From 2584e5b861e1af60fe7c4a331cfd7622cc8e955c Mon Sep 17 00:00:00 2001 From: Margaret Wasserman Date: Tue, 16 Dec 2014 16:15:43 -0500 Subject: [PATCH] Fix minor issues blocking Firefox authentication from working: - Check only first portion of content type against default type - Handle non-GSSWeb messages better when there is no active authentication (DECLINE) - Fix bug where nonce is corrupted (unintentional signed/unsigned integer conversion) --- mod_auth_gssweb.c | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/mod_auth_gssweb.c b/mod_auth_gssweb.c index 48329d8..b3e8360 100644 --- a/mod_auth_gssweb.c +++ b/mod_auth_gssweb.c @@ -108,7 +108,7 @@ static int gssweb_read_req(request_rec *r, const char **rbuf, apr_off_t *size) /* gssweb_get_post_data() -- Gets the token and nonce from the request * data. */ -static int gssweb_get_post_data(request_rec *r, int *nonce, gss_buffer_desc *input_token) +static int gssweb_get_post_data(request_rec *r, unsigned int *nonce, gss_buffer_desc *input_token) { const char *data; apr_off_t datalen; @@ -128,7 +128,7 @@ static int gssweb_get_post_data(request_rec *r, int *nonce, gss_buffer_desc *inp } type = apr_table_get(r->headers_in, "Content-Type"); - if(strcasecmp(type, DEFAULT_ENCTYPE) != 0) { + if(strncasecmp(type, DEFAULT_ENCTYPE, strlen(DEFAULT_ENCTYPE)) != 0) { gss_log(APLOG_MARK, APLOG_ERR, 0, r, "gssweb_get_post_data: Unexpected content type, declining."); return DECLINED; } @@ -426,14 +426,17 @@ gssweb_authenticate_user(request_rec *r) /* Read the token and nonce from the POST */ if (0 != gssweb_get_post_data(r, &nonce, &input_token)) { - gss_log(APLOG_MARK, APLOG_ERR, 0, r, "gssweb_authenticate_user: Unable to read nonce or input token from GSSWeb input"); - gss_delete_sec_context(&minor_status, &conn_ctx->context, GSS_C_NO_BUFFER); - conn_ctx->context = GSS_C_NO_CONTEXT; - conn_ctx->state = GSS_CTX_FAILED; - if (0 != conn_ctx->output_token.length) - gss_release_buffer(&minor_status, &(conn_ctx->output_token)); - conn_ctx->output_token.length = 0; - ret = HTTP_UNAUTHORIZED; + /* If we get spurious msg on an established session, say OK again */ + if (GSS_CTX_ESTABLISHED == conn_ctx->state) + ret = OK; + /* ...otherwise, if we are in progress, return HTTP_UNAUTHORIZED */ + if (GSS_CTX_IN_PROGRESS == conn_ctx->state) + ret = HTTP_UNAUTHORIZED; + /* If this would start a new session, free the context and return DECLINED */ + else { + gss_cleanup_conn_ctx(conn_ctx); + ret = DECLINED; + } goto end; } gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_authenticate_user: GSSWeb nonce value = %u.", nonce); @@ -503,8 +506,8 @@ gssweb_authenticate_user(request_rec *r) release_output_token = 0; /* If we aren't done yet, go around again */ - gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_authenticate_user: Accept sec context complete, continue needed"); if (major_status & GSS_S_CONTINUE_NEEDED) { + gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "gssweb_authenticate_user: Accept sec context complete, continue needed"); conn_ctx->state = GSS_CTX_IN_PROGRESS; ret = HTTP_UNAUTHORIZED; goto end; -- 2.1.4