[11254] in Kerberos-V5-bugs
[krbdev.mit.edu #6602] gss_accept_sec_context cannot handle
daemon@ATHENA.MIT.EDU (Arlene Berry" via RT)
Tue Dec 22 21:29:50 2009
Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: ""Arlene Berry" via RT" <rt-comment@krbdev.MIT.EDU>
In-Reply-To: <rt-6602@krbdev.mit.edu>
Message-ID: <rt-6602-31931.1.13198026609076@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #6602'":;"'AdminCc of krbdev.mit.edu Ticket #6602'":;@MIT.EDU
Date: Wed, 23 Dec 2009 02:29:31 +0000 (UTC)
Reply-To: rt-comment@krbdev.MIT.EDU
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
Gss_accept_sec_context needs the same code that gss_init_sec_context
already has for coping with non-SPNEGO credentials.
Index: src/lib/gssapi/mechglue/g_accept_sec_context.c
===================================================================
--- src/lib/gssapi/mechglue/g_accept_sec_context.c (revision 23482)
+++ src/lib/gssapi/mechglue/g_accept_sec_context.c (working copy)
@@ -187,6 +187,18 @@
input_cred_handle = gssint_get_mechanism_cred(union_cred,
token_mech_type);
/*
+ * If the mechanism is SPNEGO, and a SPNEGO specific cred could not
be
+ * found, then pass the entire cred list through. SPNEGO will send
the
+ * right creds to the correct mechanism.
+ */
+ if (input_cred_handle == NULL &&
+ token_mech_type->length == 6 &&
+ !memcmp(token_mech_type->elements, "\x2b\x06\x01\x05\x05\x02",
6))
+ {
+ input_cred_handle = (gss_cred_id_t) union_cred;
+ }
+
+ /*
* now select the approprate underlying mechanism routine and
* call it.
*/
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
