* Authentication Handler: * Fake a Basic authentication from the X509 client certificate. * * This must be run fairly early on to prevent a real authentication from * occurring, in particular it must be run before anything else that * authenticates a user. This means that the Module statement for this * module should be LAST in the Configuration file. */
| 1193 | * module should be LAST in the Configuration file. |
| 1194 | */ |
| 1195 | int ssl_hook_UserCheck(request_rec *r) |
| 1196 | { |
| 1197 | SSLConnRec *sslconn; |
| 1198 | SSLDirConfigRec *dc = myDirConfig(r); |
| 1199 | char *clientdn; |
| 1200 | const char *auth_line, *username, *password; |
| 1201 | |
| 1202 | /* |
| 1203 | * Additionally forbid access (again) |
| 1204 | * when strict require option is used. |
| 1205 | */ |
| 1206 | if ((dc->nOptions & SSL_OPT_STRICTREQUIRE) && |
| 1207 | (apr_table_get(r->notes, "ssl-access-forbidden"))) |
| 1208 | { |
| 1209 | return HTTP_FORBIDDEN; |
| 1210 | } |
| 1211 | |
| 1212 | /* |
| 1213 | * We decline when we are in a subrequest. The Authorization header |
| 1214 | * would already be present if it was added in the main request. |
| 1215 | */ |
| 1216 | if (!ap_is_initial_req(r)) { |
| 1217 | return DECLINED; |
| 1218 | } |
| 1219 | |
| 1220 | /* |
| 1221 | * Make sure the user is not able to fake the client certificate |
| 1222 | * based authentication by just entering an X.509 Subject DN |
| 1223 | * ("/XX=YYY/XX=YYY/..") as the username and "password" as the |
| 1224 | * password. |
| 1225 | */ |
| 1226 | if ((auth_line = apr_table_get(r->headers_in, "Authorization"))) { |
| 1227 | if (strcEQ(ap_getword(r->pool, &auth_line, ' '), "Basic")) { |
| 1228 | while ((*auth_line == ' ') || (*auth_line == '\t')) { |
| 1229 | auth_line++; |
| 1230 | } |
| 1231 | |
| 1232 | auth_line = ap_pbase64decode(r->pool, auth_line); |
| 1233 | username = ap_getword_nulls(r->pool, &auth_line, ':'); |
| 1234 | password = auth_line; |
| 1235 | |
| 1236 | if ((username[0] == '/') && strEQ(password, "password")) { |
| 1237 | ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02035) |
| 1238 | "Encountered FakeBasicAuth spoof: %s", username); |
| 1239 | return HTTP_FORBIDDEN; |
| 1240 | } |
| 1241 | } |
| 1242 | } |
| 1243 | |
| 1244 | /* |
| 1245 | * We decline operation in various situations... |
| 1246 | * - TLS not enabled |
| 1247 | * - client did not present a certificate |
| 1248 | * - SSLOptions +FakeBasicAuth not configured |
| 1249 | * - r->user already authenticated |
| 1250 | */ |
| 1251 | if (!modssl_request_is_tls(r, &sslconn) |
| 1252 | || !sslconn->client_cert |
nothing calls this directly
no test coverage detected