From: tlyu@mit.edu
Subject: git commit

Skip unnecessary mech calls in gss_inquire_cred()

If the caller does not request a name, lifetime, or cred_usage when
calling gss_inquire_cred(), service the call by copying the mechanism
list (if requested) but do not call into the mech.

This change alleviates an issue (reported by Adam Bernstein) where
SPNEGO can fail in the presence of expired krb5 credentials rather
than proceeding with a different mechanism, or can resolve a krb5
credential without the benefit of the target name.

(cherry picked from commit ff5eb892910eeac335d989ae14020da4ffbcc8ec)

https://github.com/krb5/krb5/commit/1f3e550f5c7a626d45c8bacccb6d52079308aa7e
Author: Greg Hudson
Committer: Tom Yu
Commit: 1f3e550f5c7a626d45c8bacccb6d52079308aa7e
Branch: krb5-1.14
 src/lib/gssapi/mechglue/g_inq_cred.c | 41 +++++++++++++++++++---------------
 1 files changed, 23 insertions(+), 18 deletions(-)
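
The behaviour described in the commit message above, as an added stand-alone model (not krb5's mechglue code and not part of the original message). Every type, status code and function name here is hypothetical; the model covers name and lifetime, and cred_usage would be handled the same way.

```c
#include <stddef.h>
#include <stdio.h>
/* Hypothetical model types and status codes; not GSS-API definitions. */
enum { ST_OK = 0, ST_EXPIRED = 1 };
typedef struct { const char *name; unsigned lifetime; int expired; } mech_cred;
typedef struct { const mech_cred *elems; size_t count; } union_cred;
int mech_calls;   /* calls made into mechanisms by the last demo() */
size_t listed;    /* mechanism count reported by the last demo() */

/* Stand-in for one mechanism's inquire routine: fails on an expired cred. */
static int mech_inquire(const mech_cred *mc, const char **name, unsigned *lt)
{
    mech_calls++;
    if (mc->expired) return ST_EXPIRED;
    if (name) *name = mc->name;
    if (lt) *lt = mc->lifetime;
    return ST_OK;
}

/* Output pointers are NULL for fields the caller does not request. */
int model_inquire_cred(const union_cred *uc, const char **name,
                       unsigned *lifetime, size_t *mech_count)
{
    if (mech_count) *mech_count = uc->count;    /* copied from stored list */
    if (!name && !lifetime) return ST_OK;       /* no call into any mech */
    for (size_t i = 0; i < uc->count; i++)
        if (mech_inquire(&uc->elems[i], name, lifetime) != ST_OK)
            return ST_EXPIRED;                  /* expired cred fails the call */
    return ST_OK;
}

/* Constructed sample: an expired first element beside a usable second one. */
static const mech_cred sample[] = {
    { "user@EXAMPLE.COM", 0, 1 }, { "user", 3600, 0 } };
static const union_cred sample_cred = { sample, 2 };

int demo(int want)   /* one inquiry; want != 0 also requests the lifetime */
{
    unsigned lt;
    mech_calls = 0;
    return model_inquire_cred(&sample_cred, NULL, want ? &lt : NULL, &listed);
}

int main(void)
{
    int with = demo(1), without = demo(0);
    printf("with lifetime: %d; list only: %d, %zu mechs, %d mech calls\n",
           with, without, listed, mech_calls);
    return 0;
}
```
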