do SASL name canon, whatever it does, before GSS name import
authorLuke Howard <lukeh@padl.com>
Mon, 27 Sep 2010 20:54:56 +0000 (22:54 +0200)
committerLuke Howard <lukeh@padl.com>
Mon, 27 Sep 2010 20:54:56 +0000 (22:54 +0200)
plugins/gs2.c

index 07f6140..3304968 100644 (file)
@@ -1561,38 +1561,52 @@ gs2_get_init_creds(context_t *text,
     }
 
     /*
-     * If the application has provided an authentication identity, parse it.
+     * Get the authorization identity.
      */
-    if (text->client_name == GSS_C_NO_NAME) {
-        gss_buffer_desc name_buf;
+    if (oparams->user == NULL) {
+        user_result = _plug_get_userid(params->utils, &userid, prompt_need);
+        if (user_result != SASL_OK && user_result != SASL_INTERACT) {
+            result = user_result;
+            goto cleanup;
+        }
+    }
 
-        if (oparams->authid != NULL) {
-            name_buf.length = strlen(oparams->authid);
-            name_buf.value = (void *)oparams->authid;
+    if (auth_result == SASL_OK && user_result == SASL_OK &&
+        oparams->authid == NULL) {
+        if (userid == NULL || userid[0] == '\0') {
+            result = params->canon_user(params->utils->conn, authid, 0,
+                                        SASL_CU_AUTHID | SASL_CU_AUTHZID,
+                                        oparams);
         } else {
-            name_buf.length = strlen(authid);
-            name_buf.value = (void *)authid;
-        }
+            result = params->canon_user(params->utils->conn,
+                                        authid, 0, SASL_CU_AUTHID, oparams);
+            if (result != SASL_OK)
+                goto cleanup;
 
-        if (name_buf.value != NULL) {
-            maj_stat = gss_import_name(&min_stat,
-                                       &name_buf,
-                                       GSS_C_NT_USER_NAME,
-                                       &text->client_name);
-            if (GSS_ERROR(maj_stat))
+            result = params->canon_user(params->utils->conn,
+                                        userid, 0, SASL_CU_AUTHZID, oparams);
+            if (result != SASL_OK)
                 goto cleanup;
         }
+
+        assert(oparams->authid != NULL);
     }
 
     /*
-     * Get the authorization identity.
+     * If the application has provided an authentication identity, parse it.
      */
-    if (oparams->user == NULL) {
-        user_result = _plug_get_userid(params->utils, &userid, prompt_need);
-        if (user_result != SASL_OK && user_result != SASL_INTERACT) {
-            result = user_result;
+    if (text->client_name == GSS_C_NO_NAME && oparams->authid != NULL) {
+        gss_buffer_desc name_buf;
+
+        name_buf.length = strlen(oparams->authid);
+        name_buf.value = (void *)oparams->authid;
+
+        maj_stat = gss_import_name(&min_stat,
+                                   &name_buf,
+                                   GSS_C_NT_USER_NAME,
+                                   &text->client_name);
+        if (GSS_ERROR(maj_stat))
             goto cleanup;
-        }
     }
 
     /*
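Review bot: The single canon_user call in the `userid == NULL || userid[0] == '\0'` branch leaves `result` unchecked, so a canonicalization failure falls straight through to `assert(oparams->authid != NULL)`, which aborts in debug builds and is compiled out under NDEBUG, after which the function carries on with a possibly NULL `oparams->authid` and a stale `result`. The two-call branch already does `if (result != SASL_OK) goto cleanup;` after each call; adding the same line after the combined `SASL_CU_AUTHID | SASL_CU_AUTHZID` call makes the branches consistent and keeps the new `oparams->authid != NULL` guard on gss_import_name from silently skipping the import on a failed canonicalization. An assert is not a substitute for that check, since canon_user is a callback whose outcome depends on runtime input. gs2_get_init_creds starts before this hunk, so the origin of `authid` and the initial value of `userid` are not visible here.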
@@ -1672,26 +1686,6 @@ gs2_get_init_creds(context_t *text,
                                NULL, NULL);
         if (result == SASL_OK)
             result = SASL_INTERACT;
-    } else if (oparams->authid == NULL) {
-        /*
-         * XXX we acquired GSS credentials pre-canonicalisation. Just noting
-         * this might cause some problems with applications.
-         */
-        if (userid == NULL || userid[0] == '\0') {
-            result = params->canon_user(params->utils->conn, authid, 0,
-                                        SASL_CU_AUTHID | SASL_CU_AUTHZID,
-                                        oparams);
-        } else {
-            result = params->canon_user(params->utils->conn,
-                                        authid, 0, SASL_CU_AUTHID, oparams);
-            if (result != SASL_OK)
-                goto cleanup;
-
-            result = params->canon_user(params->utils->conn,
-                                        userid, 0, SASL_CU_AUTHZID, oparams);
-            if (result != SASL_OK)
-                goto cleanup;
-        }
     }
 
 cleanup: