There isn't really a point to validating cred_handle if it was just

acquired by acquire_cred(), so instead of the suggested patch,
validate verifier_cred_handle only if we didn't acquire_cred().

	* accept_sec_context.c (krb5_gss_accept_sec_context): Don't
	validate verifier_cred_handle if GSS_C_NO_CREDENTIAL is passed in.

ticket: 1356

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15211 dc483132-0cff-0310-8789-dd5450dbe970

2 files changed, 11 insertions, 6 deletions

diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index 65ecfc1f5..b85af053e 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,3 +1,8 @@
+2003-03-01  Tom Yu  <tlyu@mit.edu>
+
+	* accept_sec_context.c (krb5_gss_accept_sec_context): Don't
+	validate verifier_cred_handle if GSS_C_NO_CREDENTIAL is passed in.
+
 2003-02-25  Tom Yu  <tlyu@mit.edu>
 
 	* set_ccache.c (gss_krb5_ccache_name): Don't return a pointer to
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index c0efb3db1..be212b526 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -284,15 +284,15 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
 	   goto fail;
        }
    } else {
+       major_status = krb5_gss_validate_cred(minor_status,
+					     verifier_cred_handle);
+       if (GSS_ERROR(major_status)) {
+	   code = *minor_status;
+	   goto fail;
+       }
        cred_handle = verifier_cred_handle;
    }
 
-   major_status = krb5_gss_validate_cred(minor_status, verifier_cred_handle);
-   if (GSS_ERROR(major_status)) {
-       code = *minor_status;
-       goto fail;
-   }
-
    cred = (krb5_gss_cred_id_t) cred_handle;
 
    /* make sure the supplied credentials are valid for accept */