X-Git-Url: http://www.project-moonshot.org/gitweb/?p=cyrus-sasl.git;a=blobdiff_plain;f=plugins%2Fgs2.c;h=6faa70d3fc256920838e130c2df225a7fb308206;hp=01a75b6950a21a79bd4dd3322fcb5a5c3fa7156e;hb=HEAD;hpb=4e5aeca620099816d64d0d6d6112e3bde315f713
diff --git a/plugins/gs2.c b/plugins/gs2.c
index 01a75b6..6faa70d 100644
--- a/plugins/gs2.c
+++ b/plugins/gs2.c
@@ -97,6 +97,10 @@
 #define GS2_CB_FLAG_Y 0x02
 #define GS2_NONSTD_FLAG 0x10
+#ifndef GSS_S_PROMPTING_NEEDED
+#define GSS_S_PROMPTING_NEEDED (1 << (GSS_C_SUPPLEMENTARY_OFFSET + 5))
+#endif
+
 typedef struct context {
 gss_ctx_id_t gss_ctx;
 gss_name_t client_name;
@@ -807,12 +811,11 @@ static int gs2_client_mech_step(void *conn_context,
 if (GSS_ERROR(maj_stat))
 goto cleanup;
-#if 0
- if ((ret_flags & GSS_C_MUTUAL_FLAG) == 0) {
+ if (params->cbindingdisp != SASL_CB_DISP_NONE &&
+ (ret_flags & GSS_C_MUTUAL_FLAG) == 0) {
 maj_stat = SASL_BADAUTH;
 goto cleanup;
 }
-#endif
 maj_stat = gss_display_name(&min_stat,
 text->client_name,
@@ -835,7 +838,7 @@ cleanup:
 if (ret == SASL_OK && maj_stat != GSS_S_COMPLETE) {
 sasl_gs2_seterror(text->utils, maj_stat, min_stat);
- ret = SASL_FAIL;
+ ret = (maj_stat & GSS_S_PROMPTING_NEEDED) ? SASL_INTERACT : SASL_FAIL;
 }
 if (ret < SASL_OK)
 sasl_gs2_free_context_contents(text);
@@ -1280,7 +1283,7 @@ gs2_get_mech_attrs(const sasl_utils_t *utils,
 }
 *security_flags = SASL_SEC_NOPLAINTEXT | SASL_SEC_NOACTIVE;
- *features = SASL_FEAT_WANT_CLIENT_FIRST | SASL_FEAT_CHANNEL_BINDING;
+ *features = SASL_FEAT_WANT_CLIENT_FIRST;
 if (prompts != NULL)
 *prompts = gs2_required_prompts;
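Review bot: The fallback definition of GSS_S_PROMPTING_NEEDED in the first hunk (-97,6) carries no comment, and bit 5 is not among the supplementary status bits RFC 2744 assigns, which stop at bit 4 (GSS_S_GAP_TOKEN). A line above the `#ifndef` such as `/* Extension status bit, not in RFC 2744; value must match the GSS library that sets it. */` would tell maintainers this is a convention shared with the mechanism rather than a standard constant. Without that, a reader cannot tell whether a GSS library that never sets the bit, or uses it differently, is supported.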
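Review bot: In the hunk at -807,12 the re-enabled mutual-authentication check reports failure with `maj_stat = SASL_BADAUTH;`, which stores a SASL result code in a GSS status word. SASL_BADAUTH is -13, so as an unsigned status it has bit 5 set, and with the usual GSS_C_SUPPLEMENTARY_OFFSET of 0 that is exactly the GSS_S_PROMPTING_NEEDED bit the cleanup: hunk at -835,7 now tests. If `ret` is still SASL_OK at that point, as the bare `goto cleanup` after GSS_ERROR suggests, a missing GSS_C_MUTUAL_FLAG would be returned as SASL_INTERACT instead of an authentication failure, and the context would not be freed. Writing `ret = SASL_BADAUTH;` instead keeps maj_stat a real GSS status and takes the `ret < SASL_OK` path. The function body starts and ends outside both hunks, so the initial value of `ret` should be confirmed.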
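Review bot: The status mapping added in the cleanup: hunk at -835,7, and repeated for `result` in the last hunk at -1703,7, is undocumented and quietly relies on SASL_INTERACT being positive. The `if (ret < SASL_OK)` line that follows then keeps the context when prompting is needed and frees it for every other failure. A comment on the new line, for example `/* prompting needed: keep the context so the step can be retried after interaction */`, would make that explicit, and a small static helper shared by both cleanup blocks would stop the two copies drifting apart. sasl_gs2_seterror() still runs before the decision, so an error string is recorded even when SASL_INTERACT is returned; whether that is intended is not visible here.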
@@ -1294,8 +1297,10 @@ gs2_get_mech_attrs(const sasl_utils_t *utils,
 *security_flags |= SASL_SEC_NOANONYMOUS;
 if (MA_PRESENT(GSS_C_MA_DELEG_CRED))
 *security_flags |= SASL_SEC_PASS_CREDENTIALS;
- if (MA_PRESENT(GSS_C_MA_AUTH_TARG))
+ if (MA_PRESENT(GSS_C_MA_AUTH_TARG)) {
+ *features |= SASL_FEAT_CHANNEL_BINDING;
 *security_flags |= SASL_SEC_MUTUAL_AUTH;
+ }
 if (MA_PRESENT(GSS_C_MA_AUTH_INIT_INIT) && prompts != NULL)
 *prompts = NULL;
 if (MA_PRESENT(GSS_C_MA_ITOK_FRAMED))
@@ -1703,7 +1708,7 @@ interact:
 cleanup:
 if (result == SASL_OK && maj_stat != GSS_S_COMPLETE) {
 sasl_gs2_seterror(text->utils, maj_stat, min_stat);
- result = SASL_FAIL;
+ result = (maj_stat & GSS_S_PROMPTING_NEEDED) ? SASL_INTERACT : SASL_FAIL;
 }
 gss_release_buffer(&min_stat, &cred_authid);
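Review bot: Nothing in the hunk at -1294,8 says why SASL_FEAT_CHANNEL_BINDING is now set only inside the GSS_C_MA_AUTH_TARG branch, after the hunk at -1280,7 dropped it from the default `*features`. A comment inside the new braces such as `/* offer channel binding only when the mechanism can authenticate the acceptor */` would record the rule. It presumably mirrors the runtime test on GSS_C_MUTUAL_FLAG in the step function, and saying so would help keep the advertised feature and the enforced check in agreement. gs2_get_mech_attrs starts and ends outside both hunks.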