There isn't really a point to validating cred_handle if it was just

acquired by acquire_cred(), so instead of the suggested patch,
validate verifier_cred_handle only if we didn't acquire_cred().

	* accept_sec_context.c (krb5_gss_accept_sec_context): Don't
	validate verifier_cred_handle if GSS_C_NO_CREDENTIAL is passed in.

ticket: 1356

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15211 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index 65ecfc1f57bb2b34c262290a659c9abc2426c882..b85af053e88cd880ed0586118fd7b9d3fb759120 100644 (file)
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,3 +1,8 @@
+2003-03-01  Tom Yu  <tlyu@mit.edu>
+
+       * accept_sec_context.c (krb5_gss_accept_sec_context): Don't
+       validate verifier_cred_handle if GSS_C_NO_CREDENTIAL is passed in.
+
 2003-02-25  Tom Yu  <tlyu@mit.edu>
 
        * set_ccache.c (gss_krb5_ccache_name): Don't return a pointer to

diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index c0efb3db1b8adeac7aa709f1d61fa15025c3bea3..be212b526293de14e2ee2eb9497c4521419feef9 100644 (file)
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -284,15 +284,15 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
           goto fail;
        }
    } else {
+       major_status = krb5_gss_validate_cred(minor_status,
+                                            verifier_cred_handle);
+       if (GSS_ERROR(major_status)) {
+          code = *minor_status;
+          goto fail;
+       }
        cred_handle = verifier_cred_handle;
    }
 
-   major_status = krb5_gss_validate_cred(minor_status, verifier_cred_handle);
-   if (GSS_ERROR(major_status)) {
-       code = *minor_status;
-       goto fail;
-   }
-
    cred = (krb5_gss_cred_id_t) cred_handle;
 
    /* make sure the supplied credentials are valid for accept */