diff --git a/configure.ac b/configure.ac index 4b18207..b378b26 100644 --- a/configure.ac +++ b/configure.ac @@ -55,6 +55,7 @@ AC_SUBST([OPENSSL_LIBS]) AC_CHECK_HEADERS([gssapi/gssapi.h gssapi/gssapi_ext.h gssapi/gssapi_krb5.h], ,[AC_MSG_ERROR([Could not find GSSAPI headers])]) +AC_CHECK_HEADERS([gssapi/gssapi_ntlmssp.h]) AC_PATH_PROG(KRB5_CONFIG, krb5-config, failed) if test x$KRB5_CONFIG = xfailed; then AC_MSG_ERROR([Could not find GSSAPI development libraries]) diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index b1b16e5..a02a30b 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -28,13 +28,14 @@ const gss_OID_desc gss_mech_spnego = { 6, "\x2b\x06\x01\x05\x05\x02" }; -const gss_OID_desc gss_mech_ntlmssp = { +#ifdef HAVE_GSSAPI_GSSAPI_NTLMSSP_H +static const gss_OID_desc gss_mech_ntlmssp_desc = { GSS_NTLMSSP_OID_LENGTH, GSS_NTLMSSP_OID_STRING }; - -const gss_OID_set_desc gss_mech_set_ntlmssp = { - 1, discard_const(&gss_mech_ntlmssp) -}; +static const gss_OID gss_mech_ntlmssp = &gss_mech_ntlmssp_desc; +#else +static const gss_OID gss_mech_ntlmssp = GSS_C_NO_OID; +#endif #define MOD_AUTH_GSSAPI_VERSION PACKAGE_NAME "/" PACKAGE_VERSION @@ -295,9 +296,11 @@ static bool parse_auth_header(apr_pool_t *pool, const char **auth_header, static bool is_mech_allowed(gss_OID_set allowed_mechs, gss_const_OID mech, bool multi_step_supported) { - if (!multi_step_supported && gss_oid_equal(&gss_mech_ntlmssp, mech)) + if (!multi_step_supported && gss_oid_equal(gss_mech_ntlmssp, mech)) return false; + if (mech == GSS_C_NO_OID) return false; + if (allowed_mechs == GSS_C_NO_OID_SET) return true; for (int i = 0; i < allowed_mechs->count; i++) { @@ -703,6 +706,10 @@ static int mag_auth(request_rec *req) time_t expiration; int i; + const gss_OID_set_desc gss_mech_set_ntlmssp = { + 1, discard_const(gss_mech_ntlmssp) + }; + type = ap_auth_type(req); if ((type == NULL) || (strcasecmp(type, "GSSAPI") != 0)) { return DECLINED; @@ -835,7 +842,7 @@ static int mag_auth(request_rec *req) break; case AUTH_TYPE_RAW_NTLM: - if (!is_mech_allowed(desired_mechs, &gss_mech_ntlmssp, + if (!is_mech_allowed(desired_mechs, gss_mech_ntlmssp, cfg->gss_conn_ctx)) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, "NTLM Authentication is not allowed!"); @@ -997,7 +1004,7 @@ static int mag_auth(request_rec *req) } else if (ret == HTTP_UNAUTHORIZED) { apr_table_add(req->err_headers_out, req_cfg->rep_proto, "Negotiate"); - if (is_mech_allowed(desired_mechs, &gss_mech_ntlmssp, + if (is_mech_allowed(desired_mechs, gss_mech_ntlmssp, cfg->gss_conn_ctx)) { apr_table_add(req->err_headers_out, req_cfg->rep_proto, "NTLM"); } @@ -1232,7 +1239,7 @@ static bool mag_list_of_mechs(cmd_parms *parms, gss_OID_set *oidset, } else if (strcmp(w, "iakerb") == 0) { oid = discard_const(gss_mech_iakerb); } else if (strcmp(w, "ntlmssp") == 0) { - oid = discard_const(&gss_mech_ntlmssp); + oid = discard_const(gss_mech_ntlmssp); } else { buf.value = discard_const(w); buf.length = strlen(w); diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h index b08c38a..00fe99a 100644 --- a/src/mod_auth_gssapi.h +++ b/src/mod_auth_gssapi.h @@ -6,7 +6,9 @@ #include #include #include -#include +#ifdef HAVE_GSSAPI_GSSAPI_NTLMSSP_H +# include +#endif #define APR_WANT_STRFUNC #include "apr_want.h"