Fix re-authentication when connection bound is on

[mod_auth_gssapi.git] / src / mod_auth_gssapi.c

diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index 053d02f..911ac92 100644 (file)
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -110,8 +110,8 @@ static apr_status_t mag_conn_destroy(void *ptr)
 
     if (mc->ctx) {
         (void)gss_delete_sec_context(&min, &mc->ctx, GSS_C_NO_BUFFER);
-        mc->established = false;
     }
+    memset(mc, 0, sizeof(struct mag_conn));
     return APR_SUCCESS;
 }
 
@@ -424,13 +424,15 @@ static int mag_auth(request_rec *req)
     if (mc) {
         /* register the context in the memory pool, so it can be freed
          * when the connection/request is terminated */
-        apr_pool_userdata_set(mc, "mag_conn_ptr",
-                              mag_conn_destroy, mc->parent);
+        apr_pool_cleanup_register(mc->parent, (void *) mc,
+                                  mag_conn_destroy, apr_pool_cleanup_null);
 
         if (mc->established && !auth_header) {
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req,
                           "Already established context found!");
             mag_set_req_data(req, cfg, mc);
+            ret = OK;
+            goto done;
         }
         pctx = &mc->ctx;
     } else {
@@ -450,6 +452,13 @@ static int mag_auth(request_rec *req)
         }
     }
 
+    if (mc && mc->established && auth_type != AUTH_TYPE_BASIC) {
+        /* if we are re-authenticating make sure the conn context
+         * is cleaned up so we do not accidentally reuse an existing
+         * established context */
+        mag_conn_destroy(mc);
+    }
+
     switch (auth_type) {
     case AUTH_TYPE_NEGOTIATE:
         if (!parse_auth_header(req->pool, &auth_header, &input)) {
@@ -475,13 +484,16 @@ static int mag_auth(request_rec *req)
         ba_user.length = strlen(ba_user.value);
         ba_pwd.length = strlen(ba_pwd.value);
 
-        if (mc && mc->established &&
-            mag_basic_check(cfg, mc, ba_user, ba_pwd)) {
-            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req,
-                          "Already established BASIC AUTH context found!");
-            mag_set_req_data(req, cfg, mc);
-            ret = OK;
-            goto done;
+        if (mc && mc->established) {
+            if (mag_basic_check(cfg, mc, ba_user, ba_pwd)) {
+                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req,
+                              "Already established BASIC AUTH context found!");
+                mag_set_req_data(req, cfg, mc);
+                ret = OK;
+                goto done;
+            } else {
+                mag_conn_destroy(mc);
+            }
         }
 
         maj = gss_import_name(&min, &ba_user, GSS_C_NT_USER_NAME, &client);
@@ -657,7 +669,6 @@ static int mag_auth(request_rec *req)
                           "Mechanism needs continuation but neither "
                           "GssapiConnectionBound nor "
                           "GssapiUseSessions are available");
-            gss_delete_sec_context(&min, pctx, GSS_C_NO_BUFFER);
             gss_release_buffer(&min, &output);
             output.length = 0;
         }
@@ -766,7 +777,9 @@ done:
         }
     }
 #endif
-    gss_delete_sec_context(&min, &user_ctx, &output);
+    if (ctx != GSS_C_NO_CONTEXT)
+        gss_delete_sec_context(&min, &ctx, GSS_C_NO_BUFFER);
+    gss_delete_sec_context(&min, &user_ctx, GSS_C_NO_BUFFER);
     gss_release_cred(&min, &user_cred);
     gss_release_cred(&min, &acquired_cred);
     gss_release_cred(&min, &delegated_cred);