From fca6363307d03a7c80ad201f17f5d357b794c4e9 Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni
Date: Wed, 4 Mar 2015 02:38:09 +0000
Subject: [PATCH] Drop delegated creds when target is NULL

In gsskrb5_accept_delegated_token() it is wrong to store the delegated credentials in the default ccache by default. When the caller does not provide a target credential handle, we just do nothing and return success. Test the return value of gsskrb5_accept_delegated_token() against GSS_S_COMPLETE, rather than 0.
---
 lib/gssapi/krb5/accept_sec_context.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/lib/gssapi/krb5/accept_sec_context.c b/lib/gssapi/krb5/accept_sec_context.c
index 8eb870c2f..e9c5d2e9d 100644
--- a/lib/gssapi/krb5/accept_sec_context.c
+++ b/lib/gssapi/krb5/accept_sec_context.c
@@ -164,12 +164,13 @@ gsskrb5_accept_delegated_token
 
 /* XXX Create a new delegated_cred_handle? */
 if (delegated_cred_handle == NULL) {
- kret = krb5_cc_default (context, &ccache);
- } else {
- *delegated_cred_handle = NULL;
- kret = krb5_cc_new_unique (context, krb5_cc_type_memory,
- NULL, &ccache);
+ ret = GSS_S_COMPLETE;
+ goto out;
 }
+
+ *delegated_cred_handle = NULL;
+ kret = krb5_cc_new_unique (context, krb5_cc_type_memory,
+ NULL, &ccache);
 if (kret) {
 ctx->flags &= ~GSS_C_DELEG_FLAG;
 goto out;
@@ -270,7 +271,7 @@ gsskrb5_acceptor_ready(OM_uint32 * minor_status,
 ctx,
 context,
 delegated_cred_handle);
- if (ret)
+ if (ret != GSS_S_COMPLETE)
 return ret;
 } else {
 /* Well, looks like it wasn't there after all */
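Review bot: In the first hunk (gsskrb5_accept_delegated_token), the new early return for `delegated_cred_handle == NULL` leaves `GSS_C_DELEG_FLAG` set in `ctx->flags`, whereas the `kret` failure path a few lines below clears it before `goto out`; the context can therefore still advertise delegation after the forwarded credentials have been discarded. If that is intended (the peer did delegate, the acceptor only declined to keep the credentials), state it in a comment that replaces the now stale `/* XXX Create a new delegated_cred_handle? */`; if it is not, add `ctx->flags &= ~GSS_C_DELEG_FLAG;` before `ret = GSS_S_COMPLETE;`. The jump also reaches `out:` before `ccache` is assigned, and both the declaration and the `out:` cleanup lie outside this hunk, so confirm that `ccache` is initialised to NULL and that the cleanup tolerates it.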