[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SPNEGO and credentials delegation

It looks like there exist two issues which affect credentials delegation
when SPNEGO is in use:

1. It looks like acceptor_start (lib/gssapi/spnego/accept_sec_context.c)
always puts GSS_C_NO_CREDENTIAL into *delegated_cred_handle. Even if the
lower layer returns valid credentials and puts them into
*delegated_cred_handle (lines 641-663) they are being overwritten later
with ctx->delegated_cred_id which seems to always be GSS_C_NO_CREDENTIAL
(lines 743-746) I guess that either lines 743-746 should be removed or
delegated_cred_handle should be replaced with ctx->delegated_cred_id in
lines 641-663.

2. There are two methods: _gss_spnego_inquire_sec_context_by_oid and
_gss_spnego_inquire_cred_by_oid, which are implemented but not declared
in lib/gssapi/spnego/external.c
Are there any reasons for them to be disabled?

Oleg Sharoiko.
Software and Network Engineer
Computer Center of Rostov State University.