MCPcopy Create free account
hub / github.com/apache/httpd / ssl_hook_UserCheck

Function ssl_hook_UserCheck

modules/ssl/ssl_engine_kernel.c:1195–1290  ·  view source on GitHub ↗

* Authentication Handler: * Fake a Basic authentication from the X509 client certificate. * * This must be run fairly early on to prevent a real authentication from * occurring, in particular it must be run before anything else that * authenticates a user. This means that the Module statement for this * module should be LAST in the Configuration file. */

Source from the content-addressed store, hash-verified

1193 * module should be LAST in the Configuration file.
1194 */
1195int ssl_hook_UserCheck(request_rec *r)
1196{
1197 SSLConnRec *sslconn;
1198 SSLDirConfigRec *dc = myDirConfig(r);
1199 char *clientdn;
1200 const char *auth_line, *username, *password;
1201
1202 /*
1203 * Additionally forbid access (again)
1204 * when strict require option is used.
1205 */
1206 if ((dc->nOptions & SSL_OPT_STRICTREQUIRE) &&
1207 (apr_table_get(r->notes, "ssl-access-forbidden")))
1208 {
1209 return HTTP_FORBIDDEN;
1210 }
1211
1212 /*
1213 * We decline when we are in a subrequest. The Authorization header
1214 * would already be present if it was added in the main request.
1215 */
1216 if (!ap_is_initial_req(r)) {
1217 return DECLINED;
1218 }
1219
1220 /*
1221 * Make sure the user is not able to fake the client certificate
1222 * based authentication by just entering an X.509 Subject DN
1223 * ("/XX=YYY/XX=YYY/..") as the username and "password" as the
1224 * password.
1225 */
1226 if ((auth_line = apr_table_get(r->headers_in, "Authorization"))) {
1227 if (strcEQ(ap_getword(r->pool, &auth_line, ' '), "Basic")) {
1228 while ((*auth_line == ' ') || (*auth_line == '\t')) {
1229 auth_line++;
1230 }
1231
1232 auth_line = ap_pbase64decode(r->pool, auth_line);
1233 username = ap_getword_nulls(r->pool, &auth_line, ':');
1234 password = auth_line;
1235
1236 if ((username[0] == '/') && strEQ(password, "password")) {
1237 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02035)
1238 "Encountered FakeBasicAuth spoof: %s", username);
1239 return HTTP_FORBIDDEN;
1240 }
1241 }
1242 }
1243
1244 /*
1245 * We decline operation in various situations...
1246 * - TLS not enabled
1247 * - client did not present a certificate
1248 * - SSLOptions +FakeBasicAuth not configured
1249 * - r->user already authenticated
1250 */
1251 if (!modssl_request_is_tls(r, &sslconn)
1252 || !sslconn->client_cert

Callers

nothing calls this directly

Calls 6

ap_is_initial_reqFunction · 0.85
ap_getwordFunction · 0.85
ap_pbase64decodeFunction · 0.85
ap_getword_nullsFunction · 0.85
modssl_request_is_tlsFunction · 0.85
ap_pbase64encodeFunction · 0.85

Tested by

no test coverage detected