#define SASL_NOCHANGE -22 /* requested change was not needed */
#define SASL_WEAKPASS -27 /* passphrase is too weak for security policy */
#define SASL_NOUSERPASS -28 /* user supplied passwords not permitted */
+#define SASL_BADBINDING -29 /* channel binding failure */
/* max size of a sasl mechanism name */
#define SASL_MECHNAMEMAX 20
if (SASL_CB_PRESENT(c_conn->cparams)) {
if (server_can_cb == 0 && SASL_CB_CRITICAL(c_conn->cparams)) {
- result = SASL_NOMECH;
+ result = SASL_BADBINDING;
goto done;
} else {
cbindingdisp = SASL_CB_DISP_WANT;
case SASL_NOCHANGE: return "requested change was not needed";
case SASL_WEAKPASS: return "passphrase is too weak for security policy";
case SASL_NOUSERPASS: return "user supplied passwords are not permitted";
+ case SASL_BADBINDING: return "channel binding failure";
default: return "undefined error!";
}
if (SASL_CB_CRITICAL(s_conn->sparams)) {
sasl_seterror(conn, 0,
"server requires channel binding but client provided none");
- ret = SASL_BADAUTH;
+ ret = SASL_BADBINDING;
}
break;
case SASL_CB_DISP_WANT:
if (!SASL_CB_PRESENT(s_conn->sparams)) {
sasl_seterror(conn, 0,
"client provided channel binding but server had none");
- ret = SASL_BADAUTH;
+ ret = SASL_BADBINDING;
} else if (strcmp(conn->oparams.cbindingname,
s_conn->sparams->cbinding->name) != 0) {
sasl_seterror(conn, 0,
"client channel binding %s does not match server %s",
conn->oparams.cbindingname, s_conn->sparams->cbinding->name);
- ret = SASL_BADAUTH;
+ ret = SASL_BADBINDING;
}
break;
}
sasl_gs2_log(text->utils, maj_stat, min_stat);
text->utils->seterror(text->utils->conn, SASL_NOLOG,
"GS2 Failure: gss_accept_sec_context");
- ret = SASL_BADAUTH;
+ ret = (maj_stat == GSS_S_BAD_BINDINGS) ? SASL_BADBINDING : SASL_BADAUTH;
goto cleanup;
}
GSS_C_NT_USER_NAME,
&without);
if (GSS_ERROR(maj_stat)) {
- ret = SASL_BADAUTH;
+ ret = SASL_FAIL;
goto cleanup;
}
maj_stat = gss_compare_name(&min_stat, text->client_name,
without, &equal);
if (GSS_ERROR(maj_stat)) {
- ret = SASL_BADAUTH;
+ ret = SASL_FAIL;
goto cleanup;
}
return SASL_OK;
}
-#define CHECK_REMAIN(n) do { if (remain < (n)) return SASL_BADAUTH; } while (0)
+#define CHECK_REMAIN(n) do { if (remain < (n)) return SASL_BADPROT; } while (0)
/*
* Verify gs2-header, save authzid and channel bindings to context.
CHECK_REMAIN(1); /* = */
remain--;
if (*p++ != '=')
- return SASL_BADAUTH;
+ return SASL_BADPROT;
ret = gs2_unescape_authzid(text->utils, &p, &remain, &text->cbindingname);
if (ret != SASL_OK)
CHECK_REMAIN(1); /* , */
remain--;
if (*p++ != ',')
- return SASL_BADAUTH;
+ return SASL_BADPROT;
/* authorization identity */
if (remain > 1 && memcmp(p, "a=", 2) == 0) {
CHECK_REMAIN(1); /* , */
remain--;
if (*p++ != ',')
- return SASL_BADAUTH;
+ return SASL_BADPROT;
buf.length = inlen - remain;
buf.value = (void *)in;