Fail server startup on bad mechanisms

iboukris · simo5 · commit d6d8a6b02923 · 2015-06-24T15:47:25.000-04:00
This helps to detect mis-configurations early.
Configuration errors are considered fatal in apache anyway.

Reviewed-by: Simo Sorce &lt;simo@redhat.com&gt;
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
@@ -1152,7 +1152,7 @@ static apr_status_t mag_oid_set_destroy(void *ptr)
     return APR_SUCCESS;
 }
 
-static void mag_list_of_mechs(cmd_parms *parms, gss_OID_set *oidset,
+static bool mag_list_of_mechs(cmd_parms *parms, gss_OID_set *oidset,
                               bool add_spnego, const char *w)
 {
     gss_buffer_desc buf = { 0 };
@@ -1167,7 +1167,7 @@ static void mag_list_of_mechs(cmd_parms *parms, gss_OID_set *oidset,
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
                          "gss_create_empty_oid_set() failed.");
             *oidset = GSS_C_NO_OID_SET;
-            return;
+            return false;
         }
         if (add_spnego) {
             oid = discard_const(&gss_mech_spnego);
@@ -1177,7 +1177,7 @@ static void mag_list_of_mechs(cmd_parms *parms, gss_OID_set *oidset,
                              "gss_add_oid_set_member() failed.");
                 (void)gss_release_oid_set(&min, &set);
                 *oidset = GSS_C_NO_OID_SET;
-                return;
+                return false;
             }
         }
         /* register in the pool so it can be released once the server
@@ -1203,7 +1203,7 @@ static void mag_list_of_mechs(cmd_parms *parms, gss_OID_set *oidset,
         if (maj != GSS_S_COMPLETE) {
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,
                          "Unrecognized GSSAPI Mechanism: [%s]", w);
-            return;
+            return false;
         }
         release_oid = true;
     }
@@ -1215,14 +1215,17 @@ static void mag_list_of_mechs(cmd_parms *parms, gss_OID_set *oidset,
     if (release_oid) {
         (void)gss_release_oid(&min, &oid);
     }
+
+    return true;
 }
 
 static const char *mag_allow_mech(cmd_parms *parms, void *mconfig,
                                   const char *w)
 {
     struct mag_config *cfg = (struct mag_config *)mconfig;
 
-    mag_list_of_mechs(parms, &cfg->allowed_mechs, true, w);
+    if (!mag_list_of_mechs(parms, &cfg->allowed_mechs, true, w))
+        return "Failed to apply GssapiAllowedMech directive";
 
     return NULL;
 }
@@ -1233,7 +1236,8 @@ static const char *mag_basic_auth_mechs(cmd_parms *parms, void *mconfig,
 {
     struct mag_config *cfg = (struct mag_config *)mconfig;
 
-    mag_list_of_mechs(parms, &cfg->basic_mechs, false, w);
+    if (!mag_list_of_mechs(parms, &cfg->basic_mechs, false, w))
+        return "Failed to apply GssapiBasicAuthMech directive";
 
     return NULL;
 }

Original file line number	Diff line number	Diff line change
`@@ -1152,7 +1152,7 @@ static apr_status_t mag_oid_set_destroy(void *ptr)`
`1152`	`1152`	`return APR_SUCCESS;`
`1153`	`1153`	`}`
`1154`	`1154`
`1155`		`-static void mag_list_of_mechs(cmd_parms parms, gss_OID_set oidset,`
	`1155`	`+static bool mag_list_of_mechs(cmd_parms parms, gss_OID_set oidset,`
`1156`	`1156`	`bool add_spnego, const char *w)`
`1157`	`1157`	`{`
`1158`	`1158`	`gss_buffer_desc buf = { 0 };`
`@@ -1167,7 +1167,7 @@ static void mag_list_of_mechs(cmd_parms parms, gss_OID_set oidset,`
`1167`	`1167`	`ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,`
`1168`	`1168`	`"gss_create_empty_oid_set() failed.");`
`1169`	`1169`	`*oidset = GSS_C_NO_OID_SET;`
`1170`		`- return;`
	`1170`	`+ return false;`
`1171`	`1171`	`}`
`1172`	`1172`	`if (add_spnego) {`
`1173`	`1173`	`oid = discard_const(&gss_mech_spnego);`
`@@ -1177,7 +1177,7 @@ static void mag_list_of_mechs(cmd_parms parms, gss_OID_set oidset,`
`1177`	`1177`	`"gss_add_oid_set_member() failed.");`
`1178`	`1178`	`(void)gss_release_oid_set(&min, &set);`
`1179`	`1179`	`*oidset = GSS_C_NO_OID_SET;`
`1180`		`- return;`
	`1180`	`+ return false;`
`1181`	`1181`	`}`
`1182`	`1182`	`}`
`1183`	`1183`	`/* register in the pool so it can be released once the server`
`@@ -1203,7 +1203,7 @@ static void mag_list_of_mechs(cmd_parms parms, gss_OID_set oidset,`
`1203`	`1203`	`if (maj != GSS_S_COMPLETE) {`
`1204`	`1204`	`ap_log_error(APLOG_MARK, APLOG_ERR, 0, parms->server,`
`1205`	`1205`	`"Unrecognized GSSAPI Mechanism: [%s]", w);`
`1206`		`- return;`
	`1206`	`+ return false;`
`1207`	`1207`	`}`
`1208`	`1208`	`release_oid = true;`
`1209`	`1209`	`}`
`@@ -1215,14 +1215,17 @@ static void mag_list_of_mechs(cmd_parms parms, gss_OID_set oidset,`
`1215`	`1215`	`if (release_oid) {`
`1216`	`1216`	`(void)gss_release_oid(&min, &oid);`
`1217`	`1217`	`}`
	`1218`	`+`
	`1219`	`+ return true;`
`1218`	`1220`	`}`
`1219`	`1221`
`1220`	`1222`	`static const char mag_allow_mech(cmd_parms parms, void *mconfig,`
`1221`	`1223`	`const char *w)`
`1222`	`1224`	`{`
`1223`	`1225`	`struct mag_config cfg = (struct mag_config )mconfig;`
`1224`	`1226`
`1225`		`- mag_list_of_mechs(parms, &cfg->allowed_mechs, true, w);`
	`1227`	`+ if (!mag_list_of_mechs(parms, &cfg->allowed_mechs, true, w))`
	`1228`	`+ return "Failed to apply GssapiAllowedMech directive";`
`1226`	`1229`
`1227`	`1230`	`return NULL;`
`1228`	`1231`	`}`
`@@ -1233,7 +1236,8 @@ static const char mag_basic_auth_mechs(cmd_parms parms, void *mconfig,`
`1233`	`1236`	`{`
`1234`	`1237`	`struct mag_config cfg = (struct mag_config )mconfig;`
`1235`	`1238`
`1236`		`- mag_list_of_mechs(parms, &cfg->basic_mechs, false, w);`
	`1239`	`+ if (!mag_list_of_mechs(parms, &cfg->basic_mechs, false, w))`
	`1240`	`+ return "Failed to apply GssapiBasicAuthMech directive";`
`1237`	`1241`
`1238`	`1242`	`return NULL;`
`1239`	`1243`	`}`