summaryrefslogtreecommitdiff
path: root/src/lib/gssapi/mechglue/g_accept_sec_context.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/gssapi/mechglue/g_accept_sec_context.c')
-rw-r--r--src/lib/gssapi/mechglue/g_accept_sec_context.c22
1 files changed, 15 insertions, 7 deletions
diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
index ddaf87412e9e..f28e2b14a903 100644
--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
@@ -216,6 +216,8 @@ gss_cred_id_t * d_cred;
} else {
union_ctx_id = (gss_union_ctx_id_t)*context_handle;
selected_mech = union_ctx_id->mech_type;
+ if (union_ctx_id->internal_ctx_id == GSS_C_NO_CONTEXT)
+ return (GSS_S_NO_CONTEXT);
}
/* Now create a new context if we didn't get one. */
@@ -234,9 +236,6 @@ gss_cred_id_t * d_cred;
free(union_ctx_id);
return (status);
}
-
- /* set the new context handle to caller's data */
- *context_handle = (gss_ctx_id_t)union_ctx_id;
}
/*
@@ -277,8 +276,10 @@ gss_cred_id_t * d_cred;
d_cred ? &tmp_d_cred : NULL);
/* If there's more work to do, keep going... */
- if (status == GSS_S_CONTINUE_NEEDED)
+ if (status == GSS_S_CONTINUE_NEEDED) {
+ *context_handle = (gss_ctx_id_t)union_ctx_id;
return GSS_S_CONTINUE_NEEDED;
+ }
/* if the call failed, return with failure */
if (status != GSS_S_COMPLETE) {
@@ -364,14 +365,22 @@ gss_cred_id_t * d_cred;
*mech_type = gssint_get_public_oid(actual_mech);
if (ret_flags != NULL)
*ret_flags = temp_ret_flags;
- return (status);
+ *context_handle = (gss_ctx_id_t)union_ctx_id;
+ return GSS_S_COMPLETE;
} else {
status = GSS_S_BAD_MECH;
}
error_out:
- if (union_ctx_id) {
+ /*
+ * RFC 2744 5.1 requires that we not create a context on a failed first
+ * call to accept, and recommends that on a failed subsequent call we
+ * make the caller responsible for calling gss_delete_sec_context.
+ * Even if the mech deleted its context, keep the union context around
+ * for the caller to delete.
+ */
+ if (union_ctx_id && *context_handle == GSS_C_NO_CONTEXT) {
if (union_ctx_id->mech_type) {
if (union_ctx_id->mech_type->elements)
free(union_ctx_id->mech_type->elements);
@@ -384,7 +393,6 @@ error_out:
GSS_C_NO_BUFFER);
}
free(union_ctx_id);
- *context_handle = GSS_C_NO_CONTEXT;
}
if (src_name)
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-04 16:48:27 +0000