# endif
# endif
-static void decode_subr(const char *m, uint32_t code, int type)
+static void decode_subr(const char *m, uint32_t code, int type, FILE *ostrm)
{
uint32_t maj, min, context;
gss_buffer_desc msg = GSS_C_EMPTY_BUFFER;
report(stderr, GT_("GSSAPI error in gss_display_status called from <%s>\n"), m);
break;
}
- report(stderr, GT_("GSSAPI error %s: %.*s\n"), m,
+ report(ostrm, GT_("GSSAPI error %s: %.*s\n"), m,
(int)msg.length, (char *)msg.value);
(void)gss_release_buffer(&min, &msg);
} while(context);
}
-static void decode_status(const char *m, uint32_t major, uint32_t minor)
+static void decode_status(const char *m, uint32_t major, uint32_t minor,
+ FILE *ostrm)
{
- decode_subr(m, major, GSS_C_GSS_CODE);
- decode_subr(m, minor, GSS_C_MECH_CODE);
+ decode_subr(m, major, GSS_C_GSS_CODE, ostrm);
+ decode_subr(m, minor, GSS_C_MECH_CODE, ostrm);
}
#define GSSAUTH_P_NONE 1
maj_stat = gss_import_name(&min_stat, &request_buf,
GSS_C_NT_HOSTBASED_SERVICE, target_name);
if (maj_stat != GSS_S_COMPLETE) {
- decode_status("gss_import_name", maj_stat, min_stat);
+ decode_status("gss_import_name", maj_stat, min_stat, stderr);
report(stderr, GT_("Couldn't get service name for [%s]\n"), buf1);
return PS_AUTHFAIL;
}
if (maj_stat != GSS_S_COMPLETE
|| (cu != GSS_C_INITIATE && cu != GSS_C_BOTH)) {
if (outlevel >= O_DEBUG) {
- decode_status("gss_inquire_cred", maj_stat, min_stat);
- report(stderr, GT_("No suitable GSSAPI credentials found. Skipping GSSAPI authentication.\n"));
- report(stderr, GT_("If you want to use GSSAPI, you need credentials first, possibly from kinit.\n"));
+ decode_status("gss_inquire_cred", maj_stat, min_stat, stdout);
+ report(stdout, GT_("No suitable GSSAPI credentials found. Skipping GSSAPI authentication.\n"));
+ report(stdout, GT_("If you want to use GSSAPI, you need credentials first, possibly from kinit.\n"));
}
return PS_AUTHFAIL;
}
gen_send(sock, "%s GSSAPI", command);
/* upon receipt of the GSSAPI authentication request, server returns
- * null data ready response. */
+ * a null data ready challenge to us. */
result = gen_recv(sock, buf1, sizeof buf1);
if (result)
return result;
+ if (buf1[0] != '+' || strspn(buf1 + 1, " \t") < strlen(buf1 + 1)) {
+ if (outlevel >= O_VERBOSE) {
+ report(stdout, GT_("Received malformed challenge to \"%s GSSAPI\"!\n"), command);
+ }
+ goto cancelfail;
+ }
+
+
/* now start the security context initialisation loop... */
sec_token = GSS_C_NO_BUFFER;
context = GSS_C_NO_CONTEXT;
NULL);
if (maj_stat!=GSS_S_COMPLETE && maj_stat!=GSS_S_CONTINUE_NEEDED) {
- decode_status("gss_init_sec_context", maj_stat, min_stat);
+ if (outlevel >= O_VERBOSE)
+ decode_status("gss_init_sec_context", maj_stat, min_stat, stdout);
(void)gss_release_name(&min_stat, &target_name);
- report(stderr, GT_("Error exchanging credentials\n"));
- /* wake up server and await NO response */
- SockWrite(sock, "\r\n", 2);
+cancelfail:
+ /* wake up server and cancel authentication */
+ suppress_tags = TRUE;
+ gen_send(sock, "*");
+ suppress_tags = FALSE;
+
result = gen_recv(sock, buf1, sizeof buf1);
+ if (outlevel >= O_VERBOSE)
+ report(stderr, GT_("Error exchanging credentials\n"));
if (result)
return result;
return PS_AUTHFAIL;
maj_stat = gss_unwrap(&min_stat, context,
&request_buf, &send_token, &cflags, &quality);
if (maj_stat != GSS_S_COMPLETE) {
- decode_status("gss_unwrap", maj_stat, min_stat);
+ decode_status("gss_unwrap", maj_stat, min_stat, stderr);
report(stderr, GT_("Couldn't unwrap security level data\n"));
gss_release_buffer(&min_stat, &send_token);
return PS_AUTHFAIL;
report(stdout, GT_("Releasing GSS credentials\n"));
maj_stat = gss_delete_sec_context(&min_stat, &context, &send_token);
if (maj_stat != GSS_S_COMPLETE) {
- decode_status("gss_delete_sec_context", maj_stat, min_stat);
+ decode_status("gss_delete_sec_context", maj_stat, min_stat, stderr);
report(stderr, GT_("Error releasing credentials\n"));
return PS_AUTHFAIL;
}