From 5a97a7bec72eb87313c9b626321ea1d21f7fdab6 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Sun, 25 Sep 2011 23:40:47 +1000
Subject: [PATCH] use "Negotiate" mechanism
---
 client/Makefile | 2 +-
 client/http_client.c | 19 ++++++++++---
 config.h.in | 76 +++++++++++++++++++++++++++++++++++++++++++++++-------
 mod_auth_gssapi.c | 14 +++++-----
 4 files changed, 90 insertions(+), 21 deletions(-)
diff --git a/client/Makefile b/client/Makefile
index 0fe6f2a..2aecc5d 100644
--- a/client/Makefile
+++ b/client/Makefile
@@ -1,7 +1,7 @@
 DEFS = -DHAVE_SYS_TYPES_H -DHAVE_UNISTD_H -DHAVE_SYS_SOCKET_H -DHAVE_NETINET_IN_H -DHAVE_NETDB_H -DHAVE_SYS_PARAM_H \
 -D_GNU_SOURCE
 CPPFLAGS = $(DEFS) -Wall -O0 -g
-LDFLAGS = -lgssapi_krb5
+LDFLAGS = -L/usr/local/lib -lgssapi_krb5
 HTTP_OBJS = http_client.o gss_common.o base64.o net_write.o net_read.o
diff --git a/client/http_client.c b/client/http_client.c
index 0ace960..3045b12 100644
--- a/client/http_client.c
+++ b/client/http_client.c
@@ -335,7 +335,7 @@ do_http(const char *host, const char *page, gss_OID mech_oid, gss_cred_id_t cred
 if (h == NULL) errx(1, "Got %s but missed `WWW-Authenticate'", req.response);
- if (strncasecmp(h, "GSSAPI", 6) == 0) {
+ if (strncasecmp(h, "Negotiate", 9) == 0) {
 OM_uint32 maj_stat, min_stat; gss_buffer_desc input_token, output_token;
@@ -361,8 +361,7 @@ do_http(const char *host, const char *page, gss_OID mech_oid, gss_cred_id_t cred
 }
 #endif
-// i = 9;
- i = 6;
+ i = 9;
 while(h[i] && isspace((unsigned char)h[i])) i++; if (h[i] != '\0') {
@@ -457,7 +456,7 @@ do_http(const char *host, const char *page, gss_OID mech_oid, gss_cred_id_t cred
 output_token.length, &neg_token);
- asprintf(&headers[0], "Authorization: GSSAPI %s",
+ asprintf(&headers[0], "Authorization: Negotiate %s",
 neg_token); num_headers = 1; free(neg_token); 
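Review bot: `LDFLAGS = -L/usr/local/lib -lgssapi_krb5` now links the test client against a GSS-API library under /usr/local while `CPPFLAGS` still carries no `-I/usr/local/include`, so the headers come from the default include path and the library from a different install; if the two disagree on structure layouts or OIDs the mismatch only shows up at runtime. No run path is recorded either, so the dynamic loader may still pick the system libgssapi_krb5 at execution time, and which implementation actually processes the Negotiate tokens then depends on the caller's environment rather than on this Makefile. I would make the prefix explicit and consistent, e.g. `GSSAPI_PREFIX ?= /usr/local`, `CPPFLAGS = $(DEFS) -I$(GSSAPI_PREFIX)/include -Wall -O0 -g` and `LDFLAGS = -L$(GSSAPI_PREFIX)/lib -Wl,-rpath,$(GSSAPI_PREFIX)/lib -lgssapi_krb5`, assuming a GNU-compatible linker.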
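Review bot: `strncasecmp(h, "Negotiate", 9) == 0` is a pure prefix test, so a `WWW-Authenticate` value such as `NegotiateX` or `Negotiate-Foo` is accepted as the Negotiate scheme and whatever follows offset 9 is treated as the server's token; the scheme name should be delimited by whitespace or end of string. The length 9 is also repeated as a bare constant in the next hunk (`i = 9`), and the two must be changed in lock-step with the literal, as this commit itself shows. I would define the scheme once, `#define NEGOTIATE_SCHEME "Negotiate"` and `#define NEGOTIATE_SCHEME_LEN (sizeof(NEGOTIATE_SCHEME) - 1)`, and test `if (strncasecmp(h, NEGOTIATE_SCHEME, NEGOTIATE_SCHEME_LEN) == 0 && (h[NEGOTIATE_SCHEME_LEN] == '\0' || isspace((unsigned char)h[NEGOTIATE_SCHEME_LEN]))) {`, reusing the macro for the `i = 9` assignment and for the `Authorization` header built later in do_http. The body of do_http that consumes the token runs past this hunk.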
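Review bot: the return value of `asprintf(&headers[0], "Authorization: Negotiate %s", neg_token)` is not checked; on failure it returns -1 and, with glibc, leaves `headers[0]` indeterminate, yet `num_headers = 1` still hands that pointer to the request writer. The client already treats fatal conditions with `errx` elsewhere in this function, so the same policy fits here: `if (asprintf(&headers[0], "Authorization: Negotiate %s", neg_token) < 0) err(1, "asprintf");`. The scheme string is another copy of the literal checked in the response parser earlier in do_http and would be better taken from one shared definition. How `headers` is sent and released is outside the hunk.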
@@ -563,6 +562,18 @@ main(int argc, char *argv[])
 &cred, NULL, NULL); if (GSS_ERROR(maj_stat)) gss_err(1, maj_stat, min_stat, "Failed to load initial credentials");
+ } else {
+ gss_OID_set_desc mechs, *mechsp = GSS_C_NO_OID_SET;
+
+ mechs.elements = mech_oid;
+ mechs.count = 1;
+ mechsp = &mechs;
+ maj_stat = gss_acquire_cred(&min_stat,
+ gss_username, 0,
+ mechsp, GSS_C_INITIATE,
+ &cred, NULL, NULL);
+ if (GSS_ERROR(maj_stat))
+ gss_err(1, maj_stat, min_stat, "Failed to load initial credentials");
 }
 ret = do_http(host, page, mech_oid, cred);
diff --git a/config.h.in b/config.h.in
index def453e..336664e 100644
--- a/config.h.in
+++ b/config.h.in
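Review bot: the new `else` branch builds a one-element OID set unconditionally (`mechs.elements = mech_oid; mechs.count = 1;`), so if this path is reached with `mech_oid == GSS_C_NO_OID` the set has count 1 and a NULL element pointer, which gss_acquire_cred is entitled to dereference; the `GSS_C_NO_OID_SET` initializer on `mechsp` is dead because `mechsp = &mechs;` follows unconditionally. Whether mech_oid can be null here depends on option parsing before the hunk, so the cheap fix is to make the initializer meaningful: `if (mech_oid != GSS_C_NO_OID) mechsp = &mechs;` in place of the unconditional assignment. The `0` passed as `time_req` deserves a comment (presumably it requests the default lifetime — confirm against the GSS-API implementation in use), and the error string `Failed to load initial credentials` is now identical in both branches, so a user cannot tell which credential path failed.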
@@ -1,15 +1,73 @@
-/* Define to the version of this package. */
-/* Conflicts with defintions from Apache */
-/* #undef PACKAGE_VERSION */
-
-/* Define to `unsigned' if does not define. */
-#undef size_t
+/* config.h.in. Generated from configure.in by autoheader. */
-/* Define if your GSSAPI library supports handling SPNEGO tokens */
+/* GSS-API implementation has its own SPNEGO */
 #undef GSSAPI_SUPPORTS_SPNEGO
-/* Define to 1 if you have the header file. */
-#undef HAVE_UNISTD_H
+/* Define to 1 if you have the header file. */
+#undef HAVE_GSSAPI_GSSAPI_H
+
+/* Define to 1 if you have the header file. */
+#undef HAVE_GSSAPI_H
+
+/* Define to 1 if you have the header file. */
+#undef HAVE_INTTYPES_H
+
+/* Define to 1 if you have the header file. */
+#undef HAVE_LIMITS_H
+
+/* Define to 1 if you have the header file. */
+#undef HAVE_MEMORY_H
+
+/* Define to 1 if you have the header file. */
+#undef HAVE_NETDB_H
+
+/* Define to 1 if you have the header file. */
+#undef HAVE_STDDEF_H
+
+/* Define to 1 if you have the header file. */
+#undef HAVE_STDINT_H
+
+/* Define to 1 if you have the header file. */
+#undef HAVE_STDLIB_H
+
+/* Define to 1 if you have the header file. */
+#undef HAVE_STRINGS_H
+
+/* Define to 1 if you have the header file. */
+#undef HAVE_STRING_H
+
+/* Define to 1 if you have the header file. */
+#undef HAVE_SYS_STAT_H
 /* Define to 1 if you have the header file. */
 #undef HAVE_SYS_TYPES_H
+
+/* Define to 1 if you have the header file. */
+#undef HAVE_UNISTD_H
+
+/* Define to the address where bug reports for this package should be sent. */
+#undef PACKAGE_BUGREPORT
+
+/* Define to the full name of this package. */
+#undef PACKAGE_NAME
+
+/* Define to the full name and version of this package. */
+#undef PACKAGE_STRING
+
+/* Define to the one symbol short name of this package. */
+#undef PACKAGE_TARNAME
+
+/* Define to the home page for this package. */
+#undef PACKAGE_URL
+
+/* Define to the version of this package. */
+#undef PACKAGE_VERSION
+
+/* Define to 1 if you have the ANSI C header files. */
+#undef STDC_HEADERS
+
+/* Define to 1 if your declares `struct tm'. */
+#undef TM_IN_SYS_TIME
+
+/* Define to `unsigned int' if does not define. */
+#undef size_t
diff --git a/mod_auth_gssapi.c b/mod_auth_gssapi.c
index b24814f..32c0f01 100644
--- a/mod_auth_gssapi.c
+++ b/mod_auth_gssapi.c
@@ -82,8 +82,8 @@ set_http_headers(request_rec *r, const gss_auth_config *conf,
 if (negotiate_ret_value == NULL) return;
- negoauth_param = (*negotiate_ret_value == '\0') ? "GSSAPI" :
- apr_pstrcat(r->pool, "GSSAPI ", negotiate_ret_value, NULL);
+ negoauth_param = (*negotiate_ret_value == '\0') ? "Negotiate" :
+ apr_pstrcat(r->pool, "Negotiate ", negotiate_ret_value, NULL);
 apr_table_add(r->err_headers_out, header_name, negoauth_param);
 }
@@ -137,7 +137,7 @@ gss_authenticate_user(request_rec *r)
 /* get the type specified in Apache configuration */
 type = ap_auth_type(r);
- if (type == NULL || strcmp(type, "GSSAPI") != 0) {
+ if (type == NULL || strcmp(type, "Negotiate") != 0) {
 gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "AuthType '%s' is not for us, bailing out", (type) ? type : "(NULL)");
@@ -157,7 +157,7 @@ gss_authenticate_user(request_rec *r)
 }
 auth_type = ap_getword_white(r->pool, &auth_line);
- if (strcasecmp(auth_type, "GSSAPI") != 0) {
+ if (strcasecmp(auth_type, "Negotiate") != 0) {
 gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "Unsupported authentication type (%s) requested by client", (auth_type) ? auth_type : "(NULL)"); 
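Review bot: `"Negotiate"` and `"Negotiate "` are spelled out inline here, and the same literal recurs in the `AuthType` comparison, the `Authorization` scheme comparison and three `r->ap_auth_type` assignments further down in this file, so the wire scheme and the configuration name are kept in sync only by hand and a typo in one copy breaks a single code path silently. A single definition near the top of the module, `#define GSS_AUTH_TYPE "Negotiate"`, used here as `apr_pstrcat(r->pool, GSS_AUTH_TYPE " ", negotiate_ret_value, NULL)`, removes that coupling. set_http_headers begins before this hunk, so how `header_name` and `negotiate_ret_value` are derived is not visible here.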
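Review bot: `strcmp(type, "Negotiate") != 0` compares the configured `AuthType` case-sensitively, whereas httpd's bundled modules match their AuthType with `strcasecmp` (for example `AuthType basic` is accepted by mod_auth_basic) and this very function matches the header scheme case-insensitively a few lines later. An administrator who writes `AuthType negotiate` gets only an `APLOG_DEBUG` "not for us" message and this module steps aside; what then protects the location depends on the rest of the handler, outside the hunk, and may be nothing. `if (type == NULL || strcasecmp(type, "Negotiate") != 0) {` follows the httpd convention and costs nothing.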
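Review bot: with `strcasecmp(auth_type, "Negotiate")` any client still sending the scheme this module accepted until now, `Authorization: GSSAPI <token>`, is rejected, and the only trace is this `APLOG_DEBUG` entry, which is silent at the default `LogLevel warn`. Dropping the non-standard scheme is the right call, but the rename is a compatibility break for the bundled client and anything else built against the old behaviour, so it deserves a release-note entry and a message that names what was expected, e.g. `"Unsupported authentication type (%s) requested by client, expected Negotiate"`. gss_authenticate_user continues on both sides of the hunk.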
@@ -175,14 +175,14 @@ gss_authenticate_user(request_rec *r)
 /* optimizing hack */
 if (conn_ctx->state == GSS_CTX_ESTABLISHED && auth_line == NULL) {
 r->user = apr_pstrdup(r->pool, conn_ctx->user);
- r->ap_auth_type = "GSSAPI";
+ r->ap_auth_type = "Negotiate";
 return OK;
 }
 /* XXXX subrequests ignored, only successful accesses taken into account! */
 if (!ap_is_initial_req(r) && conn_ctx->state == GSS_CTX_ESTABLISHED) {
 r->user = apr_pstrdup(r->pool, conn_ctx->user);
- r->ap_auth_type = "GSSAPI";
+ r->ap_auth_type = "Negotiate";
 return OK;
 }
@@ -195,7 +195,7 @@ gss_authenticate_user(request_rec *r)
 if (ret == OK) {
 r->user = apr_pstrdup(r->pool, conn_ctx->user);
- r->ap_auth_type = "GSSAPI";
+ r->ap_auth_type = "Negotiate";
 } /* debug LOG ??? */
--
2.1.4
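Review bot: the block under `/* optimizing hack */` attaches `conn_ctx->user` to every later request on the same connection that arrives without an `Authorization` header, so one successful Negotiate exchange authenticates all subsequent requests on that TCP connection; the comment says nothing about this, and it is the trust assumption the module rests on. That is the usual connection-oriented model for Negotiate, but it becomes identity confusion when an intermediary such as a connection-pooling reverse proxy multiplexes different clients over one backend connection, because the cached identity belongs to whoever completed the handshake first. I would replace the comment with one that states the assumption, e.g. `/* Connection-bound auth: a request without Authorization inherits the user of the context already established on this connection. Assumes no intermediary shares one backend connection between different clients. */`. Where conn_ctx is obtained, and whether it is bound to anything beyond the connection, lies before this hunk and is not visible here.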