Added year 2005 to the license block

[mod_auth_kerb.cvs/.git] / src / mod_auth_kerb.c

diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c
index 46e870b..4b5505d 100644 (file)
--- a/src/mod_auth_kerb.c
+++ b/src/mod_auth_kerb.c
@@ -11,7 +11,7 @@
  */
 
 /*
- * Copyright (c) 2004 Masarykova universita
+ * Copyright (c) 2004-2005 Masarykova universita
  * (Masaryk University, Brno, Czech Republic)
  * All rights reserved.
  *
@@ -147,11 +147,11 @@ set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf,
                       int use_krb4, int use_krb5pwd, char *negotiate_ret_value);
 
 static const char*
-krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, char *arg);
+krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, const char *arg);
 
 #ifdef STANDARD20_MODULE_STUFF
 #define command(name, func, var, type, usage)           \
-  AP_INIT_ ## type (name, func,                         \
+  AP_INIT_ ## type (name, (void*) func,                 \
         (void*)APR_XtOffsetOf(kerb_auth_config, var),   \
         OR_AUTHCFG | RSRC_CONF, usage)
 #else
@@ -292,7 +292,7 @@ static void *kerb_dir_create_config(MK_POOL *p, char *d)
 }
 
 static const char*
-krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, char *arg)
+krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, const char *arg)
 {
    sec->krb_auth_realms= ap_pstrdup(cmd->pool, arg);
    return NULL;
@@ -558,7 +558,7 @@ verify_krb5_init_creds(request_rec *r, krb5_context context, krb5_creds *creds,
       goto end;
    }
    log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-             "Using principal %s to verify authenticity of KDC", server_name);
+             "Trying to verify authenticity of KDC using principal %s", server_name);
    free(server_name);
 
    if (!krb5_principal_compare (context, ap_req_server, creds->server)) {
@@ -868,6 +868,7 @@ int authenticate_user_krb5pwd(request_rec *r,
    int             ret;
    char            *name = NULL;
    int             all_principals_unkown;
+   char            *p = NULL;
 
    code = krb5_init_context(&kcontext);
    if (code) {
@@ -878,13 +879,6 @@ int authenticate_user_krb5pwd(request_rec *r,
 
    sent_pw = ap_pbase64decode(r->pool, auth_line);
    sent_name = ap_getword (r->pool, &sent_pw, ':');
-   /* do not allow user to override realm setting of server */
-   if (strchr(sent_name, '@')) {
-      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-                "specifying realm in user name is prohibited");
-      ret = HTTP_UNAUTHORIZED;
-      goto end;
-   }
 
    if (sent_pw == NULL || *sent_pw == '\0') {
       log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
@@ -896,10 +890,21 @@ int authenticate_user_krb5pwd(request_rec *r,
    if (conf->krb_5_keytab)
       krb5_kt_resolve(kcontext, conf->krb_5_keytab, &keytab);
 
+   p = strchr(sent_name, '@');
+   if (p) {
+      *p++ = '\0';
+      if (conf->krb_auth_realms && !ap_find_token(r->pool, conf->krb_auth_realms, p)) {
+        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                   "Specified realm `%s' not allowed by configuration", p);
+         ret = HTTP_UNAUTHORIZED;
+         goto end;
+      }
+   }
+
+   realms = (p) ? p : conf->krb_auth_realms;
    all_principals_unkown = 1;
-   realms = conf->krb_auth_realms;
    do {
-      name = sent_name;
+      name = (char *) sent_name;
       if (realms && (realm = ap_getword_white(r->pool, &realms)))
         name = ap_psprintf(r->pool, "%s@%s", sent_name, realm);
 
@@ -1209,6 +1214,10 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
      }
      sprintf(ktname, "KRB5_KTNAME=%s", conf->krb_5_keytab);
      putenv(ktname);
+#ifdef HEIMDAL
+     /* Seems to be also supported by latest MIT */
+     gsskrb5_register_acceptor_identity(conf->krb_5_keytab);
+#endif
   }
 
   ret = get_gss_creds(r, conf, &server_creds);