- ret = gss_authenticate(r, conf, conn_ctx,
- auth_line, &negotiate_ret_value);
- if (ret == HTTP_UNAUTHORIZED || ret == OK) {
- /* LOG?? */
- set_http_headers(r, conf, negotiate_ret_value);
+ /* Acquire server credentials */
+ ret = get_gss_creds(r, conf, &server_creds);
+ if (ret)
+ goto end;
+
+ /* Decode input token */
+ input_token.length = apr_base64_decode(input_token.value, posted_token);
+
+ /* Call gss_accept_sec_context */
+ major_status = gss_accept_sec_context(&minor_status,
+ &ctx->context,
+ server_creds,
+ &input_token,
+ GSS_C_NO_CHANNEL_BINDINGS,
+ NULL,
+ NULL,
+ &output_token,
+ &ret_flags,
+ NULL,
+ &delegated_cred);
+ gss_log(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "Client %s us their credential",
+ (ret_flags & GSS_C_DELEG_FLAG) ? "delegated" : "didn't delegate");
+
+ if (GSS_ERROR(major_status)) {
+ gss_log(APLOG_MARK, APLOG_ERR, 0, r,
+ "%s", get_gss_error(r, major_status, minor_status,
+ "Failed to establish authentication"));
+ gss_delete_sec_context(&minor_status, &ctx->context, GSS_C_NO_BUFFER);
+ ctx->context = GSS_C_NO_CONTEXT;
+ ctx->state = GSS_CTX_EMPTY;
+ ret = HTTP_UNAUTHORIZED;
+ goto end;