author | Simo Sorce <simo@redhat.com> | 2015-06-16 15:07:37 -0400 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2015-06-19 16:42:29 -0400 |
commit | 6e4513dc0ebe5ff6643223d35b509464d451b230 (patch) | |
tree | 9b98f07c0ed50ea884702a7c60e8f2f530cadc29 | |
parent | d0732a69720d78a24d1565a38403c12d273d4ac9 (diff) | |
Better handling of desired_mechs
If no explicit allowed mechanism is set in configuration, just ask
GSSAPI for a list of known mechanisms and use that. Do not try to
artificially acquire credentials, as ultimately all that does is
just call gss_indicate_mechs() internally.
Do not store the result of gss_indicate_mechs() in cfg->allowed_mechs,
as that would lead to a leak given that cfg->allowed_mechs is allocated
on a memory pool, while gss_indicate_mechs()'s results are not.
Closes #44
Signed-off-by: Simo Sorce <simo@redhat.com>
-rw-r--r-- | src/mod_auth_gssapi.c | 19 |
1 files changed, 12 insertions, 7 deletions
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index ffcd215..e1ecc36 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -514,6 +514,7 @@ static int mag_auth(request_rec *req)
     char *clientname;
     gss_OID mech_type = GSS_C_NO_OID;
     gss_OID_set desired_mechs = GSS_C_NO_OID_SET;
+    gss_OID_set indicated_mechs = GSS_C_NO_OID_SET;
     gss_buffer_desc lname = GSS_C_EMPTY_BUFFER;
     struct mag_conn *mc = NULL;
     time_t expiration;
@@ -526,16 +527,19 @@ static int mag_auth(request_rec *req)
 
     cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
 
-    if (!cfg->allowed_mechs) {
+    if (cfg->allowed_mechs) {
+        desired_mechs = cfg->allowed_mechs;
+    } else {
         /* Try to fetch the default set if not explicitly configured */
-        gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL;
-        (void)mag_acquire_creds(req, cfg, GSS_C_NO_OID_SET, GSS_C_ACCEPT,
-                                &server_cred, &cfg->allowed_mechs);
-        (void)gss_release_cred(&min, &server_cred);
+        maj = gss_indicate_mechs(&min, &indicated_mechs);
+        if (maj != GSS_S_COMPLETE) {
+            ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, req, "%s",
+                          mag_error(req, "gss_indicate_mechs() failed",
+                                    maj, min));
+        }
+        desired_mechs = indicated_mechs;
     }
 
-    desired_mechs = cfg->allowed_mechs;
-
     /* implicit auth for subrequests if main auth already happened */
     if (!ap_is_initial_req(req) && req->main != NULL) {
         type = ap_auth_type(req->main);
@@ -827,6 +831,7 @@ done:
                        ap_auth_name(req)));
         }
     }
+    gss_release_oid_set(&min, &indicated_mechs);
     if (ctx != GSS_C_NO_CONTEXT)
         gss_delete_sec_context(&min, &ctx, GSS_C_NO_BUFFER);
     gss_release_cred(&min, &acquired_cred);
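Review bot: The set filled in by gss_indicate_mechs() in the else branch is only released at `done:` (third hunk), so any path between this block and that label which returns directly instead of jumping to it leaks the set; the implicit subrequest-auth block that begins at the end of this hunk continues outside it and looks like such a candidate, so every exit after this point should be confirmed to go through `done:`, or the gss_indicate_mechs() call moved below that block. On failure the code logs a warning and carries on with `desired_mechs == GSS_C_NO_OID_SET`, which hands mechanism selection to the library default; that is a reasonable best-effort but deserves a line saying so, e.g. `/* fall back to GSS_C_NO_OID_SET and let the library choose its default mechanisms */` before `desired_mechs = indicated_mechs;`. mag_auth() starts before and ends after this hunk.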