If no explicit allowed mechanism is set in configuration, just ask
GSSAPI for a list of known mechanisms and use that. Do not try to
artificially acquire credentials, as ultimately all that does is
just call gss_indicate_mechs() internally.
Do not store the result of gss_indicate_mechs() in cfg->allowed_mechs,
as that would lead to a leak given that cfg->allowed_mechs is allocated
on a memory pool, while the results of gss_indicate_mechs() are not.
Closes #44
Signed-off-by: Simo Sorce <simo@redhat.com>
char *clientname;
gss_OID mech_type = GSS_C_NO_OID;
gss_OID_set desired_mechs = GSS_C_NO_OID_SET;
char *clientname;
gss_OID mech_type = GSS_C_NO_OID;
gss_OID_set desired_mechs = GSS_C_NO_OID_SET;
+ gss_OID_set indicated_mechs = GSS_C_NO_OID_SET;
gss_buffer_desc lname = GSS_C_EMPTY_BUFFER;
struct mag_conn *mc = NULL;
time_t expiration;
gss_buffer_desc lname = GSS_C_EMPTY_BUFFER;
struct mag_conn *mc = NULL;
time_t expiration;
cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
- if (!cfg->allowed_mechs) {
+ if (cfg->allowed_mechs) {
+ desired_mechs = cfg->allowed_mechs;
+ } else {
/* Try to fetch the default set if not explicitly configured */
/* Try to fetch the default set if not explicitly configured */
- gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL;
- (void)mag_acquire_creds(req, cfg, GSS_C_NO_OID_SET, GSS_C_ACCEPT,
- &server_cred, &cfg->allowed_mechs);
- (void)gss_release_cred(&min, &server_cred);
+ maj = gss_indicate_mechs(&min, &indicated_mechs);
+ if (maj != GSS_S_COMPLETE) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, req, "%s",
+ mag_error(req, "gss_indicate_mechs() failed",
+ maj, min));
+ }
+ desired_mechs = indicated_mechs;
- desired_mechs = cfg->allowed_mechs;
-
/* implicit auth for subrequests if main auth already happened */
if (!ap_is_initial_req(req) && req->main != NULL) {
type = ap_auth_type(req->main);
/* implicit auth for subrequests if main auth already happened */
if (!ap_is_initial_req(req) && req->main != NULL) {
type = ap_auth_type(req->main);
+ gss_release_oid_set(&min, &indicated_mechs);
if (ctx != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&min, &ctx, GSS_C_NO_BUFFER);
gss_release_cred(&min, &acquired_cred);
if (ctx != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&min, &ctx, GSS_C_NO_BUFFER);
gss_release_cred(&min, &acquired_cred);