krb5 commit: Use first mech's status in gss_acquire_cred

Greg Hudson ghudson at MIT.EDU
Sun Jun 3 20:48:42 EDT 2012


https://github.com/krb5/krb5/commit/71ca96850348569a7358b32301bb0cc60eb08103
commit 71ca96850348569a7358b32301bb0cc60eb08103
Author: Greg Hudson <ghudson at mit.edu>
Date:   Sun Jun 3 20:39:08 2012 -0400

    Use first mech's status in gss_acquire_cred
    
    If we can't acquire creds for any mech in gss_acquire_cred, return the
    status of the first mech instead of the last mech, as it's more useful
    in the typical case (where the first mech is krb5 and the last mech is
    SPNEGO).  This error reporting is not ideal when the user was
    expecting to use some mech other than krb5, but it's about as good as
    things were prior to #6894.
    
    ticket: 6973

 src/lib/gssapi/mechglue/g_acquire_cred.c |   14 +++++++++++---
 1 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/lib/gssapi/mechglue/g_acquire_cred.c b/src/lib/gssapi/mechglue/g_acquire_cred.c
index faa8e40..ad4e99b 100644
--- a/src/lib/gssapi/mechglue/g_acquire_cred.c
+++ b/src/lib/gssapi/mechglue/g_acquire_cred.c
@@ -104,6 +104,7 @@ OM_uint32 *		time_rec;
 
 {
     OM_uint32 major = GSS_S_FAILURE, tmpMinor;
+    OM_uint32 first_major = GSS_S_COMPLETE, first_minor = 0;
     OM_uint32 initTimeOut, acceptTimeOut, outTime = GSS_C_INDEFINITE;
     gss_OID_set mechs = GSS_C_NO_OID_SET;
     unsigned int i;
@@ -149,7 +150,7 @@ OM_uint32 *		time_rec;
 
     /* for each requested mech attempt to obtain a credential */
     for (i = 0, major = GSS_S_UNAVAILABLE; i < mechs->count; i++) {
-	major = gss_add_cred(minor_status, (gss_cred_id_t)creds,
+	major = gss_add_cred(&tmpMinor, (gss_cred_id_t)creds,
 			     desired_name,
 			     &mechs->elements[i],
 			     cred_usage, time_req, time_req, NULL,
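Review bot: `tmpMinor` is declared without an initialiser (`OM_uint32 major = GSS_S_FAILURE, tmpMinor;`), and with this call now writing to it instead of `minor_status`, its value is what reaches `*minor_status` through `first_minor` when every mech fails. If `gss_add_cred` can return an error before storing a minor status (its body is not part of this diff), the caller would receive an indeterminate value. Setting `tmpMinor = 0;` just before the call, or initialising it at the declaration, removes that dependency. The rest of the call's argument list and the loop body continue outside the hunk.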
@@ -174,12 +175,19 @@ OM_uint32 *		time_rec;
 		    outTime = (outTime > initTimeOut) ?
 			initTimeOut : outTime;
 	    }
+	} else if (first_major == GSS_S_COMPLETE) {
+	    first_major = major;
+	    first_minor = tmpMinor;
 	}
     } /* for */
 
-    /* ensure that we have at least one credential element */
-    if (creds->count < 1)
+    /* If we didn't get any creds, return the error status from the first mech
+     * (which is often the preferred one). */
+    if (creds->count < 1) {
+	major = first_major;
+	*minor_status = first_minor;
 	goto cleanup;
+    }
     major = GSS_S_COMPLETE;
 
     /*
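Review bot: `first_major` uses `GSS_S_COMPLETE` as its "no failure recorded yet" sentinel, so the new `creds->count < 1` branch assigns a success status to `major` whenever no mechanism recorded a failure, for example if `mechs->count` is 0 and the loop body never runs. Before this change that path kept the `GSS_S_UNAVAILABLE` set in the `for` initialiser. Whether an empty mech set is rejected earlier in the function, and what the `cleanup` label does with a `GSS_S_COMPLETE` major and an empty credential, are both outside the hunk. Unless both are confirmed safe, the branch should fail closed: `major = (first_major != GSS_S_COMPLETE) ? first_major : GSS_S_UNAVAILABLE;`.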

