X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_gssapi.git;a=blobdiff_plain;f=src%2Fmod_auth_gssapi.c;h=e1ecc36562048282138a11e2bdb7a45e19fc9d3c;hp=f345efcce0aef19e40eccaf2fa32de4af7c0924d;hb=6e4513dc0ebe5ff6643223d35b509464d451b230;hpb=4b62c33f1c42182e3d7f72c5fa25284bb84572b7
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index f345efc..e1ecc36 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -24,6 +24,10 @@
 #include "mod_auth_gssapi.h"
+const gss_OID_desc gss_mech_spnego = {
+ 6, "\x2b\x06\x01\x05\x05\x02"
+};
+
 const gss_OID_desc gss_mech_ntlmssp = {
 GSS_NTLMSSP_OID_LENGTH, GSS_NTLMSSP_OID_STRING
 };
@@ -510,6 +514,7 @@ static int mag_auth(request_rec *req)
 char *clientname;
 gss_OID mech_type = GSS_C_NO_OID;
 gss_OID_set desired_mechs = GSS_C_NO_OID_SET;
+ gss_OID_set indicated_mechs = GSS_C_NO_OID_SET;
 gss_buffer_desc lname = GSS_C_EMPTY_BUFFER;
 struct mag_conn *mc = NULL;
 time_t expiration;
@@ -522,12 +527,17 @@ static int mag_auth(request_rec *req)
 cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
- if (!cfg->allowed_mechs) {
+ if (cfg->allowed_mechs) {
+ desired_mechs = cfg->allowed_mechs;
+ } else {
 /* Try to fetch the default set if not explicitly configured */
- gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL;
- (void)mag_acquire_creds(req, cfg, GSS_C_NO_OID_SET, GSS_C_ACCEPT,
- &server_cred, &cfg->allowed_mechs);
- (void)gss_release_cred(&min, &server_cred);
+ maj = gss_indicate_mechs(&min, &indicated_mechs);
+ if (maj != GSS_S_COMPLETE) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, req, "%s",
+ mag_error(req, "gss_indicate_mechs() failed",
+ maj, min));
+ }
+ desired_mechs = indicated_mechs;
 }
 /* implicit auth for subrequests if main auth already happened */
@@ -821,6 +831,7 @@ done:
 ap_auth_name(req)));
 }
 }
+ gss_release_oid_set(&min, &indicated_mechs);
 if (ctx != GSS_C_NO_CONTEXT)
 gss_delete_sec_context(&min, &ctx, GSS_C_NO_BUFFER);
 gss_release_cred(&min, &acquired_cred);
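Review bot: The new `gss_mech_spnego` definition in the `@@ -24,6 +24,10 @@` hunk hard-codes the length `6` and the raw OID bytes, while `gss_mech_ntlmssp` just below it uses named macros for both. A comment above the definition, e.g. `/* SPNEGO mechanism, OID 1.3.6.1.5.5.2 (RFC 4178) */`, would let a reader check the value without decoding it. The bare `6` has to be kept in sync with the byte string by hand, so naming the two values the way the NTLMSSP entry does would be more consistent.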
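Review bot: In the `@@ -522,12 +527,17 @@` hunk of `mag_auth`, a `gss_indicate_mechs()` failure is only logged at warning level and execution continues with `desired_mechs` still `GSS_C_NO_OID_SET`. How the later credential acquisition and mechanism checks treat an empty set lies outside the hunk, but if it means "library default" the failure path is fail-open; consider ending the request there with `goto done;` after the log call, provided `ret` already holds an error status at that point. The default set also changes meaning: it used to be filled in by `mag_acquire_creds()` for the acceptor credential and is now every mechanism the GSSAPI library reports, which may be broader than what the server is meant to accept when no allowed mechanism is configured. The call now runs on every request, ahead of the subrequest shortcut that follows, and any return between here and `done:` that skips the label would leak `indicated_mechs`.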
@@ -1009,6 +1020,9 @@ static const char *mag_allow_mech(cmd_parms *parms, void *mconfig,
 sizeof(gss_OID_set_desc));
 size = sizeof(gss_OID) * MAX_ALLOWED_MECHS;
 cfg->allowed_mechs->elements = apr_palloc(parms->pool, size);
+
+ cfg->allowed_mechs->elements[0] = gss_mech_spnego;
+ cfg->allowed_mechs->count++;
 }
 if (strcmp(w, "krb5") == 0) {
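Review bot: The added `elements[0] = gss_mech_spnego` stores a whole `gss_OID_desc` in a buffer that the context line above sizes as `sizeof(gss_OID) * MAX_ALLOWED_MECHS`, i.e. in units of a pointer rather than of the struct. With SPNEGO now taking the first slot, a configuration that lists several mechanisms comes closer to writing past the pool allocation; the sizing should be `size = sizeof(gss_OID_desc) * MAX_ALLOWED_MECHS;`, and the bound check on `count`, which is outside the hunk, has to account for the implicit entry. `count++` also relies on the set having been zero-allocated by the call that ends in `sizeof(gss_OID_set_desc));` and starts above the hunk, so `cfg->allowed_mechs->count = 1;` would state the intent directly. A comment such as `/* SPNEGO is always allowed once any mechanism is configured */` would make the implicit addition visible; the body of `mag_allow_mech` continues outside the hunk.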