gss_OID mechanism;
int gs2_flags;
char *cbindingname;
- struct gss_channel_bindings_struct bindings;
+ struct gss_channel_bindings_struct gss_cbindings;
sasl_secret_t *password;
unsigned int free_password;
OM_uint32 lifetime;
text->authzid = NULL;
}
- if (text->mechanism != NULL) {
- gss_release_oid(&min_stat, &text->mechanism);
- text->mechanism = GSS_C_NO_OID;
- }
-
- gss_release_buffer(&min_stat, &text->bindings.application_data);
+ gss_release_buffer(&min_stat, &text->gss_cbindings.application_data);
if (text->out_buf != NULL) {
text->utils->free(text->out_buf);
? (gss_cred_id_t)params->gss_creds
: text->server_creds,
&input_token,
- &text->bindings,
+ &text->gss_cbindings,
&text->client_name,
&actual_mech,
&output_token,
sasl_gs2_log(text->utils, maj_stat, min_stat);
text->utils->seterror(text->utils->conn, SASL_NOLOG,
"GS2 Failure: gss_accept_sec_context");
- ret = SASL_BADAUTH;
+ ret = (maj_stat == GSS_S_BAD_BINDINGS) ? SASL_BADBINDING : SASL_BADAUTH;
goto cleanup;
}
GSS_C_NT_USER_NAME,
&without);
if (GSS_ERROR(maj_stat)) {
- ret = SASL_BADAUTH;
+ ret = SASL_FAIL;
goto cleanup;
}
maj_stat = gss_compare_name(&min_stat, text->client_name,
without, &equal);
if (GSS_ERROR(maj_stat)) {
- ret = SASL_BADAUTH;
+ ret = SASL_FAIL;
goto cleanup;
}
gss_release_buffer(&min_stat, &short_name_buf);
gss_release_buffer(&min_stat, &output_token);
gss_release_name(&min_stat, &without);
- gss_release_oid(&min_stat, &actual_mech);
if (ret == SASL_OK && maj_stat != GSS_S_COMPLETE) {
sasl_gs2_seterror(text->utils, maj_stat, min_stat);
(gss_OID)text->mechanism,
req_flags,
GSS_C_INDEFINITE,
- &text->bindings,
+ &text->gss_cbindings,
serverinlen ? &input_token : GSS_C_NO_BUFFER,
NULL,
&output_token,
cleanup:
gss_release_buffer(&min_stat, &output_token);
gss_release_buffer(&min_stat, &name_buf);
- gss_release_oid(&min_stat, &actual_mech);
if (ret == SASL_OK && maj_stat != GSS_S_COMPLETE) {
sasl_gs2_seterror(text->utils, maj_stat, min_stat);
gss_buffer_t header,
const sasl_channel_binding_t *cbinding)
{
- gss_buffer_t gss_bindings = &text->bindings.application_data;
+ gss_buffer_t gss_cbindings = &text->gss_cbindings.application_data;
size_t len;
unsigned char *p;
- assert(gss_bindings->value == NULL);
+ assert(gss_cbindings->value == NULL);
/*
* The application-data field MUST be set to the gs2-header, excluding
len += cbinding->len;
}
- gss_bindings->length = len;
- gss_bindings->value = text->utils->malloc(len);
- if (gss_bindings->value == NULL)
+ gss_cbindings->length = len;
+ gss_cbindings->value = text->utils->malloc(len);
+ if (gss_cbindings->value == NULL)
return SASL_NOMEM;
- p = (unsigned char *)gss_bindings->value;
+ p = (unsigned char *)gss_cbindings->value;
if (text->gs2_flags & GS2_NONSTD_FLAG) {
memcpy(p, (unsigned char *)header->value + 2, header->length - 2);
p += header->length - 2;
return SASL_OK;
}
-#define CHECK_REMAIN(n) do { if (remain < (n)) return SASL_BADAUTH; } while (0)
+#define CHECK_REMAIN(n) do { if (remain < (n)) return SASL_BADPROT; } while (0)
/*
* Verify gs2-header, save authzid and channel bindings to context.
CHECK_REMAIN(1); /* = */
remain--;
if (*p++ != '=')
- return SASL_BADAUTH;
+ return SASL_BADPROT;
ret = gs2_unescape_authzid(text->utils, &p, &remain, &text->cbindingname);
if (ret != SASL_OK)
CHECK_REMAIN(1); /* , */
remain--;
if (*p++ != ',')
- return SASL_BADAUTH;
+ return SASL_BADPROT;
/* authorization identity */
if (remain > 1 && memcmp(p, "a=", 2) == 0) {
CHECK_REMAIN(1); /* , */
remain--;
if (*p++ != ',')
- return SASL_BADAUTH;
+ return SASL_BADPROT;
buf.length = inlen - remain;
buf.value = (void *)in;