X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=gssapi.c;h=c2c7d94ff46aef0502a587bf47db9c868d18d47e;hb=d31db10231e9ed89f64fdf6e0fb7cae182aa377e;hp=48f690c499b4e6881770db4790338cafc47b8683;hpb=cbd935789d1cda54867fbefab2d27c65acd0a5dc;p=~andy%2Ffetchmail

diff --git a/gssapi.c b/gssapi.c
index 48f690c4..c2c7d94f 100644
--- a/gssapi.c
+++ b/gssapi.c
@@ -33,12 +33,12 @@
 #  ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H
 #    include <gssapi/gssapi_generic.h>
 #  endif
-#  ifndef HAVE_GSS_C_NT_HOSTBASED_SERVICE
+#  if HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE + 0 == 0
 #    define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
 #  endif
 #  endif
 
-static void decode_subr(const char *m, uint32_t code, int type)
+static void decode_subr(const char *m, uint32_t code, int type, FILE *ostrm)
 {
     uint32_t maj, min, context;
     gss_buffer_desc msg = GSS_C_EMPTY_BUFFER;
@@ -52,17 +52,17 @@ static void decode_subr(const char *m, uint32_t code, int type)
 	    report(stderr, GT_("GSSAPI error in gss_display_status called from <%s>\n"), m);
 	    break;
 	}
-	report(stderr, GT_("GSSAPI error %s: %s\n"), m,
-		msg.value ? (char *)msg.value : GT_("(null)"));
-	if (msg.length)
-	    (void)gss_release_buffer(&min, &msg);
+	report(ostrm, GT_("GSSAPI error %s: %.*s\n"), m,
+		(int)msg.length, (char *)msg.value);
+	(void)gss_release_buffer(&min, &msg);
     } while(context);
 }
 
-static void decode_status(const char *m, uint32_t major, uint32_t minor)
+static void decode_status(const char *m, uint32_t major, uint32_t minor,
+		FILE *ostrm)
 {
-    decode_subr(m, major, GSS_C_GSS_CODE);
-    decode_subr(m, minor, GSS_C_MECH_CODE);
+    decode_subr(m, major, GSS_C_GSS_CODE,  ostrm);
+    decode_subr(m, minor, GSS_C_MECH_CODE, ostrm);
 }
 
 #define GSSAUTH_P_NONE      1
@@ -86,7 +86,7 @@ static int import_name(const char *service, const char *hostname,
     maj_stat = gss_import_name(&min_stat, &request_buf,
 	    GSS_C_NT_HOSTBASED_SERVICE, target_name);
     if (maj_stat != GSS_S_COMPLETE) {
-	decode_status("gss_import_name", maj_stat, min_stat);
+	decode_status("gss_import_name", maj_stat, min_stat, stderr);
         report(stderr, GT_("Couldn't get service name for [%s]\n"), buf1);
         return PS_AUTHFAIL;
     }
@@ -118,9 +118,9 @@ int check_gss_creds(const char *service, const char *hostname)
     if (maj_stat != GSS_S_COMPLETE
 	    || (cu != GSS_C_INITIATE && cu != GSS_C_BOTH)) {
 	if (outlevel >= O_DEBUG) {
-	    decode_status("gss_inquire_cred", maj_stat, min_stat);
-	    report(stderr, GT_("No suitable GSSAPI credentials found. Skipping GSSAPI authentication.\n"));
-	    report(stderr, GT_("If you want to use GSSAPI, you need credentials first, possibly from kinit.\n"));
+	    decode_status("gss_inquire_cred", maj_stat, min_stat, stdout);
+	    report(stdout, GT_("No suitable GSSAPI credentials found. Skipping GSSAPI authentication.\n"));
+	    report(stdout, GT_("If you want to use GSSAPI, you need credentials first, possibly from kinit.\n"));
 	}
 	return PS_AUTHFAIL;
     }
@@ -149,11 +149,19 @@ int do_gssauth(int sock, const char *command, const char *service,
     gen_send(sock, "%s GSSAPI", command);
 
     /* upon receipt of the GSSAPI authentication request, server returns
-     * null data ready response. */
+     * a null data ready challenge to us. */
     result = gen_recv(sock, buf1, sizeof buf1);
     if (result)
 	return result;
 
+    if (buf1[0] != '+' || strspn(buf1 + 1, " \t") < strlen(buf1 + 1)) {
+	if (outlevel >= O_VERBOSE) {
+	    report(stdout, GT_("Received malformed challenge to \"%s GSSAPI\"!\n"), command);
+	}
+	goto cancelfail;
+    }
+
+
     /* now start the security context initialisation loop... */
     sec_token = GSS_C_NO_BUFFER;
     context = GSS_C_NO_CONTEXT;
@@ -177,13 +185,19 @@ int do_gssauth(int sock, const char *command, const char *service,
 					NULL);
 
 	if (maj_stat!=GSS_S_COMPLETE && maj_stat!=GSS_S_CONTINUE_NEEDED) {
-	    decode_status("gss_init_sec_context", maj_stat, min_stat);
+	    if (outlevel >= O_VERBOSE)
+		decode_status("gss_init_sec_context", maj_stat, min_stat, stdout);
 	    (void)gss_release_name(&min_stat, &target_name);
-	    report(stderr, GT_("Error exchanging credentials\n"));
 
-	    /* wake up server and await NO response */
-	    SockWrite(sock, "\r\n", 2);
+cancelfail:
+	    /* wake up server and cancel authentication */
+	    suppress_tags = TRUE;
+	    gen_send(sock, "*");
+	    suppress_tags = FALSE;
+
 	    result = gen_recv(sock, buf1, sizeof buf1);
+	    if (outlevel >= O_VERBOSE)
+		report(stderr, GT_("Error exchanging credentials\n"));
 	    if (result)
 		return result;
 	    return PS_AUTHFAIL;
@@ -224,7 +238,7 @@ int do_gssauth(int sock, const char *command, const char *service,
     maj_stat = gss_unwrap(&min_stat, context,
 			  &request_buf, &send_token, &cflags, &quality);
     if (maj_stat != GSS_S_COMPLETE) {
-	decode_status("gss_unwrap", maj_stat, min_stat);
+	decode_status("gss_unwrap", maj_stat, min_stat, stderr);
         report(stderr, GT_("Couldn't unwrap security level data\n"));
         gss_release_buffer(&min_stat, &send_token);
         return PS_AUTHFAIL;
@@ -274,7 +288,7 @@ int do_gssauth(int sock, const char *command, const char *service,
 	report(stdout, GT_("Releasing GSS credentials\n"));
     maj_stat = gss_delete_sec_context(&min_stat, &context, &send_token);
     if (maj_stat != GSS_S_COMPLETE) {
-	decode_status("gss_delete_sec_context", maj_stat, min_stat);
+	decode_status("gss_delete_sec_context", maj_stat, min_stat, stderr);
 	report(stderr, GT_("Error releasing credentials\n"));
 	return PS_AUTHFAIL;
     }