From 66857a8e364591a3f28f47a61f893b400721e1a6 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Thu, 13 Mar 2014 16:02:03 -0400
Subject: [PATCH] Implement checking for TLS connections

Obey the GSSSSLOnly setting.
---
 src/mod_auth_gssapi.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index 0cb0982..9e3eca3 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -37,6 +37,8 @@
 
 module AP_MODULE_DECLARE_DATA auth_gssapi_module;
 
+APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
+
 struct mag_config {
 bool ssl_only;
 bool map_to_local;
@@ -103,6 +105,17 @@ static int mag_pre_connection(conn_rec *c, void *csd)
 return OK;
 }
 
+static APR_OPTIONAL_FN_TYPE(ssl_is_https) *mag_is_https = NULL;
+
+static bool mag_conn_is_https(conn_rec *c)
+{
+ if (mag_is_https) {
+ if (mag_is_https(c)) return true;
+ }
+
+ return false;
+}
+
 static int mag_auth(request_rec *req)
 {
 const char *type;
@@ -134,8 +147,11 @@ static int mag_auth(request_rec *req)
 cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
 
 if (cfg->ssl_only) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
- "FIXME: check for ssl!");
+ if (!mag_conn_is_https(req->connection)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
+ "Not a TLS connection, refusing to authenticate!");
+ goto done;
+ }
 }
 
 if (cfg->gss_conn_ctx) {
-- 
2.1.4
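Review bot: The `APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));` line added in the first hunk (@@ -37,6 +37,8) carries no comment explaining why mod_ssl's optional function is re-declared locally, presumably to avoid a build dependency on mod_ssl.h. Because the function is looked up by name at run time, a prototype that drifts from mod_ssl's would not be caught at build time. I would add above it `/* Re-declared from mod_ssl.h so mod_ssl stays optional; must match mod_ssl's prototype exactly. */`.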
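Review bot: `mag_is_https` in the second hunk (@@ -103,6 +105,17) is initialised to NULL and nothing in this patch ever assigns it; the diffstat's 18 insertions are all accounted for by the three hunks shown and none of them calls `APR_RETRIEVE_OPTIONAL_FN`. As written, `mag_conn_is_https()` therefore always returns false, so with GSSSSLOnly enabled every request is refused, including those that did arrive over TLS. That fails closed, but it makes the setting unusable; the pointer needs `mag_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);` executed from an optional-function-retrieve or post-config hook, whose registration would sit outside this hunk. Once that exists, the body can shrink to `return mag_is_https && mag_is_https(c);`, with a comment stating that an absent mod_ssl is deliberately treated as "not TLS".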
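Review bot: The refusal added in the third hunk (@@ -134,8 +147,11) leaves through `goto done`, and neither that label nor the status the function returns there is visible in the hunk. If that path returns a 401 together with a `WWW-Authenticate: Negotiate` challenge, a client on a cleartext connection is still invited to send its GSSAPI token, which is the exposure GSSSSLOnly is meant to prevent. I would make the outcome explicit before the jump, for example `ret = HTTP_FORBIDDEN;` (assuming the result variable is called `ret`; it is declared outside the hunk), and confirm that `done:` adds no challenge header in that case. Since `req->connection` describes only the hop that reached httpd, a deployment behind a TLS-terminating proxy will always be refused, which deserves a sentence in the directive's documentation.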