit |
728676 |
OCTET_STRING_fromString(&gsessdata.ccname, mc->ccname) != 0) {
|
|
Packit |
728676 |
goto done;
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
ret = encode_GSSSessionData(req->pool, &gsessdata,
|
|
Packit |
728676 |
&plainbuf.value, &plainbuf.length);
|
|
Packit |
728676 |
if (ret == false) {
|
|
Packit |
728676 |
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
|
|
Packit |
728676 |
"Failed to pack session data!");
|
|
Packit |
728676 |
goto done;
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
rc = SEAL_BUFFER(req->pool, cfg->mag_skey, &plainbuf, &cipherbuf);
|
|
Packit |
728676 |
if (rc != OK) {
|
|
Packit |
728676 |
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
|
|
Packit |
728676 |
"Failed to seal session data!");
|
|
Packit |
728676 |
goto done;
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
ctxbuf.length = apr_base64_encode_len(cipherbuf.length);
|
|
Packit |
728676 |
ctxbuf.value = apr_pcalloc(req->pool, ctxbuf.length);
|
|
Packit |
728676 |
if (!ctxbuf.value) goto done;
|
|
Packit |
728676 |
|
|
Packit |
728676 |
ctxbuf.length = apr_base64_encode((char *)ctxbuf.value,
|
|
Packit |
728676 |
(char *)cipherbuf.value,
|
|
Packit |
728676 |
cipherbuf.length);
|
|
Packit |
728676 |
|
|
Packit |
728676 |
rc = mag_session_set(req, sess, MAG_BEARER_KEY, (char *)ctxbuf.value);
|
|
Packit |
728676 |
if (rc != OK) {
|
|
Packit |
728676 |
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
|
|
Packit |
728676 |
"Failed to set session data!");
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
done:
|
|
Packit |
728676 |
ASN_STRUCT_FREE_CONTENTS_ONLY(asn_DEF_GSSSessionData, &gsessdata);
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
static int mag_basic_hmac(struct seal_key *key, unsigned char *mac,
|
|
Packit |
728676 |
gss_buffer_desc user, gss_buffer_desc pwd)
|
|
Packit |
728676 |
{
|
|
Packit |
728676 |
struct databuf hmacbuf = { mac, 0 };
|
|
Packit |
728676 |
int data_size = user.length + pwd.length + 1;
|
|
Packit |
728676 |
unsigned char data[data_size];
|
|
Packit |
728676 |
struct databuf databuf = { data, data_size };
|
|
Packit |
728676 |
|
|
Packit |
728676 |
memcpy(data, user.value, user.length);
|
|
Packit |
728676 |
data[user.length] = '\0';
|
|
Packit |
728676 |
memcpy(&data[user.length + 1], pwd.value, pwd.length);
|
|
Packit |
728676 |
|
|
Packit |
728676 |
return HMAC_BUFFER(key, &databuf, &hmacbuf);
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
static int mag_get_mac_size(struct mag_req_cfg *cfg)
|
|
Packit |
728676 |
{
|
|
Packit |
728676 |
if (!cfg->mag_skey) {
|
|
Packit |
728676 |
ap_log_perror(APLOG_MARK, APLOG_INFO, 0, cfg->cfg->pool,
|
|
Packit |
728676 |
"Session key not available, aborting!");
|
|
Packit |
728676 |
return 0;
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
return get_mac_size(cfg->mag_skey);
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
bool mag_basic_check(struct mag_req_cfg *cfg, struct mag_conn *mc,
|
|
Packit |
728676 |
gss_buffer_desc user, gss_buffer_desc pwd)
|
|
Packit |
728676 |
{
|
|
Packit |
728676 |
int mac_size = mag_get_mac_size(cfg);
|
|
Packit |
728676 |
unsigned char mac[mac_size];
|
|
Packit |
728676 |
int ret, i, j;
|
|
Packit |
728676 |
bool res = false;
|
|
Packit |
728676 |
|
|
Packit |
728676 |
if (mac_size == 0) return false;
|
|
Packit |
728676 |
if (mc->basic_hash.value == NULL) return false;
|
|
Packit |
728676 |
|
|
Packit |
728676 |
ret = mag_basic_hmac(cfg->mag_skey, mac, user, pwd);
|
|
Packit |
728676 |
if (ret != 0) goto done;
|
|
Packit |
728676 |
|
|
Packit |
728676 |
for (i = 0, j = 0; i < mac_size; i++) {
|
|
Packit |
728676 |
if (mc->basic_hash.value[i] != mac[i]) j++;
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
if (j == 0) res = true;
|
|
Packit |
728676 |
|
|
Packit |
728676 |
done:
|
|
Packit |
728676 |
if (res == false) {
|
|
Packit |
728676 |
mc->basic_hash.value = NULL;
|
|
Packit |
728676 |
mc->basic_hash.length = 0;
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
return res;
|
|
Packit |
728676 |
}
|
|
Packit |
728676 |
|
|
Packit |
728676 |
void mag_basic_cache(struct mag_req_cfg *cfg, struct mag_conn *mc,
|
|
Packit |
728676 |
gss_buffer_desc user, gss_buffer_desc pwd)
|
|
Packit |
728676 |
{
|
|
Packit |
728676 |
int mac_size = mag_get_mac_size(cfg);
|
|
Packit |
728676 |
unsigned char mac[mac_size];
|
|
Packit |
728676 |
int ret;
|
|
Packit |
728676 |
|
|
Packit |
728676 |
ret = mag_basic_hmac(cfg->mag_skey, mac, user, pwd);
|
|
Packit |
728676 |
if (ret != 0) return;
|
|
Packit |
728676 |
|
|
Packit |
728676 |
mc->basic_hash.length = mac_size;
|
|
Packit |
728676 |
mc->basic_hash.value = apr_palloc(mc->pool, mac_size);
|
|
Packit |
728676 |
memcpy(mc->basic_hash.value, mac, mac_size);
|
|
Packit |
728676 |
}
|