diff options
| author | Simo Sorce <simo@redhat.com> | 2015-06-14 18:08:53 -0400 |
|---|---|---|
| committer | Simo Sorce <simo@redhat.com> | 2015-06-14 18:13:36 -0400 |
| commit | db750842dd9e7bf2dd76bc9be91bbd4d045d3179 (patch) | |
| tree | 2fc8f444a316d59296e126e0beccba11b7bf18bc /src | |
| parent | 5cd4e8a90f3db84e57a25570ffdfeaffcf908b6c (diff) | |
| download | mod_auth_gssapi-db750842dd9e7bf2dd76bc9be91bbd4d045d3179.tar.gz mod_auth_gssapi-db750842dd9e7bf2dd76bc9be91bbd4d045d3179.tar.xz mod_auth_gssapi-db750842dd9e7bf2dd76bc9be91bbd4d045d3179.zip | |
Fix re-authentication when connection bound is on
When re-using a context on a connection, a re-authentication request
may end up trying to use an established context handler to establish
a new context. This will fail with an error in GSSAPI.
Make sure to completely clean up the connection data when a brand
new authentication needs to happen so that no data is mistakenly
carried over.
Note this may leak a small amount of data, but only if authentication is
successful, so it is probably fine as is.
Closes #38
Signed-off-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'src')
| -rw-r--r-- | src/mod_auth_gssapi.c | 26 |
1 files changed, 18 insertions, 8 deletions
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index 66c8659..911ac92 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -110,8 +110,8 @@ static apr_status_t mag_conn_destroy(void *ptr) if (mc->ctx) { (void)gss_delete_sec_context(&min, &mc->ctx, GSS_C_NO_BUFFER); - mc->established = false; } + memset(mc, 0, sizeof(struct mag_conn)); return APR_SUCCESS; } @@ -452,6 +452,13 @@ static int mag_auth(request_rec *req) } } + if (mc && mc->established && auth_type != AUTH_TYPE_BASIC) { + /* if we are re-authenticating make sure the conn context + * is cleaned up so we do not accidentally reuse an existing + * established context */ + mag_conn_destroy(mc); + } + switch (auth_type) { case AUTH_TYPE_NEGOTIATE: if (!parse_auth_header(req->pool, &auth_header, &input)) { @@ -477,13 +484,16 @@ static int mag_auth(request_rec *req) ba_user.length = strlen(ba_user.value); ba_pwd.length = strlen(ba_pwd.value); - if (mc && mc->established && - mag_basic_check(cfg, mc, ba_user, ba_pwd)) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, - "Already established BASIC AUTH context found!"); - mag_set_req_data(req, cfg, mc); - ret = OK; - goto done; + if (mc && mc->established) { + if (mag_basic_check(cfg, mc, ba_user, ba_pwd)) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, + "Already established BASIC AUTH context found!"); + mag_set_req_data(req, cfg, mc); + ret = OK; + goto done; + } else { + mag_conn_destroy(mc); + } } maj = gss_import_name(&min, &ba_user, GSS_C_NT_USER_NAME, &client); |