From 420c080a8f2d4c5692ff5a8d9f8cb4bc2d4cd2cd Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Fri, 17 Apr 2015 10:48:57 -0500
Subject: [PATCH] Can't use deleg creds with SPNEGO (test_context)

It isn't possible to use non-default credentials to init a context with a mechanism for which the credential doesn't have an element. That's exactly what was happening here. The code was left commented out to describe how one might use SPNEGO with delegated credentials: store them with gss_store_cred(), then acquire them back.
---
 lib/gssapi/test_context.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/lib/gssapi/test_context.c b/lib/gssapi/test_context.c
index 07a6d908a..dfee0dda3 100644
--- a/lib/gssapi/test_context.c
+++ b/lib/gssapi/test_context.c
@@ -978,6 +978,13 @@ main(int argc, char **argv)
 gss_release_cred(&min_stat, &cred2);
+#if 0
+ /*
+ * XXX We can't do this. Delegated credentials only work with
+ * the actual_mech. We could gss_store_cred the delegated
+ * credentials *then* gss_add/acquire_cred() with SPNEGO, then
+ * we could try loop() with those credentials.
+ */
 /* try again using SPNEGO */
 if (verbose_flag)
 printf("checking spnego on delegated cred\n");
@@ -988,6 +995,7 @@ main(int argc, char **argv)
 gss_delete_sec_context(&min_stat, &sctx, NULL);
 gss_release_cred(&min_stat, &cred2);
+#endif
 /* check export/import */
 if (ei_flag) {
@@ -1016,6 +1024,8 @@ main(int argc, char **argv)
 gss_delete_sec_context(&min_stat, &cctx, NULL);
 gss_delete_sec_context(&min_stat, &sctx, NULL);
+#if 0
+ /* XXX See above */
 /* try again using SPNEGO */
 if (verbose_flag)
 printf("checking SPNEGO on export/imported cred\n");
@@ -1026,6 +1036,7 @@ main(int argc, char **argv)
 gss_delete_sec_context(&min_stat, &cctx, NULL);
 gss_delete_sec_context(&min_stat, &sctx, NULL);
+#endif
 gss_release_cred(&min_stat, &cred2);
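Review bot: The `#if 0` added in the first hunk (closed by the `#endif` in the second) drops the SPNEGO-on-delegated-credential check without leaving any trace in the test output, so a passing run can be read as covering a path that is no longer exercised; the same holds for the export/import block disabled in the third and fourth hunks. Because delegated-credential handling is security-relevant, I would keep a marker in the enabled code, for example `if (verbose_flag) printf("skipping spnego on delegated cred (unsupported)\n");` placed just before the `#if 0`. Code under `#if 0` is also no longer compiled, so the disabled calls (presumably including the `loop()` call the comment mentions, which lies outside the hunk) can drift from the helpers they use. The XXX comment would benefit from a tracking reference for the gss_store_cred()-then-acquire approach it describes. main() starts and ends outside these hunks.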
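Review bot: `/* XXX See above */` in the third hunk gives no reason on its own and points at a comment some forty lines earlier in main(), which a reader landing on this block has to go and find. I would make it self-contained, e.g. `/* XXX Disabled: delegated creds only work with actual_mech; see the note on the first SPNEGO check */`. Labelling the closing directives would also help when scanning a function this long: `#endif /* 0: SPNEGO on delegated cred */` in the second hunk and `#endif /* 0: SPNEGO on export/imported cred */` in the fourth.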