Subject: gss_accept_sec_context cannot handle non-SPNEGO creds when using SPNEGO
Date: Tue, 22 Dec 2009 18:29:39 -0500
From: "Arlene Berry" <aberry@likewise.com>
To: <krb5-bugs@mit.edu>
Gss_accept_sec_context needs the same code that gss_init_sec_context
already has for coping with non-SPNEGO credentials.
Index: src/lib/gssapi/mechglue/g_accept_sec_context.c
===================================================================
--- src/lib/gssapi/mechglue/g_accept_sec_context.c (revision 23482)
+++ src/lib/gssapi/mechglue/g_accept_sec_context.c (working copy)
@@ -187,6 +187,18 @@
input_cred_handle = gssint_get_mechanism_cred(union_cred,
token_mech_type);
/*
+ * If the mechanism is SPNEGO, and a SPNEGO specific cred could not
be
+ * found, then pass the entire cred list through. SPNEGO will send
the
+ * right creds to the correct mechanism.
+ */
+ if (input_cred_handle == NULL &&
+ token_mech_type->length == 6 &&
+ !memcmp(token_mech_type->elements, "\x2b\x06\x01\x05\x05\x02",
6))
+ {
+ input_cred_handle = (gss_cred_id_t) union_cred;
+ }
+
+ /*
* now select the approprate underlying mechanism routine and
* call it.
*/
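Review bot: In the added condition, the SPNEGO mechanism is identified by a hardcoded length of 6 and the byte literal "\x2b\x06\x01\x05\x05\x02", and the message says gss_init_sec_context already has the same code; move the comparison into one shared helper or named OID constant so the initiator and acceptor paths cannot drift apart. The assignment `input_cred_handle = (gss_cred_id_t) union_cred;` passes a union credential through a handle that otherwise holds the result of gssint_get_mechanism_cred, so the comment should state that the SPNEGO mechanism is expected to recognise and unwrap a union credential at this point, because a callee that treats the handle as its own credential type would misread the structure. The added lines are also wrapped by the mailer (the stray "be", "the" and "6))" lines), so the patch will not apply as posted and should be resent unwrapped or as an attachment.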