[krbdev.mit.edu #6051] krb5_gss_accept_sec_context always returns minor_status = 0

Christian Krause via RT rt-comment at krbdev.mit.edu
Thu Jul 24 11:36:07 EDT 2008


Hi,

I've started to use krb5's (krb-1.6.3) GSS API, and at first it happened 
quite often that this function failed for various reasons 
(which is not a problem so far).

The function returned GSS_S_FAILURE and according to the documentation a 
more specific error code should be in minor_status. But in my case 
minor_status was always 0.

I've dug a little bit into the implementation in 
krb5/src/lib/gssapi/krb5/accept_sec_context.c and it looks like in line 
928 the minor_status is correctly set to code, which is the return value 
of most krb5 functions:

    *minor_status = code;

So far this would work perfectly.

Unfortunately, at the end of this function it will be overwritten:

    if (!verifier_cred_handle && cred_handle) {
        krb5_gss_release_cred(minor_status, &cred_handle);
    }

At least in my case, the condition was always true (because I've called 
accept_sec_context with verifier_cred_handle=GSS_C_NO_CREDENTIAL) and so 
the real error was always hidden.

Because this is not very convenient (and usually the return code of 
krb5_gss_release_cred is much less helpful than the real error code of a 
previously failed function), I'd suggest changing the code like this:

--- src/lib/gssapi/krb5/accept_sec_context.c
+++ src/lib/gssapi/krb5/accept_sec_context.c
@@ -991,7 +991,8 @@
         *output_token = token;
     }
     if (!verifier_cred_handle && cred_handle) {
-          krb5_gss_release_cred(minor_status, &cred_handle);
+          int release_minor_status;
+          krb5_gss_release_cred(&release_minor_status, &cred_handle);
     }
     krb5_free_context(context);
     return (major_status);
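
Review bot: the new local in the added lines is declared `int release_minor_status`, but it is passed where `minor_status` was passed before, and a GSS-API minor status is an `OM_uint32`; declare it as `OM_uint32 release_minor_status;` so the pointer type matches what `krb5_gss_release_cred` receives. The return value of the release call is still dropped, which is what the fix wants, so a one-line comment saying the release status is ignored on purpose to keep the earlier error in `*minor_status` would make the intent clear to later readers.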


It would be great if you could review this patch and consider applying 
it.

Thank you very much in advance!


Best regards,
Christian



