From 574d469f451f2c68809c56a3a8c905a7800df33d Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 15 Apr 2014 20:50:36 -0400 Subject: [PATCH] Set context data on the pool with a destructor This way the context is available for the duration of the connection. It is also properly freed if the connection is interrupted before the context is fully established. --- src/mod_auth_gssapi.c | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index 9f88037..99bef7f 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -100,6 +100,7 @@ static int mag_post_config(apr_pool_t *cfg, apr_pool_t *log, struct mag_conn { + apr_pool_t *parent; gss_ctx_id_t ctx; bool established; char *user_name; @@ -113,10 +114,23 @@ static int mag_pre_connection(conn_rec *c, void *csd) mc = apr_pcalloc(c->pool, sizeof(struct mag_conn)); if (!mc) return DECLINED; + mc->parent = c->pool; ap_set_module_config(c->conn_config, &auth_gssapi_module, (void*)mc); return OK; } +static apr_status_t mag_conn_destroy(void *ptr) +{ + struct mag_conn *mc = (struct mag_conn *)ptr; + uint32_t min; + + if (mc->ctx) { + (void)gss_delete_sec_context(&min, &mc->ctx, GSS_C_NO_BUFFER); + mc->established = false; + } + return APR_SUCCESS; +} + static bool mag_conn_is_https(conn_rec *c) { if (mag_is_https) { @@ -212,6 +226,10 @@ static int mag_auth(request_rec *req) goto done; } + /* register the context in the connection pool, so it can be freed + * when the connection is terminated */ + apr_pool_userdata_set(mc, "mag_conn_ptr", mag_conn_destroy, mc->parent); + if (maj == GSS_S_CONTINUE_NEEDED) { if (!cfg->gss_conn_ctx) { ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, @@ -224,11 +242,6 @@ static int mag_auth(request_rec *req) goto done; } - /* once the connection has been accepted we do not need the context - * anymore, discard it. FIXME: we also need a destructor for those - * mechanisms (like NTLMSSP) that do not complete in one step */ - gss_delete_sec_context(&min, pctx, GSS_C_NO_BUFFER); - #ifdef HAVE_GSS_STORE_CRED_INTO if (cfg->cred_store && delegated_cred != GSS_C_NO_CREDENTIAL) { gss_key_value_set_desc store = {0, NULL}; @@ -265,8 +278,8 @@ static int mag_auth(request_rec *req) } if (mc) { - mc->user_name = apr_pstrdup(req->connection->pool, req->user); - mc->gss_name = apr_pstrdup(req->connection->pool, clientname); + mc->user_name = apr_pstrdup(mc->parent, req->user); + mc->gss_name = apr_pstrdup(mc->parent, clientname); mc->established = true; } -- 2.1.4