krb5 commit: Improve duplicate checking in gss_add_cred()
Greg Hudson
ghudson at mit.edu
Mon Nov 23 12:22:27 EST 2020
https://github.com/krb5/krb5/commit/2c30f41745d29ed7f06028bba452355b328e8fba
commit 2c30f41745d29ed7f06028bba452355b328e8fba
Author: sashan <anedvedicky at gmail.com>
Date: Fri Nov 20 16:22:52 2020 +0100
Improve duplicate checking in gss_add_cred()
If both input and output credentials are provided to gss_add_cred() or
gss_add_cred_from(), check for a duplicate element in the input handle.
[ghudson at mit.edu: reorganized code; rewrote commit message]
ticket: 8966 (new)
src/lib/gssapi/mechglue/g_acquire_cred.c | 16 ++++++++--------
1 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/lib/gssapi/mechglue/g_acquire_cred.c b/src/lib/gssapi/mechglue/g_acquire_cred.c
index f03ab9e..c885f56 100644
--- a/src/lib/gssapi/mechglue/g_acquire_cred.c
+++ b/src/lib/gssapi/mechglue/g_acquire_cred.c
@@ -480,7 +480,13 @@ gss_add_cred_from(minor_status, input_cred_handle,
else if (!mech->gss_acquire_cred)
return (GSS_S_UNAVAILABLE);
- if (input_cred_handle == GSS_C_NO_CREDENTIAL) {
+ union_cred = (gss_union_cred_t)input_cred_handle;
+ if (union_cred != NULL &&
+ gssint_get_mechanism_cred(union_cred,
+ selected_mech) != GSS_C_NO_CREDENTIAL)
+ return (GSS_S_DUPLICATE_ELEMENT);
+
+ if (union_cred == NULL) {
/* Create a new credential handle. */
union_cred = malloc(sizeof (gss_union_cred_desc));
if (union_cred == NULL)
@@ -488,13 +494,7 @@ gss_add_cred_from(minor_status, input_cred_handle,
(void) memset(union_cred, 0, sizeof (gss_union_cred_desc));
union_cred->loopback = union_cred;
- } else if (output_cred_handle == NULL) {
- /* Add to the existing handle. */
- union_cred = (gss_union_cred_t)input_cred_handle;
- if (gssint_get_mechanism_cred(union_cred, selected_mech) !=
- GSS_C_NO_CREDENTIAL)
- return (GSS_S_DUPLICATE_ELEMENT);
- } else {
+ } else if (output_cred_handle != NULL) {
/* Create a new credential handle with the mechanism credentials of the
* input handle plus the acquired mechanism credential. */
status = copy_union_cred(minor_status, input_cred_handle, &union_cred);
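Review bot: With the "Add to the existing handle" branch removed, the case where an input handle is supplied and output_cred_handle is NULL no longer has a branch or comment of its own. In that case union_cred keeps the alias to the caller's handle from the `union_cred = (gss_union_cred_t)input_cred_handle;` assignment in the first hunk and is extended in place. A one-line comment after the if chain would make this visible, e.g. `/* Otherwise union_cred is the caller's input handle and is modified in place. */`. The function continues outside the hunk, so it is worth confirming that the later error paths release union_cred only when it is not the caller's input handle. Otherwise a failure after this point could free a credential the caller still owns.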