From a2c2a02edaadda09408708cf9d7b57aa59ae4b39 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 25 May 2015 16:46:23 +0200 Subject: [PATCH] Add GssapiAllowedMech option This option allows the admin to list the mechanisms that can be used for authentication. An empty list allows any locally supported mechanisms. --- README | 12 +++++++++++ src/mod_auth_gssapi.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++- src/mod_auth_gssapi.h | 2 ++ 3 files changed, 71 insertions(+), 1 deletion(-) diff --git a/README b/README index e8d3031..87b1436 100644 --- a/README +++ b/README @@ -204,3 +204,15 @@ Example: GssapiCredStore keytab:/etc/httpd/http.keytab Require valid-user + + +### GssapiAllowedMech + +List of allowed mechanisms. This is useful to restrict the mechanism that +can be used when credentials for multiple mechanisms are available. +By default no mechanism is set, this means all locally available mechanisms +are allowed. The recognized mechanism names are: krb5, iakerb, ntlmssp + +Example: + GssapiAllowedMech krb5 + GssapiAllowedMech ntlmssp diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index 9b8cd08..7751361 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -24,6 +24,10 @@ #include "mod_auth_gssapi.h" +const gss_OID_desc gss_mech_ntlmssp = { + GSS_NTLMSSP_OID_LENGTH, GSS_NTLMSSP_OID_STRING +}; + #define MOD_AUTH_GSSAPI_VERSION PACKAGE_NAME "/" PACKAGE_VERSION module AP_MODULE_DECLARE_DATA auth_gssapi_module; @@ -411,7 +415,7 @@ static int mag_auth(request_rec *req) #endif maj = gss_acquire_cred_with_password(&min, client, &ba_pwd, GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, + cfg->allowed_mechs, GSS_C_INITIATE, &user_cred, NULL, NULL); if (GSS_ERROR(maj)) { 
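Review bot: `gss_mech_ntlmssp` is defined at file scope without `static`, so the module exports it as a global symbol although nothing in this patch refers to it from another file; the other file-scope definitions visible here (`mag_auth`, `mag_use_basic_auth`, `mag_commands`) are all `static`, so `static const gss_OID_desc gss_mech_ntlmssp = {` would be consistent and keeps the name out of the server's global namespace. The two OID macros it is built from come from the header added in the `mod_auth_gssapi.h` hunk, whose name is not visible on this page, so I cannot check them here.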
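Review bot: Passing `cfg->allowed_mechs` to gss_acquire_cred_with_password relies on the member being a null pointer whenever no GssapiAllowedMech directive is present, which is what `GSS_C_NO_OID_SET` expands to, but that only holds if the config struct is zero-initialised by its create function, which is not part of this patch; a comment such as `/* NULL == GSS_C_NO_OID_SET: no restriction configured */` would record the assumption next to the call. With a set configured this call also limits the mechanisms a Basic-Auth password is tried against, which the README text added in this commit does not mention. mag_auth starts and ends outside this hunk.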
@@ -483,6 +487,16 @@ static int mag_auth(request_rec *req) } } + if (!is_basic && cfg->allowed_mechs != GSS_C_NO_OID_SET) { + maj = gss_set_neg_mechs(&min, acquired_cred, cfg->allowed_mechs); + if (GSS_ERROR(maj)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", + mag_error(req, "gss_set_neg_mechs() failed", + maj, min)); + goto done; + } + } + maj = gss_accept_sec_context(&min, pctx, acquired_cred, &input, GSS_C_NO_CHANNEL_BINDINGS, &client, &mech_type, &output, &flags, &vtime, @@ -798,6 +812,46 @@ static const char *mag_use_basic_auth(cmd_parms *parms, void *mconfig, int on) return NULL; } +#define MAX_ALLOWED_MECHS 10 + +static const char *mag_allow_mech(cmd_parms *parms, void *mconfig, + const char *w) +{ + struct mag_config *cfg = (struct mag_config *)mconfig; + gss_const_OID oid; + size_t size; + + if (!cfg->allowed_mechs) { + cfg->allowed_mechs = apr_pcalloc(parms->pool, + sizeof(gss_OID_set_desc)); + size = sizeof(gss_OID) * MAX_ALLOWED_MECHS; + cfg->allowed_mechs->elements = apr_palloc(parms->pool, size); + } + + if (strcmp(w, "krb5") == 0) { + oid = gss_mech_krb5; + } else if (strcmp(w, "iakerb") == 0) { + oid = gss_mech_iakerb; + } else if (strcmp(w, "ntlmssp") == 0) { + oid = &gss_mech_ntlmssp; + } else { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, + "Unrecognized GSSAPI Mechanism: %s", w); + return NULL; + } + + if (cfg->allowed_mechs->count >= MAX_ALLOWED_MECHS) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server, + "Too many GssapiAllowedMech options (MAX: %d)", + MAX_ALLOWED_MECHS); + return NULL; + } + cfg->allowed_mechs->elements[cfg->allowed_mechs->count] = *oid; + cfg->allowed_mechs->count++; + + return NULL; +} + static const command_rec mag_commands[] = { AP_INIT_FLAG("GssapiSSLonly", mag_ssl_only, NULL, OR_AUTHCFG, "Work only if connection is SSL Secured"), 
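Review bot: gss_set_neg_mechs only constrains what SPNEGO will negotiate; a client that presents a raw mechanism token instead of a SPNEGO wrapper is still accepted by gss_accept_sec_context with whatever mechanism that token carries, so on that path GssapiAllowedMech is not enforced at all. A check after the accept call, testing the reported `mech_type` against `cfg->allowed_mechs` with `gss_test_oid_set_member()` and failing the request when it is not a member, would turn the list into a real policy; where exactly it goes depends on the result handling that follows the call, which lies past this hunk, and whether `mech_type` names the inner mechanism on the completing call should be confirmed against the GSSAPI implementation in use. Separately, gss_set_neg_mechs modifies `acquired_cred` in place, so if that credential is acquired once and cached across requests or virtual hosts (its acquisition is not in this hunk) the restriction from one configuration would persist into others. mag_auth starts and ends outside this hunk.
```c
    /* … unchanged: gss_accept_sec_context() call and its error check, past this hunk … */
    if (cfg->allowed_mechs != GSS_C_NO_OID_SET) {
        int present = 0;
        maj = gss_test_oid_set_member(&min, mech_type, cfg->allowed_mechs,
                                      &present);
        if (GSS_ERROR(maj) || !present) {
            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req,
                          "Mechanism negotiated by the client is not in "
                          "GssapiAllowedMech");
            goto done;
        }
    }
```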
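Review bot: Both error paths in mag_allow_mech `return NULL`, which Apache treats as success for a directive handler, so a misspelled `GssapiAllowedMech` value or an eleventh entry is logged and then ignored while httpd starts normally with a policy different from the one the admin wrote; because the set is allocated before the name is validated, a single misspelled entry even leaves `cfg->allowed_mechs` non-NULL with `count == 0`, an empty set that is then handed to gss_acquire_cred_with_password and gss_set_neg_mechs. Returning the message makes the server refuse the configuration instead: `return apr_psprintf(parms->pool, "Unrecognized GSSAPI Mechanism: %s", w);` and `return apr_psprintf(parms->pool, "Too many GssapiAllowedMech options (MAX: %d)", MAX_ALLOWED_MECHS);`, and moving the apr_pcalloc/apr_palloc block below the name lookup removes the empty-set case. Duplicate entries are also not detected, so listing `krb5` twice consumes two of the ten slots; a gss_test_oid_set_member check before appending would avoid that.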
@@ -823,6 +877,8 @@ static const command_rec mag_commands[] = { AP_INIT_FLAG("GssapiBasicAuth", mag_use_basic_auth, NULL, OR_AUTHCFG, "Allows use of Basic Auth for authentication"), #endif + AP_INIT_ITERATE("GssapiAllowedMech", mag_allow_mech, NULL, OR_AUTHCFG, + "Allowed Mechanisms"), { NULL } }; diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h index d540ee1..2d8ffff 100644 --- a/src/mod_auth_gssapi.h +++ b/src/mod_auth_gssapi.h @@ -6,6 +6,7 @@ #include #include #include +#include #define APR_WANT_STRFUNC #include "apr_want.h" @@ -55,6 +56,7 @@ struct mag_config { #endif struct seal_key *mag_skey; bool use_basic_auth; + gss_OID_set_desc *allowed_mechs; }; struct mag_conn { -- 2.1.4
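Review bot: The new `allowed_mechs` member is a pointer that mag_allow_mech fills in place in the directory config; if mag_config has a per-directory merge function elsewhere in the file (not shown in this patch), that function needs to carry the field over, otherwise a GssapiAllowedMech set in a parent section is silently dropped in a child section that overrides other Gssapi directives. A short comment on the member, `/* NULL means no restriction; filled by mag_allow_mech() */`, would also help, since every reader of the field compares it with GSS_C_NO_OID_SET. The `#include` added just above it lost its header name on this page, so I cannot confirm what it brings in.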