[krbdev.mit.edu #1445] GSSAPI can fail to generate error in GSS_C_NO_CREDENTIAL case
Nicolas Williams
Nicolas.Williams at sun.com
Tue Apr 29 16:59:41 EDT 2003
Which brings us back to a discussion we had at Cthon03: why not always
decode the ap-req and use krb5_rd_req_dec() instead of krb5_rd_req().
IIRC you did not like having the decoding API exposed, so I suggested an
API for querying encoded AP-REQs. It would also be nice to have an
exposed API to query DER encoded objects for their tag and length.
Cheers,
Nico
On Tue, Apr 29, 2003 at 04:23:24PM -0400, Sam Hartman via RT wrote:
>
>
> Nico points out that in accept_sec_context, cred->princ is used as the
> server component of the call to krb5_mk_error.
>
>
> This is problematic because sname and srealm are required fields and
> cred->princ can be null in the gss_c_no_credential case.
>
>
> I believe that if cred->princ is null you can get the principal out of
> the decoded ap_req.
>
> _______________________________________________
> krb5-bugs mailing list
> krb5-bugs at mit.edu
> http://mailman.mit.edu/mailman/listinfo/krb5-bugs
More information about the krb5-bugs
mailing list