From 5cd4620c41ee3fd9cfebb55179c3d7ce308f75bc Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Mon, 27 Sep 2010 14:20:12 +0200
Subject: [PATCH] New SASL_BADBINDING error code; cleanup error handling
---
 include/sasl.h | 1 +
 lib/client.c | 2 +-
 lib/common.c | 1 +
 lib/server.c | 6 +++---
 plugins/gs2.c | 14 +++++++-------
 5 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/include/sasl.h b/include/sasl.h
index 8c475b6..9c6d060 100755
--- a/include/sasl.h
+++ b/include/sasl.h
@@ -171,6 +171,7 @@
 #define SASL_NOCHANGE -22 /* requested change was not needed */
 #define SASL_WEAKPASS -27 /* passphrase is too weak for security policy */
 #define SASL_NOUSERPASS -28 /* user supplied passwords not permitted */
+#define SASL_BADBINDING -29 /* channel binding failure */
 /* max size of a sasl mechanism name */
 #define SASL_MECHNAMEMAX 20
diff --git a/lib/client.c b/lib/client.c
index 8cc2d1d..310977c 100644
--- a/lib/client.c
+++ b/lib/client.c
@@ -522,7 +522,7 @@ int sasl_client_start(sasl_conn_t *conn,
 if (SASL_CB_PRESENT(c_conn->cparams)) {
 if (server_can_cb == 0 && SASL_CB_CRITICAL(c_conn->cparams)) {
- result = SASL_NOMECH;
+ result = SASL_BADBINDING;
 goto done;
 } else {
 cbindingdisp = SASL_CB_DISP_WANT;
diff --git a/lib/common.c b/lib/common.c
index 0267513..2481697 100644
--- a/lib/common.c
+++ b/lib/common.c
@@ -1276,6 +1276,7 @@ const char *sasl_errstring(int saslerr,
 case SASL_NOCHANGE: return "requested change was not needed";
 case SASL_WEAKPASS: return "passphrase is too weak for security policy";
 case SASL_NOUSERPASS: return "user supplied passwords are not permitted";
+ case SASL_BADBINDING: return "channel binding failure";
 default: return "undefined error!";
 }
diff --git a/lib/server.c b/lib/server.c
index 928447d..4b78c01 100644
--- a/lib/server.c
+++ b/lib/server.c
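Review bot: In lib/client.c, the `server_can_cb == 0 && SASL_CB_CRITICAL(...)` branch of sasl_client_start now fails with SASL_BADBINDING but records no error detail, whereas the matching server-side failures in lib/server.c each call sasl_seterror before setting the code. This is the case where a client that requires channel binding is talking to a server that cannot do it, which is worth telling apart from an ordinary negotiation failure in logs. I would add `sasl_seterror(conn, 0, "client requires channel binding but server does not support it");` before `result = SASL_BADBINDING;`. The `done:` label is outside the hunk, so this assumes nothing there already sets a message.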
@@ -1459,7 +1459,7 @@ int sasl_server_step(sasl_conn_t *conn,
 if (SASL_CB_CRITICAL(s_conn->sparams)) {
 sasl_seterror(conn, 0, "server requires channel binding but client provided none");
- ret = SASL_BADAUTH;
+ ret = SASL_BADBINDING;
 }
 break;
 case SASL_CB_DISP_WANT:
@@ -1473,13 +1473,13 @@ int sasl_server_step(sasl_conn_t *conn,
 if (!SASL_CB_PRESENT(s_conn->sparams)) {
 sasl_seterror(conn, 0, "client provided channel binding but server had none");
- ret = SASL_BADAUTH;
+ ret = SASL_BADBINDING;
 } else if (strcmp(conn->oparams.cbindingname, s_conn->sparams->cbinding->name) != 0) {
 sasl_seterror(conn, 0, "client channel binding %s does not match server %s", conn->oparams.cbindingname, s_conn->sparams->cbinding->name);
- ret = SASL_BADAUTH;
+ ret = SASL_BADBINDING;
 }
 break;
 }
diff --git a/plugins/gs2.c b/plugins/gs2.c
index 98039d8..99298c7 100644
--- a/plugins/gs2.c
+++ b/plugins/gs2.c
@@ -426,7 +426,7 @@ gs2_server_mech_step(void *conn_context,
 sasl_gs2_log(text->utils, maj_stat, min_stat);
 text->utils->seterror(text->utils->conn, SASL_NOLOG, "GS2 Failure: gss_accept_sec_context");
- ret = SASL_BADAUTH;
+ ret = (maj_stat == GSS_S_BAD_BINDINGS) ? SASL_BADBINDING : SASL_BADAUTH;
 goto cleanup;
 }
@@ -478,14 +478,14 @@ gs2_server_mech_step(void *conn_context,
 GSS_C_NT_USER_NAME, &without);
 if (GSS_ERROR(maj_stat)) {
- ret = SASL_BADAUTH;
+ ret = SASL_FAIL;
 goto cleanup;
 }
 maj_stat = gss_compare_name(&min_stat, text->client_name, without, &equal);
 if (GSS_ERROR(maj_stat)) {
- ret = SASL_BADAUTH;
+ ret = SASL_FAIL;
 goto cleanup;
 }
@@ -1061,7 +1061,7 @@ gs2_save_cbindings(context_t *text,
 return SASL_OK;
 }
-#define CHECK_REMAIN(n) do { if (remain < (n)) return SASL_BADAUTH; } while (0)
+#define CHECK_REMAIN(n) do { if (remain < (n)) return SASL_BADPROT; } while (0)
 /*
 * Verify gs2-header, save authzid and channel bindings to context.
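Review bot: In lib/server.c, the three `ret = SASL_BADBINDING;` assignments in sasl_server_step (one in the @@ -1459 hunk, two in the @@ -1473 hunk) change the value applications receive for a rejected exchange, and nothing in the patch tells callers that the new code still means the authentication failed. An application that counts or audits failures only on `SASL_BADAUTH` would, if one exists, stop recording channel-binding mismatches, which are the failures most worth noticing. A comment at the first assignment such as `/* distinct from SASL_BADAUTH; callers must still treat this as a failed authentication */`, with a matching line in the API documentation, would cover it. The function body starts and ends outside both hunks.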
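Review bot: In plugins/gs2.c (@@ -426, gs2_server_mech_step), `maj_stat == GSS_S_BAD_BINDINGS` compares the whole major status word, which also carries the calling-error and supplementary-info fields, so the test is false whenever any of those bits is set and the binding failure is then reported as SASL_BADAUTH. Extracting the routine-error field first avoids that: `ret = (GSS_ROUTINE_ERROR(maj_stat) == GSS_S_BAD_BINDINGS) ? SASL_BADBINDING : SASL_BADAUTH;`. The enclosing `if` and the rest of the function are outside the hunk.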
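Review bot: In plugins/gs2.c (@@ -478, gs2_server_mech_step), the two `if (GSS_ERROR(maj_stat))` branches now return SASL_FAIL without logging the GSS status, unlike the gss_accept_sec_context failure path at @@ -426 in the same function, which calls sasl_gs2_log before setting `ret`. Both calls appear to feed the client-name comparison, so a silent generic failure here is hard to diagnose afterwards. Adding `sasl_gs2_log(text->utils, maj_stat, min_stat);` as the first statement of each branch would keep the paths consistent. The first call's name and opening arguments are above the hunk, so its role is inferred from the `GSS_C_NT_USER_NAME, &without` tail.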
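Review bot: In plugins/gs2.c (@@ -1061), CHECK_REMAIN has no comment even though it reads a variable named `remain` from the expanding function and returns from that function, neither of which is visible at the call sites. Since the returned code now classifies a short message as a protocol error, I would document that above the definition, for example `/* Return SASL_BADPROT from the calling function if fewer than n bytes remain; expects a local named remain. */`. A function that uses the macro after acquiring a resource would skip its cleanup, which is worth stating in the same comment.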
@@ -1102,7 +1102,7 @@ gs2_verify_initial_message(context_t *text,
 CHECK_REMAIN(1); /* = */
 remain--;
 if (*p++ != '=')
- return SASL_BADAUTH;
+ return SASL_BADPROT;
 ret = gs2_unescape_authzid(text->utils, &p, &remain, &text->cbindingname);
 if (ret != SASL_OK)
@@ -1121,7 +1121,7 @@ gs2_verify_initial_message(context_t *text,
 CHECK_REMAIN(1); /* , */
 remain--;
 if (*p++ != ',')
- return SASL_BADAUTH;
+ return SASL_BADPROT;
 /* authorization identity */
 if (remain > 1 && memcmp(p, "a=", 2) == 0) {
@@ -1138,7 +1138,7 @@ gs2_verify_initial_message(context_t *text,
 CHECK_REMAIN(1); /* , */
 remain--;
 if (*p++ != ',')
- return SASL_BADAUTH;
+ return SASL_BADPROT;
 buf.length = inlen - remain;
 buf.value = (void *)in;
--
2.1.4
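Review bot: In plugins/gs2.c, the three `return SASL_BADPROT;` statements in gs2_verify_initial_message (hunks @@ -1102, @@ -1121 and @@ -1138) reject a malformed gs2-header without recording which separator was wrong, so a server operator sees only the bare code. Now that the code separates malformed input from bad credentials, a short detail message would make that separation usable in logs, for instance `text->utils->seterror(text->utils->conn, 0, "GS2: malformed gs2-header");` before each return, which also means bracing each `if`. The function's start and end are outside all three hunks, so whether its caller already sets a message cannot be seen here.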