Ensure that a GSS_C_BOTH acquired for GSS_C_NO_NAME still passes
authorLuke Howard <lukeh@padl.com>
Thu, 22 Oct 2009 20:58:37 +0000 (20:58 +0000)
committerLuke Howard <lukeh@padl.com>
Thu, 22 Oct 2009 20:58:37 +0000 (20:58 +0000)
a NULL server principal to krb5_rd_req(). Without this the name
canonicalisation support in 1.7 was broken for GSS_C_BOTH
credentials, because cred->name would always be set.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22973 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/gssapi/krb5/accept_sec_context.c
src/lib/gssapi/krb5/acquire_cred.c
src/lib/gssapi/krb5/gssapiP_krb5.h

index 6c141ae99ef99ff2fa349f66301d49622ac243d1..b6c216d58f75340b31c98ac0527bdc21bf8221fc 100644 (file)
@@ -585,7 +585,7 @@ kg_accept_krb5(minor_status, context_handle,
     }
 
     if ((code = krb5_rd_req(context, &auth_context, &ap_req,
-                            cred->name ? cred->name->princ : NULL,
+                            cred->default_identity ? NULL : cred->name->princ,
                             cred->keytab,
                             &ap_req_options,
                             &ticket))) {
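Review bot: The new third argument to `krb5_rd_req()` dereferences `cred->name` whenever `default_identity` is 0, whereas the removed line tolerated a NULL name. The hunks shown set the flag only in `krb5_gss_acquire_cred()`. If any other path (not visible here) produces a `krb5_gss_cred_id_rec` with the flag clear and `name` still NULL, the acceptor would dereference NULL while processing a peer-supplied AP-REQ. Keeping both conditions preserves the old behaviour for that case: `(cred->default_identity || cred->name == NULL) ? NULL : cred->name->princ,`. The body of `kg_accept_krb5` starts and ends outside the hunk.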
index 9e714059e2456a905821f084370c3bd25c2b2704..ef80116ad2b7d27191f14773f094b603b7cf3944 100644 (file)
@@ -538,6 +538,7 @@ krb5_gss_acquire_cred(minor_status, desired_name, time_req,
     cred->name = NULL;
     cred->prerfc_mech = (req_old != 0);
     cred->rfc_mech = (req_new != 0);
+    cred->default_identity = (desired_name == GSS_C_NO_NAME);
 
 #ifndef LEAN_CLIENT
     cred->keytab = NULL;
index 3b8cc067cda2605915263d71e7b8bf52bf11489d..13413b972e4f7f8c812771fd4f26fdab2f74fd71 100644 (file)
@@ -169,6 +169,7 @@ typedef struct _krb5_gss_cred_id_rec {
     unsigned int prerfc_mech : 1;
     unsigned int rfc_mech : 1;
     unsigned int proxy_cred : 1;
+    unsigned int default_identity : 1;
 
     /* keytab (accept) data */
     krb5_keytab keytab;
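Review bot: The new `default_identity` bit has no comment, and its relationship to `cred->name` is not obvious from the name alone. Per the commit message, `cred->name` is still populated for GSS_C_BOTH credentials, so the flag, not the name, now decides what the acceptor passes. A one-line comment on the field would record that, e.g. `/* acquired with GSS_C_NO_NAME: acceptor passes a NULL server principal to krb5_rd_req() */`. The struct definition begins and ends outside the hunk.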