Properly complete context establishment

[mod_auth_gssapi.git] / src / mod_auth_gssapi.c

diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index e233110..9cb53ec 100644 (file)
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -239,6 +239,7 @@ static int mag_auth(request_rec *req)
     const char *user_ccache = NULL;
     const char *orig_ccache = NULL;
 #endif
+    uint32_t init_flags = 0;
 
     type = ap_auth_type(req);
     if ((type == NULL) || (strcasecmp(type, "GSSAPI") != 0)) {
@@ -445,9 +446,15 @@ static int mag_auth(request_rec *req)
                                           "failed", maj, min));
             goto done;
         }
+
+        if (cfg->deleg_ccache_dir) {
+            /* delegate ourselves credentials so we store them as requested */
+            init_flags |= GSS_C_DELEG_FLAG;
+        }
+
         /* output and input are inverted here, this is intentional */
         maj = gss_init_sec_context(&min, user_cred, &user_ctx, server,
-                                   GSS_C_NO_OID, 0, 300,
+                                   GSS_C_NO_OID, init_flags, 300,
                                    GSS_C_NO_CHANNEL_BINDINGS, &output,
                                    NULL, &input, NULL, NULL);
         if (GSS_ERROR(maj)) {
@@ -473,7 +480,7 @@ static int mag_auth(request_rec *req)
             gss_release_buffer(&min, &input);
             /* output and input are inverted here, this is intentional */
             maj = gss_init_sec_context(&min, user_cred, &user_ctx, server,
-                                       GSS_C_NO_OID, 0, 300,
+                                       GSS_C_NO_OID, init_flags, 300,
                                        GSS_C_NO_CHANNEL_BINDINGS, &output,
                                        NULL, &input, NULL, NULL);
             if (GSS_ERROR(maj)) {
@@ -561,25 +568,23 @@ static int mag_auth(request_rec *req)
     ret = OK;
 
 done:
-    if (ret == HTTP_UNAUTHORIZED) {
-        if (output.length != 0) {
-            replen = apr_base64_encode_len(output.length) + 1;
-            reply = apr_pcalloc(req->pool, 10 + replen);
-            if (reply) {
-                memcpy(reply, "Negotiate ", 10);
-                apr_base64_encode(&reply[10], output.value, output.length);
-                apr_table_add(req->err_headers_out,
-                              "WWW-Authenticate", reply);
-            }
-        } else {
+    if ((!is_basic) && (output.length != 0)) {
+        replen = apr_base64_encode_len(output.length) + 1;
+        reply = apr_pcalloc(req->pool, 10 + replen);
+        if (reply) {
+            memcpy(reply, "Negotiate ", 10);
+            apr_base64_encode(&reply[10], output.value, output.length);
             apr_table_add(req->err_headers_out,
-                          "WWW-Authenticate", "Negotiate");
-            if (cfg->use_basic_auth) {
-                apr_table_add(req->err_headers_out,
-                              "WWW-Authenticate",
-                              apr_psprintf(req->pool, "Basic realm=\"%s\"",
-                                           ap_auth_name(req)));
-            }
+                          "WWW-Authenticate", reply);
+        }
+    } else if (ret == HTTP_UNAUTHORIZED) {
+        apr_table_add(req->err_headers_out,
+                      "WWW-Authenticate", "Negotiate");
+        if (cfg->use_basic_auth) {
+            apr_table_add(req->err_headers_out,
+                          "WWW-Authenticate",
+                          apr_psprintf(req->pool, "Basic realm=\"%s\"",
+                                       ap_auth_name(req)));
         }
     }
 #ifdef HAVE_GSS_KRB5_CCACHE_NAME