author | Isaac Boukris <iboukris@gmail.com> | 2015-06-14 18:56:01 +0300 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2015-06-19 15:40:02 -0400 |
commit | d0732a69720d78a24d1565a38403c12d273d4ac9 (patch) | |
tree | 8861709dced0fa65023e4b5c546ac9d7167852f9 | |
parent | 4b62c33f1c42182e3d7f72c5fa25284bb84572b7 (diff) | |
Enforce GssapiAllowedMech over raw gssapi mechs
Implemented by acquiring creds only for allowed_mechs and by
explicitly adding spnego to the allowed_mechs set (while still
restricting spnego only to the allowed mechanism as before).
-rw-r--r-- | src/mod_auth_gssapi.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index f345efc..ffcd215 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -24,6 +24,10 @@
 #include "mod_auth_gssapi.h"
+const gss_OID_desc gss_mech_spnego = {
+ 6, "\x2b\x06\x01\x05\x05\x02"
+};
+
 const gss_OID_desc gss_mech_ntlmssp = {
 GSS_NTLMSSP_OID_LENGTH, GSS_NTLMSSP_OID_STRING
 };
@@ -530,6 +534,8 @@ static int mag_auth(request_rec *req)
 (void)gss_release_cred(&min, &server_cred);
 }
+ desired_mechs = cfg->allowed_mechs;
+
 /* implicit auth for subrequests if main auth already happened */
 if (!ap_is_initial_req(req) && req->main != NULL) {
 type = ap_auth_type(req->main);
@@ -1009,6 +1015,9 @@ static const char *mag_allow_mech(cmd_parms *parms, void *mconfig,
 sizeof(gss_OID_set_desc));
 size = sizeof(gss_OID) * MAX_ALLOWED_MECHS;
 cfg->allowed_mechs->elements = apr_palloc(parms->pool, size);
+
+ cfg->allowed_mechs->elements[0] = gss_mech_spnego;
+ cfg->allowed_mechs->count++;
 }
 if (strcmp(w, "krb5") == 0) { |
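Review bot: The pre-populated SPNEGO entry in mag_allow_mech's allowed_mechs set occupies slot 0 and bumps count before any configured mechanism is added, so one fewer than MAX_ALLOWED_MECHS user-configured mechs now fits; the bounds check guarding the later `elements[count]` writes lies outside this hunk and presumably has to be read against the new starting count. The context line just above the addition sizes the buffer as `sizeof(gss_OID) * MAX_ALLOWED_MECHS`, yet `elements[0] = gss_mech_spnego` stores a `gss_OID_desc` by value; if `gss_OID` is the usual pointer typedef here, that array is undersized for the structs written into it, and the new entry makes the first such write unconditional for every GssapiAllowedMech directive. Consider `size = sizeof(gss_OID_desc) * MAX_ALLOWED_MECHS;` together with a comment on the new lines such as `/* slot 0 is always SPNEGO; user-configured mechs fill the remaining slots */`. mag_allow_mech's body begins and ends outside the hunk.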