From f539123f4aa77a2ed7738173c21e938f8ed1adab Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Wed, 13 Oct 2010 08:12:57 +1100
Subject: [PATCH] more error reporting work
---
 accept_sec_context.c | 37 +++++++++++++++++------
 eap_mech.c | 11 ++++++-
 export_sec_context.c | 3 ++
 gsseap_err.et | 72 +++++++++++++++++++++++++++++++++++---------
 import_sec_context.c | 21 +++++++------
 init_sec_context.c | 21 +++++++++++--
 inquire_context.c | 3 +-
 inquire_cred.c | 7 ++++-
 inquire_cred_by_oid.c | 8 +++--
 inquire_sec_context_by_oid.c | 1 +
 set_cred_option.c | 5 ++-
 set_sec_context_option.c | 5 ++-
 unwrap_iov.c | 4 +--
 util_exts.c | 4 +--
 util_name.c | 8 ++---
 util_ordering.c | 2 +-
 verify_mic.c | 2 +-
 17 files changed, 158 insertions(+), 56 deletions(-)
diff --git a/accept_sec_context.c b/accept_sec_context.c
index c3038c1..8d12d42 100644
--- a/accept_sec_context.c
+++ b/accept_sec_context.c
@@ -104,6 +104,7 @@ acceptReadyEap(OM_uint32 *minor, gss_ctx_id_t ctx, gss_cred_id_t cred)
 ctx->initiatorName->attrCtx = gssEapCreateAttrContext(cred, ctx);
+ *minor = 0;
 return GSS_S_COMPLETE;
 }
@@ -126,8 +127,10 @@ eapGssSmAcceptIdentity(OM_uint32 *minor,
 } pkt;
 gss_buffer_desc pktBuffer;
- if (inputToken != GSS_C_NO_BUFFER && inputToken->length != 0)
+ if (inputToken != GSS_C_NO_BUFFER && inputToken->length != 0) {
+ *minor = GSSEAP_WRONG_SIZE;
 return GSS_S_DEFECTIVE_TOKEN;
+ }
 assert(ctx->acceptorName == GSS_C_NO_NAME);
@@ -151,6 +154,7 @@ eapGssSmAcceptIdentity(OM_uint32 *minor,
 ctx->state = EAP_STATE_AUTHENTICATE;
+ *minor = 0;
 return GSS_S_CONTINUE_NEEDED;
 }
@@ -170,17 +174,21 @@ setAcceptorIdentity(OM_uint32 *minor,
 assert(rh != NULL);
- /* Awaits further specification */
- if (ctx->acceptorName == GSS_C_NO_NAME)
+ if (ctx->acceptorName == GSS_C_NO_NAME) {
+ *minor = 0;
 return GSS_S_COMPLETE;
+ }
+
+ if ((ctx->acceptorName->flags & NAME_FLAG_SERVICE) == 0) {
+ *minor = GSSEAP_BAD_SERVICE_NAME;
+ return GSS_S_BAD_NAME;
+ }
 GSSEAP_KRB_INIT(&krbContext);
 krbPrinc = ctx->acceptorName->krbPrincipal;
 assert(krbPrinc != NULL);
-
- if (krb5_princ_size(krbContext, krbPrinc) < 2)
- return GSS_S_BAD_NAME;
+ assert(krb5_princ_size(krbContext, krbPrinc) >= 2);
 /* Acceptor-Service-Name */
 krbDataToGssBuffer(krb5_princ_component(krbContext, krbPrinc, 0), &nameBuf);
@@ -241,6 +249,7 @@ setAcceptorIdentity(OM_uint32 *minor,
 return major;
 }
+ *minor = 0;
 return GSS_S_COMPLETE;
 }
@@ -262,7 +271,7 @@ createRadiusHandle(OM_uint32 *minor,
 assert(actx->radConn == NULL);
 if (rs_context_create(&actx->radHandle, RS_DICT_FILE) != 0) {
- *minor = GSSEAP_RADSEC_INIT_FAILURE;
+ *minor = GSSEAP_RADSEC_CONTEXT_FAILURE;
 return GSS_S_FAILURE;
 }
@@ -418,6 +427,7 @@ eapGssSmAcceptAuthenticate(OM_uint32 *minor,
 ctx->state = EAP_STATE_EXTENSIONS_REQ;
 }
+ *minor = 0;
 major = GSS_S_CONTINUE_NEEDED;
 cleanup:
@@ -445,6 +455,7 @@ eapGssSmAcceptExtensionsReq(OM_uint32 *minor,
 ctx->state = EAP_STATE_EXTENSIONS_RESP;
+ *minor = 0;
 return GSS_S_CONTINUE_NEEDED;
 }
@@ -464,6 +475,7 @@ eapGssSmAcceptExtensionsResp(OM_uint32 *minor,
 ctx->state = EAP_STATE_ESTABLISHED;
+ *minor = 0;
 return GSS_S_COMPLETE;
 }
@@ -580,6 +592,7 @@ gss_accept_sec_context(OM_uint32 *minor,
 output_token->value = NULL;
 if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) {
+ *minor = GSSEAP_TOK_TRUNC;
 return GSS_S_DEFECTIVE_TOKEN;
 }
@@ -613,7 +626,7 @@ gss_accept_sec_context(OM_uint32 *minor,
 goto cleanup;
 if (!gssEapCredAvailable(cred, ctx->mechanismUsed)) {
- *minor = GSSEAP_WRONG_MECH;
+ *minor = GSSEAP_CRED_MECH_MISMATCH;
 major = GSS_S_BAD_MECH;
 goto cleanup;
 }
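Review bot: Replacing the runtime `krb5_princ_size(krbContext, krbPrinc) < 2` test in setAcceptorIdentity with an assert leaves no guard at all when NDEBUG is defined, and the component reads that follow (`krb5_princ_component(krbContext, krbPrinc, 0)` here, and presumably index 1 beyond the hunk) would then run on a principal that lacks those components. The new NAME_FLAG_SERVICE check only covers names whose flags were set by krbPrincipalToName (util_name.c, later in this patch), which sets that flag exactly when the component count exceeds one; any other producer of an acceptor name is unchecked. Keeping the size test as a real check, `if (krb5_princ_size(krbContext, krbPrinc) < 2) { *minor = GSSEAP_BAD_SERVICE_NAME; return GSS_S_BAD_NAME; }`, costs nothing and reports the error the way the rest of this commit does. setAcceptorIdentity's body continues outside the hunk.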
@@ -672,8 +685,11 @@ gss_accept_sec_context(OM_uint32 *minor,
 if (GSS_ERROR(major))
 goto cleanup;
 }
- if (time_rec != NULL)
- gssEapContextTime(&tmpMinor, ctx, time_rec);
+ if (time_rec != NULL) {
+ major = gssEapContextTime(&tmpMinor, ctx, time_rec);
+ if (GSS_ERROR(major))
+ goto cleanup;
+ }
 }
 assert(ctx->state == EAP_STATE_ESTABLISHED || major == GSS_S_CONTINUE_NEEDED);
@@ -729,6 +745,7 @@ acceptReadyKrb(OM_uint32 *minor,
 ctx->state = EAP_STATE_ESTABLISHED;
+ *minor = 0;
 return GSS_S_COMPLETE;
 }
diff --git a/eap_mech.c b/eap_mech.c
index b6ef299..4199fcd 100644
--- a/eap_mech.c
+++ b/eap_mech.c
@@ -137,7 +137,11 @@ eapPeerRegisterMethods(OM_uint32 *minor)
 ret = eap_peer_tnc_register();
 #endif /* EAP_TNC */
- return ret ? GSS_S_FAILURE : GSS_S_COMPLETE;
+ if (ret == 0)
+ return GSS_S_COMPLETE;
+
+ *minor = GSSEAP_LIBEAP_INIT_FAILURE;
+ return GSS_S_FAILURE;
 }
 static OM_uint32
@@ -149,6 +153,11 @@ gssEapInitLibEap(OM_uint32 *minor)
 static OM_uint32
 gssEapInitLibRadsec(OM_uint32 *minor)
 {
+ if (0) {
+ *minor = GSSEAP_RADSEC_INIT_FAILURE;
+ return GSS_S_FAILURE;
+ }
+
 return GSS_S_COMPLETE;
 }
diff --git a/export_sec_context.c b/export_sec_context.c
index 8cda194..1582886 100644
--- a/export_sec_context.c
+++ b/export_sec_context.c
@@ -83,6 +83,9 @@ gssEapExportPartialContext(OM_uint32 *minor,
 assert(p == (unsigned char *)token->value + token->length);
+ major = GSS_S_COMPLETE;
+ *minor = 0;
+
 cleanup:
 if (GSS_ERROR(major))
 gss_release_buffer(&tmpMinor, token);
diff --git a/gsseap_err.et b/gsseap_err.et
index e77af6b..9d2e861 100644
--- a/gsseap_err.et
+++ b/gsseap_err.et
@@ -32,6 +32,10 @@ error_table eapg
+#
+# Protocol errors that can be returned in an error token. This should match
+# up with makeErrorToken in accept_sec_context.c.
+#
 error_code GSSEAP_RESERVED, ""
 error_code GSSEAP_WRONG_SIZE, "Buffer is incorrect size"
 error_code GSSEAP_WRONG_MECH, "Mechanism OID is incorrect"
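Review bot: The failure path added around gssEapContextTime in gss_accept_sec_context reports through `tmpMinor`, so when it jumps to cleanup the caller receives a failing major together with whatever `*minor` held before; passing the caller's pointer, `major = gssEapContextTime(minor, ctx, time_rec);`, is what the rest of this commit's error reporting expects. Separately, a successful call now overwrites `major` with gssEapContextTime's return value; if this block can also run while major is GSS_S_CONTINUE_NEEDED (the assert just below allows that state), that status would be lost, so storing the result in a temporary and assigning it to major only when GSS_ERROR is true is safer. gss_accept_sec_context's body starts and ends outside the hunk.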
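Review bot: The `if (0) { ... }` block added to gssEapInitLibRadsec is dead code: compilers drop or warn about it, and it tells a reader nothing about which RadSec initialisation is still pending. A comment carries the intent better, e.g. `/* TODO: global RadSec library initialisation; report GSSEAP_RADSEC_INIT_FAILURE on failure */` directly above the existing `return GSS_S_COMPLETE;`. If the intent was to keep GSSEAP_RADSEC_INIT_FAILURE referenced from code, the comment serves that purpose for the reader without compiling a never-taken branch.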
@@ -42,39 +46,77 @@ error_code GSSEAP_WRONG_TOK_ID, "Received token ID does not match ex
 error_code GSSEAP_REFLECT, "Token was reflected"
 error_code GSSEAP_CRIT_EXT_UNAVAILABLE, "Critical extension unavailable"
 error_code GSSEAP_MISSING_REQUIRED_EXT, "Missing required extension"
-error_code GSSEAP_BAD_SERVICE_NAME, "Could not parse service name"
 error_code GSSEAP_KEY_UNAVAILABLE, "EAP key unavailable"
 error_code GSSEAP_KEY_TOO_SHORT, "EAP key too short"
 error_code GSSEAP_RADIUS_AUTH_FAILURE, "Authentication rejected by RADIUS server"
 error_code GSSEAP_UNKNOWN_RADIUS_CODE, "Received unknown response code from RADIUS server"
 error_code GSSEAP_MISSING_EAP_REQUEST, "RADIUS response is missing EAP request"
 error_code GSSEAP_GENERIC_RADIUS_ERROR, "Generic RADIUS error"
+
+#
+# Context errors
+#
+error_code GSSEAP_CONTEXT_ESTABLISHED, "Context is already fully established"
+error_code GSSEAP_CONTEXT_INCOMPLETE, "Attempt to use incomplete security context"
+error_code GSSEAP_BAD_CONTEXT_TOKEN, "Context token is malformed or corrupt"
+error_code GSSEAP_BAD_ERROR_TOKEN, "Error token is malformed or corrupt"
+error_code GSSEAP_BAD_CONTEXT_OPTION, "Bad context option"
+
+#
+# Name errors
+#
+error_code GSSEAP_BAD_SERVICE_NAME, "Name is not a valid service name"
+error_code GSSEAP_BAD_INITIATOR_NAME, "Initiator identity must be a valid name"
+error_code GSSEAP_NO_HOSTNAME, "Could not determine local host name"
+
+#
+# Credential errors
+#
 error_code GSSEAP_BAD_USAGE, "Credential usage type is unknown"
 error_code GSSEAP_CRED_USAGE_MISMATCH, "Credential usage does not match requested usage"
+error_code GSSEAP_CRED_MECH_MISMATCH, "Credential is not usable with this mechanism"
+error_code GSSEAP_BAD_CRED_OPTION, "Bad credential option"
+
+#
+# Wrap/unwrap/PRF errors
+#
+error_code GSSEAP_BAD_WRAP_TOKEN, "Bad RFC 4121 wrap or MIC token"
+error_code GSSEAP_MISSING_IOV, "IOV is missing required buffer"
+error_code GSSEAP_BAD_STREAM_IOV, "Stream IOV can only contain a single data buffer"
+error_code GSSEAP_BAD_PADDING_IOV, "Padding IOV is not permitted for RFC 4121 tokens"
+error_code GSSEAP_UNKNOWN_QOP, "Unknown quality of protection specified"
 error_code GSSEAP_INPUT_TOO_LONG, "PRF input too long"
-error_code GSSEAP_CONTEXT_ESTABLISHED, "Context is already fully established"
-error_code GSSEAP_CONTEXT_INCOMPLETE, "Attempt to use incomplete security context"
+error_code GSSEAP_BAD_PRF_KEY, "PRF key usage type is unknown"
+
+#
+# libeap errors
+#
+error_code GSSEAP_LIBEAP_INIT_FAILURE, "Failed to initialise EAP library"
+error_code GSSEAP_PEER_SM_INIT_FAILURE, "Failed to create EAP state machine"
+error_code GSSEAP_PEER_AUTH_FAILURE, "EAP peer authentication failure"
+error_code GSSEAP_PEER_BAD_MESSAGE, "Received bad EAP message"
+
+#
+# RadSec initialisation errors
+#
 error_code GSSEAP_RADSEC_INIT_FAILURE, "Failed to initialise RadSec library"
+error_code GSSEAP_RADSEC_CONTEXT_FAILURE, "Failed to create RadSec context"
+
+#
+# SAML/Shibboleth/attribute errors
+#
 error_code GSSEAP_SAML_INIT_FAILURE, "Failed to initialise SAML library"
 error_code GSSEAP_SHIB_INIT_FAILURE, "Failed to initialise Shibboleth"
-error_code GSSEAP_PEER_INIT_FAILURE, "Failed to initialise EAP state machine"
-error_code GSSEAP_PEER_AUTH_FAILURE, "EAP peer authentication failure"
-error_code GSSEAP_PEER_BAD_MESSAGE, "Received bad EAP message"
 error_code GSSEAP_NO_ATTR_CONTEXT, "Name has no attributes"
 error_code GSSEAP_NO_ATTR_PROVIDERS, "Failed to initialise attribute providers"
 error_code GSSEAP_NO_SUCH_ATTR, "Unknown naming attribute"
 error_code GSSEAP_BAD_ATTR_TOKEN, "Serialised attributes are malformed or corrupt"
 error_code GSSEAP_ATTR_CONTEXT_FAILURE, "Failed to initialise attribute context"
-error_code GSSEAP_BAD_CONTEXT_TOKEN, "Context token is malformed or corrupt"
-error_code GSSEAP_MISSING_IOV, "IOV is missing required buffer"
-error_code GSSEAP_BAD_STREAM_IOV, "Stream IOV can only contain a single data buffer"
-error_code GSSEAP_BAD_PADDING_IOV, "Padding IOV is not permitted for RFC 4121 tokens"
-error_code GSSEAP_BAD_PRF_KEY, "PRF key usage type is unknown"
-error_code GSSEAP_BAD_ERROR_TOKEN, "Error token is malformed or corrupt"
-error_code GSSEAP_BAD_WRAP_TOKEN, "Bad RFC 4121 wrap or MIC token"
+
+#
+# Extensions
+#
 error_code GSSEAP_BINDINGS_MISMATCH, "Channel bindings do not match"
 error_code GSSEAP_NO_MECHGLUE_SYMBOL, "Could not find symbol in mechanism glue"
-error_code GSSEAP_UNKNOWN_QOP, "Unknown quality of protection specified"
-error_code GSSEAP_NO_HOSTNAME, "Could not determine local host name"
 end
diff --git a/import_sec_context.c b/import_sec_context.c
index 1e05f93..646c107 100644
--- a/import_sec_context.c
+++ b/import_sec_context.c
@@ -39,7 +39,7 @@
 #define CHECK_REMAIN(n) do { \
 if (remain < (n)) { \
- *minor = GSSEAP_WRONG_SIZE; \
+ *minor = GSSEAP_TOK_TRUNC; \
 return GSS_S_DEFECTIVE_TOKEN; \
 } \
 } while (0)
@@ -111,7 +111,7 @@ importMechanismOid(OM_uint32 *minor,
 oidBuf.length = load_uint32_be(p);
 if (remain < 4 + oidBuf.length || oidBuf.length == 0) {
- *minor = GSSEAP_WRONG_SIZE;
+ *minor = GSSEAP_TOK_TRUNC;
 return GSS_S_DEFECTIVE_TOKEN;
 }
@@ -150,7 +150,7 @@ importKerberosKey(OM_uint32 *minor,
 gss_buffer_desc tmp;
 if (remain < 12) {
- *minor = GSSEAP_WRONG_SIZE;
+ *minor = GSSEAP_TOK_TRUNC;
 return GSS_S_DEFECTIVE_TOKEN;
 }
@@ -164,7 +164,7 @@ importKerberosKey(OM_uint32 *minor,
 }
 if (remain - 12 < length) {
- *minor = GSSEAP_WRONG_SIZE;
+ *minor = GSSEAP_TOK_TRUNC;
 return GSS_S_DEFECTIVE_TOKEN;
 }
@@ -197,14 +197,14 @@ importName(OM_uint32 *minor,
 gss_buffer_desc tmp;
 if (remain < 4) {
- *minor = GSSEAP_WRONG_SIZE;
+ *minor = GSSEAP_TOK_TRUNC;
 return GSS_S_DEFECTIVE_TOKEN;
 }
 tmp.length = load_uint32_be(p);
 if (tmp.length != 0) {
 if (remain - 4 < tmp.length) {
- *minor = GSSEAP_WRONG_SIZE;
+ *minor = GSSEAP_TOK_TRUNC;
 return GSS_S_DEFECTIVE_TOKEN;
 }
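Review bot: Removing GSSEAP_BAD_SERVICE_NAME from the first group of gsseap_err.et shifts the value of every code after it (GSSEAP_KEY_UNAVAILABLE onwards) by one, because com_err assigns table values by position, and the header comment added in the previous hunk says exactly this group is what makeErrorToken puts into error tokens. A peer built from the previous revision will therefore decode a received error token to a different message than the sender intended. If the token format is meant to be stable at this point, keep a placeholder `error_code` entry in the vacated slot, or have makeErrorToken map to explicit protocol numbers rather than the raw table value; at minimum the comment should say that the order of the protocol group is part of the wire format.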
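Review bot: The length test in importMechanismOid, `remain < 4 + oidBuf.length`, is in the additive form, which can wrap when the 32-bit value just read by load_uint32_be is added on a platform whose size_t is 32 bits; the later hunks in importKerberosKey and importName use the subtractive form behind a minimum-length check instead. Writing this one the same way, `if (remain < 4 || remain - 4 < oidBuf.length || oidBuf.length == 0)`, keeps the token-length checks consistent and overflow-safe (if a CHECK_REMAIN(4) already precedes this line outside the hunk, the first clause can be dropped). importMechanismOid's body starts and ends outside the hunk.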
@@ -233,7 +233,7 @@ gssEapImportContext(OM_uint32 *minor,
 size_t remain = token->length;
 if (remain < 16) {
- *minor = GSSEAP_WRONG_SIZE;
+ *minor = GSSEAP_TOK_TRUNC;
 return GSS_S_DEFECTIVE_TOKEN;
 }
 if (load_uint32_be(&p[0]) != EAP_EXPORT_CONTEXT_V1) {
@@ -282,7 +282,7 @@ gssEapImportContext(OM_uint32 *minor,
 }
 if (remain < 24 + sequenceSize(ctx->seqState)) {
- *minor = GSSEAP_WRONG_SIZE;
+ *minor = GSSEAP_TOK_TRUNC;
 return GSS_S_DEFECTIVE_TOKEN;
 }
 ctx->expiryTime = (time_t)load_uint64_be(&p[0]); /* XXX */
@@ -325,12 +325,13 @@ gss_import_sec_context(OM_uint32 *minor,
 OM_uint32 major, tmpMinor;
 gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
- *minor = 0;
 *context_handle = GSS_C_NO_CONTEXT;
 if (interprocess_token == GSS_C_NO_BUFFER ||
- interprocess_token->length == 0)
+ interprocess_token->length == 0) {
+ *minor = GSSEAP_TOK_TRUNC;
 return GSS_S_DEFECTIVE_TOKEN;
+ }
 major = gssEapAllocContext(minor, &ctx);
 if (GSS_ERROR(major))
diff --git a/init_sec_context.c b/init_sec_context.c
index f509327..4a23931 100644
--- a/init_sec_context.c
+++ b/init_sec_context.c
@@ -221,6 +221,11 @@ peerConfigInit(OM_uint32 *minor,
 eapPeerConfig->fragment_size = 1024;
 wpa_debug_level = 0;
+ if ((cred->name->flags & (NAME_FLAG_NAI | NAME_FLAG_SERVICE)) == 0) {
+ *minor = GSSEAP_BAD_INITIATOR_NAME;
+ return GSS_S_BAD_NAME;
+ }
+
 code = krb5_unparse_name(krbContext, cred->name->krbPrincipal, &identity);
 if (code != 0) {
 *minor = code;
@@ -232,6 +237,7 @@ peerConfigInit(OM_uint32 *minor,
 eapPeerConfig->password = (unsigned char *)cred->password.value;
 eapPeerConfig->password_len = cred->password.length;
+ *minor = 0;
 return GSS_S_COMPLETE;
 }
@@ -246,6 +252,7 @@ peerConfigFree(OM_uint32 *minor,
 krb5_free_unparsed_name(krbContext, (char *)eapPeerConfig->identity);
+ *minor = 0;
 return GSS_S_COMPLETE;
 }
@@ -363,9 +370,12 @@ initBegin(OM_uint32 *minor,
 return major;
 /* If credentials were provided, check they're usable with this mech */
- if (!gssEapCredAvailable(cred, ctx->mechanismUsed))
+ if (!gssEapCredAvailable(cred, ctx->mechanismUsed)) {
+ *minor = GSSEAP_CRED_MECH_MISMATCH;
 return GSS_S_BAD_MECH;
+ }
+ *minor = 0;
 return GSS_S_COMPLETE;
 }
@@ -398,6 +408,7 @@ eapGssSmInitIdentity(OM_uint32 *minor,
 ctx->state = EAP_STATE_AUTHENTICATE;
+ *minor = 0;
 return GSS_S_CONTINUE_NEEDED;
 }
@@ -421,6 +432,8 @@ eapGssSmInitAuthenticate(OM_uint32 *minor,
 struct wpabuf *resp = NULL;
 int initialContextToken;
+ *minor = 0;
+
 initialContextToken = (inputToken == GSS_C_NO_BUFFER || inputToken->length == 0);
@@ -438,7 +451,7 @@ eapGssSmInitAuthenticate(OM_uint32 *minor,
 ctx, &eapConfig);
 if (ctx->initiatorCtx.eap == NULL) {
- *minor = GSSEAP_PEER_INIT_FAILURE;
+ *minor = GSSEAP_PEER_SM_INIT_FAILURE;
 major = GSS_S_FAILURE;
 goto cleanup;
 }
@@ -522,6 +535,7 @@ eapGssSmInitExtensionsReq(OM_uint32 *minor,
 ctx->state = EAP_STATE_EXTENSIONS_RESP;
+ *minor = 0;
 return GSS_S_CONTINUE_NEEDED;
 }
@@ -545,6 +559,7 @@ eapGssSmInitExtensionsResp(OM_uint32 *minor,
 ctx->state = EAP_STATE_ESTABLISHED;
+ *minor = 0;
 return GSS_S_COMPLETE;
 }
@@ -581,7 +596,7 @@ eapGssSmInitError(OM_uint32 *minor,
 unsigned char *p;
 if (inputToken->length < 8) {
- *minor = GSSEAP_WRONG_SIZE;
+ *minor = GSSEAP_TOK_TRUNC;
 return GSS_S_DEFECTIVE_TOKEN;
 }
diff --git a/inquire_context.c b/inquire_context.c
index ab0e4d3..369ed0d 100644
--- a/inquire_context.c
+++ b/inquire_context.c
@@ -50,8 +50,6 @@ gss_inquire_context(OM_uint32 *minor,
 return GSS_S_NO_CONTEXT;
 }
- *minor = 0;
-
 GSSEAP_MUTEX_LOCK(&ctx->mutex);
 if (src_name != NULL) {
@@ -102,6 +100,7 @@ gss_inquire_context(OM_uint32 *minor,
 }
 major = GSS_S_COMPLETE;
+ *minor = 0;
 cleanup:
 GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
diff --git a/inquire_cred.c b/inquire_cred.c
index 05ae554..138552d 100644
--- a/inquire_cred.c
+++ b/inquire_cred.c
@@ -42,8 +42,10 @@ gss_inquire_cred(OM_uint32 *minor,
 {
 OM_uint32 major = GSS_S_COMPLETE;
- if (cred == NULL)
+ if (cred == NULL) {
+ *minor = EINVAL;
 return GSS_S_NO_CRED;
+ }
 GSSEAP_MUTEX_LOCK(&cred->mutex);
@@ -93,6 +95,9 @@ gss_inquire_cred(OM_uint32 *minor,
 goto cleanup;
 }
+ *minor = 0;
+ major = GSS_S_COMPLETE;
+
 cleanup:
 GSSEAP_MUTEX_UNLOCK(&cred->mutex);
diff --git a/inquire_cred_by_oid.c b/inquire_cred_by_oid.c
index 569b7b5..5abdc2d 100644
--- a/inquire_cred_by_oid.c
+++ b/inquire_cred_by_oid.c
@@ -48,14 +48,18 @@ gss_inquire_cred_by_oid(OM_uint32 *minor,
 OM_uint32 major = GSS_S_UNAVAILABLE;
 int i;
- *minor = 0;
 *data_set = GSS_C_NO_BUFFER_SET;
- if (cred_handle == GSS_C_NO_CREDENTIAL)
+ if (cred_handle == GSS_C_NO_CREDENTIAL) {
+ *minor = EINVAL;
 return GSS_S_NO_CRED;
+ }
 GSSEAP_MUTEX_LOCK(&cred_handle->mutex);
+ major = GSS_S_UNAVAILABLE;
+ *minor = GSSEAP_BAD_CRED_OPTION;
+
 for (i = 0; i < sizeof(inquireCredOps) / sizeof(inquireCredOps[0]); i++) {
 if (oidEqual(&inquireCredOps[i].oid, desired_object)) {
 major = (*inquireCredOps[i].inquire)(minor, cred_handle,
diff --git a/inquire_sec_context_by_oid.c b/inquire_sec_context_by_oid.c
index 6413b28..71f7202 100644
--- a/inquire_sec_context_by_oid.c
+++ b/inquire_sec_context_by_oid.c
@@ -119,6 +119,7 @@ gss_inquire_sec_context_by_oid(OM_uint32 *minor,
 }
 major = GSS_S_UNAVAILABLE;
+ *minor = GSSEAP_BAD_CONTEXT_OPTION;
 for (i = 0; i < sizeof(inquireCtxOps) / sizeof(inquireCtxOps[0]); i++) {
 if (oidEqual(&inquireCtxOps[i].oid, desired_object)) {
diff --git a/set_cred_option.c b/set_cred_option.c
index 1854920..396012a 100644
--- a/set_cred_option.c
+++ b/set_cred_option.c
@@ -144,7 +144,7 @@ gssspi_set_cred_option(OM_uint32 *minor,
 const gss_OID desired_object,
 const gss_buffer_t value)
 {
- OM_uint32 major = GSS_S_UNAVAILABLE;
+ OM_uint32 major;
 gss_cred_id_t cred = *pCred;
 int i;
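Review bot: In gss_inquire_cred_by_oid the declaration `OM_uint32 major = GSS_S_UNAVAILABLE;` still initialises major while the same hunk adds the identical assignment after the lock, whereas set_cred_option.c and set_sec_context_option.c in this patch drop the initialiser when they add that assignment. For consistency this one should become `OM_uint32 major;` as well, so the reader sees a single place where the "no matching OID" default is established together with `*minor = GSSEAP_BAD_CRED_OPTION`. gss_inquire_cred_by_oid's body continues outside the hunk.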
@@ -155,6 +155,9 @@ gssspi_set_cred_option(OM_uint32 *minor,
 GSSEAP_MUTEX_LOCK(&cred->mutex);
+ major = GSS_S_UNAVAILABLE;
+ *minor = GSSEAP_BAD_CRED_OPTION;
+
 for (i = 0; i < sizeof(setCredOps) / sizeof(setCredOps[0]); i++) {
 if (oidEqual(&setCredOps[i].oid, desired_object)) {
 major = (*setCredOps[i].setOption)(minor, cred,
diff --git a/set_sec_context_option.c b/set_sec_context_option.c
index b4872ca..859582d 100644
--- a/set_sec_context_option.c
+++ b/set_sec_context_option.c
@@ -45,10 +45,13 @@ gss_set_sec_context_option(OM_uint32 *minor,
 const gss_OID desired_object,
 const gss_buffer_t value)
 {
- OM_uint32 major = GSS_S_UNAVAILABLE;
+ OM_uint32 major;
 gss_ctx_id_t ctx = *pCtx;
 int i;
+ major = GSS_S_UNAVAILABLE;
+ *minor = GSSEAP_BAD_CONTEXT_OPTION;
+
 if (ctx != GSS_C_NO_CONTEXT)
 GSSEAP_MUTEX_LOCK(&ctx->mutex);
diff --git a/unwrap_iov.c b/unwrap_iov.c
index 10b74fe..5f4237e 100644
--- a/unwrap_iov.c
+++ b/unwrap_iov.c
@@ -118,7 +118,7 @@ unwrapToken(OM_uint32 *minor,
 ptr = (unsigned char *)header->buffer.value;
 if (header->buffer.length < 16) {
- *minor = GSSEAP_WRONG_SIZE;
+ *minor = GSSEAP_TOK_TRUNC;
 return GSS_S_DEFECTIVE_TOKEN;
 }
@@ -411,7 +411,7 @@ unwrapStream(OM_uint32 *minor,
 if (stream->buffer.length < theader->buffer.length +
 tpadding->buffer.length +
 ttrailer->buffer.length) {
- code = GSSEAP_WRONG_SIZE;
+ code = GSSEAP_TOK_TRUNC;
 major = GSS_S_DEFECTIVE_TOKEN;
 goto cleanup;
 }
diff --git a/util_exts.c b/util_exts.c
index 54a3437..dfdf7c6 100644
--- a/util_exts.c
+++ b/util_exts.c
@@ -431,7 +431,7 @@ decodeExtensions(OM_uint32 *minor,
 gss_buffer_desc extension;
 if (remain < 8) {
- *minor = GSSEAP_WRONG_SIZE;
+ *minor = GSSEAP_TOK_TRUNC;
 major = GSS_S_DEFECTIVE_TOKEN;
 goto cleanup;
 }
@@ -449,7 +449,7 @@ decodeExtensions(OM_uint32 *minor,
 extension.length = load_uint32_be(&p[4]);
 if (remain < 8 + extension.length) {
- *minor = GSSEAP_WRONG_SIZE;
+ *minor = GSSEAP_TOK_TRUNC;
 major = GSS_S_DEFECTIVE_TOKEN;
 goto cleanup;
 }
diff --git a/util_name.c b/util_name.c
index d01646c..7e7d25f 100644
--- a/util_name.c
+++ b/util_name.c
@@ -132,10 +132,10 @@ krbPrincipalToName(OM_uint32 *minor,
 name->krbPrincipal = *principal;
 *principal = NULL;
- if (name->krbPrincipal->length == 1) {
- name->flags |= NAME_FLAG_NAI;
- } else {
+ if (name->krbPrincipal->length > 1) {
 name->flags |= NAME_FLAG_SERVICE;
+ } else {
+ name->flags |= NAME_FLAG_NAI;
 }
 *pName = name;
@@ -228,7 +228,7 @@ importUserName(OM_uint32 *minor,
 #define CHECK_REMAIN(n) do { \
 if (remain < (n)) { \
- *minor = GSSEAP_WRONG_SIZE; \
+ *minor = GSSEAP_TOK_TRUNC; \
 major = GSS_S_BAD_NAME; \
 goto cleanup; \
 } \
diff --git a/util_ordering.c b/util_ordering.c
index c58ac6c..0ab8c28 100644
--- a/util_ordering.c
+++ b/util_ordering.c
@@ -283,7 +283,7 @@ sequenceInternalize(OM_uint32 *minor,
 void *q;
 if (*lenremain < sizeof(queue)) {
- *minor = GSSEAP_WRONG_SIZE;
+ *minor = GSSEAP_TOK_TRUNC;
 return GSS_S_DEFECTIVE_TOKEN;
 }
diff --git a/verify_mic.c b/verify_mic.c
index f8ecf94..e06816c 100644
--- a/verify_mic.c
+++ b/verify_mic.c
@@ -44,7 +44,7 @@ gss_verify_mic(OM_uint32 *minor,
 int conf_state;
 if (message_token->length < 16) {
- *minor = GSSEAP_WRONG_SIZE;
+ *minor = GSSEAP_TOK_TRUNC;
 return GSS_S_BAD_SIG;
 }
--
2.1.4