Better handling of desired_mechs
authorSimo Sorce <simo@redhat.com>
Tue, 16 Jun 2015 19:07:37 +0000 (15:07 -0400)
committerSimo Sorce <simo@redhat.com>
Fri, 19 Jun 2015 20:42:29 +0000 (16:42 -0400)
If no explicit allowed mechanism is set in configuration, just ask
GSSAPI for a list of known mechanisms and use that. Do not try to
artificially acquire credentials, as ultimately all that does is
call gss_indicate_mechs() internally.

Do not store the result of gss_indicate_mechs() in cfg->allowed_mechs,
as that would lead to a leak given that cfg->allowed_mechs is allocated
on a memory pool, while the results of gss_indicate_mechs() are not.

Closes #44

Signed-off-by: Simo Sorce <simo@redhat.com>
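--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -514,6 +514,7 @@ static int mag_auth(request_rec *req)
     char *clientname;
     gss_OID mech_type = GSS_C_NO_OID;
     gss_OID_set desired_mechs = GSS_C_NO_OID_SET;
+    gss_OID_set indicated_mechs = GSS_C_NO_OID_SET;
     gss_buffer_desc lname = GSS_C_EMPTY_BUFFER;
     struct mag_conn *mc = NULL;
     time_t expiration;
@@ -526,16 +527,19 @@ static int mag_auth(request_rec *req)
 
     cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
 
-    if (!cfg->allowed_mechs) {
+    if (cfg->allowed_mechs) {
+        desired_mechs = cfg->allowed_mechs;
+    } else {
         /* Try to fetch the default set if not explicitly configured */
-        gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL;
-        (void)mag_acquire_creds(req, cfg, GSS_C_NO_OID_SET, GSS_C_ACCEPT,
-                                &server_cred, &cfg->allowed_mechs);
-        (void)gss_release_cred(&min, &server_cred);
+        maj = gss_indicate_mechs(&min, &indicated_mechs);
+        if (maj != GSS_S_COMPLETE) {
+            ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, req, "%s",
+                          mag_error(req, "gss_indicate_mechs() failed",
+                                    maj, min));
+        }
+        desired_mechs = indicated_mechs;
     }
 
-    desired_mechs = cfg->allowed_mechs;
-
     /* implicit auth for subrequests if main auth already happened */
     if (!ap_is_initial_req(req) && req->main != NULL) {
         type = ap_auth_type(req->main);
@@ -827,6 +831,7 @@ done:
                                        ap_auth_name(req)));
         }
     }
+    gss_release_oid_set(&min, &indicated_mechs);
     if (ctx != GSS_C_NO_CONTEXT)
         gss_delete_sec_context(&min, &ctx, GSS_C_NO_BUFFER);
     gss_release_cred(&min, &acquired_cred);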
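Review bot: After the second hunk, `desired_mechs` aliases one of two objects with different owners — the pool-allocated `cfg->allowed_mechs` or the library-allocated `indicated_mechs` — and nothing in the code records that only the latter may be passed to `gss_release_oid_set()`; a later cleanup that releases `desired_mechs` directly would free pool memory or double-free at `done:`. I would add a comment at the `desired_mechs = cfg->allowed_mechs;` assignment: `/* desired_mechs is a borrowed alias: cfg->allowed_mechs lives in the pool, indicated_mechs is released at done: — never release desired_mechs itself */`. In the same hunk, when `gss_indicate_mechs()` fails the code logs a warning but carries on with `desired_mechs == GSS_C_NO_OID_SET`; if the later credential acquisition treats that as "library default set" this is intentional and deserves a one-line comment saying so, otherwise the failure should return an error rather than continue. The body of mag_auth, including the use of `desired_mechs` and the early exits that may or may not reach `done:`, lies outside these hunks.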