Drop delegated creds when target is NULL

In gsskrb5_accept_delegated_token() it is wrong to store the delegated credentials in the default ccache by default. When the caller does not provide a target credential handle, we just do nothing and return success. Test the return value of gsskrb5_accept_delegated_token() against GSS_S_COMPLETE, rather than 0.
2015-03-04 02:38:09 +00:00
parent ca052eadd5
commit fca6363307
1 changed files with 7 additions and 6 deletions
--- a/lib/gssapi/krb5/accept_sec_context.c
+++ b/lib/gssapi/krb5/accept_sec_context.c
@@ -164,12 +164,13 @@ gsskrb5_accept_delegated_token

    /* XXX Create a new delegated_cred_handle? */
    if (delegated_cred_handle == NULL) {
-	kret = krb5_cc_default (context, &ccache);
-    } else {
+        ret = GSS_S_COMPLETE;
+        goto out;
+    }
+
    *delegated_cred_handle = NULL;
    kret = krb5_cc_new_unique (context, krb5_cc_type_memory,
                               NULL, &ccache);
-    }
    if (kret) {
 	ctx->flags &= ~GSS_C_DELEG_FLAG;
 	goto out;
@@ -270,7 +271,7 @@ gsskrb5_acceptor_ready(OM_uint32 * minor_status,
 					     ctx,
 					     context,
 					     delegated_cred_handle);
-	if (ret)
+	if (ret != GSS_S_COMPLETE)
 	    return ret;
    } else {
 	/* Well, looks like it wasn't there after all */