* accept_sec_context.c (krb5_gss_accept_sec_context): Add lots of

	explicit assignments to major_status to ensure that we actually
	return an error when we mean to.  This was previously preventing
	gssrpc authentication with the old ovsec_kadm interface from
	working because the gssrpc server side functions were failing to
	loop over a set of supplied credentials.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10428 dc483132-0cff-0310-8789-dd5450dbe970

2 files changed, 32 insertions, 15 deletions

diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index 58bd008f0..676300f52 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,5 +1,12 @@
 Thu Feb 12 16:38:14 1998  Tom Yu  <tlyu@mit.edu>
 
+	* accept_sec_context.c (krb5_gss_accept_sec_context): Add lots of
+	explicit assignments to major_status to ensure that we actually
+	return an error when we mean to.  This was previously preventing
+	gssrpc authentication with the old ovsec_kadm interface from
+	working because the gssrpc server side functions were failing to
+	loop over a set of supplied credentials.
+
 	* init_sec_context.c: KLUDGE!! Add global variable
 	krb5_gss_dbg_client_expcreds to allow the client library to send
 	expired credentials for testing and debugging purposes.
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index ef5d7ebc5..5fd4df5a1 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -313,8 +313,10 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
        return(GSS_S_FAILURE);
    }
    if ((code = krb5_rd_req(context, &auth_context, &ap_req, cred->princ,
-			  cred->keytab, NULL, &ticket)))
-	   goto fail;
+			   cred->keytab, NULL, &ticket))) {
+       major_status = GSS_S_FAILURE;
+       goto fail;
+   }
 
    krb5_auth_con_getauthenticator(context, auth_context, &authdat);
 
@@ -359,22 +361,25 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
    TREAD_INT(ptr, tmp, bigend);
 
    if (tmp != krb5_checksum_size(context, CKSUMTYPE_RSA_MD5)) {
-      ptr = (unsigned char *) authdat->checksum->contents;
-      bigend = 1;
+       ptr = (unsigned char *) authdat->checksum->contents;
+       bigend = 1;
 
-      TREAD_INT(ptr, tmp, bigend);
+       TREAD_INT(ptr, tmp, bigend);
 
-      if (tmp != krb5_checksum_size(context, CKSUMTYPE_RSA_MD5)) {
-	 code = KG_BAD_LENGTH;
-	 goto fail;
-      }
+       if (tmp != krb5_checksum_size(context, CKSUMTYPE_RSA_MD5)) {
+	   major_status = GSS_S_FAILURE;
+	   code = KG_BAD_LENGTH;
+	   goto fail;
+       }
    }
 
    /* at this point, bigend is set according to the initiator's byte order */
 
    if ((code = kg_checksum_channel_bindings(context, input_chan_bindings, &md5,
-					    bigend))) 
-	   goto fail;
+					    bigend))) {
+       major_status = GSS_S_BAD_BINDINGS;
+       goto fail;
+   }
 
    TREAD_STR(ptr, ptr2, md5.length);
    if (memcmp(ptr2, md5.contents, md5.length) != 0) {
@@ -417,8 +422,10 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
 		       call to rd_and_store_for_creds() and clear its flags */
 
 		    if ((code = krb5_auth_con_init(context,
-						   &auth_context_cred)))
-			    goto fail;
+						   &auth_context_cred))) {
+			major_status = GSS_S_FAILURE;
+			goto fail;
+		    }
 
 		    krb5_auth_con_setflags(context, auth_context_cred, 0);
 
@@ -448,8 +455,9 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
 
    if ((ctx = (krb5_gss_ctx_id_rec *) xmalloc(sizeof(krb5_gss_ctx_id_rec)))
        == NULL) {
-	   code = ENOMEM;
-	   goto fail;
+       major_status = GSS_S_FAILURE;
+       code = ENOMEM;
+       goto fail;
    }
 
    memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec));
@@ -460,6 +468,8 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
    ctx->seed_init = 0;
    ctx->big_endian = bigend;
 
+   major_status = GSS_S_FAILURE;
+
    /* Intern the ctx pointer so that delete_sec_context works */
    if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) {
 	   code = G_VALIDATE_FAILED;