support mechanisms that do not support mutual auth
[cyrus-sasl.git] / plugins / gs2.c
index 1b6dc6a..5c3abce 100644 (file)
@@ -539,7 +539,7 @@ cleanup:
         sasl_gs2_seterror(text->utils, maj_stat, min_stat);
         ret = SASL_FAIL;
     }
-    if (ret != SASL_OK && ret != SASL_CONTINUE)
+    if (ret < SASL_OK)
         sasl_gs2_free_context_contents(text);
 
     return ret;
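Review bot: The new test `ret < SASL_OK` at the cleanup label depends on the numeric layout of the SASL result codes (failures negative, every non-failure zero or positive) instead of naming the codes that keep the context alive. Unlike the old condition, it also preserves the GSS context for any positive code, not only SASL_CONTINUE. That is presumably meant to let SASL_INTERACT survive, but nothing in the code says so. I would add a comment such as `/* keep the context on SASL_OK, SASL_CONTINUE and SASL_INTERACT; free it only on failure (negative codes) */`. The same applies to the identical change in the cleanup path of gs2_client_mech_step later in this patch; the enclosing function here begins outside the hunk.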
@@ -766,7 +766,7 @@ static int gs2_client_mech_step(void *conn_context,
             goto cleanup;
     }
 
-    req_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
+    req_flags = GSS_C_SEQUENCE_FLAG;
 
     maj_stat = gss_init_sec_context(&min_stat,
                                     (params->gss_creds != GSS_C_NO_CREDENTIAL)
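Review bot: Dropping GSS_C_MUTUAL_FLAG from `req_flags` stops the client requesting mutual authentication for every mechanism, including those that can authenticate the acceptor, so it no longer asks for proof of the server's identity. GSS-API request flags are requests, not requirements, and what was granted comes back in the returned flags. Mechanisms without mutual auth could therefore probably be supported while still asking: keep `req_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;` and relax whatever check on the returned flags rejected them (that check is not visible here). If dropping the request is deliberate, a comment should say that server authentication is no longer guaranteed. It should also note that removing GSS_C_MA_AUTH_TARG from `desired_oids` in gs2_indicate_mechs widens the set of advertised mechanisms in the same way. The function body continues outside the hunk.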
@@ -842,7 +842,7 @@ cleanup:
         sasl_gs2_seterror(text->utils, maj_stat, min_stat);
         ret = SASL_FAIL;
     }
-    if (ret != SASL_OK && ret != SASL_CONTINUE)
+    if (ret < SASL_OK)
         sasl_gs2_free_context_contents(text);
 
     return ret;
@@ -1317,7 +1317,7 @@ gs2_get_mech_attrs(const sasl_utils_t *utils,
 static int gs2_indicate_mechs(const sasl_utils_t *utils)
 {
     OM_uint32 major, minor;
-    gss_OID_desc desired_oids[3];
+    gss_OID_desc desired_oids[2];
     gss_OID_set_desc desired_attrs;
     gss_OID_desc except_oids[3];
     gss_OID_set_desc except_attrs;
@@ -1326,8 +1326,7 @@ static int gs2_indicate_mechs(const sasl_utils_t *utils)
         return SASL_OK;
 
     desired_oids[0] = *GSS_C_MA_AUTH_INIT;
-    desired_oids[1] = *GSS_C_MA_AUTH_TARG;
-    desired_oids[2] = *GSS_C_MA_CBINDINGS;
+    desired_oids[1] = *GSS_C_MA_CBINDINGS;
     desired_attrs.count = sizeof(desired_oids)/sizeof(desired_oids[0]);
     desired_attrs.elements = desired_oids;
 
@@ -1560,6 +1559,9 @@ gs2_get_init_creds(context_t *text,
                                        &text->client_name);
             if (GSS_ERROR(maj_stat))
                 goto cleanup;
+
+            /* The authid may have changed after prompting, so free any creds */
+            gss_release_cred(&min_stat, &text->client_creds);
         }
     }
 
@@ -1589,8 +1591,11 @@ gs2_get_init_creds(context_t *text,
                                     NULL,
                                     NULL,
                                     NULL);
-        if (GSS_ERROR(maj_stat))
-            goto cleanup;
+        if (GSS_ERROR(maj_stat)) {
+            /* Maybe there was no default credential */
+            auth_result = SASL_INTERACT;
+            goto interact;
+        }
 
         maj_stat = gss_display_name(&min_stat,
                                     text->client_name,
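Review bot: Every GSS error from the call ending at the top of this hunk is now treated as "no default credential" and converted to SASL_INTERACT, so unrelated failures such as expired or unusable credentials lead to a prompt instead of an error. I would limit the interactive path to the missing-credential status and keep the old exit for the rest: `if (GSS_ROUTINE_ERROR(maj_stat) == GSS_S_NO_CRED) { auth_result = SASL_INTERACT; goto interact; }` followed by `if (GSS_ERROR(maj_stat)) goto cleanup;`. The jump also lands after `maj_stat = GSS_S_COMPLETE;` at the new `interact:` label, so the error status is still set when the code below the label runs. If the cleanup path inspects maj_stat (not visible here), it may overwrite the SASL_INTERACT result. The call itself starts outside the hunk.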
@@ -1671,6 +1676,8 @@ gs2_get_init_creds(context_t *text,
 
     maj_stat = GSS_S_COMPLETE;
 
+interact:
+
     /* free prompts we got */
     if (prompt_need && *prompt_need) {
         params->utils->free(*prompt_need);