From dca7a82f793178c4a51bdd40a173748c3eb2c2a5 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 21 Sep 2012 15:03:41 -0400
Subject: Resolve verifier cred in accept_sec_context

If the verifier cred handle is of type GSS_C_BOTH, we need to resolve
the initiator part of it in order to create a s4u2proxy delegated
credential handle.  (If it's of type GSS_C_ACCEPT, kg_resolve_cred
won't do anything beyond locking and validating the credential.)

ticket: 7356
---
 src/lib/gssapi/krb5/accept_sec_context.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'src/lib/gssapi')

diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 957f86031..975df14aa 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -514,13 +514,14 @@ kg_accept_krb5(minor_status, context_handle,
             goto fail;
         }
     } else {
-        major_status = krb5_gss_validate_cred(minor_status,
-                                              verifier_cred_handle);
+        major_status = kg_cred_resolve(minor_status, context,
+                                       verifier_cred_handle, GSS_C_NO_NAME);
         if (GSS_ERROR(major_status)) {
             code = *minor_status;
             goto fail;
         }
         cred_handle = verifier_cred_handle;
+        k5_mutex_unlock(&((krb5_gss_cred_id_t)cred_handle)->lock);
     }
 
     cred = (krb5_gss_cred_id_t) cred_handle;
-- 
cgit