Cleanup s4u2proxy in mag_auth_basic

[mod_auth_gssapi.git] / src / mod_auth_gssapi.c
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c

index 088fb88..97e365c 100644 (file)
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -362,7 +362,6 @@ static bool mag_auth_basic(request_rec *req,
                             struct mag_config *cfg,
                             gss_buffer_desc ba_user,
                             gss_buffer_desc ba_pwd,
-                           gss_cred_usage_t cred_usage,
                             gss_name_t *client,
                             gss_OID *mech_type,
                             gss_cred_id_t *delegated_cred,
@@ -380,7 +379,6 @@ static bool mag_auth_basic(request_rec *req,
      gss_name_t server = GSS_C_NO_NAME;
      gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL;
      gss_ctx_id_t server_ctx = GSS_C_NO_CONTEXT;
-    gss_cred_id_t acquired_cred = GSS_C_NO_CREDENTIAL;
      gss_buffer_desc input = GSS_C_EMPTY_BUFFER;
      gss_buffer_desc output = GSS_C_EMPTY_BUFFER;
      gss_OID_set allowed_mechs;
@@ -494,20 +492,10 @@ static bool mag_auth_basic(request_rec *req,
  
      /* must acquire creds based on the actual mechs we want to try */
      if (!mag_acquire_creds(req, cfg, actual_mechs,
-                           cred_usage, &acquired_cred, NULL)) {
+                           GSS_C_ACCEPT, &server_cred, NULL)) {
          goto done;
      }
  
-    if (cred_usage == GSS_C_BOTH) {
-        /* must acquire with GSS_C_ACCEPT to get the server name */
-        if (!mag_acquire_creds(req, cfg, actual_mechs,
-                               GSS_C_ACCEPT, &server_cred, NULL)) {
-            goto done;
-        }
-    } else {
-        server_cred = acquired_cred;
-    }
-
  #ifdef HAVE_CRED_STORE
      if (cfg->deleg_ccache_dir) {
          /* delegate ourselves credentials so we store them as requested */
@@ -545,7 +533,7 @@ static bool mag_auth_basic(request_rec *req,
                  break;
              }
              gss_release_buffer(&min, &output);
-            maj = gss_accept_sec_context(&min, &server_ctx, acquired_cred,
+            maj = gss_accept_sec_context(&min, &server_ctx, server_cred,
                                           &input, GSS_C_NO_CHANNEL_BINDINGS,
                                           client, mech_type, &output, NULL,
                                           vtime, delegated_cred);
@@ -568,10 +556,8 @@ done:
      gss_release_buffer(&min, &output);
      gss_release_buffer(&min, &input);
      gss_release_name(&min, &server);
-    if (server_cred != acquired_cred)
-        gss_release_cred(&min, &server_cred);
      gss_delete_sec_context(&min, &server_ctx, GSS_C_NO_BUFFER);
-    gss_release_cred(&min, &acquired_cred);
+    gss_release_cred(&min, &server_cred);
      gss_release_name(&min, &user);
      gss_release_cred(&min, &user_cred);
      gss_delete_sec_context(&min, &user_ctx, GSS_C_NO_BUFFER);
@@ -674,6 +660,7 @@ static int mag_auth(request_rec *req)
      gss_buffer_desc lname = GSS_C_EMPTY_BUFFER;
      struct mag_conn *mc = NULL;
      int i;
+    bool send_auth_header = true;
  
      type = ap_auth_type(req);
      if ((type == NULL) || (strcasecmp(type, "GSSAPI") != 0)) {
@@ -765,6 +752,9 @@ static int mag_auth(request_rec *req)
      auth_header_type = ap_getword_white(req->pool, &auth_header);
      if (!auth_header_type) goto done;
  
+    /* We got auth header, sending auth header would mean re-auth */
+    send_auth_header = !cfg->negotiate_once;
+
      for (i = 0; auth_types[i] != NULL; i++) {
          if (strcasecmp(auth_header_type, auth_types[i]) == 0) {
              auth_type = i;
@@ -845,7 +835,7 @@ static int mag_auth(request_rec *req)
  
      if (auth_type == AUTH_TYPE_BASIC) {
          if (mag_auth_basic(req, cfg, ba_user, ba_pwd,
-                           cred_usage, &client, &mech_type,
+                           &client, &mech_type,
                             &delegated_cred, &vtime)) {
              goto complete;
          }
@@ -957,11 +947,14 @@ done:
              apr_table_add(req->err_headers_out, req_cfg->rep_proto, reply);
          }
      } else if (ret == HTTP_UNAUTHORIZED) {
-        apr_table_add(req->err_headers_out, req_cfg->rep_proto, "Negotiate");
-
-        if (is_mech_allowed(desired_mechs, gss_mech_ntlmssp,
-                            cfg->gss_conn_ctx)) {
-            apr_table_add(req->err_headers_out, req_cfg->rep_proto, "NTLM");
+        if (send_auth_header) {
+            apr_table_add(req->err_headers_out,
+                          req_cfg->rep_proto, "Negotiate");
+            if (is_mech_allowed(desired_mechs, gss_mech_ntlmssp,
+                                cfg->gss_conn_ctx)) {
+                apr_table_add(req->err_headers_out, req_cfg->rep_proto,
+                              "NTLM");
+            }
          }
          if (cfg->use_basic_auth) {
              apr_table_add(req->err_headers_out, req_cfg->rep_proto,
@@ -1229,6 +1222,14 @@ static const char *mag_allow_mech(cmd_parms *parms, void *mconfig,
      return NULL;
  }
  
+static const char *mag_negotiate_once(cmd_parms *parms, void *mconfig, int on)
+{
+    struct mag_config *cfg = (struct mag_config *)mconfig;
+
+    cfg->negotiate_once = on ? true : false;
+    return NULL;
+}
+
  #define GSS_NAME_ATTR_USERDATA "GSS Name Attributes Userdata"
  
  static apr_status_t mag_name_attrs_cleanup(void *data)
@@ -1360,6 +1361,8 @@ static const command_rec mag_commands[] = {
  #endif
      AP_INIT_ITERATE("GssapiAllowedMech", mag_allow_mech, NULL, OR_AUTHCFG,
                      "Allowed Mechanisms"),
+    AP_INIT_FLAG("GssapiNegotiateOnce", mag_negotiate_once, NULL, OR_AUTHCFG,
+                    "Don't resend negotiate header on negotiate failure"),
      AP_INIT_RAW_ARGS("GssapiNameAttributes", mag_name_attrs, NULL, OR_AUTHCFG,
                       "Name Attributes to be exported as environ variables"),
      { NULL }