Do not leak acquired_cred

[mod_auth_gssapi.git] / src / mod_auth_gssapi.c

diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index 5ce9077..e65be4f 100644 (file)
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -28,6 +28,8 @@
 
 module AP_MODULE_DECLARE_DATA auth_gssapi_module;
 
+APLOG_USE_MODULE(auth_gssapi);
+
 APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
 
 static char *mag_status(request_rec *req, int type, uint32_t err)
@@ -209,7 +211,9 @@ static int mag_auth(request_rec *req)
     }
 
     /* if available, session always supersedes connection bound data */
-    mag_check_session(req, cfg, &mc);
+    if (cfg->use_sessions) {
+        mag_check_session(req, cfg, &mc);
+    }
 
     if (mc) {
         /* register the context in the memory pool, so it can be freed
@@ -295,7 +299,7 @@ static int mag_auth(request_rec *req)
     maj = gss_display_name(&min, client, &name, NULL);
     if (GSS_ERROR(maj)) {
         ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, "%s",
-                      mag_error(req, "gss_accept_sec_context() failed",
+                      mag_error(req, "gss_display_name() failed",
                                 maj, min));
         goto done;
     }
@@ -335,7 +339,9 @@ static int mag_auth(request_rec *req)
             vtime = MIN_SESS_EXP_TIME;
         }
         mc->expiration = time(NULL) + vtime;
-        mag_attempt_session(req, cfg, mc);
+        if (cfg->use_sessions) {
+            mag_attempt_session(req, cfg, mc);
+        }
     }
 
     ret = OK;
@@ -356,6 +362,7 @@ done:
                           "WWW-Authenticate", "Negotiate");
         }
     }
+    gss_release_cred(&min, &acquired_cred);
     gss_release_cred(&min, &delegated_cred);
     gss_release_buffer(&min, &output);
     gss_release_name(&min, &client);