Return unwrapped delegated credentials if the actual mech is not the called mech

Assumes that pseudo mechs are are of how mechglue credentails look like and
return credentials like that.

Pointed out on krbdev by Nicolas Williams

lib/gssapi/mech/gss_accept_sec_context.c

@@ -161,6 +161,7 @@ OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status,
 	struct _gss_mechanism_cred *mc;
 	gss_cred_id_t acceptor_mc, delegated_mc;
 	gss_name_t src_mn;
+	gss_OID mech_ret_type = NULL;
 
 	*minor_status = 0;
 	if (src_name)
@@ -228,7 +229,7 @@ OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status,
 	    input_token,
 	    input_chan_bindings,
 	    &src_mn,
-	    mech_type,
+	    &mech_ret_type,
 	    output_token,
 	    &mech_ret_flags,
 	    time_rec,
@@ -241,6 +242,9 @@ OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status,
 		return (major_status);
 	}
 
+	if (mech_type)
+	    *mech_type = mech_ret_type;
+
 	if (src_name && src_mn) {
 		/*
 		 * Make a new name and mark it as an MN.
@@ -262,6 +266,15 @@ OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status,
 			m->gm_release_cred(minor_status, &delegated_mc);
 			if (ret_flags)
 				*ret_flags &= ~GSS_C_DELEG_FLAG;
+		} else if (gss_oid_equal(mech_ret_type, &m->gm_mech_oid) == 0) {
+			/* 
+			 * If the returned mech_type is not the same
+			 * as the mech, assume its pseudo mech type
+			 * and the returned type is already a
+			 * mech-glue object
+			 */
+			*delegated_cred_handle = delegated_mc;
+
 		} else if (delegated_mc) {
 			struct _gss_cred *dcred;
 			struct _gss_mechanism_cred *dmc;