Apply adapted patch from http://bugs.debian.org/480434 to recurse into

SPNEGO creds when attempting to retrieve a mechanism cred.

ticket: 5807

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20900 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/gssapi/mechglue/g_glue.c b/src/lib/gssapi/mechglue/g_glue.c
index f5bed4719d96d26c237c8da8b5592c2dba03375a..a347906562f119bfedfd1101b303d1e3ff1c7790 100644 (file)
--- a/src/lib/gssapi/mechglue/g_glue.c
+++ b/src/lib/gssapi/mechglue/g_glue.c
@@ -29,6 +29,7 @@
 #endif
 #include <string.h>
 #include <errno.h>
+#include "../spnego/gssapiP_spnego.h"
 
 #define        MSO_BIT (8*(sizeof (int) - 1))  /* Most significant octet bit */
 
@@ -557,6 +558,18 @@ gssint_get_mechanism_cred(union_cred, mech_type)
     for (i=0; i < union_cred->count; i++) {
        if (g_OID_equal(mech_type, &union_cred->mechs_array[i]))
            return union_cred->cred_array[i];
+
+       /* for SPNEGO, check the next-lower set of creds */
+       if (g_OID_equal(gss_mech_spnego, &union_cred->mechs_array[i])) {
+           gss_union_cred_t candidate_cred;
+           gss_cred_id_t    sub_cred;
+
+           candidate_cred = (gss_union_cred_t)union_cred->cred_array[i];
+           sub_cred = gssint_get_mechanism_cred(candidate_cred, mech_type);
+
+           if(sub_cred != GSS_C_NO_CREDENTIAL)
+               return sub_cred;
+       }
     }
     return GSS_C_NO_CREDENTIAL;
 }