From 3673482a9bac8094d60308dd30c6f64c37993e55 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= Date: Thu, 21 Feb 2008 12:46:24 +0000 Subject: [PATCH] make the SPNEGO mech store the error itself instead, works for everything except other stackable mechs git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22600 ec53bebd-3082-4978-b11e-865c3cabbd6b --- lib/gssapi/ChangeLog | 5 +++++ lib/gssapi/gssapi_mech.h | 2 ++ lib/gssapi/mech/context.c | 16 ++++++++++++++++ lib/gssapi/spnego/accept_sec_context.c | 5 ++++- lib/gssapi/spnego/context_stubs.c | 12 ------------ lib/gssapi/spnego/external.c | 2 +- lib/gssapi/spnego/init_sec_context.c | 6 +++++- 7 files changed, 33 insertions(+), 15 deletions(-) diff --git a/lib/gssapi/ChangeLog b/lib/gssapi/ChangeLog index 4042371fa..cb97cc54f 100644 --- a/lib/gssapi/ChangeLog +++ b/lib/gssapi/ChangeLog @@ -1,3 +1,8 @@ +2008-02-21 Love Hörnquist Åstrand + + * make the SPNEGO mech store the error itself instead, works for + everything except other stackable mechs + 2008-02-18 Love Hörnquist Åstrand * spnego/init_sec_context.c (spnego_reply): if the reply token was diff --git a/lib/gssapi/gssapi_mech.h b/lib/gssapi/gssapi_mech.h index 403990ad4..b360de13f 100644 --- a/lib/gssapi/gssapi_mech.h +++ b/lib/gssapi/gssapi_mech.h @@ -356,4 +356,6 @@ gssapi_mech_interface __gss_spnego_initialize(void); gssapi_mech_interface __gss_krb5_initialize(void); gssapi_mech_interface __gss_ntlm_initialize(void); +void gss_mg_collect_error(gss_OID, OM_uint32, OM_uint32); + #endif /* GSSAPI_MECH_H */ diff --git a/lib/gssapi/mech/context.c b/lib/gssapi/mech/context.c index b5d4bd874..e6adbccf0 100644 --- a/lib/gssapi/mech/context.c +++ b/lib/gssapi/mech/context.c 
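Review bot: The new prototype in lib/gssapi/gssapi_mech.h has no parameter names and no comment, and the definition added in lib/gssapi/mech/context.c is undocumented as well. The function silently does nothing when `__gss_get_mechanism(mech)` returns NULL or when the mechanism has no `gm_display_status`, so a caller cannot tell from the header which OID to pass. I would declare it as `void gss_mg_collect_error(gss_OID mech, OM_uint32 maj, OM_uint32 min);` with a one-line comment saying that `mech` is the sub-mechanism that produced the status, not the stacking mechanism.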
@@ -107,6 +107,13 @@ _gss_mg_error(gssapi_mech_interface m, OM_uint32 maj, OM_uint32 min) OM_uint32 message_content; struct mg_thread_ctx *mg; + /* + * Mechs without gss_display_status() does + * gss_mg_collect_error() by themself. + */ + if (m->gm_display_status == NULL) + return ; + mg = _gss_mechglue_thread(); if (mg == NULL) return; @@ -139,3 +146,12 @@ _gss_mg_error(gssapi_mech_interface m, OM_uint32 maj, OM_uint32 min) mg->min_error.length = 0; } } + +void +gss_mg_collect_error(gss_OID mech, OM_uint32 maj, OM_uint32 min) +{ + gssapi_mech_interface m = __gss_get_mechanism(mech); + if (m == NULL) + return; + _gss_mg_error(m, maj, min); +} diff --git a/lib/gssapi/spnego/accept_sec_context.c b/lib/gssapi/spnego/accept_sec_context.c index 33bd0d891..9af4e1b1e 100644 --- a/lib/gssapi/spnego/accept_sec_context.c +++ b/lib/gssapi/spnego/accept_sec_context.c @@ -609,7 +609,7 @@ acceptor_start /* * First we try the opportunistic token if we have support for it, * don't try to verify we have credential for the token, - * gss_accept_sec_context will (hopefully) tell us that. + * gss_accept_sec_context() will (hopefully) tell us that. * If that failes, */ @@ -674,6 +674,8 @@ acceptor_start goto out; first_ok = 1; + } else { + gss_mg_collect_error(preferred_mech_type, ret, *minor_status); } } @@ -879,6 +881,7 @@ acceptor_continue } if (ret != GSS_S_COMPLETE && ret != GSS_S_CONTINUE_NEEDED) { free_NegotiationToken(&nt); + gss_mg_collect_error(ctx->negotiated_mech_type, ret, minor); send_reject (minor_status, output_token); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); return ret; diff --git a/lib/gssapi/spnego/context_stubs.c b/lib/gssapi/spnego/context_stubs.c index 367a9d588..ef778bce7 100644 --- a/lib/gssapi/spnego/context_stubs.c +++ b/lib/gssapi/spnego/context_stubs.c 
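Review bot: The early return added at the top of `_gss_mg_error` discards the status for every mechanism whose `gm_display_status` is NULL, so error reporting now depends on each such mechanism calling `gss_mg_collect_error()` on all of its failure paths. The commit message already notes that other stackable mechs are not covered. The comment should state that contract, e.g. `/* A mech without gm_display_status must call gss_mg_collect_error() with the sub-mechanism OID itself; nothing is recorded here. */`. The guard also reads `m->gm_display_status` with no NULL check on `m`; `gss_mg_collect_error()` in the next hunk checks first, but other callers are outside this diff. The function body continues outside the hunk.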
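Review bot: In the `acceptor_continue` hunk the error is collected under the local `minor`, but the caller receives whatever `send_reject (minor_status, output_token)` leaves in `*minor_status`. If `send_reject` overwrites that value (its body is not in this diff) and the stored entry is looked up by status value, a later gss_display_status() call with the returned minor would presumably miss the collected message, and the acceptor-side failure reason would be lost from logs. The `acceptor_start` hunk passes `*minor_status` instead, so the two paths are also inconsistent. Consider adding `*minor_status = minor;` after the `send_reject` call, or confirm that `send_reject` preserves it. Both functions start and end outside their hunks.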
@@ -263,18 +263,6 @@ OM_uint32 _gss_spnego_unwrap qop_state); } -OM_uint32 _gss_spnego_display_status - (OM_uint32 * minor_status, - OM_uint32 status_value, - int status_type, - const gss_OID mech_type, - OM_uint32 * message_context, - gss_buffer_t status_string - ) -{ - return GSS_S_FAILURE; -} - OM_uint32 _gss_spnego_compare_name (OM_uint32 *minor_status, const gss_name_t name1, diff --git a/lib/gssapi/spnego/external.c b/lib/gssapi/spnego/external.c index 1d8fc732d..58824a7f0 100644 --- a/lib/gssapi/spnego/external.c +++ b/lib/gssapi/spnego/external.c @@ -57,7 +57,7 @@ static gssapi_mech_interface_desc spnego_mech = { _gss_spnego_verify_mic, _gss_spnego_wrap, _gss_spnego_unwrap, - _gss_spnego_display_status, + NULL, NULL, _gss_spnego_compare_name, _gss_spnego_display_name, diff --git a/lib/gssapi/spnego/init_sec_context.c b/lib/gssapi/spnego/init_sec_context.c index 6c8c8b36e..f032757fd 100644 --- a/lib/gssapi/spnego/init_sec_context.c +++ b/lib/gssapi/spnego/init_sec_context.c @@ -59,8 +59,10 @@ initiator_approved(gss_name_t target_name, gss_OID mech) &out, NULL, NULL); - if (GSS_ERROR(maj_stat)) + if (GSS_ERROR(maj_stat)) { + gss_mg_collect_error(mech, maj_stat, min_stat); return GSS_S_BAD_MECH; + } gss_release_buffer(&min_stat, &out); gss_delete_sec_context(&min_stat, &ctx, NULL); @@ -268,6 +270,7 @@ spnego_initial if (GSS_ERROR(sub)) { free_NegTokenInit(&ni); *minor_status = minor; + gss_mg_collect_error(ctx->preferred_mech_type, sub, minor); _gss_spnego_internal_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER); return sub; } @@ -516,6 +519,7 @@ spnego_reply if (GSS_ERROR(ret)) { HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); free_NegTokenResp(&resp); + gss_mg_collect_error(&mech, ret, minor); *minor_status = minor; return ret; }
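Review bot: Replacing `_gss_spnego_display_status` with `NULL` in the positional `spnego_mech` initializer means any mechglue code that calls `m->gm_display_status(...)` without a NULL check would now call through a null pointer when handed the SPNEGO mechanism. Only the guard in `_gss_mg_error` is visible in this commit, so the gss_display_status dispatch path should be checked for the same test. A trailing comment such as `NULL, /* gm_display_status: errors are recorded via gss_mg_collect_error() */` would also keep the slot identifiable next to the other `NULL`. The initializer starts and ends outside the hunk.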
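Review bot: `initiator_approved` collects the error under `maj_stat`/`min_stat` but returns only `GSS_S_BAD_MECH` and, per the signature in the hunk header, has no minor-status out parameter, so the caller never receives the minor value the entry was stored with. If this function is used to probe several candidate mechanisms, each failed probe may also replace a previously collected error in the thread state; that is not visible here. A short comment stating the intent, e.g. `/* record why this mech was rejected; caller only sees GSS_S_BAD_MECH */`, would make clear that the call is best-effort diagnostics. The function body starts and ends outside the hunk.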