From: Isaac Boukris
Date: Sun, 14 Jun 2015 15:56:01 +0000 (+0300)
Subject: Enforce GssapiAllowedMech over raw gssapi mechs
X-Git-Tag: v1.3.0~13
X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_gssapi.git;a=commitdiff_plain;h=d0732a69720d78a24d1565a38403c12d273d4ac9

Enforce GssapiAllowedMech over raw gssapi mechs

Implemented by aqcuiring creds only for allowed_mechs and by explicity adding spnego to the allowed_mechs set (while still restricting spengo only to the allowed mechanism as before).
---

diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index f345efc..ffcd215 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -24,6 +24,10 @@
 
 #include "mod_auth_gssapi.h"
 
+const gss_OID_desc gss_mech_spnego = {
+ 6, "\x2b\x06\x01\x05\x05\x02"
+};
+
 const gss_OID_desc gss_mech_ntlmssp = {
 GSS_NTLMSSP_OID_LENGTH, GSS_NTLMSSP_OID_STRING
 };
@@ -530,6 +534,8 @@ static int mag_auth(request_rec *req)
 (void)gss_release_cred(&min, &server_cred);
 }
 
+ desired_mechs = cfg->allowed_mechs;
+
 /* implicit auth for subrequests if main auth already happened */
 if (!ap_is_initial_req(req) && req->main != NULL) {
 type = ap_auth_type(req->main);
@@ -1009,6 +1015,9 @@ static const char *mag_allow_mech(cmd_parms *parms, void *mconfig,
 sizeof(gss_OID_set_desc));
 size = sizeof(gss_OID) * MAX_ALLOWED_MECHS;
 cfg->allowed_mechs->elements = apr_palloc(parms->pool, size);
+
+ cfg->allowed_mechs->elements[0] = gss_mech_spnego;
+ cfg->allowed_mechs->count++;
 }
 
 if (strcmp(w, "krb5") == 0) {
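Review bot: The new `gss_mech_spnego` definition in the first hunk hard-codes the length `6` and the raw OID bytes with no explanation, while the neighbouring `gss_mech_ntlmssp` uses named constants. Since this OID now decides which mechanism is always admitted into the allowed set, a reader should be able to verify it at a glance. I would add `/* SPNEGO mechanism OID 1.3.6.1.5.5.2 (RFC 4178), DER-encoded */` above the definition, and preferably introduce length/string macros in the same style as the NTLMSSP ones so the length cannot drift from the byte string.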
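Review bot: In mag_auth, `desired_mechs = cfg->allowed_mechs;` enforces GssapiAllowedMech only indirectly, by narrowing which acceptor credentials are acquired; nothing in this hunk compares the mechanism that was actually negotiated against the allowed set. If the accept call (outside the hunk) returns the mechanism OID, a `gss_test_oid_set_member()` check of that OID against `cfg->allowed_mechs` before the request is treated as authenticated would make the restriction hold even if credential acquisition behaves differently than expected. The assignment is also unconditional, so it would help to state the unset case in a comment, e.g. `/* NULL (directive unset) leaves the GSSAPI default mechanism set in effect */`. The body of mag_auth starts and ends outside the hunk, so the acquire and accept calls could not be checked here.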
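Review bot: In mag_allow_mech, the new `elements[0] = gss_mech_spnego;` stores a `gss_OID_desc` by value, but the context line above sizes the array with `sizeof(gss_OID)`, which is the size of a pointer rather than of a descriptor. Where the descriptor is larger than a pointer (typically the case on 64-bit builds), the pool buffer holds fewer than MAX_ALLOWED_MECHS entries, and reserving slot 0 for SPNEGO brings writes past its end one directive closer. The allocation should read `size = sizeof(gss_OID_desc) * MAX_ALLOWED_MECHS;`, and the capacity check (not visible in this hunk) should count the SPNEGO entry. `count++` also relies on the set having been zero-initialised by the allocation cut off at the top of the hunk; `cfg->allowed_mechs->count = 1;` would not depend on that.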