From 6e4513dc0ebe5ff6643223d35b509464d451b230 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Tue, 16 Jun 2015 15:07:37 -0400
Subject: [PATCH] Better handling of desired_mechs
If no explicit allowed mechanism is set in configuration just ask GSSAPI for a list of known mechanisms and use that. Do not try to artificially acquire credentials as ultimatily all that does is just call gss_inidicate_mechs() internally. Do not store the result of gss_inidicate_mechs() on cfg->allowed_mechs as that would lead to a leak given that cfg->allowed_mechs is allocated on a memory pool, while gss_inidate_mechs()s results are not.
Closes #44
Signed-off-by: Simo Sorce
---
 src/mod_auth_gssapi.c | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index ffcd215..e1ecc36 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -514,6 +514,7 @@ static int mag_auth(request_rec *req)
 char *clientname;
 gss_OID mech_type = GSS_C_NO_OID;
 gss_OID_set desired_mechs = GSS_C_NO_OID_SET;
+ gss_OID_set indicated_mechs = GSS_C_NO_OID_SET;
 gss_buffer_desc lname = GSS_C_EMPTY_BUFFER;
 struct mag_conn *mc = NULL;
 time_t expiration;
@@ -526,16 +527,19 @@ static int mag_auth(request_rec *req)
 cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
- if (!cfg->allowed_mechs) {
+ if (cfg->allowed_mechs) {
+ desired_mechs = cfg->allowed_mechs;
+ } else {
 /* Try to fetch the default set if not explicitly configured */
- gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL;
- (void)mag_acquire_creds(req, cfg, GSS_C_NO_OID_SET, GSS_C_ACCEPT,
- &server_cred, &cfg->allowed_mechs);
- (void)gss_release_cred(&min, &server_cred);
+ maj = gss_indicate_mechs(&min, &indicated_mechs);
+ if (maj != GSS_S_COMPLETE) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, req, "%s",
+ mag_error(req, "gss_indicate_mechs() failed",
+ maj, min));
+ }
+ desired_mechs = indicated_mechs;
 }
- desired_mechs = cfg->allowed_mechs;
-
 /* implicit auth for subrequests if main auth already happened */
 if (!ap_is_initial_req(req) && req->main != NULL) {
 type = ap_auth_type(req->main);
@@ -827,6 +831,7 @@ done:
 ap_auth_name(req)));
 }
 }
+ gss_release_oid_set(&min, &indicated_mechs);
 if (ctx != GSS_C_NO_CONTEXT)
 gss_delete_sec_context(&min, &ctx, GSS_C_NO_BUFFER);
 gss_release_cred(&min, &acquired_cred);
--
2.1.4
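Review bot: In the new else branch, `desired_mechs = indicated_mechs;` is reached even when gss_indicate_mechs() failed, so after the warning desired_mechs is left as GSS_C_NO_OID_SET (the initializer from the declaration) and authentication continues with whatever the later credential acquisition treats as the default set. If that fallback is intended, say so next to the warning, e.g. `/* on failure indicated_mechs stays GSS_C_NO_OID_SET; let the library pick its default set */`; if a request should not be authenticated without a known mechanism list, bail out to the done: cleanup after logging instead. Note also that the indicated set is every mechanism the GSSAPI library has installed rather than a vetted list, so an explicit cfg->allowed_mechs setting remains the only way to narrow what is accepted, which is worth one line in the comment above the else branch. The body of mag_auth continues outside this hunk.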
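Review bot: The unconditional `gss_release_oid_set(&min, &indicated_mechs);` at done: is correct only because indicated_mechs is initialized to GSS_C_NO_OID_SET at its declaration and the configured branch aliases desired_mechs to cfg->allowed_mechs without touching indicated_mechs; it also relies on the library treating a release of GSS_C_NO_OID_SET as a no-op, which the common implementations do but the call site itself does not spell out. A comment at the declaration would keep a later change from releasing desired_mechs here by mistake, e.g. `/* GSSAPI-allocated, released at done:; never release desired_mechs, it may alias pool-allocated cfg->allowed_mechs */`. Like its neighbours the call overwrites min and discards the returned status, which is consistent with the existing cleanup. The enclosing function starts outside this hunk.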