Merge branch 'gssweb-apache' of ssh://moonshot.suchdamage.org/srv/git/mod_auth_kerb...

diff --git a/protocol.txt b/protocol.txt
index 41a602d..be39e17 100644 (file)
--- a/protocol.txt
+++ b/protocol.txt
@@ -1,24 +1,34 @@
 GSSWEB PROTOCOL DESCRIPTION
 
-This file describes the protocol used for GSSWeb authentication.
+This file describes the protocol used for GSSWeb authentication.  
+
+Note: All messages in the protocol are exchanged in
+'application/x-www-form-urlencoded' format, and no newlines should be
+inserted into the base64 output.
 
 The client goes to /<app>/gss and does a POST containing:
 
 token: <Base64-encoded GSS Token>
-nonce: <Random String>
+nonce: <Random 32-bit integer represented as string>
 
 The server will respond by sending a JSON response:
 
 {gssweb: {
-    token= "<Base64-encoded & escaped GSS Token>",
+    token= "<Base64-encoded GSS Token>",
     nonce= "<Nonce from request>"},
  application: {
-    data: "<Base-64-encoded & escaped application data>",
+    data: "<Base-64-encoded application data>",
     content-type: "<Original content-type>",
     content-length: "<Original content-length>"}
 }
 
-The "gssweb" section in the response is used for the GSS exchange.
-Upon completion of the GSS exchange, the "application" section is used
-by the client to reconstruct the application response upon completion
-of the GSS exchange.
+The "gssweb" section in the response is used for the GSS exchange.  If
+no token was returned by the call to gss_accept_sec_context(), the
+"token" value will be a zero-length string.
+
+The "application" section contains the original server-side
+application or web server response, which will contain an error
+response unless/until the GSS exchange completes successfully.  Upon
+completion of the exchange (whether successful or not), the client can
+use the application data to reconstruct the original response and pass
+it up to the client-side application.

diff --git a/test/gssweb_client.pl b/test/gssweb_client.pl
index 48dab76..a3f7157 100755 (executable)
--- a/test/gssweb_client.pl
+++ b/test/gssweb_client.pl
@@ -13,7 +13,7 @@ sub parse_token($) {
     my ($json) = @_;
     print $json;
     my $ref = decode_json($json);
-    return decode_base64($ref->{'gssweb'}{'token'});
+    return decode_base64($ref->{'gssweb'}{'token'}) or die "No token\n";
                }
 ;
 
@@ -41,7 +41,7 @@ sub token_body($$) {
     print "$status\n";
     return undef unless $otoken;
     print "Pre-encoding token: $otoken\n";
-    my $encoded_token = encode_base64($otoken);
+    my $encoded_token = encode_base64($otoken, '');
     chomp($encoded_token);
     my $out =  "token=" . uri_encode($encoded_token, {encode_reserved => 1}) ."&nonce=42";
     print "$out\n";