authorLuke Howard <lukeh@padl.com>2011-03-17 05:30:11 +0000
committerLuke Howard <lukeh@padl.com>2011-03-17 05:30:11 +0000
commit414587b4af7922ecef105e6037fd7f029e0ff6ef (patch)
tree1768a87bc6307d8ec503d6ca4d96553e918c4c8a /src/lib/gssapi
parentec44babaaa63fdc70538c9495318233ef3dc336d (diff)
If calling gss_accept_sec_context with non-NULL credentials, ensure
that you have credentials for the mechanism being accepted.

git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/moonshot-mechglue-fixes@24713 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/gssapi')
-rw-r--r--src/lib/gssapi/mechglue/g_accept_sec_context.c15
1 files changed, 10 insertions, 5 deletions
diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
index 8714f3f..8e0b7c5 100644
--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
@@ -115,7 +115,6 @@ gss_cred_id_t * d_cred;
OM_uint32 status, temp_status, temp_minor_status;
OM_uint32 temp_ret_flags = 0;
gss_union_ctx_id_t union_ctx_id;
- gss_union_cred_t union_cred;
gss_cred_id_t input_cred_handle = GSS_C_NO_CREDENTIAL;
gss_cred_id_t tmp_d_cred = GSS_C_NO_CREDENTIAL;
gss_name_t internal_name = GSS_C_NO_NAME;
@@ -181,11 +180,17 @@ gss_cred_id_t * d_cred;
/*
* get the appropriate cred handle from the union cred struct.
- * defaults to GSS_C_NO_CREDENTIAL if there is no cred, which will
- * use the default credential.
*/
- union_cred = (gss_union_cred_t) verifier_cred_handle;
- input_cred_handle = gssint_get_mechanism_cred(union_cred, token_mech_type);
+ if (verifier_cred_handle != GSS_C_NO_CREDENTIAL) {
+ input_cred_handle =
+ gssint_get_mechanism_cred((gss_union_cred_t)verifier_cred_handle,
+ token_mech_type);
+ if (input_cred_handle == GSS_C_NO_CREDENTIAL) {
+ /* verifier credential specified but no acceptor credential found */
+ status = GSS_S_NO_CRED;
+ goto error_out;
+ }
+ }
/*
* now select the approprate underlying mechanism routine and