int config_parse_file(server *srv, config_t *context, const char *fn) { tokenizer_t t; stream s; int ret; buffer *filename; if (buffer_is_empty(context->basedir) || (fn[0] == '/' || fn[0] == '\\') || (fn[0] == '.' && (fn[1] == '/' || fn[1] == '\\'))) { filename = buffer_init_string(fn); } else { filename = buffer_init_buffer(context->basedir); buffer_append_string(filename, fn); } if (0 != stream_open(&s, filename)) { if (s.size == 0) { /* the file was empty, nothing to parse */ ret = 0; } else { log_error_write(srv, __FILE__, __LINE__, "sbss", "opening configfile ", filename, "failed:", strerror(errno)); ret = -1; } } else { tokenizer_init(&t, filename, s.start, s.size); ret = config_parse(srv, context, &t); } stream_close(&s); buffer_free(filename); return ret; }
static int tokenizer_open(server *srv, tokenizer_t *t, buffer *basedir, const char *fn) { if (buffer_is_empty(basedir) || (fn[0] == '/' || fn[0] == '\\') || (fn[0] == '.' && (fn[1] == '/' || fn[1] == '\\'))) { t->file = buffer_init_string(fn); } else { t->file = buffer_init_buffer(basedir); buffer_append_string(t->file, fn); } if (0 != stream_open(&(t->s), t->file)) { log_error_write(srv, __FILE__, __LINE__, "sbss", "opening configfile ", t->file, "failed:", strerror(errno)); buffer_free(t->file); return -1; } t->input = t->s.start; t->offset = 0; t->size = t->s.size; t->line = 1; t->line_pos = 1; t->in_key = 1; t->in_brace = 0; t->in_cond = 0; return 0; }
void mod_lisp_init_socket_pool (server *srv, plugin_data *p) { unsigned short size, i; fd_data *ff; UNUSED (srv); if (! p->LispSocketPool) { size = p->conf.LispSocketPoolSize; p->LispSocketPoolSize = size; p->LispSocketPool = calloc(size, sizeof(fd_data)); for (ff = p->LispSocketPool, i = 0; i < size; ++i, ++ff) { ff->fd = -1; ff->fde_ndx = -1; ff->state = 0; ff->ip = buffer_init_buffer(p->conf.LispServerIP); ff->id = buffer_init_buffer(p->conf.LispServerId); ff->port = p->conf.LispServerPort; } p->LispSocketPoolUsed = 0; } }
static void connection_handle_errdoc_init(server *srv, connection *con) { /* modules that produce headers required with error response should * typically also produce an error document. Make an exception for * mod_auth WWW-Authenticate response header. */ buffer *www_auth = NULL; if (401 == con->http_status) { data_string *ds = (data_string *)array_get_element(con->response.headers, "WWW-Authenticate"); if (NULL != ds) { www_auth = buffer_init_buffer(ds->value); } } con->response.transfer_encoding = 0; buffer_reset(con->physical.path); array_reset(con->response.headers); chunkqueue_reset(con->write_queue); if (NULL != www_auth) { response_header_insert(srv, con, CONST_STR_LEN("WWW-Authenticate"), CONST_BUF_LEN(www_auth)); buffer_free(www_auth); } }
/* ** Perform a reduce action and the shift that must immediately ** follow the reduce. */ static void yy_reduce( yyParser *yypParser, /* The parser */ int yyruleno /* Number of the rule by which to reduce */ ){ int yygoto; /* The next state */ int yyact; /* The next action */ YYMINORTYPE yygotominor; /* The LHS of the rule reduced */ yyStackEntry *yymsp; /* The top of the parser's stack */ int yysize; /* Amount to pop the stack */ configparserARG_FETCH; yymsp = &yypParser->yystack[yypParser->yyidx]; #ifndef NDEBUG if( yyTraceFILE && yyruleno>=0 && yyruleno<sizeof(yyRuleName)/sizeof(yyRuleName[0]) ){ fprintf(yyTraceFILE, "%sReduce [%s].\n", yyTracePrompt, yyRuleName[yyruleno]); } #endif /* NDEBUG */ switch( yyruleno ){ /* Beginning here are the reduction cases. A typical example ** follows: ** case 0: ** #line <lineno> <grammarfile> ** { ... } // User supplied code ** #line <lineno> <thisfile> ** break; */ case 0: /* No destructor defined for metalines */ break; case 1: /* No destructor defined for metalines */ /* No destructor defined for metaline */ break; case 2: break; case 3: /* No destructor defined for varline */ break; case 4: /* No destructor defined for global */ break; case 5: #line 115 "./configparser.y" { yymsp[-1].minor.yy78 = NULL; } #line 822 "configparser.c" yy_destructor(1,&yymsp[0].minor); break; case 6: /* No destructor defined for include */ break; case 7: /* No destructor defined for include_shell */ break; case 8: yy_destructor(1,&yymsp[0].minor); break; case 9: #line 144 "./configparser.y" { if (ctx->ok) { buffer_copy_string_buffer(yymsp[0].minor.yy41->key, yymsp[-2].minor.yy43); if (strncmp(yymsp[-2].minor.yy43->ptr, "env.", sizeof("env.") - 1) == 0) { fprintf(stderr, "Setting env variable is not supported in conditional %d %s: %s\n", ctx->current->context_ndx, ctx->current->key->ptr, yymsp[-2].minor.yy43->ptr); ctx->ok = 0; } else if (NULL == array_get_element(ctx->current->value, yymsp[0].minor.yy41->key->ptr)) { array_insert_unique(ctx->current->value, yymsp[0].minor.yy41); yymsp[0].minor.yy41 = NULL; } else { fprintf(stderr, "Duplicate config variable in conditional %d %s: %s\n", ctx->current->context_ndx, ctx->current->key->ptr, yymsp[0].minor.yy41->key->ptr); ctx->ok = 0; yymsp[0].minor.yy41->free(yymsp[0].minor.yy41); yymsp[0].minor.yy41 = NULL; } } buffer_free(yymsp[-2].minor.yy43); yymsp[-2].minor.yy43 = NULL; } #line 859 "configparser.c" yy_destructor(2,&yymsp[-1].minor); break; case 10: #line 168 "./configparser.y" { array *vars = ctx->current->value; data_unset *du; if (strncmp(yymsp[-2].minor.yy43->ptr, "env.", sizeof("env.") - 1) == 0) { fprintf(stderr, "Appending env variable is not supported in conditional %d %s: %s\n", ctx->current->context_ndx, ctx->current->key->ptr, yymsp[-2].minor.yy43->ptr); ctx->ok = 0; } else if (NULL != (du = array_get_element(vars, yymsp[-2].minor.yy43->ptr))) { /* exists in current block */ du = configparser_merge_data(du, yymsp[0].minor.yy41); if (NULL == du) { ctx->ok = 0; } else { buffer_copy_string_buffer(du->key, yymsp[-2].minor.yy43); array_replace(vars, du); } yymsp[0].minor.yy41->free(yymsp[0].minor.yy41); } else if (NULL != (du = configparser_get_variable(ctx, yymsp[-2].minor.yy43))) { du = configparser_merge_data(du, yymsp[0].minor.yy41); if (NULL == du) { ctx->ok = 0; du->free(du); } else { buffer_copy_string_buffer(du->key, yymsp[-2].minor.yy43); array_insert_unique(ctx->current->value, du); } yymsp[0].minor.yy41->free(yymsp[0].minor.yy41); } else { buffer_copy_string_buffer(yymsp[0].minor.yy41->key, yymsp[-2].minor.yy43); array_insert_unique(ctx->current->value, yymsp[0].minor.yy41); } buffer_free(yymsp[-2].minor.yy43); yymsp[-2].minor.yy43 = NULL; yymsp[0].minor.yy41 = NULL; } #line 903 "configparser.c" yy_destructor(3,&yymsp[-1].minor); break; case 11: #line 208 "./configparser.y" { if (strchr(yymsp[0].minor.yy0->ptr, '.') == NULL) { yygotominor.yy43 = buffer_init_string("var."); buffer_append_string_buffer(yygotominor.yy43, yymsp[0].minor.yy0); buffer_free(yymsp[0].minor.yy0); yymsp[0].minor.yy0 = NULL; } else { yygotominor.yy43 = yymsp[0].minor.yy0; yymsp[0].minor.yy0 = NULL; } } #line 919 "configparser.c" break; case 12: #line 220 "./configparser.y" { yygotominor.yy41 = configparser_merge_data(yymsp[-2].minor.yy41, yymsp[0].minor.yy41); if (NULL == yygotominor.yy41) { ctx->ok = 0; } yymsp[-2].minor.yy41 = NULL; yymsp[0].minor.yy41->free(yymsp[0].minor.yy41); yymsp[0].minor.yy41 = NULL; } #line 932 "configparser.c" yy_destructor(5,&yymsp[-1].minor); break; case 13: #line 230 "./configparser.y" { yygotominor.yy41 = yymsp[0].minor.yy41; yymsp[0].minor.yy41 = NULL; } #line 941 "configparser.c" break; case 14: #line 235 "./configparser.y" { yygotominor.yy41 = NULL; if (strncmp(yymsp[0].minor.yy43->ptr, "env.", sizeof("env.") - 1) == 0) { char *env; if (NULL != (env = getenv(yymsp[0].minor.yy43->ptr + 4))) { data_string *ds; ds = data_string_init(); buffer_append_string(ds->value, env); yygotominor.yy41 = (data_unset *)ds; } else { fprintf(stderr, "Undefined env variable: %s\n", yymsp[0].minor.yy43->ptr + 4); ctx->ok = 0; } } else if (NULL == (yygotominor.yy41 = configparser_get_variable(ctx, yymsp[0].minor.yy43))) { fprintf(stderr, "Undefined config variable: %s\n", yymsp[0].minor.yy43->ptr); ctx->ok = 0; } if (!yygotominor.yy41) { /* make a dummy so it won't crash */ yygotominor.yy41 = (data_unset *)data_string_init(); } buffer_free(yymsp[0].minor.yy43); yymsp[0].minor.yy43 = NULL; } #line 971 "configparser.c" break; case 15: #line 262 "./configparser.y" { yygotominor.yy41 = (data_unset *)data_string_init(); buffer_copy_string_buffer(((data_string *)(yygotominor.yy41))->value, yymsp[0].minor.yy0); buffer_free(yymsp[0].minor.yy0); yymsp[0].minor.yy0 = NULL; } #line 981 "configparser.c" break; case 16: #line 269 "./configparser.y" { yygotominor.yy41 = (data_unset *)data_integer_init(); ((data_integer *)(yygotominor.yy41))->value = strtol(yymsp[0].minor.yy0->ptr, NULL, 10); buffer_free(yymsp[0].minor.yy0); yymsp[0].minor.yy0 = NULL; } #line 991 "configparser.c" break; case 17: #line 275 "./configparser.y" { yygotominor.yy41 = (data_unset *)data_array_init(); array_free(((data_array *)(yygotominor.yy41))->value); ((data_array *)(yygotominor.yy41))->value = yymsp[0].minor.yy40; yymsp[0].minor.yy40 = NULL; } #line 1001 "configparser.c" break; case 18: #line 281 "./configparser.y" { yygotominor.yy40 = array_init(); } #line 1008 "configparser.c" yy_destructor(8,&yymsp[-1].minor); yy_destructor(9,&yymsp[0].minor); break; case 19: #line 284 "./configparser.y" { yygotominor.yy40 = yymsp[-1].minor.yy40; yymsp[-1].minor.yy40 = NULL; } #line 1018 "configparser.c" yy_destructor(8,&yymsp[-2].minor); yy_destructor(9,&yymsp[0].minor); break; case 20: #line 289 "./configparser.y" { if (buffer_is_empty(yymsp[0].minor.yy41->key) || NULL == array_get_element(yymsp[-2].minor.yy40, yymsp[0].minor.yy41->key->ptr)) { array_insert_unique(yymsp[-2].minor.yy40, yymsp[0].minor.yy41); yymsp[0].minor.yy41 = NULL; } else { fprintf(stderr, "Duplicate array-key: %s\n", yymsp[0].minor.yy41->key->ptr); ctx->ok = 0; yymsp[0].minor.yy41->free(yymsp[0].minor.yy41); yymsp[0].minor.yy41 = NULL; } yygotominor.yy40 = yymsp[-2].minor.yy40; yymsp[-2].minor.yy40 = NULL; } #line 1040 "configparser.c" yy_destructor(10,&yymsp[-1].minor); break; case 21: #line 306 "./configparser.y" { yygotominor.yy40 = yymsp[-1].minor.yy40; yymsp[-1].minor.yy40 = NULL; } #line 1049 "configparser.c" yy_destructor(10,&yymsp[0].minor); break; case 22: #line 311 "./configparser.y" { yygotominor.yy40 = array_init(); array_insert_unique(yygotominor.yy40, yymsp[0].minor.yy41); yymsp[0].minor.yy41 = NULL; } #line 1059 "configparser.c" break; case 23: #line 317 "./configparser.y" { yygotominor.yy41 = yymsp[0].minor.yy41; yymsp[0].minor.yy41 = NULL; } #line 1067 "configparser.c" break; case 24: #line 321 "./configparser.y" { buffer_copy_string_buffer(yymsp[0].minor.yy41->key, yymsp[-2].minor.yy43); buffer_free(yymsp[-2].minor.yy43); yymsp[-2].minor.yy43 = NULL; yygotominor.yy41 = yymsp[0].minor.yy41; yymsp[0].minor.yy41 = NULL; } #line 1079 "configparser.c" yy_destructor(11,&yymsp[-1].minor); break; case 25: yy_destructor(1,&yymsp[0].minor); break; case 26: break; case 27: #line 333 "./configparser.y" { data_config *dc; dc = (data_config *)array_get_element(ctx->srv->config_context, "global"); assert(dc); configparser_push(ctx, dc, 0); } #line 1095 "configparser.c" yy_destructor(12,&yymsp[0].minor); break; case 28: #line 340 "./configparser.y" { data_config *cur; cur = ctx->current; configparser_pop(ctx); assert(cur && ctx->current); yygotominor.yy78 = cur; } #line 1110 "configparser.c" /* No destructor defined for globalstart */ yy_destructor(13,&yymsp[-2].minor); /* No destructor defined for metalines */ yy_destructor(14,&yymsp[0].minor); break; case 29: #line 351 "./configparser.y" { assert(yymsp[-3].minor.yy78->context_ndx < yymsp[0].minor.yy78->context_ndx); yymsp[0].minor.yy78->prev = yymsp[-3].minor.yy78; yymsp[-3].minor.yy78->next = yymsp[0].minor.yy78; yygotominor.yy78 = yymsp[0].minor.yy78; yymsp[-3].minor.yy78 = NULL; yymsp[0].minor.yy78 = NULL; } #line 1126 "configparser.c" /* No destructor defined for eols */ yy_destructor(15,&yymsp[-1].minor); break; case 30: #line 360 "./configparser.y" { yygotominor.yy78 = yymsp[0].minor.yy78; yymsp[0].minor.yy78 = NULL; } #line 1136 "configparser.c" break; case 31: #line 365 "./configparser.y" { data_config *cur; cur = ctx->current; configparser_pop(ctx); assert(cur && ctx->current); yygotominor.yy78 = cur; } #line 1150 "configparser.c" /* No destructor defined for context */ yy_destructor(13,&yymsp[-2].minor); /* No destructor defined for metalines */ yy_destructor(14,&yymsp[0].minor); break; case 32: #line 376 "./configparser.y" { data_config *dc; buffer *b, *rvalue, *op; if (ctx->ok && yymsp[0].minor.yy41->type != TYPE_STRING) { fprintf(stderr, "rvalue must be string"); ctx->ok = 0; } switch(yymsp[-1].minor.yy27) { case CONFIG_COND_NE: op = buffer_init_string("!="); break; case CONFIG_COND_EQ: op = buffer_init_string("=="); break; case CONFIG_COND_NOMATCH: op = buffer_init_string("!~"); break; case CONFIG_COND_MATCH: op = buffer_init_string("=~"); break; default: assert(0); return; } b = buffer_init(); buffer_copy_string_buffer(b, ctx->current->key); buffer_append_string(b, "/"); buffer_append_string_buffer(b, yymsp[-5].minor.yy0); buffer_append_string_buffer(b, yymsp[-3].minor.yy43); buffer_append_string_buffer(b, op); rvalue = ((data_string*)yymsp[0].minor.yy41)->value; buffer_append_string_buffer(b, rvalue); if (NULL != (dc = (data_config *)array_get_element(ctx->all_configs, b->ptr))) { configparser_push(ctx, dc, 0); } else { struct { comp_key_t comp; char *comp_key; size_t len; } comps[] = { { COMP_SERVER_SOCKET, CONST_STR_LEN("SERVER[\"socket\"]" ) }, { COMP_HTTP_URL, CONST_STR_LEN("HTTP[\"url\"]" ) }, { COMP_HTTP_HOST, CONST_STR_LEN("HTTP[\"host\"]" ) }, { COMP_HTTP_REFERER, CONST_STR_LEN("HTTP[\"referer\"]" ) }, { COMP_HTTP_USER_AGENT, CONST_STR_LEN("HTTP[\"useragent\"]" ) }, { COMP_HTTP_USER_AGENT, CONST_STR_LEN("HTTP[\"user-agent\"]" ) }, { COMP_HTTP_COOKIE, CONST_STR_LEN("HTTP[\"cookie\"]" ) }, { COMP_HTTP_REMOTE_IP, CONST_STR_LEN("HTTP[\"remoteip\"]" ) }, { COMP_HTTP_REMOTE_IP, CONST_STR_LEN("HTTP[\"remote-ip\"]" ) }, { COMP_HTTP_QUERY_STRING, CONST_STR_LEN("HTTP[\"querystring\"]") }, { COMP_HTTP_QUERY_STRING, CONST_STR_LEN("HTTP[\"query-string\"]") }, { COMP_HTTP_REQUEST_METHOD, CONST_STR_LEN("HTTP[\"request-method\"]") }, { COMP_HTTP_SCHEME, CONST_STR_LEN("HTTP[\"scheme\"]" ) }, { COMP_UNSET, NULL, 0 }, }; size_t i; dc = data_config_init(); buffer_copy_string_buffer(dc->key, b); buffer_copy_string_buffer(dc->op, op); buffer_copy_string_buffer(dc->comp_key, yymsp[-5].minor.yy0); buffer_append_string_len(dc->comp_key, CONST_STR_LEN("[\"")); buffer_append_string_buffer(dc->comp_key, yymsp[-3].minor.yy43); buffer_append_string_len(dc->comp_key, CONST_STR_LEN("\"]")); dc->cond = yymsp[-1].minor.yy27; for (i = 0; comps[i].comp_key; i ++) { if (buffer_is_equal_string( dc->comp_key, comps[i].comp_key, comps[i].len)) { dc->comp = comps[i].comp; break; } } if (COMP_UNSET == dc->comp) { fprintf(stderr, "error comp_key %s", dc->comp_key->ptr); ctx->ok = 0; } switch(yymsp[-1].minor.yy27) { case CONFIG_COND_NE: case CONFIG_COND_EQ: dc->string = buffer_init_buffer(rvalue); break; case CONFIG_COND_NOMATCH: case CONFIG_COND_MATCH: { #ifdef HAVE_PCRE_H const char *errptr; int erroff; if (NULL == (dc->regex = pcre_compile(rvalue->ptr, 0, &errptr, &erroff, NULL))) { dc->string = buffer_init_string(errptr); dc->cond = CONFIG_COND_UNSET; fprintf(stderr, "parsing regex failed: %s -> %s at offset %d\n", rvalue->ptr, errptr, erroff); ctx->ok = 0; } else if (NULL == (dc->regex_study = pcre_study(dc->regex, 0, &errptr)) && errptr != NULL) { fprintf(stderr, "studying regex failed: %s -> %s\n", rvalue->ptr, errptr); ctx->ok = 0; } else { dc->string = buffer_init_buffer(rvalue); } #else fprintf(stderr, "can't handle '$%s[%s] =~ ...' as you compiled without pcre support. \n" "(perhaps just a missing pcre-devel package ?) \n", yymsp[-5].minor.yy0->ptr, yymsp[-3].minor.yy43->ptr); ctx->ok = 0; #endif break; } default: fprintf(stderr, "unknown condition for $%s[%s]\n", yymsp[-5].minor.yy0->ptr, yymsp[-3].minor.yy43->ptr); ctx->ok = 0; break; } configparser_push(ctx, dc, 1); } buffer_free(b); buffer_free(op); buffer_free(yymsp[-5].minor.yy0); yymsp[-5].minor.yy0 = NULL; buffer_free(yymsp[-3].minor.yy43); yymsp[-3].minor.yy43 = NULL; yymsp[0].minor.yy41->free(yymsp[0].minor.yy41); yymsp[0].minor.yy41 = NULL; } #line 1298 "configparser.c" yy_destructor(16,&yymsp[-6].minor); yy_destructor(18,&yymsp[-4].minor); yy_destructor(19,&yymsp[-2].minor); break; case 33: #line 516 "./configparser.y" { yygotominor.yy27 = CONFIG_COND_EQ; } #line 1308 "configparser.c" yy_destructor(20,&yymsp[0].minor); break; case 34: #line 519 "./configparser.y" { yygotominor.yy27 = CONFIG_COND_MATCH; } #line 1316 "configparser.c" yy_destructor(21,&yymsp[0].minor); break; case 35: #line 522 "./configparser.y" { yygotominor.yy27 = CONFIG_COND_NE; } #line 1324 "configparser.c" yy_destructor(22,&yymsp[0].minor); break; case 36: #line 525 "./configparser.y" { yygotominor.yy27 = CONFIG_COND_NOMATCH; } #line 1332 "configparser.c" yy_destructor(23,&yymsp[0].minor); break; case 37: #line 529 "./configparser.y" { yygotominor.yy43 = NULL; if (ctx->ok) { if (yymsp[0].minor.yy41->type == TYPE_STRING) { yygotominor.yy43 = buffer_init_buffer(((data_string*)yymsp[0].minor.yy41)->value); } else if (yymsp[0].minor.yy41->type == TYPE_INTEGER) { yygotominor.yy43 = buffer_init(); buffer_copy_long(yygotominor.yy43, ((data_integer *)yymsp[0].minor.yy41)->value); } else { fprintf(stderr, "operand must be string"); ctx->ok = 0; } } yymsp[0].minor.yy41->free(yymsp[0].minor.yy41); yymsp[0].minor.yy41 = NULL; } #line 1353 "configparser.c" break; case 38: #line 546 "./configparser.y" { if (ctx->ok) { if (0 != config_parse_file(ctx->srv, ctx, yymsp[0].minor.yy43->ptr)) { ctx->ok = 0; } buffer_free(yymsp[0].minor.yy43); yymsp[0].minor.yy43 = NULL; } } #line 1366 "configparser.c" yy_destructor(24,&yymsp[-1].minor); break; case 39: #line 556 "./configparser.y" { if (ctx->ok) { if (0 != config_parse_cmd(ctx->srv, ctx, yymsp[0].minor.yy43->ptr)) { ctx->ok = 0; } buffer_free(yymsp[0].minor.yy43); yymsp[0].minor.yy43 = NULL; } } #line 1380 "configparser.c" yy_destructor(25,&yymsp[-1].minor); break; }; yygoto = yyRuleInfo[yyruleno].lhs; yysize = yyRuleInfo[yyruleno].nrhs; yypParser->yyidx -= yysize; yyact = yy_find_reduce_action(yypParser,yygoto); if( yyact < YYNSTATE ){ yy_shift(yypParser,yyact,yygoto,&yygotominor); }else if( yyact == YYNSTATE + YYNRULE + 1 ){ yy_accept(yypParser); } }
static handler_t mod_authn_gssapi_basic(server *srv, connection *con, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw) { krb5_context kcontext = NULL; krb5_keytab keytab = NULL; krb5_principal s_princ = NULL; krb5_principal c_princ = NULL; krb5_creds c_creds; krb5_ccache c_ccache = NULL; krb5_ccache ret_ccache = NULL; krb5_error_code code; int ret; buffer *sprinc; buffer *user_at_realm = NULL; plugin_data * const p = (plugin_data *)p_d; if (*pw == '\0') { log_error_write(srv, __FILE__, __LINE__, "s", "Empty passwords are not accepted"); return mod_authn_gssapi_send_401_unauthorized_basic(srv, con); } mod_authn_gssapi_patch_connection(srv, con, p); code = krb5_init_context(&kcontext); if (code) { log_error_write(srv, __FILE__, __LINE__, "sd", "krb5_init_context():", code); return mod_authn_gssapi_send_401_unauthorized_basic(srv, con); /*(well, should be 500)*/ } code = krb5_kt_resolve(kcontext, p->conf.auth_gssapi_keytab->ptr, &keytab); if (code) { log_error_write(srv, __FILE__, __LINE__, "sdb", "krb5_kt_resolve():", code, p->conf.auth_gssapi_keytab); return mod_authn_gssapi_send_401_unauthorized_basic(srv, con); /*(well, should be 500)*/ } sprinc = buffer_init_buffer(p->conf.auth_gssapi_principal); if (strchr(sprinc->ptr, '/') == NULL) { /*(copy HTTP Host, omitting port if port is present)*/ /* ??? Should con->server_name be used if http_host not present? * ??? What if con->server_name is not set? * ??? Will this work below if IPv6 provided in Host? probably not */ if (!buffer_is_empty(con->request.http_host)) { buffer_append_string(sprinc, "/"); buffer_append_string_len(sprinc, con->request.http_host->ptr, strcspn(con->request.http_host->ptr, ":")); } } /*(init c_creds before anything which might krb5_free_cred_contents())*/ memset(&c_creds, 0, sizeof(c_creds)); ret = krb5_parse_name(kcontext, sprinc->ptr, &s_princ); if (ret) { mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_parse_name", sprinc->ptr, kcontext, ret); ret = -1; goto end; } if (strchr(username->ptr, '@') == NULL) { user_at_realm = buffer_init_buffer(username); BUFFER_APPEND_STRING_CONST(user_at_realm, "@"); buffer_append_string_buffer(user_at_realm, require->realm); } ret = krb5_parse_name(kcontext, (user_at_realm ? user_at_realm->ptr : username->ptr), &c_princ); if (ret) { mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_parse_name", (user_at_realm ? user_at_realm->ptr : username->ptr), kcontext, ret); if (user_at_realm) buffer_free(user_at_realm); ret = -1; goto end; } if (user_at_realm) buffer_free(user_at_realm); /* XXX: if the qualified username with @realm should be in REMOTE_USER, * then http_auth_backend_t basic interface needs to change to pass * modifiable buffer *username, but note that const char *pw follows * in the truncated buffer *username, so pw would need to be copied * before modifying buffer *username */ /* * char *name = NULL; * ret = krb5_unparse_name(kcontext, c_princ, &name); * if (ret == 0) { * log_error_write(srv, __FILE__, __LINE__, "sbss", "Trying to get TGT for user:"******"password:"******"krb5_get_init_creds_password", NULL, kcontext, ret); goto end; } ret = mod_authn_gssapi_verify_krb5_init_creds(srv, kcontext, &c_creds, s_princ, keytab); if (ret) { mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "mod_authn_gssapi_verify_krb5_init_creds", NULL, kcontext, ret); goto end; } ret = krb5_cc_resolve(kcontext, "MEMORY:", &ret_ccache); if (ret) { mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_resolve", NULL, kcontext, ret); goto end; } ret = krb5_cc_initialize(kcontext, ret_ccache, c_princ); if (ret) { mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_initialize", NULL, kcontext, ret); goto end; } ret = krb5_cc_store_cred(kcontext, ret_ccache, &c_creds); if (ret) { mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_store_cred", NULL, kcontext, ret); goto end; } c_ccache = ret_ccache; ret_ccache = NULL; end: krb5_free_cred_contents(kcontext, &c_creds); if (ret_ccache) krb5_cc_destroy(kcontext, ret_ccache); if (!ret && c_ccache && (ret = mod_authn_gssapi_store_krb5_creds(srv, con, p, kcontext, c_ccache))) { log_error_write(srv, __FILE__, __LINE__, "sb", "mod_authn_gssapi_store_krb5_creds failed for", username); } buffer_free(sprinc); if (c_princ) krb5_free_principal(kcontext, c_princ); if (s_princ) krb5_free_principal(kcontext, s_princ); if (c_ccache) krb5_cc_destroy(kcontext, c_ccache); if (keytab) krb5_kt_close(kcontext, keytab); krb5_free_context(kcontext); if (0 == ret && http_auth_match_rules(require,username->ptr,NULL,NULL)){ return HANDLER_GO_ON; } else { /* ret == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN or no authz rules match */ log_error_write(srv, __FILE__, __LINE__, "sbsBsB", "password doesn't match for", con->uri.path, "username:"******", IP:", con->dst_addr_buf); return mod_authn_gssapi_send_401_unauthorized_basic(srv, con); } }
static handler_t mod_authn_gssapi_check_spnego(server *srv, connection *con, plugin_data *p, const http_auth_require_t *require, const char *realm_str) { OM_uint32 st_major, st_minor, acc_flags; gss_buffer_desc token_s = GSS_C_EMPTY_BUFFER; gss_buffer_desc token_in = GSS_C_EMPTY_BUFFER; gss_buffer_desc token_out = GSS_C_EMPTY_BUFFER; gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL; gss_cred_id_t client_cred = GSS_C_NO_CREDENTIAL; gss_ctx_id_t context = GSS_C_NO_CONTEXT; gss_name_t server_name = GSS_C_NO_NAME; gss_name_t client_name = GSS_C_NO_NAME; buffer *sprinc; int ret = 0; buffer *t_in = buffer_init(); if (!buffer_append_base64_decode(t_in, realm_str, strlen(realm_str), BASE64_STANDARD)) { log_error_write(srv, __FILE__, __LINE__, "ss", "decoding GSSAPI authentication header failed", realm_str); buffer_free(t_in); return mod_authn_gssapi_send_400_bad_request(srv, con); } mod_authn_gssapi_patch_connection(srv, con, p); { /* ??? Should code = krb5_kt_resolve(kcontext, p->conf.auth_gssapi_keytab->ptr, &keytab); * be used, instead of putenv() of KRB5_KTNAME=...? See mod_authn_gssapi_basic() */ /* ??? Should KRB5_KTNAME go into con->environment instead ??? */ /* ??? Should KRB5_KTNAME be added to mod_authn_gssapi_basic(), too? */ buffer ktname; memset(&ktname, 0, sizeof(ktname)); buffer_copy_string(&ktname, "KRB5_KTNAME="); buffer_append_string_buffer(&ktname, p->conf.auth_gssapi_keytab); putenv(ktname.ptr); /* ktname.ptr becomes part of the environment, do not free */ } sprinc = buffer_init_buffer(p->conf.auth_gssapi_principal); if (strchr(sprinc->ptr, '/') == NULL) { /*(copy HTTP Host, omitting port if port is present)*/ /* ??? Should con->server_name be used if http_host not present? * ??? What if con->server_name is not set? * ??? Will this work below if IPv6 provided in Host? probably not */ if (!buffer_is_empty(con->request.http_host)) { buffer_append_string(sprinc, "/"); buffer_append_string_len(sprinc, con->request.http_host->ptr, strcspn(con->request.http_host->ptr, ":")); } } if (strchr(sprinc->ptr, '@') == NULL) { buffer_append_string(sprinc, "@"); buffer_append_string_buffer(sprinc, require->realm); } /*#define GSS_C_NT_USER_NAME gss_nt_user_name*/ /*#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name*/ #define GSS_KRB5_NT_PRINCIPAL_NAME gss_nt_krb5_name token_s.value = sprinc->ptr; token_s.length = buffer_string_length(sprinc); st_major = gss_import_name(&st_minor, &token_s, (gss_OID) GSS_KRB5_NT_PRINCIPAL_NAME, &server_name); if (GSS_ERROR(st_major)) { mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_import_name", NULL, st_major, st_minor); goto end; } memset(&token_s, 0, sizeof(token_s)); st_major = gss_display_name(&st_minor, server_name, &token_s, NULL); if (GSS_ERROR(st_major)) { mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_display_name", NULL, st_major, st_minor); goto end; } /* acquire server's own credentials */ st_major = gss_acquire_cred(&st_minor, server_name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, GSS_C_ACCEPT, &server_cred, NULL, NULL); if (GSS_ERROR(st_major)) { mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_acquire_cred", sprinc->ptr, st_major, st_minor); goto end; } /* accept the user's context */ token_in.length = buffer_string_length(t_in); token_in.value = t_in->ptr; st_major = gss_accept_sec_context(&st_minor, &context, server_cred, &token_in, GSS_C_NO_CHANNEL_BINDINGS, &client_name, NULL, &token_out, &acc_flags, NULL, &client_cred); if (GSS_ERROR(st_major)) { mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_accept_sec_context", NULL, st_major, st_minor); goto end; } /* fetch the username */ st_major = gss_display_name(&st_minor, client_name, &token_out, NULL); if (GSS_ERROR(st_major)) { mod_authn_gssapi_log_gss_error(srv, __FILE__, __LINE__, "gss_display_name", NULL, st_major, st_minor); goto end; } if (!(acc_flags & GSS_C_CONF_FLAG)) { log_error_write(srv, __FILE__, __LINE__, "ss", "No confidentiality for user:"******"ss", "Unable to delegate credentials for user:"******"GSSAPI")); end: buffer_free(t_in); buffer_free(sprinc); if (context != GSS_C_NO_CONTEXT) gss_delete_sec_context(&st_minor, &context, GSS_C_NO_BUFFER); if (client_cred != GSS_C_NO_CREDENTIAL) gss_release_cred(&st_minor, &client_cred); if (server_cred != GSS_C_NO_CREDENTIAL) gss_release_cred(&st_minor, &server_cred); if (client_name != GSS_C_NO_NAME) gss_release_name(&st_minor, &client_name); if (server_name != GSS_C_NO_NAME) gss_release_name(&st_minor, &server_name); if (token_s.length) gss_release_buffer(&st_minor, &token_s); /* if (token_in.length) * gss_release_buffer(&st_minor, &token_in); */ if (token_out.length) gss_release_buffer(&st_minor, &token_out); return ret ? HANDLER_GO_ON : mod_authn_gssapi_send_401_unauthorized_negotiate(srv, con); }