[krbdev.mit.edu #6602] gss_accept_sec_context cannot handle non-SPNEGO creds when using SPNEGO
Arlene Berry via RT
rt-comment at krbdev.mit.edu
Tue Dec 22 21:29:31 EST 2009
Gss_accept_sec_context needs the same code that gss_init_sec_context
already has for coping with non-SPNEGO credentials.
Index: src/lib/gssapi/mechglue/g_accept_sec_context.c
===================================================================
--- src/lib/gssapi/mechglue/g_accept_sec_context.c (revision 23482)
+++ src/lib/gssapi/mechglue/g_accept_sec_context.c (working copy)
@@ -187,6 +187,18 @@
input_cred_handle = gssint_get_mechanism_cred(union_cred,
token_mech_type);
/*
+ * If the mechanism is SPNEGO, and a SPNEGO specific cred could not
be
+ * found, then pass the entire cred list through. SPNEGO will send
the
+ * right creds to the correct mechanism.
+ */
+ if (input_cred_handle == NULL &&
+ token_mech_type->length == 6 &&
+ !memcmp(token_mech_type->elements, "\x2b\x06\x01\x05\x05\x02",
6))
+ {
+ input_cred_handle = (gss_cred_id_t) union_cred;
+ }
+
+ /*
* now select the approprate underlying mechanism routine and
* call it.
*/
More information about the krb5-bugs
mailing list