From c8ac2a462bf649711707cf09c789f27892a05837 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Mon, 27 Jul 2015 00:24:42 +0300 Subject: [PATCH] Avoid advertising NTLM if it isn't technically supported This lets browsers to fall back to basic auth if supported (similar to 4e7967e797e5c8912a67c0de8f172bb95b5172ff). Add boolean param to is_mech_allowed which denotes whether the caller supports multiple step. Reviewed-by: Simo Sorce --- src/mod_auth_gssapi.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index 763b625..68663e4 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -292,8 +292,12 @@ static bool parse_auth_header(apr_pool_t *pool, const char **auth_header, return true; } -static bool is_mech_allowed(gss_OID_set allowed_mechs, gss_const_OID mech) +static bool is_mech_allowed(gss_OID_set allowed_mechs, gss_const_OID mech, + bool multi_step_supported) { + if (!multi_step_supported && gss_oid_equal(&gss_mech_ntlmssp, mech)) + return false; + if (allowed_mechs == GSS_C_NO_OID_SET) return true; for (int i = 0; i < allowed_mechs->count; i++) { @@ -785,7 +789,8 @@ static int mag_auth(request_rec *req) break; case AUTH_TYPE_RAW_NTLM: - if (!is_mech_allowed(desired_mechs, &gss_mech_ntlmssp)) { + if (!is_mech_allowed(desired_mechs, &gss_mech_ntlmssp, + cfg->gss_conn_ctx)) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, "NTLM Authentication is not allowed!"); goto done; @@ -945,7 +950,8 @@ done: } } else if (ret == HTTP_UNAUTHORIZED) { apr_table_add(req->err_headers_out, "WWW-Authenticate", "Negotiate"); - if (is_mech_allowed(desired_mechs, &gss_mech_ntlmssp)) { + if (is_mech_allowed(desired_mechs, &gss_mech_ntlmssp, + cfg->gss_conn_ctx)) { apr_table_add(req->err_headers_out, "WWW-Authenticate", "NTLM"); } if (cfg->use_basic_auth) { -- 2.1.4