
Re: mod_authz_svn problems under Windows Server 2003

From: G.J. Doornink <dkg_at_xs4all.nl>
Date: 2005-06-16 23:02:06 CEST

Rodney Schuler wrote:
> On 6/15/05, G.J. Doornink <dkg@xs4all.nl> wrote:
>
>>I have solved the domain/username case problem by patching the
>>mod_auth_sspi to accept a new option called SSPIUsernameCase which
>>accepts the values 'upper' and 'lower'.
>>If this option is specified in the Apache config file the mod_auth_sspi
>>module translates the received domain/username to either upper or lower
>>case, which makes Apache report the domain/username to the mod_authz_svn
>>module either in the specified case.
>
>
> Sounds like a very useful patch. Can you post it somewhere. (This
> list would be really convenient for me :)

Attached is a patch which can be applied to mod_auth_sspi from the
following url:
http://www.gknw.net/development/apache/httpd-2.0/win32/modules/mod_auth_sspi-1.0.2-2.0.54.zip
The easiest way to build the binaries is IMHO using the makefile.
Just make sure to change the paths at the top of the makefile and
execute the following bat file.

build.bat
---------
call "C:\Program Files\Microsoft Visual Studio\VC98\Bin\VCVARS32.BAT"
nmake
---------

-- 
Gerrit Jan Doornink <dkg@xs4all.nl>

diff -u -r -x '*.map' -x '*.so' -x '*.exe' -x '*.dsp' -x '*.orig' ./doc/INSTALL ./doc/INSTALL
--- ./doc/INSTALL 2002-07-09 10:08:44.000000000 +0200
+++ ./doc/INSTALL 2005-06-15 23:21:32.921375000 +0200
@@ -53,6 +53,12 @@
                          against for cleartext authentication - if not
                          specified, the local machine, then all trusted
                          domains are checked
+ SSPIOmitDomain - set to on if you want the usernames to have the domain
+ prefix OMITTED, On = user Off = DOMAIN\\user
+ SSPIUsernameCase - set to 'lower' if you want the username and domain to
+ be lowercase, set to 'upper' if you want the username
+ and domain to be uppercase, if not specified, username
+ and domain case conversion is disabled
     SSPIBasicPreferred - set to 'on' if you want basic authentication to be
                          the higher priority
     SSPIMSIE3Hack - set to 'on' if you expect MSIE 3 clients to be using
diff -u -r -x '*.map' -x '*.so' -x '*.exe' -x '*.dsp' -x '*.orig' ./include/mod_auth_sspi.h ./include/mod_auth_sspi.h
--- ./include/mod_auth_sspi.h 2005-05-23 15:54:26.000000000 +0200
+++ ./include/mod_auth_sspi.h 2005-06-16 22:32:22.484750000 +0200
@@ -6,7 +6,7 @@
 
 #define MOD_AUTH_SSPI_VERSION_MAJOR 1
 #define MOD_AUTH_SSPI_VERSION_MID 0
-#define MOD_AUTH_SSPI_VERSION_MINOR 2
+#define MOD_AUTH_SSPI_VERSION_MINOR 3
 
 /* Preprocessor macro definitions */
 #define WIN32_LEAN_AND_MEAN 1
@@ -85,6 +85,7 @@
     unsigned int sspi_msie3hack;
     char *sspi_package;
     char *sspi_domain;
+ char *sspi_usernamecase;
 } sspi_config_rec;
 
 typedef enum {
diff -u -r -x '*.map' -x '*.so' -x '*.exe' -x '*.dsp' -x '*.orig' ./Makefile ./Makefile
--- ./Makefile 2002-08-15 12:47:34.000000000 +0200
+++ ./Makefile 2005-06-15 23:32:06.905750000 +0200
@@ -1,6 +1,6 @@
-APACHEDIR=..\httpd-2.0.40
-MSVCDIR=\program files\microsoft visual studio\vc98
-PLATSDKDIR=\program files\microsoft sdk
+APACHEDIR=D:\apps\comm\internet\www\Apache Group\Apache2
+MSVCDIR=D:\prog\Microsoft Visual Studio\VC98
+PLATSDKDIR=D:\prog\Microsoft SDK
 
 SRCDIR=src
 OBJDIR=obj
@@ -13,18 +13,17 @@
 CC=cl /nologo
 CFLAGS=/G6 /W3 /WX
 INCLUDES=/I include\
- /I "$(APACHEDIR)\include" /I "$(APACHEDIR)\srclib\apr\include"\
- /I "$(APACHEDIR)\srclib\apr-util\include" /I "$(APACHEDIR)\os\win32"\
+ /I "$(APACHEDIR)\include"\
          /I "$(PLATSDKDIR)\include" /I "$(MSVCDIR)\include"
 DEFINES=/D WIN32
 
 LD=link /nologo
 LDFLAGS=
-LIBPATH=/LIBPATH:"\program files\microsoft sdk\lib"\
- /LIBPATH:"\program files\microsoft visual studio\vc98\lib"
-LIBRARIES=$(APACHEDIR)\Release\libhttpd.lib\
- $(APACHEDIR)\srclib\apr\Release\libapr.lib\
- $(APACHEDIR)\srclib\apr-util\Release\libaprutil.lib\
+LIBPATH=/LIBPATH:"$(PLATSDKDIR)\lib"\
+ /LIBPATH:"$(MSVCDIR)\lib"
+LIBRARIES="$(APACHEDIR)\lib\libhttpd.lib"\
+ "$(APACHEDIR)\lib\libapr.lib"\
+ "$(APACHEDIR)\lib\libaprutil.lib"\
           kernel32.lib advapi32.lib ole32.lib
 
 !if ($(DEBUG) != 0)
diff -u -r -x '*.map' -x '*.so' -x '*.exe' -x '*.dsp' -x '*.orig' ./src/authentication.c ./src/authentication.c
--- ./src/authentication.c 2005-05-23 15:38:40.000000000 +0200
+++ ./src/authentication.c 2005-06-16 00:00:47.671375000 +0200
@@ -313,7 +313,7 @@
     }
 }
 
-static int set_connection_details(request_rec *r, sspi_connection_rec *scr, const char *auth_type, int omitdomain)
+static int set_connection_details(request_rec *r, sspi_connection_rec *scr, const char *auth_type, int omitdomain, const char *usernamecase)
 {
     SECURITY_STATUS ss;
     
@@ -327,15 +327,23 @@
     }
 
     if (scr->username != NULL) {
- if (omitdomain) {
- char *s = strchr(scr->username, '\\');
- if (s)
- r->user = s+1;
- else
- r->user = scr->username;
- } else {
- r->user = scr->username;
- }
+ if (usernamecase == NULL) {
+ }
+ else if (!lstrcmpi(usernamecase, "Lower")) {
+ strlwr(scr->username);
+ }
+ else if (!lstrcmpi(usernamecase, "Upper")) {
+ strupr(scr->username);
+ };
+ if (omitdomain) {
+ char *s = strchr(scr->username, '\\');
+ if (s)
+ r->user = s + 1;
+ else
+ r->user = scr->username;
+ } else {
+ r->user = scr->username;
+ }
         r->ap_auth_type = scr->package;
     } else {
         return HTTP_INTERNAL_SERVER_ERROR;
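Review bot: The case-handling chain added at the top of the `scr->username != NULL` branch has an empty `if (usernamecase == NULL) { }` arm and a stray `;` after its last brace, and any value other than Lower/Upper falls through with no conversion and no diagnostic. A single guard, `if (usernamecase != NULL) {` wrapping the two `lstrcmpi` tests, reads more clearly. `strlwr`/`strupr` rewrite `scr->username` in place and fold according to the C runtime locale, so account names containing non-ASCII letters may not be normalised. Since the option exists so that mod_authz_svn sees a predictable string, a comment such as `/* folds in place, CRT locale only; authz rules must be written in the same case */` would help. set_connection_details starts in the previous hunk and continues past this one.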
@@ -479,7 +487,7 @@
         apr_pool_cleanup_register(r->pool, scr, cleanup_sspi_connection, apr_pool_cleanup_null);
     }
 
- if (res = set_connection_details(r, scr, hdr.authtype == typeSSPI ? crec->sspi_package : "Basic", crec->sspi_omitdomain)) {
+ if (res = set_connection_details(r, scr, hdr.authtype == typeSSPI ? crec->sspi_package : "Basic", crec->sspi_omitdomain, crec->sspi_usernamecase)) {
         return res;
     }
 
diff -u -r -x '*.map' -x '*.so' -x '*.exe' -x '*.dsp' -x '*.orig' ./src/interface.c ./src/interface.c
--- ./src/interface.c 2005-05-23 15:53:04.000000000 +0200
+++ ./src/interface.c 2005-04-13 14:02:40.000000000 +0200
@@ -238,15 +238,38 @@
 {
     char *decoded;
 
- *decodelength = apr_base64_decode_len(data);
- decoded = apr_palloc(p, *decodelength);
+ /* -VB- 04/15/2003
+ Bug fix. Old code calculated length of the decoded string incorrectly, because
+ apr_base64_decode_len seems to be designed to estimate memory necessary for a decoding
+ buffer and so over estimates the needed size. The proof is the last line of apr_base64_decode_len
+ "return nbytesdecoded + 1;" which means we always get the extra byte at the end.
+
+ This explains why SSPI token authentication worked while basic authentication was extremely flaky.
+
+ The code would work fine for SSPI token authentications because those tokens usually have
+ either predetermined sizes or length is specified inside the token itself. However, for
+ basic authentication the string of the form "username:password" would end up looking
+ "username:password{up to 3 bytes of random data}". If the first character happened to be '\0'
+ everything worked fine and would fail otherwise, as the password would not be correct.
+ */
+
+
+ // -VB- 04/15/2003
+ // Initialize value, just in case
+ *decodelength = 0;
+
+ // -VB- 04/15/2003
+ // Make sure to allocate enough memory plus a byte for terminating '\0'
+ // Don't rely on apr_base64_decode_len to allocate that extra byte since
+ // nowhere in documentation it guaranties that.
+ decoded = apr_palloc(p, apr_base64_decode_len(data) + 1);
 
     if (decoded != NULL) {
+ // -VB- 04/15/2003
+ // Now save the real decoded size and add a terminating 0
         *decodelength = apr_base64_decode_binary(decoded, data);
- if (*decodelength > 0) {
- decoded[(*decodelength)] = '\0';
- return decoded;
- }
+ decoded[(*decodelength)] = '\0';
+ return decoded;
     }
 
     return NULL;
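Review bot: With the `*decodelength > 0` test removed, the `return decoded;` after the terminator write now hands back a valid empty string when the input decodes to nothing, where the old side returned NULL. Going by the hunk's own comment, the data decoded here is the client-supplied authentication token or `username:password` string, so a caller that relied on NULL to mean "decode failed" would now carry on with zero-length credentials. The callers are not visible here, so this needs checking. If the NULL contract is intended, keep the guard as `if (*decodelength <= 0) return NULL;` placed before `decoded[(*decodelength)] = '\0';`. The function's signature lies above the hunk.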
diff -u -r -x '*.map' -x '*.so' -x '*.exe' -x '*.dsp' -x '*.orig' ./src/mod_auth_sspi.c ./src/mod_auth_sspi.c
--- ./src/mod_auth_sspi.c 2005-05-23 15:17:10.000000000 +0200
+++ ./src/mod_auth_sspi.c 2005-06-16 22:31:16.234750000 +0200
@@ -14,39 +14,44 @@
 static const command_rec sspi_cmds[] =
 {
     AP_INIT_FLAG("SSPIAuth", ap_set_flag_slot,
- (void *) APR_OFFSETOF(sspi_config_rec, sspi_on), OR_AUTHCFG,
+ (void *) APR_XtOffsetOf(sspi_config_rec, sspi_on), OR_AUTHCFG,
                  "set to 'on' to activate SSPI authentication here"),
     AP_INIT_FLAG("SSPIOfferSSPI", ap_set_flag_slot,
- (void *) APR_OFFSETOF(sspi_config_rec, sspi_offersspi), OR_AUTHCFG,
+ (void *) APR_XtOffsetOf(sspi_config_rec, sspi_offersspi), OR_AUTHCFG,
                  "set to 'off' to allow access control to be passed along to "
                  "lower modules if the UserID is not known to this module"),
     AP_INIT_FLAG("SSPIAuthoritative", ap_set_flag_slot,
- (void *) APR_OFFSETOF(sspi_config_rec, sspi_authoritative), OR_AUTHCFG,
+ (void *) APR_XtOffsetOf(sspi_config_rec, sspi_authoritative), OR_AUTHCFG,
                  "set to 'off' to allow access control to be passed along to "
                  "lower modules if the UserID is not known to this module"),
     AP_INIT_FLAG("SSPIOfferBasic", ap_set_flag_slot,
- (void *) APR_OFFSETOF(sspi_config_rec, sspi_offerbasic), OR_AUTHCFG,
+ (void *) APR_XtOffsetOf(sspi_config_rec, sspi_offerbasic), OR_AUTHCFG,
                  "set to 'on' to allow the client to authenticate against NT "
                  "with 'Basic' authentication instead of using the NTLM protocol"),
     AP_INIT_TAKE1("SSPIPackage", ap_set_string_slot,
- (void *) APR_OFFSETOF(sspi_config_rec, sspi_package), OR_AUTHCFG,
+ (void *) APR_XtOffsetOf(sspi_config_rec, sspi_package), OR_AUTHCFG,
                  "set to the name of the package you want to use to "
                  "authenticate users"),
     AP_INIT_TAKE1("SSPIDomain", ap_set_string_slot,
- (void *) APR_OFFSETOF(sspi_config_rec, sspi_domain), OR_AUTHCFG,
+ (void *) APR_XtOffsetOf(sspi_config_rec, sspi_domain), OR_AUTHCFG,
                  "set to the domain you want users authenticated against for "
                  "cleartext authentication - if not specified, the local "
                  "machine, then all trusted domains are checked"),
     AP_INIT_FLAG("SSPIOmitDomain", ap_set_flag_slot,
- (void *) APR_OFFSETOF(sspi_config_rec, sspi_omitdomain), OR_AUTHCFG,
- "set to 'on' if you want the usernames to have the domain "
- "prefix OMITTED, on = user, off = DOMAIN\\user"),
+ (void *) APR_XtOffsetOf(sspi_config_rec, sspi_omitdomain), OR_AUTHCFG,
+ "set to on if you want the usernames to have the domain prefix OMITTED, "
+ "On = user Off = DOMAIN\\user"),
+ AP_INIT_TAKE1("SSPIUsernameCase", ap_set_string_slot,
+ (void *) APR_XtOffsetOf(sspi_config_rec, sspi_usernamecase), OR_AUTHCFG,
+ "set to 'lower' if you want the username and domain to be lowercase, "
+ "set to 'upper' if you want the username and domain to be uppercase, "
+ "if not specified, username and domain case conversion is disabled"),
     AP_INIT_FLAG("SSPIBasicPreferred", ap_set_flag_slot,
- (void *) APR_OFFSETOF(sspi_config_rec, sspi_basicpreferred), OR_AUTHCFG,
+ (void *) APR_XtOffsetOf(sspi_config_rec, sspi_basicpreferred), OR_AUTHCFG,
                  "set to 'on' if you want basic authentication to be the "
                  "higher priority"),
     AP_INIT_FLAG("SSPIMSIE3Hack", ap_set_flag_slot,
- (void *) APR_OFFSETOF(sspi_config_rec, sspi_msie3hack), OR_AUTHCFG,
+ (void *) APR_XtOffsetOf(sspi_config_rec, sspi_msie3hack), OR_AUTHCFG,
                  "set to 'on' if you expect MSIE 3 clients to be using this server"),
     {NULL}
 };
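Review bot: The new `SSPIUsernameCase` entry is wired to `ap_set_string_slot`, so any string is accepted and a misspelt value leaves case conversion off without a startup error. The resulting username is what downstream authorization matches on, so the value is better validated when the configuration is parsed, by a small handler that returns an error string for anything other than 'lower' or 'upper'. The handler would sit above `sspi_cmds`, outside this hunk. Separately, the APR_OFFSETOF to APR_XtOffsetOf switch on every entry looks unrelated to the feature and may be worth splitting into its own change.

```c
static const char *set_sspi_username_case(cmd_parms *cmd, void *mconfig, const char *arg)
{
    sspi_config_rec *crec = (sspi_config_rec *) mconfig;

    /* Reject typos at startup instead of silently disabling conversion. */
    if (lstrcmpi(arg, "lower") != 0 && lstrcmpi(arg, "upper") != 0) {
        return "SSPIUsernameCase must be 'lower' or 'upper'";
    }
    crec->sspi_usernamecase = apr_pstrdup(cmd->pool, arg);
    return NULL;
}

/* ... unchanged: preceding sspi_cmds entries ... */
    AP_INIT_TAKE1("SSPIUsernameCase", set_sspi_username_case, NULL, OR_AUTHCFG,
/* ... unchanged: help text and remaining entries ... */
```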

Received on Thu Jun 16 23:05:35 2005
