From 1941fd1545b4786fee9464881239d74a91c55723 Mon Sep 17 00:00:00 2001
|
|
From: Simo Sorce <simo@redhat.com>
|
|
Date: Thu, 7 Feb 2019 14:48:56 -0500
|
|
Subject: [PATCH] Fix mag_auth_basic function call.
|
|
|
|
In order to respect the API we'd have to return mech_type as a copy of
|
|
the mech found to correctly complete authentication.
|
|
It would need to be a copy because the actual_mechs variable is an array
|
|
of statically copied OIDs not an array of pointers.
|
|
|
|
Instead change mag_auth_basic to directly call mag_complete() and
|
|
mag_cache_basic on success. This is easier than attempting to handle
|
|
copying out OIDs and then freeing them in the caller as GSSAPI does not
|
|
offer standard APIs for copying OIDs.
|
|
|
|
As a side-effect we reduce the number of arguments to mag_auth_gssapi,
|
|
which is good, to the slight detriment of legibility in the main
|
|
function as now you need to know mag_auth_basic() is already calling
|
|
mag_complete(). The trade off is worth it though.
|
|
|
|
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
(cherry picked from commit 318db0b0e3777d4cfdc09eeef98e28c478607271)
|
|
---
|
|
src/mod_auth_gssapi.c | 47 ++++++++++++++++++++-----------------------
|
|
1 file changed, 22 insertions(+), 25 deletions(-)
|
|
|
|
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
|
|
index 4048ee7..9e42ef4 100644
|
|
--- a/src/mod_auth_gssapi.c
|
|
+++ b/src/mod_auth_gssapi.c
|
|
@@ -493,15 +493,15 @@ done:
|
|
return maj;
|
|
}
|
|
|
|
-static bool mag_auth_basic(request_rec *req,
|
|
- struct mag_config *cfg,
|
|
- gss_buffer_desc ba_user,
|
|
- gss_buffer_desc ba_pwd,
|
|
- gss_name_t *client,
|
|
- gss_OID *mech_type,
|
|
- gss_cred_id_t *delegated_cred,
|
|
- uint32_t *vtime)
|
|
+static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
|
|
+ gss_name_t client, gss_OID mech_type,
|
|
+ uint32_t vtime, gss_cred_id_t delegated_cred);
|
|
+
|
|
+static int mag_auth_basic(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
|
|
+ gss_buffer_desc ba_user, gss_buffer_desc ba_pwd)
|
|
{
|
|
+ struct mag_config *cfg = req_cfg->cfg;
|
|
+ request_rec *req = req_cfg->req;
|
|
const char *user_ccache = NULL;
|
|
const char *orig_ccache = NULL;
|
|
long long unsigned int rndname;
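Review bot: The new `mag_auth_basic` signature on the `+` lines gives no hint that the function now performs the whole completion step, a legibility cost the commit message itself acknowledges; a header comment above the definition would restore it. Something like `/* GSSAPI basic-auth: on success this calls mag_complete() and mag_basic_cache() itself and returns the HTTP status (OK or HTTP_UNAUTHORIZED) for the caller to propagate. */` is enough. The body of mag_auth_basic continues past the end of this hunk.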
|
|
@@ -512,9 +512,12 @@ static bool mag_auth_basic(request_rec *req,
|
|
gss_OID_set allowed_mechs;
|
|
gss_OID_set filtered_mechs;
|
|
gss_OID_set actual_mechs = GSS_C_NO_OID_SET;
|
|
+ gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;
|
|
+ gss_name_t client = GSS_C_NO_NAME;
|
|
+ uint32_t vtime;
|
|
uint32_t maj, min;
|
|
int present = 0;
|
|
- bool ret = false;
|
|
+ int ret = HTTP_UNAUTHORIZED;
|
|
|
|
maj = gss_import_name(&min, &ba_user, GSS_C_NT_USER_NAME, &user);
|
|
if (GSS_ERROR(maj)) {
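Review bot: `uint32_t vtime;` on the added line is left uninitialized while the two handles next to it get explicit GSS_C_NO_* initializers; it is only written inside mag_context_loop, so if that call can return GSS_S_COMPLETE without setting it, mag_complete would receive an indeterminate lifetime. `uint32_t vtime = 0;` costs nothing and makes the declaration block consistent. Whether mag_context_loop always writes it is not visible here, so this is worth confirming. The function continues beyond both ends of the hunk.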
|
|
@@ -616,15 +619,21 @@ static bool mag_auth_basic(request_rec *req,
|
|
|
|
for (int i = 0; i < actual_mechs->count; i++) {
|
|
maj = mag_context_loop(&min, req, cfg, user_cred, server_cred,
|
|
- &actual_mechs->elements[i], 300, client, vtime,
|
|
- delegated_cred);
|
|
+ &actual_mechs->elements[i], 300, &client,
|
|
+ &vtime, &delegated_cred);
|
|
if (maj == GSS_S_COMPLETE) {
|
|
- ret = true;
|
|
+ ret = mag_complete(req_cfg, mc, client, &actual_mechs->elements[i],
|
|
+ vtime, delegated_cred);
|
|
+ if (ret == OK) {
|
|
+ mag_basic_cache(req_cfg, mc, ba_user, ba_pwd);
|
|
+ }
|
|
break;
|
|
}
|
|
}
|
|
|
|
done:
|
|
+ gss_release_cred(&min, &delegated_cred);
|
|
+ gss_release_name(&min, &client);
|
|
gss_release_cred(&min, &server_cred);
|
|
gss_release_name(&min, &user);
|
|
gss_release_cred(&min, &user_cred);
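Review bot: The new `done:` cleanup releases `delegated_cred` and `client` unconditionally, but the same handles were passed to `mag_complete` a few lines above; if `mag_complete` retains either one (for instance keeping the delegated credential in `mc` rather than duplicating it), the release here leaves a dangling handle where the previous code left the caller in control of their lifetime. Please confirm that `mag_complete` copies whatever it keeps, or otherwise release these two only on the failure path. A smaller point in the same loop: if an iteration fails after mag_context_loop has already populated `&client` or `&delegated_cred`, the next iteration passes the same addresses again and whatever was stored is overwritten without a release, so releasing and resetting them to GSS_C_NO_NAME/GSS_C_NO_CREDENTIAL at the top of each iteration would close that leak. mag_auth_basic's body starts before this hunk.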
|
|
@@ -683,10 +692,6 @@ struct mag_req_cfg *mag_init_cfg(request_rec *req)
|
|
return req_cfg;
|
|
}
|
|
|
|
-static int mag_complete(struct mag_req_cfg *req_cfg, struct mag_conn *mc,
|
|
- gss_name_t client, gss_OID mech_type,
|
|
- uint32_t vtime, gss_cred_id_t delegated_cred);
|
|
-
|
|
#ifdef HAVE_CRED_STORE
|
|
static bool use_s4u2proxy(struct mag_req_cfg *req_cfg) {
|
|
if (req_cfg->cfg->use_s4u2proxy) {
|
|
@@ -1105,15 +1110,7 @@ static int mag_auth(request_rec *req)
|
|
#endif
|
|
|
|
if (auth_type == AUTH_TYPE_BASIC) {
|
|
- if (mag_auth_basic(req, cfg, ba_user, ba_pwd,
|
|
- &client, &mech_type,
|
|
- &delegated_cred, &vtime)) {
|
|
-
|
|
- ret = mag_complete(req_cfg, mc, client, mech_type, vtime,
|
|
- delegated_cred);
|
|
- if (ret == OK)
|
|
- mag_basic_cache(req_cfg, mc, ba_user, ba_pwd);
|
|
- }
|
|
+ ret = mag_auth_basic(req_cfg, mc, ba_user, ba_pwd);
|
|
goto done;
|
|
}
|
|
|