Better r.e. to prevent from substituing empty strings on some platforms

[mod_auth_kerb.git] / src / mod_auth_kerb.c

diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c
index 8d133e8..13f7ad3 100644 (file)
--- a/src/mod_auth_kerb.c
+++ b/src/mod_auth_kerb.c
@@ -303,7 +303,7 @@ mod_auth_kerb_rc_store(krb5_context context, krb5_rcache rcache,
 }
 
 /* And this is the operations vector for our replay cache */
-const krb5_rc_ops_internal mod_auth_kerb_rc_ops = {
+static const krb5_rc_ops_internal mod_auth_kerb_rc_ops = {
   0,
   "dfl",
   krb5_rc_dfl_init,
@@ -532,7 +532,7 @@ authenticate_user_krb4pwd(request_rec *r,
    user = apr_pstrcat(r->pool, user, "@", realm, NULL);
 
    MK_USER = user;
-   MK_AUTH_TYPE = "Basic";
+   MK_AUTH_TYPE = "Kerberos";
    apr_table_setn(r->subprocess_env, "KRBTKFILE", tkt_file_p);
 
    if (!conf->krb_save_credentials)
@@ -682,7 +682,8 @@ end:
 static krb5_error_code
 verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
                 const char *password, krb5_principal server,
-                krb5_keytab keytab, int krb_verify_kdc, const char *krb_service_name, krb5_ccache *ccache)
+                krb5_keytab keytab, int krb_verify_kdc,
+                const char *krb_service_name, krb5_ccache *ccache)
 {
    krb5_creds creds;
    krb5_get_init_creds_opt options;
@@ -1065,7 +1066,7 @@ authenticate_user_krb5pwd(request_rec *r,
       goto end;
    }
    MK_USER = apr_pstrdup (r->pool, name);
-   MK_AUTH_TYPE = "Basic";
+   MK_AUTH_TYPE = "Kerberos";
    free(name);
 
    if (conf->krb_save_credentials)
@@ -1284,6 +1285,7 @@ get_gss_creds(request_rec *r,
    return 0;
 }
 
+#ifndef GSSAPI_SUPPORTS_SPNEGO
 static int
 cmp_gss_type(gss_buffer_t token, gss_OID oid)
 {
@@ -1310,6 +1312,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID oid)
 
    return memcmp(p, oid->elements, oid->length);
 }
+#endif
 
 static int
 authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
@@ -1442,15 +1445,15 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
      goto end;
   }
 
-#if 0
-  /* This is a _Kerberos_ module so multiple authentication rounds aren't
-   * supported. If we wanted a generic GSS authentication we would have to do
-   * some magic with exporting context etc. */
+  /* Multiple authentication rounds aren't supported.  If we wanted a generic
+   * GSS authentication we would have to do some magic with exporting context
+   * etc. */
   if (major_status & GSS_S_CONTINUE_NEEDED) {
+     log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                "Multi-iteration authentication isn't supported");
      ret = HTTP_UNAUTHORIZED;
      goto end;
   }
-#endif
 
   major_status = gss_display_name(&minor_status, client_name, &output_token, NULL);
   gss_release_name(&minor_status, &client_name); 
@@ -1757,7 +1760,7 @@ kerb_authenticate_user(request_rec *r)
    return ret;
 }
 
-int
+static int
 have_rcache_type(const char *type)
 {
    krb5_error_code ret;