[krbdev.mit.edu #1445] GSSAPI can fail to generate error in GSS_C_NO_CREDENTIAL case

Sam Hartman via RT rt-comment at krbdev.mit.edu
Thu May 1 19:42:26 EDT 2003


>>>>> "Nicolas" == Nicolas Williams via RT <rt-comment at krbdev.mit.edu> writes:

    Nicolas> Which brings us back to a discussion we had at Cthon03:
    Nicolas> why not always decode the ap-req and use
    Nicolas> krb5_rd_req_dec() instead of krb5_rd_req().

Not really.  Or at least I fail to see how your comment is actually
related to the bug or the code.

Note that the code in question already has access to the server
principal from the ap_req because it is in the path that is decoding
it.

Correct solutions include:

* Removing that code path and not sending back an error token if the ap_req cannot be read.

* Grabbing the server principal out of the ap-req not out of the credential.


What I'll probably do when I get around to it is grab the server
princ out of the ap-req if cred->princ is null.



