+authenticate_user(request_rec *r, char *auth_line, const char *type, int use_krb4, int use_krb5)
+{
+ int ret;
+ krb5_conn_data *prevauth = NULL;
+ kerb_auth_config *conf =
+ (kerb_auth_config *) ap_get_module_config(r->per_dir_config,
+ &auth_kerb_module);
+ char *negotiate_ret_value = NULL;
+ const char *auth_type = NULL;
+
+ if (!auth_line) {
+ set_kerb_auth_headers(r, conf, use_krb4, use_krb5,
+ (use_krb5) ? "\0" : NULL);
+ return HTTP_UNAUTHORIZED;
+ }
+ auth_type = ap_getword_white(r->pool, (const char **)&auth_line);
+
+ /* If we are delegating Basic to other modules, DECLINE the request */
+ if (conf->krb_delegate_basic &&
+#ifdef KRB5
+ !conf->krb_method_k5pass &&
+#endif
+#ifdef KRB4
+ !conf->krb_method_k4pass &&
+#endif
+ (strcasecmp(auth_type, "Basic") == 0))
+ return DECLINED;
+ if ((prevauth = already_authorized(r, auth_line)) == NULL) {
+ ret = HTTP_UNAUTHORIZED;
+
+#ifdef KRB5
+ if (use_krb5 && conf->krb_method_gssapi &&
+ strcasecmp(auth_type, MECH_NEGOTIATE) == 0) {
+ ret = authenticate_user_gss(r, conf, auth_line, &negotiate_ret_value);
+ } else if (use_krb5 && (conf->krb_method_k5pass || strcasecmp(type, "Basic"))){
+ ret = authenticate_user_krb5pwd(r, conf, auth_line);
+ }
+#endif
+
+#ifdef KRB4
+ if (ret == HTTP_UNAUTHORIZED && use_krb4 && (conf->krb_method_k4pass || strcasecmp(type, "Basic")))
+ ret = authenticate_user_krb4pwd(r, conf, auth_line);
+#endif
+
+ if (ret == HTTP_UNAUTHORIZED)
+ set_kerb_auth_headers(r, conf, use_krb4, use_krb5, negotiate_ret_value);
+
+ } else {
+ ret = prevauth->last_return;
+ MK_USER = prevauth->user;
+ MK_AUTH_TYPE = prevauth->mech;
+ }
+
+ /*
+ * save who was auth'd, if it's not already stashed.
+ */
+ if(!prevauth) {
+ save_authorized(r, auth_line, auth_type, ret);
+ }
+
+ if (ret == OK && conf->krb5_do_auth_to_local) {
+ ret = do_krb5_an_to_ln(r);
+ }
+ return ret;
+}
+
+static authn_status authn_krb_password(request_rec *r, const char *user,
+ const char *password)
+{
+ char *auth_line = NULL;
+ int ret;
+ const char *type = NULL;
+
+ type = ap_auth_type(r);
+ auth_line = ap_pbase64encode (r->pool, apr_psprintf(r->pool, "%s:%s", user, password));
+ auth_line = apr_psprintf(r->pool, "Basic %s", auth_line);
+
+ ret = authenticate_user(r, auth_line, type, 1, 1);
+
+ if (ret == OK) return AUTH_GRANTED;
+ else return AUTH_USER_NOT_FOUND;
+}
+
+static int