From 45ccc1c85f42e4f41f2042df8a51dd7826533029 Mon Sep 17 00:00:00 2001
From: Tomas Kuthan <tkuthan@gmail.com>
Date: Wed, 30 Sep 2015 15:34:26 +0200
Subject: [PATCH] Correct GSS major code for non-default QOP values

This patch fixes several krb5 mech error cases to comply with RFC
2743; non-default QOP arguments should result in GSS_S_BAD_QOP, not
GSS_S_FAILURE.

[ghudson@mit.edu: edit commit message]

ticket: 8258 (new)
target_version: 1.14
tags: pullup
---
 src/lib/gssapi/krb5/k5seal.c          | 2 +-
 src/lib/gssapi/krb5/k5sealiov.c       | 4 ++--
 src/lib/gssapi/krb5/wrap_size_limit.c | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c
index f1c74dd522..4da531b582 100644
--- a/src/lib/gssapi/krb5/k5seal.c
+++ b/src/lib/gssapi/krb5/k5seal.c
@@ -337,7 +337,7 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req,
        them later.  */
     if (qop_req != 0) {
         *minor_status = (OM_uint32) G_UNKNOWN_QOP;
-        return GSS_S_FAILURE;
+        return GSS_S_BAD_QOP;
     }
 
     ctx = (krb5_gss_ctx_id_rec *) context_handle;
diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c
index b53e348f09..88caa856f8 100644
--- a/src/lib/gssapi/krb5/k5sealiov.c
+++ b/src/lib/gssapi/krb5/k5sealiov.c
@@ -277,7 +277,7 @@ kg_seal_iov(OM_uint32 *minor_status,
 
     if (qop_req != 0) {
         *minor_status = (OM_uint32)G_UNKNOWN_QOP;
-        return GSS_S_FAILURE;
+        return GSS_S_BAD_QOP;
     }
 
     ctx = (krb5_gss_ctx_id_rec *)context_handle;
@@ -342,7 +342,7 @@ kg_seal_iov_length(OM_uint32 *minor_status,
 
     if (qop_req != GSS_C_QOP_DEFAULT) {
         *minor_status = (OM_uint32)G_UNKNOWN_QOP;
-        return GSS_S_FAILURE;
+        return GSS_S_BAD_QOP;
     }
 
     ctx = (krb5_gss_ctx_id_rec *)context_handle;
diff --git a/src/lib/gssapi/krb5/wrap_size_limit.c b/src/lib/gssapi/krb5/wrap_size_limit.c
index ed5c599951..7959f424ec 100644
--- a/src/lib/gssapi/krb5/wrap_size_limit.c
+++ b/src/lib/gssapi/krb5/wrap_size_limit.c
@@ -91,7 +91,7 @@ krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag,
     /* only default qop is allowed */
     if (qop_req != GSS_C_QOP_DEFAULT) {
         *minor_status = (OM_uint32) G_UNKNOWN_QOP;
-        return(GSS_S_FAILURE);
+        return GSS_S_BAD_QOP;
     }
 
     ctx = (krb5_gss_ctx_id_rec *) context_handle;
-- 
2.47.2