Apply adapted patch from http://bugs.debian.org/480434 to recurse into

SPNEGO creds when attempting to retrieve a mechanism cred.

ticket: 5807

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20900 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 13 insertions, 0 deletions

diff --git a/src/lib/gssapi/mechglue/g_glue.c b/src/lib/gssapi/mechglue/g_glue.c
index f5bed4719..a34790656 100644
--- a/src/lib/gssapi/mechglue/g_glue.c
+++ b/src/lib/gssapi/mechglue/g_glue.c
@@ -29,6 +29,7 @@
 #endif
 #include <string.h>
 #include <errno.h>
+#include "../spnego/gssapiP_spnego.h"
 
 #define	MSO_BIT (8*(sizeof (int) - 1))  /* Most significant octet bit */
 
@@ -557,6 +558,18 @@ gssint_get_mechanism_cred(union_cred, mech_type)
     for (i=0; i < union_cred->count; i++) {
 	if (g_OID_equal(mech_type, &union_cred->mechs_array[i]))
 	    return union_cred->cred_array[i];
+
+	/* for SPNEGO, check the next-lower set of creds */
+	if (g_OID_equal(gss_mech_spnego, &union_cred->mechs_array[i])) {
+	    gss_union_cred_t candidate_cred;
+	    gss_cred_id_t    sub_cred;
+
+	    candidate_cred = (gss_union_cred_t)union_cred->cred_array[i];
+	    sub_cred = gssint_get_mechanism_cred(candidate_cred, mech_type);
+
+	    if(sub_cred != GSS_C_NO_CREDENTIAL)
+		return sub_cred;
+	}
     }
     return GSS_C_NO_CREDENTIAL;
 }