Fix checks on allowed mechs

simo5 · simo5 · commit 4e7967e797e5 · 2015-07-07T13:23:57.000-04:00
We need to check if a mech is allowed against the desired_mechs set.
Otherwise in case the admin does not explicitly specify an allowed set
then all mechs are allowed, including NTLM. This causes annoying issues
with browsers like Firefox and Chrome/ium which end up popping up an
authentication dialog if they see NTLM is supported and they have no
Kerberos tickets around.
Authentication will then simply fail because NTLM is not actually supported.
By using desired_mechs we use a list of mechanism the machine actually
has a chance to support in the default case.

Signed-off-by: Simo Sorce &lt;simo@redhat.com&gt;
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
@@ -292,12 +292,12 @@ static bool parse_auth_header(apr_pool_t *pool, const char **auth_header,
     return true;
 }
 
-static bool is_mech_allowed(struct mag_config *cfg, gss_const_OID mech)
+static bool is_mech_allowed(gss_OID_set allowed_mechs, gss_const_OID mech)
 {
-    if (cfg->allowed_mechs == GSS_C_NO_OID_SET) return true;
+    if (allowed_mechs == GSS_C_NO_OID_SET) return true;
 
-    for (int i = 0; i < cfg->allowed_mechs->count; i++) {
-        if (gss_oid_equal(&cfg->allowed_mechs->elements[i], mech)) {
+    for (int i = 0; i < allowed_mechs->count; i++) {
+        if (gss_oid_equal(&allowed_mechs->elements[i], mech)) {
             return true;
         }
     }
@@ -785,7 +785,7 @@ static int mag_auth(request_rec *req)
         break;
 
     case AUTH_TYPE_RAW_NTLM:
-        if (!is_mech_allowed(cfg, &gss_mech_ntlmssp)) {
+        if (!is_mech_allowed(desired_mechs, &gss_mech_ntlmssp)) {
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req,
                           "NTLM Authentication is not allowed!");
             goto done;
@@ -945,7 +945,7 @@ static int mag_auth(request_rec *req)
         }
     } else if (ret == HTTP_UNAUTHORIZED) {
         apr_table_add(req->err_headers_out, "WWW-Authenticate", "Negotiate");
-        if (is_mech_allowed(cfg, &gss_mech_ntlmssp)) {
+        if (is_mech_allowed(desired_mechs, &gss_mech_ntlmssp)) {
             apr_table_add(req->err_headers_out, "WWW-Authenticate", "NTLM");
         }
         if (cfg->use_basic_auth) {

Original file line number	Diff line number	Diff line change
`@@ -292,12 +292,12 @@ static bool parse_auth_header(apr_pool_t pool, const char *auth_header,`
`292`	`292`	`return true;`
`293`	`293`	`}`
`294`	`294`
`295`		`-static bool is_mech_allowed(struct mag_config *cfg, gss_const_OID mech)`
	`295`	`+static bool is_mech_allowed(gss_OID_set allowed_mechs, gss_const_OID mech)`
`296`	`296`	`{`
`297`		`- if (cfg->allowed_mechs == GSS_C_NO_OID_SET) return true;`
	`297`	`+ if (allowed_mechs == GSS_C_NO_OID_SET) return true;`
`298`	`298`
`299`		`- for (int i = 0; i < cfg->allowed_mechs->count; i++) {`
`300`		`- if (gss_oid_equal(&cfg->allowed_mechs->elements[i], mech)) {`
	`299`	`+ for (int i = 0; i < allowed_mechs->count; i++) {`
	`300`	`+ if (gss_oid_equal(&allowed_mechs->elements[i], mech)) {`
`301`	`301`	`return true;`
`302`	`302`	`}`
`303`	`303`	`}`
`@@ -785,7 +785,7 @@ static int mag_auth(request_rec *req)`
`785`	`785`	`break;`
`786`	`786`
`787`	`787`	`case AUTH_TYPE_RAW_NTLM:`
`788`		`- if (!is_mech_allowed(cfg, &gss_mech_ntlmssp)) {`
	`788`	`+ if (!is_mech_allowed(desired_mechs, &gss_mech_ntlmssp)) {`
`789`	`789`	`ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req,`
`790`	`790`	`"NTLM Authentication is not allowed!");`
`791`	`791`	`goto done;`
`@@ -945,7 +945,7 @@ static int mag_auth(request_rec *req)`
`945`	`945`	`}`
`946`	`946`	`} else if (ret == HTTP_UNAUTHORIZED) {`
`947`	`947`	`apr_table_add(req->err_headers_out, "WWW-Authenticate", "Negotiate");`
`948`		`- if (is_mech_allowed(cfg, &gss_mech_ntlmssp)) {`
	`948`	`+ if (is_mech_allowed(desired_mechs, &gss_mech_ntlmssp)) {`
`949`	`949`	`apr_table_add(req->err_headers_out, "WWW-Authenticate", "NTLM");`
`950`	`950`	`}`
`951`	`951`	`if (cfg->use_basic_auth) {`