From 8885f38b2627dc1ead69a6fc973a259dd1b052d0 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Sun, 12 Aug 2012 21:43:23 +0200
Subject: Check creds to select mech in accept_sec_context
---
 src/lib/gssapi/mechglue/g_accept_sec_context.c | 27 ++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
index e01b8549e7..1ca0f5d751 100644
--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
@@ -156,10 +156,29 @@ gss_cred_id_t * d_cred;
 if (status)
 return status;
- status = gssint_select_mech_type(minor_status, token_mech_type,
- &selected_mech);
- if (status)
- return status;
+ /* if the verifier contains creds, it may be an interposer plugin
+ * calling back into the mechglue layer, so use the mechanism for
+ * which we have matching creds for if available */
+ if (verifier_cred_handle != GSS_C_NO_CREDENTIAL) {
+ gss_union_cred_t uc;
+ int i;
+
+ uc = (gss_union_cred_t)verifier_cred_handle;
+ for (i = 0; i < uc->count; i++) {
+ if (g_OID_equal(token_mech_type,
+ gssint_get_public_oid(&uc->mechs_array[i]))) {
+ selected_mech = &uc->mechs_array[i];
+ break;
+ }
+ }
+ }
+
+ if (selected_mech == GSS_C_NO_OID) {
+ status = gssint_select_mech_type(minor_status, token_mech_type,
+ &selected_mech);
+ if (status)
+ return status;
+ }
 } else {
 union_ctx_id = (gss_union_ctx_id_t)*context_handle;
-- cgit
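Review bot: In the new `for` loop the result of `gssint_get_public_oid(&uc->mechs_array[i])` is passed straight into `g_OID_equal`, so if that helper can return `GSS_C_NO_OID` for an OID it does not recognise (its definition is not in this hunk), the comparison would dereference a null OID while walking a caller-supplied credential handle. I would hold the result in a local and test it before comparing: `gss_OID pub = gssint_get_public_oid(&uc->mechs_array[i]);` followed by `if (pub != GSS_C_NO_OID && g_OID_equal(token_mech_type, pub)) {`. The later `if (selected_mech == GSS_C_NO_OID)` also depends on `selected_mech` being initialised to `GSS_C_NO_OID` at its declaration, which lies outside the hunk and is worth confirming, because nothing in the added lines sets it when `verifier_cred_handle` is `GSS_C_NO_CREDENTIAL` or no credential matches. The enclosing function starts and ends outside the hunk.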