From a925f039ee382df0f3be434108416bab0d17e8c0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 1 Aug 2008 07:08:51 +0200
Subject: heimdal: update to lorikeet-heimdal rev 801

metze
(This used to be commit d6c54a66fb23c784ef221a3c1cf766b72bdb5a0b)
---
 .../heimdal/lib/gssapi/krb5/accept_sec_context.c   | 75 ++++++++++++++++++++--
 1 file changed, 69 insertions(+), 6 deletions(-)

(limited to 'source4/heimdal/lib/gssapi/krb5/accept_sec_context.c')

diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
index 73b93ceba4..8dbd087da6 100644
--- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
@@ -33,7 +33,7 @@
 
 #include "krb5/gsskrb5_locl.h"
 
-RCSID("$Id: accept_sec_context.c 20199 2007-02-07 22:36:39Z lha $");
+RCSID("$Id: accept_sec_context.c 23433 2008-07-26 18:44:26Z lha $");
 
 HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER;
 krb5_keytab _gsskrb5_keytab;
@@ -250,6 +250,62 @@ gsskrb5_acceptor_ready(OM_uint32 * minor_status,
     return GSS_S_COMPLETE;
 }
 
+static OM_uint32
+send_error_token(OM_uint32 *minor_status,
+		 krb5_context context,
+		 krb5_error_code kret,
+		 krb5_principal server,
+		 krb5_data *indata,
+		 gss_buffer_t output_token)
+{
+    krb5_principal ap_req_server = NULL;
+    krb5_error_code ret;
+    krb5_data outbuf;
+
+    /* build server from request if the acceptor had not selected one */
+    if (server == NULL) {
+	AP_REQ ap_req;
+
+	ret = krb5_decode_ap_req(context, indata, &ap_req);
+	if (ret) {
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+	ret = _krb5_principalname2krb5_principal(context,
+						  &ap_req_server,
+						  ap_req.ticket.sname,
+						  ap_req.ticket.realm);
+	free_AP_REQ(&ap_req);
+	if (ret) {
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+	server = ap_req_server;
+    }
+    
+    ret = krb5_mk_error(context, kret, NULL, NULL, NULL,
+			server, NULL, NULL, &outbuf);
+    if (ap_req_server)
+	krb5_free_principal(context, ap_req_server);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+    
+    ret = _gsskrb5_encapsulate(minor_status,
+			       &outbuf,
+			       output_token,
+			       "\x03\x00",
+			       GSS_KRB5_MECHANISM);
+    krb5_data_free (&outbuf);
+    if (ret)
+	return ret;
+
+    *minor_status = 0;
+    return GSS_S_CONTINUE_NEEDED;
+}
+
+
 static OM_uint32
 gsskrb5_acceptor_start(OM_uint32 * minor_status,
 		       gsskrb5_ctx ctx,
@@ -304,6 +360,10 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
     {
 	krb5_rd_req_in_ctx in = NULL;
 	krb5_rd_req_out_ctx out = NULL;
+	krb5_principal server = NULL;
+
+	if (acceptor_cred)
+	    server = acceptor_cred->principal;
 
 	kret = krb5_rd_req_in_ctx_alloc(context, &in);
 	if (kret == 0)
@@ -319,17 +379,20 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 	kret = krb5_rd_req_ctx(context,
 			       &ctx->auth_context,
 			       &indata,
-			       (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL : acceptor_cred->principal,
+			       server,
 			       in, &out);
 	krb5_rd_req_in_ctx_free(context, in);
 	if (kret) {
-	    ret = GSS_S_FAILURE;
-	    *minor_status = kret;
-	    return ret;
+	    /* 
+	     * No reply in non-MUTUAL mode, but we don't know that its
+	     * non-MUTUAL mode yet, thats inside the 8003 checksum.
+	     */
+	    return send_error_token(minor_status, context, kret,
+				    server, &indata, output_token);
 	}
 
 	/*
-	 * We need to remember some data on the context_handle.
+	 * we need to remember some data on the context_handle.
 	 */
 	kret = krb5_rd_req_out_get_ap_req_options(context, out,
 						  &ap_options);
-- 
cgit