+
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "cupsdAuthorize: Authorized as %s using Digest",
+ username);
+
+ con->type = AUTH_DIGEST;
+ }
+#ifdef HAVE_GSSAPI
+ else if (!strncmp(authorization, "Negotiate", 9))
+ {
+ int len; /* Length of authorization string */
+ gss_cred_id_t server_creds; /* Server credentials */
+ gss_ctx_id_t context; /* Authorization context */
+ OM_uint32 major_status, /* Major status code */
+ minor_status; /* Minor status code */
+ gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER,
+ /* Input token from string */
+ output_token = GSS_C_EMPTY_BUFFER;
+ /* Output token for username */
+ gss_name_t client_name; /* Client name */
+ unsigned int ret_flags; /* Credential flags */
+
+
+# ifdef __APPLE__
+ /*
+ * If the weak-linked GSSAPI/Kerberos library is not present, don't try
+ * to use it...
+ */
+
+ if (gss_init_sec_context == NULL)
+ {
+ cupsdLogMessage(CUPSD_LOG_WARN,
+ "GSSAPI/Kerberos authentication failed because the "
+ "Kerberos framework is not present.");
+ return;
+ }
+# endif /* __APPLE__ */
+
+ con->gss_output_token.length = 0;
+
+ /*
+ * Find the start of the Kerberos input token...
+ */
+
+ authorization += 9;
+ while (isspace(*authorization & 255))
+ authorization ++;
+
+ if (!*authorization)
+ {
+ cupsdLogMessage(CUPSD_LOG_DEBUG2,
+ "cupsdAuthorize: No authentication data specified.");
+ return;
+ }
+
+ /*
+ * Get the server credentials...
+ */
+
+ if ((server_creds = get_gss_creds(GSSServiceName)) == NULL)
+ return;
+
+ /*
+ * Decode the authorization string to get the input token...
+ */
+
+ len = strlen(authorization);
+ input_token.value = malloc(len);
+ input_token.value = httpDecode64_2(input_token.value, &len,
+ authorization);
+ input_token.length = len;
+
+ /*
+ * Accept the input token to get the authorization info...
+ */
+
+ context = GSS_C_NO_CONTEXT;
+ client_name = GSS_C_NO_NAME;
+ major_status = gss_accept_sec_context(&minor_status,
+ &context,
+ server_creds,
+ &input_token,
+ GSS_C_NO_CHANNEL_BINDINGS,
+ &client_name,
+ NULL,
+ &con->gss_output_token,
+ &ret_flags,
+ NULL,
+ &con->gss_delegated_cred);
+
+ if (GSS_ERROR(major_status))
+ {
+ cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
+ "cupsdAuthorize: Error accepting GSSAPI security "
+ "context");
+
+ if (context != GSS_C_NO_CONTEXT)
+ gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
+
+ gss_release_cred(&minor_status, &server_creds);
+ return;
+ }
+
+ /*
+ * Release our credentials...
+ */
+
+ gss_release_cred(&minor_status, &server_creds);
+
+ /*
+ * Get the username associated with the client's credentials...
+ */
+
+ if (!con->gss_delegated_cred)
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "cupsdAuthorize: No delegated credentials!");
+
+ if (major_status == GSS_S_CONTINUE_NEEDED)
+ cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
+ "cupsdAuthorize: Credentials not complete");
+ else if (major_status == GSS_S_COMPLETE)
+ {
+ major_status = gss_display_name(&minor_status, client_name,
+ &output_token, NULL);
+
+ if (GSS_ERROR(major_status))
+ {
+ cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
+ "cupsdAuthorize: Error getting username");
+ gss_release_name(&minor_status, &client_name);
+ gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
+ return;
+ }
+
+ gss_release_name(&minor_status, &client_name);
+ strlcpy(username, output_token.value, sizeof(username));
+
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "cupsdAuthorize: Authorized as %s using Negotiate",
+ username);
+
+ gss_release_buffer(&minor_status, &output_token);
+ gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
+
+ con->gss_have_creds = 1;
+
+ con->type = AUTH_NEGOTIATE;
+ }
+ else
+ gss_release_name(&minor_status, &client_name);