svn rev #25098: trunk/src/lib/gssapi/spnego/

ghudson@MIT.EDU ghudson at MIT.EDU
Thu Aug 11 12:37:55 EDT 2011


http://src.mit.edu/fisheye/changelog/krb5/?cs=25098
Commit By: ghudson
Log Message:
ticket: 6945

Fix call to gss_inquire_cred from spnego_gss_acquire_cred_impersonate_name.

If desired_mechs is NULL (this should never happen when invoked from
the MIT mechglue), we call gss_inquire_cred to get a list of mechs.
This call needs to pass a union cred handle, not the SPNEGO handle we
got as input.  Reported by aberry at likewise.com.


Changed Files:
U   trunk/src/lib/gssapi/spnego/spnego_mech.c
Modified: trunk/src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- trunk/src/lib/gssapi/spnego/spnego_mech.c	2011-08-11 15:13:52 UTC (rev 25097)
+++ trunk/src/lib/gssapi/spnego/spnego_mech.c	2011-08-11 16:37:55 UTC (rev 25098)
@@ -2456,7 +2456,7 @@
 	OM_uint32 status;
 	gss_OID_set amechs = GSS_C_NULL_OID_SET;
 	spnego_gss_cred_id_t imp_spcred = NULL, out_spcred = NULL;
-	gss_cred_id_t mcred;
+	gss_cred_id_t imp_mcred, out_mcred;
 
 	dsyslog("Entering spnego_gss_acquire_cred_impersonate_name\n");
 
@@ -2466,10 +2466,10 @@
 	if (time_rec)
 		*time_rec = 0;
 
+	imp_spcred = (spnego_gss_cred_id_t)impersonator_cred_handle;
+	imp_mcred = imp_spcred ? imp_spcred->mcred : GSS_C_NO_CREDENTIAL;
 	if (desired_mechs == GSS_C_NO_OID_SET) {
-		status = gss_inquire_cred(minor_status,
-					  impersonator_cred_handle,
-					  NULL, NULL,
+		status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL,
 					  NULL, &amechs);
 		if (status != GSS_S_COMPLETE)
 			return status;
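Review bot: The two added lines that unwrap `impersonator_cred_handle` carry no comment, yet the distinction they encode is exactly what the old `gss_inquire_cred` call got wrong. I would add above them `/* impersonator_cred_handle is a SPNEGO cred; mechglue calls take the union cred it wraps. */`. When the input handle is NULL, `imp_mcred` becomes `GSS_C_NO_CREDENTIAL`, so `gss_inquire_cred` would presumably build the mechanism list from the default credential rather than fail; if that is not intended for an impersonation request, an explicit early return for a NULL impersonator would be clearer. The function starts and ends outside this hunk.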
@@ -2477,24 +2477,22 @@
 		desired_mechs = amechs;
 	}
 
-	imp_spcred = (spnego_gss_cred_id_t)impersonator_cred_handle;
-	status = gss_acquire_cred_impersonate_name(minor_status,
-			imp_spcred ? imp_spcred->mcred : GSS_C_NO_CREDENTIAL,
-			desired_name, time_req,
-			desired_mechs, cred_usage,
-			&mcred, actual_mechs,
-			time_rec);
+	status = gss_acquire_cred_impersonate_name(minor_status, imp_mcred,
+						   desired_name, time_req,
+						   desired_mechs, cred_usage,
+						   &out_mcred, actual_mechs,
+						   time_rec);
 
 	if (amechs != GSS_C_NULL_OID_SET)
 		(void) gss_release_oid_set(minor_status, &amechs);
 
 	out_spcred = malloc(sizeof(spnego_gss_cred_id_rec));
 	if (out_spcred == NULL) {
-		gss_release_cred(minor_status, &mcred);
+		gss_release_cred(minor_status, &out_mcred);
 		*minor_status = ENOMEM;
 		return (GSS_S_FAILURE);
 	}
-	out_spcred->mcred = mcred;
+	out_spcred->mcred = out_mcred;
 	out_spcred->neg_mechs = GSS_C_NULL_OID_SET;
 	*output_cred_handle = (gss_cred_id_t)out_spcred;
 
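Review bot: `status` from `gss_acquire_cred_impersonate_name` is not checked in the visible lines before `out_mcred` is released or stored in `out_spcred`, and `out_mcred` is declared without an initializer in the first hunk. If the call fails without writing the output handle, the malloc-failure path passes an indeterminate handle to `gss_release_cred`, and otherwise the caller receives a SPNEGO cred wrapping that handle. I would declare `out_mcred = GSS_C_NO_CREDENTIAL` and add `if (status != GSS_S_COMPLETE) return status;` after the `gss_release_oid_set` call. That release also reuses `minor_status`, so it overwrites the minor code of a failed acquire; a local temporary for the release would preserve it. The function continues past the end of the hunk.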



